Copyright 2026, Steve Burgess

In over four decades of digital forensics work, I’ve examined more than 20,000 devices and pieces of digital evidence. And in that time I’ve developed a reliable theory: the evidence that counts – that might win or lose a case is rarely sitting where the attorneys expected to find it.

It’s hiding. Not maliciously — well, sometimes maliciously — but more often just because nobody thought to look there.

Let me tell you about some of the places where the good stuff actually lives.

The Email You Didn’t Ask For

Attorneys ask for emails. That’s great. What they often forget is that email is not one thing — it’s a collection of things, each with its own quirks, its own storage habits, and its own forensic personality.

Consider Outlook. When you delete a message in Outlook, it doesn’t vanish. It goes to the Deleted Items folder. When you empty that folder, it still doesn’t vanish — not entirely. The message gets marked as deleted in the PST or OST file, but the data hangs around – not just in unallocated space – but also right in the file,  like a houseguest who doesn’t take hints. A forensic examiner can often recover those messages intact, complete with headers, timestamps, and attachments. Your client’s opponent who “deleted everything” may have deleted nothing of consequence at all.

Then there’s webmail — Gmail, Yahoo, Outlook.com, and their cousins. Here’s where it gets interesting for attorneys. The messages don’t live on the user’s computer in the traditional sense. They live on the provider’s servers. That means you may need a subpoena or a preservation request to Google or Microsoft, and you need to move on that quickly, because providers don’t hold onto data forever out of the goodness of their hearts. Gmail keeps deleted messages in Trash for 30 days. After that, they’re gone from the server — though sometimes not entirely gone from a forensically imaged phone or computer that was syncing that account.

One more thing about email that trips people up: the headers. Nobody reads email headers. Attorneys definitely don’t read email headers. But headers tell you the actual IP address the message came from, the route it traveled, the mail servers it touched. And here’s the beauty of email saved in the provider’s servers – the user can’t really fake the dates and the precise timestamp, because those are assigned by the server, which is not in the user’s control. I’ve had cases where someone claimed an email was sent from one city when the header told me, very clearly, it was sent from another city entirely. Headers don’t lie. People do.

Texts: More Than Just “Hey”

SMS text messages are a goldmine. Most people treat them casually — the digital equivalent of talking out loud — which means they say things in texts they’d never commit to a formal email. I’ve seen business deals negotiated entirely over text. I’ve seen admissions, threats, and instructions that made attorneys’ eyes go wide when we produced them.

The forensic wrinkle is device dependency. Unlike email, which typically has a server-side copy, SMS and iMessage messages often live primarily on the device itself. If that device hasn’t been preserved, you may be looking at a very uncomfortable conversation with your client about spoliation.

But don’t give up too quickly. A few things to remember:

iMessage has iCloud backup. If the user had iCloud backup enabled — and most iPhone users do, at least for a while — there may be a backup copy of the messages in the cloud. Apple will respond to valid legal process, although they may resist a bit. The preservation window isn’t infinite, but it exists.

Android devices with Google accounts often back up SMS data to Google’s servers as well, depending on device settings and the apps installed. Samsung has its own backup ecosystem. The point is: the phone is not the only place to look.

Carrier records are another option. Wireless carriers retain metadata — who texted whom, when, and from what number — for varying periods. AT&T, Verizon, T-Mobile: they all have legal compliance departments that respond to subpoenas. You won’t get the content of the messages from the carrier, but you’ll get the records of communication, which can be extremely valuable for establishing a timeline or refuting someone’s claim that they “never contacted” the other party. And cell tower records can point where the user’s phone was when they were using it.

The Cloud: Where Everything Lives Now, Even the Things You Forgot About

Cloud storage is the gift that keeps on giving — to forensic examiners, anyway.

Google Drive, iCloud, Dropbox, OneDrive, Box: people store documents, photos, videos, and files in the cloud without thinking much about it. They also forget what they’ve stored there. This creates a wonderful situation where the evidence is sitting in the cloud, perfectly preserved, while the person who put it there has completely forgotten it exists. I have been on the beneficial end of this situation more than once.

One case that comes to mind involved a business dispute where the defendant insisted he had no copies of certain proprietary documents. His hard drive, conveniently, had been wiped. His phone, also conveniently, was new. But his Google account had been syncing files from his old computer for two years. Those documents were sitting right there in his GDrive, timestamped and everything. Not wiped. Not new. Just waiting.

The lesson: always ask about cloud storage accounts as part of your discovery requests. Not just “do you use Dropbox” — ask about all of them. Google Drive. iCloud. OneDrive. Box. Evernote. There’s more. Even Adobe Creative Cloud if the case involves documents or design files. People have more cloud accounts than they realize, and they rarely think of them as places where evidence lives.

Messaging Apps: The New Wild West

Here’s where attorneys really leave evidence on the table.

WhatsApp, Telegram, Signal, Facebook Messenger, Instagram DMs, Snapchat, WeChat, Line — and whatever new platform launched last Tuesday. These are messaging apps, and they are increasingly where people conduct their most candid conversations. They feel private. They feel ephemeral. They often aren’t.

WhatsApp stores message databases on the device, and — critically — backs them up to either Google Drive or iCloud. Those backups are not encrypted with the same end-to-end encryption that protects messages in transit. That’s a significant forensic opportunity if you can get access to the backup.

Telegram stores messages on Telegram’s own servers unless the user specifically uses the “Secret Chat” feature. Regular Telegram chats are cloud-based and accessible from multiple devices. The fact that someone deleted a Telegram message on their phone does not mean the message is gone everywhere.

Signal is the hard one. Signal is designed to be forensically resistant. It uses end-to-end encryption, stores messages locally, and gives users easy tools to set messages to auto-delete. However, the device itself can sometimes still be examined if we have access to it and the right tools. And sometimes people screenshoot Signal messages and those screenshots end up somewhere more recoverable. People undermine their own secure communications with impressive regularity.

Snapchat is a perennial source of confusion. “But it disappears!” No — it disappears from the app’s interface. Snapchat retains opened snaps on its servers for a period after opening, and unopened snaps for longer. Forensic examination of the device can also reveal plenty of evidence of Snap activity even after “disappearance.” And again: screenshots. Always screenshots.

