Exemplary Evidence: The art of retrieving text message evidence

Listen to this article

In today’s digital age, text messages have become a crucial source of evidence in legal cases ranging from family disputes to high-stakes corporate litigation. As a lawyer, understanding the intricacies of retrieving and presenting this evidence is essential for building a robust case. This article aims to provide a primer on retrieving text message evidence, drawing insights from expert sources and addressing key legal considerations.

Understanding the importance of mobile evidence, retrieval and messaging types:

Mobile devices are veritable treasure troves of discoverable information. They contain more probative evidence per byte of data than computer hard drives, housing not only text messages but also emails, documents, multimedia messages, contacts, appointments, voice calls, voicemails, photographs, videos, audio recordings, web browsing history, social media interactions, and various forms of mobile app data. The personal nature of these devices means that the evidence they contain can provide critical insights into a user’s actions, communications, and state of mind.

Retrieving text message evidence is a complex but essential task for lawyers. By understanding the tools and techniques available, their limitations, and the legal considerations involved, lawyers can effectively retrieve and present message evidence in a credible and defensible manner. As mobile forensics continues to evolve, staying informed about the latest advancements and best practices will be important for maintaining a competitive edge in legal practice.

Many types of text messages can be sent including SMS, MMS, iMessage, WhatsApp, Facebook Messenger, Google Hangouts, Snapchat, and Instagram Direct Messages. Each type has its unique data storage and retrieval challenges.

Data deletion, integrity, and barriers to retrieval:

Deleted messages can often still be retrieved, but the process is complex and may require advanced forensic techniques. Data marked as deleted is often still present in the device’s memory and can be recovered using specialized tools.

Ensuring that the retrieved data is authentic and has not been tampered with is crucial. This requires a clear chain of custody and the use of forensically sound methods and tools.

Accessing data from damaged devices, locked phones, or prepaid “burner” phones can pose significant technical challenges. Advanced repairs and extraction techniques like JTAG, chip-off, and ISP may be necessary to retrieve data from such devices. These methods can extract data directly from the device’s hardware, bypassing the need for standard access methods. Advanced passcode unlocks are now available for Android smartphones and iPhones.

Deleted messages can often yield important evidence. Professional forensic tools can recover such data by analyzing the device’s operating system, databases, file system, and physical memory.

Tools and techniques for retrieving mobile evidence: Self-help or self-sabotage?

Professional forensic examiners use specialized tools and techniques to retrieve data from mobile devices. These methods are reliable, repeatable, and defensible in court. They can recover a wide range of data, including deleted messages, attachments, status, and date/time stamps.

Several consumer-grade tools are also available for message retrieval. These tools can be cost-effective and useful for preliminary data review, but they have limitations and are not recommended for high-stakes litigation or criminal cases because of potential issues with data integrity, completeness, and forensic soundness.

Many messaging apps store data in the cloud. Tools and techniques for cloud forensic collection can retrieve messages and attachments from cloud accounts like Apple iCloud for iPhones and Google for Androids. Self-help options for custodians such as Google Takeout or Apple’s data export tools can also be used, but they come with limitations and risks.

In sum, the retrieval of text message evidence requires a strategic approach, leveraging tools appropriately while ensuring the integrity and admissibility of the evidence.

What’s a savvy lawyer to do?

• Ensure data integrity: Maintain a clear and complete chain of custody and use defensible methods like metadata and hash codes to ensure the data’s authenticity. This includes using tools that do not alter the original data and following proper legal procedures for data retrieval.
• Make sure you can authenticate and admit: Ensuring that the retrieved data can be authenticated and admitted in court is important. Lawyers must be cautious when using consumer-grade tools, as they could become a fact witness or disqualify oneself from representation. Recommending these tools to clients without proper understanding of their limitations can result in inadvertent consequences, such as modifying or erasing data, or failing to calculate or maintain hash codes.
• Subpoena third-party providers: Cellphone service providers like Verizon, AT&T, and T-Mobile can be subpoenaed to produce call detail records and SMS and MMS logs. This method involves legal procedures, and often delays, but can provide valuable data. When retrieving data from cellphone service providers or internet service providers, make sure you know how to properly draft and serve these subpoenas. This includes obtaining necessary authorizations and correctly identifying subpoena compliance departments and registered agents.

Knowns, unknowns, and unknown unknowns:

In one sense, lawyers are well-positioned to understand the practical forensics of text message evidence. And for the same reason lawyers had little trouble conceptualizing the importance of email: (1) the platform was (usually) Microsoft Windows, which lawyers use; (2) the email attachments were typically documents that lawyers work with, like Microsoft Word and PDFs, which lawyers use; and (3) the method of communications, Microsoft Outlook email, which lawyers also use.

And lawyers can also understand the effect of text message evidence, including the failure to produce it, based on their experience with email, electronic documents, and hardcopy documents. Any seasoned lawyer 20 years ago and today has war stories about a material “smoking gun” document discovered in these formats.

But lawyers also should not rest too easy, because text messages differ from emails in several important ways.

Text message evidence poses new challenges for lawyers due to:

• The diversity of platforms: Windows, Mac, Chromebook, iPhone, and Android.
• The variety of attachment data types: Photos, videos, audio recordings, documents, links, GPS data, screenshots, emojis, and so on.
• The multitude of message types: SMS, MMS, iMessage, WhatsApp, Snapchat, Facebook Messenger, and many other mobile messaging apps.

Envisioning the right tool for the right job:

There is no one right tool for everyone for the same job. So digital forensic experts, and the savvy lawyers who retain them, should be on the lookout for text message retrieval tools that are:

• Reliable
• Repeatable
• Defensible
• Admissible in court
• Cost-effective

Most text message retrieval tools fall short in at least one of these categories. But unless we have an image of what a better tool would look like, we’re not likely to find it. It is a philosophical principle that “everything that can be imagined must necessarily exist.” So maybe it’s time for digital forensic investigators and lawyers to do a little less doing, and a little more dreaming.

Conclusion:

By following these guidelines, lawyers can enhance their ability to uncover critical information and strengthen their cases. As the field of mobile device forensics continues to advance, lawyers must stay updated on the latest tools, techniques, and legal precedents related to text message evidence. This knowledge will not only enhance your ability to build stronger cases, but also make sure you’re providing the best representation for your clients in an increasingly digital legal landscape.

John J. Carney, Esq., is chief technology officer of Carney Forensics

Brendan Kenny is one of Hellmuth & Johnson’s top legal writers with prior experiences working for both Minnesota and California Attorney General’s Offices.