Working with Email in Discovery: Processing Options and Review Workflows

Featured

Introduction

Technologies that allow for easier review of ediscovery in native format have become more affordable and accessible. Working with files in native format has several advantages including avoiding loss of potentially relevant information, access to metadata and better searchability. Email is one of the most common of the native formats produced in discovery. This article will explore some approaches for processing email and identify a number of low-cost of tools that can assist. (This article deals with the processing but not the substantive review of emails for case analysis – for this you should consider other tools such as CaseMap, or – for larger collections of emails – review platforms such as Casepoint or IPRO.)

The tools and approaches you select will depend on a combination of three factors: (1) volume, (2) format(s) and (3) the defense team goals. While a single tool might facilitate a discreet goal, more involved goals may require different approaches with a combination of tools. These scenarios can be ends in themselves or phases in an overall workflow. This article does not try to anticipate every possible situation that might arise but will explore a few common scenarios.

Many electronic file formats produced in the course discovery like Acrobat, Excel and Word files are generally accessible via standard software available on most computers. However, email file formats like MSG, EML, PST, and MBOX files present more of a challenge as often the recipient may not know how to access these files. 

Below is a quick overview of some of the most common email file formats encountered in eDiscovery that will be discussed in this article:

  • MSG: A Microsoft format for single emails. Often associated with the Microsoft Outlook email client.
  • PST: A Microsoft format for a collection of emails (as well as other potential items including: Calendars, Contacts, Notes and Tasks). Often associated with the Microsoft Outlook email client.
  • EML: Email format for single emails used by many email clients including Novell GroupWise, Lotus notes, Windows Mail, Mozilla Thunderbird, and Postbox.
  • MBOX: Email format for a collection of emails (as well as other potential items including: Calendars, Contacts, Notes and Tasks) used by many email clients including Novell GroupWise, Lotus Notes, Windows Mail, Mozilla Thunderbird, and Postbox.

All four formats are typically received in discovery and subpoena returns. Google Takeout, a service offered by Google which allows you to download your email, will produce emails in the MBOX format.

Working with these email formats consists of understanding which tool is compatible with which file format, and which tool or set of tools will most effectively allow you to achieve your goals. Below is a table that maps out some of various tools available in terms of which file formats they are able to process, their functionality and cost. Before using any of these tools, make sure to work with a copy of the data as opposed to the original.

SoftwareCompatible FormatsCostFunctionality
Mozilla Thunderbird with the Import Export Tools add-onEML, MBOXfreeView emails, convert to EML, HTML, MBOX and PDF (without attachments)
Mbox ViewerEML, MBOXfreeView emails, convert to HTML or PDF (without attachments)
PSTViewer ProMSG, EML, PST, MBOX$129View emails, convert to multiple formats including EML, HTML, MBOX and PDF (includes advanced PDF attachment image options)
MS Outlook  MSG, EML, PST$159 or $69.99 per yearView emails, export to MSG, PST and PDF (requires Acrobat integration)
Aid4MailMSG, EML, PST, MBOX$299 per yearConvert email to multiple formats including MSG, HTML, EML, PST, MBOX and PDF
dtsearchMSG, EML, PST, MBOX$199 or *free
Search and view results in email viewer panel (no conversion or export options)

*For information about a free license of dtSearch available to CJA Panel Attorneys see: nlsblog.org/2014/03/25/dtsearch-desktop

This article will discuss demonstrate how to work with emails in terms of a series of discreet tasks including:

  1. Generate a list of emails to review.
  2. Viewing emails.
  3. Search, tag, and convert emails.
  4. Working with email attachments.

1. Generating a list of emails for review.
An initial task at the outset of a case might be to generate an index to facilitate early case assessment. Some programs, like PstViewer Pro, will work with many formats while other programs, like Mbox Viewer, work with a more limited number of formats.

  • Example 1 – Generating a list using Mbox Viewer:
    Mbox Viewer is a free tool that allows you to preview emails and generate a list of emails by simply selecting messages in the viewer, doing a right click and selecting print to CSV, then selecting which fields you would like to include in the spreadsheet (Figure 1-1).
Figure 1-1
  • The resulting CSV file contains a table that can be opened in Excel or imported into other programs (Figure 1-2).
Figure 1-2

2. Viewing emails.
While a list will provide you with a high-level overview of the emails you have in terms of subject matter, players involved and so forth, a closer review will require a different approach. MS Outlook, Mbox Viewer and Mozilla Thunderbird are all tools which can be utilized for this purpose.

