Text Messages as Evidence: Harder Than You Think

Jun 30, 2026

Copyright 2026, Steve Burgess

Somewhere along the way, text messages became some of the most important evidence in litigation that nobody quite knows how to handle properly. A few years ago, that would have been an email thread, such as in the Case of the Computer That Got Lost.

But in family law and other areas of law, the smoking gun is increasingly a text thread. In employment disputes, it’s a string of after-hours messages between a supervisor and a subordinate. In contract cases, it’s the informal “sounds good, let’s do it” exchange that may or may not constitute an agreement. And in criminal matters, text messages can place someone at a location, establish a relationship, or demonstrate intent in ways that no other evidence can match.

And yet, for something so central to so many cases, the process of getting text messages into evidence in a reliable, authenticated, defensible way remains surprisingly messy.

Let’s start with collection, because that’s where most of the problems begin. When a client tells you they have “all their text messages,” what they usually mean is that they can scroll through their phone and see the conversation. That’s not the same thing. What you’re looking at on the screen is a rendering – the phone’s software deciding how to display a conversation that’s actually stored in a database buried deep in the device’s file system. Screenshots of that rendering are easy to produce, easy to understand, and almost entirely useless from a forensic standpoint.

Why? Because screenshots don’t contain metadata. They don’t show you the underlying database records, the timestamps at the system level, the read receipts, the delivery confirmations, or the message identifiers that can establish when a message was actually sent versus when it appeared on the screen. They also don’t show you what’s been deleted. And they are pretty easy to fabricate. I could create a fake text message conversation in a minute that would be virtually indistinguishable from a real screenshot to the naked eye. People without any particularly special skill set can do the same. Opposing counsel knows this. The judge probably knows this. Your evidence needs to be better than a picture someone took of their own phone.

Side note: it’s kind of shocking when I see that law enforcement has accepted a screenshot as evidence and arrested someone on that basis and the word of the accuser.

A proper forensic extraction pulls the actual database – on an iPhone, that’s the SMS database, taken from the iTunes or Finder backup or acquired through specialized tools like Cellebrite or GrayKey. On Android devices, the relevant database is typically stored in the device’s data partition. These extractions capture the complete message record: content, timestamps, phone numbers, group message identifiers, attachment references, and in many cases, deleted messages that the user thought were gone.

But here’s where it gets complicated. Not all extractions are created equal. A “logical” extraction is essentially a backup of what the phone makes available through its normal interfaces – it gets you active messages but usually not deleted ones. A “file system” extraction goes deeper, pulling the database files themselves. That difference matters: the deleted message your client swears they never sent, the timestamp that contradicts opposing counsel’s timeline, the metadata that proves a thread is complete – those often live only in the database files a file-system or physical extraction recovers, not in the tidy list a logical backup hands you.
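The gap between the two extraction types can be shown on a small SQLite file. This is an added example, not code from the original article or from any forensic tool. Assumptions: the `message` table is a simplified, constructed stand-in for a phone's message store, all message data is constructed, and `secure_delete` is switched off so that freed space is not zeroed.

```python
import os
import sqlite3
import tempfile

# Constructed sample data; the table is a simplified stand-in, not a real phone schema.
MESSAGES = [
    (1, "+15550100", 1751300000, "Running late, see you at 6"),
    (2, "+15550100", 1751300060, "CONSTRUCTED-DELETED-MSG do not tell anyone"),
    (3, "+15550100", 1751300120, "Sounds good, let's do it"),
]

def build_sample_db(path):
    """Create a small message store, then delete one message as a user would."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")  # assumption: freed space is not zeroed
    conn.execute("CREATE TABLE message "
                 "(id INTEGER PRIMARY KEY, sender TEXT, sent_at INTEGER, body TEXT)")
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", MESSAGES)
    conn.commit()
    conn.execute("DELETE FROM message WHERE id = 2")
    conn.commit()
    conn.close()

def logical_view(path):
    """What a query through the database interface returns: live rows only."""
    conn = sqlite3.connect(path)
    rows = [r[0] for r in conn.execute("SELECT body FROM message ORDER BY id")]
    conn.close()
    return rows

def raw_file_contains(path, needle):
    """What an examiner holding the file itself can check: its raw bytes."""
    with open(path, "rb") as fh:
        return needle.encode("utf-8") in fh.read()

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample_messages.db")
        build_sample_db(path)
        return logical_view(path), raw_file_contains(path, MESSAGES[1][3])

if __name__ == "__main__":
    live, residue = demo()
    print("rows visible to a query:", live)
    print("deleted text still present in file bytes:", residue)
```

Whether such residue survives on a real device depends on how the store is configured and on later activity: zeroing of freed space, vacuuming, or reuse of the freed area by new messages all remove it.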

Then there’s the carrier records problem. When forensic extraction of the device isn’t possible – because the phone has been lost, destroyed, wiped, or the owner won’t hand it over – attorneys sometimes turn to carrier records obtained through subpoena. Carrier records can confirm that a message was sent between two numbers at a particular time, but they generally don’t include the content of SMS messages (if a particular carrier retains that, they don’t retain it for long) and they handle MMS and iMessage differently depending on the carrier and the protocol. iMessages, for instance, don’t pass through the carrier’s SMS gateway at all – they travel over Apple’s encrypted servers – so they likely won’t appear in carrier records. If the key evidence is an iMessage thread and the phone is gone, you may have a serious hole in your case unless that message is in an iCloud account that you can access.

Group messages add another layer of complexity. The way group texts are stored and displayed varies between platforms and even between operating system versions. A group message that appears as a single coherent thread on one person’s phone may look completely different on another participant’s phone, depending on their device, their OS version, and whether the messages were sent as SMS, MMS, or through a proprietary protocol like iMessage or RCS. Establishing that everyone in the group saw the same thing requires more work than most people expect. On the other hand, though responsive data may not be found on one person’s device, we might have another crack at the data with the device from someone else in the group.

Authentication is the final hurdle, and it’s where everything we’ve discussed comes together. Under the Federal Rules of Evidence and their state equivalents, you need to establish that the text messages are what you say they are – that they came from the person you claim sent them, that they haven’t been altered, and that the record you’re presenting is complete and accurate. A forensic extraction with proper hash verification, reliable metadata, and chain of custody documentation gets you most of the way there. A screenshot from the client’s phone, standing alone, generally does not.
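One way to make hash verification and chain-of-custody documentation checkable together, shown as an added example that is not from the original article and is not any forensic tool's format. Assumptions: the log layout, field names, actor name, timestamps and the `EXTRACTION` bytes are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed stand-in for the bytes of an extracted message database.
EXTRACTION = b"constructed bytes standing in for an extracted message database"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def entry_digest(entry):
    """Hash every field of an entry except its own digest."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

def add_entry(log, when, actor, action, evidence):
    """Append a custody entry bound to the evidence hash and to the previous entry."""
    entry = {"seq": len(log) + 1, "when": when, "actor": actor, "action": action,
             "evidence_sha256": sha256_hex(evidence),
             "prev_entry_sha256": log[-1]["entry_sha256"] if log else GENESIS}
    entry["entry_sha256"] = entry_digest(entry)
    log.append(entry)

def verify(log, evidence):
    """Return a list of problems; an empty list means hash and log are consistent."""
    problems, prev = [], GENESIS
    for entry in log:
        if entry_digest(entry) != entry["entry_sha256"]:
            problems.append(f"entry {entry['seq']}: contents altered")
        if entry["prev_entry_sha256"] != prev:
            problems.append(f"entry {entry['seq']}: chain broken")
        prev = entry["entry_sha256"]
    if log and sha256_hex(evidence) != log[0]["evidence_sha256"]:
        problems.append("evidence does not match acquisition hash")
    return problems

def demo():
    log = []
    add_entry(log, "2026-06-30T09:00:00Z", "Examiner A", "acquired from device", EXTRACTION)
    add_entry(log, "2026-06-30T09:20:00Z", "Examiner A", "working copy made", EXTRACTION)
    clean = verify(log, EXTRACTION)
    changed_file = verify(log, EXTRACTION + b"x")   # one byte added to the file
    log[0]["when"] = "2026-06-29T09:00:00Z"          # log entry edited after the fact
    changed_log = verify(log, EXTRACTION)
    return clean, changed_file, changed_log

if __name__ == "__main__":
    for label, result in zip(("clean", "changed file", "changed log"), demo()):
        print(label, "->", result or "no problems")
```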

None of this is meant to suggest that text message evidence is hopeless – far from it. When properly collected, preserved, and authenticated, text messages can be devastating evidence. But the “properly” part requires more planning and technical awareness than many attorneys realize, especially early in the case when preservation decisions are being made and the phone is still in someone’s pocket, quietly syncing, updating, and auto-deleting per whatever settings the user configured and then forgot about.

If text messages matter to your case – and increasingly they do – get a forensic examiner involved early, before devices change hands, before carriers purge their logs, and before your client decides to “clean up” their phone. The evidence is there. You just have to get to it the right way.

What’s the trickiest text message evidence challenge you’ve faced in a case?

Steve Burgess is a digital forensics expert witness with more than 40 years of experience and over 20,000 devices and digital media examined. He is the principal of Burgess Forensics, founded in 1984.