Location Data: The Witness Who Never Lies (Much)

I’ll include this one because it relates to cloud data and it’s massively underutilized.

Smartphones are location-tracking devices that also make phone calls. The location data that accumulates in cloud accounts — Google Timeline, Apple’s Significant Locations, fitness apps, rideshare apps, photo metadata — can place a person at a specific location at a specific time with remarkable precision.

Phones don’t keep an audit trail of all locations – too many users screamed about that several years ago and the providers just stopped – but as above, it can be derived, inferred, and actually found from other artifacts.

I’ve worked cases where Google Timeline data provided a minute-by-minute account of where a phone traveled on a given day. Photo EXIF data embedded GPS coordinates and timestamps in every image. The phone didn’t just know where the person was — it was more than willing to tell us.

The catch: much of this data is tied to cloud accounts and requires preservation requests or legal process. Some of it is stored only on the device. Either way, if location is at issue in your case, ask your forensic expert about it early.

A Word About Preservation

Everything I’ve described above comes with an expiration date. Email gets purged. Carrier records get overwritten. Cloud backups get replaced by newer backups. Messaging app logs get deleted. The evidence isn’t gone yet — but it will be.

The single most expensive mistake I see attorneys make is waiting too long to engage a forensic examiner. By the time the case heats up and someone thinks to ask about the text messages, the carrier retention window has closed, the phone has been traded in, and the iCloud backup has been overwritten fourteen times. I’ve seen this plenty of times and they attorney can only say, “if only…”

Digital evidence doesn’t wait for a convenient moment in your litigation schedule. Issue litigation holds early. Serve preservation letters early. Call a forensic expert early — ideally before the evidence knows it’s being looked for.

After 40 years and 20,000-plus look-sees, I can tell you that the cases that get won on digital evidence are usually the ones where someone moved fast. The cases that get lost on digital evidence are usually the ones where someone assumed the evidence would still be there when they got around to it.

It wasn’t.

Steve Burgess is a digital forensics expert witness and the founder of Burgess Forensics, one of the longest-established independent digital forensics practices in the United States. He has examined more than 20,000 cases over four decades and provides expert witness testimony in civil and criminal matters nationwide. He can be reached at burgessforensics.com.

The post Where Critical Evidence Hides: Email, Texts, & Cloud Data Part II appeared first on Burgess Forensics.

Copyright 2026, Steve Burgess

I’ve been working with digital evidence since 1985, and I’ve seen a lot of changes. Back then, the biggest challenge was recovering data from a 10 MB hard drive—yes, megabytes, for you youngsters who think gigabytes are small. But nothing compares to what’s happening right now with artificial intelligence.

Here’s something that should concern everyone: we’ve reached a point where anyone with a smartphone can create fake videos, photos, and audio recordings that look and sound completely real. Not “pretty good” fakes that experts can spot. I’m talking about fakes so convincing that even professionals like me have trouble telling the difference. And trust me, after 40 years of staring at computer screens, my ability to spot weird pixels is legendary.

This technology is called “deepfake” AI, and it’s already being used in courtrooms, whether judges and juries realize it or not.

What Are Deepfakes?

Think of deepfakes as Photoshop on steroids. Photoshop that went to Gold’s Gym, got a PhD in computer science from University of Phoenix, and decided to cause chaos. But instead of just touching up a photo, this technology can:

• Put your face on someone else’s body in a video
• Make you appear to say things you never said
• Create recordings of your voice saying anything
• Generate completely fake images that look like real photographs

The scary part? This used to require expensive equipment and expert knowledge. Now there are apps that can do it on your phone in minutes. The same phone you use to watch cat videos and argue with strangers on the Internet.

Why This Matters in Court

Imagine you’re on a jury. The prosecutor shows you a video of the defendant at the crime scene. It looks real. It sounds real. The metadata (the hidden information in the file) says it was recorded at the right time and place.

But what if that video was created by AI? What if the defendant was never actually there?

Or flip it around: what if you’re accused of something, and there’s a fake video showing you doing it? How do you prove it’s not real when it looks so convincing?

This isn’t hypothetical. These situations are already happening in courtrooms. Welcome to the future, where “the camera doesn’t lie” is officially retired as a saying.

The Old Rules Don’t Work Anymore

For decades, we’ve had pretty good ways to tell if photos and videos were tampered with. We could look at the file’s internal structure, check when and where it was created, and spot the digital fingerprints left behind when someone edits an image.

But AI-generated fakes don’t leave those fingerprints. They’re not edited versions of real photos or videos—they’re created from scratch. There’s nothing to compare them to because there was never an original.

It’s like trying to prove a painting is a forgery when there’s no original painting to compare it to.

What’s Being Done About It

The good news is that courts are starting to take this seriously.

In 2025, new federal rules were put in place that require stricter verification of digital evidence that might involve AI. Judges can now demand that experts test evidence with multiple detection tools before it’s allowed in court.

Some tech companies are also developing authentication systems. Think of it like a tamper-proof seal on a medicine bottle, but for digital files. These systems create a kind of digital signature the moment a photo or video is captured, proving it’s authentic.

The problem? Most phones and cameras don’t have this technology yet, and it could be years before it becomes standard. So, we’re in that awkward phase where the bad guys have a bunch of cool toys and the good guys are still waiting for their equipment to ship.

How Do Experts Catch Fakes?

I wish I could tell you we have a foolproof method, but we don’t. If I had one, I’d be drinking mojitos on a beach somewhere instead of writing this article. What we do is use multiple approaches:

Run detection software. There are programs specifically designed to spot AI-generated content. They’re not perfect, but they can catch many fakes.

Look for impossible things. Sometimes AI makes mistakes—lighting that doesn’t match, shadows falling the wrong way, people with eleven fingers, or physics that just don’t work in the real world. AI is smart, but it still occasionally forgets how gravity works.

Check the story. Where did this evidence come from? Who had access to it? Does it make sense that this file exists?

Compare with other evidence. If you have ten photos from an event and nine look normal but one looks suspicious, that’s a red flag.

The truth is, detecting deepfakes is getting harder as the technology improves. The detecting tech gets better, too. But it’s an arms race, and right now, the fakers are ahead. It’s like playing whack-a-mole, except the moles have PhDs and keep getting smarter.

