The divorce proceeding between Kim Kardashian and Ye (formerly known as Kanye West) is front and center in millions of people’s social media feeds. Over the past few months, Ye has frequently been posting about Kardashian’s new relationship with SNL comedian Pete Davidson. The tone of these posts is agitated, and most have been deleted. But the digital bread crumbs are permanent across the internet.

Keeping Up With Digital Forensics

From a digital forensics and legal perspective, an interesting development occurred in late February, when Ye’s attorney attested that Ye didn’t author or post the messages on his Instagram account. Determining “what,” “when,” and “how” something happened on a social media account (or smartphone, computer, or email address) is typically the result of a digital forensics investigation. The harder problem is determining “who” was behind the keyboard or phone screen, and “who” was logged into the account and/or clicked the “post” button.

Ye had a post on his Instagram profile last month that included a screenshot of text messages between himself and Kardashian, which he has denied authoring. We frequently encounter similar scenarios in legal matters and are often requested to determine the authenticity of a screenshot of an alleged text message between parties.

There are several options on how to approach this scenario. Here is an expanded breakdown of a use case with a custodian, Mr. Johnson, and how to navigate to a successful outcome.

Verifying The Authenticity of a Screenshot

In this use case, Mr. Johnson was fired from his job and has filed suit for wrongful termination. He documented a text message string on his iPhone between himself and his former boss by capturing a screenshot. The screenshot, which is in PNG file format, has been provided to Mr. Johnson’s counsel and sent over to opposing counsel. The alleged date and time of the text messages are listed on the screenshot, but opposing counsel wants to verify the messages’ authenticity. Opposing counsel would be wise to request this because photoshopping or doctoring an image isn’t very difficult nowadays. The creation date of the screenshot photo file is usually a different date and time than the original messages in question.

To further complicate the issue, platforms like Apple and Android have baked the ability to update photo timestamps directly into the phone’s factory software. For example, this new “feature” results in the below screenshot, where the time on the phone’s screen was clearly after the reported time when the screenshot was “made.” As a result, the changed timestamp might seem genuine to a casual user, but a proper forensic analysis could detect it as falsified information.

Records From Cell Phone Provider

One approach is to subpoena Mr. Johnson’s cell phone carrier (Verizon, T-Mobile, AT&T, etc.) and request the SMS and MMS text message records from his account. The carrier would provide a list of phone numbers, dates, and times in which Mr. Johnson sent or received messages. Of course, there is a difference between SMS and MMS messages, but in either case, the records would not include any text content, images, or videos of the sent or received messages – simply the time frames. Additionally, this subpoena would not allow for collection of Apple’s proprietary iMessage, as those are sent through a different protocol and, as a result, effectively blind the carriers from knowledge of those messages.

Given the two above points, the prudent step for authenticating Mr. Johnson’s iPhone messages is to preserve a true digital forensics image and conduct a brief analysis of his messaging records.

Collecting A Forensic Image From An iPhone

Preserving a forensic image of an iPhone may require Mr. Johnson to provide his device to a digital forensic expert, execute a chain of custody, and have the expert preserve an image before returning his device. An alternative that is preferable to Mr. Johnson is for him to maintain physical custody of his device and have a forensic image collected through a remote collection process. The steps would include shipping a remote collection kit to Mr. Johnson, scheduling a time – convenient to Mr. Johnson – with a forensic examiner to collect the data on his iPhone, and shipping the kit back after the collection.

4Discovery's remote collection process

How Long Does It Take To Collect A Forensic Image?

The primary question is often how long this process will take. The duration of the collection depends on the amount of data on the phone. Typically for smartphones – Android and Apple iPhones – it can take anywhere from one to six hours to preserve a forensic image, but most of the time, it takes three to four hours.

Analysis of a Forensic Image

The analysis of the forensic image of the iPhone would only focus on the messages. In Mr. Johnson’s scenario, simply looking at the date, time, sender, and recipient’s phone number would isolate the message. The metadata within the message(s) would provide the definitive proof that a digital forensics expert would need to testify about the sender, recipient, and date and time of the message(s) in question.

If opposing counsel had a digital forensic expert review the same forensic image, they would reach the same determination. The forensic image and the data included on it are definitive, and because the image is read-only, it also serves as a time capsule of sorts, preserving this evidence for the life of the case.
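The message lookup described in this section can be sketched as follows. This is an added example, not 4Discovery's tooling: it assumes a simplified two-table layout modelled on the iOS Messages database (sms.db), with timestamps stored as nanoseconds since 2001-01-01 UTC, and the phone number, message rows and the `check_claim` helper are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # Mac absolute time origin

def to_apple_ns(dt):
    return int((dt - APPLE_EPOCH).total_seconds()) * 1_000_000_000

def from_apple_ns(ns):
    return APPLE_EPOCH + timedelta(microseconds=ns // 1000)

def build_sample_db():
    """Constructed rows in a simplified message/handle layout (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE handle (ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message (ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
            text TEXT, service TEXT, date INTEGER, is_from_me INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
    """)
    t = lambda h, m, s: to_apple_ns(datetime(2022, 2, 1, h, m, s, tzinfo=timezone.utc))
    db.executemany("INSERT INTO message VALUES (?,1,?,?,?,?)", [
        (1, "Can we talk about my review?", "iMessage", t(14, 3, 10), 1),
        (2, "Come by my office at 3.", "iMessage", t(14, 5, 42), 0),
        (3, "Ok, see you then.", "SMS", t(14, 6, 5), 1),
    ])
    return db

def check_claim(db, counterpart, shown_utc, shown_text, from_me):
    """Compare one message as shown in a screenshot against the database.
    Screenshots show minute precision, so search the whole displayed minute."""
    start = shown_utc.replace(second=0, microsecond=0)
    lo, hi = to_apple_ns(start), to_apple_ns(start + timedelta(minutes=1))
    rows = db.execute(
        """SELECT m.ROWID, m.text, m.service, m.date, m.is_from_me
           FROM message m JOIN handle h ON h.ROWID = m.handle_id
           WHERE h.id = ? AND m.date >= ? AND m.date < ? ORDER BY m.date""",
        (counterpart, lo, hi)).fetchall()
    for rowid, text, service, date, is_from_me in rows:
        if text == shown_text and bool(is_from_me) == from_me:
            return {"verdict": "match", "rowid": rowid, "service": service,
                    "sent_utc": from_apple_ns(date).isoformat()}
    # A row exists in that minute but its text or direction is not what the image shows
    verdict = "content_or_direction_differs" if rows else "no_message_in_window"
    return {"verdict": verdict, "candidates": [r[0] for r in rows]}
```

The `service` value in a match also tells the examiner whether the carrier's SMS/MMS records could corroborate the message or whether it travelled as iMessage and exists only in the device data.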

Determining A Protocol

One area of contention in a matter within this scenario is the privacy of the data on Mr. Johnson’s phone. This is easy to overcome if both parties are able to reach an agreement on a collection protocol. This would specifically define how the forensic image would be collected and what specific data on the phone would be analyzed and produced.

Here’s an example of a remote collection protocol that has been used to image devices in similar scenarios.

Be Proactive and Don’t Lose Data

Whenever there is a device or account with data that may be relevant to a matter, the number one recommendation is to preserve that data before something happens to it. With Messages on iPhones, some settings can automatically delete messages after 30 days, which can be enabled without a custodian knowing. Even updating the version of an iPhone’s iOS can affect the data on the device, including loss of data.

Data can also be lost if a device is damaged, lost, stolen, or “misplaced”. Another common occurrence for lost data is if a phone is traded in or upgraded with a custodian’s cell phone provider. When in doubt, preserve the data in case it is needed at a later time.

Depending on how the divorce proceedings – and the future engagement on social media – develop, Ye and/or Kim could be preserving a forensic image of their phones to authenticate the text messages between them.