
Mobile, Endpoint, and Forensic Collections

Forensically sound acquisition from phones, laptops, desktops, and remote devices for New York litigation and regulatory matters. Physical, filesystem, and logical collection methods with chain-of-custody documentation accepted in SDNY, EDNY, NY Supreme Court, and NY Commercial Division proceedings.


What This Solves

A significant share of business communication now happens on phones. Text messages, Signal threads, WhatsApp conversations, and calendar data from a custodian's iPhone may be the most important evidence in a matter before the NY Commercial Division or SDNY. The same is true for the browser history on a work laptop, or the files copied to a USB drive the night before a resignation. None of that data survives a standard IT backup, and none of it will survive a factory reset.

Mobile and endpoint collections require speed, the right tools, and a methodology that will not be challenged at deposition. Collecting a phone using an iTunes sync, or imaging a laptop by dragging files to an external drive, is not forensic collection. It loses metadata, may alter timestamps, and produces no chain-of-custody record. NYCF performs collections that are admissible, reproducible, and defensible, whether the device is in a custodian's Manhattan office, their home in Westchester, or at a third-party location.

For matters requiring full forensic device examination beyond eDiscovery collection, NYCF's mobile device forensics team and computer forensics team handle deep analysis including deleted data recovery, encryption bypass where legally authorized, and full artifact examination.

NIST Mobile Forensics Standards

NIST Special Publication 800-101, "Guidelines on Mobile Device Forensics," defines mobile forensics as "the science of recovering digital evidence from a mobile device under forensically sound conditions using accepted methods." NYCF's mobile collection practices follow the NIST SP 800-101 framework, which organizes the discipline around five stages: preservation, acquisition, examination, analysis, and reporting.

The NIST framework recognizes three primary acquisition types. Logical acquisition extracts data through standard application programming interfaces, producing call logs, contacts, messages, and app data. Filesystem acquisition provides deeper access by extracting the device file system directly, capturing additional data including some deleted artifacts. Physical acquisition creates a bit-for-bit image of the device's storage, the most complete method when device type and circumstances permit it. NYCF selects and documents the acquisition method based on device type, operating system version, encryption status, and the specific data required for the matter.

Devices and Platforms Covered

Mobile and endpoint forensics requires different tooling and techniques for each platform, operating system version, and device state. NYCF's collection team handles the full range of devices encountered in New York litigation:

iOS (iPhone and iPad): Logical, advanced logical, and filesystem-level acquisitions using industry-standard tools. NYCF handles current and legacy iOS versions, including devices with passcode or biometric lock, with appropriate legal authority from counsel or court order.

Android: Acquisition from Samsung, Google Pixel, and other manufacturers. Android's fragmentation across OS versions and manufacturer customizations requires tool selection and methodology documentation on a per-device basis, which NYCF provides.

Windows laptops and desktops: Forensic imaging using write-blocked hardware, producing verified bit-for-bit images in E01 or AFF4 format. Includes both on-site imaging at client offices across the tri-state area and remote collection for endpoints not accessible in person.

macOS devices: Forensic imaging with T2 and Apple Silicon security considerations addressed. NYCF's analysts understand macOS artifact locations including APFS snapshots, Unified Logs, and the SQLite databases used by Apple applications, all of which have appeared in NY commercial litigation.

Tablets and specialized devices: iPad, Surface Pro, and other tablet platforms used in corporate environments across Manhattan, Westchester, and Long Island offices.

Wearables and IoT endpoints: Apple Watch, fitness trackers, and connected devices when their location, activity, or communication data is relevant to the matter.

Remote and Agent-Based Endpoint Collection

New York commercial litigation often involves custodians in multiple offices, states, or countries. Deploying a forensic analyst to every location adds time and cost. For endpoint collections where physical imaging is not required, NYCF uses agent-based remote collection tools that extract targeted data sets from Windows and macOS devices over a secure connection, with a full audit trail of what was collected, from which device, and when.

Remote collection is not uncontrolled collection. NYCF scopes remote collections to specific custodians, date ranges, file types, and directories. The process runs in the background without disrupting the user, and the collection agent is removed after acquisition. Every remote collection produces a log file documenting collection parameters, items collected, and hash values for the output package. That log satisfies what NY courts and the SDNY/EDNY expect in terms of collection transparency.

For high-stakes matters or when the collection may be challenged, on-site forensic imaging remains the strongest methodology. NYCF's Manhattan, Westchester, and Long Island offices mean local collection can happen the same day you call.

NYCF's Collection Process

Preservation and Device Isolation

Before any acquisition begins, the device is isolated from networks to prevent remote wipe commands, data synchronization, or automatic updates from altering the evidence state. Mobile devices go into airplane mode plus a Faraday bag or signal-blocking case. Endpoints are disconnected from the network with the disconnection event documented. The initial device state is photographed and logged before any tool touches the device.

Acquisition Method Selection and Execution

NYCF selects the appropriate acquisition method based on device type, OS version, encryption status, and matter requirements. Logical acquisition is used where it captures the required data. Filesystem or physical acquisition is used when deeper access is warranted. Hardware write blockers prevent any writes to the original device during endpoint imaging. Hash values (MD5 and SHA-256) are computed immediately on both the original and the acquired image to confirm an exact copy.

Validation and Integrity Verification

After acquisition, NYCF verifies the image or extraction by recomputing hash values and confirming they match the values recorded at collection. This verification is documented in writing and becomes part of the chain-of-custody record. For mobile extractions, NYCF also validates that the output contains the expected data types and that application databases are intact and parseable before the package is delivered to counsel.

Chain of Custody Documentation

NYCF generates a chain-of-custody form at collection, recording device make, model, serial number, IMEI (for phones), collection date and time, analyst name and certification, collection method, and hash values. Any transfer of custody is documented with the same specificity. These records are maintained for the duration of the matter and provided to counsel as part of the collection package, meeting the standards expected in NY state and federal proceedings.
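
The acquisition-time hashing, later re-verification, and custody record described in the steps above can be sketched as follows. This is an added example, not NYCF's tooling; the function names, record field names, and sample device values are assumptions constructed for illustration.

```python
import hashlib
import io
from datetime import datetime, timezone

def dual_hash(stream, chunk_size=1 << 20):
    """Read the image once in chunks, feeding MD5 and SHA-256 together."""
    md5 = hashlib.md5(usedforsecurity=False)  # integrity record, not a security control
    sha256 = hashlib.sha256()
    while chunk := stream.read(chunk_size):
        md5.update(chunk)
        sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")

def open_custody_record(device, analyst, method, image_stream):
    """Create the record at collection time (field names are hypothetical)."""
    return {
        "device": device,
        "analyst": analyst,
        "method": method,
        "collected_at": _now(),
        "hashes": dual_hash(image_stream),
        "events": [],  # append-only log of verifications and transfers
    }

def verify_image(record, image_stream, who):
    """Recompute both hashes, log the outcome, return True only on a full match."""
    current = dual_hash(image_stream)
    mismatched = [a for a in ("md5", "sha256") if current[a] != record["hashes"][a]]
    record["events"].append({
        "event": "verification", "by": who, "at": _now(),
        "result": "MISMATCH" if mismatched else "match",
        "mismatched": mismatched, "computed": current,
    })
    return not mismatched

# Constructed sample data: stand-in bytes for an image file, placeholder device.
SAMPLE_IMAGE = b"constructed-image-" + bytes(range(256)) * 64
SAMPLE_DEVICE = {"make": "ExampleCo", "model": "Phone X",
                 "serial": "SN-PLACEHOLDER", "imei": "IMEI-PLACEHOLDER"}

if __name__ == "__main__":
    rec = open_custody_record(SAMPLE_DEVICE, "A. Analyst", "logical",
                              io.BytesIO(SAMPLE_IMAGE))
    print(verify_image(rec, io.BytesIO(SAMPLE_IMAGE), "A. Analyst"))  # unchanged copy
    altered = SAMPLE_IMAGE[:-1] + b"\x00"  # single changed byte
    print(verify_image(rec, io.BytesIO(altered), "A. Analyst"), rec["events"][-1]["result"])
```

Logging the failed verification alongside the successful one keeps the record complete: a mismatch is itself an event that has to be accounted for.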

Data Extraction and Processing

From the verified forensic image or mobile extraction, NYCF processes the data using forensic analysis tools to extract targeted data types: emails, text messages, call logs, contacts, calendar entries, documents, browsing history, application data, geolocation records, and media files. For eDiscovery purposes, the extracted data is converted into standard formats for loading into the Advantage Plus review platform or any platform specified by counsel.

Collection Report and Expert Documentation

NYCF produces a written collection report documenting the devices collected, acquisition methods used, validation results, hash values, and a chain-of-custody log. This report is suitable for disclosure to opposing counsel in meet-and-confer discussions under FRCP Rule 26 or NY CPLR disclosure rules (CPLR 3101, 3120), and as the basis for an expert declaration or affidavit if collection methodology is challenged in SDNY, EDNY, or NY state court proceedings.

Evidence Integrity and Defensibility

Challenges to mobile and endpoint collections in NY litigation typically target three things: write contamination, authentication, and continuity of custody. NYCF's process addresses all three directly.

Write-blocking hardware ensures zero writes occur to the original device during imaging. Hash verification at acquisition time and again at analysis time confirms the image matches the original, bit for bit. Chain-of-custody documentation accounts for every custody transfer from collection through delivery to counsel. NYCF's certified examiners are prepared to testify to each of these points under oath in federal and state court proceedings, including before magistrate judges in SDNY and EDNY who scrutinize collection methodology in complex commercial matters.

NY Bar rules under the NYRPC and the duty to preserve evidence under NY decisional law require that attorneys supervise the technical aspects of eDiscovery collection. NYCF works directly with litigation counsel to ensure that collection methodology is documented in a form that satisfies both the technical and professional responsibility dimensions of that obligation.

What NYCF Delivers

Forensic image files (E01, AFF4) or verified mobile extraction packages, with MD5 and SHA-256 hash verification records for each device.

Signed chain-of-custody documentation.

A written collection report documenting methodology, acquisition type, and validation results.

Extracted data in review-ready format: load files, native files, or processed output for the Advantage Plus platform.

Expert declaration or affidavit on collection methodology if required by court order or meet-and-confer agreement.

Deposition and trial testimony on collection and analysis methodology from CCE, EnCE, or ACE certified examiners.

Last reviewed and updated: April 2026

Mobile Device Collections

iOS logical, filesystem, and physical acquisitions. Android across all major manufacturers and OS versions. SMS, MMS, iMessage, WhatsApp, Signal, and app data. Location history, call logs, and calendar entries extracted with full family relationships preserved.

Endpoint Imaging

Windows forensic imaging in E01 and AFF4 format using hardware write blockers. macOS imaging with T2 and Apple Silicon support. On-site collection across Manhattan, Westchester, and Long Island, plus remote agent-based collection for out-of-state custodians.

NIST SP 800-101 Methodology

Preservation and network isolation before acquisition. Documented acquisition method selection with reasoning. Hash-verified integrity confirmation at collection and analysis. Structured examination and reporting suitable for NY state and federal court submission.

Forensic Support Services

Chain-of-custody documentation for every device and transfer. Expert declarations and affidavits on collection methodology. Deposition and trial testimony from certified examiners. Collection challenge support in SDNY, EDNY, NY Supreme Court, and NY Commercial Division proceedings.

Mobile or Endpoint Collection Needed?

All matters are strictly confidential. NYCF can deploy on-site across the tri-state area for urgent collections, or begin remote endpoint collection within hours of engagement.

Evidence on a Device. Let NYCF Get It Right.

From a single custodian's iPhone to a fleet of corporate laptops across the tri-state area, NYCF's forensic collections protect evidence integrity and provide the documentation your attorney needs for NY court proceedings. Contact us to discuss your matter.