What This Means for You

You might be thinking, “I’m not a lawyer or a forensics expert. Why should I care?”

Here’s why: we’re all going to be affected by this technology.

Maybe you’ll serve on a jury and need to decide if evidence is real. Maybe you’ll see a video of a public figure saying something outrageous (that they never actually said). Maybe someone will use this technology to fake evidence against you or someone you love. Or maybe you’ll just want to know if that video of your uncle “dancing” at the wedding is real or if someone’s playing a prank.

We’re entering a era where “seeing is believing” is no longer true. That’s a fundamental shift in how we understand reality and truth.

What You Can Do

Be skeptical. Just because a video looks real doesn’t mean it is. This is especially important for dramatic claims or shocking content. If it seems too crazy to be true, it might be—but then again, it’s 2026, so who knows anymore.

Check sources. Before believing or sharing something, try to verify where it came from. Is it from a credible source?

Understand the stakes. In legal situations—whether it’s a court case, an insurance claim, or a business dispute—insist on proper verification of digital evidence.

Stay informed. This technology is evolving rapidly. What’s true today might be outdated in six months.

Looking to the Future

I’ve been doing this work for over 40 years, and I’ve learned that technology always creates new challenges. But we adapt. We develop new tools, new methods, new ways of finding the truth. It’s what keeps forensic experts like me from having to learn how to do something sensible, like accounting, or racing cars.

Courts are updating their rules. Researchers are building better detection tools. Tech companies are working on authentication systems. It’s going to take time, but we’ll figure this out.

In the meantime, we all need to be more careful about what we believe and more demanding about proof. The old saying “don’t believe everything you see on the Internet” has never been more important.

Because in 2026, sometimes you can’t believe your own lyin’ eyes. Which is a little ironic, because your eyes aren’t the ones lyin – it’s the computers. But try explaining that to a jury.

Steve Burgess has been working in digital forensics since 1985 and has examined evidence in over 20,000 cases. If you have questions about digital evidence or think you might be dealing with AI-generated content, Burgess Forensics can help. We also promise not to create any deepfakes of you. That’s in our mission statement.
steve@burgessforensics.com     

The post Can You Trust What You See? The Rise of Deepfakes and What It Means for Justice appeared first on Burgess Forensics.

It was true forty years ago and it’s truer today: “Just because it’s digital doesn’t mean it’s true.”

We’re now facing a challenge that would have seemed like science fiction when I started doing civilian data recovery back in 1985: artificial intelligence that can fabricate images, videos, and audio recordings so convincing that even experts can be fooled. Welcome to the era of deepfakes, and trust me, it’s already changing how courts handle digital evidence.

What We’re Up Against

Let me paint you a picture of where we are right now. AI-generated content has moved from research labs to consumer smartphones. Anyone with a decent app can now:

– Swap faces in videos with frightening accuracy

– Clone voices from just a few seconds of sample audio

– Generate entirely synthetic images of people who don’t exist … and of those who do.

– Alter existing footage in ways that leave minimal technical traces

I’ve examined cases where manipulated video evidence looked so authentic that initial reviewers accepted it without question. The technology has democratized deception in ways we’ve never seen before.

The Authentication Crisis

Here’s what keeps me up at night: our traditional methods of authenticating digital evidence are struggling to keep pace.

For decades, we’ve relied on metadata analysis, file structure examination, and chain of custody documentation. Those tools still matter, but in many cases, they’re no longer enough. When AI can generate a video from scratch—complete with realistic metadata, proper codec structures, and no obvious manipulation artifacts—we need a fundamentally different approach.

The challenge isn’t just technical. It’s philosophical. We’re moving from a world where we asked “Has this been altered?” to one where we must ask “Is this even real to begin with?”

The Metadata Problem

In traditional forensics – and most of the time even now – metadata has been our friend. Creation dates, device identifiers, GPS coordinates—these data points help us verify authenticity and establish provenance. But AI-generated content can include perfectly plausible metadata that’s entirely fabricated.

The “No Negative” Dilemma

Back in the day, photos had negative. Even in modern (digital) photography, there’s usually a kind of “negative”—an original file that shows a clear progression from capture to final image. With AI generation, there is no negative. The content springs into existence fully formed. How do you authenticate something that has no original?

What Courts Are Starting to Do

The good news? Courts are waking up to this challenge, and we’re seeing some interesting responses.

Enhanced Authentication Standards

Federal jurisdictions are raising the bar for digital evidence authentication. In June, 2025, the Judicial Conference of the US’s Committee on Rules of Practice and Procedure approved Federal Rule of Evidence 707, that ensures that AI-derived evidence is subject to the same Daubert standards as traditional expert testimony.

A judge might require the expert to run multiple AI detection algorithms on submitted video evidence—not because there was any specific reason to doubt it, but because the stakes were high enough to warrant extra scrutiny.

Blockchain and Cryptographic Verification

Courts are also showing increased interest in cryptographic authentication methods. Some organizations are now implementing systems that create cryptographic signatures at the moment of capture—essentially a digital seal that proves when and where content was created.

The Content Authenticity Initiative (backed by Adobe, Microsoft, public media, camera manufacturers, and others) is pushing standards for embedding authentication data directly into digital files. While not yet widely adopted in legal contexts, even in its sixth year, attorneys ask about these tools more frequently.

Expert Testimony Evolution

The role of digital forensics experts is expanding. It’s no longer enough to say “I examined this file and found no signs of manipulation.” Now we’re being asked:

What is the probability this content is AI-generated?

– Can you rule out deepfake creation methods?

– What authentication measures were in place at capture?

– Are there any positive indicators of authenticity beyond the absence of manipulation?

That last question is crucial. We’re moving from negative verification (looking for signs of tampering) to positive verification (finding affirmative proof of authenticity).

The Detection Arms Race

Here’s the uncomfortable truth: detection is always playing catch-up … and the law is yet is almost always further behind. By the time we develop tools to identify one generation of AI-generated content, the next generation is already better at evading detection.

I use multiple AI detection tools in my practice—everything from Microsoft’s Video Authenticator to various academic research tools. They’re helpful, but they’re not foolproof. Detection accuracy varies wildly depending on the generation method, content type, and how much post-processing has been applied.

