Where Critical Evidence Hides: Email, Texts, & Cloud Data Part II

Mar 17, 2026


Copyright 2026, Steve Burgess

In over four decades of digital forensics work, I’ve examined more than 20,000 devices and pieces of digital evidence. And in that time I’ve developed a reliable theory: the evidence that counts, the evidence that might win or lose a case, is rarely sitting where the attorneys expected to find it.

It’s hiding. Not maliciously — well, sometimes maliciously — but more often just because nobody thought to look there.

Let me tell you about some of the places where the good stuff actually lives.

The Email You Didn’t Ask For

Attorneys ask for emails. That’s great. What they often forget is that email is not one thing — it’s a collection of things, each with its own quirks, its own storage habits, and its own forensic personality.

Consider Outlook. When you delete a message in Outlook, it doesn’t vanish. It goes to the Deleted Items folder. When you empty that folder, it still doesn’t vanish — not entirely. The message gets marked as deleted in the PST or OST file, but the data hangs around, not just in unallocated space but also right in the file, like a houseguest who doesn’t take hints. A forensic examiner can often recover those messages intact, complete with headers, timestamps, and attachments. Your client’s opponent who “deleted everything” may have deleted nothing of consequence at all.

Then there’s webmail — Gmail, Yahoo, Outlook.com, and their cousins. Here’s where it gets interesting for attorneys. The messages don’t live on the user’s computer in the traditional sense. They live on the provider’s servers. That means you may need a subpoena or a preservation request to Google or Microsoft, and you need to move on that quickly, because providers don’t hold onto data forever out of the goodness of their hearts. Gmail keeps deleted messages in Trash for 30 days. After that, they’re gone from the server — though sometimes not entirely gone from a forensically imaged phone or computer that was syncing that account.

One more thing about email that trips people up: the headers. Nobody reads email headers. Attorneys definitely don’t read email headers. But headers tell you the actual IP address the message came from, the route it traveled, the mail servers it touched. And here’s the beauty of email saved in the provider’s servers – the user can’t really fake the dates and the precise timestamp, because those are assigned by the server, which is not in the user’s control. I’ve had cases where someone claimed an email was sent from one city when the header told me, very clearly, it was sent from another city entirely. Headers don’t lie. People do.
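
The header reading described above, as an added example (not the author's own tooling): Python that walks the Received chain of a message oldest-first, pulls each hop's source IP and server-assigned timestamp, flags hops stamped out of order, and compares the client-set Date header with the first server stamp. The sample message, its hostnames, IDs and documentation-range IP addresses are all constructed.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation-only IPs and domains), newest hop first.
SAMPLE = (
    "Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])\n"
    "\tby store.recipient.example with ESMTP id c3; Tue, 03 Mar 2026 10:15:09 -0800\n"
    "Received: from smtp.sender.example (smtp.sender.example [203.0.113.25])\n"
    "\tby mx.recipient.example with ESMTPS id b2; Tue, 03 Mar 2026 18:15:07 +0000\n"
    "Received: from [192.0.2.44] (client.sender.example [192.0.2.44])\n"
    "\tby smtp.sender.example with ESMTPSA id a1; Tue, 03 Mar 2026 18:15:05 +0000\n"
    "Date: Tue, 03 Mar 2026 10:15:04 -0800\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_RE = re.compile(r"\bby\s+(\S+)")

def hops(raw):
    """Return Received hops oldest-first as dicts: from_ip, by, time."""
    msg = message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())           # undo header folding
        route, _, stamp = flat.rpartition(";")   # timestamp follows the last ';'
        ip, by = IP_RE.search(route), BY_RE.search(route)
        out.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by.group(1) if by else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return out

def out_of_order(chain):
    """Indexes of hops stamped earlier than the hop before them."""
    return [i for i in range(1, len(chain))
            if chain[i]["time"] < chain[i - 1]["time"]]

def date_gap_seconds(raw):
    """Seconds between the client-set Date header and the first server stamp."""
    claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
    return (hops(raw)[0]["time"] - claimed).total_seconds()

if __name__ == "__main__":
    for hop in hops(SAMPLE):
        print(hop["time"].isoformat(), hop["from_ip"], "->", hop["by"])
```

Only the Received lines added by servers you trust are reliable; lines lower in the chain are supplied by the sending side.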

Texts: More Than Just “Hey”

SMS text messages are a goldmine. Most people treat them casually — the digital equivalent of talking out loud — which means they say things in texts they’d never commit to a formal email. I’ve seen business deals negotiated entirely over text. I’ve seen admissions, threats, and instructions that made attorneys’ eyes go wide when we produced them.

The forensic wrinkle is device dependency. Unlike email, which typically has a server-side copy, SMS and iMessage messages often live primarily on the device itself. If that device hasn’t been preserved, you may be looking at a very uncomfortable conversation with your client about spoliation.

But don’t give up too quickly. A few things to remember:

iMessage has iCloud backup. If the user had iCloud backup enabled — and most iPhone users do, at least for a while — there may be a backup copy of the messages in the cloud. Apple will respond to valid legal process, although they may resist a bit. The preservation window isn’t infinite, but it exists.

Android devices with Google accounts often back up SMS data to Google’s servers as well, depending on device settings and the apps installed. Samsung has its own backup ecosystem. The point is: the phone is not the only place to look.

Carrier records are another option. Wireless carriers retain metadata — who texted whom, when, and from what number — for varying periods. AT&T, Verizon, T-Mobile: they all have legal compliance departments that respond to subpoenas. You won’t get the content of the messages from the carrier, but you’ll get the records of communication, which can be extremely valuable for establishing a timeline or refuting someone’s claim that they “never contacted” the other party. And cell tower records can point to where the user’s phone was when they were using it.

The Cloud: Where Everything Lives Now, Even the Things You Forgot About

Cloud storage is the gift that keeps on giving — to forensic examiners, anyway.

Google Drive, iCloud, Dropbox, OneDrive, Box: people store documents, photos, videos, and files in the cloud without thinking much about it. They also forget what they’ve stored there. This creates a wonderful situation where the evidence is sitting in the cloud, perfectly preserved, while the person who put it there has completely forgotten it exists. I have been on the beneficial end of this situation more than once.

One case that comes to mind involved a business dispute where the defendant insisted he had no copies of certain proprietary documents. His hard drive, conveniently, had been wiped. His phone, also conveniently, was new. But his Google account had been syncing files from his old computer for two years. Those documents were sitting right there in his GDrive, timestamped and everything. Not wiped. Not new. Just waiting.

The lesson: always ask about cloud storage accounts as part of your discovery requests. Not just “do you use Dropbox” — ask about all of them. Google Drive. iCloud. OneDrive. Box. Evernote. There’s more. Even Adobe Creative Cloud if the case involves documents or design files. People have more cloud accounts than they realize, and they rarely think of them as places where evidence lives.

Messaging Apps: The New Wild West

Here’s where attorneys really leave evidence on the table.

WhatsApp, Telegram, Signal, Facebook Messenger, Instagram DMs, Snapchat, WeChat, Line — and whatever new platform launched last Tuesday. These are messaging apps, and they are increasingly where people conduct their most candid conversations. They feel private. They feel ephemeral. They often aren’t.

WhatsApp stores message databases on the device, and — critically — backs them up to either Google Drive or iCloud. Those backups are not encrypted with the same end-to-end encryption that protects messages in transit. That’s a significant forensic opportunity if you can get access to the backup.

Telegram stores messages on Telegram’s own servers unless the user specifically uses the “Secret Chat” feature. Regular Telegram chats are cloud-based and accessible from multiple devices. The fact that someone deleted a Telegram message on their phone does not mean the message is gone everywhere.

Signal is the hard one. Signal is designed to be forensically resistant. It uses end-to-end encryption, stores messages locally, and gives users easy tools to set messages to auto-delete. However, the device itself can sometimes still be examined if we have access to it and the right tools. And sometimes people screenshot Signal messages and those screenshots end up somewhere more recoverable. People undermine their own secure communications with impressive regularity.

Snapchat is a perennial source of confusion. “But it disappears!” No — it disappears from the app’s interface. Snapchat retains opened snaps on its servers for a period after opening, and unopened snaps for longer. Forensic examination of the device can also reveal plenty of evidence of Snap activity even after “disappearance.” And again: screenshots. Always screenshots.

Location Data: The Witness Who Never Lies (Much)

I’ll include this one because it relates to cloud data and it’s massively underutilized.

Smartphones are location-tracking devices that also make phone calls. The location data that accumulates in cloud accounts — Google Timeline, Apple’s Significant Locations, fitness apps, rideshare apps, photo metadata — can place a person at a specific location at a specific time with remarkable precision.

Phones don’t keep an audit trail of all locations – too many users screamed about that several years ago and the providers just stopped – but as above, it can be derived, inferred, and actually found from other artifacts.

I’ve worked cases where Google Timeline data provided a minute-by-minute account of where a phone traveled on a given day. Photo EXIF data embedded GPS coordinates and timestamps in every image. The phone didn’t just know where the person was — it was more than willing to tell us.

The catch: much of this data is tied to cloud accounts and requires preservation requests or legal process. Some of it is stored only on the device. Either way, if location is at issue in your case, ask your forensic expert about it early.

A Word About Preservation

Everything I’ve described above comes with an expiration date. Email gets purged. Carrier records get overwritten. Cloud backups get replaced by newer backups. Messaging app logs get deleted. The evidence isn’t gone yet — but it will be.

The single most expensive mistake I see attorneys make is waiting too long to engage a forensic examiner. By the time the case heats up and someone thinks to ask about the text messages, the carrier retention window has closed, the phone has been traded in, and the iCloud backup has been overwritten fourteen times. I’ve seen this plenty of times and the attorney can only say, “if only…”

Digital evidence doesn’t wait for a convenient moment in your litigation schedule. Issue litigation holds early. Serve preservation letters early. Call a forensic expert early — ideally before the evidence knows it’s being looked for.

After 40 years and 20,000-plus look-sees, I can tell you that the cases that get won on digital evidence are usually the ones where someone moved fast. The cases that get lost on digital evidence are usually the ones where someone assumed the evidence would still be there when they got around to it.

It wasn’t.

Steve Burgess is a digital forensics expert witness and the founder of Burgess Forensics, one of the longest-established independent digital forensics practices in the United States. He has examined more than 20,000 cases over four decades and provides expert witness testimony in civil and criminal matters nationwide. He can be reached at burgessforensics.com.
