

Vanishing Evidence: The Challenges of Ephemeral Messaging in Digital Forensics
Key Takeaway: Ephemeral messaging creates compliance and legal risks by auto-deleting business communications, complicating digital forensics. Automated archiving solutions help organizations proactively capture and preserve ephemeral messages, ensuring forensic readiness and defensible records. Act quickly to update policies, train employees, and use approved platforms for secure data preservation.
Ephemeral messaging is rewriting the rules of digital communication and presenting new hurdles for digital forensics experts. Text message communications are now designed to disappear after a set period or upon being read. Overcoming the challenges of ephemeral messaging requires a strategic, multi-layered approach, one that balances privacy, compliance, and forensic readiness.
Why Ephemeral Messaging Matters in Digital Forensics
In September 2022, the SEC fined 16 major Wall Street firms over $1.1 billion for failing to preserve electronic communications, including those sent on ephemeral messaging apps and personal devices. The SEC matter serves as a cautionary example, highlighting evolving compliance standards.
Legal experts now advise organizations to proactively manage and preserve all business-related communications, even those sent through encrypted or auto-deleting apps, to avoid costly investigations, fines, and remediation actions.
Compliance Risks and Legal Discovery Challenges With Ephemeral Messaging
Ephemeral messaging apps enable users to set thread-specific auto-deletion policies, which automatically delete messages, rendering legal holds ineffective. In some cases, the message retention can be set by any party on the thread to delete the message after just one second. Relevant business communications can then be purged before preservation is possible. This leaves few, if any, digital forensic options for collection or recovery.
Mobile Forensics: Collection Hurdles
WhatsApp, Signal, and Telegram are three common ephemeral messaging platforms encountered in digital forensic investigations. Each platform presents unique challenges, but they also share several similarities.
- The WhatsApp ephemeral messaging feature is turned off by default, but once a user enables it, the retention setting can be set to whatever limit the user prefers.
- Telegram stores messages in the cloud, making mobile forensics collections less effective. Although Telegram may cache some data on a mobile device, it is typically an incomplete “picture” of the entire data set. Collection is typically done through the Telegram cloud interface, but this assumes the messages still exist and have not been previously deleted.
- Signal is designed for privacy and is arguably one of the most challenging ephemeral apps to forensically collect and preserve. It encrypts data at rest and does not store its data in standard device backups or a remote cloud server. Additionally, Signal does not synchronize data across other mobile devices. Instead, it requires different accounts for multiple mobile devices. Full file system collections and decryption credentials for the specific mobile device are required; however, some devices and mobile operating system versions may not be supported by advanced forensic tools.
Some commercial archiving solutions offer versions that automatically capture and preserve ephemeral messages for compliance and eDiscovery. By integrating this technology, companies maintain defensible records, allowing for later retrieval and review through a forensic collection. Such solutions require clear policies that mandate employees to use only the approved, archiving-enabled version of the app for business purposes.
These policies should also prohibit employees from using personal or “off-platform” communication methods to conduct business. Likewise, customers should be informed about how companies will communicate with them and how to avoid unauthorized and potentially fraudulent communications.
Preservation Over Recovery in Digital Forensics
Once data is deleted within an ephemeral messaging app, recovery is often impossible. Therefore, when there is no enterprise-wide commercial archiving solution in place, the focus must shift to rapid preservation. This requires forensic tools and techniques that support defensible data collection. Digital forensic examiners must ask key questions about a custodian’s device, including its make, model, operating system, and required data types, to recommend the best approach. The inability to recover deleted information, while intended to preserve security, poses potential spoliation obstacles for both custodians and litigants.
Legal Hold and Defensibility in the Age of Ephemeral Messaging
Ephemeral messaging fundamentally conflicts with the concept of legal hold. The ephemeral message setting in WhatsApp, Telegram, and Signal can be controlled by any user on the thread. In most cases, this means that any participant can change the disappearing messages setting at any time. Some multi-party group threads do allow group admins to regulate disappearing messages. However, this is not an option on direct messages. Even when a custodian is on legal hold, other parties on ephemeral messaging threads can, intentionally or unintentionally, cause the custodian to violate the legal hold by purging messages that must be retained.
Disappearing messages undermine the ability to maintain business communications for litigation or regulatory purposes, unless appropriate policy and archival solutions are in place ahead of time. In rare instances, if the data is collected before deletion using validated forensic methods, it can be presented in court with a proper chain of custody.
Trends and Best Practices With Mobile Communications
As more applications introduce disappearing message features, organizations are reviewing and updating their communication and mobile device policies to address the risks posed by ephemeral messaging.
An emerging best practice is to maintain a defined list of official communication platforms, such as email, Microsoft Teams, Slack, ICE chat, or archived versions of WhatsApp. Some industries are moving away from using text messages, or mobile messaging apps with ephemeral message settings, as an official business communication channel.
If a business conversation begins on an unauthorized platform, employees are trained to transition the discussion to an approved channel. For example, if a colleague initiates a conversation about a deal on iMessage, the response should be to move the discussion to email or Teams to ensure proper recordkeeping and compliance.
Concluding Guidance
Act quickly to proactively preserve ephemeral messaging data when it’s required for investigations or litigation. Consider reviewing and updating communication policies to list approved apps for business communications, especially when employees are permitted, by policy, to use their own personal devices.
Ephemeral messaging is here to stay, but organizations stay ahead by updating policies, training employees, and leveraging the right forensic tools.
Andrew Crouse, Director, Forensics, eDiscovery Solutions, Epiq
In his role as the Director of Digital Forensics at Epiq, Andrew Crouse leads digital forensic examinations, consulting engagements, service delivery, and forensic practice requirements. Crouse manages a team of consultants, analysts, and lab operations personnel for Epiq US operations.
The contents of this article are intended to convey general information only and not to provide legal advice or opinions.