chevron-down Created with Sketch Beta.
January 29, 2020 Tech Tip

Digital Forensic Trails: Mobile Devices, Messages, and Apps

By Margaret Reetz

While “data is forever,” as the adage goes, legal and practical considerations may exist regarding how and what types of data an entity will manage and maintain (e.g., data retention policies, storage costs, and security issues). See Kaveh Waddell, Your Data Is Forever, The Atlantic, June 6, 2016. Most lawyers have a basic understanding that the preservation and extraction of data are critical issues in investigations on behalf of clients and especially in disputes and litigation. What about information communicated via mobile devices, text messages or messaging apps?

Mobile Devices

Mobile devices present certain challenges as compared to laptop and desktop computers. Not all data is stored on the device even though a user may have access to it. Daniel Ogden, Mobile Device Forensics: Beyond Call Logs and Text Messages, United States Attorneys’ Bulletin (Jan. 2017), at 11. Some of this will depend on whether data is being stored in the cloud or on remote storage. In the case of email, different service providers may have different default settings for archived material, depending on their policy regarding the length of time for which the provider will maintain logs for IP addresses. In a notable case out of Germany, a court forced a service provider, Posteo, to log traffic data despite the fact that the service’s business model was specifically designed not to do so. See David Meyer, Log-free email provider Posteo: “You must log user IP addresses,” court rules, ZDNet, Jan. 30, 2019.

Older email programs used POP3 (Post Office Protocol), software that downloaded the user’s emails and then deleted them. More commonly used now is Internet Message Access Protocol (IMAP), software that downloads the user’s emails and leaves them on the server, unless the user deletes them. Data on a device may be “deleted,” but unless the device has been wiped or reformatted, the data may still be available. Thus, the availability of data that has been transmitted using a mobile device will depend on web-based email accounts, social media accounts, and the type of file storage utilized by the user.

Text Messages

Text messages on a mobile device are stored in a database maintained on the device, which may include attachments (e.g., photos, videos, and audio). There are forensic tools that can extract such messages into standard formats for processing, storing, and analysis. How much data is stored and in what kinds of format the information can be retrieved may depend on the device’s make, model, capacity, storage, and condition. When a text is deleted, the message itself will disappear, but it may be recoverable for a period of time. Such messages may be overwritten as the user sends and deletes messages. Reproducing text messages for evidentiary purposes will depend on whether the device on which they were stored was forensically imaged within the relevant time frame and whether the relevant data can be captured. If an organization has a protocol in place to manage the messages of employees, commercial services are available to capture and archive such communications through direct carrier relationships.


WhatsApp, Facebook Messenger, and various encrypted message applications are attractive to consumers and some business users alike because users have an expectation of privacy regarding their electronic communications, and encrypted communications cannot be tampered with or accessed by third parties. End-to-end encryption is key to this feature because the information will be transmitted via code rather than plain text. The app maker, Internet service providers, and governmental entities are not supposed to be able to have access to the communication. WhatsApp communications are never stored on the WhatsApp server. With this kind of security, how can data be extracted in the event that it is required for an investigation? For iOS devices, WhatsApp data reportedly can be extracted using a basic iTunes backup procedure. For Android devices, physical extraction may be necessary to recover files.

Secure and Preserve

Mobile devices, texts, and messaging apps present challenges in preserving and extracting data. Securing and imaging a device is a critical step for the forensic recovery and analysis portion of an investigation.

The material in all ABA publications is copyrighted and may be reprinted by permission only. Request reprint permission here.

By Margaret Reetz

Margaret (Peggy) Reetz is a partner at Mendes & Mount in New York, New York, focusing on cyber/data security and privacy issues. She acts on behalf of insurers and their policyholders in managing data security/privacy matters. She may be reached at [email protected].