Text Message Screenshots: Real Or Fake?

Fake news, false identities, and phony emails – in today’s digital world, it is becoming increasingly more difficult to detect fact from fiction.

Fake Texts Are Easy To Create, Difficult To Detect

For lawyers, judges, juries, and investigators, discerning what’s real when dealing with digital evidence is more difficult than ever. This is due, in part, to how easy it is to create fake evidence. Specifically, a rise in fake text message apps makes it almost effortless to falsify all types of instant mobile communications – iMessage, SMS, MMS, and chat. Nearly every aspect of the text message can be fabricated, including the sender and recipient, time stamp, and delivery status.

iDiscovery Solutions (iDS) was founded in 2008, and is a professional services consulting firm that specializes in Digital Forensics, e-Discovery, Structured Data, Cybersecurity, Data Privacy, and Information Governance. Of the many services iDS provides is the ability to examine, dissect and provide legal testimony as to the validity of digital evidence produced in court proceedings.

With the click of a button, the imposter or falsifier can download an image that looks like a genuine text message, making it nearly impossible for an untrained eye to notice the difference between a real chat and a fake.    

Unfortunately, state cyber evidence laws have not caught up with technology demanding certification of evidence other than, “I made my own screenshots of all of them and have them on my computer. I can email them to you,” rather than letting law enforcement take snapshots or better yet conficating the devices for the forensics lab. The proper process has yet to be thoroughly defined which leaves the door wide open for fraud and fabrication.

Uncovering Fake Evidence In Litigation And Investigations

In litigation and investigations, fake texts can wreak havoc. This is not to say that you should assume screenshots of text messages are fake, but diligence and expert forensics is recommended. 

Consider these scenarios:

  • Hostile Work Environment – An employee claims that a co-worker made unwelcome comments, and he or she provides HR with screenshots of text messages allegedly proving the accusations. The HR team member notices that on the screenshot, the wireless carrier is not capitalized (“verizon” instead of “Verizon”).
  • Fabrication and Spoliation – The blank text entry box at the bottom of the image is inconsistent with an image of an authentic iPhone interface, because all versions of the iPhone OS show the words “iMessage” or “TextMessage” in an empty text entry box, depending on the protocol that the iPhone will use to send the message. Finally, the font used in the image differs, albeit subtly, from that used to display text messages on iPhones. See ROSSBACH v. MONTEFIORE ME | No. 19cv5758 (DLC). | 20210810b65
  • Inconsistent Characteristics – For instance, certain characteristics of the font and icons in the iPhone text message application will be consistent on all iPhones using OS 10. “But the image produced by the fabricator and her attorneys contains characteristics not consistent with OS 10 or any other version of the iPhone OS available on the iPhone5.” These include the icon depicting the phone’s level of battery charge; the font size and style in the header; the icons in the lower portion of the header; and the icon for the iMessage Apps feature in the footer. See Rossbach.
  • Screenshot Generators for Faking Text Messaging – “Just by Googling “fake a screenshot,” every result on the first page is either a tutorial or actual screenshot generators for faking text messaging conversations. On the website “iphonefaketext.com” for example, it is possible to enter various data values, such as contact name, carrier, message content, and even signal strength. Entering in enough detail can result in a very convincing faux screenshot of a text conversation.” See Vestige Digital Investigations

“Apple” Identifier Tags – “If a cell phone screenshot was claimed to have been taken with an iPhone, forensics experts would expect an “Apple” identifier tag inside the image artifacts. Apple devices by default will insert various tags that reference Apple. Additionally, if the screenshot showed the time at the top of the screen, as Apple iPhones do, digital forensics experts would be able to verify if that time is reflected as when the image was created. It is through this type of analysis that these artifacts have been utilized in a number of cases in order to authenticate images in general, and screenshots can be reviewed by the same means.” See Vestige.

Screenshots are commonly produced as evidence as they are a straightforward way of sharing an exact copy of the information. However, there are pitfalls with any digital file; they can be corrupted, manipulated, and edited to twist the facts.    