What Actually Works

In my experience, the most reliable authentication approaches combine multiple layers:

**Technical analysis**: Running the content through various detection algorithms and looking for statistical anomalies that suggest AI generation.

**Contextual verification**: Examining the chain of custody, device provenance, and whether the content’s existence makes sense given the circumstances.

**Comparative analysis**: Looking for consistency across multiple pieces of evidence. If someone has ten photos from an event and one looks AI-generated, that’s a red flag.

**Behavioral indicators**: Sometimes the content itself reveals impossibilities—lighting that doesn’t match the environment, shadows that fall the wrong direction, or subtle physics violations that our brains recognize even if we can’t articulate why something looks “off.”

Best Practices for Attorneys

If you’re handling cases with digital evidence (and let’s face it, what case doesn’t have digital evidence these days?), here’s what you need to know:

**Get evidence authenticated early.** Don’t wait until trial to discover your key video evidence might be AI-generated. Have it examined during discovery.

**Document the chain of custody meticulously.** With deepfakes, provenance matters more than ever. Know where the evidence came from and every hand it passed through.

**Preserve the original files.**  Maintain the original files in their native format with all metadata intact.

**Consider protective orders.** If you’re worried about evidence being used to create convincing fakes, seek protective orders limiting how digital evidence can be used or distributed.

**Budget for expert analysis.** Authenticating digital evidence in the age of AI isn’t cheap, but it’s a lot less expensive than losing a case because you relied on fabricated evidence.

Looking Ahead

This problem is going to get worse before it gets better. AI generation capabilities are improving faster than detection methods. Within a few years, we’ll likely face synthetic evidence that’s indistinguishable from authentic content using current detection methods.

But I’m not entirely pessimistic. The legal system has adapted to technological challenges before—from fingerprinting to DNA analysis to digital forensics itself. We’ll adapt to this too. And the tools are also improving fairly fast – sometimes with the help of AI itself.

The key is recognizing that we’re in a transition period. The old rules still apply, but they’re no longer sufficient. (But isn’t that always the case?) Courts are developing new standards, forensic methods are evolving, and the legal community is taking this threat seriously.

The Bottom Line

If there’s one thing I want you to take away from this article, it’s this: question everything. That advice has always been good practice in digital forensics, but now it’s absolutely essential.

Don’t assume video evidence is authentic because it looks convincing. Don’t trust audio recordings without verification. Don’t accept digital evidence at face value, no matter how legitimate it appears.

The technology to fabricate convincing digital evidence is here, it’s accessible, and it’s being used. Whether you’re prosecuting, defending, or presiding over cases, you need to understand this landscape and demand rigorous authentication of digital evidence.

Because in 2026, seeing—or hearing—is no longer believing. And that changes everything.

*Steve Burgess is a digital forensics expert with over 40 years of experience and has worked on more than 20,000 cases. Burgess Forensics has been serving attorneys with digital evidence analysis since 1984. If you have questions about authenticating digital evidence in your cases, we’re here to help.

The post Deepfakes, AI, and the New Frontier of Digital Evidence appeared first on Burgess Forensics.

After forty years working with attorneys on digital evidence, I’ve seen the same mistakes cost cases time and again. Here are five of the most common – and how to avoid them.

Mistake #1: Waiting Too Long to Preserve Evidence

Digital evidence disappears. Every time someone uses a device, it writes over old data. Even just turning a computer, tablet, or phone on writes new data and can irretrievably overwrite important logs and other files. Cloud accounts purge. Phones get reset. Employees leave with their devices.

In one employment case, an attorney contacted me three weeks after filing. By then, IT had wiped the defendant’s laptop and reassigned it. Emails, browsing history – all gone. The case settled for pennies.

What to do? Send a preservation letter immediately – before you file, if possible. Be specific: phones, computers, cloud accounts, backup drives. Then follow up. If they drag their feet, file for a preservation order.

Mistake #2: Letting Your Client Handle the Evidence

Your clients mean well. They forward screenshots, print text messages, save files to thumb drives. But every time they touch that evidence, they change it. Metadata gets altered. Timestamps shift. Valuable metadata disappears when a file gets saved for you as a PDF.

I worked a family law case where a mother scanned threatening texts from her ex-husband as PDFs. The texts were real, but the metadata showed they were created the day before the hearing. The judge excluded them. She lost custody. A forensic extraction would have authenticated those messages in five minutes.

Don’t let clients collect their own evidence. Bring in a forensic expert early to properly image devices with full chain of custody. It costs a fraction of what you’ll lose if evidence gets excluded.

Mistake #3: Relying on Screenshots

Screenshots are convenient and visual. But from a forensic perspective, they’re basically worthless as evidence.

A screenshot is just a picture. It doesn’t prove when something was created, who created it, or whether it’s altered. Anyone with photo editing software can fake one in seconds.

In one business fraud case, an attorney submitted Slack screenshots as his centerpiece evidence. The defense expert showed the timestamps didn’t match, the formatting was off, and the metadata was wrong. Screenshots excluded. Case collapsed. The screenshots were real – but without authentication, useless.

Get actual data from the source. Forensically image the phone, the computer, or the flash drive. Subpoena the platform. Capture the full metadata. Screenshots can illustrate a point, but they can’t prove it.

Mistake #4: Ignoring the Metadata

Metadata is the hidden information in every file – creation dates, edit times, GPS coordinates, device identifiers. It’s the DNA of digital evidence.

Many lawyers ignore it or don’t know how to read it. That’s a problem, because metadata often tells a different story than the file itself.

In one contract dispute, the plaintiff submitted a PDF agreement dated March 15. The defendant’s expert checked the metadata and found it was actually created April 3 – two weeks after the claimed signing date. It had also been edited on April 5. Case dismissed.

Always check metadata before relying on digital files. If you don’t know how to read it, hire someone who does.

Mistake #5: Calling the Expert Too Late

Most attorneys call me when they’re already in trouble – evidence deleted, authenticity challenged, judge threatening sanctions. By then, it’s often too late.

I worked with an attorney who gathered evidence for six months on his own. When he finally brought me in before trial, we discovered half the “evidence” was inadmissible. Broken chain of custody. Altered metadata. No authentication. The case settled for much less than it should have.

