People often have questions about how to best protect their children and their assets during a divorce, but one area that they often overlook is protecting their data and making sure that their spouse can’t access their devices accidentally or otherwise. In this episode host Jaime Davis explores this topic with Rusty Gilmore, a Security Consultant and Computer Forensic Expert with Protus3.
Note: Our Podcast, “A Year and a Day: Divorce Without Destruction”, was created to be heard, but we provide text transcripts to make this information accessible to everyone. All transcripts on our website are created using a combination of speech recognition software and human transcribers and could contain errors.
Jaime Davis: Welcome to Episode 7 of Season 3 of “A Year and a Day.” I’m your host, Jaime Davis. Today I’ll be speaking via Skype with Rusty Gilmore about how you can best protect your electronic devices and data during a separation and divorce. Rusty is a security consultant and computer forensic expert with Protus 3. Prior to becoming a computer forensic expert, Rusty sought to protect and serve the people of North Carolina as an officer with the Raleigh police department. Throughout his career, Rusty has consulted on several high profile and nationally recognized computer and technology misappropriation cases. He has dealt with data theft, deletion of data, murder cases, hacking cases, wire fraud investigations and quite a few family law cases. We are glad to have Rusty here with us today. Here’s our call.
So when clients first meet with me, they often have questions about how to best protect their children and their assets. But one area that they often overlook in my experience is their data and making sure that their spouse can’t access their data accidentally or otherwise. Um, when a person is separating from his or her spouse, what data do they need to think about protecting?
Rusty Gilmore: It’s, any data that’s shared between the spouses, and usually what happens over time, people give email passwords to their spouse to be able to log in for, for whatever reason. So email accounts, um, any kind of financial account where you both have shared access, uh, Google specifically because it allows you not, uh, not just to do email, but also you’ve got files on Google documents, photographs.
So any kind of account where you’ve both shared access, you, you need to think about how to separate that, you know, during this period in their lives.
Jaime Davis: Where does this data normally exist?
Rusty Gilmore: The data can be on the devices. And if you have an iPhone, you’ve probably synced this data to the cloud, uh, which means your data may be both on your iPhone and in the iCloud. With an Android phone, it would be on your phone and possibly synced with your Google account.
Also understand that with an iPhone or an iCloud account, you can have family sharing. So you may have multiple devices that you’ve connected to this account over the years, including your children’s accounts. Um, you may have old phones you’ve, you’ve put away in a drawer that still have access to this old iCloud account. It’s the phone has just been turned off.
So there’s data on pretty much every device you’ve had in your possession and used since the relationship. And then all of the service providers that you’ve connected to with those devices, such as Google, uh, Yahoo iCloud.
Jaime Davis: And so when you say family sharing on the account, what does that mean?
Rusty Gilmore: Family sharing allows you to share data amongst members of your family so that you can have four or five members of your family associated with one iCloud account and it allows them to share iTunes data, documents, photographs. It also allows the ability to track the device associated with that our cloud account, if that service is turned on.
Jaime Davis: So does that mean that if let’s say you, your spouse, your kids, you have one account. Does that mean any one of you can access the cloud?
Rusty Gilmore: Yes. Any one of you would be able to access the cloud. And, and in a situation where there’s, there’s a separation that’s taking place, you may have thought about separating your, the spouses, separating their ability to connect to that one iCloud account, maybe one spouse gets a new iCloud account so that they can take care of that concern. But the, the child’s device, usually an iPad from my experience, will still connect to one of the iCloud accounts either of the spouses and when that child travels to the other spouse’s house, then that data associated with the other spouse’s activity, emails, text messages could be available to the other spouse.
Jaime Davis: So that sounds like something that folks would definitely want to make sure is taken care of, especially with a device that does get shared between houses.
Rusty Gilmore: Yeah, I think you need to reevaluate all your electronics as it relates to any kind of communications when, when you go through something like this. Um, it’s, it’s tough enough as it is to deal with the normal aspects of something like this. But when you add this shared data amongst everybody involved, I think it’s a process that needs to be dealt with in the beginning so that six months or six weeks down the road, all of a sudden there doesn’t become a concern that by all means could have been prevented.