  • Example 2.1 – Viewing emails received in PST format using MS Outlook:
    Within Outlook open the ‘File’ menu, select the ‘Open & Export’ button, then ‘Open Outlook Data File’. Navigate to the folder containing the PST file (Figure 2-1) and select the file to import. Outlook will create a folder within the ‘Personal folders’ from where you can conduct a review of the files.
Figure 2-1
  • Example 2.2 – Viewing emails received in MBOX format using Mozilla Thunderbird with the Import Export Tools add-on:
    The free ‘Import Export Tools’ add-on available for Mozilla Thunderbird allows for the import and viewing of MBOX files. After the add-on has been installed, right click on ‘local folders’, then choose ‘Import mbox file’ from the ‘ImportExportTools NG’ menu and navigate to the folder containing the MBOX file (Figure 2-2). This will copy the MBOX file into Thunderbird’s ‘Local Folders’ where, similar to Outlook, you can conduct a review of the emails within.
Figure 2-2

3. Search, tag, and convert emails
The approaches discussed in the two previous sections can be useful when you simply want to gain a high-level view of the emails, or take a closer look at particular emails in a smaller collection. However, when you are working with large volumes of emails, manual review becomes impractical and inefficient, and taking advantage of the search and tag functionality of the available tools is a better approach.

  • Example 3 – Searching, tagging and exporting within MS Outlook:
    Outlook can be utilized to conduct key word searches, and relevant files can be tagged exported as either MSG or PDF files (using the Acrobat integration that is included with licensed copies of Acrobat Standard and Pro). To tag an email, right click and select ‘Categories’ then select a color coded tag (Figure 3-1). You can also customize the tags using the ‘New Category’ option within the ‘Category’ dialog box (Figure 3-2).
Figure 3-1
Figure 3-2
  • You can then filter and tag a selection of emails (Figure 3-3) and save them to a folder as either individual MSG files or a new PST file. If you have a licensed version of Adobe Acrobat, there integration menu within Outlook can be used to convert messages into individual PDF’s or a combined ‘PDF Portfolio’ (Figure 3-4).
Figure 3-3
Figure 3-4
  • When choosing an export format, be aware of the limitations of the different conversion formats. The HTML and PDF export formats typically will not include the complete email metadata. Email header information that may include important information like IP addresses used may be lost during conversion. Export formats including the MSG, EML, MBOX and PST retain much more of the original email metadata.

4. Working with email attachments.
Emails invariably have attachments, which, in addition to the body of the email can contain substantive relevant information. The programs discussed in this post vary greatly with how attachments are handled during format conversion. Be aware that some of the programs are not able to include the attachments when exporting to PDF. While PDFs are generally easier to add bates stamps to or turn into exhibits not all programs include the attachments..

  • Example 4.1 – Exporting email with attachments using Mozilla Thunderbird with the Import Export Tools add-on:
    Thunderbird offers several export options including the ability to batch export relevant emails when using the Import Export Tools add-on. It does not have the ability to embed or append attachments when exporting messages to PDF, however it does allow for emails to be exported to the EML format (with attachments embedded) as well as an HTML format, which will include links to exported copies of the attachments (Figure 4-1).
Figure 4-1
  • Example 4.2 – Exporting email with attachments using PSTViewer Pro:
    PSTViewer Pro is yet another option for format conversion, and is a great tool to use in conjunction with tools like Thunderbird or Outlook. It can convert to many formats and includes some advanced PDF conversion options. When converting to PDF, attachments can either be embedded or “imaged” (Figure 4-2). The “imaged” option will convert supported attachments into PDF pages and appended them to the PDF version of the email (Figure 4-3).
Figure 4-2
Figure 4-3

Conclusion

As shown in this article there are a multiplicity of tools available to work with emails that are not universally compatible with all email formats and do not have the same functionality. This requires careful thought about how to leverage and integrate the tools. The best path forward through this thicket is to know what your goals are before you select your tool. Defining your goal early will help you select which tool or combination of tools you should use to develop an effective workflow that matches both the set of data you are working with and the needs of your case.

