One of the largest law firms in Japan engaged FTI Technology to extract and preserve private cloud and personal device data from a calendaring application relating to a high-profile criminal investigation. FTI Technology’s emerging data sources experts developed custom solutions to ensure a complete and defensible extraction of information from the application, even though the application was not compatible with existing e-discovery and digital forensics tools.
Tomoyuki Numata of the Nishimura & Asahi Crisis Management practice, the lead partner on the matter, said of FTI Technology’s work, “In this case, it was crucial for determining our defense strategy to objectively ascertain when the key personnel of the client company had met with external parties related to the case, based on concrete evidence. Despite being turned down by many vendors due to the use of uncommon calendar apps and data formats, we are truly grateful to FTI Technology, which demonstrated technical expertise by fearlessly taking on the challenge and delivering the desired results within a short timeframe.”
In this Q&A, FTI Technology Senior Directors Suguru Yoshida and Maddy Ramasamy discuss the details of the matter and the unique digital forensics challenges involved in accessing data from the cloud calendaring application.
Suguru, Maddy, will you please discuss the background of this engagement and what made it so unique?
SY: Tomoyuki, the lead lawyer on the case, was familiar with the latest technologies and common challenges in emerging data sources. So, he understood that a high degree of technical proficiency would be needed to complete the request for previous calendar entries and related data from specific individuals relevant to the investigation.
The first challenge the legal team encountered was that it would not be possible to collect the data from the custodian’s mobile device directly because of a government agency's ongoing investigation. Through discussion with counsel, we realized it might be possible to defensibly collect the calendar items using the calendar application’s application programming interface (API) with the user credentials that the law firm already collected.
MR: Our teams handle high-stakes, high-profile, time-sensitive investigations all the time, most of which now involve complex emerging data sources. What made this matter different was that we had not previously encountered this cloud application in previous engagements and the process for collecting data required highly technical custom work.
What were some of those technical issues?
SY: First, the good news was that we have a robust team in Asia and internationally with deep experience handling emerging data sources in an investigative context. So, the foundation was already in place. Our experts quickly determined that the calendaring application provided an API that allowed querying of calendar items using on-behalf access to user data. However, the API supported only upcoming events, not past events, which were needed to provide evidence about where certain persons of interest were and what they were scheduled to be doing during specific dates and times. Using the API, the team gathered what data they could, and created a custom workaround to obtain event data from the dates under investigation (a period of the previous five years).
Maddy, can you explain the process of solving for this issue?
MR: We did several things concurrently, including engaging with the application developer to determine whether a premium service, beta release, or mobile API existed that provided an API call to list past events and extensive testing to see if the data in the mobile devices were synced with the data in the cloud and could be exported using mobile forensic tools.
Through extensive testing with iTunes backup, we found that it contained an encrypted database table called “Events” consisting of 40 files relating to the calendaring application. But without guidance or documentation from the application provider, it was impossible to verify the entirety of the “Events” list to propose a forensically sound and defensible collection. So, we developed a bespoke solution, which involved analysis of the web version of the calendar application to scan the event list by traversing through the months and extracting the list of events for each month from the corresponding screen. We automated the process of traveling back to the start date and collecting until the end date, gathering the list of calendar events into a local database.
So, what was the end result for the client? Was the team able to collect a forensically defensible set of the calendar items in question?
SY: Yes, the solution did what it was intended to do. In only two weeks, our development, digital forensics and emerging data sources experts were able to defensibly extract roughly 6,000 calendar items, along with a detailed error log of items that could be recovered, with documentation of the reasoning. We also transformed the extracted calendar items into a reviewable format, including solving for language encoding issues in the e-discovery platform, to ensure that CJK (Chinese, Japanese and Korean) characters could be accurately represented in the data set. Our work provided counsel with the pieces they need to further analyze the calendar items for relevance to the ongoing investigation.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.