Copyright 2026, Steve Burgess
Somewhere along the way, text messages became some of the most important evidence in litigation that nobody quite knows how to handle properly. A few years ago, that would have been an email thread, such as in the Case of the Computer That Got Lost.
But in family law and other areas of law, the smoking gun is increasingly a text thread. In employment disputes, it’s a string of after-hours messages between a supervisor and a subordinate. In contract cases, it’s the informal “sounds good, let’s do it” exchange that may or may not constitute an agreement. And in criminal matters, text messages can place someone at a location, establish a relationship, or demonstrate intent in ways that no other evidence can match.
And yet, for something so central to so many cases, the process of getting text messages into evidence in a reliable, authenticated, defensible way remains surprisingly messy.
Let’s start with collection, because that’s where most of the problems begin. When a client tells you they have “all their text messages,” what they usually mean is that they can scroll through their phone and see the conversation. That’s not the same thing. What you’re looking at on the screen is a rendering – the phone’s software deciding how to display a conversation that’s actually stored in a database buried deep in the device’s file system. Screenshots of that rendering are easy to produce, easy to understand, and almost entirely useless from a forensic standpoint.
Why? Because screenshots don’t contain metadata. They don’t show you the underlying database records, the timestamps at the system level, the read receipts, the delivery confirmations, or the message identifiers that can establish when a message was actually sent versus when it appeared on the screen. They also don’t show you what’s been deleted. And they are pretty easy to fabricate. I could create a fake text message conversation in a minute that would be virtually indistinguishable from a real screenshot to the naked eye. People without any particularly special skill set can do the same. Opposing counsel knows this. The judge probably knows this. Your evidence needs to be better than a picture someone took of their own phone.
Side note: it’s kind of shocking when I see that law enforcement has accepted a screenshot as evidence and arrested someone on that basis and the word of the accuser.
A proper forensic extraction pulls the actual database. On an iPhone, that’s the SMS database, either pulled from an iTunes or Finder backup or acquired through specialized tools like Cellebrite or GrayKey. On Android devices, the relevant database is typically stored in the device’s data partition. These extractions capture the complete message record: content, timestamps, phone numbers, group message identifiers, attachment references, and in many cases, deleted messages that the user thought were gone.
But here’s where it gets complicated. Not all extractions are created equal. A “logical” extraction is essentially a backup of what the phone makes available through its normal interfaces – it gets you active messages but usually not deleted ones. A “file system” extraction goes deeper, pulling the database files themselves. That difference matters: the deleted message your client swears they never sent, the timestamp that contradicts opposing counsel’s timeline, the metadata that proves a thread is complete – those often live only in the database files a file-system or physical extraction recovers, not in the tidy list a logical backup hands you.
Then there’s the carrier records problem. When forensic extraction of the device isn’t possible – because the phone has been lost, destroyed, wiped, or the owner won’t hand it over – attorneys sometimes turn to carrier records obtained through subpoena. Carrier records can confirm that a message was sent between two numbers at a particular time, but they generally don’t include the content of SMS messages (if a particular carrier retains that, they don’t retain it for long) and they handle MMS and iMessage differently depending on the carrier and the protocol. iMessages, for instance, don’t pass through the carrier’s SMS gateway at all – they travel over Apple’s encrypted servers – so they likely won’t appear in carrier records. If the key evidence is an iMessage thread and the phone is gone, you may have a serious hole in your case unless that message is in an iCloud account that you can access.
Group messages add another layer of complexity. The way group texts are stored and displayed varies between platforms and even between operating system versions. A group message that appears as a single coherent thread on one person’s phone may look completely different on another participant’s phone, depending on their device, their OS version, and whether the messages were sent as SMS, MMS, or through a proprietary protocol like iMessage or RCS. Establishing that everyone in the group saw the same thing requires more work than most people expect. On the other hand, though responsive data may not be found on one person’s device, we might have another crack at the data with the device from someone else in the group.
Authentication is the final hurdle, and it’s where everything we’ve discussed comes together. Under the Federal Rules of Evidence and their state equivalents, you need to establish that the text messages are what you say they are – that they came from the person you claim sent them, that they haven’t been altered, and that the record you’re presenting is complete and accurate. A forensic extraction with proper hash verification, reliable metadata, and chain of custody documentation gets you most of the way there. A screenshot from the client’s phone, standing alone, generally does not.
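To illustrate the database extraction and hash verification described above (an added example, not code from the author or from any forensic tool), the Python below hashes a working copy of a message database, opens it read-only, and lists each message with the identifier and the sent, delivered and read times that a screenshot cannot show. The table and column names are a reduced subset modelled on the iOS sms.db layout, and the sample record is constructed; both are assumptions, not details from this article.

```python
import hashlib, sqlite3, tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # iOS message times count from here

def apple_ts(raw):
    """Apple-epoch integer -> ISO 8601 UTC. Assumes ns (newer iOS) or s (older iOS)."""
    if not raw:
        return None  # 0/NULL: the event (e.g. "read") was never recorded
    micros = raw // 1000 if raw > 10**11 else raw * 10**6
    return (APPLE_EPOCH + timedelta(microseconds=micros)).isoformat()

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def extract_messages(db_path):
    """Hash the working copy, query it read-only, re-hash to show it was not altered."""
    before = sha256_file(db_path)
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    rows = con.execute(
        "SELECT m.guid, h.id, m.is_from_me, m.service, m.text,"
        " m.date, m.date_delivered, m.date_read"
        " FROM message m LEFT JOIN handle h ON h.ROWID = m.handle_id"
        " ORDER BY m.date").fetchall()
    con.close()
    msgs = [{"guid": g, "party": p, "from_me": bool(me), "service": svc, "text": t,
             "sent_utc": apple_ts(d), "delivered_utc": apple_ts(dd), "read_utc": apple_ts(dr)}
            for g, p, me, svc, t, d, dd, dr in rows]
    return {"sha256": before, "unchanged": sha256_file(db_path) == before, "messages": msgs}

def build_sample(path):
    """Constructed sample: a reduced subset of the columns found in an iOS sms.db."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message(ROWID INTEGER PRIMARY KEY, guid TEXT, text TEXT,
            handle_id INTEGER, service TEXT, is_from_me INTEGER,
            date INTEGER, date_delivered INTEGER, date_read INTEGER);
        INSERT INTO handle VALUES (1, '+15555550100');
        INSERT INTO message VALUES (1, 'SAMPLE-GUID-0001', 'sounds good', 1,
            'iMessage', 1, 700000000000000000, 700000002000000000, 0);
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    db = str(Path(tempfile.mkdtemp()) / "sms.db")
    build_sample(db)
    print(extract_messages(db))
```

The digest recorded before the query is the value that goes into the chain of custody notes; the second hash confirms the examination left the copy byte-for-byte unchanged.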
None of this is meant to suggest that text message evidence is hopeless – far from it. When properly collected, preserved, and authenticated, text messages can be devastating evidence. But the “properly” part requires more planning and technical awareness than many attorneys realize, especially early in the case when preservation decisions are being made and the phone is still in someone’s pocket, quietly syncing, updating, and auto-deleting per whatever settings the user configured and then forgot about.
If text messages matter to your case – and increasingly they do – get a forensic examiner involved early, before devices change hands, before carriers purge their logs, and before your client decides to “clean up” their phone. The evidence is there. You just have to get to it the right way.
What’s the trickiest text message evidence challenge you’ve faced in a case?
Steve Burgess is a digital forensics expert witness with more than 40 years of experience and over 20,000 devices and digital media examined. He is the principal of Burgess Forensics, founded in 1984.