Google Data and Geofence Warrant Process

Featured

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Introduction

This is an updated version of a post originally published in December 2020, which provides a primer on how Google collects location data, the three-step warrant process used by law enforcement to obtain these records, and an example of how the data is collected and used by the prosecution. The updated version includes references to United States v. Chatrie, a recently decided district court opinion regarding the constitutionality of geofence warrants.[i] From the opinion and the pleadings in Chatrie, we have a better understanding of the Google collection and geolocation search warrant process.

What Can Google Do?

Google began collecting location data in order to provide location-based advertisements to its’ users. Google tracks location data from the users of its products, including from consumers who use Android telephones and those who use Google’s vast array of available apps on other devices such as Apple iPhones. For Android devices, Google is constantly tracking devices whenever the permission settings on the device are set to allow for the use of Google Location Accuracy. For iOS users, location information is only collected when a user is using a Google product, such as Google Maps.[ii] Google stores this information in a repository called “Sensorvault”, which “assigns each device a unique device ID…and receives and stores all location history data in the Sensorvault to be used in ads marketing.” 3:19-cr-00130-MHL at 7. The use of Sensorvault has been very profitable for Google. Since Google started collecting data and using Sensorvault in 2009, Google’s advertisement revenue has almost increased tenfold.

See https://www.statista.com/statistics/266249/advertising-revenue-of-google.

Google is able to determine the approximate location of a mobile device based on GPS chips in the device, as well as the device’s proximity to Wi-Fi hotspots, Bluetooth beacons, and cell sites.[iii] For purposes of Wi-Fi, Google uses the characteristics of wireless access points within range of the device (including received signal strength) to determine the device’s proximity to the access point, and thus approximate location. How Google tracks this data is dependent of the type of device (Android v. Apple) and an individual user’s privacy settings.[iv] Google cannot determine the exact location of a device, and as such, location records contain an “uncertainty value” which is expressed in meters.

Maps Display Radius:

Because Google does not know a device’s precise location, it represents the possible location in a sphere, or what Google refers to as the Maps Display Radius.

In this picture, Google’s “goal is that there will be an estimated 68% chance that the user is actually within” the spherical representation.[v]

To see how Google determines the approximate location of a mobile device, viewing the Location History of a Google account is instructive. In the following example, according to Google, the blue line indicates the path of travel, the orange dots represent wireless access points, and the grey sphere next to the blue arrow is the estimated range of the location source.

Generally, the location information source has the largest impact on the Maps Display Radius. Most often, GPS provides the smallest sphere whereas Cell Sites are generally the largest. By way of example, the map display radius for GPS is often a few meters whereas Wi-Fi is routinely over 1000 meters.

Use of Google’s Tools by Law Enforcement – Three-Step Warrant Process

Although the original intent of Google’s Sensorvault technology was to sell advertising more effectively, over the past few years this data has been sought by law enforcement to determine who was present in a specific geographical area at a particular time, for example, when a crime was committed. These warrants are often called “Geofence warrants” because officers seek information about devices contained within a geographic area. In 2021, Google released information about the number of geofence warrants sought by law enforcement. According to the data, “Google received 982 geofence warrants in 2018, 8,396 in 2019 and 11,554 in 2020.”[vi]

In current practice, Google requires law enforcement to obtain a single search warrant. The three stage warrant process is based on an agreement between Google and the Department of Justice’s Computer Crime and Intellectual Property Section (CCIPS). Once Google receives a geofence warrant, it takes on the extrajudicial role of determining when law enforcement officers have complied with probable cause such that additional information will be provided.

Stage One:

In response to the warrant, “Google must ‘search … all [Location History] data to identify users’ whose devices were present within the geofence during the defined timeframe” and to provide a de-identified list of such users. Chatrie at 19. The list includes: (1) anonymized user identifiers; (2) date and time the device was in the geofence; (3) approximate latitude and longitude of the device; (4) the maps display radius; and (5) the source of the location data.[vii]

Stage Two:

After reviewing the initial list, law enforcement can return to Google and request additional information about any device that is within in the first geofence. This includes “compel[ling] Google to provide additional…location coordinates beyond the time and geographic scope of the original request.” Chatrie at 21.[viii]  Troubling,
Google imposes “no geographical limits” for Stage Two review. Id.

Stage Three:

The third step involves compelling Google “to provide account-identifying information for the device numbers in the production that the government determines are relevant to the investigation. In response, Google provides account subscriber information such as the email address associated with the account and the name entered by the user on the account.”[ix]

It is important to note that in practice it appears that law enforcement routinely skips Stage Two and moves directly from Stage One to Stage Three analysis.

Past Examples

The shape of Google Geofence warrants has changed over time. For instance, In the Matter of the Search of information that is stored at premises controlled by Google, 1600 Amphitheatre Parkway, Mountain View, California 94043, law enforcement officers investigating a bank robbery sought information about “all Google accounts” located within a 30 meters radius around 43.110877, -88.337330 on October 13, 2018, from 8:50 a.m. to 9:20 a.m. CST.

Compare that to In the Matter of the Search of Information Regarding Accounts Associated with Certain Location and Date Information, Maintained on Computer Servers Controlled by Google, Inc.. In that instance, law enforcement was investigating a series of bombings and they sought location information for “all Google accounts” for a 12-hour period between March 1 and 2, 2018 in a “[g]eographical box” around 1112 Haverford Drive, Austin, Texas, 78753 containing the following coordinates: (1) 30.405511, -97.650988; (2) 30.407107, -97.649445; (3) 30.405590, -97.646322; and (4) 30.404329, -97.647983.

More recently, Google has requested that law enforcement submit Geofence warrants that are convex polygons in shape.

Starting from the Beginning – How the Process Works

To put this into perspective, the following example is illustrative. For these purposes, a crime occurred in the parking lot of a strip mall.

Because the crime occurred in the middle of a parking lot, we will create a geofence that includes storefronts because it will increase the chances that the suspect’s mobile device will be within range of a Wi-Fi hotspot or Bluetooth beacon. Conversely, the geofence will include the mobile devices of numerous people who are not connected to the offense.

The above geofence appears to only impact people who are present in the parking lot or surrounding business. However, the geofence would likely capture many more people, including people living or visiting in the nearby apartments and anyone who was driving on the surrounding streets during the time in question.

Stage One—The following is an example of a Stage One warrant return:

Device IDDateTimeLatitudeLongitudeSourceMaps Display Radius (m)
12345678912/20/2015:08:45(-8:00)32.752667-117.2168GPS5
98765432112/20/2015:08:55(-8:00)32.751569-117.216647Wi-Fi25
14785236912/20/2015:08:58(-8:00)32.752022-117.216369Cell1000
12345678912/20/2015:09:47(-8:00)32.752025-117.216369Cell800
98765432112/20/2015:09:55(-8:00)32.752023-117.216379Wi-Fi15
12345678912/20/2015:10:03(-8:00)32.752067-117.216368Wi-Fi25
98765432112/20/2015:10:45(-8:00)32.752020-117.216359Cell450
98765432112/20/2015:10:55(-8:00)32.752032117.216349Wi-Fi40
12345678912/20/2015:10:58(-8:00)32.752012117.216379Cell300

Here, Device ID 123456789 is Suspect One, Device ID 987654321 is Suspect Two, and Device ID 147852369 is Suspect Three.  For this example, only one location for each device is shown.

At first blush, it would appear as if the Geofence has located three possible suspects.  But this image does not tell the full story. The blue bubbles for Suspect One and Suspect Two show a Maps Display Radius of 5 and 25 meters respectfully.

Suspect Three’s location was derived from a Cell Site, with a Maps Display Radius of 1000 meters.

Thus, although Google believes that Suspect Three’s device was near the scene of the crime, it is possible it was located anywhere within the larger sphere, and it is possible that the device was not located within either sphere.

Stage Two—For this stage, we can expand our original results, as long as we only include one of the accounts returned in Stage One. Here, we will expand our results and determine if Suspect One’s device also present in the area Northeast of the original search location.

Stage Three—is the step whereby subscriber information about the accounts Google deems responsive. Meaning, law enforcement requests Google to provide the account number and information for Device IDs provided in either Stage One or Two. The following is an example of such a return:

Conclusion As technology and privacy concerns of consumers continue to change, so will the ability for law enforcement to obtain location data of users. The use of Google geofence warrants implicates a number of Fourth Amendment issues; future posts will explore the legal implications surrounding the overbreadth of these warrants.[x] But beyond the legal challenges, those encountering Google location warrants should remain mindful of the limitations of the data as well as the absence of concrete answers from Google regarding their methodology for determining location data


[i] See United States v. Chatrie, 3:19-cr-00130-MHL, Docket Entry 220.

[ii] The exception is for a user who has turned location services to always on, has a Google product open on a device, and has allowed for background app refresh. That means that is likely that Google knows far more about the location history of android users than iPhone users. That’s important because approximately 52 percent of devices on mobile networks are iOS devices. https://www.statista.com/statistics/266572/market-share-held-by-smartphone-platforms-in-the-united-states/.

[iii] https://policies.google.com/technologies/location-data (“On most Android devices, Google, as the network location provider, provides a location service called Google Location Services (GLS), known in Android 9 and above as Google Location Accuracy. This service aims to provide a more accurate device location and generally improve location accuracy. Most mobile phones are equipped with GPS, which uses signals from satellites to determine a device’s location – however, with Google Location Services, additional information from nearby Wi-Fi, mobile networks, and device sensors can be collected to determine your device’s location. It does this by periodically collecting location data from your device and using it in an anonymous way to improve location accuracy.”)

[iv] https://support.google.com/nexus/answer/3467281?hl=en

[v] See United States v. Chartrie, 19cr00130-MHL (EDVA 2020), ECF 1009 [Declaration of Marlo McGriff] (“A value of 100 meters, for example, reflects Google’s estimation that the user is likely located within a 100-meter radius of the saved coordinates based on a goal to generate a location radius that accurately captures roughly 68% of users. In other words, if a user opens Google Maps and looks at the blue dot indicating Google’s estimate of his or her location, Google’s goal is that there will be an estimated 68% chance that the user is actually within the shaded circle surrounding that blue dot.”)

[vi] https://techcrunch.com/2021/08/19/google-geofence-warrants/

[vii] Id. at 4 (“After that search is completed, LIS assembles the stored LH records responsive to the request without any account-identifying information. This deidentified ‘production version’ of the data includes a device number, the latitude/longitude coordinates and timestamp of the stored LH information, the map’s display radius, and the source of the stored LH information (that is, whether the location was generated via Wi-Fi, GPS, or a cell tower)”).

[viii] Id. at 17

[ix] Id.

[x] In the Matter of the Search of: Information Stored at Premises Controlled by Google, 20mc00392-GAF (NDIL 2020) provides a great overview of the Fourth Amendment issues relating to Google Geofence warrants.  See also https://www.eff.org/deeplinks/2020/07/eff-files-amicus-brief-arguing-geofence-warrants-violate-fourth-amendment


Ephemeral Messaging Apps

[Editor’s Note: John C. Ellis, Jr. is a National Coordinating Discovery Attorney for the Administrative Office of the U.S. Courts, Defender Services Office. In this capacity, he provides litigation support and e-discovery assistance on complex criminal cases to defense teams around the country. Before entering private practice, Mr. Ellis spent 13 years as a trial attorney and supervisory attorney with Federal Defenders of San Diego, Inc. He also serves as a digital forensic consultant and expert.]

Ephemeral Messaging Apps are a popular form of communication. With privacy a concern for everyone, using a self-destructing message that works like disappearing ink for text and photos has a certain allure. All messages are purposely short-lived, with the message deleting on the receiver’s device, the sender’s device, and on the system’s servers seconds or minutes after the message is read. Although these apps were initially only used by teenagers, they are now a ubiquitous part of corporate culture.

According to the 6th Annual Federal Judges Survey, put together by Exterro, Georgetown Law CLE, and EDRM, 20 Federal Judges were asked “[w]hat new data type should legal teams be most worried about in the 5 years?”[1]  The overwhelming response was “Ephemeral Apps (Snapchat, Instagram, etc.).” Id.  In fact, 68% of those surveyed believed ephemeral messaging apps where the most worrisome new data type, whereas only 16% responded that biometric data (including facial recognition and fingerprinting) were the greatest risk. Only 5% were concerned with Text Messages and Mobile, and 0% were concerned with the traditional social media such as Facebook and Twitter.  Id.

Even now, Courts are attempting to sort out the evidentiary issues cause by ephemeral messaging apps, see e.g., Waymo LLC v. Uber Technologies, Inc. 17cv0939-WHA (NDCA).  This article discusses popular ephemeral messaging apps and discusses guidelines for addressing potential evidentiary issues.

Short technical background:

There are several background definitions relevant to this discussion:

  1. Text Messages – otherwise known as SMS (“Short Message Service”) messages, text messages allow mobile device users to send and receive messages of up to 160 characters. These messages are sent using the mobile phone carriers’ network. Twenty-three billion text messages are sent worldwide each day.  Generally, mobile carriers do not retain the contents of SMS messages, so the records will only show the phone number that sent or received the messages and the time it was sent or received.
  2. Messaging Apps – allow users to send messages not tethered to a mobile device (e., a phone number). With some apps, a user may send messages from multiple devices. These apps include iMessage, WhatsApp, and Facebook Messenger. Messaging Apps are generally free. Unlike text messages, these apps rarely have monthly billing records or records showing when messages were sent or received.
  3. Ephemeral Messaging Apps – are a subset of Messaging Apps that allow users to cause messages (words or media) to disappear on the recipient’s device after a short duration. The duration of the message’s existence is set by the sender. Messages can last for seconds or days, unless the receiver of the message takes a “screenshot” of the message before its disappearance.
  4. End-to-End Encryption – also known as E2EE, this is a type of encryption where only the communicating parties can decipher the messages, which prevents eavesdroppers from reading them in transit.

Common Disappearing Messaging Apps:

Messaging apps, like all apps, are changing.  The following is a list and description of several popular ephemeral messaging apps.


Snapchat – both a messaging platform and a social network. The app allows users to send messages and media (including words and emojis appearing on the media) that disappear after a set period of time. Photos and videos created on Snapchat are called “snaps.” Approximately 1 million snaps are sent per day.

Signal – an encrypted communications app that uses the Internet to send one-to-one and group messages which can include files, voice notes, images and videos, which can be set to disappear after a set period of time. According to Wired, Signal is the one messaging app everyone should be using.

Wickr Me – a messaging app that allows users to exchange end-to-end encrypted and content-expiring messages, including photos, videos, and file attachments.

Telegram – cloud-based instant messaging app with end-to-end encryption that allows users to send messages, photos, videos, audio messages and files. It has a feature where messages and attachments can disappear after a set period of time.

CoverMe – a private messaging app that allows users to exchange messages, files, photographs, and phone calls from a fake (or “burner”) phone number. It also allows for private internet browsing, and llows users to hide messages and files.

Confide – a messaging app that allows users to send end-to-end encrypted messages.  The user can also send self-destructing messages purportedly screenshot-proof.

Evidentiary Issues:

Messaging app data, like other forms of evidence, must, amongst other criteria, be relevant (Fed.R.Evid. 401); authenticated (Fed.R.Evid. 901 et seq); and comply with the best evidence rule (Fed.R.Evid 1001 et seq).

As for the Best Evidence Rule, based on the nature of disappearing messaging apps, the original writing of the message is not preserved for litigation. See Fed.R.Evid. 1004(a) (finding that the original is not required if “all the originals are lost or destroyed, and not by the proponent acting in bad faith.”) Sometimes, the contents of the message may be established by the testimony of a witness. In other cases, the contents of the message may be based on a screen shot of the message.

Authenticating messages from apps, regardless of their ephemeral nature, is often difficult—text messages can be easily faked. When it comes ephemeral messages, we often must rely upon a screenshot or testimony regarding the alleged contents of the message.  In such circumstances, the following factors—repurposed from Best Practices for Authenticating Digital Evidence—are useful[2]:

  • testimony from a witness who identifies the account as that of the alleged author, on the basis that the witness on other occasions communicated with the account holder;
  • testimony from a participant in the conversation based on firsthand knowledge that the screen shot fairly and accurately captures the conversation;
  • evidence that the purported author used the same messaging app and associated screen name on other occasions;
  • evidence that the purported author acted in accordance with the message (e.g., when a meeting with that person was arranged in a message, he or she attended);
  • evidence that the purported author identified himself or herself as the individual sending the message;
  • use in the conversation of the customary nickname, avatar, or emoticon associated with the purported author;
  • disclosure in the message of particularized information either unique to the purported author or known only to a small group of individuals including the purported author;
  • evidence that the purported author had in his or her possession information given to the person using messaging app;
  • evidence that the messaging app was downloaded on the purported author’s digital device; and evidence that the purported author elsewhere discussed the same subject.

Conclusion:

Ephemeral messaging app data will continue to impact investigators, attorneys, and the Court. Defense teams should be prepared for the challenges ephemeral messages cause from investigations to evidentiary issues.


[1]Available at https://www.exterro.com/2020-judges-survey-ediscovery.

[2] Hon. Grimm, Capra, and Joseph, Best Practices for Authenticating Digital Evidence (West Academic Publishing 2016), pp. 11-12.