Screenshots of smartphone text messages have become a common feature in courtrooms, but their reliability is increasingly under scrutiny. A recent case involving eXp Realty founder Glenn Sanford illustrates that screenshots alone are not enough to prove text message authenticity.
Sanford had previously submitted dozens of pages of text message screenshots of communications with some of the accused defendants. However, plaintiffs’ attorneys contended that this method of “self-collection” was inadequate and failed to meet evidentiary standards, RisMedia reports.
In response, Judge Alicia Rosenberg granted a protective order requiring Sanford to collaborate with a digital evidence expert to extract, authenticate, and provide the messages from the physical phone itself, but with privacy guardrails. A cell phone forensic examination can prove whether a text message is authentic, but there is still the problem of privacy, which the protective order aims to address.
When a digital forensics expert collects the data from a cell phone, they cannot selectively choose data beforehand. All the data has to be collected at the outset, meaning the examiner would have access to everything recoverable from the smartphone, including recovered deleted data.
Digital Forensic Experts Cannot Pre-Filter Smartphone Data Before Collecting It
Cell phone forensics is a complex process that relies on advanced tools like Cellebrite and Magnet Forensics Graykey to retrieve and analyze data from mobile devices. These tools are designed to capture all available data from a device in a single process called a forensic acquisition or extraction. Pre-filtering, selectively extracting only certain types of data before acquisition, is not possible due to technical, structural and evidentiary reasons inherent to the way mobile devices store and manage data.
Smartphone Data Is Interconnected in Complex Databases
Modern smartphones store data in highly interconnected databases that are often encrypted. Messages, metadata, app information, and even deleted files are often co-mingled in the same data structures. Here’s why pre-filtering isn’t feasible:
- Shared Storage: A single database might contain texts from multiple contacts, app communications, and system logs all in one file. Pre-filtering would risk disrupting this structure and losing important related data. Further, some databases connect to one another, and pre-filtering could miss important evidence if rebuilding it required a database missed in the collection process.
- Contextual Information: Isolating specific pieces of data, like a message, without its associated metadata, including timestamps and sender and recipient information, would render it incomplete and potentially unusable in court.
To extract any specific data, forensic tools must first acquire the entirety of the smartphone’s recoverable contents, ensuring no connections or context are lost.
What Is a Cell Phone Forensic Acquisition?
The problem with screenshots of text messages is that they cannot be verified using digital forensic technology. Anyone with a modicum of technical sophistication can create fakes using websites or applications. This is why a cell phone forensic acquisition and examination is always superior.
A forensic acquisition is the gold standard for retrieving data from a phone. Unlike a simple screenshot, this process involves accessing the phone directly and creating a digital copy of all recoverable data. This includes messages, timestamps, contact information, and even deleted content that might still reside in the device’s memory.
By using specialized digital forensic tools, experts can pull this information without altering the data, preserving its original state. A process called “hashing” makes the digital copy tamper-evident. Hashing generates a unique code, akin to a digital fingerprint, for the data, and any subsequent change to the evidence would alter the hash code, signaling potential tampering.
Why Is a Forensic Acquisition Better Than Screenshots?
Last month, I explained why screenshots of text messages alone are inferior evidence, and are often dismissed in court because they are inherently unreliable. They can be cropped, edited, or taken out of context. In contrast, a forensic acquisition provides:
- Complete Data: Unlike screenshots, forensic methods capture all recoverable information, including deleted messages and metadata that may be critical to a case.
- Integrity: Forensic tools protect the original data from accidental alterations or contamination, ensuring that what is presented in court is an exact replica of the phone’s contents at the time of acquisition.
- Credibility in Court: Forensic experts can testify about the methods they used, how the evidence was preserved, and why it is reliable. This level of detail gives the evidence more weight.
- Independent Verification: Because forensic copies are exact replicas, they allow opposing parties to independently analyze the data without affecting the original phone, ensuring transparency and fairness in legal proceedings.
What Does the Protective Order Do in This Case?
When courts issue protective orders to limit the scope of discovery, they create a framework for balancing privacy rights with the need for relevant evidence. Digital forensic experts cannot filter cell phone data before collecting it. Instead, they must perform a forensic acquisition of the phone’s contents, capturing everything recoverable on the device, and then carefully filter the data afterward to comply with the court’s instructions.
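The acquire-first, filter-afterward workflow described above, combined with the hashing step explained earlier, as an added example that is not from the article or from any forensic tool. It assumes SHA-256 as the hash and uses a constructed two-table SQLite database, with hypothetical table and column names, standing in for a phone's message store.

```python
import hashlib
import sqlite3

# Constructed sample data. The schema is hypothetical, not that of a real phone;
# "deleted" is a stand-in flag for a record recovered after deletion.
SCHEMA = """
CREATE TABLE handle (id INTEGER PRIMARY KEY, number TEXT);
CREATE TABLE message (id INTEGER PRIMARY KEY, handle_id INTEGER, sent_utc TEXT,
                      is_from_me INTEGER, deleted INTEGER, body TEXT);
"""
HANDLES = [(1, "+12025550100"), (2, "+12025550199")]
MESSAGES = [
    (1, 1, "2024-03-01T14:02:11Z", 0, 0, "Can we meet Tuesday?"),
    (2, 1, "2024-03-01T14:05:40Z", 1, 1, "Yes, 10am works."),
    (3, 2, "2024-03-02T09:15:00Z", 0, 0, "Dinner at 7?"),
]

def acquire():
    """Copy the whole 'device' store: every table, every contact, no pre-filter."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO handle VALUES (?, ?)", HANDLES)
    db.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?, ?)", MESSAGES)
    image = "\n".join(db.iterdump()).encode()
    db.close()
    return image

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def filter_in_scope(image, number, start, end):
    """Filter a working copy after acquisition; the image itself is never modified."""
    work = sqlite3.connect(":memory:")
    work.executescript(image.decode())
    # The sender's number lives in a second table, so the join needs both tables.
    rows = work.execute(
        "SELECT m.sent_utc, h.number, m.is_from_me, m.deleted, m.body "
        "FROM message m JOIN handle h ON h.id = m.handle_id "
        "WHERE h.number = ? AND m.sent_utc BETWEEN ? AND ? ORDER BY m.sent_utc",
        (number, start, end)).fetchall()
    work.close()
    return rows

if __name__ == "__main__":
    image = acquire()
    recorded = sha256(image)  # hash recorded at acquisition time
    for row in filter_in_scope(image, "+12025550100",
                               "2024-03-01T00:00:00Z", "2024-03-31T23:59:59Z"):
        print(row)
    print("image still matches:", sha256(image) == recorded)
    print("edited copy matches:", sha256(image.replace(b"10am", b"11am")) == recorded)
```

Only the two in-scope messages are produced, the unrelated contact's message stays out of the output, and a one-character edit to a copy of the image no longer matches the recorded hash.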
The protective order in this case prevents a full forensic examination of Sanford’s cell phone. Instead of allowing unrestricted access to the entire contents of the smartphone, the court has limited the scope of discovery to ensure only relevant data is disclosed. Here’s how it works and why it matters:
- Restricts Unnecessary Intrusions: Cell phones hold a wealth of personal information, much of which may have no connection to the legal case. The protective order safeguards Sanford’s private data—such as personal communications, photos, or unrelated files—from being exposed during discovery.
- Ensures Relevance of Evidence: The court directed that only specific types of electronically stored information, or ESI, relevant to the case—such as text messages, timestamps, and deleted communications—be extracted and reviewed. This ensures that discovery is focused and not a “fishing expedition” into unrelated matters.
- Mandates Use of an Electronic Evidence Expert: To strike a balance between privacy and the need for evidence, the judge required the parties to collaborate with an electronic evidence expert. The expert’s role is to extract and authenticate the relevant data while filtering out extraneous information. This process reduces the risk of misusing private data and enhances the reliability of the evidence.
- Protects Against Abuse of Discovery: Without a protective order, unrestricted smartphone forensic examination could lead to the exposure of sensitive information unrelated to the case. This could be used improperly to pressure or embarrass the opposing party. The protective order ensures that discovery remains proportional and fair.
But What About Phone And Call Detail Records: Can They Prove Screenshot Authenticity?
Short Message Service, or SMS, and Multimedia Messaging Service, or MMS, messages are sent through the cellular carrier’s network. When these messages are transmitted, the carrier generates records of these messages in call detail records, or CDRs. These records provide metadata about the communication, including timestamps, sender and recipient phone numbers and the cell tower used to make the call. However, CDRs do not capture the actual content of the message—just that it was sent or received. The contents of the messages exist for a short period of time before being erased by telecommunication service providers.
Because of this, while the existence of an SMS or MMS message can sometimes be corroborated through carrier logs, the only way to confirm the content of the message is by examining the sender’s or receiver’s phone directly. Without access to the device, the conversation contents are unrecoverable.
In other words, CDRs can prove an SMS or MMS message was sent or received, but you can only recover the actual conversations that took place from the phone itself with cell phone forensics.
In contrast, messages sent through platforms like iMessage, WhatsApp, Telegram, Instagram Messenger, Facebook Messenger, and all other chat apps rely on internet data connections—either Wi-Fi or mobile data. These messages bypass the carrier’s network entirely, meaning they are not logged in CDRs. Carriers cannot verify their existence, metadata, or content because these messages are outside their domain.
For data-based messages, the only record typically resides on the phones of the sender or recipient. In some cases, the platforms themselves may retain encrypted copies of the data, but these are generally inaccessible without specific legal requests and cooperation from the service provider.
Screenshots can be easily manipulated, cropped, or fabricated, and they lack the metadata necessary to prove a message’s origin, timing, and context. For traditional SMS and MMS, screenshots cannot be cross-referenced with carrier logs to confirm the contents of a message, since the message contents are not recorded in the CDRs. For data-based messages, where no carrier logs exist, screenshots are even more problematic—they offer no mechanism for independent verification.
Court Responds: Privacy and Authenticity Matter
The only way to authenticate a message reliably is through a digital forensic examination of the physical smartphone. This process can retrieve not only the visible messages but also the underlying metadata and, where possible, deleted messages and other supporting artifacts. It provides a comprehensive and verifiable record, ensuring that the evidence stands up to scrutiny in court.
The eXp Realty case highlights this reality. By seeking a forensic examination to access text messages and metadata, the plaintiffs aimed to move beyond potentially unreliable screenshots to establish a full and accurate picture of the communications, and the court agreed. As a digital forensics expert, I have witnessed firsthand how courts are relying on protective orders like this with increasing frequency. With the protective order, the court is signaling that privacy matters, but so does proper evidence authentication.
This case illustrates the necessity of digital forensic methods to ensure the integrity of electronic evidence in the modern legal system. In a world where digital communications are central to many disputes, screenshots of smartphone text messages alone are no longer sufficient.