My fellow forensic technology expert, Sandeep Jadav's recent article (referenced below) was a good read and re-affirms our common understanding of challenges we face on every project in China dealing with the collections, analysis and production of WeChat data. Sandy's analysis is excellent and very thorough so I won't repeat many of the points raised in his article, but thought I would supplement it with a couple of additional and interesting points below:
- Data deletion. It is common that a data subject may choose to delete either individual chat messages, entire conversation threads or even the WeChat application itself from his/her mobile device before the forensic data collection is taken place.
Questions are often asked by our clients and Counsel if there’s a way to either recover, or to the minimum ascertain the evidence of deletion of chat messages in WeChat. Whilst a “forensically correct” answer is always: It depends – because the make, model of the device, OS, App version and many other factors would determine what we can recover/detect in relation to these questions, we have found ways to make a determination of the forensic evidence possible by analyzing the underlining database structure of WeChat using proprietary methods.
This does not require the mobile device to be “jail broken” nor does it require a full physical collection of the device which, as Sandy pointed out, is often not possible. Using our methods we can often answer the questions: Were chats deleted? and, if so, when? - Chat message review. Similar to the traditional “Email Review”, WeChat messages are often reviewed for relevance and issues pertaining to a particular matter. In fact, WeChat messages are often the key evidence of a given investigation or dispute, so its importance is often much more than that of traditional emails. Different to traditional review though, going through thousands of, sometimes, millions of chat messages from different senders/recipients in different threads, and quite often needing to combine with other popular chat platforms such as iMessages, QQ etc making the traditional way of reviewing “keyword search” inefficient and cumbersome.
In fact, reviewing “hits” only will also not provide reviewers the all important “context” of the conversation making reviewers missing the “full picture”. We have developed workflows using various industry accepted protocols such as the Relativity Short Messaging Format (RSMF). Combine this with proprietary technology and we are able to combine chat messages from different mobile applications, from different chat data sources and ingest them to Relativity and display conversations threads with the same richness as you would see on a mobile device including displaying emojis, retaining picture messages and playing voice and video in Relativity. We firmly believe this will provide tremendous value and increase efficiency in WeChat messages review.
As Sandy quite rightly outlines, WeChat is critical source of information in many investigation and disputes, only when we're armed with experience and the necessary tools and techniques we can present a complete picture in the most critical of legal matters.