SMS, Instant Message (IM) or Cell Phone Video/Audio Evidence
Electronic Record Subpoena, Preservation, Authentication & Chain of Custody
Computer (including cell/mobile phone) text messages are sometimes used as evidence in legal proceedings. So what is the best way to save a text (or photo/video/audio) record as evidence? In other words, how can an investigator secure digital evidence today so he can prove its chain of custody later in a court?
Suppose your estranged spouse (husband/wife) cell phones you a photograph or text message relevant to a future divorce hearing. Or suppose a business partner (or manager, boss, politician, government official) sends you a video important to a dispute/lawsuit -- sexual harassment, employment discrimination, breach of contract.
There is no perfect way to save electronic evidence, but some techniques are better than others. The more you freeze the data to prevent its deletion and deter its modification, the better. And the more you capture timely information about its source, the better.
Update 2011: See
1. new methods for preserving web evidence.
2. How to make a Gotcha! video with your smart phone.
To use the service, you need to store the content of the text message in a computer file like a pdf, a doc or a jpg. Then you upload the file (or if you're a techie, a hash of the file) to the service, and you record a statement about where the evidence came from, how you captured it and so on. The service calculates a "signature code" for the file. Then it allows you to speak a voice statement that says you sign the evidence, together with the "signature code" as of a stated date. Finally, the service sends you a self-explanatory archive showing that you authenticated the evidence with your unique voice.
If after that the evidence file is changed, it will no longer match the signature code contained in your dated voice record. Thus the service reliably links you (as evidence collector) to the evidence and establishes the existence of the evidence as of a date. This information can be invaluable when assessing evidence months or years later, such as in a lawsuit, when memories have faded or possibly when you are no longer available to vouch for the evidence.
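The hash step described above can be reproduced locally. The following is an added example, not the service's own code: it computes a digest for a saved evidence file, stores it with a collector statement and a UTC time, and shows that a one-byte change makes the file fail the check. SHA-256, the record field names, the collector name and the sample file are assumptions made for illustration.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def file_digest(path, chunk_size=65536):
    """SHA-256 hex digest of a file, read in chunks (algorithm is an assumption)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def make_custody_record(path, collector, statement):
    """Bind the file's digest to who captured it, how, and when."""
    return {
        "file_name": os.path.basename(path),
        "sha256": file_digest(path),
        "collector": collector,
        "statement": statement,
        "recorded_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def verify_custody_record(path, record):
    """True only if the file still matches the digest stored in the record."""
    return file_digest(path) == record["sha256"]


def demo():
    """Constructed sample: record a file, change one byte, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "message_screenshot.jpg")
        with open(path, "wb") as f:
            f.write(b"constructed bytes standing in for a screenshot")
        record = make_custody_record(
            path, "Jane Doe (hypothetical)",
            "Screenshot of a text message, captured on my own phone.")
        before = verify_custody_record(path, record)
        with open(path, "r+b") as f:  # simulate a later modification
            f.write(b"C")
        after = verify_custody_record(path, record)
    return record, before, after


if __name__ == "__main__":
    rec, ok_before, ok_after = demo()
    print(rec, "before:", ok_before, "after:", ok_after)
```

A record kept only on your own machine carries a time you wrote yourself; the dated voice record held by the service is what ties the digest to a person and a date.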
Update February 2013: Forensics to recover deleted logs, images, geolocation and text messages.
Update: Legal subpoena for information from Facebook.
Update July 2011: See discussion about recovery of text messages from service providers.
Mr. Wright teaches data security and investigations law at the SANS Institute.
[Nothing on this blog is legal or technical advice for any particular situation. It is not a substitute for counsel from a lawyer or a technical professional. If you need help, go get it from someone who knows what they are doing. If you need legal or technical advice, you should consult an attorney or a technical expert. Remember there can never be any assurance how evidence will be used or interpreted for legal purposes, if it is used at all. Also the above may not be a complete analysis or the best for a particular situation. For example, a person preserving a message with My Electronic Evidence may also need to preserve the message in its original state, such as in cell phone flash memory, even though that would be inconvenient and the value of the message data in that state can diminish as time passes.]