A forensic expert can identify what evidence exists, preserve data properly, authenticate documents for court, and testify to methodology under FRCP’s Rule 702. Early involvement doesn’t just protect your evidence – it strengthens your entire case.

The Takeaway

Treat digital evidence like physical evidence. You wouldn’t let your client collect their own blood samples. The same goes for phones, computers, emails, and cloud-based data.

Preserve early. Don’t let clients handle evidence. Get actual data, not screenshots. Check metadata. Involve an expert before trouble hits.

Your case will thank you.

The post Top 5 Mistakes Lawyers Make With Digital Evidence appeared first on Burgess Forensics.

copyright 2025 Steve Burgess

1. Deleted ≠ gone: Most deleted files remain recoverable until overwritten.
2. Every case is a data case: Even “non-digital” disputes usually contain text messages, emails, or documents.
3. Forensic imaging: A “bit-for-bit” or forensic working copy preserves evidence without altering the original.
4. Chain of custody: In many cases, essential to maintain evidentiary integrity and courtroom admissibility.

.

5. Metadata matters: Creation dates, edits, GPS tags, author information, and other metadata often expose truth.

6. Timestamps can shift: System clock errors or time-zone changes can mislead investigators.

7. Mobile devices: Contain texts, call logs, app data, health data, photos, and location trails.

8. Cloud & social media: Require proper authentication; screenshots alone are weak evidence.

9. Encryption & passwords: Legal access may require subpoenas or warrants; never guess or force.

10. Spoliation risk: Even good-faith access or copying can alter metadata; always image first.
11. File format forensics: Different file types (PDF, DOCX, JPEG) embed distinct hidden data.

12. Logs tell stories: System, email, and access logs can reconstruct user actions – and possibly reveal unauthorized access.

13. Emails are not always what they seem: Headers reveal routing and spoofing attempts.

14. Video & photo forensics: Compression artifacts, error levels, and metadata help expose tampering.

15. Cloud syncs create duplicates: Deleted files may survive in backups or mirrored accounts.

16. Expert reports: Should clearly document tools, hashes, and methodology for repeatability.

17. Hash values: Digital “fingerprints” that confirm evidence integrity (MD5, SHA-1, SHA-256).

18. Forensic duplicators: Hardware tools create certified copies with built-in write blockers.

19. Legal collaboration: Early involvement of forensic experts reduces spoliation and increases admissibility.

20. Everything starts with data of some sort: computer, phone, tablet, email, documents.

The post 20 Digital Forensics Facts for Attorneys appeared first on Burgess Forensics.

By Steve Burgess, Copyright 2025

Screenshots are convenient. They’re quick, visual, and easy for clients to share — but in the courtroom, convenience can be a trap. Screenshots alone rarely meet the evidentiary standards for authenticity, and relying on them without proper verification can put your entire argument at risk.

Why Screenshots Fall Short

A screenshot is just an image — a flat picture of what was on a screen at a moment in time. It doesn’t prove when that content was created, who created it, or whether it was altered. Anyone with basic photo editing software (or AI tools) can change a screenshot in seconds.

Even unaltered screenshots are missing critical metadata — the hidden timestamps, source identifiers, and digital signatures that courts rely on to establish authenticity.

In other words: a screenshot can illustrate a point, but it can’t authenticate it.

What Courts Expect: Authenticity and Chain of Custody

Under Federal Rule of Evidence 901, digital evidence must be authenticated — shown to be what its proponent claims it is. That usually means demonstrating how it was obtained and verifying that it hasn’t been altered.

A proper digital forensic process includes:

1. Verified source acquisition (using forensic imaging tools)
2. Hash validation to prove the data hasn’t changed.
3. Metadata preservation
4. Documented chain of custody

Without these, a screenshot’s evidentiary value drops to near zero.

Real-World Example

In one civil dispute, an attorney submitted screenshots a client saved from her phone as proof of her opponent’s threats. The opposing expert demonstrated that the timestamps didn’t match the date of the alleged event. In this case, the oldest source had been synced to the client’s iCloud account, where the creation dates of the screenshots were found. The screenshots were excluded, and the case’s credibility took a hit.

Had the data been properly extracted from the device using forensic methods, the messages would have been admissible — and far more persuasive.

Better Alternatives: Forensic Data Extraction

When possible, always collect digital communications and files through verified forensic tools that:

• Capture full context (sender, recipient, timestamps, attachments)
• Preserve metadata and hash values.
• Generate verifiable reports admissible under Rule 901 and 702
  • Rule 901 says that the evidence must be authenticated or identified to show it is what it purports to be.
  • Rule 702 says that (1) the expert must be qualified; (2) the testimony must address a subject matter on which the factfinder can be assisted by an expert; (3) the testimony must be reliable; and (4) the testimony must “fit” the facts of the case.

For example, forensic imaging of a phone, computer, or cloud account can provide the complete, untampered data set — not just what’s visible on-screen.

In the case of emails (or worse, screenshots of emailed screenshots), not only is the source image unverified, but the email itself would not have been authenticated.

The header information a user sees in an email may include a date, time, subject, sender, and recipient. But these things can be manufactured by something as simple as Microsoft Word, and in any case, do not contain the underlying data to verify that the header information is what it appears to be.

How to Handle Screenshots You Already Have

If your client only has screenshots, don’t panic — but don’t rely on them blindly.
Here’s what to do:

1. Preserve the originals (“Zip” them to preserve the metadata it already has, then email them to yourself – don’t edit or crop).
2. Note the source and circumstances (who took it, when, on what device).
3. Engage a digital forensics expert to verify or locate the original data source.

Often, we can use the screenshots as leads to locate the original files or messages, turning an unreliable image into admissible evidence.

Key Takeaway

Screenshots are a useful visual aid, but not a substitute for authentic digital evidence.
To protect your case, always verify and preserve data properly — ideally with the help of a qualified forensic expert.

The post Screenshots Are Barely Evidence: How to Authenticate Digital Data in Court appeared first on Burgess Forensics.

Pegasus was a superfast magical horse from Greek mythology that could fly over barriers, see everything from above, avoid detection, and had a really cute family in Disney’s Fantasia.

