Top 5 Questions Digital Forensics Experts Are Asked About Text Message Evidence

Written by Capsicum Group

The Evolution of Texting 

The first text message was sent in 1994, at a time when phones were without keyboards and the sender had to type the message on an actual computer. Over the last 23 years, text messaging (texting, lol) has quickly become one of the most popular forms of communication. Whether for work or for personal communication, texting is easy, accessible, fast, and efficient. Most people feel a wave of anxiety any time they forget their phone at home or, even worse, their phone gets stolen or lost. This is to be expected: our phones house the data of our daily lives, including internet browsing, photographs, applications, social media, email, and, of course, text messages.

Digital Forensics Experts Weigh In on Text Message Evidence

Technology has advanced by leaps and bounds since 1994. As a digital forensics company specializing in mobile phone forensics, we are often asked to look at a client’s mobile device (smartphone, tablet, or other smart accessory) even before data from a subject’s PC is brought into question. As cellphone companies offer new devices to consumers at least annually, and operating system updates almost weekly, digital forensic tools must constantly adapt and advance alongside these changes.

What Digital Forensics Specialists Have to Say About Recovering Texts

Here are answers to the top five questions we get asked when addressing forensic analysis of cellphone data. (A quick caveat: these are generalized answers; device make, model, capacity, usage, and condition will greatly affect text message findings.)

#1: Where are cellphone text messages stored?

Text messages are stored in a database maintained on the device, which is designed to track whether a message has been delivered, read or deleted. This database also stores information about the message attachments, such as pictures, video and audio. Our forensic tools are designed to extract these messages into a standard format for processing, searching and review.

#2: How far back will text message chains go? 

This truly depends on the size of the device's storage and how full it is. Since each mobile device we encounter offers a different amount of storage space, the timeframe retained is variable. The user's usage patterns also come into play: the frequency with which a user sends text messages can shorten the lifecycle of existing text messages on the device when the need for storage space arises.

#3: Are deleted text messages recoverable?

How far back can deleted text messages be recovered? When a text message is deleted, the message itself will disappear from the text thread. However, the entry is marked in the cellphone database as “deleted” and, while it is inaccessible to the average user, it can be recovered for a short period. Over time, as the user sends and deletes text messages, the space for deleted entries will be reused and the messages that were deleted in the past will eventually become overwritten. This process means that a message that was deleted six months ago could quickly become unrecoverable from the device’s database. It should also be noted that during this deletion process the message's metadata, which captures details that could include transmission date, to/from names and phone numbers, along with other information, may not remain intact. The sooner the device is forensically imaged, the better.
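The lifecycle described above can be reproduced on a small scale. This is an added example, not part of the original article or Capsicum's tooling; it assumes the message store is an SQLite file (as iOS's sms.db and Android's mmssms.db are), uses a hypothetical `message` table with constructed sample messages, and relies on SQLite freeing a deleted record's space without zeroing it when `secure_delete` is off.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the table layout is hypothetical, not a real phone schema.
MESSAGES = [
    ("+15550100", "Lunch at noon works for me."),
    ("+15550101", "Wire the deposit before Friday."),
    ("+15550102", "Running ten minutes late, sorry."),
]
DELETED_BODY = MESSAGES[1][1]


def raw_contains(path, text):
    """True if the text is present anywhere in the raw database file."""
    with open(path, "rb") as fh:
        return text.encode() in fh.read()


def visible_bodies(conn):
    """Message bodies that a plain SQL query (the user's view) still returns."""
    return [row[0] for row in conn.execute("SELECT body FROM message ORDER BY id")]


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "messages.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")  # freed bytes are not zeroed
        conn.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        conn.executemany("INSERT INTO message (sender, body) VALUES (?, ?)", MESSAGES)
        conn.commit()

        conn.execute("DELETE FROM message WHERE body = ?", (DELETED_BODY,))
        conn.commit()
        result = {
            "visible_after_delete": DELETED_BODY in visible_bodies(conn),
            "in_file_after_delete": raw_contains(path, DELETED_BODY),
        }

        # A later message of the same size is written into the freed slot.
        conn.execute("INSERT INTO message (sender, body) VALUES (?, ?)",
                     ("+15550103", "x" * len(DELETED_BODY)))
        conn.commit()
        result["in_file_after_reuse"] = raw_contains(path, DELETED_BODY)
        conn.close()
        return result


if __name__ == "__main__":
    print(run_demo())
```

The deleted body is gone from query results immediately but stays in the file's raw bytes until the next same-sized message lands in the freed slot, which is why continued use of the phone shrinks the recovery window.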

#4: How should text messages be produced?

Text messages are tricky when it comes to producing them. There are a few complications with this medium that should be addressed as soon as the parties realize texts will be used as evidence. First, considering how far back a text message thread could go (potentially years), it is important to understand how large such a production could be. If you decide to search text messages for specific terms, do you want to include surrounding messages to provide context? How far back and how far forward? The format in which review tools present text messages can also differ greatly. Is what is needed one lone document with thousands of pages addressing a single thread, or just a single bubble? Capsicum can assist you in answering these questions and making your collection a successful one.

#5: Can you recover messages from applications such as WhatsApp, Snapchat, Wechat, Kakao, Line, etc.? 

In most cases the answer is yes. Again, you will need to keep in mind the time period from which you would like to capture data, as well as what may have been done to manipulate it (i.e. deletion). Messaging apps don’t all have the same data policies. Often this will affect where, how, and for how long data is stored, as well as the possibilities for recovery.

For these reasons and more, it is important to have a digital forensics expert image a cellphone as soon as possible in order to preserve text messages. People tend to be more casual about the contents of text messages, quickly composing and hitting “send” without a thought to their recoverability.