How to Recover Hidden Evidence

Increasingly, the evidence to resolve an audit, an investigation or a legal dispute is connected with electronic communication.  Whether the evidence is a photo, a video, a text message or a geolocation coordinate, it passes through cyberspace via email, a mobile phone carrier or an online service provider such as Facebook.

Subpoena a Big Internet Service Provider?

Many lawyers and other investigators assume the best place to get this evidence is from the third party that handled the evidence – such as AT&T or Yahoo or Google.

However, often these investigators fail to get much by sending subpoenas to big service providers.  ISPs are known for being slow, bureaucratic and resistant to civil subpoenas.

The Evidence is on the Phone

Many investigators do not realize there is often a better source of evidence.  It is the computing device possessed by the target of the investigation.  That device might be a desktop PC, a laptop, a smartphone, a tablet or a smartwatch.

Modern forensic tools and techniques are astonishing!  In the hands of competent professionals, forensic tools like Cellebrite and MobiSec (just to name two from the mobile device world) can recover floods of data, including (sometimes) even deleted or password-protected records.*  Results depend on the device and its condition: a deleted record survives only until the storage holding it is reused, and a locked device that encrypts its storage can put data beyond reach, so recovery should be treated as likely rather than guaranteed.

A Preservation Letter is Powerful

Thus, as an investigation starts, an investigator’s key objectives are to cause data on devices to be preserved and to force disclosure of that data.  An early step would be for the investigator (such as an in-house lawyer in a human resources probe) to deliver to the target of the investigation a “preservation letter.”  The letter would warn the target not to destroy evidence.

The letter might also go to witnesses or suspected accomplices.

Scaring the Target into Cooperating

Depending on the circumstances, the preservation letter might go on to inform the target that ultimately tremendous quantities of records can be recovered from phones, service providers (including the operators of mobile apps), connected parties (e.g., the recipients of text messages) and so on.

The letter might explain that production of these records might be forced by way of contract (e.g., a BYOD agreement with employees), subpoena, court order, e-discovery under a lawsuit and other legal processes.

These warnings and explanations could influence the decision of an investigative target to cooperate with the investigation.  When the target realizes how much data – even deleted data – might be recoverable, the target may decide it is wiser to come clean voluntarily: tell the truth, disclose all the records and, if necessary, confess.

Is Resistance Futile?

Modern forensics is changing the dynamics of an investigation.  The number of records recoverable in any given incident is so great that witnesses and targets of investigations can be persuaded that resisting or hiding information is futile.

==
*Footnote:  Here is an example true story from Evidence Technology Magazine.
Child abuser Christopher J. Perkins tried to destroy evidence on his iPhone by crushing the telephone with his SUV.  But modern forensic techniques foiled Perkins’ caper.  Clever police detectives (Madison, Wisconsin) were still able to recover incriminating evidence from the device – including a video and a deleted text message.  Christa M. Miller, “A Broken iPhone,” Evidence Technology Magazine, October 2012.