Jaime Davis: Right. Especially if you know, one spouse, let’s say they’re communicating with their lawyer, um, through text message or email and, you know, there’s that data on that iPad, that’s going over to the opposing party’s house. You certainly don’t want them getting their hands on that.
Rusty Gilmore: Right. And it’s, in some cases it’s completely unintentional, but there’s that unknown there that makes it something that has to be dealt with. And, um, you know, making sure that that’s something that can’t happen in the beginning really does prevent a lot of, uh, issues down the road. And a lot of questions, unanswered questions down the road, too.
Jaime Davis: So along those lines, what steps can folks take to ensure that their data is protected from being accessed by their former spouse?
Rusty Gilmore: Well, you have to look at the cloud account, that’s where you would start, so say the iCloud account. And it gives you the ability to go into that account, log into it as the user is the main user and go on and see what devices are connected to that iCloud account.
Um, most people forget it’s an automatic process when you set up a device and you never really check. So I think as you, you know, if you see you’re going to go down this road in a relationship, you just log on to the iCloud account or the shared account such as Google, see what devices are connected to that account, and then remove the devices that don’t need to co-mingle anymore, uh, especially co-mingle the data. You know, now we have TVs and, and Alexa’s that connect to some of our devices. Um, I’ve never seen an issue with an Alexa as far as sharing data, but those are things that have to be considered. What accounts do I have that are cloud accounts? And the problems I see mainly relate to iCloud and Google. Um, and then what devices are attached to that account in which devices need to be removed?
Now, you know, maybe this may be temporary. You can always go back and add that device. Um, maybe one party doesn’t want to lose a bunch of pictures. There can always be a remedy to be able to share that data in another format. But I think it’s important not to allow the data, to be able to share constant communications that the other party is having.
Jaime Davis: So in order to be able to change the access to the cloud or to remove devices, like you just mentioned, do you have to be like the primary person on the account or can any of the folks on it do it?
Rusty Gilmore: You, you do have to be the administrator, which is mainly as the person who set it up. Um, you, in some cases it is one of the children, but in most cases it’s a parent. Um, it’s, you know, this may be a 10 year old account. Uh, they may have forgot how, how they set it up. And I’ve had some even forget the password. It’s been so long since they’ve had to use that password.
So, uh, we, you know, when we sit down with a client, the first thing we do is say, what are your devices? What services do you use? How do you communicate? Um, and then we get into those accounts. And start going through what devices are associated with them, identify those devices and then make the necessary changes.
Jaime Davis: So that sounds like really good advice. Do you have any other, uh, tips for how to deal with email accounts and passwords and what folks should do with those?
Rusty Gilmore: I say, if, if you, you get into a situation where you’re going to have to go through something like this, um, you need to change all your passwords. I find quite often, spouses and people who have lived together for extended periods of time share passwords, or somebody needs to get into somebody else’s email account because of, uh, some email that’s coming in that’s relevant to both of them and somebody needs to see it or access it. Somebody is out of town. And so if you haven’t changed your password in five or 10 years, um, you can feel pretty comfortable that the person who’s been with you for a year or more may know what that password is with and they would have access to that account. So change your passwords.
Um, you know, and, um, I didn’t even think about this in the beginning, but look up and then determine if two factor authentication is available for your service. That would be iCloud or our Google, your bank account, any service you use. You can set up two factor authentication that so that you have to have your telephone in your possession to be able to log into that account. And it just adds a layer of security and removes that uncertainty.
And I see uncertainty in every one of these cases. It’s, I’m not sure. Uh, I’m not sure if this is happening, but let’s check it out and see, and it’s best just to remove that uncertainty.
Jaime Davis: Right. Go ahead and do that on the front end so you don’t have to worry about it later. So, what do you recommend someone do if they think their data has been compromised?
