
Targeted Collection of Text Messages vs. Full Forensic Extractions from Cell Phones

A common question about capturing text message data from cell phones is whether it is possible to extract just the text messages, or if extraction of all data on the device is required. Until a few years ago, the answer was that all data generally had to be extracted from the phone. Now, tools allow more targeted collections of certain types of data from cell phones.


Targeted collection involves extracting specific information, such as text messages, from a cell phone without acquiring all extractable data stored on the device. This method is often chosen for its efficiency as it allows investigators to focus solely on the information deemed relevant to an ongoing investigation or legal case. Additionally, the device owner is often concerned about privacy and may be reluctant to allow collection of all data on the device (court orders or subpoenas notwithstanding).


But just because it is possible to limit the collection of cell phone data to certain types of data does not mean it is advisable to do so—targeted collections can have drawbacks and pitfalls.


Risks of Incomplete Context:


One of the primary risks associated with targeted collection of text messages is the potential lack of context. Text messages are often part of a broader conversation, and extracting only text messages may result in a fragmented understanding of the communication. How often has an email thread sparked a side conversation via text messages, Snapchat, or some similar social media communication? Maybe the exchange eventually ends in a telephone conversation, yet the call log was not obtained? A targeted collection may leave behind critical details and nuances that provide context to the messages, potentially leading to misinterpretations or incomplete insights into the situation at hand.


Overlooking Hidden Data:


Targeted collection may overlook separately encrypted or hidden data within the cell phone. As technology advances, individuals are increasingly using encryption methods and secure messaging apps to protect their communication. Focusing solely on targeted text message extraction from the native texting app may result in missing valuable information that could be crucial to an investigation, especially if the parties involved are deliberately concealing their conversations. Each app on the device capable of communicating with other cell phones generally stores communication data in a different location (and in a different format and structure). Extracting the text messages in the native messaging app may leave behind Signal, WhatsApp, Viber, or other messaging data. Similarly, Discord, Slack, and other collaborative apps would also be omitted from the collection. Perhaps even more importantly, targeting solely the text message data will leave behind data necessary to even determine whether such apps were on the phone during the relevant time period (either at the time of extraction or previously).
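The sketch below is an added example, not part of the original article. It checks the file manifest of an Android extraction for the gaps described above. The package names are the apps' public Android identifiers. The `/data/data/<package>/` layout, the use of `/data/system/packages.xml` as the installed-package record, and both sample manifests are assumptions or constructed data for illustration.

```python
# Added example (not from the article). Package names are the apps' public
# Android identifiers; the paths and manifests are constructed assumptions.
MESSAGING_APPS = {
    "Signal": "org.thoughtcrime.securesms",
    "WhatsApp": "com.whatsapp",
    "Viber": "com.viber.voip",
    "Discord": "com.discord",
    "Slack": "com.Slack",
    "Snapchat": "com.snapchat.android",
}
NATIVE_SMS_DB = "/data/data/com.android.providers.telephony/databases/mmssms.db"
PACKAGE_INVENTORY = "/data/system/packages.xml"  # lists installed packages

COLLECTED = "data collected"
ABSENT = "no app data in extraction; confirm against package inventory"
UNKNOWN = "cannot be determined from this extraction"


def scope_report(manifest):
    """Classify what an extraction's file manifest can and cannot support."""
    paths = {p.strip() for p in manifest if p.strip()}
    has_inventory = PACKAGE_INVENTORY in paths
    apps = {}
    for name, pkg in MESSAGING_APPS.items():
        prefix = f"/data/data/{pkg}/"
        if any(p.startswith(prefix) for p in paths):
            apps[name] = COLLECTED
        elif has_inventory:
            apps[name] = ABSENT
        else:
            # No app data and no installed-package record: the examiner
            # cannot say whether the app was ever on the phone.
            apps[name] = UNKNOWN
    return {"native_sms": NATIVE_SMS_DB in paths, "apps": apps}


def unanswerable(manifest):
    """Apps whose use the examiner could not testify about either way."""
    apps = scope_report(manifest)["apps"]
    return sorted(n for n, status in apps.items() if status == UNKNOWN)


# Constructed sample manifests: targeted (SMS only) vs. full extraction.
TARGETED = [NATIVE_SMS_DB]
FULL = [
    NATIVE_SMS_DB,
    PACKAGE_INVENTORY,
    "/data/data/org.thoughtcrime.securesms/databases/signal.db",
    "/data/data/com.whatsapp/databases/msgstore.db",
]
```

Run against the targeted manifest, every third-party app comes back as undeterminable even though the native text messages were collected.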


Limited Forensic Analysis Opportunities:


We all know that issues in a legal dispute usually change as the matter proceeds. Additional issues and disputes arise, new issues develop, and unexpected turns happen all the time. While a targeted collection may have seemed reasonable at the time, subsequent developments in the case may necessitate a more complete collection later in the case. Not only does this waste resources, but it also introduces the opportunity for the opposing party to argue that data was lost in the meantime.


Choosing targeted collection over full forensic extraction limits the opportunities for a comprehensive forensic analysis of the device and of communications of interest. A full extraction allows an examiner to delve deeper into the device, examining various artifacts and metadata that contribute to a more thorough understanding of the user's activities. This broader analysis is crucial in uncovering patterns, connections, and timelines that may be essential to an investigation. Determinations about the phone’s settings or changes to those settings, whether a device was ever wiped (and, if so, how and when it was restored), whether backups exist, and other activities will be virtually impossible with a targeted collection.  


A targeted collection may leave your forensic expert ill-equipped for proving a negative at deposition or on cross-examination at trial. As an example, look at a situation in which the absence of a text message is an issue. That is, the party that performed a targeted collection points to the lack of communication on a certain issue, about a certain topic, or during a certain time frame. Here is a potential exchange between opposing counsel and the forensic examiner:


Q: So, the only communication you extracted from the defendant’s phone was the text messages?


A: That’s correct.


Q: And those are solely from the resident or native texting app?


A: That’s correct.


Q: So, you did not investigate whether the device used another texting app such as Signal, WhatsApp, or Viber?


A: That’s correct.


Q: So, you cannot testify as to whether the defendant had any communications using Signal, WhatsApp, or Viber, between [Date X] and [Date Y]?


A: That’s correct.


Q: Would the same be true for instant messaging?


A: Yes.


Q: Would the same be true for Discord, Google Chat, or Slack?


A: Yes.


Q: Did you examine the device to determine if it had any game apps that allow texting or IM chats?


A: No.


Q: So, again, you cannot determine whether the defendant had any chats in any gaming apps?


A: Not without performing another extraction.


Q: And you did not extract any messaging from social media apps, such as Snapchat, Instagram, or Facebook?


A: No, I did not.


Q: So, you cannot testify as to whether the defendant communicated about this incident using those platforms, can you?


A: No, I cannot.


Ethical Concerns:


The owner generally continues using the device after the extraction. Data accumulates, is deleted (whether by user action or through the device’s automated processes), and is changed. If it is later discovered that a comprehensive extraction is needed, determining the state of the data on the device at the time of the initial targeted collection could be very difficult, if not impossible, depending on what the new issue is and the degree of use on the device. Spoliation arguments provide distractions that could have been avoided with a comprehensive collection in the first place.


Furthermore, defending the initial targeted collection as reasonable if it is subsequently challenged could be difficult. Did you document why, at the time of the targeted collection, that decision was made as opposed to a more complete extraction? Did you investigate the cost difference between a targeted collection and a full extraction to defend the decision, and can you really defend any cost savings as reasonable? Have you sufficiently documented the decision so you can withstand a subsequent spoliation attack? And here is a more uncomfortable question: Did you apprise your client, who insisted on limiting any extraction to solely text messages, of the possible consequences of such a decision?


Conclusion:


While targeted collection of text messages from a cell phone offers some benefits, including a limitation of the invasion of the device owner’s privacy, it comes with inherent risks that must be carefully considered in each case. A targeted collection is probably better than no collection, if that is the only collection the device user will allow. But the multitude of problems it can cause underscores the importance of evaluating the trade-offs.

In most situations, the recommendation is to collect all data that can be obtained from the device.


In certain situations, targeted collection may be sufficient, especially when time is of the essence. However, for investigations where a comprehensive understanding of the digital landscape is (or may later become) crucial, opting for a more complete extraction ensures a more thorough and reliable examination of the evidence. It serves as an insurance policy against later issues and arguments.

 
