New York City Mayor Eric Adams and his staff appear to be obsessed with digital security, at least according to the mayor’s indictment on multiple charges, including soliciting and receiving campaign contributions from foreign nationals, bribery, and wire fraud.
But then why were they so bad?
Case in point: The indictment cites a text message exchange between Adams and an unnamed staff member in which the staff member told Adams, “Be safe and delete all messages you’ve sent me.” Please,” he is said to have instructed.
“I always do that,” Adams texted back, according to the indictment.
Needless to say, this policy of deleting messages did not prevent investigators from discovering these communications.
Nor did the same employee allegedly attempt to delete an encrypted messaging app after requesting a bathroom break during a meeting with FBI agents. The indictment says the employee asked him to excuse himself from the conversation and deleted an app from his phone that he used to communicate with Turkish officials who coordinated various interactions with Adams and others.
This isn’t the first time someone has tried the trick of running to the toilet and flushing a message down the toilet. When Apple sued former iOS engineer Andrew Aude for allegedly leaking information about future Apple products, the complaint states, “During the interview, Aude pretended to need to go to the bathroom, and during a break, Aude “He took the iPhone out of his pocket and permanently deleted important sensitive information.” The large amount of evidence from his devices included the popular encrypted messaging app Signal.
Just as trying to flush drugs down the toilet does not necessarily destroy incriminating evidence, it recovers residual trace evidence of applications installed on a mobile phone even after the app is removed from the device. There are many forensic techniques available. . Additionally, there are many ways to recover traces of communication, even if the communication occurred through an encrypted messaging app.
Deleting a message or deleting the entire app leaves behind tons of breadcrumbs that betray the fact that a conversation between specific parties may have taken place, even if the actual content of the conversation can no longer be recovered. A list may remain with the investigator.
Let’s take signals as an example. Signal provides various options for deleting messages. This includes the ability to delete messages you send to someone from the recipient’s device, set a message length, and then the message disappears. However, these various takedown actions come with the important caveat that they may leave traces of the fact that communications may have taken place between certain parties. In some cases, this may be enough to cause problems for the parties involved.
There are many forensic techniques available to recover residual trace evidence of an application even after it has been removed from the device.
For example, Signal gives senders the option to delete messages they’ve sent to recipients, but this feature comes with two notable asterisks. First, this “Delete for Everyone” feature can only be performed within 24 hours of sending the message. Second, deleted messages are not permanently deleted and are replaced with boilerplate text that tells the recipient, “This message has been deleted.” “This message has been deleted” appears on your device or on the sender’s device. Metadata about the original message is also stored, such as the time the original message was sent or received. To effectively eliminate any trace of a message being sent and deleted, both the sender and recipient must individually tap the placeholder for the deleted message and select “Delete” .
When you make a Signal voice call on your iPhone, Signal integrates with your iPhone and the Signal call appears in the Recent list of calls in the iOS Phone app. This means forensic investigators can see who is calling them on Signal by simply checking their phone app, without having to use the Signal app at all. These steps don’t seem to be documented on Signal’s official support portal, but the feature is still available if (Show recent calls) is turned off in the Signal iOS app by going to (Settings) then (Privacy). You can disable it by making sure it is.
What I mean by this is that if you find yourself in a situation where you have to take a quick bathroom break in the middle of an interrogation to delete a message, you’re already in a bad situation.