Rusty Gilmore: You know, as it relates to the situations we’re talking about, I mean, of course you can, you can come and see us and we can try and work you through that. And we have a process to deal with clients who think somebody may be accessing their data. Um, I would have to say a lot of time it’s, somebody has the capability to access their data, but it’s not necessarily happening. And so what we wound up doing is just removing unnecessary devices and enabling two factor authentication on all the accounts that are important to, to our client.
Um, if, if somebody is, you know, computer savvy and understands all this, by all means, all you have to do is go in, log into your account, enable two factor authentication and remove suspect devices.
But if you think somebody is compromised, if you think somebody logged into your account, then you know, we, we need to look at that and then get that login information. And in some cases it requires subpoenas. It requires a legal process through, um, an attorney to determine whether or not, you know, that’s a route that needs to be taken, but you do have to subpoena records in a lot of cases to approve someone has access to an account without authorization.
Jaime Davis: So if a client were to come to you ,and let’s say that they show up with their iPhone and they say to you, I think that my spouse is in my phone, what is the first thing that you all do?
Rusty Gilmore: If it’s just a phone, um, and we deal with computers too, but if in this matter, if it would have just been the phone, um, we would look at the settings on the phone. We would look at whether or not that, that device was connected to an iCloud account. Then we would go log into that iCloud account to make sure that it was set up so that only the person using this phone had access to that iCloud account. In some cases, the person who has the phone who thinks it’s being monitored, they’re not the owner of the iCloud account. So it can’t be removed from that iCloud account. We just turn off sharing. And then we’ll set it up on a different iCloud account.
Jaime Davis: So there is a fix, even if you’re not the administrator of the iCloud account, you can still help those folks as well?
Rusty Gilmore: Yes. There is a fix with a lot of caveats of, well now I can’t see my pictures or this data’s not available to me or, you know, issues down that line. But again, we can make a list of all that, and that can become something for the attorney to deal with as far as making sure everybody gets the data that’s rightfully theirs. What’s the emergent issue is making sure the client feels safe in their communication with their attorney, their family, their children, during this period.
Jaime Davis: So if iCloud sharing is not the issue for the person, do you have ways to see if there are any sort of like apps or spyware on the phone that are enabling the spouse to monitor the other person’s actions?
Rusty Gilmore: Uh, yeah, we, what we do and we get a case like this, we will image the phone. Um, we use an application specifically designed to collect all the data from the device, whether it’s an, a phone or a tablet, iPad. And then we have the ability to forensically image computers, whether it’s an Apple computer or a standard windows PC. And then we can run scans across those computers, us specialized software to analyze the data, and determine whether or not there’s some spyware that’s been purchased and installed on the computer, keeping in mind, you know, and the questions we have to ask, is this your work computer, and you’re the only one who knows the password and has anybody else ever touched it? Or is this a computer that’s sitting on the kitchen counter that everybody used without a password. That’s, that’s important to know.
Jaime Davis: Right. And you mentioned having it imaged. For folks that don’t know, what does that mean to have a computer imaged?
Rusty Gilmore: To have a computer imaged means getting a bit for bit copy of all the data on the hard drive. Not just what the user sees when they boot up windows or the Apple software, but the deleted data, the unused space on the hard drive. So it collects every bit of data, valid or not, or good or not, off that hard drive for us to examine. But it’s an exact duplicate of that hard drive that we have the ability to process. And what’s important about that is you can bring the computer to me, or anybody who does computer forensics. You take the computer to them. It’s imaged, you know, later that afternoon or the next day, you can take the computer back and have it in your possession. Once we’ve imaged it, we, we have an exact copy of that, that computer and can analyze that copy.
Jaime Davis: And so when you are analyzing a copy of a computer, what sorts of things might you be looking for, in the connection with a family law case?
Rusty Gilmore: Oh, we’re definitely looking at, um, malware, spyware, any kind of applications that’s been installed that would allow data from the computer to be transmitted somewhere, to be reviewed by somebody else. Um, it’s very difficult with family computers, where there’s no sign in for each person. Everybody signs in or uses the exact same account.
