Need Forensic Text Message Extraction
August 15, 2011 3:04 PM

I am an attorney. I do employment law. I have a sexual harassment case where my client is the victim. There are potential criminal aspects to this case. I need to know how best to preserve text messages and to prevent them from being deleted.

I am need of information on software and techniques for saving cell phone text messages with an emphasis on forensic use. I have little to no experience and although there appears to be plenty of software, I have little idea what is what and what is cost effective.

Any advice would be good. I am unaware of the provider.
posted by Ironmouth to Technology (33 answers total) 13 users marked this as a favorite
 
Not a personal endorsement, as I have never employed their services, but you could check out Guidance Software. I have no financial stake/interest in the business, but I do know people that have/and still do work there (though I haven't spoken to them in years). From what I understand, they are the best in the business of digital forensics.
posted by Bohemia Mountain at 3:13 PM on August 15, 2011


Bitpim. http://www.bitpim.org/

It's free. You'll need to also download a driver specific to the phone in question. Instructions are on the site.

You'll also need to get a phone-to-USB cable that fits the phone. I found one for my phone on Amazon for about two dollars. A much better deal than the phone company would offer.

As far as forensic preservation goes, I don't know what - if any - technical or legal requirements there are for forensic preservation, provenance, or what have you. Bitpim stores pretty much all the information you need about the messages - dates, times, etc. From a forensic standpoint, I think you may be able to make a bit for bit copy of the SMS data, but I can't imagine that would be necessary for labor law purposes.

I use Bitpim to store SMS messages for legal purposes, but I am not a lawyer. Just for my own protection.
posted by Xoebe at 3:39 PM on August 15, 2011


Response by poster: I think you may be able to make a bit for bit copy of the SMS data, but I can't imagine that would be necessary for labor law purposes.

to clarify, the conduct is likely criminal under federal law. If this makes a difference, any advice you may have could help.
posted by Ironmouth at 3:47 PM on August 15, 2011


Also not a personal endorsement. But a quick search for your request turned up a few hits. There are more than a few companies out there that offer the service.

Generally it seems to work by accessing your phone and monitoring incoming messages. Not sure how it would work for messages that have already been received. I also don't have any idea as to the validity (legally) of messages that are extracted this way.

Of course, YANML. But that is OK, because YAAAAL (You Are Already Are A Lawyer).

Here are a couple I found.

treasuremytext.com
dexrex.com
mobilespytool.com
posted by lampshade at 3:51 PM on August 15, 2011


A good technique in addition to digital preservation is to record a video in which someone speaks a timestamp, and then shows the evidence to the camera, and then digitally preserves the evidence. In addition to the added credibility it probably is more easily understood by jurors.
posted by michaelh at 3:52 PM on August 15, 2011


If you know the NPA/NXX for the phone (area code & phone number), you can probably determine the carrier via online search. Alternatively, your own customer service may be able to find it. Then send a letter to the carrier making out a possible law enforcement need for the texts and providing whatever appropriate warnings you feel are necessary to preserve against spoliation issues that might harm your client's interests.

You can try to get the text messages themselves with a subpoena duces tecum, but my experience in California is that this is very hard to do. Carriers routinely deny to me that they have any such records, which of course they always seem to have if the party asking happens to be the Government... (But I digress.) Without this info, you might have some foundational issues, especially where the opposing party can claim 5th Amendment protections and may not be available for examination sufficient to lay your foundation. I have been able to successfully introduce texts as evidence at some kinds of hearings here in California. (P&A available if helpful.)

Aside from that, I'd strongly consider getting an expert to extract the info and prepare a report. Such experts can also advise you about whether you should preserve the phone (and have your client get a new one) to avoid altering its state any more than necessary.
posted by Hylas at 4:01 PM on August 15, 2011 [1 favorite]


Stroz Friedberg is also good and has local DC offices.
posted by procrastination at 4:23 PM on August 15, 2011


If you haven't been in touch, on a legal basis, with the cellular carrier(s) in question, you should be. First. Like in, way before trying to save messages off a client phone, yourself.
posted by paulsc at 4:30 PM on August 15, 2011


Best answer: There are a bunch of different issues floating around here, both legal and technical.

First, from a “what do you personally care about” perspective, your first concern is probably preserving the evidence in a way such that it is admissible in whatever proceeding you’re going to use it in. The degree of effort this requires (in and of itself) will depend on what witnesses you have available, and in particular whether you’ll need to call forensics guys (or phone carrier custodians of records) to authenticate your stuff. (See generally Judge Grimm’s treatise opinion in Lorraine v. Markel, 241 F.R.D. 534).

You also should care about satisfying your duty (and your client’s duty) to preserve relevant electronically stored evidence. I won’t cite you the ediscovery spoliation cases (PM me if you need more info) but suffice it to say there’s a lot of digital ink spilled about this, and concomitant risks. LOTS of risks.

Technology to preserve data on phones ranges from glorified cameras (that snap pictures of the phone’s screen) to bit-by-bit imaging of the storage media used by the phone. The usability of any of that technology varies depending on the type of phone involved. The desirability of using any particular technology depends on how you’d plan on authenticating the evidence and what the demands of the case are. (How to apply concepts of proportionality (see generally FRCP 26(b)(2)(B) and pretty much anything from The Sedona Conference) to preservation is one of the hot-button ediscovery topics, and in fact is also the subject of ongoing meetings of the Rules Advisory Committee.)

Most forensic consultants (who do hard drive imaging and analysis) will happily do a “forensic” acquisition from the phone. This may be nothing more complicated than running bitpim on it – but what you are really buying is the ability for the forensic guy to testify for you regarding chain-of-custody and (hopefully) using a repeatable, defensible methodology. (Reality is that they may be figuring out the bitpim or Cellebrite or whatever settings for that particular model of phone, anyway. YMMV depending on phone model and forensic guy experience.)

While I do not want to offer an opinion on the suitability of any particular vendor, I will offer that Guidance PSD, Stroz Friedberg and the like are what I would normally consider the “Cadillac” preservation options and the pricing for their services (hourly or otherwise) is going to be on the high end of the scale.

One HUGE danger I have seen in this field is that if you decide to “do it yourself” in any way, if you (the attorney) are the one doing things, you are potentially inserting yourself into the chain-of-custody, and potentially making yourself a witness if you’d ever have to testify to prove up chain-of-custody or if the methodology gets questioned.

IAAL and I practice in this field, but (hopefully obviously) I’m only talking about cell phone preservation/acquisition issues in general and I have no desire to create any type of attorney-client relationship with you or your client.
posted by QuantumMeruit at 4:36 PM on August 15, 2011 [20 favorites]


I'm impressed at the answers above.

IANAL, but can you not ask/consult with someone who might prosecute such a case or would be prosecuting this case? I can see you're trying to do some of their work for them, but it's hard to tell whether they'd actually find this helpful.

Also, the phone carrier may have a record of the messages in question. Talk to someone who handles that aspect of it on the carrier's end. Then the client's phone, and the client, are not an issue as far as this evidence goes. I remember an infamous cocaine dealing prosecution case that hinged on text messages in the last 18 months or so at a US university. If I recall, the messages came from the carrier, not the accused's phone.

Good luck!
posted by thenormshow at 4:57 PM on August 15, 2011


PaulSC has the right idea. The phone really doesn't much matter here, the carriers already know exactly what text messages (sender/receiver and the contents) went over their networks. Subpoena their records, and the phone doesn't much matter (and in fact, your client could theoretically have tampered with her own phone - On my cell phone, I could fake a stored text message from whomever and saying whatever I wanted).

That said, to answer your direct question - It entirely depends on the phone itself. With most of them, you can do a perfect rip of their contents to an image file on a PC; Keep in mind that despite the ease of that step, you would still need a way to extract the desired data from that image dump.

Such a dump would matter more for something like pictures, where they might only exist local to the phone rather than having gone over the network, but I suppose it would give you something to fall back on when AT&T threatens to waste the next 20 years of your life in appeals if you actually want them to do something to help you.
posted by pla at 5:02 PM on August 15, 2011


IAAL and routinely face e-evidence preservation issues. Quantummeruit is right on.
posted by wuzandfuzz at 5:21 PM on August 15, 2011


Best answer: At the risk of threadshitting, advice to subpoena the provider really misses the mark. I feel comfortable saying that, hypothetically speaking, if a lawyer ignored preservation of his own client's cell phone data and focused solely on trying to acquire records from the cell phone provider, and the client's cell phone data subsequently were overwritten or otherwise rendered inaccessible, the hypothetical lawyer in question would open himself up to a malpractice claim.

The availability of equivalent, responsive data from other sources does NOT absolve a party of their duty to preserve potentially responsive electronically stored information.

It may be good litigation strategy to attempt to obtain corroboration from the provider's records. However, provider responsiveness to third-party civil subpoenas can be spotty (you generally fall in line behind the high-priority criminal investigations) and if time has passed, you run the risk that the provider has not retained the information. Providers also routinely invoke the Stored Communication Act as a reason to decline providing the content of stored communications (such as emails). I've never run into the issue with respect to text messages, but wouldn't be surprised if they assert a similar response.
posted by QuantumMeruit at 5:30 PM on August 15, 2011 [2 favorites]


QuantumMeruit : At the risk of threadshitting, advice to subpoena the provider really misses the mark. I feel comfortable saying that, hypothetically speaking, if a lawyer ignored preservation of his own client's cell phone data and focused solely on trying to acquire records from the cell phone provider, and the client's cell phone data subsequently were overwritten or otherwise rendered inaccessible, the hypothetical lawyer in question would open himself up to a malpractice claim.

YAAL, and IAN, so I'll entirely defer to you on the legal aspects of this.

But as an IT professional, I would always trust something the end user does not control, over something they do. ;)

I don't suggest that as the "lazy" way out, but as the most reliable.
posted by pla at 5:50 PM on August 15, 2011 [1 favorite]


At the risk of threadshitting, advice to subpoena the provider really misses the mark.

Actually, the discovery issues aside, relying upon the carrier is a really bad idea because, having looked into almost precisely this issue myself, most cell providers don't keep records of texts sent over their networks for more than thirty days. You can certainly get the number of texts--they do want to bill you after all--but even getting data on where they went to/came from can be iffy.

Go with QuantumMeruit's advice.
posted by valkyryn at 6:05 PM on August 15, 2011


Best answer: IAAL, I do this stuff too, I agree with QuantumMeruit, especially with respect to not making yourself a witness in your own case. But, hiring experts can be expensive. So, if the messages are still in the phone, maybe the best thing to do is to tell your client not to use the phone and have him/her put it in a locked, safe place for now. Then, if this is a federal case, bring the phone up in the Rule 26 conference, and come up with a plan with opposing counsel for how to handle it (on the defense side, we regularly worked with plaintiff's counsel on preserving hard drives when necessary; or agreed that we didn't need to do that; or whatever, every case being different). That only works if the counsel can work together, which maybe you can't.

Alternatively, have the client put the phone somewhere safe, etc., and then contact the feds if you're going that way. They'll know how to do this.

Since you have no experience in this yourself, I wouldn't try to forensically save the stuff yourself - you're likely to end up a witness, and you might accidentally lose something. Which would be a nightmare under the electronic discovery stuff - sanctionable nightmare.
posted by dpx.mfx at 6:20 PM on August 15, 2011 [1 favorite]


If it's an iPhone you can just take screen shots of the text messages in question by pressing the power button and the home button at the same time. Then you probably also want to get the phone bill for that month that would corroborate that the text was indeed sent/received at that time.

If you don't back it up with the phone statement, it would be incredibly easy to fake.

Hell, you could probably just take digital images of whatever phone it is and use the phone bill to back it up as well.
posted by darkgroove at 7:05 PM on August 15, 2011


Can't overemphasize the whole chain of custody remark above. It's easy to get SMS messages off of any cell phone. How do you prove that the messages weren't altered? That they are intact, complete. That nothing got accidentally deleted? That they were the actual messages and that you or your client didn't doctor them up?

The only way to protect yourself against such claims I think would be to shell out the bucks for a professionally licensed and bonded forensic service to extract the messages and certify them. And BTW it's just about as easy to put messages on the cellphone as to extract them (as I think one responder already alluded to). If I have your phone I can in a few minutes put any SMS message I want on it, so you are going to have to correlate them somehow with the cell phone provider or else your opposition is going to hire someone like me to show up in court and show how easy it is to alter any SMS message on a cell phone in someone's possession. FYI.
posted by Poet_Lariat at 9:37 PM on August 15, 2011


I am a digital forensics student on placement with a forensics company, specialising in mobile phones. I am exactly who you need.

Unfortunately I'm in the UK so I can't specify which companies you should go to in the States if that's where you are.

The very first thing you need to do is preserve the phone from any additional changes. This is generally done by turning it off and placing it in a sealed tamper-evident bag, and recording the time and date you did so.

You absolutely must get a professional phone examiner to do this job for you, if the laws are anything like the ones in the UK. Mobile phone examinations are always what are known as 'live' examinations, because the phone has to be switched on in order to extract data. Any action taken that changes data must be, by law, taken by someone qualified to and capable of explaining exactly what those changes are, how far they extend and how they came about. The relevant guidelines for UK practice are here if you want to look through them, the U.S. ones will be very similar.

In the UK, mobile network providers generally do not store the content of SMS messages, only the time/date for billing purposes. Therefore if SMS is your main source of evidence, the phone is your prize exhibit.

As for how to know whether you're getting a quality service, I can't point you at specific companies - other than to say that Guidance Software as mentioned before is certainly the king of the heap in dealing with computers - but the tools my company uses are .XRY by MicroSystemation, and UFED by Cellebrite.

Please, if you need to ask anything about the process rather than the exact points of law (IANAL obviously and your laws may differ in some respects anyway), memail me. And if you're in the UK, I can speak to my boss about taking on another job :).
posted by fearnothing at 10:30 PM on August 15, 2011 [3 favorites]


Best answer: Oh, and all the advice you've gotten about tools you can use to connect to the phone are a REALLY BAD IDEA. Forensic tools MUST employ write blocking, preferably at the hardware level to ensure the data is correctly preserved. Freebie tools for people to copy their texts onto their computer WILL NOT DO THIS.
posted by fearnothing at 10:36 PM on August 15, 2011 [1 favorite]


Forensics aren't my specialty but I am an infosec professional. Chain of custody, true bit-for-bit copying & preservation of the original all dictate that under no circumstances should you run any tools yourself on the phone. Leave it to a court-certified forensic examiner. In the meantime, keep the phone off, put it in a sealed envelope with your signature, time & date across the seal & store it in as secure & limited access a place as you can manage. A safe would be nice but a locked drawer or cabinet will do.
posted by scalefree at 10:52 PM on August 15, 2011


Maybe I'm just being ornery when faced with this thread, but ARGH.

No, no, no, no NO. Advice upthread implying an absolute forensic requirement is objectively wrong and incorrect when applied in the context of civil litigation.

With respect to the posters, this situation is identical to the fearmongering several years ago by the forensic examiners who went through some basic Encase or FTK training, and started telling lawyers that "the only way to get data off of a PC in a forensically sound manner is to take a bitstream image". That advice was wrong then, it's wrong now and it continues to be wrong for small-scale digital devices.

Forensics has a place in civil litigation. It has a place in small-scale digital device exams. But just because you have some tool from Guidance or FTK that does "forensics" on the cell phone doesn't mean that it's the only tool that is "valid".

To the OP and anyone else who's interested, read Lorraine v. Markel. This is a bread-and-butter evidence question (although many trial attorneys don't get it).

Lawyer: Mr. Smith, I'm handing you what's been marked as Plaintiff's Exhibit 5. Do you recognize it?
Smith: Yes.
Lawyer: What is it?
Smith: It's a picture of my cell phone.
Lawyer: And did you regularly receive text messages on that cell phone?
Smith: Of course, yes.
Lawyer: Please describe what's visible on the phone's screen in Exhibit 5.
Smith: It's a picture of a text message I received on August 5 of last year.
Lawyer: And is it a true and accurate representation of the way the phone was on August 5?
Smith: Yes.

Hey, guess what. I just authenticated a picture of a text message. Admitting it into evidence may still be tricky (I still have a hearsay problem, so getting the text message admitted for the truth of the matter asserted is an issue.)

I may have a weight of the evidence problem, however. My witness is subject to cross examination, and if the other attorney knows what he's doing and this issue is important enough, he'll introduce evidence that would show how easy it is to fake the messages.

Law enforcement examinations require very exacting chain-of-custody documentation because if you seize data from a suspect, you cannot force the suspect to testify against himself (to authenticate the information that came from his own device). Breaks in the law enforcement chain of custody mean that the evidence can't be authenticated. (I leave it as an exercise to the reader to come up with ways in which a different witness could authenticate files from a seized computer.) HOWEVER, in the context described above by the OP, he has HIS OWN CLIENT to authenticate the text messages, and theoretically HIS OWN CLIENT would testify regarding the accuracy of any captured text messages. In the vast majority of civil cases that get tried, no testimony from forensic examiners is necessary because you get the information admitted another way (and oftentimes it gets stipulated).

But the bottom line is that in civil litigation, I don't go around taking forensic disk images for every case, nor do I break out the cell phone forensics for every case. Quick-and-dirty acquisition/preservation techniques MAY be perfectly acceptable, once the lawyer in question applies their judgment about the cost of the various acquisition/preservation techniques.

By way of example, last week I preserved a voicemail by pointing an audio recorder at the speakerphone of the phone console. Quick, dirty, analog, lossy -- but also cheap and my advice to the client was that it was eminently defensible given the logistics involved with extracting a digital copy from the (ancient, non-integrated) voicemail system. (I hashed the file and created a declaration for the voicemail recipient to sign, BTW.)

Finally, someone who may be more up-to-date on the state-of-the-art of SSDD forensics please correct me if I'm wrong -- but for many models of phones there is no such thing as a "write blocker" or "bit-by-bit" copying. Many of the "forensic" tools that are out there actually connect to the phone, query it via AT commands and receive the data dump over the USB cable. (The tools then parse the data dump into a nice looking database, and then run some hashes for your chain-of-custody.)

As far as I understood, "true" digital forensics (enabling recovery of deleted items) is in fact available for some devices (in particular devices which use an SD card with known (i.e. FAT32) filesystems). But for other phones (in particular obscure cheap "dumb" phones), the ability of anyone to do a deleted-item analysis is minimal or nonexistent.

tl;dr. You may be surprised at how cheap a forensically sound acquisition winds up being. However, do-it-yourself solutions may be proportional and still get you admissible evidence, as long as you think things through.
posted by QuantumMeruit at 3:43 AM on August 16, 2011
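QuantumMeruit's point about hashing the preserved file and attaching it to a declaration is the one piece of the thread that is straightforwardly mechanical, so here is an added illustration of that step (this is not code from the thread or from any poster). It builds a manifest of sizes and SHA-256/MD5 hashes for a set of acquired files, records who made it and when, and then re-verifies the files against the manifest so that a later change (even a single byte) is detected. The file names, message text and "custodian" name are constructed placeholders.

```python
# Added example: hash manifest for preserved evidence files, the step
# QuantumMeruit describes ("I hashed the file and created a declaration").
# Not code from the thread; file names and contents below are constructed.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, algorithms=("sha256", "md5")):
    """Return {algorithm: hexdigest} for a file, reading it in 1 MiB chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def build_manifest(paths, custodian, note=""):
    """Record size and hashes of each acquired file, plus who did it and when.
    This is the list a declaration or affidavit would attach."""
    return {
        "created_utc": datetime.now(timezone.utc).isoformat(),
        "custodian": custodian,
        "note": note,
        "files": [
            {
                "name": os.path.basename(p),
                "size": os.path.getsize(p),
                "hashes": hash_file(p),
            }
            for p in paths
        ],
    }


def verify_manifest(manifest, directory):
    """Re-hash every file named in the manifest; report ok / MODIFIED / missing."""
    results = {}
    for entry in manifest["files"]:
        path = os.path.join(directory, entry["name"])
        if not os.path.exists(path):
            results[entry["name"]] = "missing"
            continue
        current = hash_file(path, tuple(entry["hashes"]))
        results[entry["name"]] = "ok" if current == entry["hashes"] else "MODIFIED"
    return results


def demo():
    """Constructed walk-through: acquire, hash, sign off, then detect a later change."""
    with tempfile.TemporaryDirectory() as acq_dir:
        # Constructed stand-ins for a text-message export and a voicemail recording.
        sms = os.path.join(acq_dir, "sms_export.txt")
        vm = os.path.join(acq_dir, "voicemail.wav")
        with open(sms, "w") as f:
            f.write("2011-08-05 14:02 from +1-555-0100: (constructed message text)\n")
        with open(vm, "wb") as f:
            f.write(b"RIFF" + bytes(64))  # constructed placeholder bytes, not real audio

        manifest = build_manifest(
            [sms, vm],
            custodian="example custodian (constructed)",
            note="acquired from client handset, handset returned to sealed bag",
        )
        # The JSON manifest is what gets printed and attached to the declaration.
        manifest_json = json.dumps(manifest, indent=2)

        before = verify_manifest(manifest, acq_dir)

        # Simulate an accidental edit after sign-off: one byte appended.
        with open(vm, "ab") as f:
            f.write(b"\x00")
        after = verify_manifest(manifest, acq_dir)

        return {"before": before, "after": after, "manifest": manifest_json}


if __name__ == "__main__":
    out = demo()
    print(out["manifest"])
    print("verification at sign-off:", out["before"])
    print("verification after change:", out["after"])
```

Two hashes are recorded rather than one so that the manifest stays useful if a reviewer only accepts one of the algorithms; the verification step re-hashes with exactly the algorithms the manifest lists, so a manifest produced with SHA-256 only will still verify.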


QuantumMeruit is probably right, but it would seem to me that the best way to ensure the evidence is as strong as it can be is to use the most trustworthy means of preservation. Take pictures, get the forensic extraction, and have the cell provider's records that show that the texts as they exist in the phone match what went through their system. Belt and suspenders seems the best approach.

An important thing to consider and protect for is how the phone identifies the sender of the text. In my phone, if the phone number is in the address book, it only shows whatever name I put in the phone book. So having matching records from the phone company seems important.
posted by gjc at 7:27 AM on August 16, 2011


Best answer: Best practice if you're in possession of evidence relevant to a criminal prosecution? Call the police and turn it over to them. Each jurisdiction has their own procedures.

I am a prosecutor. We deal with text messages all the time. In our jurisdiction, we take a photograph of the cell phone screen and have the person who received the text message authenticate it, through Q&A.

"I am familiar with the contents of this photo, it is a photo of my cell phone, taken yesterday, the photo depicts text messages, I received these texts from xxx-xxx-xxxx. The date and time I received the text is below. I know that number to belong to John Doe."

You pair this with business records - namely the defendant's cell phone bill that shows time and date of messages sent. Call a rep from the phone company or get a detective to testify.

That's one way to do it. If you have trouble proving the defendant possessed the phone or that he wrote those messages or his phone was hacked, etc etc, then you need some forensics involved.
posted by abdulf at 8:15 AM on August 16, 2011


Response by poster: Incredible answers. We are way far out from discovery--I just got the case Friday. I'm worried about spoliation. This is also the Client's personal phone. I'm going to have to twist my head around this one.

Thanks so much. Not just from the technical standpoint, but also from the standpoint of how the technology plays into discovery issues.
posted by Ironmouth at 9:33 AM on August 16, 2011


Response by poster: I cannot even file for some time as there is an entire administrative procedure involved. Normally, my practice with E-mails is to just use the copies as a guide and subpoena the originals. However, I am concerned with the issues in question.

Right now the criminal side is important and abdulf you are so helpful on this aspect. I want the bad guy prosecuted if it helps my client's case.
posted by Ironmouth at 9:37 AM on August 16, 2011


If your client feels like they need the phone, maybe get a burner and transfer the number to that? That way you can leave the phone with the evidence turned off and in an evidence bag.
posted by ob1quixote at 10:21 AM on August 16, 2011


A caveat to my reply, QuantumMeruit makes a good point that forensics may be disproportionate to your needs. And he's technically correct that mobile phone forensic tools don't write-block, however they are designed to only allow commands to be sent to the phone that either a) do not change any of the contents or b) only change the contents in a specific and known way. Tools for the casual user may adhere to this principle, but forensic tools are backed up by the weight of experts in the field recognising them as being forensically sound.

Please look at my advice from the perspective that my training has emphasised how easy it is for a defence lawyer to discredit evidence obtained by somebody who doesn't know exactly what they're doing.
posted by fearnothing at 10:31 AM on August 16, 2011 [1 favorite]


Response by poster: Leaning towards just physically isolating the telephone and combining with an affidavit.
posted by Ironmouth at 2:57 PM on August 16, 2011


Response by poster: A follow up. If we save the phone (client is eligible for an upgrade), how do we control auto delete when it's turned back on? I just don't want the phone to delete the texts. I just learned it is an Android smart phone.
posted by Ironmouth at 4:52 PM on August 16, 2011


Best answer: IANAL but I am married to a senior manager at an e-discovery/litigation support firm, and take an active interest in such technology - not least since I am now studying law.

My advice would be isolate the phone for now, then pick up your local trade paper and hire a professional - unfortunately I can't tell you which firms are good or bad in the DC area. Yes, that's going to be expensive for your client; most forensics people I've met charge a pretty penny. My wife's firm would charge you something like $1000, even though there is very little actual work involved.

What's involved here for practical purposes is connecting the phone to a computer via USB and copying the data off it. It's a small computer and any forensics tech will have the same tools that a phone developer would have from the operating system publisher.

But you are right to be worried about spoliation - it's a fast track to sanctions, or worse. QuantumMeruit's points notwithstanding, if you've never had to do this before then you should probably pay someone to hold your hand if this requires anything more complex than a deposition. Only you can make a good determination about the defensibility of your information-gathering in this particular case.

I just learned it is an android smart phone.

If you are comfortable operating the phone yourself or having the client do so, then go to the messaging app (a rectangular green speech bubble with a smiley face), hit the menu button (at the bottom of the phone screen, a little icon of 4 stacked horizontal lines), choose Settings, and uncheck 'delete old messages.'

Android has a default limit of 200 messages per conversation (ie, from a single person), then it starts throwing away the older messages. For multimedia messages the limit is 20, but hardly anyone uses those. Unless the phone storage is already full to the brim, it will be able to hold thousands of text messages indefinitely, since they take up very little space. Power state (ie the battery dying) should not have the slightest effect on this.

Since your client is eligible for an upgrade, I'd say get a new one, then turn this phone off, pop it in an evidence bag along with the charger, and stick it in the safe while you figure out your next move.

ARMA is the association of Records and Information Management professionals and could refer you to a bonded firm that specializes in this kind of forensic work. Remember that large firms like large corporate clients, someone like Kroll probably won't get out of bed for under $5,000. Also, get yourself a copy of the ABA's new book Managing E-Discovery and ESI: From Pre-Litigation Through Trial. It came out just a few weeks ago so it's about as current as it's possible to get. At $100 or so, it will likely pay for itself immediately by helping you to cut through the bullshit. It's not rocket science but people in the industry know many lawyers are technophobic and assume there are deep pockets for litigation. See if you can get a discount by saying you'd like to try them out on a small job first.
posted by anigbrowl at 8:11 PM on August 16, 2011


'charge you something like several $1000', I meant to say.
posted by anigbrowl at 8:15 PM on August 16, 2011


Response by poster: These answers are great, people. Thank you so much.
posted by Ironmouth at 10:38 AM on August 17, 2011

