Friday, April 24, 2020

Screen Shots Are Not (Good) Evidence


April 24, 2020

Screen Shots Are Not (Good) Evidence

Working a variety of civil, corporate and criminal litigation cases, we see a myriad of different approaches to digital forensics in a litigation support model.  One of the common cost-benefit questions that comes up is, why would a party involved in litigation spend the money to hire a digital forensic expert if they can simply take screen shots of disputed and/or evidentiary text messages on a mobile device and print them out?  It’s a good question & a valid point, on its face.  However, there are a number of different reasons we generally discourage this as a practice for presenting evidence in litigation, which we’ll explore here.



Screen Shots Are Susceptible to Alteration

Consider a real-world example from a criminal case worked several years ago.  Our client was charged with a misdemeanor count of assault & battery, but because his career field was such that he did not want a criminal conviction tarnishing his ability to obtain future employment, nor his reputation, he hired a very renowned law firm and a digital forensic expert to help refute the claim of assault because there were to have been exonerating text messages on his phone between he and the complaining party.

When the trial date came, the complaining party introduced into evidence several screen shots of a text message between them and our client.  The content of the messages was different from what we had obtained from the client’s phone via mobile forensic data extraction, which was confusing to the judge and the other parties in the case.  When pressed for an answer about this discrepancy, they admitted that they had altered the text message screen shots before printing them to not only change the content of the messages, but the chronology as well.  The lesson learned here is that anyone with very basic tools and computer skill can take an image (i.e., screen shot) and cut-and-paste or insert messages to their own ends.  This is also true of some non-forensic tools which can be purchased online to extract text messages from a phone.

When we conduct a mobile forensic data extraction and report the relevant information, we cannot alter the data.  Furthermore, even if we could alter the data, we would be violating professional ethics and risking reputation by doing so.  This example was a great lesson in why screen shots should never be presented as evidence.

Screen Shots Cannot Be Fully Validated or Authenticated

The point of validation & authentication is an important one for court proceedings.  If evidence such as text messages cannot be validated or authenticated, how can they be introduced into evidence?  To me, this point all boils down to the source of the evidence that is being presented in court, which is usually some sort of printout of the relevant messages between the parties involved in the case.  Who created those printouts or the report from which they came?  Was it one of the parties involved in the litigation or was it a third-party expert who used bona-fide, validated and repeatable methods?  If the evidence that is being presented was generated by one of the parties involved in the case, that should immediately call the veracity of those messages into question. 



Presentation is Important

I’d be willing to bet that both attorneys and digital forensic experts who read this article have, at some point, been presented with a series of screen shot printouts from a client which they believe is of extreme importance to their case.  Many times, these printouts also include pictures, which if printed out improperly, are simple unrecognizable.  Beyond that, some of the text conversations which may be relevant can lead to dozens or hundreds of pages being printed, which are hard to keep track of and just plain look bad!

The benefit of a mobile forensic data extraction is that we can often report out just what is relevant in a concise, easy-to-read manner, which is much more concise for presentation in court.  The ultimate goal and purpose behind all of the methods used during the forensic process is so we can present those findings, along with any reasonable conclusions, in a court of law.  It is counter-productive to present overly voluminous and/or excessive information to the judge, jury and opposing parties because their attention span for what may (or may not) be relevant is quite short during the course of a trial or hearing.

Wrapping It Up

Covey said in his book 7 Habits for Highly Effective People, “Begin with the end in mind.”  When involved in litigation where text/picture messages may be used as evidence, this is a good rule by which to live.  Do we want to be flipping through volumes of printed screen shots, which may or may not be altered by whomever “collected” them, in order to present a relevant point at trial?  Probably not.  We also don’t want questions about the veracity of the content or chronology of the messages, which is easy to alter and therefore be disputed just as easily.  When we “begin with the end in mind”, we can see that it’s always better to have a trained, certified, experienced digital forensic examiner conduct the data collection and reporting.  By doing so, we can make great strides toward getting at the truth of the matter!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com