Text Message & Digital Photo/Image Investigations

SMS, Instant Message (IM) or Cell Phone Video/Audio Evidence


Electronic Record Subpoena, Preservation, Authentication & Chain of Custody


Computer (including cell/mobile phone) text messages are sometimes used as evidence in legal proceedings. So what is the best way to save a text (or photo/video/audio) record as evidence? In other words, how can an investigator secure digital evidence today so that its chain of custody can be proven later in court?

Suppose your estranged spouse (husband/wife) sends you, by cell phone, a photograph or text message relevant to a future divorce hearing. Or suppose a business partner (or manager, boss, politician, government official) sends you a video important to a dispute or lawsuit, such as one over sexual harassment, employment discrimination or breach of contract.

There is no perfect way to save electronic evidence, but some techniques are better than others. The more you freeze the data to prevent its deletion and deter its modification, the better. And the more you capture timely information about its source, the better.

Update 2011: See

1. New methods for preserving web evidence.

2. How to make a Gotcha! video with your smart phone.

A new technique enables you to authenticate the text (or other mobile phone) message record with a voice signature. A service called My Electronic Evidence lets you memorialize an electronic record (like a record of a text, photo, video or e-mail message) with a date, a voice statement and a notation about where you think the message came from and how you preserved it.

To use the service, you need to store the content of the text message in a computer file like a pdf, a doc or a jpg. Then you upload the file (or if you're a techie, a hash of the file) to the service, and you record a statement about where the evidence came from, how you captured it and so on. The service calculates a "signature code" for the file. Then it allows you to speak a voice statement that says you sign the evidence, together with the "signature code" as of a stated date. Finally, the service sends you a self-explanatory archive showing that you authenticated the evidence with your unique voice.

If after that the evidence file is changed, it will no longer match the signature code contained in your dated voice record. Thus the service reliably links you (as evidence collector) to the evidence and establishes the existence of the evidence as of a date. This information can be invaluable when assessing evidence months or years later, such as in a lawsuit, when memories have faded or possibly when you are no longer available to vouch for the evidence.
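The hash-and-dated-record idea described above can be sketched as follows. This is an added example, not code from the My Electronic Evidence service: the page does not say how the "signature code" is computed, so SHA-256 is assumed, and the function names, record fields and sample message are constructed for illustration.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def file_digest(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_of_record(record):
    """Hash every record field except the digest itself, in canonical JSON."""
    body = {k: v for k, v in record.items() if k != "record_digest"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def make_record(path, collector, source_note, when=None):
    """Build a dated custody record binding the collector's notes to the file hash."""
    record = {
        "file_name": os.path.basename(path),
        "size_bytes": os.path.getsize(path),
        "sha256": file_digest(path),
        "collector": collector,
        "source_note": source_note,  # where the message came from, how it was saved
        "recorded_utc": (when or datetime.now(timezone.utc)).isoformat(),
    }
    record["record_digest"] = digest_of_record(record)
    return record


def verify(path, record):
    """Return (ok, reasons): check the record's own fields, then the file."""
    reasons = []
    if digest_of_record(record) != record.get("record_digest"):
        reasons.append("record fields altered")
    if file_digest(path) != record["sha256"]:
        reasons.append("file hash differs")
    return (not reasons, reasons)


def demo():
    """Constructed sample: save a message, record it, then change one word."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "message.txt")
        with open(path, "wb") as f:
            f.write(b"From: +1-555-0100\nLet's go 2 lunch\n")
        rec = make_record(path, "J. Doe (constructed)",
                          "Forwarded from phone to e-mail, saved as a file")
        before = verify(path, rec)
        with open(path, "wb") as f:  # simulate a later edit to the evidence
            f.write(b"From: +1-555-0100\nLet's go 2 dinner\n")
        return before, verify(path, rec)


if __name__ == "__main__":
    print(demo())
```

A record like this only helps if it is kept somewhere the collector cannot silently rewrite it, which is the role the service's dated voice record plays in the description above.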


Suppose you have a text or Twitter message (or photo) on your cell phone. How would you convert it to pdf or doc format? One way is to forward the message to your e-mail, where you can access it from your PC. Then you can save the e-mail content as a pdf. (I personally had to do this for my wife when, as part of a divorce/child custody battle, her friend's spouse subpoenaed the text messages between my wife and her friend. Although the messages didn't say anything more than "Let's go 2 lunch" and so on, we still had to turn the messages over.)

Update February 2013: Forensics to recover deleted logs, images, geolocation and text messages.

Update: Legal subpoena for information from Facebook.

Update July 2011: See discussion about recovery of text messages from service providers.

--

Mr. Wright teaches data security and investigations law at the SANS Institute.

[Nothing on this blog is legal or technical advice for any particular situation. It is not a substitute for counsel from a lawyer or a technical professional. If you need help, go get it from someone who knows what they are doing. If you need legal or technical advice, you should consult an attorney or a technical expert. Remember there can never be any assurance how evidence will be used or interpreted for legal purposes, if it is used at all. Also the above may not be a complete analysis or the best for a particular situation. For example, a person preserving a message with My Electronic Evidence may also need to preserve the message in its original state, such as in cell phone flash memory, even though that would be inconvenient and the value of the message data in that state can diminish as time passes.]

53 comments:

  1. I cannot find any info on HOW TO store the content of the text message in a computer file like a pdf, a doc or a jpg--apparently the first step. I have tried to forward to my e-mail address without success. In this case it is my phone and I am trying to make a permanent record before the text message is deleted. I use Verizon, if that makes any difference.

  2. In the personal experience I described above, my wife's phone allowed me to forward a stored text message to my yahoo e-mail address. Once it got to my yahoo e-mail, and was viewable through my web browser, I used Adobe Acrobat software installed on my PC (and integrated with my browser) to "print" the e-mail as a pdf.

    That's how I did it. I have no idea whether you can do the same with the hardware, software and services available to you. You may want to hire an expert to help you. --Ben

  3. If a subpoena was gotten for someone's text messaging records, does the cell company release all text messages or just the text messages for the two people involved in the criminal case?

    Replies
    1. T-mobile companies do not release any text messages without a warrant, and those are not stored anyway. For a serious crime a Warrant has to be issued for them...and it has to come from a judge.... All that is contained in the administrative subpoena is the numbers that called in and called out. Unless a serious crime is under investigation ... the released records will not release any GPS info or Text messages. I just confirmed with tmobile legal so ...basically it's a waste of time....all the person will see is the call logs....which if they were in contact themselves, and were not supposed to be .. they could end up incriminating themselves...because records will show the incoming calls too....I just found this out.

    2. They do keep photos though......

    3. So if my text messages were court ordered from 2008 through Tmobile, only the date and times would be released, not the content of the message?

    4. Anonymous: I do not know the answer to your question, although maybe another reader does. Service providers like Tmobile are not always consistent in their behavior on these issues. Also, the behavior of a service provider may depend on (a) which court issued the order, (b) precisely what the order said, and (c) other factors. --Ben

  4. I don't know. It may depend on the wording of the subpoena. Some subpoenas are broader than others. --Ben

  5. can a spouse really pull records? doesn't the electronic communications Privacy Act prevent even your spouse from pulling your records without their authorization? wouldn't that also apply to the cell phone companies if he/she requested them?

  6. That is a good question, and the answer is complex. This blog is not the place to get a complete, definitive answer to that question (or any other question), and this blog does not provide legal advice to anyone. With that said . . . I pulled off the shelf the Second Edition (originally released 1995) of my book The Law of Electronic Commerce. I turned to Section 20.5.2. That section generally discusses the idea that under the Electronic Communications Privacy Act a subpoena may justify the release of electronic communications (such as maybe text messages) stored more than 180 days by an "electronic communication service." Please note: if you wish to fully understand this topic, you need to know a lot more than what I just said in the immediately foregoing sentence. Thanks for asking the question. –Ben

  7. In the state of Washington, text messages stored by your phone provider can only be retrieved by a subpoena. The cell phone companies will not release them any other way.

  8. In the State of Washington, copies of sent text messages are stored by the cell phone companies, but can only be retrieved by subpoena or court order.

  9. I found this whilst googling "text message evidence". I reported the man I was in love with for the confessions he'd made to me about underage girls he's in all senses abused, of course he doesn't see it as that he just sees it as perks of his job (a rockstar), but someone got my laptop and destroyed it because it had the instant message conversations saved in which he made these confessions or boasts as they came across to me. Are aol instant message conversations saved on a server anywhere?

  10. It is true that copies of sent text messages are stored by the cell phone companies, but can only be retrieved by subpoena or court order.

    However, Verizon, for example, only stores text messages on their server for three days. Good luck on that one.

  11. So if someone has 2 phone/text accounts...1 Verizon & 1 AT&T, does that mean there is ABSOLUTELY NO WAY to retrieve text messages from prior to 3 or 4 days ago?

  12. Someone made a fake profile of me on a social networking site saying a whole bunch of personal stuff, like I was a recovering alcoholic, had psychiatric issues, etc. Every word the person(s) said were true, but it was really humiliating and some were secret things about my health that I never told anyone before. Was this illegal on their part? I've heard it said the best defense to a charge of slander is the truth. What can I do?

  13. Anyone that can help

    My wife has left me for another man. She confessed her relationship on my iphone. She now denies everything she confessed. She has currently filed a PFA against me. The recordings I have prove my innocence. Can you advise me on how I can legally use the recordings? Our court date is September 8th 2009.

  14. can the contents of a text message be modified by the person receiving them? If so does it depend and/or matter what phone the receiver uses? In other words can the content of a message be considered to be 100% accurate with no chance of it being modified or manipulated by the receiver? Given the fact that the message is obtained only on the received phone?

  15. Going through a divorce & custody battle. I hacked my wife's yahoo account and found a ton of evidence of her affair! Can I subpoena those emails so I can use them legally???

  16. Hi there,
    I have text messages from a client who sexually harassed me. For some reason, and I don't know if it's my switching my SIM to a new blackberry, all of the messages show at the same time (2:22), and my messages back to him are missing. is there any way to retrieve them, either from my old phone, my new one, or T-Mobile? It could go to court and I would like to know my options.

  17. You may need to get legal or technical advice from hired experts. -Ben

  18. Our problem is the ex-boyfriend is sending the text to his email and altering it and printing it off as what was said....How do you handle these situations?? This can easily be done...any solutions? I don't think text messages should be allowed if not on the actual phone and then, they can send to themselves, open, alter and save....

  19. How hard is it to get a court ordered subpoena for texts? I'm on the verge of filing a retaliation case and know little about it. I'm 99% confident that proof lies in a few key managers' texts. I have a LOT of emails, financial retaliation docs without the texts. Can a quality law firm get a subpoena if their opinion alone is that there is a strong case for the plaintiff?
    Thank you very much

  20. To the two most recent anonymous posters above: I don't know. You may need to hire and consult a professional. --Ben

  21. I have found that no emails can be submitted as evidence. I did this to see if this was possible and it is VERY easy to do. I got a regular text from a friend, took a screen shot of text string from IPhone and forwarded it to my email. I copied the text into word, changed the entire wording of the message. I then copied back into email and saved as PDF. A friend had a bunch of texts saved in bodies of emails and the judge wouldn't consider looking at email or text messages. Just too easy to manipulate.

  22. If you're looking to see your husband's deleted cell text
    messages, then this is absolutely the way to go. It's fast,
    effectively and does no damage to the cell phone and it will
    give the answers you're looking to know what your husband is
    up to.

  23. legal documentation requires date and time stamp. so far other than having a smartphone or data phone, there isn't a way to save date/time stamps on text/picture messaging.

  24. How far back can Verizon give a court text message archives with a court order? Specifically, how long do they keep those archives? How far back CAN they go? Thank you!

  25. Has anyone here heard of text message retrieved via subpoena from t-mobile? Officially they say that they do not store that content but unofficially I have heard stories on how they have it all, either in storage or backed up on CDs. Can someone tell me how to send a preservation request to (and afterwards obtain text message content from) a phone company (t-mobile) that doesn't even claim to have them to begin with? Anyone aware of any cases where text message content was retrieved from T-mobile? If someone can let me know or email me at forest786@hotmail.com I would be most grateful.

  26. Can an actual cell phone be admitted as evidence without having the text message subpoenaed?

  27. Anonymous asked: "Can an actual cell phone be admitted as evidence without having the text message subpoenaed?" My answer is that I don't fully understand the question. A lawyer would have to know more about the case to answer the question in a meaningful way. . . . The literal answer is that yes, physical evidence like a cell phone can be admitted as evidence in a court, and the messages stored on the phone do not first need to be subpoenaed.

    However, that answer is probably not telling you very much. I have questions about who owns the phone, how it came to be offered as evidence, why it is being offered as evidence, what aspects of it are apparent to the court, whether it is functioning and so on.

    To simply enter a phone as evidence (so that the judge and jury can view it) does not necessarily make any of the data on the phone accessible to the judge and jury.

    [Remember: None of my public statements are legal advice for any particular situation. If you need legal advice, you should consult a lawyer. My public statements are for general public education and discussion only.]

    --Ben Wright

  28. Mr. Wright, as part of a research assignment I'm trying to find out if the cell providers store the content of multimedia messages (photo/video/etc.) in the same manner as texts? May these items be subpoenaed and reproduced in a legal proceeding? Is the period of storage by the provider regulated by the FCC or is it set by the providers themselves?

  29. Fish: Thank you for your comment. I don't know the answers to your questions, except this: Generally speaking, if records exist, such as in the hands of a service provider, methods are available for causing those records to be produced for legal proceedings. Those methods are not always easy to invoke.

  30. How can you turn text messages which you received into court evidence?

  31. If my ex and his mother (through a sworn affidavit) quoted my mother from text messages in my custody case, can we produce the entire text conversation as a defense to their false allegations?

  32. Hi, can I use a video recording as evidence in court that the person who issued me a bounced check received my demand letter and notice of dishonor? I was able to record our meeting on my cellphone and am wondering if this can be used in court as evidence in case she denies receipt of the demand letter.

  33. The use of any piece of evidence in court depends on many factors (Is the evidence relevant? Can it be authenticated? Has it been tampered? Was it captured illegally? And so on.) However, good video evidence is often very powerful in legal proceedings. See tips on how to make good video evidence. --Ben

  34. Voice messages? I don't know. You may find some relevant information in the discussion about records retained by mobile carriers. If a voice message were saved on a mobile device, and then deleted from the device, a forensic expert might be able to retrieve some or all of it. --Ben

    Replies
    1. My Jan 18, 2012 comment above was in response to an anonymous comment about retrieving deleted voice messages. I accidentally deleted the anonymous comment.

  35. How hard is it for police to obtain a subpoena for cell phone records? Would this only be used when the person is a suspect? How long does the process usually take?

  36. Depending on the case, it is very possible that police would attempt to obtain phone records of a person who is not a suspect. The fact that a phone customer is not a suspect does not, in itself, prevent police from obtaining records under due process of law.

  37. Mr Wright,
    I wanted to look back at some of my OWN texts but sprint is telling me I need a subpoena to receive them... Is it even possible to get a subpoena for your own records without filing some sort of case?

    Replies
    1. I cannot comment on the specifics of your situation. But sometimes police can issue a subpoena. Sometimes, certain other government officials (like the inspector general at a government agency) who are conducting an investigation can issue a subpoena.

  38. Major Update 2012: New do-it-yourself video on how to capture and preserve an important or legally-significant text/cellphone message.

  39. Dear Mr. Wright-

    I have a question that I hope you might be able to answer. It is regarding requesting a subpoena for a person's cell phone records. If the records are acquired can you then determine and pinpoint if the phone user was web browsing at a specific point in time? Can you also determine exactly what web pages the person was viewing?

    Thank you!

    Replies
    1. Anonymous: I don't know the answer to your question. Here's a mere guess: The kinds of records that are retained will vary from one phone to the next, from one carrier to the next and from one app to the next. Records on the phone itself are (my guess) more likely to contain specific browsing history. But maybe the carrier will have some of that information, and maybe the app maker/operator (like the browser maker/operator) will have some of that info. I don't know. Maybe some other readers here will know something specific.

  40. Dear Mr. Benjamin Wright:

    Sir can I ask a question. I am about to file an annulment to my husband. Lately, his text messages harassing me. Then he have text messages that he told me he get my personal text messages from one of the network companies here in our country (Philippines). We are in democratic country. My question is his message his true? that the private Network companies here will give the my previous messages from my mobile number? I'm just curious because I read about telecommunication laws about the privacy of any text messages that will come and goes to the message center of my sponsored network. Please help me sir to understand. Because my ex husband said that the network give him the necessary documents without appealing to court and only one day he get that...it's just he's text message because he don't want me to file an annulment. Thanks and best regards.

    Replies
    1. Dear Anonymous: Also, you may be wise to seek the assistance of a lawyer or government agency in your country.

  41. Dear Anonymous: Thank you for asking your question. I do not know the answer. The answer could be yes; the answer could be no. The answer may be very complex, and may depend on many different factors.

    There are many text message providers in the world. They behave differently, one to the next. The laws that apply to them are complex and sometimes confusing. --Ben Wright

  42. Hey Mr. B!

    I was wondering if an actual PHOTOCOPY of the phone displaying the txt message & showing the date, time, and phone # will work for evidence?

    My carrier is a prepaid provider so they "can't" send a transcript understandably. And I agree that the email can be manipulated.

    So i have photocopied about 200 images of my phone displaying the actual text messages. How legit is this?

    The messages are legible as i had enlarged the image to fit just about the whole page and as i get a new text i just keep on photo copying... lol

    what do you think? thanks =)

    Replies
    1. http://hack-igations.blogspot.com/2011/10/how-to-make-gotcha-video.html

    2. Hey Mr B! Thanks for the reply!

      Are you saying i should make a video documenting the correspondence of texts at w/e location i am receiving/send texts or documenting the photocopying at w/e location i am copying the text at?

      sorry words are better for me, the video can be interpreted many ways... lol

      thanks =)