The other Pegasus is a kind of Trojan horse software that infects cell phones, gets installed around barriers, is good at spying on users, and is good at avoiding detection. Feels kind of like dark magic. And is decidedly not cute.

While you might be worried that your phone is listening to you, Pegasus spyware doesn’t just listen – it rifles through your texts, photos, locations, and cat memes like Bewitched’s Mrs. Kravitz might do. Frankly, they can haz my cheezburger.

But Pegasus, built by Israel’s NSO Group, is a military-grade surveillance tool that can sneak into phones without a click, a tap, or even a suspicious “You’ve won a free cruise!” link. Creepy, right?

Before you wrap your phone in aluminum foil and bury it in the backyard, take a breath. Pegasus is very expensive software – users, which are typically governments, pay tens of millions of dollars for its use. So, it’s typically aimed at high-profile targets like journalists, politicians, and activists. Not that, to some governments – and people – tens of millions are pocket change. But still, it’s known to be saved for those special folks who are unfortunate enough for an entity to want to spend that to spy on them.

Pegasus isn’t the only big-time phone cracker, though. Another Israeli firm, Paragon, sells its Graphite iOS Mercenary Spyware. It was first confirmed in April of 2025, on the phones of several journalists.

Like Pegasus, it’s very powerful spyware that doesn’t require a click, also known as “zero-click” malware. Almost all other malware requires the user to click on something to enable the infection. Pegasus and Graphite don’t need this.

While quite expensive, ICE (U.S. Immigration and Customs Enforcement) signed a contract with Paragon for two million dollars to use their spyware. It was restricted but the current US administration has lifted the restrictions on its use, so it may become a bit more widely utilized.

Paragon says that it will only do business with democracies and that it won’t tolerance government clients who use the spyware to target members of civil society, such as journalists. But Paragon doesn’t reveal who those clients are (although we know about ICE) and we don’t’ know how well they will police the use of its technology.

Make up your own mind about the transparency of ICE. Still, though the software’s pretty expensive, and theoretically only allowed to democracies, so it’s unlikely to be used by individuals against anyone.

I should make a mention of QuaDream, founded by two former employees of NSO and also a generator of powerful zero-click malware. However, it’s widely believed to have shut down in 2023.

What’s a poor boy to do? Or a poor gal? Or a rich one?

First, note that you’re very unlikely to be targeted by Pegasus. And to a large extend by Graphite as well. With the exceptions noted above (journalists, political targets), you’re probably safe from this nasty stuff.

Still and all, all of us should treat smartphone security seriously. Here’s how to put a virtual flak jacket on your stuff.

UPDATE!

Software updates can be annoying. They always pop up when you’re about to post a photo of the grub on your plate that we all are dying to see. But updates are your first line of defense. Pegasus – and presumably Graphite – thrives on unpatched vulnerabilities—holes in your operating system or apps. Apple & Google (Android) regularly plug those leaks, so installing updates promptly is like closing the barn door before the spyware sneaks in and makes itself at home.

Don’t Click That Shady Link

Frankly, don’t click it even if it looks like it’s not shady. Malware proliferates through malicious links sent in texts, emails, and messaging apps. If you didn’t expect that “urgent delivery notice,” assume it’s malware bait. Think of links the way you think of gas-station sushi: if you’re not sure where it came from, maybe don’t. In fact, maybe\e don’t click on any links in emails.

Reboot

Remember when rebooting fixed everything? (I’m not talking about actually kicking the thing, no matter how you’re feeling about it at the moment.) Turns out, rebooting your phone daily is still magic. Some Pegasus infections live in memory, so restarting can kick them out—at least temporarily. It won’t cure everything, but it’s like changing the locks on your house every night just in case.

Use Secure Messaging Apps

Apps like Signal and WhatsApp use strong encryption, which keeps out most eavesdroppers. Unfortunately, Pegasus has been known to exploit them too. So, while using secure apps is smart, remember: encryption keeps your nosy neighbor out, but not necessarily a professional spy tool.

Reduce Your Attack Surface

No, this doesn’t mean cutting carbs – although, come to think of it, not a bad idea. It means turning off the stuff you don’t use. Don’t need Bluetooth? Switch it off. Not using FaceTime or iMessage? Disable them. Every extra service is another door Pegasus can try to pry open. Think of it as digital minimalism: the fewer gadgets left running, the less chance something sneaks in.

Try Lockdown Mode

If you have an iPhone and you’re really worried Apple’s Lockdown Mode, available on iOS 16 or later, is like slamming every window and bolting every door. It restricts attachments, disables complex web technologies, and basically tells hackers, “Not today.” It may cramp your browsing style, but for high-risk folks, it’s worth the trade-off.

Remember: You’re Probably Not Pegasus’ Type

Don’t take offense, but unless you’re a journalist, politician, activist, or tech billionaire, the odds of Pegasus knocking on your digital door are slim. Still, adopting these habits won’t just protect you from elite spyware – it’ll help you avoid garden-variety malware, phishing scams, and the digital equivalent of a raccoon rummaging through your trash.

P.S. There’s a tool for that

It’s not for the faint of heart or code-wary, but there’s a tool to help detect Pegasus. It’s called the Mobile Verification Tool (MVT), developed in part by Amnesty International and it’s available here.

Also, remember if you’re not clicking links in emails or articles, you can just type it into your address bar.

Here’s wishing you a James Bond/Dr. Evil-free phone and happy computing.

The post How to Dodge Pegasus Spyware appeared first on Burgess Forensics.

Yes, social media is fun. It helps to keep us in touch and stay in relationship with friends and loved ones. Even folks you haven’t seen or heard from in decades. And, as we all know, our kids are the most beautiful, creative, intelligent beings on the planet. And our grandkids even moreso!

So, of course, why wouldn’t we want to post pictures of these precious beings on our social media and to spread the joy we know of our progeny?

Unfortunately, there’s an answer as to why not. Even though the overwhelming majority of people are kind and caring, maybe one in a thousand is not. There are close to 6 billion people using the Internet. Do the math and even though it’s rare, that’s still a lot of crazies, and distance makes little difference in accessibility on the World Wide Web. And even though only a fraction of those are online predators, child safety advocates estimate there are about a half million predators online daily.

