Cell phone as smoking gun: In court, few messages are gone for good

When Stephen Baldwin sued fellow actor Kevin Costner in 2012 over a business deal gone sour, lawyers demanded that Costner turn over his phone for a forensic exam. The phone sweep turned up old text messages that Baldwin’s lawyers put before a jury to claim that Costner knew more than he said he did.
The text messages failed to trip up Costner and the jury rejected Baldwin’s claims, but other defendants haven’t been as fortunate when it comes to mobile phone evidence. According to legal forensic experts, phones these days have replaced computers as the most important source of digital evidence — evidence that can be nearly impossible to erase for good.

“The smoking gun is on the cell phone”

In the legal process known as discovery, people identify and turn over documents the other side thinks will help their case. This has normally meant turning over filing cabinets and bankers boxes, but today discovery is more likely to involve laptops, email servers and mobile phones.
Typically, lawyers will ask people to surrender their phones for a few hours to a firm that specializes in storing and scouring digital Smoking Gun and Laptopdocuments. Once the sweep is complete, the phones (and other electronic devices) are returned to the owners, leaving the lawyers to pick through the copied set of phone files in search of a bombshell. Sometimes they find one.
“A lot of the time, the smoking gun is on the cell phone because people are a lot more liberal when texting than on a corporate computer. They’re a lot more off-color when texting,” says Clint Shirley, a partner at New Orleans e-discovery firm Clarity Litigation. He says that at least half of the company’s work involves phones rather than computers.
According to Shirley, mobile phones are so significant not only because people are less discreet on their phones, but also because phones can store far more information than they could a few years ago. The result is that clues from phones, including texts and photos, can provide damning evidence in their own right, or else contribute to a story along with information gleaned from computers and offline sources.
Perhaps surprisingly, it’s not divorce cases where mobile phones are playing the biggest role. Instead, says Shirley, most of his forensic work comes from corporate litigation or from personal injury cases where information on a person’s phone reveals that they are lying about their condition.

Deleted but not gone

The prospect of lawyers coming to sweep your phone begs the question: Why not simply delete everything incriminating before they arrive? There are two reasons this could be a poor idea. First, it’s probably illegal because, under the discovery process, courts typically order both sides to preserve all relevant evidence.

“People have shredded documents since the dawn of time, but an erased cell phone is tampering evidence,” says Shirley, explaining that it’s become easier to detect attempts to evade discovery in the digital age.

The second reason is technical. Namely, deleting those damning texts or emails doesn’t mean the firms sweeping the phone won’t find them all the same.

“There have been cases where I’ve recovered 30,000 text messages and 50,000 emails on one phone,” says Lars Daniel, an examiner at Guardian Digital Forensics, who has testified as an expert witness in hundreds of court cases. He explained that simply deleting a text message or email doesn’t destroy it. Instead, other versions of the data remain stored within deeper layers of the phone. Recovering such data — along with things like a phone’s browser history or Dropbox links — often provides incriminating evidence.

There appears to be one way, however, that users can effectively destroy all data on their phone: Telling the device to perform a factory reset. Doing so wipes out the device’s existing encryption key, meaning that even if a file has survived, the phone will no longer be able to read it. Both Daniel and Shirley said that, in the case of iPhones, they have been unable to recover data purged by a factory reset (they did not refer to Android devices but the process would appear to be the same).

A factory reset will purge data but investigators still can, however, determine the date of the reset — a potentially incriminating piece of evidence in and of itself. And in many cases, the data still won’t be gone entirely — many mobile phone users will have synced the phone data to a computer or to a backup service like iCloud, where it can easily be retrieved.

Even “disappearing” apps don’t vanish

The popularity of vanishing message apps like Snapchat has soared in recent years. Snapchat, for instance, lets you send a text or a Snapchat logophoto that disappears from the recipient’s phone a few seconds after they open it.

While the rise of vanishing messages may reflect a social desire for ephemeral communication, they can also serve a more pragmatic purpose: keeping a lid on things. The target market for a new app called Confide, for instance, is executives who want to discuss sensitive issues without leaving a paper (or digital) trail. Like Snapchat, messages from Confide disappear as soon as they’re read.

But while the idea of “disappearing” messages may appeal to those who want to keep their communications out of court, it turns out that these messages can also be retrieved.

According to Clint Shirley, Guardian Digital Forensics has routinely recovered Snapchat messages from a variety of digital devices, including iPads, and doing so isn’t difficult. (He was unfamiliar with the Confide app so it’s unclear if messages can also be retrieved from that or other disappearing message apps).

This reinforces the idea that nearly every communication on a mobile phone is permanent and that — short of resets or throwing it in the river — there is little a person can do to keep its contents out of court.