by Tom Kaneshige

Think deleted text messages are gone forever? Think again

Mar 11, 20147 mins
CareersCybercrimeIntellectual Property

A former federal prosecutor and cybercrime expert tells how IT departments can retrieve text messages that the user thought were deleted months or even years ago. As more litigation and investigations turn on the content of texts, every CIO needs to know how to find the smoking gun.

Three businesswomen texting    153967692
Credit: Thinkstock

Last month, National Football League special investigator Ted Wells delivered a shocking report about Miami Dolphins player Richie Incognito’s bullying tactics aimed at teammate Jonathan Martin. At the heart of the report: More than 1,000 text messages, many of them outrageously explicit, that Incognito and Martin swapped between October 2012 and November 2013.

Wells most likely had access to both Martin’s and Incognito’s phones and possibly even backup laptops, which would hugely aid in the recovery of text messages. Yet some of these messages were no doubt deleted. How was Wells’ investigative team able to access year-old deleted text messages?

For most CIOs, text messages on an employee’s “bring your own device” phone are a blind spot. That is, text messages don’t go through the corporate network and thus are unmonitored and presumed unrecoverable when deleted. Even phone companies supposedly don’t store content of text messages.

“We just had a case last week where we were able to harvest and recover 8,000 text messages. They covered between 12 and 15 months of activity.”

–Paul Luehr, managing director at Stroz Friedberg

It is true that most IT departments lack the know-how to recover old or deleted text messages even if they’re in possession of the devices, but that’s not the case with mobile forensics experts armed with an array of new tools. They can pull thousands of deleted text messages from the distant past and unearth evidence that self-destructing message apps, such as Snapchat, leave behind.

Perhaps because of a false belief that deleted text messages stay buried, many people rely on text messaging to carry out their dirty work, such as stealing trade secrets and other intellectual property, violating non-compete agreements and committing fraud. Even Foreign Corrupt Practices Act investigations involving bribery and price-fixing regularly run into text messaging.

“Text messages are now involved in most litigation or investigations we encounter,” says Paul Luehr, formerly a federal prosecutor and supervisor of the Internet fraud program at the Federal Trade Commission and current managing director at Stroz Friedberg, a global data risk management company with a cyber-crime lab. talked with Luehr, in hopes of shedding a little light on the secret world of deleted text messages and the forensics experts that recover them. Can IT retrieve deleted text messages from any phone?

Luehr: It really depends on the make and model of the phone, in terms of how difficult it’s going to be. Text messages are usually outside the normal monitoring of the IT department. They may not be going through the system at all, rather through the carrier in a phone-to-phone transaction. You really need to have access to one or more physical devices.

In my experience, the Android phone might be easier to get at the physical level, but the iPhone backup tends to be more extensive and more prevalent. Maybe because of the nature of iTunes, people tend to backup to a laptop. So I don’t think there’s a preference of one phone or another. Forensically, we’ve got possibilities to go after deleted text messages on either one. What should IT do to retrieve these messages?

Luehr: First of all, secure the phone and don’t turn it on and poke around. Deleted text messages just sit there until they’re overwritten. With the growing memory on phones, it’s not uncommon to have thousands of text messages. Most phone systems operate on a database, and so the data may still be there marked with a flag that says deleted. A normal user or IT person won’t be able to see the deleted messages, but that’s where forensic tools are helpful. If you poke around, you may start overwriting important pieces of information.

Second, secure the laptop or workstations that may have been used to back up the phone.

Third, you may need to call computer forensics expert who is well-versed in a variety of different phones and forensic tools. Unlike a hard drive, laptop or desktop where you have three flavors — Apple, Windows and Unix or Linux — cellphones have maybe 150 flavors.

Fourth, make sure you note the make and model of the phone, because that will dictate whether or not the forensics expert can handle it and how difficult to job might be. You’ll also want to provide information about specific dates, addresses and phone numbers, which will help the forensics expert wade through the thousands of text messages.

One thing you should be ready for with cost estimates from a mobile forensics company is that you’ll probably pay as much, if not a little more, than you would for the analysis of a [PC] hard drive. With cell phones, we’ll often go at them with two or three different tools. How far back can you go?

Luehr: We just had a case last week where we were able to harvest and recover 8,000 text messages. They covered between 12 and 15 months of activity; a year’s worth of text messages is quite normal to see. The phone had been recently wiped and reformatted, but we found a thousand text messages within the backup. Were they all stored on the phone?

Luehr: So we talked about the database, where there are active texts you can pull up and deleted texts using forensic tools. Depending on the phone, you can also perhaps go down and get information off the physical layer of the phone, much like making a forensic image of a hard drive.

In the unallocated space that exists in the background, we will be able to recover snippets of text messages or entire text messages if they still happen to linger there. With cell phones like the more modern iPhone, because of the encryption algorithms they use, the background information is all scrambled.

If the phone was backed up any place, a backup of those text messages can exist on the hard drive in both active and deleted form. What about data from the phone companies?

Luehr: I haven’t heard of any investigators going to the phone company for text messages. As I understand it, the most a phone company has is the meta data. Might even be at a higher level, such as X number of messages were passed, maybe the to and from, but probably not the content itself.

It’s important to have access to the device and the laptop backup. With BYOD, it underscores the importance of having a thorough exit strategy whenever an employee leaves. If you think text messages are in play, you need to have some access to that device. If you didn’t have access to the BYOD phone, can you search for deleted text messages on the corporate-owned laptop used as a backup?

Luehr: Theoretically, you could but that’s a dangerous proposition from a legal and ethical perspective. If it’s truly a person’s personal device and they have a reasonable expectation of privacy, you may be crossing a line when looking at that personal information, especially if it’s just in a backup format. Can you get deleted messages from Whatsapp, iMessage, Snapchat and others?

Luehr: We had a case that involved a conversation between different players in the game Words With Friends. The messages sent back and forth within that gaming environment ended up being relevant to the litigation. It depends on how the software is built. Many of them that have a messaging feature will have within their structure, either on the server or in the app itself, some type of database — a lot of them use a SQL-like database. If that database exists, then it’s very similar to retrieving information from the mobile phone’s messaging system.

Increasingly, we have more cases involving mobile devices and apps. I’ve learned that apps really run the continuum. One operates almost like the old terminal and mainframe type of environment, where the app is really a very thin client and doesn’t have much substance. Other apps are storing a substantial amount of information on the phone. It’s really just a programming choice, and we see it both ways.