And now that I’ve ruined your day, here’s what’s worse (don’t’ worry, I’ll have some safety tips later).

Posting pictures often reveals background information, like addresses or environments. Certainly, posting pictures of birthday parties exposes birthdates. These are the kinds of things that open kids up to identity theft.

There are almost-free programs and apps that anyone can download to easily create deepfakes of pretty much anyone they have a photo of.

And worse, some of these are “nudifier” apps, that can take a picture and generate a nude image of the subject. While it may be illegal to post such photos, it’s legal to sell these kinds of apps, and there are nearly a hundred of them at this point in time.

Furthermore, if someone doesn’t post such images, they can still keep them to obsess over. Like I said, the sickos are rare, but they exist.

Posting on something like FaceBook or Instagram, even if it’s just to your friend or family group, doesn’t in any way guarantee that someone in that group won’t innocently post the pictures themselves. Or have their account scraped by the daily fake friend requesters.

When you broadcast on social media, you may inadvertently be broadcasting to The World. And The World includes some of those crazies.

So, what to do?

There are a couple of simple ways to protect your kids from people stealing, sharing, and altering likenesses of your kids.

One way is to keep pictures of your kids and grandkids, especially the smallest ones, offline. You can retroactively do so, by combing through your own social media accounts and removing them.

Also, it can be pretty safe to share your family and birthday pictures privately. Many messaging apps are encrypted end-to-end, so that may be one of the best ways to send them just to your family members or groups.

As a digital forensic practitioner, it’s sad when we have to investigate these kinds of cases as a part of our work.

So, keep your kids safe and keep their pictures offline. The Internet is not private.

The post Picture This: Keep Your Kids Safe Online. appeared first on Burgess Forensics.

One of the better ways to protect yourself from online fraud is Two-Factor Authentication (2FA). This scheme is also known as 2-Step (or dual-step) Verification or Authentication, or Multi-Factor Authentication.

Reportedly, AT&T has been using 2FA since 1996, so it’s nothing new. As a result, there has been plenty of time for fraudsters to try to figure ways around it. Yes, there exists 2FA Fraud.

More on this in a few paragraphs below.

When you log into your email, bank account, or social media and all you need to do is type in a password, that’s one-factor (or single-factor) authentication. Two-factor authentication just means you have to take an additional step.

The way 2FA protection works, which it mostly does, is by having a code of some kind sent to your phone or computer when you try to log in to a private account. 

Other means of 2FA, besides something you know (e.g. a password, as above), include something you have (like a hardware token or cell phone), or something you are (like your fingerprint, your face, or other biometrics).

The problem with using just a single factor.

Even though an increasing number of online accounts require 2FA, there are still many that do not. And after all, who wants to go through a big rigamarole just to read some email, or buy something

Many people choose insecure passwords, such as “1234” or “password.” Many also use easy to guess words or phrases, such as a favorite color, team, or car. These things are easy for a bad guy to guess with just a little research – or simply by reading what you share on FaceBook or other social media.

There are certainly ways to choose a better password, like at the end of this article by yours truly, which gives many suggestions for better password-choosing.

So, even though it may be a pain in the tuchus, it’s a good idea to have to take that second 2FA step before logging into an online store that has your payment info in their servers – you know, to make it easier to buy, but which also makes it easier for someone you’ve never heard of to buy thousands of dollars worth of stuff for themselves on your dime. Or take all of the dimes in your bank or investment account.

But, increasingly, the bad guys are figuring out ways around 2FA – 2FA Fraud.

What in the world is 2FA fraud? I thought that two-factor authentication was supposed to protect me.

Where there’s a will, there’s a way. As I’ve often said before, human nature doesn’t change but the tools do. There’s always that small fraction of people who are out to get other people’s stuff one way or the other. It used to be that Ugg had to sneak up in the night to grab that yummy haunch of  aged woolly mammoth meat that you had stored in your cave. But as tech advances,  the schemes to rip you off do so as well.

2FA Fraud

At the current time, the two primary means of 2FA fraud involve SIM swapping and Port-out fraud.

SIM Swapping

This usually starts with the perpetrator collecting personal information about you. This can be by scraping social media for information you have freely shared, like your favorite stuff or experiences you have had – you probably see these fun little quizzes on FaceBook and other social media all the time.

Another way is by phishing emails or texts, where they impersonate some person, organization, or company you know in order to get you to give up your personal information, including passwords. These are easy to fall for because they can look quite authentic.

SIM swapping is named after SIM cards but does not involve actually taking a SIM card out of your phone or other device. It’s when the fraudster manages to transfer your phone number to their own device by convincing the victim’s cell phone provider that they are the account holder. 

Then they get the phone provider to activate a new SIM card (physical, or an e-SIM) with your number. Then their phone appears to be yours. This is what they use the personal information about you for – to convince someone or some algorithm that they are you!

Once they have control of your phone number, it’s a lot easier to take over your other accounts. Now, when a 2FA message or call is sent to your number, it goes to them and not to you. This allows them to dive into other accounts of yours and notably, locks you out.

The next step may be that the scammer starts changing your personal information while diving into and controlling other accounts of yours.

Port-Out Fraud

This is similar but involves the scammer contacting a different phone service provider than the one you have and requests that they bring your number over from your current provider., whereby the same takeovers of your information and identity can take place.

One sign that you’ve fallen victim to one of these scams is that you may not be able to make or receive calls or texts on your own device. If you are able to receive them, you may start getting messages thanking you for your purchases – purchases you did not make. You may call your phone provider or your bank only to discover that your personal info has been changed and you don’t have the info in their database to prove it’s really you.

What are some ways to protect yourself?

Don’t give personal information away. For instance, don’t share your social security number. In general, the only organizations with the right to that are the government, your employer, and financial institutions that lend you money. 

And don’t overshare personally identifiable information online – especially your favorite things, because those are gateways to faking your identity to banks and other institutions.

Sign up for 2FA whenever possible and never share your 2FA codes with anyone, whether sent via text or phone, even if that person claims to be a trusted employee of the company sending you such a code.

When possible, use authenticator apps instead of getting an SMS text for authentication purposes.  Both Google and Microsoft offer an Authenticator. PC Magazine offers its take on the best ones for 2025.

