Impact of Fake Messaging Applications on eDiscovery

By: Dave Proulx, Director Digital Forensics & Training, Traversed LLC

Technology today has made it unbelievably easy to create what appear to be real text messages between two parties through the use of fake text messaging applications and spoofing services. And if you are relying on printed screenshots to “authenticate” those text conversations, you are doing a disservice to your client and your case because those screenshots can be faked just as easily. You don’t have to be a computer whiz to find these applications; they are available to anyone capable of conducting a basic internet search or cruising smartphone marketplaces.

In my experience, I’ve seen three common ways a person can produce fake text messages and conversations, ranging from the most basic approaches to more advanced methods. The first and easiest to detect is when the actual text message conversation is photoshopped from a screen capture. This is a rudimentary way to fake messages and is not difficult to detect.

With advances in technology and the plethora of applications available to consumers, in recent years I’ve seen cases where a fake text screenshot application is used. While these applications were initially created and marketed for novelty purposes, there are dozens of applications out there today that allow a user to create fake screen captures of fake messages. They even take it one step further and come equipped with advanced formatting options to ensure the messages match the formatting of popular applications such as Facebook Messenger, Instagram, and WhatsApp. The applications I’ve come across allow customization of the provider tags (AT&T, Verizon, T-Mobile), battery and signal strength bars, and contact names to match real messages as they display on the phone.

The last and most advanced method uses text message spoofing services. These have been gaining in popularity, and through the course of my work I’ve encountered spoofing applications which are highly complex and may even fool an unseasoned forensic examiner. One of the more sophisticated applications I’ve come across, and use as an example during classes I teach, actually ingests fake messages in line with real messages. These messages are ingested into the phone’s message database by temporarily using a spoofing service. The user enters the recipient phone number and the message they wish to send, and it will appear to have come from whatever number or contact they choose.

During my time as a digital forensic investigator, I’ve seen all three methods used to fake text messages. While authenticating the text message communication is the ultimate goal, a forensic examiner will first take additional steps to ensure the data is preserved in a forensically sound manner, which helps to further validate any findings. A digital image or copy of the phone will be made and all forensics will be conducted on the image, preserving the information and ensuring none of the data on the phone is disturbed or changed. A forensic examiner will be able to verify text messages sent and/or received and substantiate these findings through multiple datasets found within the phone. If and when one of these fake messages is discovered, it may provide the forensic examiner the additional evidence needed to support a case of spoliation.
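To illustrate the idea of substantiating a message through more than one dataset, here is an added example (not the author's or any forensic tool's code) that checks each message exported from a device image against phone records and an earlier backup. The record layout, field names, phone numbers and the 60-second tolerance are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real case); field names are assumptions.
DEVICE_DB = [  # rows exported from the forensic image's message store
    {"id": 1, "time": "2023-03-01T09:15:02", "from": "+15550100", "to": "+15550199"},
    {"id": 2, "time": "2023-03-01T09:17:40", "from": "+15550100", "to": "+15550199"},
    {"id": 3, "time": "2023-03-02T18:03:11", "from": "+15550100", "to": "+15550199"},
]
CARRIER = [  # rows from the phone records
    {"time": "2023-03-01T09:15:05", "from": "+15550100", "to": "+15550199"},
    {"time": "2023-03-01T09:17:43", "from": "+15550142", "to": "+15550199"},
]
BACKUP = [  # the same message store as captured in an earlier device backup
    {"time": "2023-03-01T09:15:02", "from": "+15550100", "to": "+15550199"},
]
BACKUP_TAKEN = "2023-03-02T00:00:00"

def _ts(value):
    return datetime.fromisoformat(value)

def _near(a, b, tol):
    return abs(_ts(a) - _ts(b)) <= tol

def classify(msg, carrier, backup, backup_taken, tol=timedelta(seconds=60)):
    """Return (carrier_status, backup_status) for one device message."""
    same_time = [r for r in carrier
                 if r["to"] == msg["to"] and _near(r["time"], msg["time"], tol)]
    if any(r["from"] == msg["from"] for r in same_time):
        carrier_status = "match"
    elif same_time:
        carrier_status = "sender_mismatch"  # a delivery is recorded, from another number
    else:
        carrier_status = "no_record"
    if _ts(msg["time"]) > _ts(backup_taken):
        backup_status = "not_expected"      # message postdates the backup
    elif any(r["from"] == msg["from"] and r["to"] == msg["to"]
             and _near(r["time"], msg["time"], tol) for r in backup):
        backup_status = "match"
    else:
        backup_status = "missing"           # older than the backup, yet absent from it
    return carrier_status, backup_status

def review(device=DEVICE_DB, carrier=CARRIER, backup=BACKUP, backup_taken=BACKUP_TAKEN):
    """Map message id to its statuses; anything other than a match is a lead."""
    return {m["id"]: classify(m, carrier, backup, backup_taken) for m in device}

if __name__ == "__main__":
    for mid, status in review().items():
        print(mid, *status)
```

A status other than a match is a lead for the examiner to follow up, not a conclusion: messages sent through internet-based messaging applications, for instance, would not be expected to appear in phone records at all.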

Many cases can move slowly or involve years’ worth of communication where evidence production could prove problematic due to sheer volume and/or accidental or deliberate loss of data. In these situations, a forensic examiner’s expertise and tools will not only authenticate the data but also facilitate the production of evidence that may not have been possible before.


With today’s technology, in order to truly authenticate that a text message was sent from one phone to another, you may need the actual device, a backup of the device, and phone records, but you will certainly need an experienced digital forensic examiner. Don’t put your case at risk; consult with a digital forensic expert at Traversed today.