PDAs leave all kinds of digital footprints

Private messages or PIN messages exchanged using corporate BlackBerry wireless devices might not be so private, as demonstrated by a lawsuit filed this year by the Canadian Imperial Bank of Commerce against Genuity Capital Markets.

Even if you don't have someone's BlackBerry, there's a number of places to find that information, says Chuck Rothman.

CIBC is suing Genuity Capital Markets, a new Toronto-based investment management firm established by six former CIBC employees. The lawsuit hinges on CIBC's allegation that its former employees used their BlackBerrys to recruit colleagues while still working at the bank.

These PIN messages, which were once thought to be untraceable, do leave a trail, say computer forensic experts.

Chuck Rothman, director of e-litigation services at H+A Computer Forensics Inc., says that while the storage space on the PDA itself is quite small and allows for data to get overwritten very quickly, evidence of these messages can be found elsewhere.

"Because these devices typically synchronize with a workstation computer, and in some cases, depending on how it's configured, it may synchronize with an e-mail server. There are other locations to find the information that you would want off the PDA," he said.

"For instance, in CIBC, they didn't need the actual BlackBerrys in order to see the conversations that were going on because in that situation all of the communications were synchronized with CIBC's central mail server. All they had to do was go to the mail server, and because they were investigating something that was recent, they didn't even have to worry about backup tapes, they just looked at the live data and were able to see these PIN communications."

Rothman said that every communication through a BlackBerry goes through some server, whether it be the server of the BlackBerry's parent company, Research in Motion, an Internet service provider's server, or, as is the case with CIBC, the corporate server of the company that issued the PDA.

"There's no way that it can go directly from one BlackBerry to another," he said. "The system is not set up like that."

Tae Kim, senior computer forensics investigator in the Toronto office of Kroll Inc., said that when it comes to investigating these types of devices, timeliness is key.

"There are various computer forensics tools out there that allow you to retrieve that kind of information, and depending on how quickly you can get to that device, some of that information could be lost because it's overwritten by new information or the information could be cleared out, deleted, and so on," he said.

"If you get to it in a timely fashion you can restore some of that information, sometimes that information can be useful, sometimes not, depending on what you're looking for. The advice we give our clients all the time is to basically secure any electronic evidence as soon as possible."

Typically, when a computer forensics expert is called in, he or she will take a bit copy of the entire surface of the device using a portable imaging system, then another copy is taken of the copy back at the lab.

All text is indexed, allowing the lab to do keyword searches with assistance from counsel to find e-mails, word files, contact names, etc.

"If you're doing a particular investigation, you compile a list of keywords that would lead you to the information you're looking for," said Kim. "So if you're looking for relationships between two individuals and you've got the PDA of one individual then you might want to put in the name of the other individual as your search criteria.

"The tools would go in and identify all the different places, files and so on, on the device where that name appears then you go and review text surrounding that hit. In some cases you might get their contact information because it's part of the address book section."

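The copy-then-search workflow described above, sketched as an added example that is not from the article or from any tool its sources use: it confirms that a working copy is identical to the first image, then finds a name stored as ASCII or UTF-16LE and returns the text surrounding each hit. Assumptions of this example: SHA-256 comparison as the integrity check (the article does not say how copies are verified), ASCII-only keywords, and a constructed sample image, name and function names.

```python
import hashlib
import re

def verify_copy(original: bytes, working: bytes) -> bool:
    """True when the working copy is bit-for-bit identical to the first image."""
    return hashlib.sha256(original).digest() == hashlib.sha256(working).digest()

def keyword_hits(image: bytes, keywords, context: int = 24):
    """Return (offset, keyword, encoding, surrounding text) for every hit.

    Each keyword is searched as ASCII and as UTF-16LE, ignoring case, because
    the same name may be stored either way in different parts of an image.
    """
    hits = []
    for kw in keywords:
        for enc, width in (("ascii", 1), ("utf-16-le", 2)):
            needle = kw.encode(enc)
            for m in re.finditer(re.escape(needle), image, re.IGNORECASE):
                off = m.start()
                # Keep 2-byte alignment when stepping back for UTF-16 context.
                start = max(off % width, off - context * width)
                end = off + len(needle) + context * width
                text = image[start:end].decode(enc, errors="replace")
                # Replace unprintable bytes so the context is reviewable.
                text = "".join(c if c.isprintable() else "." for c in text)
                hits.append((off, kw, enc, text))
    return sorted(hits)

# Constructed sample "image": an address-book style record in ASCII and a
# message fragment in UTF-16LE, separated by filler bytes.
IMAGE = (
    b"\x00" * 16
    + b"ADDR|Jane Example|555-0100|"
    + b"\xff" * 9
    + "Lunch with jane example on Friday".encode("utf-16-le")
    + b"\x00" * 8
)

if __name__ == "__main__":
    working = bytes(IMAGE)  # stands in for the lab's copy of the copy
    print("working copy verified:", verify_copy(IMAGE, working))
    for off, kw, enc, text in keyword_hits(working, ["Jane Example"]):
        print(f"{off:#06x} {enc:9} {kw!r}: {text}")
```
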
Rothman said that depending on the nature of the investigation, keywords may not always be relevant to the investigation.

"We may be looking for information on if certain files were deleted or when they were deleted or if certain Web sites were accessed."

Oleh Hrycko, president of H+A, said this type of information can be useful in proving a tort of spoliation as an added damage in litigation.

"If there's some indication that a prospective fraudster defragmented his hard drive . . . it becomes relevant to a particular counsel depending on the timing of it," he said.

When lawyers decide to investigate using computer forensics, it's important to realize that there are a host of sources to find digital evidence. Rothman emphasized that delete never really means delete — information can be found on a corporate server or on backup tapes.

As well, the experts say it's vital not just to focus on the obvious — the PDA itself — but to examine memory cards and any other accessory for the device.

While the industry of computer forensics is five to 10 years ahead in the United States, Hrycko said lawyers in Canada are catching up.

"There's a greater awareness to think outside the box within the legal community," he said. "When we started doing computer forensics two or three years ago, our presentations basically entailed what is computer forensics and how do you use it in a case.

"Two or three years later, lawyers accept computer forensics and now they're interested in how to use computer forensics. Don't just focus in on the laptop, think about the backup tapes, think about the exchange server, think about the home computer at the cottage, think about the BlackBerry.

"And all of a sudden a lawyer who's launching a lawsuit is saying 'Yeah, there could be a lot of evidence there,' and we can open up the world to him digitally."