Use passkeys when that option is available. Passkeys can use biometrics, such as your fingerprint or a facial scan, to log in to your account. Right now, iPhones come with that as standard issue.

Don’t Respond if someone calls or texts you and asks for personal information, do not provide it. If the caller claims to be from a business you are familiar with, hang up and call that business using a number you trust, such as the number on your bill, in a phone book, or on the company’s website

Don’t respond #2: If you get a text or call from someone you don’t recognize, or a friend request on social media from someone you don’t recognize – don’t answer and don’t text back. Scammers send out thousands or even millions of texts and bogus phone calls. Hoping that the unsuspecting will pick up or answer. Then they know they’ve got a live number. If you don’t respond, they don’t know you’re there.

Monitor account activity regularly so you can quickly identify any suspicious behavior.

What to Do If It’s already happened

Time is of the essence.

Try to change your passwords immediately.

Remove compromised devices – like your phone – from your accounts. It may be time to get a new one. 

In extreme cases, change your phone provider altogether, as well as your Internet Service Provider

It’s especially important to contact your banking and financial institutions to report suspicious activity. Remember – banks have branches where you can walk in and prove your identity with drivers licenses and the like..

If you think someone is using your personal information, go to IdentityTheft.gov to report it and get a personalized recovery plan.

While Two-Factor Authentication can make you safer, there are ways that some scammers can work around it. Being aware of the activity in your accounts, and not falling prey to phishing and oversharing of personal information can help.

Look, most people are honest and caring. But others are unscrupulous or hungry. And most of the bad guys are looking for the low-hanging fruit. There’s plenty of it around. Be hard to pick. A bit of awareness and and proactive safety precautions can make you one that they’ll pass right by.

The post Two Factor Authentication Fraud appeared first on Burgess Forensics.

The news is full of AI (Artificial Intelligence) stories. How will it empower us in our jobs? Whose job will it take next? Is it creating actual fake news? 

While there’s a lot of “we’ll see” in the answers to these questions, one immediate and quite pressing issue is how AI is contributing to Elder Abuse. Elder abuse is an action(s) in any relationship where there is an expectation of trust that causes harm or distress to an older person.

American elders were conned out of more than three $3 billion dollars in 2023 in a range of financial crimes, according to the FBI data. AI can make these scammers seem more believable partially because these programs help with content creation and cleaning up human error that might otherwise warn us we’re being served up something fraudulent.

Already, there are so many scams via email, websites, phone calls, advertisements, and offers of romance that there’s plenty to worry about. But does the emergence of AI in everyday life and writing supercharge these efforts to relieve the older amongst us of their carefully husbanded and/or limited resources?

Already, individuals are reaching through our computers and phones to lighten our wallets and bank accounts. There are websites that look like our bank sites, phishing emails that look like they’re from someone or from an institution that we know and trust, ads galore that tempt the reader with promised services, goods, or fortunes.

Already, we give away so much of our privacy in return for the freedom to browse the web and to use other online services. We also regularly share our private information, favorite colors, cars, dates and faces on publicly available social media. But now, there are tools in the guise of fun apps that offer to clean up our photos, or ones to let us have our own voices sing our favorite songs perfectly, our own tin ears notwithstanding.

I see ads every day inviting me to seamlessly insert my voice instead of the original voice – say Sting’s or Sinatra’s, into a popular song. Like karaoke on steroids that we can save and play for or send to others. It’s likely to be fun, but then your voice is being stored in records you have no control over. Thousands of people’s voices are thereby being harvested and stored by some company you don’t know, that has a privacy policy that most of us never read through, and which can be used by these unknown persons in any which way. 

Even if the company offering these services is completely on the up and up, they are a prime target to be hacked by those who would love to use these stored audio clips to clone your voice into realistic but invented audio sent to you via email, or even a phone call.

So what happens when you hear from a beloved grandchild – in their own voices – that they are suffering, or need help out of a jam? And what if you, as a parent, grandparent, or even just a friend, hears from another trusted friend or loved one that they have “such a deal?”

Why, for the cost of nothing at all, you can use chat GPT right now to create a picture of you standing next to the President or your favorite rock star. Some generative AI tools can even create  a video of the two of you singing 70’s rock anthems together.

But nearly as easily, a bad actor could create a picture or audio of your child or friend, needing bail, stuck without airfare far away, injured, in a foreign prison cell, or in the hands of dangerous thugs, begging for your help. 

As technology advances in leaps and bounds, human nature stays much the same. There’s always somebody out to take advantage of the system ,and of you, while we remain always sympathetic to those we care about. The game hasn’t changed – just the tools of the game, and the ease with which the unscrupulous can run their scams on a wider swath of folks. And the tools are ever more easily and cheaply accessible. 

So, what to do?

There are simple steps to make it harder for unscrupulous folks to take advantage. First of all, educate yourself and your elder relations and loved ones about the risks. There’s no need to get paranoid about it – just to take some practical steps.

• DO enable two-factor authentication (2FA) , one of the most important, but simple security practices. 
• DON’T share passwords. (There are a few exceptions for the elderly or ill.)
• DON’T use dictionary words or favorite colors, cars, kids, or teams as your passwords.
• If passwords are hard to remember, DO use password managers, such as NordPass, Dashlane, 1Password, or Last Pass.
• DON’T give away your voice to be recorded by those you don’t know, no matter how much fun it looks like.
• DON’T click on links in emails or texts, especially from financial institutions. Rather, use your browser and type in the website of the institution. Most offer apps for direct access that are generally safe.
• DO look for odd misspellings or extra words in email addresses and domains. Website domains don’t have typos. For instance Welsfargo.com is not Wellsfargo.com (it’s missing an “l.”). Applepayments.com is not Apple.com/payments.
• DON’T open attachments to emails or texts if you’re not sure or don’t know who the sender is.

Modern tech and the Internet make so many things available for us and in many cases, easier for us. While there are always bad actors, and while AI tools make it easier for those bad actors to fool us, some sensible practices make it more difficult for those bad actors to fleece us of our hard-earned resources

Checking up on our elders and educating them about some of these simple steps can make them and you safer, help you both sleep at night, and even bring you a little bit closer, and after all, what could be better than that?

The post AI and Elder Abuse appeared first on Burgess Forensics.