There’s More Than One Way to Lay a Foundation: Retrieving Short Message Data

Feb 8, 2024 9:04:00 AM / by Adam Arnold

More than 23 billion text messages were sent from cell phones daily in 2023. Consequently, the collection of messages will likely be a topic of conversation during a litigation or investigation. After balancing the issues of the case, the ability to obtain information from other sources, the potential relevance of cell phone data, and the time consuming and costly nature of cell phone collection, collection may be needed. Proper data collection and handling of messages is difficult, especially without a vendor qualified to handle this type of data. This is compounded by the fact that sending and receiving messages can occur over a wide variety of communication platforms, with more coming online every year.

Messages come in a variety of flavors

There is a proliferation of cell phone messaging platforms and apps. From corporate messaging systems, like Slack, Teams, and Twist to messaging apps like iMessage/SMS/MMS, WhatsApp, and WeChat to social media-based messaging like Snapchat, Facebook Messenger, and Signal, each of these types of messaging systems may be in play in the right case. What’s more is that while all these apps may be present on a device, many of them are irrelevant to a case, but contain highly personal information. Therefore, understanding the landscape of what is potentially relevant and what is not is critical prior to collection or at least prior to review.

*** Pro tip: Several messaging platforms can collect messages independently from cell phones (and those collections would be more robust than collecting from a cell phone). This is especially true for Slack, Teams and e-mail.

Collection Considerations

Traditionally, data collections from mobile devices required a custodian to send their device to a forensics lab - you can imagine how many people dug their heels in when it came to parting with their phone. This is not necessarily the case anymore. Born of necessity during COVID and in response to the understandable pushback from custodians, remote collection of cell phones essentially became the industry default. There are still discrete situations, though, in which a device may need to be sent to a lab, or a technician may travel on-site to collect, but those situations are increasingly rare.

The phrase “forensically sound” gets tossed around frequently in the context of data collections. This refers to the software and workflows digital forensics providers use to preserve and collect electronically stored information (ESI, such as messages) in a manner that preserves metadata. It allows data to be validated and heightens defensibility. A simple screenshot does not meet this standard as the screenshot is easily fabricated and does not contain the metadata used to pinpoint the time of the message.

There are multiple ways in which messages may be collected; each option carries respective advantages and disadvantages:

*** Pro tip: The collection methodologies available for a particular phone depend on the manufacturer, type, and software version.

  1. Targeted Collection: In a targeted collection, certain types of ESI can be selected (for example, iMessages/SMS/MMS data) and other data may be excluded (for example, Facebook Messager data). This can be great for addressing privacy concerns and reducing the cost of hosting the collected data. The disadvantage of this collection methodology is the possibility of having to go back to the custodian and recollect data if the scope of discovery expands. Given custodians’ apprehension to have strangers look at their phones combined with the two-year upgrade cycle of phones, this may be difficult to do.

  2. Whole Device Image: Apart from targeted collections, you can image the whole device. This type of collection would capture everything on the device and would allow one to gain insights on when apps were used, what types of apps were present on a device and depending on the device type and software type can provide further insights on deletion and calling activities.

  3. Backup Collection: A collection can occur without even having access to the device. This type of collection is limited to the data that is backed up to the cloud or to another device (e.g., synced with a computer). These are limitations to what is available in this type of collection, so it is important to tell your vendor what you agreed to provide to the other side, to understand the backup schedule for the custodian, and to know how many backups are available.

*** Pro tip: depending on the nature of the collection, it may be a good idea to collect any sync data as well. This is cloud-based data that allows, for example, the same text thread to appear on your iPhone and your iPad.


There are also many options regarding how collection occurs

Once the data has been collected, the case team can opt for a high-level report. This may come from the software used in the collection, like Cellebrite or Axiom. Tools like this can give you search term hits, lists of contacts, and other basic information, but usually don’t offer Boolean searches.

Some forensics providers are developing Early Case Assessment (ECA) software; for example, our partner Downstreem created StreemView. Tools like this can provide deeper insight, and they allow for converting the data into near-native form. In the Stone Age of pre-COVID, reviewing text messages was soul-crushingly tedious because texts were exported into Excel. This made it difficult to follow along since your brain is used to little blue and green bubbles. Finally, note that while these ECA tools are helpful, coding texts as responsive or privileged and making a production require exporting the data into an eDiscovery platform.

There are a wide variety of use cases for message data and a wide variety of options on how to collect that data and you do not have to navigate these waters alone.

If you want assistance with your particular eDiscovery issue, reach out to hire us… we can help.

Disclaimer: Obviously, we are not your lawyer and not your eDiscovery professional. That only happens after we have a signed engagement letter or agreement. As such, the information provided in this document does not, and is not intended to, constitute legal advice, predict a result, or describe how you should handle your specific eDiscovery or legal issue. Instead, all information and content is for general informational purposes only. eDiscovery changes fast, so Information in this document may not constitute the most up-to-date legal or other information. 

Tags: Data Collection, Data Preservation, eDiscovery, Litigation Support, ESI, Digital Forensics

Adam Arnold

Written by Adam Arnold

Adam was introduced to eDiscovery during his legal informatics certificate studies when he took a course taught by Proteus co-founder and CEO Ray Biederman. Afterward, he joined Proteus as a data management intern, then accepted an offer as a Data Analyst upon graduation. He is responsible for collection, tracking, and processing physical evidence, and for defensibility documentation in our matter management software. Outside the office, Adam plays golf, tinkers with computers, and spends time with his wife (Lisa), dog (Reba) and cat (Mia).