Case Study

FTI Technology’s Digital Forensics and Emerging Data Sources Experts Solve Complex Data Extraction Challenges in High-Profile Japanese Investigation

The FTI Technology team in Tokyo received a request from one of the largest firms in Japan to extract and preserve private cloud data relating to an ongoing high-profile criminal investigation. The data of interest included calendar items in a cloud-based calendaring application, typically installed and used on personal devices. FTI Technology’s emerging data sources experts developed custom solutions to ensure a complete and defensible extraction of information from the application, despite not being compatible with existing e-discovery and digital forensics tools.

Our Role

FTI Technology’s Tokyo team collaborated with the firm’s emerging data sources experts in the U.S. to begin tackling the matter together.

At the outset, the calendar app supported OAuth authentication, providing on-behalf access to the user data and API calls supporting CRUD1 operations of the calendar items.

However, almost immediately upon beginning the application evaluation, the team realized that the calendar application needed to support the querying of past events. The API only supported upcoming events. Further research found that the API did, however, support access to the data about an event if the ID of that event was known.

That meant the team would need to obtain the list of events from the previous five years. The team formed a threepronged solution to address these issues:

  1. Engage with the calendar application developers to determine whether a premium service, beta release, or mobile API existed that provided an API call to list past events. Without one, the team would enquire about the developer’s ability to extract the list using its internal tools.
  2. Determine if the data in the mobile devices were synced with the data in the cloud and could be exported using mobile forensic tools such as Cellebrite or Oxygen.
  3. Develop a bespoke solution with web scraper to obtain the list of the event IDs and then use the API to find the information about each item.

Further challenges arose when the application provider responded that no paid service or internal tools existed to list past events.

With further support from FTI Technology’s digital forensics experts, the team explored options to extract data from custom mobile applications. The team quickly began testing with the calendar application, creating a new account, setting calendar items, shared events, and adding subscriptions to internet calendars to create a rich test set. The team tested whether Android or Apple versions of the application would create a backup of the data, which they did not.

Testing with iTunes backup revealed that an iTunes backup contained an encrypted database table called “Events” consisting of 40 files relating to the calendaring application. Without guidance or documentation from the application provider, it was impossible to verify the entirety of the “Events” list to propose a forensically sound and defensible collection.

The team turned to the bespoke web scraper solution. This process started with an analysis of the web version of the calendar application for the simplest way to scrape the event list by traversing through the months and extracting the list of events for each month from the corresponding screen. The team automated the process of traveling back to the start date and collecting until the end date, gathering the list of calendar events into a local database.

Related topics: