Case Study 1 - deleted ipad messages 


The case

This case centered around a woman who was accused of perverting the course of justice. The lady had been accused of submitting an electronic document to the court on a particular date which, when subjected to forensic examination, showed a creation date later than when it was supposed to have been created. 

The defence

The woman's defence was that she had originally created the document on her iPad using the 'Notes' application, and had subsequently copied the note from the iPad to her laptop so it could be printed for the court. The iPad had subsequently been given to her children and had had all of the notes (and other data) deleted months prior to any suspicion of wrongdoing relating to the document surfaced.

The prosecution findings

Two prosecution experts had in turn examined the iPad and found that there were no Notes, live or deleted, recoverable from the device. There was, they concluded, no evidence to support the woman's claims and asserted that she was in fact, lying.

our findings

Enter 3EF Ltd. We examined the iPad using the same forensic software used by the prosecution experts, plus different forensic software they did not have. No Notes, live or deleted ere recoverable. Our initial results were the same, but our method of working could not be more different. Most prosecution experts are, unfortunately, under huge time constraints and as a result often rely on the forensic software to do their job for them. For us, that's not 'proper' forensics and is only half of the story...

Delving deeper into the data recovered, it could be seen that fragments of data remained in the 'Notes' database. Not enough for the forensic software to detect or parse correctly, but enough for us to prove beyond a shadow of a doubt that at least eight Notes had been created on the iPad, and that the notes had been subsequently deleted by the user, as reported. Research and testing on another iPad were key to decoding the remaining fragments of data retained within the database - actions the prosecution experts did not carry out due to lack of interest/time/training.

The court ruling

It was not possible to determine the message body or the dates and times of creation, modification or deletion, but it was enough for the court - The woman was cleared.

The moral for defence teams

Never take the prosecution's word for it. We see so many cases in which the examination of a device was flawed or incomplete. This can be at the extraction stage, the parsing of the extracted data by forensic software stage, the interpretation of the data stage or the reporting stage. Our advice is simple - If your client's mobile phone or tablet has been examined by the prosecution and they are using the extracted data in court, get it examined by your own expert - It's the only way you can be sure of the full story.