Digital Forensics

Pixels and Perjury: The Alarming Ease of Fabricating Text Message Evidence and What to Do About It

19 July 2024

In an era where digital communication dominates our daily interactions, text messages have become a crucial form of evidence in legal proceedings. However, the reliance on screenshots or pictures of text messages as definitive proof is fraught with risks.

This article delves into the reasons why such evidence is insufficient, exploring the ease with which these images can be manipulated, the importance of proper digital forensics procedures, and the stark contrast between manual examinations and forensic acquisitions.

Creating Fake Text Messages is Easy

While seemingly straightforward, screenshots or pictures of messages are inherently unreliable as evidence. Their susceptibility to manipulation makes them a precarious foundation for legal arguments. There are numerous ways in which these images can be altered or entirely fabricated, rendering them potentially misleading or outright false. Modern photo editing software has made it remarkably simple to alter text message screenshots.

Tools like Adobe Photoshop, GIMP, or even smartphone apps can be used to change dates, times, message content, or sender information. For instance, using Adobe Photoshop, one could open a screenshot of a text message conversation, use the clone stamp tool to remove existing text, and then use the text tool to input new, fabricated content. The color picker tool can be used to match the original text color, making the alteration nearly undetectable to the naked eye.

Beyond photo editing tools, websites and applications exist to create fake text message conversations. These online text message generators allow users to input custom text, choose timestamps, select the cellular carrier and battery level, and even select different phone models for the display.

Popular examples include fakeimess.com, zeoob.com, and geekprank.com. These generators produce realistic-looking screenshots that can be easily mistaken for genuine conversations.

Users can manipulate their device settings to create misleading screenshots even without technical skills. Simply changing the device's date and time before taking a screenshot can alter the timestamp of messages. Similarly, editing contact names before capturing the screen can misrepresent the parties involved in a conversation.

Furthermore, users can selectively capture parts of a conversation, omitting crucial context or presenting an incomplete picture of the exchange. This method doesn't require technical skills but can significantly alter the perceived meaning of a conversation.

Real-World Case Example of Faked Messages

As a digital forensics expert, I have first-hand experience with fake text messages being used as evidence in cases and have testified as an expert in cases on this exact issue.

In one case my team and I worked on, a defendant was sent to jail for violating a restraining order. The evidence submitted by the alleged victim to law enforcement was pictures of messages between them and the defendant. The messages contained many threats, including threats of bodily harm.

We questioned the reliability of these text messages and ultimately proved that the victim had faked them. After spending six months in jail, the charges against the defendant were dropped, and he was released from jail based on this evidence.

The Right Way to Take Pictures of Text Messages

Taking pictures of text messages is within the bounds of digital forensics best practices, but it must be done correctly. The best way to explain the right way is to compare a manual examination with mobile phone acquisitions using digital forensics tools and techniques.

First, we will look at forensic acquisitions to lay a foundation. Then, I'll explain how manual examinations should be performed.

Cell Phone Forensic Acquisitions

In contrast to manual examination, forensic cell phone extractions acquire the device's data from the physical phone itself, providing a more comprehensive and verifiable set of evidence.

Forensic Acquisition Process

  • Forensic acquisition creates an extraction of all recoverable data on the device.
  • This process uses specialized software and hardware to extract all accessible data.
  • The resulting extraction can be analyzed without risking the original device.

Verification Methods

  • Hash Values: A cryptographic hash (e.g., MD5, SHA-1) is generated for both the original data and the copy.
  • These hash values serve as a digital fingerprint, ensuring the integrity of the copied data.
  • Any alteration to the data, no matter how minor, will result in a different hash value.

Advantages

  • Comprehensive data capture, including deleted and hidden files.
  • Verifiable integrity through hash values.
  • Ability to perform multiple analyses without risking the original data.
  • Admissibility in court due to the rigorous and verifiable process.

Cell Phone Manual Examinations

A manual examination involves physically interacting with the device to navigate through its contents, including text messages, while documenting the process. In other words, an examiner uses the touchscreen to scroll through messages, emails, and images.

The documentation is done via pictures and video. The video is a critical component. When a cell phone is acquired using forensic software and hardware, we can generate a hash value that acts as digital DNA. The extracted data is a perfect snapshot in time of what has been recovered, and any attempts to change the data will result in a completely different hash value and, therefore, proof that the evidence has been changed.

A video recording of the entire manual examination process is critical to proving that nothing on the phone has been changed, modified, or deleted, intentionally or unintentionally.

Note that even when done correctly, a manual examination has several limitations. I'll explain the process first, followed by the limitations.

Definition and Process

  • A manual examination involves an examiner physically handling the device.
  • The examiner navigates through the phone's interface, accessing relevant applications and data.
  • Each step is meticulously documented through photographs and video recordings.

Example of a Manual Examination

  • Photograph the powered-off device from multiple angles, capturing identifying features.
  • Begin video recording of the examination.
  • Power on the device.
  • Navigate to the messaging application.
  • Scroll through a conversation and take pictures of the messages.
  • Take additional photographs of specific conversations and other data as needed.
  • Complete the examination and end the video recording.

Documentation Requirements

  • Photographs: Detailed images of the device, including its make, model, and condition.
  • Photographs: The pictures taken of the messages, emails, images, and other contents on the phone.
  • Video Recording: A continuous video of the entire examination process, capturing all interactions with the device.

Limitations

  • Risk of accidental data modification.
  • Inability to access deleted or hidden data.
  • Time-consuming process, especially for large volumes of data.
  • Potential for human error in documentation.

How To Perform A Manual Examination Without An Expert

In certain situations, it may not be possible to send a cell phone for a forensic acquisition, particularly when the phone belongs to a witness or bystander who is not directly involved in the case. This can occur due to privacy concerns, lack of legal authority, or the witness's unwillingness to surrender their device.

In such cases, an alternative method to collect relevant evidence from the phone is for an attorney to take pictures of the pertinent messages using their own phone. This process should be well-documented to maintain the integrity of the evidence.

Here's how an attorney could proceed:

  • Obtain consent: The attorney should obtain written consent from the witness or bystander to access and photograph the relevant messages on their phone.
  • Prepare documentation: Create a document that includes the date, time, location, and names of the individuals present during the evidence collection process.
  • Photograph the messages: Using their own phone, the attorney should take clear, readable pictures of the relevant messages. They should capture the entire conversation, including timestamps, sender/recipient information, and any other contextual details.
  • Record the process: Have an associate or another member of the legal team record the entire process of photographing the messages using their own phone. This video should clearly show the attorney accessing the witness's phone, navigating to the relevant messages, and photographing them.
  • Transfer and secure the evidence: Immediately transfer the photographs and video recording to a secure location, such as an encrypted storage device. Ensure that the original files are preserved and only accessible to authorized people.
  • Document the chain of custody: Maintain a clear record of who has accessed the evidence, when, and for what purpose. This helps establish the authenticity and integrity of the evidence.
  • Document the process: Create a detailed report describing the process of collecting the evidence, including the date, time, location, and individuals involved.

While this method may not be a replacement for, or nearly as comprehensive as, a full forensic acquisition, it can serve as a viable alternative when a forensic acquisition is not possible.

However, it is essential to note that the admissibility of evidence collected in this manner may be subject to challenge in court, and the attorney should be prepared to defend the evidence collection process's reliability and integrity.
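The hash-based verification described under "Verification Methods" can also be applied to the photographs and video from the "Transfer and secure the evidence" step. The following is an added example, not part of the original article or any forensic tool: it records a digest for each collected file and later reports which files were changed, removed, or added. It uses SHA-256 rather than the MD5 or SHA-1 named earlier, and the file names and contents are constructed for illustration.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so a long examination video need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(evidence_dir, collected_by):
    """Record the SHA-256 of every file immediately after transfer."""
    paths = {n: os.path.join(evidence_dir, n) for n in sorted(os.listdir(evidence_dir))}
    hashes = {n: sha256_file(p) for n, p in paths.items() if os.path.isfile(p)}
    return {"collected_by": collected_by, "sha256": hashes,
            "created_utc": datetime.now(timezone.utc).isoformat()}

def verify(manifest, evidence_dir):
    """Return {file: OK | MODIFIED | MISSING | UNLISTED} for the directory as it is now."""
    status = {}
    for name, digest in manifest["sha256"].items():
        path = os.path.join(evidence_dir, name)
        if not os.path.isfile(path):
            status[name] = "MISSING"
        else:
            status[name] = "OK" if sha256_file(path) == digest else "MODIFIED"
    for name in os.listdir(evidence_dir):
        if name not in status and os.path.isfile(os.path.join(evidence_dir, name)):
            status[name] = "UNLISTED"
    return status

def demo():
    """Constructed stand-in files; then one byte changed, one file removed, one added."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("msg_001.jpg", "msg_002.jpg", "exam.mp4"):
            with open(os.path.join(d, name), "wb") as f:
                f.write(b"constructed sample bytes for " + name.encode())
        m = build_manifest(d, "collecting attorney (placeholder)")
        before = verify(m, d)
        with open(os.path.join(d, "msg_001.jpg"), "r+b") as f:
            f.write(b"C")                      # 'c' -> 'C': a single-byte alteration
        os.remove(os.path.join(d, "msg_002.jpg"))
        with open(os.path.join(d, "msg_003.jpg"), "wb") as f:
            f.write(b"added after collection")
        return before, verify(m, d)

if __name__ == "__main__":
    print(demo())
```

A manifest like this only shows that the files are unchanged since it was created; it says nothing about whether the messages were altered on the phone before they were photographed.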

Even when performed as outlined above, a manual examination performed by an attorney could be challenged in court for several reasons:

  • Authenticity: The opposing party may question the authenticity of the photographs, arguing that they could have been altered, fabricated, or taken out of context. Without a forensic acquisition, it may be more difficult to prove the integrity of the evidence. For example, were the messages altered before you could perform your manual examination? Without a true forensic acquisition, proving this would be difficult or impossible.
  • Completeness: Photographing only relevant messages may not provide a complete picture of the conversations or the context in which they occurred. The opposing party could argue that the selected messages are cherry-picked and do not represent the full scope of the communication.
  • Reliability: The process of collecting evidence through photographs may be seen as less reliable compared to a forensic acquisition. The court may question the attorney's expertise in handling digital evidence and whether proper procedures were followed to ensure the evidence's integrity.
  • Chain of custody: Although the attorney may document the chain of custody, the lack of a professional forensic acquisition process could raise doubts about the evidence's handling and potential tampering.

Forensic Acquisitions are Superior in Every Way

Because of the challenges mentioned above, a forensic acquisition of the phone's data should be performed by a qualified expert, if at all possible, for several reasons:

  • Thoroughness: A forensic acquisition captures a complete copy of all recoverable data from a phone, including deleted messages, metadata, and other relevant information that may not be visible through photographs alone. This provides a more comprehensive view of the evidence.
  • Integrity: Forensic acquisition tools and techniques are designed to maintain the integrity of the data during the collection process. This helps ensure that the evidence is not altered or contaminated, which is essential for admissibility in court.
  • Expert testimony: A forensic expert can testify about the acquisition process, the tools used, and the findings, providing credibility to the evidence. They can also explain technical aspects of the evidence to the court and answer questions from the opposing party.
  • Reproducibility: A forensic acquisition creates a digital copy of the phone's data that can be analyzed as often as needed without altering the original evidence. This allows for independent verification of the findings and enables further analysis if new questions arise.
  • Adherence to standards: Forensic experts follow established industry standards and best practices when conducting acquisitions, which helps ensure the process's reliability and the evidence's admissibility in court.

While photographing messages on a witness's phone may be a necessary alternative in some situations, it is not a substitute for proper forensic acquisition. Whenever possible, engaging a qualified forensic expert to perform a full acquisition of the phone's data is the best way to ensure the evidence's integrity, completeness, and admissibility in court. However, if a manual examination is the only option, ensure it is done correctly to reduce the risk to you and your client.


About the author
Lars Daniel, EnCE, CCO, CCPA, CIPTS, CWA, CTNS, CTA
Practice Leader
Digital Forensics

Mr. Lars Daniel is the Practice Leader of the Digital Forensics Division. Mr. Daniel has qualified as an expert witness and testified in both state and federal courts, qualifying as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. He has testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases.
