Digital Forensics and Text Messages

cloud-based phone
Top Legal Marketing Companies

Expanding on my previous article “Trending Attorney Forensic Requests in 2019,” often I am asked by counsel to provide text messages from a phone in their Native File Format. What counsel often does not realize is that the Native File Format of text messages on most smart phones is SQLite. SQLite is a database. It frequently consists of multiple tables (you can think of these as similar to spreadsheets) which contain some of the information and reference another table which contains other information and so forth. While this is the Native File Format and contains the most complete information on those text messages, it is likely not what you want to request. Different forensic software offers different formats for reports to forensic experts.

Typically, if you request a forensic report for extracted text messages the forensic expert will provide you a spreadsheet. This spreadsheet will likely contain substantial information which is technical. You may simply desire a picture of the text message so you can present the ESI in a familiar format to the court. That does not mean you should not ask for the spreadsheet with the technical information because it may be helpful to discuss the information in the spreadsheet with your forensic e xpert. This may provide insight into how messages were sent or received and provide information about other potential sources of ESI responsive to discovery. Pictures of text messages by themselves should not be accepted as a form of self-authenticating ESI. There is nothing which stops someone who has physical control of the cell phone – this might be the owner or another person who accesses the cell phone, from changing the name associated with a phone number.

Advertisement

Answering Legal Banner

If the cell phone is subsequently given to an attorney who takes a picture of a text message, the text message will show the name associated with the phone number. That picture would be misleading and should not be used in court. If you want a picture of a text message, a safe way to do that is to have a forensic expert image the cell phone, take pictures of the text messages, extract the text messages from the cell phone and provide the forensic information about the text messages with the pictures of them to the attorney. Please note the order matters. A forensic expert should image the cell phone as quickly as possible once it is determined the cell phone may contain ESI which needs to be preserved. As a forensic expert, I would give a picture of a text message without valid authentication no evidentiary value at all. It is trivial to create pictures of allegedly accurate text messages, to manipulate information the phone shows on the screen, or otherwise falsify information viewed on a phone.

If a client claimed they had a picture of a text message from their employer or employee which they wanted to use in a lawsuit, and they provided you with the picture would you accept it? What if they have this picture on their cell phone and they say it is a screenshot of a text message and they deleted the text message itself? Should you introduce the picture? Not unless you can independently authenticate the picture of the alleged text message. How can you independently authenticate the picture of the alleged text message?

It may be possible for a forensic expert to recover a deleted text message from either the cell phone which purportedly sent the text message or the cell phone which purportedly received the text message. What about deleted text messages. Usually the SQLite database where the text messages is stored is one file. In this case a deleted text message is not a deleted file it is deleted information from one file so to recover it you need to try to recovery deleted content inside the file. There are different programs which are intended to recovery deleted information in a SQLite database and they may each have different levels of success. Whether or not the deleted text messages can be recovered from the SQLite database also can depend on how recently database maintenance has been performed and if new text messages have overwritten the deleted text messages you need to recover. Michael Zinn

Advertisement

Eza Mediation

Michael Zinn

Michael Zinn is a recognized digital forensics and cybersecurity expert who holds a number of industry certifications including certified computer examiner (International Society of Forensic Computer Examiners), EC-Council computer hacking forensic investigator, AccessData certified examiner, and AccessData mobile examiner. He is an experienced computer security incident response team leader and is available for cybersecurity consultations and cybersecurity training.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts