I’ll Just Take a Screenshot

Vestige Digital Investigations, CTO and Founder
BS, EnCE, DFCP

Cell phones, web pages, social media.  All of those sources of electronic data are commonly used in court.  Not a week goes by here at Vestige when we aren’t processing at least a few cell phones, Facebook pages, Twitter accounts or company websites.  Our process starts with preserving the device using industry best practices and maintaining the forensic integrity of the evidence.  Oftentimes that involves MD5 hashing and other documentation.

Over time, I have seen productions of this type of electronic data done by the custodian to save money.  Quite often the custodian will use the screen capture feature of their cell phone to capture a text message conversation.  The result is a picture that is just sent along as proof of the conversation.

Or is it?

While there are other pages around, here was one we found recently that can very easily replicate a text message on an iPhone.  Here is a nice conversation I generated with this tool:

As you can see, the above picture looks just like one that comes from an iPhone, albeit an older model.  But wait, there are websites that can generate newer-looking fake text messages.

How about the latest iPhone?  Here is one from http://www.ios8text.com/.

What if the time of the meeting in the above message was important?  It wouldn’t take much to generate a fake text message or fake screenshot that had the time that someone wanted.

The same can be done with social media.  This page (http://simitator.com/generator/facebook/chat) allows one to generate fake Facebook chats.  You can even go so far as to download someone’s profile picture and upload it into this chat screenshot generator.

So, how is any of this different from what Vestige does?  When a phone, website or social media account is preserved, all available information is collected from the source so that the authenticity of the message or web page can be verified.  Furthermore, that preservation is usually coupled with an MD5 hash, which acts as a fingerprint that uniquely identifies the data.  That MD5 hash can be used in the future to verify that there haven’t been any changes to the data since it was collected.
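The collect-then-verify use of a hash described above, shown as an added example (it is not Vestige's tooling and not code from the original article). The file names and contents are constructed, and recording SHA-256 alongside the MD5 the article mentions is this example's own choice.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()  # SHA-256 added by this example
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def build_manifest(evidence_dir):
    """Hash every file under evidence_dir, as done at collection time."""
    root = Path(evidence_dir)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(evidence_dir, manifest):
    """Re-hash the evidence and report every difference from the manifest."""
    current = build_manifest(evidence_dir)
    return {
        "modified": sorted(n for n in manifest if n in current and current[n] != manifest[n]),
        "missing": sorted(n for n in manifest if n not in current),
        "added": sorted(n for n in current if n not in manifest),
    }


def demo():
    """Constructed sample: preserve two files, then change one character."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sms_export.txt").write_text("10:30 Meet at the office\n")
        (root / "contacts.txt").write_text("Alice,555-0100\n")
        manifest = build_manifest(root)          # taken at collection
        clean = verify_manifest(root, manifest)  # nothing changed yet
        (root / "sms_export.txt").write_text("10:00 Meet at the office\n")  # time edited
        (root / "planted.txt").write_text("not in the original collection\n")
        return clean, verify_manifest(root, manifest)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A single changed character in the message time is enough to put the file in the `modified` list, which is the property a screenshot on its own cannot offer.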

The point is, don’t settle for your opponent producing just a screenshot of a piece of digital evidence.  Not only can mobile forensic evidence be edited on a computer, but it can be generated with whatever information is desired.  Furthermore, don’t allow your client to go their own way and produce screenshots in response to a request for documents.  You may find the documents rejected by your opponent or the court. Contact us to learn more about how to spot a fake screenshot.

by Greg Kelley, EnCE, DFCP,
Chief Technology Officer at Vestige Digital Investigations