And so five members of the family using the same account on that computer, make it a little bit more difficult to identify somebody, if somebody did anything and exactly what they did. Um, in some cases, people sign on as different users and we’re able to see better what someone, you know, may have installed on, on one of the other accounts, or maybe on the computer as an administrator of the computer.
Jaime Davis: And so when you’re analyzing an image, are you able to retrieve emails from a computer?
Rusty Gilmore: We can retrieve emails that have been saved to the computer and some of the residual internet history. Understand there’s several ways you can get email. You have outlook on your computer, and so outlook connects to your email account. Download your email to that outlook client, and all those, and in most cases are stored on the computer. So if you bring me the computer, I can see all those emails.
But if you use Google, and you only log in to Google through the Google browser, those emails aren’t, aren’t stored on the computer. There’s pieces and parts of them on the computer that can be reviewed and looked at, but those emails are stored in the cloud.And that, that goes for phones too. Most of the emails on the phone, aren’t stored on the phone. They reside in the cloud.
Jaime Davis: So in a case like that, where someone is using Google for their email and the email is not going to be on the device itself, what would you need to do to go about getting those emails?
Rusty Gilmore: Well, if the, the client who comes to me, if my client says hey, I need a copy of all my emails and they’re in Gmail, and I don’t really know how to do that, we have a process and an application specifically designed to connect to that Gmail account and download relevant emails. We can do a keyword search. We can do a date search, and we can go into to Google’s account and download all those emails and then provide those to the client or the attorney. Now it takes a court order for me to get the other person’s email account. So one spouse can’t come to me and tell me to get the other spouse’s emails out of the cloud, even if they have the password. I can’t do anything like that without a court order, and I don’t think that anybody would recommend or suggest that to.
Jaime Davis: Right. So what about those emails that are stored on the device? Let’s say it is Outlook that we’re talking about. What if it’s a family computer, and some of those emails have been deleted. Are you able to get any of that information off of the device itself?
Rusty Gilmore: Yes. Some deleted emails, um, can be recovered from the computer. Um, and if that Outlook is associated, that Outlook application on the computer is associated with a Gmail account or a work account or something like that, sometimes we can go into the service provider or the exchange server and get those deleted emails.
And, um, you know, people have to realize too, there are backups, um, and specifically as it relates to iCloud. So if you don’t have that email or you deleted it six months ago, there’s a possibility, it resides in a backup that may be somewhere on that computer, somewhere in the phone or somewhere with the service provider.
Jaime Davis: So what about text messages on a cell phone. Are you able to retrieve deleted messages?
Rusty Gilmore: Yes. Sometimes we can. It depends on the make and model of the phone. It’s a little bit more difficult on newer phones, a little bit easier on older phones because the technology keeps changing so rapidly. Um, but in, in some cases, yes, we are able to get deleted texts. Now six months after the fact, uh, it’s a lot more difficult. Also if the, iPhone has been factory reset, you cannot get anything off the phone if it’s been factory reset.
Jaime Davis: And what does that mean?
Rusty Gilmore: Factory reset is a process you can go through on an iPhone that sets it back to the same way you got it the day you first saw it. So when you picked it up out of the box and you turned it on and you started seeing, you know, hello in multiple languages, that’s what you’ll see again when you do the factory reset. It’s allowing you to reset that phone up again, either usually with, some people do it with a new account number, uh, or a new account information. But sometimes people do that to clean their phone off or because they forgot their passcode.
Jaime Davis: And so at that point, all the data that was on that phone is gone?
Rusty Gilmore: All the data would be gone under those circumstances, yes, unless you had a backup in the cloud. So most our phones are either backed up to a laptop computer, or backed up to the iCloud. After you do that factory reset, if you type in the same username on that iPhone, it will recognize that you have an iCloud account and ask you if you want to restore your data back to the phone.
