Text Message Forensics

Text messages are the most popular form of cell phone evidence recovered and admitted in civil and criminal cases today. Text message forensics is the science of recovering the evidence they hold for admission into the court record for adjudication of disputes. Text messages consist of Short Message Service (SMS) messages and Multimedia Messaging Service (MMS) messages found on iPhones and Android smartphones. They also consist of proprietary iMessages on Apple’s iPhones and iPads.

Rounding out the mix are over one hundred alternative or specialty mobile messaging apps in use worldwide today. WhatsApp is the most popular messaging app and has broad international market share. But Facebook Messenger, Snapchat, WeChat, and secure messaging apps like Telegram and Signal are a few of many mobile messaging apps from which to choose while shopping Apple’s App Store and Google’s Play Store. Messages from these various mobile apps can be recovered with text message forensics.

Text Message Forensic Recovery

Mobile device forensic experts spend perhaps 50% of their time recovering deleted text messages. Text messages comprise unique, fact-specific evidence that answers what and when questions in legal disputes in which detailed statements or admissions are required. Enforcement of Orders for Protection (OFP) and Harassment Restraining Orders (HRO) is a good example of a close match between a type of dispute and the need for relevant text messages to litigate it.

The text message expert’s analysis is guided by the lawyer’s goal of the examination.  The goal is usually designed to recover and describe messaging evidence that may support the lawyer’s theory of the case.

Text Message Metadata

Important metadata provides foundation for text message evidence. For instance, the message’s deleted status indicates whether the phone user deleted it from the smartphone. The message’s read status indicates whether the message was opened and read by the user. Some messages, like iMessages, have read receipt metadata which, when enabled in settings, records when the correspondent read the iMessage.

Each text message identifies the phone numbers to and from the smartphone, often with a user’s name matching the phone number taken from the phone book of contacts. Date and time stamps show when the text message was sent, received, and read.

Text Message Reports

After text message forensics analysis, the expert will use his or her mobile device forensic tools to generate mobile evidence reports with responsive messages that satisfy the lawyer’s goal of the examination.

For instance, one mobile evidence report might be a chronology of text messages sent between the phone user and an important correspondent.  The report will highlight message content including emojis and descriptive metadata like date and time stamps.  Often the report is presented in the courtroom by an expert witness in a colorful conversation or thread of messages which resemble the dialogs which may be seen on the smartphone’s screen.
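The chronology described above, together with the metadata named in the previous section, can be sketched as follows. This is an added example, not code or output from the original article or from any forensic tool; the record fields, sample messages, and function names are constructed for illustration. It normalizes differently formatted phone numbers and converts time stamps to UTC so that the thread sorts in true order.

```python
from datetime import datetime, timezone

# Constructed sample records; field names are assumptions, not a tool's schema.
MESSAGES = [
    {"from": "+1 (612) 555-0134", "to": "612-555-0199", "deleted": False,
     "sent": "2022-03-01T21:15:00-06:00", "read": "2022-03-01T21:17:30-06:00",
     "body": "Call me when you get this"},
    {"from": "6125550199", "to": "+16125550134", "deleted": True,
     "sent": "2022-03-01T22:05:00-05:00", "read": None, "body": "On my way"},
    {"from": "+16125550177", "to": "+16125550199", "deleted": False,
     "sent": "2022-03-01T20:00:00-06:00", "read": None, "body": "Lunch tomorrow?"},
]

def normalize_number(raw, default_cc="1"):
    """Reduce a handle to a comparable form: +<digits>, or a lowercased email."""
    if "@" in raw:                    # some messages originate from an email address
        return raw.strip().lower()
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) == 10:             # assumption: 10 digits is a national number
        digits = default_cc + digits
    return "+" + digits

def to_utc(stamp):
    """Parse an ISO 8601 stamp with UTC offset and convert it to UTC."""
    return datetime.fromisoformat(stamp).astimezone(timezone.utc) if stamp else None

def build_chronology(messages, owner, correspondent):
    """Rows for one owner/correspondent thread, oldest first by UTC send time."""
    me, them = normalize_number(owner), normalize_number(correspondent)
    rows = []
    for m in messages:
        src, dst = normalize_number(m["from"]), normalize_number(m["to"])
        if {src, dst} != {me, them}:
            continue                  # message belongs to a different thread
        sent, read = to_utc(m["sent"]), to_utc(m["read"])
        rows.append({
            "sent_utc": sent,
            "direction": "outgoing" if src == me else "incoming",
            "status": "deleted" if m["deleted"] else "live",
            "read_after_s": int((read - sent).total_seconds()) if read else None,
            "body": m["body"],
        })
    return sorted(rows, key=lambda r: r["sent_utc"])

if __name__ == "__main__":
    for r in build_chronology(MESSAGES, "612-555-0199", "+1 612 555 0134"):
        print(r["sent_utc"].isoformat(), r["direction"], r["status"],
              r["read_after_s"], r["body"])
```

The second sample message carries a later local clock time than the first but was sent ten minutes earlier in UTC, which is why the sort key is the converted time stamp rather than the raw string.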

The choice of form of production for text message reports includes Adobe PDFs and Microsoft Excel spreadsheets.  Also available are innovative and highly usable web browser reports which support links to attachments and other useful information.  Lawyers and paralegals can use Google Chrome, Microsoft Edge, Apple Safari, and Mozilla Firefox at no charge to view browser reports.

Portable case files are a new form of production with many advantages for the legal team.  They provide mobile evidence but also no-cost forensic software which enables you to review it in your own office on your own computer.  You can also search, filter, bookmark, and generate your own mobile reports using the forensic software designed for lawyers and investigators.

Many experts now send mobile evidence digitally from the forensics lab over the Internet for fast turn-around.  Attorneys and paralegals can download it right away in their offices and start review immediately.

Retrieving Documents and Media from Text Messages

It appears document retrieval from messaging apps is more “art” than science for many legal practitioners in 2022. Many paralegals report difficulties recovering documents, photographs, and other attachments from message apps on iPhones and Android smartphones today, and also on tablets including iPads, Amazon Fires, and Samsung tablets. They lack a viable process capable of producing repeatable and defensible results.

Paralegals mastered document recovery from emails decades ago.  But retrieval of documents from modern mobile messaging platforms is a new challenge that eludes much of the legal profession.  A paralegal will usually start from scratch to discover messages for each case or each client.  They use ad hoc or case-specific methods which often disappoint and produce only screenshots or worse.  Ultimately, parties are frustrated and the bench faces admissibility challenges due to unsound recovery or collection of messages with no authentication.  We are looking for a better retrieval method that is reliable, repeatable, and forensically sound. Text message forensics encompasses methods and tools that can lead the way.

So what types of messages do you encounter in your cases at law that must be retrieved? The vast majority are garden variety text messages. Garden variety text messages with attachments are called MMS, which stands for Multimedia Messaging Service. They are sent through the switches and cell towers of telecommunications carriers or cell phone service providers like Verizon, AT&T, and T-Mobile.

Mobile messaging apps residing on smartphones also send and receive messages through the Internet instead of carrier switches and cell towers.  They include Apple’s iMessages, but also third party mobile messaging apps like Facebook Messenger, Snapchat, and many others.

So what types of attached documents do you encounter in your cases at law that must be retrieved?  Traditional Microsoft Office documents?  What about Apple’s and Google’s documents?  And Adobe Portable Document Formats, PDFs?

And what about the popular photographs and videos you find attached to messages on your smartphone?  They are multimedia, but can also include audio clips and recordings.

What about more unfamiliar document types you may find attached to messages on a cell phone? We often see voice messages, contacts, web links, and GPS geolocations attached to messages. And these rare attachments are becoming popular, especially web links to articles and posts. GPS locations are often attached to messages to show exactly where the other person is to be found.

The bottom line is documents are anything attached to messages.  They’re just like documents attached to emails.  And the traditional documents are the ones lawyers think of as documents.

Demonstrative Exhibits from Text Messages with Documents and Media

Let’s consider credible demonstrative exhibits of document evidence competently retrieved from modern mobile messaging platforms to help you visualize successful outcomes.  The exhibits that follow are from professional examinations of iPhones and Android smartphones.

This first demonstrative exhibit below shows Facebook Messenger messages from an Android phone in the mobile device forensic tool.  You can see the messages in the rows depicted with content and metadata.  And the column on the right labeled Coordinates shows the GPS location’s latitude and longitude of each message.

Below you see a Kik Messenger report showing a conversation with an exchange of attached photographs.

In this last demonstrative exhibit below you see a mobile device forensic report from a Zoom meeting.  It was held on a mobile phone in which the attendees were typing into the chat box and one of them attached this photograph or screenshot.  Mobile device forensic tools can recover Zoom evidence including the chat box messages and their attachments like this one.

Other Messaging and Document Evidence Sources

What other message and document sources can be probed using text message forensics when mobile devices are lost or otherwise not available? 

Cell phone service providers or carriers like Verizon, AT&T, and T-Mobile provide garden variety text message logs in response to a subpoena or search warrant.  They provide a phone number and a date and time stamp.  But the logs do not include message content, the “text” in text messages.  Carrier logs also do not include documents or photographs attached to messages as described above.

So text message experts at Carney Forensics check online, cloud sources for messages.  They may not be recoverable from a cell phone, but may still be available for forensic collection from connected accounts like Google, iCloud, and Samsung.  We may also check other online accounts like Facebook and Snapchat for messages.

Deleted Text Messages

Carney Forensics has been recovering live and deleted messages, calls, photos, videos, etc. from smartphones, feature phones, burners, and tablets for lawyers nationwide for fourteen years. For deleted evidence we usually probe the device with two or three tools to get a better shot at finding the evidence needed for your civil or criminal defense case.

We also examine over 700 mobile apps (WhatsApp, Snapchat, Kik, Telegram, Signal, TigerText, Facebook, etc.) to recover deleted messages and other evidence. And we filter text messages by the phone number of the phone user’s correspondents to generate reports for your review. We also produce a timeline to clarify chronologically the text message evidence and the story it must tell.

The timing of collecting text messages from smartphones is important. The length of time between deleting a message and extracting the phone for its recovery is a critical factor. Text messages are fragile and must be preserved at the earliest opportunity. Precarious deleted text messages stored in the smartphone’s memory can be wiped by the operating system because of day-to-day usage and may therefore become unrecoverable.

Recovery of deleted text messages from a smartphone can be tricky.  The memory capacity available on the device to store mobile evidence directly affects the successful recovery of text messages.  Text messages are small.  After one or more of them are deleted, they can be overwritten by other data arriving over the air through 4G LTE, 5G, or nearby through Wi-Fi or Bluetooth.  Photos and videos captured by the phone user are large and when stored in the phone’s gallery can wipe out hundreds, even thousands, of deleted messages.

Encrypted Text Messages

Carney Forensics recovers evidence in secure messaging apps, encrypted ones like WhatsApp, Telegram, and Signal using our text message forensics service.  We locate and recover encryption keys and support many decryption algorithms to expose them for production in civil and criminal cases. 

Spoofed Text Messages

Many “spoofing” apps or services exist for sending anonymous messages and making anonymous calls on iOS and Android smartphones. There are also legitimate apps that offer a virtual or private number (as contrasted with the device’s phone number or MSISDN) from which to text and place calls confidentially on a smartphone. Some of the legitimate apps offer complaint or gripe services. Spoofing apps generally do not and do not operate in good faith.

Identifying the caller or texter, the harasser, depends on which app or service was used and how much metadata is available from a phone examination. Sometimes text message experts can use the originating phone number, if available, to identify the service and the country or region of origin. Sometimes the origin is an email address, which is of little value unless the domain identifies the service. A subpoena is not actionable against the service unless the case is filed in court. Most often an investigation has not progressed far enough to discover the suspect behind the unidentified spoofing.

Often the harassed person has a good idea of the identity of the harasser, which might make a private investigation worthwhile. Some agencies have retired three-letter-agency talent on board that can sometimes shed light on the situation.