Date: 2022-07-25
Arica Kulm, director of digital forensics services at Dakota State University, understands better than most both the questions which must be answered and the procedures which must be followed as the investigation into deleted Secret Service text messages proceeds.
On Monday afternoon, Kulm was engaged in a similar task as part of a law enforcement investigation. She had begun to extract data from a smart device earlier in the day – a task that can take either a couple of hours or a full day.
“So many things depend on the type of phone – the make, model and operating system,” Kulm said. “There are a lot of different types of cell phones.”
Kulm has not been following the unfolding saga of deleted Secret Service texts.
Earlier this month, both the House and the Senate Homeland Security Committees were notified the U.S. Secret Service had erased text messages from Jan. 5 and Jan. 6, 2021, after they were requested by oversight officials. According to news reports, the Secret Service has indicated the messages were erased as part of a device-replacement program.
This makes sense to Kulm.
“If you’re getting rid of a device, they are getting recycled,” she said.
After transferring information from the old device to the new one, taking action to protect that information – such as doing a factory reset on the old device – is wise.
Kulm has other questions. What is the actual scenario? Were specific messages deleted, or were the phones wiped with a factory reset as part of a replacement program? The two actions are different, and she thinks looking into that might be a good starting place.
“I would be looking at the replacement program, because it should be documented somewhere,” Kulm said.
That information could help to direct the subsequent investigation. Whether actual messages can be recovered depends upon a variety of factors, such as the type of messaging app used by the Secret Service, she explained.
“With encrypted messaging, they claim not to store the information anywhere,” Kulm said.
If the Secret Service uses a secure messaging app and the phones have been reset, the messages will not be recoverable.
The actual action used to remove the information from the device matters, too.
“It’s possible it can be recovered from the device if it was deleted, but not if there was a factory reset,” Kulm indicated.
Deleted information, she explained, remains on the device until that space is needed. Once the space is used to save something else, the deleted information can no longer be recovered.
Other avenues for recovering the text messages also exist, according to Kulm. If messages were backed up, they would be recoverable from the server, she said. Current news reports indicate the Secret Service claims the messages were not backed up.
If the Secret Service phones in question were in contact with phones in the possession of other agencies, those messages could be recovered from the phones which received the messages, Kulm noted.
To date, according to news reports, only metadata has been found. This is the type of data which tells when and where a digital photo was taken and the device used, or the type of data on a Word document which indicates when and where it was created.
Only time will tell whether the metadata leads to actual messages.
“It takes time – first to extract the data and then to go through it,” Kulm explained.
The work must be done in a forensically sound manner, with each step documented, so that it can be entered into evidence and testimony given, if necessary. To prevent the data from being altered, a device is put in airplane mode before the process starts.
Kulm believes that confidence can be placed in the data recovered from any of the phones in question because she believes those conducting digital forensics on them will use a procedure similar to the one used in the DigForCE Lab at DSU.
“Someone would be able to see if they altered the data later,” she explained. “The data is either there or it’s not.”