Authenticity – The court will want to know whether the text messages you are trying to admit are authentic. Are the messages between you and the person you are claiming? Have you deleted or altered any of the text messages? Source: Is it Legal to Screenshot Text Messages for any Official Purpose?

Faking a Screenshot – “Take a look at a screenshot of a string of text messages; all the expected symbols like wifi, service provider, battery life, and time are at the top along with the name of the sender, looks legitimate, right? Maybe it is a bona fide screenshot; however, how do you know that a digital artist hasn’t entirely constructed it? After all, it is essentially just a computer image and a relatively simple one at that. Even when we assume that the screenshot has been established as genuine and not a work of art, what does it prove and how could you or I fake it? What if all the symbols are missing altogether?

The time is a simple enough fact; however, it is not backed up by a date. The absence of a date means we could send a constructed set of fake messages 24, 48, even 72 hours or longer after the originals, and the time at the top would be the same. The name at the top of the messages is who we believe to be the sender; however, it doesn’t show their phone number. In this instance, by simply changing the name in the phone’s contacts, we can attribute whatever name we want to an alternate phone number. And, if we can change the name of the sender, we can use a second phone to send whatever messages we want. The service provider can be manipulated with a bit of careful planning leaving just the battery life, which can be run down or charged up as necessary before taking our perfect fake screenshot!

Because of the demonstrated ease by which we can manipulate screenshots, proving authenticity has become crucial to establishing their credibility.” See LifeHash.

Sounds criminal doesn’t it?

False evidencefabricated evidenceforged evidencefake evidence or tainted evidence is information created or obtained illegally in order to sway the verdict in a court case. Falsified evidence could be created by either side in a case (including the police/prosecution in a criminal case), or by someone sympathetic to either side. Misleading by suppressing evidence can also be considered a form of false evidence (by omission). Source: Wikipedia

In a criminal case, the evidence must be Proof Beyond a Reasonable Doubt. This is likely because criminal cases can come with much more serious penalties than civil cases, including jail time, serious fines, and potentially the loss of certain rights. Innocent until proven guilty is a large part of the criminal justice system and rights afforded to those being accused of a crime, and requiring the prosecution to provide proof beyond a reasonable doubt that the defendant is guilty ensures that the assumption of guilt is not hastily or incorrectly made.

This means that falsifying evidence, cropping, fabricating and faking text messages can lead to harsh punishment on the fabricators. The courts frown on such antics, but especially on the parties to an action and their attorneys or prosecutors who should have known better than to submit questionable evidence in the first place.

In ROSSBACH v. MONTEFIORE ME | No. 19cv5758 (DLC). | 20210810b65, for example, the court found Rossbach had fabricated documentary evidence she produced during discovery in the action. “On April 22, the Court held an evidentiary hearing regarding the allegations of fabrication of evidence. iDS Daniel L. Regard II and Joseph Caruso testified as forensic experts for the defendants.

In her complaint, Rossbach alleged that Morales, one of her supervisors subjected her to, among other things, a series of unwanted sexual comments and to unwanted sexual touching. Rossbach never made a formal complaint regarding this alleged conduct and there is very little documentary evidence that supports her claims. The primary piece of documentary evidence supporting Rossbach’s allegation that she was sexually harassed by Morales is the following image that purports to depict a series of text messages sent by Morales to Rossbach.

Rossbach claimed that she received the text messages displayed in the image from Morales on the iPhone 5 that she used during 2017. Rossbach created several versions of her iPhone 5C difficulties and manipulative detail surrounding her device and evidence.

More to the point, the image contained elements that are not consistent with any iPhone OS. For instance, the contact bar displayed in the image shows Morales’ full first and last name, while an authentic iPhone OS image would display only his first name. The blank text entry box at the bottom of the image is also inconsistent with an image of an authentic iPhone interface, because all versions of the iPhone OS show the words “iMessage” or “Text Message” in an empty text entry box, depending on the protocol that the iPhone will use to send the message. Finally, the font used in the image differs, albeit subtly, from that used to display text messages on iPhones.