Jaime Davis: So in your experience, how often are folks backing up to a computer now versus the cloud, or have most folks switched over to, they just back up to the cloud?
Rusty Gilmore: Most of those backup to the cloud. Um, you know, I had a recent case where someone forgot a password. So we were looking for the iPhone’s backups, and we found some in the cloud and four, um, four other backups on different computers throughout the house.
So, and that showed me that in the past, most people plug their phone into a computer, did an iTunes backup of their phone, made the changes they wanted to make, and, uh, and lately, uh, it’s more been back up to the iCloud because that is an automatic process. Uh, you, you just, there’s a switch on your phone, on your iPhone. You tell it to back up to the cloud, and as long as you have enough storage space, you’ll continue to back up that device to the cloud.
Jaime Davis: So we’ve talked a lot about phones and computers and having those devices imaged. Are there other types of devices that can be imaged as well?
Rusty Gilmore: Oh, of course. Um, you know, electronics are kind of is involved in every aspect of our life now, as well as computers. Um, you have Fitbits. You have Apple iWatches. You have, um, phones, I mean, excuse me, you have TVs that connect to Netflix. You have Amazon devices. So you know, whether or not they’re relevant in a matter is, you know, depends on the situation, but those devices can all be, um, can be imaged.
Jaime Davis: That’s really interesting. What types of information can you get from something like a Fitbit or an Apple watch?
Rusty Gilmore: Well, I mean, if, if someone always wears a Fitbit, it’s gonna monitor the number of steps they take a day, their heart rate. Um, so maybe an issue would be, uh, somebody is supposed to be going to the gym for two or three hours every other day, and you know, they’ve got a Fitbit or an Apple watch, you know, it tracks that kind of activity. Maybe you just want to confirm that that’s in fact what happened. Now, of course they could say they take it off. But, um, those are some of the questions I get asked when we’re trying to determine someone’s past activity or in some cases, even someone’s current activity.
Jaime Davis: What is the cost associated with imaging a device?
Rusty Gilmore: A mobile device, such as an iPhone, an Android or tablet is $750 just to image it. Um, and in some cases we’re asked just to image something and preserve it and, and you might can speak better to that than me. In some cases, we’re asked to analyze that data and that’s at $250 an hour. That’s about the average rate in this general, in this area. And it can take two to four hours to, to analyze the data on a mobile device.
On a computer, averages about $500 to image the hard drive and then four to six hours to analyze the data. Again, it depends on what you’re looking for. If you can be, you have a real specific request like just want the history on, um, May the 5th, that’s pretty straightforward and simple to collect. If you want to see all internet history, uh, all documents on the computer, all pictures on the computer, and that kind of, uh, collection of data, that’s going to take a lot longer to put together.
Jaime Davis: It sounds like when you say, just make an image, what you’re saying is that you were literally just making a copy of the device. You’re hanging onto it. You’re not going through it. You’re not searching it. It’s literally just a duplicate copy. Is that right?
Rusty Gilmore: That’s correct. We can image a device and hold on to it. We can give that image, that forensic image to the attorney. We will not look at the data on any device unless we get told to do that in most cases by the attorney, because once we look at that data, then we’re obligated to provide information, or look at things and we shouldn’t be privy to yet until an agreement comes in place.
Now I’ve also worked in the middle of, uh, issues where I’ve worked for both sides, um, as a document custodian. I’ll collect documents from both sides, share what documents are allowed with the other side. So I’m real specific about what I can look at and what I’ve been instructed to review on any device I’m providing.
Jaime Davis: And so most often, would you say that the information that you should not be providing to one side or the other, is that typically like attorney-client protected information, like maybe communications the person had with his or her lawyer?
Rusty Gilmore: Correct. And in, from experience, a separation or the thought of the separation will, will start, people will communicate with an attorney to figure out exactly how they should go about this, or even if they should go through it, and then four months later, or three months later, we’re collecting computers that contain all these, uh, attorney-client privilege emails. And so we, we are very aware of the need to continue to keep that attorney-client privilege intact and will not share those emails with anybody.
