The FTI Technology team in Tokyo received a request from one of the largest firms in Japan to extract and preserve private cloud data relating to an ongoing high-profile criminal investigation. The data of interest included calendar items in a cloud-based calendaring application, typically installed and used on personal devices. FTI Technology’s emerging data sources experts developed custom solutions to ensure a complete and defensible extraction of information from the application, despite not being compatible with existing e-discovery and digital forensics tools.
The lead lawyer was familiar with the latest technologies and common challenges in emerging data sources and understood that a high degree of technical proficiency would be needed to complete the request. The first challenge the legal team encountered was that it would not be possible to collect the data from the custodian’s mobile device directly because of a government agency’s ongoing investigation. Through discussion with the lead lawyer, FTI Technology realized it might be possible to defensibly collect the calendar items using the calendar application’s application programming interface (API) with the user credentials that the law firm already collected.
FTI Technology’s Tokyo team collaborated with the firm’s emerging data sources experts in the U.S. to begin tackling the matter together.
At the outset, the calendar app supported OAuth authentication, providing on-behalf access to the user data and API calls supporting CRUD1 operations of the calendar items.
However, almost immediately upon beginning the application evaluation, the team realized that the calendar application needed to support the querying of past events. The API only supported upcoming events. Further research found that the API did, however, support access to the data about an event if the ID of that event was known.
That meant the team would need to obtain the list of events from the previous five years. The team formed a threepronged solution to address these issues:
- Engage with the calendar application developers to determine whether a premium service, beta release, or mobile API existed that provided an API call to list past events. Without one, the team would enquire about the developer’s ability to extract the list using its internal tools.
- Determine if the data in the mobile devices were synced with the data in the cloud and could be exported using mobile forensic tools such as Cellebrite or Oxygen.
- Develop a bespoke solution with web scraper to obtain the list of the event IDs and then use the API to find the information about each item.
Further challenges arose when the application provider responded that no paid service or internal tools existed to list past events.
With further support from FTI Technology’s digital forensics experts, the team explored options to extract data from custom mobile applications. The team quickly began testing with the calendar application, creating a new account, setting calendar items, shared events, and adding subscriptions to internet calendars to create a rich test set. The team tested whether Android or Apple versions of the application would create a backup of the data, which they did not.
Testing with iTunes backup revealed that an iTunes backup contained an encrypted database table called “Events” consisting of 40 files relating to the calendaring application. Without guidance or documentation from the application provider, it was impossible to verify the entirety of the “Events” list to propose a forensically sound and defensible collection.
The team turned to the bespoke web scraper solution. This process started with an analysis of the web version of the calendar application for the simplest way to scrape the event list by traversing through the months and extracting the list of events for each month from the corresponding screen. The team automated the process of traveling back to the start date and collecting until the end date, gathering the list of calendar events into a local database.
In only two-weeks, FTI Technology’s development, digital forensics and emerging data sources experts were able extract roughly 6,000 calendar items. The team also provided a detailed an error log of items that could not be recovered, with documentation of the reasoning.
Considering the value of the information and the downstream workload, the law firm approved additional hours to transform the extracted calendar items into a reviewable format. In this ongoing matter, FTI Technology is conducting the work to render the files into Outlook format.
Through this process, the team has also addressed language encoding issues in the e-discovery platform, to ensure that CJK (Chinese, Japanese and Korean) characters could be accurately represented in the data set.