In sum, the evidence at the evidentiary hearing conclusively demonstrated that the image was not of text messages received on an iPhone 5, that it was not a photograph taken by an iPhone X, that the image is not an authentic representation of how text messages received on an iPhone would be displayed, and that the image was not even a photograph. As a result, there is clear and convincing evidence that Rossbach fabricated the image and engaged in perjury and spoliation to prevent discovery of that fabrication.

Plaintiff’s Fabrication of Emoji and Text Evidence Leads to Case Dismissal, Monetary Sanctions: eDiscovery Case Law

This is a rare case law post with pictures to illustrate the issues and was recommended to me for coverage by several people, including Tom O’Connor and Judge Peck, writes Doug Austin of eDiscovery Today. In Rossbach v. Montefiore Med. Ctr., No. 19cv5758 (DLC) (S.D.N.Y. Aug. 5, 2021), New York District Judge Denise Cote, based on “clear and convincing evidence” of the plaintiff’s fabrication of an image of a text exchange between her and her supervisor, dismissed the action “with prejudice as an exercise of its inherent power to sanction and pursuant to Fed. R. Civ. P. 37(e).” A monetary sanction in the amount of the defendants’ attorneys’ fees, costs, and expenses associated with addressing the plaintiff’s fabrication was also assessed jointly and severally against the plaintiff and her counsel. For more information see eDiscovery Today.

To the bottom of which Judge Cote added this statement: “This image is a fabrication.”

Judge’s Ruling

Judge Cote described next steps as follows: “On April 22, the Court held an evidentiary hearing regarding the allegations of fabrication of evidence…Daniel L. Regard II and Joseph Caruso testified as forensic experts for the defendants and Rossbach, respectively, and Rossbach also testified. The Court received the expert reports of Regard and Caruso as their direct testimony, and they were subject to cross examination regarding that testimony at the hearing. Rossbach was subject to both direct and cross examination at the hearing. At the conclusion of the hearing, the Court found by clear and convincing evidence that Rossbach had fabricated the disputed text message evidence and had given false testimony about how the evidence had been produced. As a result, the defendants’ request to move to dismiss and for sanctions was granted.

Considering monetary sanctions for plaintiff’s counsel on top of case dismissal, Judge Cote added: “In short, at every step of these proceedings, Altaras failed to take reasonable steps to preserve critical evidence and failed to recognize the gravity of his client’s misconduct and its implications for his own duties.

He instead burdened the defendants and this Court by suborning his client’s perjury and making frivolous and procedurally improper legal and factual arguments. A monetary sanction against Altaras and DSLG is warranted…and the Court imposes a monetary sanction under its inherent power and § 1927. As with the monetary sanction against Rossbach, the monetary sanction shall be in the amount of the defendants’ attorneys’ fees, costs, and expenses associated with addressing Rossbach’s misconduct.”

Smiley Face with Heart Eyes: How much meaning can there be in one emoji?

In this case, the emoji meant that the evidence was false and clinched an accelerated win.

An emoji says so much with so little. It’s not every day that a lawsuit is dismissed due to emoji use. In a recent sexual harassment case, a smiley-face-with-heart-eyes emoji was one of the smoking guns.

This modern example of digital forensics shows the impact subtle changes in tech can make to a case, and how data authentication isn’t always black-and-white. Sometimes, it’s yellow and red.

Determining the authenticity of data-driven evidence in this landmark case was an honor. iDS’ proven methodologies safeguarded innocent employees from falling prey to fake evidence, and the case will serve as a guide for future eDiscovery litigation.

The case brought sexual harassment, retaliatory firing, and hostile work environment claims to the forefront. Let’s dive in and see what this case can teach you about evidence. READ MORE CLICK HERE

 §710-1076  Tampering with physical evidence.  (1)  A person commits the offense of tampering with physical evidence if, believing that an official proceeding is pending or about to be instituted, the person:
     (a)  Destroys, mutilates, conceals, removes, or alters physical evidence with intent to impair its verity in the pending or prospective official proceeding;
     (b)  Makes, presents, or offers any false physical evidence with intent that it be introduced in the pending or prospective official proceeding.
     (2)  “Physical evidence,” as used in this section includes any article, object, document, record, or other thing of physical substance.
     (3)  Tampering with physical evidence is a misdemeanor. 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s