Kelley to present a CLE webinar to Women in eDiscovery - Indianapolis Chapter on June 5 on the topic: Fabricating & Concealing Data on Smart Phones.

Using Digital Forensics to mitigate defamation of character via electronic communications


Using Digital Forensics to mitigate defamation of character via electronic communications

Author photo
Vestige Digital Investigations, Senior Forensic Analyst


Intentional defamation of character is a nasty endeavor. Being the target of such an attack can be enough to ruin careers, relationships or severely tarnish company reputations. The unfortunate nature of defamation attacks is that they can’t entirely be prevented. That being said, digital forensics can certainly provide a course of action, particularly by way of electronic communication evidence, which can assist in repairing the damaged reputation. When attackers execute their defamation actions, digital forensic evidence is generated. To an investigator’s advantage, this usually occurs without the attacker’s knowledge.

First Step to Battling Defamation

The first step required to properly utilize digital forensic evidence is the preservation of relevant data. The following are possible sources of electronic communications and how they can be preserved.

  • Emails – Provided access to the mailbox, all email data from within a mailbox can be preserved. Preserved data can include each email’s body, to/from address, sent/received date and time, attachments, originating IP address, and much more.
  • Text Messages – Typically originating from a mobile device such as a cell phone, but can be found on other digital media, such as within email mailboxes, on computers, and Google accounts. Similarly to email preservation, a preserved text message includes body, to/from number, sent/received date and time, and attachments. Defamation through text messages can also happen text messages from 3rd party applications as well, such as WeChat, WhatsApp, and others.
  • Instant Messenger Messages – Yahoo! Messenger, Skype, and ICQ are examples of such applications. The conversation records from these applications are found on the computers involved in the conversation. The conversation records typically include the screen name of the sender and recipient, date and time of the message, and the body.
  • Websites – Relevant web sites can be sites that allow user reviews such as Yelp, Google, and Amazon or even sites dedicated to exposing misconduct, or “complaint sites,” such as ConsumerAffairs and Ripoff Report. Unfortunately, preservation of these sites are typically restricted to a “web crawl” of a webpage, capturing only the content publicly viewable on that page. However, the date and time the web crawl was executed would show when the preservation took place, indicating confirmed dates associated with malicious posts. Sometimes additional measures can be taken to attempt to ascertain the identity of a poster to one of these sites, but legal action is usually necessary for such a request.
  • Social Media – This includes mobile device application and web browser versions of social media platforms. Social media exclusive to mobile devices, such as Instagram and SnapChat, can provide useful information that is similar to text messages, e.g. message body or image sent, sent/received date and time, and sender/recipient. Web browser platforms, such as Facebook and Twitter, have similar preservation restrictions to websites in that generally a web crawl of the publicly available information is the best preservation available.

The Data is Preserved. Now What?

Once the data is preserved, a forensic investigation can be initiated. During an investigation, a digital forensic examiner would have the ability to review the aforementioned relevant data and identify correlations to reach an end.

As a hypothetical example, a web post on a complaint site defames a company, leading to potentially irreparably negative customer relations. The investigator, with the assistance of a legal team, serves a subpoena to the website for specific information about the poster. In the meantime, the public web page is preserved to maintain the integrity of the digital forensic evidence. The web site complies with the subpoena and provides the IP address for the poster. Geolocation of the IP address places the poster within the same town as the company. The investigator and legal team again serve a subpoena for records, but this time on the internet service provider (ISP) of the IP address identified. The ISP complies and provides the name of the subscriber, address included. The attacker, now having been identified, is required to turn over the computer used in the incident. Using the preservation of the post and IP address provided by the complaint site and the web history on the newly acquired computer, the investigator is able to demonstrate that the attacker did indeed post the defamatory post.

It may be surprising, but the real world does occasionally operate in-line with this ideal hypothetical. Vestige has worked such investigations on numerous occasions and successfully identified the perpetrator behind such defamation attacks.


Vestige Digital Investigations has handled our fair share of defamation matters. When attackers engage in this type of behavior, we have found that their concerns typically do not lie with future litigation. Instead, intent is purely focused on damage. That almost always means there will be digital forensic evidence left behind to leverage against the malicious activity. While it may seem like defamation of character attacks are insurmountable, know that there is a course of action to take — through expert digital forensics.

For some additional reading, see another page on the Vestige website regarding defamation –

Ian Finch for web

By Ian Finch, BS, GCFA,
Senior Forensic Analyst
Vestige Digital Investigations

  Follow Vestige on Linkedin