Category Archives: Legal

You too can make a forensic image! (Part 1)

NOTE: This exercise is to gain an understanding of what a forensic image is, and how they are created.  We strongly recommend that you contact a certified forensic examiner to create images that will be introduced as evidence.

Not long ago, I was speaking with an attorney over a case which involved dates of creation and dates of access.  They told me how concerned they were that when they copied these files to a flash drive, all of the creation dates changed to the day that they copied them!  What could possibly be wrong?

A simple misunderstanding of how to acquire information was all that was at stake.  Well, that and the case. For anyone needing to preserve the state of information of, say, a hard drive, it is important to seek the assistance of a certified forensic examiner.  They will be able to make an accurate bit-by-bit “image” of the data source, so that it can be referenced, viewed, extracted, etc., without the risk of altering the state of the data.  Now some of you might wonder why I put the word Image in quotes.  This is a term of art.  Many attorneys refer to an image as a photograph, or a graphic.  In the scope of forensic acquisition, it means a bit-by-bit duplicate of the media, created in such a way that it can be verified, and not altered.

Can anyone make a forensic image?  Well, this part isn’t very difficult.  But you do want to be certain that you document what you are doing, and can explain how you were able to authenticate that the image was correctly produced.  At the very least, it is an EXCELLENT exercise for an attorney to do a forensic acquisition so that when you have to speak with an examiner, you will have more of an idea of what they are going to do for you and your case.

First, you will need forensic acquisition software.  Not to fear, it is free from my friends at Access Data.  The link for the Windows version that is current as of this writing is here: .  Once it is downloaded, go ahead and install it.  It is quite small.  I’ll wait.

The next thing we will need are two flash drives.  Smaller is better for our example.  One however should be slightly larger than the other.  So a 1GB and a 2GB flash drive would be great. (It is important that you use different size flash drives – your destination should always be larger than your source.)  Format the larger of the two devices (your destination media) so that there is no data on it. (A forensic examiner would do a ‘wipe’ to make certain that the media is completely erased before beginning, but that is not necessary for this exercise.) Take the 1GB flash drive (this will become our SOURCE media), and copy some files from your computer onto the drive.  Browse the flash drive to make certain that your newly copied files made it safely to our source media.  Next we start FTK Imager.  Once you start FTK Imager, your screen should look like this:

At the top of the screen, on the left side are two small green icons.  The first one allows us to pick a single device that we want to image. When you click that, a screen will pop up to ask you what it is that you want to create a forensic image of.  In this instance we want to take an image of a PHYSICAL DRIVE.  Select that.  Your screen should look like this:

Click NEXT
You will now be presented with a drop down box asking you WHICH physical drive you want to image.  Remember when I told you to use different sized drives?  The drop down box identifies the devices that are currently attached to your computer.  Since FTK doesn’t recognize drive letters here, you should pick the device that is the size of your source media.  In this image you can see that I have two devices attached to my computer: my hard drive, and the 1GB flash drive:

When you click finish at the bottom of the screen, your source drive should be listed on the left hand side of the screen in FTK.

Now it is time to create our forensic image.  While leaving the source drive plugged into your computer, now add your DESTINATION flash drive. PLEASE be careful at this juncture to select the correct drives – we don’t want you to overwrite something important.
Right click on the drive that is in the evidence tree.  Using the above example, you would right-click on \\PHYSICAL DRIVE1.  A small menu should pop up – please select EXPORT DISK IMAGE.

So far, so good.  We aren’t done yet though …

When you click the EXPORT DISK IMAGE menu item, you will get a screen asking for the DESTINATION MEDIA information. It should look like this:

Please take care to tick the box at the bottom that says “VERIFY IMAGES AFTER THEY ARE CREATED”.  This is of paramount importance.  Then click the ADD button. You will be asked what type of image to create.  These are different formats that are readable by different systems.  The most universally accepted are DD and E01 images.  You should not concern yourself with the other two types at this time.  Just so we can all be on the same page, please select E01 and click NEXT.  On this screen you can identify the information relevant to your case.  None of this is mandatory, but it is all a really good idea.  Go ahead and populate this information – you will see why in a few minutes.  When you are ready click NEXT for the image destination screen.

First let’s click the BROWSE button, and find the DESTINATION flash drive that you plugged in. (Note, there shouldn’t be any files on it – if there ARE files, you either did not format the drive, or you have selected the WRONG drive.)  So, using my example, my destination flash drive is drive Y and the image filename I have chosen is “DemoImage”.

For the purposes of this exercise, we won’t go into the other settings on this page.  After you have these items properly populated, click FINISH.  Now you are returned to the CREATE IMAGE screen.  Since we have no more source media to add, double-check that the box is ticked at the bottom that says “Verify images after they are created”, and click START.  Since the source media is only 1GB in size, it will take less than 5 minutes to create the image and to verify it.  When the process is finished you will see “Image Created Successfully” in the STATUS field of the progress box.  A new box should have popped up on your screen that says “Drive/Image Verify Results”.

Mine looks like this:

This is a really important screen.  When you see the word HASH, this is another term of art.  It is a method of positively identifying a file, folder, or drive, so that it can be verified that it has not been altered.  FTK Imager calculated two different types of HASH before it imaged your source drive.  After it completed the process, it calculated those HASHES again, and they both matched.  THAT means that you have authenticated your image and can be certain that it is an accurate representation of the source drive.  If anyone were to alter anything in this image, even a comma, the HASH that would be calculated would NOT match.
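
As an added illustration (not part of the original article and not FTK Imager's own code), the same check can be reproduced on a raw DD image: hash the file with MD5 and SHA-1 in one pass, compare against the values recorded at acquisition, then change a single bit and compare again. The file name and contents are constructed, and this applies to DD images only, because an E01 file is a container whose file hash is not the hash of the drive data it holds.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large image never sits in memory


def hash_image(path):
    """Return (md5_hex, sha1_hex) for the file at path, computed in a single pass."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha1.update(block)
    return md5.hexdigest(), sha1.hexdigest()


def verify_image(path, recorded_md5, recorded_sha1):
    """Re-hash the image and compare with the hashes recorded at acquisition."""
    md5, sha1 = hash_image(path)
    return {
        "md5_match": md5 == recorded_md5.strip().lower(),
        "sha1_match": sha1 == recorded_sha1.strip().lower(),
        "computed_md5": md5,
        "computed_sha1": sha1,
    }


def flip_one_bit(path, offset):
    """Simulate the smallest possible alteration: invert one bit at offset."""
    with open(path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0x01]))


def demo():
    """Build a constructed 2 MiB 'image', verify it, alter one bit, verify again."""
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "DemoImage.dd")  # hypothetical file name
    sector = b"Constructed sample sector, not real evidence.".ljust(512, b"\x00")
    with open(image, "wb") as fh:
        fh.write(sector * 4096)

    recorded_md5, recorded_sha1 = hash_image(image)  # stands in for acquisition hashes
    before = verify_image(image, recorded_md5, recorded_sha1)

    flip_one_bit(image, 1_500_000)  # same size, same name, one bit different
    after = verify_image(image, recorded_md5, recorded_sha1)

    os.remove(image)
    os.rmdir(workdir)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("untouched image :", before)
    print("one bit altered :", after)
```
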
So, you have successfully created your first forensic image of a drive.  Congratulations!
Now …. What can you do with it?
Let’s go ahead and close the FTK windows that are up.  Let’s pretend that an attorney gave you this destination drive with the image on it for you to examine.

When you look at the drive itself, you will see lots of files that have the same filename, but a different extension.  You can’t use Word or Excel, or notepad to read this.  What can you use?  FTK Imager.  FTK Imager will not only CREATE images, it will also READ them.
Start FTK Imager again.  Click the little green icon on the left to Add Evidence Item.  This time when it asks the source type, select IMAGE FILE. Click next and browse to the image that you created on your destination flash drive.
My screen looks like this:

Click on the DemoImage.E01 file.  Hey! There are TWO of those.  Well, not really.  One is a TEXT file that will have the case information and the hash information of the image, and the other one is the E01 file that you created.  Note the extension difference in the TYPE column.  Select the E01 file named DemoImage.E01, then click OPEN, and FINISH.

You have NOW opened your forensic image of the source media that you created.  In the column on the left, you will see the file DemoImage in the Evidence Window.  If you click the + sign next to the items in the list, you will drill down to the files that are on your source device.

The next article will talk about all the things you can see in an image that you may not be able to see on the source media.


As an attorney, how would you defend yourself?

USA Today reports in the November 12th 2014 issue that “Former Jodi Arias attorneys blamed for porn deletion”. The claim is that when the defense attorneys viewed the evidence at the police station, they secretly deleted thousands of files. This is why it is important, if not imperative, that attorneys never work with live evidence. Had the attorney been working from a forensically sound copy, as they should have been, this allegation could not have been made.

The sad part is that most attorneys have not had the training to know how to use a forensic copy. That is not hard to fix, as this process simply isn’t that hard.

1. The police should *never* give access to original evidence that could be altered – in the case of hard drives, or mobile devices, forensic copies should be made for examination.

2. An attorney should *insist* that the evidence that they are examining must be in such a condition that it could not be altered. Failure to do this invites this kind of claim.

3. An attorney should request an authenticated copy of all electronic evidence. These authenticated copies can easily be compared to the original to verify that the data is authentic.

4. An attorney should possess software that can mount the forensic copy as a drive on their computer. (This software is FREE.)

5. The attorney should know where to look for standard documents.

What are the take-aways?

• If the police department, or opposing counsel, lets you have access to evidence that can be altered, REJECT IT.

• If the police department, or opposing counsel, gives you access to evidence that has not been authenticated, REJECT IT.

• If you get an authenticated image of electronic evidence, know how to mount it.

• Once you mount the authenticated image of electronic evidence, know where to look for common files.

• When in doubt, consult a certified forensic computer examiner.

I’ve heard attorneys state “relax, this isn’t life or death”. In this instance, and the instance of Casey Anthony, I have to differ in opinion.

Jodi Arias was found guilty of murder, and the evidence was overwhelming. If this improper handling of evidence is used as grounds for a new trial, then a murderer could go free.

If the investigators that were working the Casey Anthony case had done a proper investigation of the internet browsers on Casey’s computer, perhaps there would be some degree of justice for her daughter, Caylee. I am not casting blame on anyone – the fact is that people make mistakes. However, if those mistakes can be fixed, then there is no excuse to make them again.

This evidence, found on June 16th, 2008 (the day Caylee Anthony died), was never admitted as evidence.

•At 2:49 p.m., after George Anthony said he had left for work and while Casey Anthony’s cellphone is pinging a tower nearest the home, the Anthony family’s desktop computer is activated by someone using a password-protected account Casey Anthony used;

•At 2:51 p.m., on a browser primarily Casey Anthony used, a Google search for the term “fool-proof suffocation,” misspelling the last word as “suffication”;

•Five seconds later, the user clicks on an article that criticizes pro-suicide websites that include advice on “foolproof” ways to die. “Poison yourself and then follow it up with suffocation” by placing “a plastic bag over the head,” the writer quotes others as advising;

•At 2:52 p.m., the browser records activity on MySpace, a website Casey Anthony used frequently and George Anthony did not.

Does this mean that Casey was guilty? That is not for me to say. What it does mean is that valuable evidence was not considered because someone didn’t know what they were doing. We all do our jobs to make a living, but there must be something greater than that. We have an obligation to society to help fix the things that are wrong.

The things I point out in this article, we can help you fix.



Windows XP – Zero Day

Do you remember Y2K?  Do you remember when the magnetic poles of the earth shifted and all life ceased to exist?  People make some wild claims, but if you become informed and remain calm, then the challenges that change brings are not so bad.

So – here we have Windows XP.  What to do?  “ZERO DAY IS UPON US”, say the headlines of technical journals everywhere.  So where is the hype and what is the truth?  I’m glad you asked.

Zero day is real.  It is the date after which Microsoft will no longer offer security updates of any kind (unless you have a contract with them) for Windows XP.  Why is that a big deal?  Because if there are no more security updates, then hackers will be able to find and exploit vulnerabilities without fear of being stopped by the next security update.  In a business environment, Windows XP is a two-edged sword; on one side, it was easy to develop software that interacted with XP and made it extensible, and many people did; on the other side, because of the way that Windows 7 differed from Windows XP, many programs would not run in the same way.

So, the real questions are :

1)      Do you have any programs that were specifically written for Windows XP that will not run in Windows 7 ?

2)      Do you run or keep confidential information on computers running Windows XP ?

If the answer to question number 1 is “no”, AND the answer to question number 2 is “yes”, then I will tell you without pause that it is in your best interest to upgrade your computers NOW.  The largest threat we are facing in the technological world right now is electronic theft.  Sometimes it is personal information, sometimes it is credit card information, but the new threat is information that has greater implications.  To steal corporate information that has trade secrets and to sell them to competitors, to steal legal or medical information that yields TONS of information that can be used to do all sorts of evil – these are the issues that concern us the most.

I understand wanting to save money – and I understand that people resist change.  I also understand that the reason we have vaccines is because someone figured out a way to stop certain diseases.  In this illustration, the “vaccine” of which I speak is the replacement of the old computer.  Let it go.  Back up your data (or better yet, keep your old hard drive), and get a new computer.  If you are afraid of the way that Windows 8 works, there are plenty of ways to make it look like Windows 7.

In the end, our advice is simple: upgrade your computers.  It simply isn’t worth the risk.  Will the magnetic poles of the earth shift if you don’t? Unlikely, but in the event it does, one would imagine that this will not be your largest concern.

Please call us with questions.  We can assist you in moving your data to its new shiny home.




The typical role of a forensic examiner is to find exculpatory information as designated by a discovery order.   It is common to receive a list of terms that are of interest to the attorney, and then the search begins.  But what happens when you need to find what isn’t there anymore ?


More importantly, why isn’t it there anymore ?


According to the Ohio Revised Code

2921.12 Tampering with evidence.

(A) No person, knowing that an official proceeding or investigation is in progress, or is about to be or likely to be instituted, shall do any of the following:

(1) Alter, destroy, conceal, or remove any record, document, or thing, with purpose to impair its value or availability as evidence in such proceeding or investigation;

(2) Make, present, or use any record, document, or thing, knowing it to be false and with purpose to mislead a public official who is or may be engaged in such proceeding or investigation, or with purpose to corrupt the outcome of any such proceeding or investigation.

Now why am I telling you, an attorney, that which you know so well ?  Because there are a lot of ways to hide things that you may not be familiar with.

There are also quite a few ways to casually (or not so casually) destroy potential evidence.

I have been a forensic examiner for many years, and I have used many tools during that time to assist me in my job.  As the profession of computer forensics has become more widely known, it is no surprise that a group of tools would be created to thwart the efforts of the would-be examiner.  These tools, though seldom advertised as such, are known as “anti-forensics”.  Their very job is to destroy or obfuscate information so that it would be of no use in a legal proceeding.

This is a two-edged sword.  Whereas I have no problem with people using software designed to destroy information for the purpose of thwarting identity thieves, or protecting themselves from people that might be involved in industrial espionage, it is obviously a crime to use these methods, software, or hardware devices to alter or destroy information sought by the court.

Though ignorance of the law is not an officially accepted reason (for almost anything), it would be better to remove the specter of ignorance from a custodian’s claims by being specific in an order designed to elicit information.

Litigation Holds (AKA “preservation orders” or “hold orders”) are designed to inform a party that they are to preserve any and all information regarding a potential discovery order.  Generally, the Court Order is written in such a broad fashion as to cover any potentially discoverable information. What it never includes (at least as far as we have seen) is a prohibition on employing any software, hardware, or method that is “anti-forensic” in nature.  This is an important concern, because many potential Custodians employ their own software in a corporate environment which is designed to obfuscate their actions.  This software may be in use outside of the purview of the corporate IT department, and as such would fall outside the scope of a corporate retention policy.

Typical examples of common packages in use would be :

Window Washer

Software that is less common, but very powerful would be :

Tracks Erase Pro
Evidence Eliminator

By specifying the prohibition of any tools which could obfuscate or destroy data in the preservation order, you give yourself more tools should a case of spoliation occur, and you also aid the Custodian in understanding what is and what is not permissible.

Advanced forensic analysis is often able to uncover the use of such methods, however the investigator must be familiar with the “footprints” that these products often leave.  If you were to walk into a room where a couch was recently removed, there would be imprints on the carpet where the couch was.  In much the same way, when we are examining a hard drive, we are not only looking for what is there, we are also looking for the remnants of what USED to be there.

As these products become more and more prevalent, the need to be diligent in defining the terms of the Rule 26 conference becomes greater.  When in doubt, take your forensic specialist with you.  If you don’t have one, give us a call.


–Many thanks to my editor, Mark Kruse


What does my smart phone know about me? (And what do I know about it?)

As a Certified Computer Examiner, and a Mobile Certified Examiner, I have the opportunity to look into all kinds of devices looking for information which is responsive to a subpoena and has probative value.  I tend to forget that most folks don’t realize what is in their device.  I was asked to look at a website today to determine if I could tell when it was accessed and by whom.  Simple enough – I went to the access logs of the site, and found exactly what I was looking for.  Well, that seems straightforward enough, doesn’t it ?

I was a little surprised at the reaction of the attorney I was working with, until I realized that most folks don’t know what information their Smart Phone is willing to give up.

I was able to tell the attorney :

1) What type of phone the user had
2) What browser they were using
3) What they searched on their telephone to find the website in question
4) and their GPS co-ordinates when the request was made.

I can comment on that information – but I have simply decided to let you think about it.


For my forensic friends out there

Know your environment.  Know more than one operating system ( I suggest at least three).

Know the major browsers – and the minor ones too.  Know where things are kept.

Know how email works.  Not just the flavor that YOU use – know them all.

WHY ??

On July 5th, 2011, Casey Anthony was found not guilty in the death of her baby girl, Caylee.  The forensic examiner did not follow the rules I just gave you.  The examiner was instructed to find the internet searches that had been executed on the computer that Casey accessed.  When the investigation was complete, it was declared that there was no evidence of value to be had in Microsoft Internet Explorer.

Casey Anthony used Firefox as the browser of choice.

Now, is that to say that if the examiner checked the internet history of Firefox he would have found the search terms “fool-proof way to suffocate” ?  I do not know.  They may not have known that Firefox stores its data in SQLite and even after history files are purged, remnants remain.  What I do know, is that this type of oversight cost a little girl her justice.

We also can be certain that the examiner was not using professional tools.  Had he been using Access Data’s FTK (Forensic Toolkit), the question of “what browser did she use” would simply be moot.  Provided a proper forensic image of the computer was made, FTK would have located her search, and the results of the trial would have been drastically different.

So, for my forensic friends, know your environment and get good tools.

For my attorney friends, make sure that your forensic expert knows their environments and has a decent toolset, as well as a great skillset.  Good tools are no substitute for poor skills. Good skills and good tools, however, are the combination that is required.

Be good at what you do – in this business, justice depends on it.
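
The Firefox history store mentioned above can be read directly with SQLite. The following is an added example, not from the original post and not FTK's method: it opens a working copy of a `places.sqlite` file read-only and lists the search terms found in visited URLs with their visit times. The database is constructed inline with only the columns the query uses, the search-engine parameter table is an assumption of this example, and only live rows are read (recovering purged records is a separate carving task).

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from urllib.parse import parse_qs, urlsplit

# Assumption of this example: which query parameter carries the search text.
SEARCH_PARAMS = {"google.": "q", "bing.": "q", "duckduckgo.": "q", "yahoo.": "p"}


def open_read_only(db_path):
    """Open a working copy without letting SQLite modify it or create side files."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)


def extract_search_term(url):
    """Return the decoded search text if url is a search-engine results page."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for fragment, param in SEARCH_PARAMS.items():
        if fragment in host:
            values = parse_qs(parts.query).get(param)
            if values:
                return values[0]
    return None


def searches_from_history(db_path):
    """List (UTC ISO timestamp, search term) pairs in visit order."""
    con = open_read_only(db_path)
    try:
        rows = con.execute(
            "SELECT v.visit_date, p.url FROM moz_historyvisits v "
            "JOIN moz_places p ON p.id = v.place_id ORDER BY v.visit_date"
        ).fetchall()
    finally:
        con.close()
    results = []
    for visit_date, url in rows:
        term = extract_search_term(url)
        if term is not None:
            # visit_date is stored as microseconds since the Unix epoch (UTC).
            when = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
            results.append((when.isoformat(), term))
    return results


def build_sample_db(path):
    """Create a constructed history database; URLs and times are sample values."""
    def prtime(*ymdhms):
        return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp()) * 1_000_000

    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
        "CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,"
        " place_id INTEGER, visit_date INTEGER);"
    )
    con.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", [
        (1, "https://www.google.com/search?q=ftk+imager+verify+hash", "search"),
        (2, "https://example.com/article", "article"),
        (3, "https://search.yahoo.com/search?p=e01+vs+dd", "search"),
    ])
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", [
        (1, 1, prtime(2024, 1, 15, 14, 51, 0)),
        (2, 2, prtime(2024, 1, 15, 14, 51, 5)),
        (3, 3, prtime(2024, 1, 15, 14, 52, 0)),
    ])
    con.commit()
    con.close()


def demo():
    """Build the sample database, query it, clean up, and return the findings."""
    workdir = tempfile.mkdtemp()
    db = os.path.join(workdir, "places.sqlite")
    build_sample_db(db)
    found = searches_from_history(db)
    os.remove(db)
    os.rmdir(workdir)
    return found


if __name__ == "__main__":
    for when, term in demo():
        print(when, term)
```
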


We are certifiable…

It’s true … and we can prove it.



We are happy to announce that we now hold all Access Data Certifications, including all 3 from Summation.

We had a very productive time at the Access Data Users Conference held in Las Vegas.  The expert panels, and classroom instruction were informative and interesting.  The NEW Summation is something that you must see.  It is a game changer, and we would be pleased to give you a demonstration on our live Summation Server.



Sticks and stones may break my bones, but I will still get your password.

“I can do more damage on my laptop, sitting in my pajamas,
before my first cup of Earl Grey than you can do in a year in the field.”

– Q, Skyfall.


In the history of combat, it used to be that one could see the enemy approaching and take proper precautions.  A “fair” fight dictated that one announced their intentions to their opposer and stood firm to look the enemy in the face.  When the Revolutionary War came about, the Americans did not subscribe to these notions – they did not wear red, they did not march in a straight line, they hid behind rocks and trees, and attacked in the dead of night.

There is a certain aristocracy for those who follow in the traditional steps of war.  I recall hearing two older men arguing once and one of them said “sure, anyone can drop a bomb – but real men go hand to hand”.  Interesting.  So pilots and smart warriors are not real men ?  No, I believe that they are.  They just have better tools.

So what does this all have to do with the internet ?  I was reading the comments of someone who stated that password cracking was now “officially” a script-kiddie activity.  Wow.  You know, you can call these people names all you want.  That does not negate their intelligence, nor should it lessen the impact of what they are able to do.  Password cracking is a great example of where scripts can come in pretty handy. The article goes on to say that an amateur, using only free tools available on the web was able to break more than 10,000 passwords in one day – and he had never broken a password before in his life.

You have heard it said by everyone : Change your passwords often and make them complex.  Don’t use words that are easy to type or remember – and don’t use words that are in the dictionary – and don’t write them down.  But you aren’t a computer are you ?  How will *you* remember a password that is complex, not in the dictionary, and you didn’t write it down ?  You won’t – unless you are willing to put a little work into it.

Padding a password helps – the longer the password, the longer it takes to break.  What is padding ?  I’m glad you asked.  Imagine the password PASS123 – a very common password – most password cracking programs will have this done in moments.  However, if we padded it slightly PpAaSsSs112233, this will increase the complexity dramatically – and it isn’t too hard to remember.  However many systems now require you to have three different types of characters of the four you can choose from (lower case, upper case, numbers, and special characters). Our previous example has three – but if you want to be even more secure, let’s add two more characters : PpAaSsSs11!22!33@.

That is a strong password – and we haven’t done a lot to make it so.  Simple changes like this can make the job of password cracking a little harder.  Of course, if you wrote them all down and leave them on your desk, then it won’t take a lot to lose them all at once.

This isn’t a new concept, but it is one that deserves your time.

According to CBS news, the 25 most common passwords of 2012 are as follows :

1. password
2. 123456
3. 12345678
4. abc123
5. qwerty
6. monkey
7. letmein
8. dragon
9. 111111
10. baseball
11. iloveyou
12. trustno1
13. 1234567
14. sunshine
15. master
16. 123123
17. welcome
18. shadow
19. ashley
20. football
21. jesus
22. michael
23. ninja
24. mustang
25. password1


If you use a password on this list, you are not alone. It is worth taking the time to make a change.  You wouldn’t use 1234 on your home alarm would you ?  Don’t fall victim to the use of an “old friend” password.  Your attacker will not be wearing a red coat, with a musket, marching in a straight line, with drums behind him.  They might just be in their Pajamas, eating Captain Crunch and waiting for their morning cartoons.


Rule 26, Rule 37, HIKE!

Technical information to assist you in a Rule 26 Conference.

It is not always practical to take a forensic examiner to your Rule 26 Conferences – but if you can, we recommend it highly.  If you can’t however, there are some issues that you will want to include in your evidentiary requests.

You will undoubtedly ask for information from computers that are a target of the discovery process – however, did you know that you can also request a list of devices that were attached to that computer so that they can also be included in your discovery request ?  On Windows-based computers, the registry tracks the removable devices that have been attached to the computer – and in many cases, includes the serial number of the device.  So when you ask for all of the thumb drives, or external USB drives used on a computer, you will actually know if they are the ones requested, or if they were simply purchased earlier that day.

Certainly you will ask for any mobile phones that may contain valuable evidence, but did you know that most corporate email systems track the devices that attach to them to pull data ?  A simple request to the IT department for a list of all devices that a user used to attach to corporate resources takes the guesswork out of how many devices – personal or corporate – were used to access information from a protected source.

Backups are the bane of existence for many people and the companies that they work for.  With the advent of the Safe-Harbor clause in Rule 37, people can often declare that data does not exist because it was purged in accordance with corporate retention policies and therefore they are unable to comply with requests.  However, if the data purge that is in accordance with the corporate retention policy is unchecked and automatic, a litigation hold order might inadvertently be neglected.  It is wise to include the IT personnel of the company at the time to exclude or suspend the retention policy with respect to information sought.

Another item which must be considered is something called Shadow Copies.  With respect to Windows-based computers, Shadow Copies may exist on workstations which will allow you to “go back in time” to see revisions of documents.  This same technology may also be present on Macs using a built-in program called “Time Machine” which is an image based backup that often occurs automatically.  It is wise to query if a “Time Capsule”, or other such storage medium is/was in use.

Finally, copies vs. images is a topic that must be discussed.  Historically we refer to images as pictures, or graphics, however in the context of evidentiary discovery, it is something completely different.  If you are to request copies of documents in a proceeding, you will not have a lot of the information that you may require.  If, on the other hand, you request a forensic image,  the forensic examiner will create a complete “image” of the storage medium which will include deleted files, meta data, and other information that will not be found in copied documents.  As well, a qualified forensic examiner will create a hash, or digital fingerprint, of the device to ensure that the original drive and the forensic copy are identical, thus aiding in admissibility.

So if you can’t take your tech, take these suggestions with you.  It isn’t everything there is to know, but it might just be what you need to make your case.


BYOD – A Legal Perspective

BYOD, or “Bring Your Own Device” is a topic that is gaining all kinds of interests, though as of yet, there is very little case law referencing it.  However, that doesn’t mean that the prepared attorney has to wait for a judge to rule against your client.

The pros and cons of such an arrangement are discussed in our blog “BYOD – Bring Your Own Device,  or Bought Your Own Disaster …. ??”, which you can read here

The thing is, you have clients to protect, and to do that we have to know what the options are.  At the heart of any workplace dispute is the corporate handbook which outlines the Acceptable Use Policy.  This is the policy that states that computing devices of the company are to be used strictly for the business operations of the company, and the employee acknowledges that all information contained on the computers of the company belongs to the company, and the employee should expect to enjoy no expectation of privacy.  Your clients have one of those right ??   I am sure that they will shortly if they don’t now.

The acceptable use policy is typically broad enough to cover all of the devices that are owned by the company, however the question becomes a little different if the company is expecting/permitting/requesting the employee to use their own personal equipment for corporate gain.

This is the time for a very specific outline of expectations and a reasonable and enforceable plan of action should the employment condition be altered by one party or another.

What many folks do not know is that most corporate electronic mail systems have the ability to remotely destroy all of the information on a corporately attached device.  This means that if your employee is getting their corporate email on their personal device, the Technology Department of your company likely has the ability to destroy that phone.  The idea is that, should a corporate executive with the secret sauce recipe of his company on his phone lose the device in a New York cab, he can simply call the IT department and have them perform a remote “wipe” of the device.  This will destroy ALL information on the phone, keeping the sauce recipe safe from prying eyes.  The ramifications of this ability, however, can be legally problematic if the employee is not notified that this ability exists, and acknowledges it through the acceptable use agreement.  Should the employee be terminated, the IT department may be instructed to destroy the device as it has sensitive corporate data on it.  The problem is that it may have also had the last text from a deceased relative that could never be replaced.

Many people believe that if an employee does not sign a waiver which explicitly absolves the employer of damages for a remote wipe, that the employee has grounds for a lawsuit.

But these devices are not just phones.  iPads, iPods, Surface, Tablets, and laptops are all devices that could contain corporate information.  These all must be taken into consideration when crafting an Acceptable Use document, and any accompanying waivers of liability.

The other workplace concern is the access of confidential information on a personal OR corporate device by the police if the holder is arrested. The Supreme Court of California recently upheld the warrantless search of mobile phone text messages in People v. Diaz, 51 Cal. 4th 84 (2011). The decision places little to no restrictions on the data police officials may access when searching an arrestee’s devices. This could open a world of problems should the information of the device be sensitive and unencrypted.

The subject in this case involved searching text messages on a phone; however, there is no limitation which would prohibit accessing confidential emails, documents, and voicemail messages that may contain private business or client information and/or information of a personal nature.  Telephone devices are not the only devices which may be at risk; flash drives, digital cameras, and laptops found on the person may also be searched.

In conclusion, the choices are very clear : either prohibit the use of personal devices to perform business operations, or write a very inclusive Acceptable Use Policy and waiver which the employee must sign.