Jaime Davis: So, what is your process if a client comes to you with the device that they would like you to image?
Rusty Gilmore: Um, whether it’s a phone or a computer that can bring the device to us. Um, you know, of course we have some paperwork to fill out, but we’ll image that device, do it as quickly as possible and give that device back to them. Um, with a phone, an iPhone can take three or four hours, um, to, to collect the data. I’ve had Androids take six and eight hours because of the way they’re configured, and computers can take four to six hours.
But all the client has to do is bring us that computer, hand it over to us, um, sign that they have a right to do that, and we’ll image it. Once we image it, we give the device back, if we can. Sometimes the attorney has asked us to keep those devices. Uh, and then it takes about two to four days to process that data, um, to analyze, to run through processes on all the data so we can separate emails from internet history, from photographs, from documents, uh, so that it’s easier to, to provide back to the client, um, the information they need.
Jaime Davis: So what if the client shows up and the phone they have with them to be imaged is not theirs, but it belongs to their spouse? And let’s say they don’t know the passcode to it. Can that device still be imaged?
Rusty Gilmore: In most cases, that device cannot be imaged. If it is an older device, um, it can be imaged and, you know, like the old, uh, iPhone 5’s or, you know, the old, older models. Um, you can circumvent the passcode in a lot of those, but, and with that being said, if I can image any device that is brought to me, I will image it. Um, but I will not look at that image. I will preserve that data because I will wait for later instructions on who that data should go to, based on agreements made between both sides or, or attorneys. But I would not look at that data, but I would image it.
Jaime Davis: Yeah. That’s a really good point. You know, sometimes it is a matter of just preserving that evidence so that it still exists later, um, but still needing to get, you know, in some cases, permission from the court before that data is looked at.
Rusty Gilmore: Yeah, agreed. And that would, to me, I don’t know what’s on the phone and I haven’t given permission to really look at it. And if it’s brought to me by the other spouse, um, imaging, that phone, I don’t think is an issue. I think the only thing that would be an issue for me would be if I just started looking through it. So, um, that would not be done until some kind of agreement was put in place.
Jaime Davis: Right. Well, before we wrap up today, do you have any additional tips for folks who are going through a separation to protect their devices and data?
Rusty Gilmore: Just be aware of where your data is, what accounts you have shared over the, the many months, or many years that you’ve been together with someone, your children’s devices. Um, you know, I’ve had people walk in with eight phones that they’ve had over the past five-year period where people keep changing out phones, but older data is on these older phones.
So I think you need to sit down and put on paper, your accounts, your devices, who has access to what, and then figure out a way to separate that and prevent problems down the road, as far as shared data or shared accounts. In a lot of cases, I see it is unintentional and sharing of that, that information. But if a child’s iPad is getting one, you know, parent’s text messages while he’s at the other parent’s house, whether that other parents saw those texts or not is going to come into question, and it’s best to, document everything you have as far as phones, accounts that were all shared or they were combined, and then work with your attorney to figure out the best way to make sure you separate that, um, so that you can have a secure form of communication with, with your, um, your legal advisor.
Jaime Davis: Rusty, those are some great tips. Thank you for joining me today. If any of our listeners would like to contact you, what is the best way for them to reach you?
Rusty Gilmore: Um, of course you can call me at the office. Uh, the company is Protus 3, and the office number is (919) 834-8584. And, um, um, feel free to send me an email. That’s our Gilmore, rgilmore@protus3 and the number 3.com.
Jaime Davis: I hope you all found this episode of “A Year and a Day” to be helpful. And if you have any questions or comments, I would love to hear from you. You can email me at jdavis@divorceistough.com. As a reminder, while in my role as a lawyer, my job is to give folks legal advice. The purpose of this podcast is not to do that. This podcast is for general, informational purposes only, should not be used as legal advice, and is specific to the law in North Carolina. If you have questions before you take any action, you should consult with a lawyer who’s licensed in your state.
