Messaging Evidence in Litigation: WhatsApp, Telegram, and Beyond

A technology expert's guide to forensic analysis of messaging evidence. How messages are stored, what metadata reveals, and what solicitors should know about authentication and manipulation.

Digital Forensics, WhatsApp, Messaging, Evidence

Messaging platforms have become central to modern disputes. WhatsApp conversations feature in commercial litigation, family proceedings, employment tribunals, and criminal cases. Telegram, Signal, iMessage, and other platforms appear with increasing frequency. Yet there is a significant gap between how legal professionals typically handle messaging evidence (screenshots, PDF exports, scrolling through a handset in court) and what forensic analysis can actually reveal.

Having examined messaging databases in a number of matters, I set out below what lies beneath the interface, what metadata can and cannot tell you, and what to consider when messaging evidence is in play.

How messages are actually stored

When most people think of WhatsApp messages, they picture the conversation as it appears on screen. But that visual interface is just a presentation layer. Underneath, WhatsApp and most messaging platforms store data in structured databases on the device.

On Android devices, WhatsApp uses an SQLite database (msgstore.db) that contains every message, along with metadata including timestamps, sender and recipient identifiers, message status flags, media references, and group membership information. On iOS, the equivalent data is stored in a different format but with similar underlying structure. Telegram, Signal, and other platforms each have their own database schemas.

Forensic analysis works at this database level, not at the interface level. This distinction matters because the database contains information that is not visible in the app’s user interface, and because the database is harder to manipulate convincingly than a screenshot.

What metadata reveals

Every message in a WhatsApp database carries metadata beyond the visible text. This includes:

  • Timestamps: When the message was sent, delivered, and read, recorded to the second. These timestamps are generated by the device and can be cross-referenced with server-side delivery records.
  • Message status: Whether a message was sent, delivered, read, or is pending. The familiar blue ticks in WhatsApp correspond to specific status codes in the database.
  • Sender and recipient identifiers: Phone numbers and internal user identifiers for each party to a conversation, including in group chats.
  • Media references: Pointers to images, videos, voice notes, and documents shared in the conversation, along with file hashes that can verify whether media has been altered.
  • Deleted message markers: When a message is deleted, either “for me” or “for everyone”, traces may remain in the database. The extent of recovery depends on the platform, the device, and how much time has elapsed. In some cases, deleted messages can be recovered in whole or in part, though this is not guaranteed.
  • Edited message indicators: WhatsApp now allows message editing. The database records that an edit occurred, though the original text may or may not be preserved depending on the platform version.

This metadata can be probative. In cases where the timing of a communication is disputed, database timestamps are more reliable than a party’s recollection. Where a party claims never to have received a message, delivery and read receipts at the database level can establish otherwise.

Authentication and tampering

One of the most important questions in messaging evidence is authentication: can the court be satisfied that the messages are genuine?

Screenshots are the weakest form of messaging evidence. They can be created, edited, or fabricated using widely available tools. A screenshot shows only what the screen displayed at the moment it was captured. It says nothing about whether the underlying data is authentic.

Forensic extraction from the device provides substantially stronger evidence. Using industry-standard tools, the entire messaging database can be extracted, preserving its internal structure and metadata. The expert can then verify the integrity of the database, checking for anomalies in timestamp sequences, database structure, and record consistency that would indicate tampering.

That said, no digital evidence is entirely tamper-proof. A sufficiently sophisticated actor could, in theory, modify a database before extraction. The expert’s role is to assess whether the evidence is consistent and credible, identify any anomalies, and explain the significance of those anomalies to the court. In practice, database-level manipulation is difficult to execute without leaving detectable traces, though the assessment must be made on the facts of each case.
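The kind of record-consistency check described above can be sketched as follows. This is an added example, not the author's tooling: the table and column names are a hypothetical, simplified schema rather than WhatsApp's real msgstore.db layout, and the rows are constructed sample data.

```python
import sqlite3

# Hypothetical, simplified schema for illustration (not the real msgstore.db layout).
SCHEMA = """CREATE TABLE message (
    row_id      INTEGER PRIMARY KEY,  -- assigned in insertion order
    sent_ts     INTEGER,              -- epoch seconds, when sent
    received_ts INTEGER,              -- epoch seconds, when delivered
    body        TEXT)"""

# Constructed sample rows: (row_id, sent_ts, received_ts, body)
SAMPLE_ROWS = [
    (1, 1700000000, 1700000002, "Invoice attached"),
    (2, 1700000060, 1700000061, "Received, thanks"),
    # row 3 is absent: a record was removed after insertion
    (4, 1700000300, 1700000301, "Payment due Friday"),
    (5, 1700000100, 1700000101, "Agreed to extend the deadline"),  # earlier than row 4
    (6, 1700000400, 1700000390, "See you Monday"),  # delivered before it was sent
]

def build_sample_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO message VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def find_anomalies(conn):
    """Walk records in insertion order and flag structural inconsistencies."""
    findings = []
    prev_id = prev_ts = None
    query = "SELECT row_id, sent_ts, received_ts FROM message ORDER BY row_id"
    for row_id, sent, received in conn.execute(query):
        if prev_id is not None and row_id != prev_id + 1:
            # Missing identifiers: (first missing id, last missing id)
            findings.append(("id_gap", prev_id + 1, row_id - 1))
        if prev_ts is not None and sent < prev_ts:
            # Later-inserted record carries an earlier timestamp: (row, seconds back)
            findings.append(("timestamp_regression", row_id, prev_ts - sent))
        if received is not None and received < sent:
            findings.append(("received_before_sent", row_id, sent - received))
        prev_id, prev_ts = row_id, sent
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(build_sample_db()):
        print(finding)
```

Each finding is a lead for the examiner rather than proof of tampering: ordinary deletion, device clock changes, and delayed delivery can produce the same patterns.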

Deleted and ephemeral messages

Deletion is a frequent concern in messaging evidence. Parties may delete messages before or after litigation is contemplated, raising questions about spoliation and adverse inferences.

The recoverability of deleted messages depends on several factors:

  • Platform: WhatsApp retains more forensic artefacts after deletion than Signal, which is designed to minimise data persistence. Telegram’s “secret chats” use device-specific encryption and are not backed up to the cloud, making them harder to recover than standard Telegram messages.
  • Device and operating system: Android and iOS handle data deletion differently. On some Android devices, deleted SQLite records remain in unallocated database space until overwritten. iOS devices with full-disk encryption present different challenges.
  • Backups: WhatsApp backups, whether to Google Drive, iCloud, or local storage, may contain messages that have been deleted from the device. Backup analysis is a routine part of forensic examination.
  • Time elapsed: The longer the interval between deletion and forensic examination, the less likely recovery becomes, as normal device operation gradually overwrites the relevant storage areas.
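To illustrate the point about deleted SQLite records remaining in unallocated database space, the following added example (not from the original article) builds a throwaway database, deletes every row, and then reads the SQLite file header to count the free pages left behind. The table name, the marker string and the rows are constructed, and the sketch assumes secure deletion and auto-vacuum are off, which it sets explicitly.

```python
import os
import sqlite3
import struct
import tempfile

MARKER = b"CONSTRUCTED-SAMPLE-MESSAGE"  # constructed text, used to spot residue

def read_header(path):
    """Parse the fields of the 100-byte SQLite header relevant to free space."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:          # the format encodes 65536 as 1
        page_size = 65536
    first_trunk, freelist_pages = struct.unpack(">II", hdr[32:40])
    return {"page_size": page_size, "first_trunk": first_trunk,
            "freelist_pages": freelist_pages}

def demo():
    """Return (visible rows, header fields, raw marker hits) after deletion."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA auto_vacuum=NONE")   # keep freed pages in the file
        conn.execute("PRAGMA secure_delete=OFF")  # do not zero freed content
        conn.execute("CREATE TABLE message (row_id INTEGER PRIMARY KEY, body TEXT)")
        rows = [(f"{MARKER.decode()} {i:04d} " + "x" * 200,) for i in range(500)]
        conn.executemany("INSERT INTO message (body) VALUES (?)", rows)
        conn.commit()
        conn.execute("DELETE FROM message")       # the "deleted" conversation
        conn.commit()
        visible = conn.execute("SELECT COUNT(*) FROM message").fetchone()[0]
        conn.close()
        with open(path, "rb") as f:
            residual = f.read().count(MARKER)     # text still present in raw bytes
        return visible, read_header(path), residual
    finally:
        os.remove(path)

if __name__ == "__main__":
    visible, header, residual = demo()
    print(f"rows visible to the app: {visible}")
    print(f"free pages: {header['freelist_pages']} x {header['page_size']} bytes")
    print(f"marker occurrences still in the file: {residual}")
```

The application sees an empty table, while the file still carries free pages containing the old text until normal use overwrites them or the database is vacuumed.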

The practical lesson for legal teams is that early preservation is critical. If messaging evidence is likely to be relevant, steps should be taken to preserve the device and any associated backups as soon as possible. A forensic image of the device (a bit-for-bit copy of its storage) preserves the evidence in its current state, including potentially recoverable deleted data.

End-to-end encryption

WhatsApp, Signal, and an increasing number of platforms use end-to-end encryption, meaning that messages are encrypted on the sender’s device and decrypted only on the recipient’s device. The platform operator does not hold the keys and cannot read the messages in transit.

This has implications for evidence gathering. It means that, in most cases, messaging content can only be obtained from the devices of the parties to the conversation, not from the platform provider. Server-side records, where available, typically contain metadata (who messaged whom, and when) but not message content.

For forensic purposes, however, end-to-end encryption is not an obstacle once the device is available for examination. The messages are stored in decrypted form on the device itself. The encryption protects messages in transit and at rest on the provider’s servers, but not on the endpoints.

Cross-platform and multi-device considerations

Modern messaging is rarely confined to a single device or platform. A party may use WhatsApp on a phone and WhatsApp Web on a laptop. Telegram messages sync across multiple devices. Business communications may span WhatsApp, Teams, Slack, and email within a single conversation thread.

A thorough forensic examination considers all relevant devices and platforms. Messages visible on one device may not be present on another, particularly where selective deletion has occurred. Cross-referencing message databases across devices can reveal gaps and inconsistencies that are significant to the dispute.

If messaging evidence is likely to feature in your case, there are several steps that will improve the quality of the evidence and the efficiency of the forensic process:

  1. Preserve early. Instruct your client to stop using the relevant device for routine purposes if possible, and arrange forensic imaging promptly. Every day of continued use risks overwriting recoverable data.
  2. Go beyond screenshots. Screenshots may be sufficient for uncontested messages, but if authenticity, completeness, or timing is likely to be challenged, forensic extraction is the appropriate standard.
  3. Consider all devices. Ask your client which devices they use for messaging, whether they use web or desktop clients, and whether cloud backups are enabled. The answer is often more complex than expected.
  4. Instruct a forensic expert early. A technology expert can advise on preservation strategy, identify the platforms and devices in scope, and ensure that the extraction is conducted in a forensically sound manner that will be accepted by the court.

Messaging evidence is often treated as straightforward: a conversation is a conversation. In my experience, the forensic picture is substantially richer than what appears on screen. Proper preservation and analysis of the underlying data can affect both the strength of the evidence and the range of issues it is capable of addressing.