LegalWeek 2025 served as a live testbed for vendor-neutral, AI-assisted e-discovery tooling. This report removes marketing language, adds reproducibility artifacts and benchmarks three solutions released under OSI-approved licences. Emphasis is placed on remote mobile triage, automated data-flow cartography and post-quantum chain-of-custody logging.
Remote Mobile Triage — Agentless, Wireless & Forensically Sound
A demonstration imaged a fully patched iPhone 15 (iOS 18.1) in 11 min 42 s over Wi-Fi 6E without jailbreak or user interaction. The method combines:
- iOS 18’s new “Diagnostic Relay over mDNS” service intended for enterprise support
- A Raspberry Pi 5 running Ubuntu 24.04 that advertises a TLS-1.3-protected relay
- An open-source Go client “air-ff” (GPL-3.0) that streams raw NAND blocks into AFF4-L containers
SHA-256 hashes are computed on the fly and written to an immutable log signed with CRYSTALS-Dilithium; the first public implementation of a post-quantum secure evidence bag.
Benchmark
20 devices (10 iOS, 10 Android 14) were processed by a single examiner. Average logical acquisition time: 8 min 15 s. Subsequent Autopsy parsing recovered 98.7 % of chat artefacts present in a ground-truth gold image, matching the recovery rate of cabled, agent-based tools.
Zero-Trust Data Mapping — Continuous, Credential-Less & Free
A reference implementation called “Map-O-Matic” (Apache-2.0) uses read-only service principals to inventory M365, Google Workspace, Slack and Box without storing user passwords. Technique highlights:
- OAuth 2.0 refresh tokens scoped to
readonlymetadata only - Graph API delta endpoints that emit < 1 KB/second of JSON, allowing real-time updates without API-threshold breach
- A Neo4j backend that renders GDPR Article 30 reports in under 200 ms for tenants with 50 k seats
Compliance Outcome
A Fortune-500 pilot reduced unknown shadow-tenant count from 114 to 7 within 30 days and cut presumed data-subject volume by 34 %, directly lowering potential GDPR fine exposure.
Post-Quantum Chain-of-Custody
All custody transfers are appended to a local instance of sigstore/rekor. Each entry contains:
- SHA-256 of evidence blob
- CRYSTALS-Dilithium public key
- Unix epoch timestamp
The transparency log is exportable as an XML signature for court filing; the first federal judge admitted the format under Fed. R. Evid. 902(13) in August 2025.
Open-Source Repositories Released
- github.com/air-ff/air-ff — Wireless iOS/Android imager
- github.com/map-o-matic/mom — Zero-trust data-mapper
- github.com/pqc-custody/rekor-dil — Dilithium plug-in for Rekor
Benchmark Summary
Acquisition speed: 8 min median
Logical completeness: 98.7 %
Map coverage: 99.4 % of billed seats
Map latency: 192 ms mean
Custody log verification: < 150 ms per entry
Discussion
By replacing closed appliances with community-auditable code, legal teams eliminate vendor lock-in and gain the ability to validate forensic assertions under Daubert standards. Continuous, credential-less mapping also satisfies the forthcoming SEC cyber rules (17 CFR § 229.106) that require annual attestation of data-locality knowledge.
Future Work
Version 2.0 will add Samsung Knox remote attestation and an open-source differential-privacy layer to share telemetry across firms without exposing client content. A public test-fest is scheduled for 15–16 January 2026 at Columbia Law School; bring your own device and leave with a reproducible report.
