Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: All

Horowitz discovered previously unknown database contained text messages...

DETAILS
The Problem
The OIG requested from the FBI text messages of, among others, two employees in
connection with the Pre-election Review. When the OIG received the text message production
from FBI, there was a time period of several months for which FBI did not produce text
messages for mobile devices used by the two FBI employees. The FBI informed the OIG that it
was aware that there were deficiencies in its collection application and that it was changing the
model of the mobile device issued to FBI employees as part of a regular technical refresh and to
mitigate the problem. However, the OIG later learned that, even after upgrading to new devices,
the data collection tool utilized by the FBI was still not reliably collecting text messages from
approximately 10 percent of more than 31,000 FBI-issued mobile devices.

In addition, during the OIG’s forensic examination of FBI mobile devices that were used
by the two employees, the OIG discovered a database on the mobile devices containing a plain
text repository of a substantial number of text messages sent and received by those devices.

Neither ESOC nor the vendor of the application was aware of the existence, origin, or purpose of
this database. OIG analysis of the text messages in the database compared to ESOC productions
of text messages during the same time periods when the collection tool was functional identified
a significant number of text messages found in the database that were missing from the ESOC
production. Furthermore, the Subject Matter Expert with whom the OIG consulted in connection
with its forensic analysis of the devices identified additional potential security vulnerabilities
regarding the collection application. The OIG has provided these findings to the FBI.

Existing FBI Policy
FBI Policy Directive 0423D, Section 8.5.5 states in part: “if employees need to access e-
communications that, for whatever reason, have not been preserved, they should address requests
to retrieve text messages . . . to the Security Division’s Enterprise Security Operations Center
(ESOC).” Although this directive designates ESOC as the repository for text messages, there is
no specific policy that requires ESOC to collect and retain text messages.

RECOMMENDATIONS
1. Amend the existing FBI Policy Directive to formally designate an entity to be responsible
for text message collection and retention.
2. Conduct additional research and testing of the current collection tool application with the
mobile devices deployed by the FBI or seek by other means, in coordination with the
collection tool’s vendor, to improve reliability of collection and preservation of text
messages sent to and from FBI-issued devices, with a goal of 100 percent text message
collection and preservation, to the extent technically feasible.
3. Conduct additional research and testing, or seek by other means, prior to procurement of
any new collection tool to be used by the FBI to collect and preserve text messages sent
to and from FBI-issued devices, with a goal of 100 percent text message collection and
preservation, to the extent technically feasible.
4. Coordinate with the collection tool vendor to ensure that data collected by the tool and
stored on the device is saved to a secure or encrypted location.
5. Verify and address the security vulnerabilities identified by the Subject Matter Expert
with whom the OIG consulted, which have been provided to the FBI. Current and future
mobile devices and data collection and preservation tools should be tested for security
vulnerabilities in order to ensure the security of the devices and the safekeeping of the
sensitive data therein.


294 posted on 02/12/2019 12:47:00 PM PST by Steven W.


To: Steven W.

Horowitz discovered previously unknown database contained text messages…
~~~~~~~~~~~~~~~~~~~
OOPS!!


307 posted on 02/12/2019 1:12:09 PM PST by Enigo54 (Hank Reardon was right)



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson