Blog Post

Q&A: Calendaring App Clouds Data Discovery in Japanese Criminal Investigation

Downtown

Suguru, Maddy, will you please discuss the background of this engagement and what made it so unique?

SY: Tomoyuki, the lead lawyer on the case, was familiar with the latest technologies and common challenges in emerging data sources. So, he understood that a high degree of technical proficiency would be needed to complete the request for previous calendar entries and related data from specific individuals relevant to the investigation. 
The first challenge the legal team encountered was that it would not be possible to collect the data from the custodian’s mobile device directly because of a government agency's ongoing investigation. Through discussion with counsel, we realized it might be possible to defensibly collect the calendar items using the calendar application’s application programming interface (API) with the user credentials that the law firm already collected.

MR: Our teams handle high-stakes, high-profile, time-sensitive investigations all the time, most of which now involve complex emerging data sources. What made this matter different was that we had not previously encountered this cloud application in previous engagements and the process for collecting data required highly technical custom work. 

What were some of those technical issues?

SY: First, the good news was that we have a robust team in Asia and internationally with deep experience handling emerging data sources in an investigative context. So, the foundation was already in place. Our experts quickly determined that the calendaring application provided an API that allowed querying of calendar items using on-behalf access to user data. However, the API supported only upcoming events, not past events, which were needed to provide evidence about where certain persons of interest were and what they were scheduled to be doing during specific dates and times. Using the API, the team gathered what data they could, and created a custom workaround to obtain event data from the dates under investigation (a period of the previous five years). 

Maddy, can you explain the process of solving for this issue?

MR: We did several things concurrently, including engaging with the application developer to determine whether a premium service, beta release, or mobile API existed that provided an API call to list past events and extensive testing to see if the data in the mobile devices were synced with the data in the cloud and could be exported using mobile forensic tools. 

Through extensive testing with iTunes backup, we found that it contained an encrypted database table called “Events” consisting of 40 files relating to the calendaring application. But without guidance or documentation from the application provider, it was impossible to verify the entirety of the “Events” list to propose a forensically sound and defensible collection. So, we developed a bespoke solution, which involved analysis of the web version of the calendar application to scan the event list by traversing through the months and extracting the list of events for each month from the corresponding screen. We automated the process of traveling back to the start date and collecting until the end date, gathering the list of calendar events into a local database. 

So, what was the end result for the client? Was the team able to collect a forensically defensible set of the calendar items in question?

SY: Yes, the solution did what it was intended to do. In only two-weeks, our development, digital forensics and emerging data sources experts were able to defensibly extract roughly 6,000 calendar items, along with a detailed error log of items that could be recovered,  with documentation of the reasoning. We also transformed the extracted calendar items into a reviewable format, including solving for language encoding issues in the e-discovery platform, to ensure that CJK (Chinese, Japanese and Korean) characters could be accurately represented in the data set. Our work provided counsel with the pieces they need to further analyze the calendar items for relevance to the ongoing investigation. 

Read more about this matter here.
 

Related topics:

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.