Case Study 2 — The Messages That Weren't There
A workplace-harassment investigation should have been won on the chat record. Instead it collapsed on cross-examination — not because the messages never existed, but because the examiner acquired the database wrong, moved too slowly, and reached for the wrong legal instrument. A cautionary contrast to the careful header work of Case Study 1.
Background
Northwind Logistics opened an internal investigation after an employee reported that a shift manager had sent harassing messages over WhatsApp and over the company's Microsoft Teams. HR engaged a generalist IT contractor — competent with networks, new to forensics — to "pull the manager's messages." The complainant had screenshots, but screenshots are trivially disputed; the company wanted the underlying records to support discipline that would, predictably, be challenged. What looked like a routine extraction became a study in how communications evidence is lost by procedure rather than by encryption.
What happened
Three mistakes, each individually survivable, compounded.
Mistake one — the slow start. The complaint came in on a Monday. The contractor was not engaged until eleven days later, and did not image the manager's company phone for another week. Throughout that period the device stayed powered on and in daily use. Nobody sent a litigation-hold notice or asked Microsoft to preserve the Teams content. WhatsApp's local database was being written and rewritten the entire time; every new message inserted into a page could reuse the free space where a deleted message's bytes still lay. By the time the phone was imaged, the most relevant exchanges — the ones the manager had deleted — were, in part, gone.
Mistake two — the partial acquisition. When the contractor finally pulled the WhatsApp data, he copied a single file:
acquired: /data/data/com.whatsapp/databases/msgstore.db (hashed, logged)
NOT copied: msgstore.db-wal ← the write-ahead log
NOT copied: msgstore.db-shm ← shared-memory index
He opened msgstore.db in a SQLite browser, exported the live message rows to CSV, and reported "all available messages recovered." But WhatsApp uses WAL journaling: the newest messages — including several sent in the days just before imaging — had been written to msgstore.db-wal and not yet checkpointed into the main database. They were never in the file he copied. He also ran no deleted-row carver, so the free-block and freelist remnants that did survive went unexamined. He had captured the version of the conversation that happened to be checkpointed — not the whole of it.
Mistake three — the wrong instrument for the cloud. Teams chat does not live meaningfully on the endpoint; the authoritative record sits in a hidden Exchange Online mailbox folder with files in SharePoint/OneDrive, governed by Microsoft Purview eDiscovery. Northwind controlled that tenant and could have run a compliant eDiscovery export in an afternoon. Instead, the contractor scraped the Teams cache from the manager's laptop:
%AppData%\Microsoft\Teams\IndexedDB\https_teams.microsoft.com_0.indexeddb.leveldb\
He recovered some readable fragments and presented them as "the Teams messages." Worse, when opposing counsel later demanded the corresponding messages from another employee who had since left, someone on Northwind's side floated subpoenaing the records — a non-starter for content held by a provider, and unnecessary for data the company already controlled through Purview.
The cross-examination
At the disciplinary appeal, the manager's attorney did not argue the messages were innocent. She argued the evidence was unreliable, and the record handed her the ammunition.
She established that the examiner had not collected the -wal file, then asked whether he could rule out that exculpatory — or additional inculpatory — messages had existed only there. He could not. She established the eleven-day delay and the absence of any preservation step, then asked whether continued use of the device could have overwritten deleted content. It could. She established that the Teams "messages" were drawn from a browser-style cache rather than the authoritative store, and asked whether a cache is complete or recency-biased. It is recency-biased and partial. None of this proved the manager innocent. It did not have to. It created enough doubt about the completeness and integrity of the collection that the company settled rather than risk an adverse ruling on its process.
Recovery vs. Forensics. For an organization investigating its own systems, the fastest and most defensible path to chat content is almost never the endpoint — it is the admin export (Purview eDiscovery for Teams, the Slack eDiscovery/Discovery API, Google Vault). The contractor used a 💾 recovery technician's instinct ("pull the file off the device") where a 🔍 examiner's discipline ("acquire the whole artifact, preserve early, and prefer the authoritative source") was required.
The analysis
- Acquire the whole database, not just the
.db. A SQLite store isdbplusdb-walplusdb-shm. The write-ahead log can hold the most recent — and most relevant — messages, not yet checkpointed. Copying the main file alone silently discards them, exactly as grabbing a registry hive without its transaction logs would. - Time is evidence — preserve immediately. Every hour a live device runs after a deletion, free space is reused and recoverable rows vanish. A litigation hold, a device pulled from service, and a provider preservation step are not bureaucracy; they are the difference between recoverable and gone.
- A cache is not the account. The Teams IndexedDB cache is partial and recency-biased. Presenting it as the complete message record invites precisely the completeness challenge that sank this case. State plainly what a cache proves (local viewing) and what it cannot (the full conversation).
- Match the instrument to the data — and use the source you control. For tenant data the company owns, Purview eDiscovery yields a complete, defensible export. Subpoenaing a provider for content you already control is unnecessary; subpoenaing a provider for another user's content in a civil posture is barred outright (SCA §2702). Reaching for the wrong instrument wastes time and can taint the matter.
- Run a deleted-row pass and corroborate. Even with a partial acquisition, a SQLite-aware carver over free blocks and the freelist recovers rows the live engine hides — and running two tools that agree on counts is what survives cross-examination. The examiner did neither, so he could not speak to what deletion had removed.
Discussion questions
- Rank the three mistakes by how much each, alone, damaged the case. Which was most recoverable after the fact, and which was fatal?
- Write the preservation and acquisition checklist you wish the contractor had followed on day one — for both the WhatsApp database and the Teams content.
- The contractor's CSV of live rows was accurate as far as it went. Why is "accurate but incomplete" so dangerous in an evidentiary setting, and how should he have qualified his report?
- The company controlled the Microsoft 365 tenant. Explain to a manager why Purview eDiscovery was both faster and more defensible than scraping the laptop cache.
- ⭐ Suppose the deleted WhatsApp messages truly existed only in a
-walthat was checkpointed and truncated before imaging, so they are genuinely unrecoverable. Write the honest finding for the report — one that neither overstates what you found nor implies the absence of evidence proves the messages never existed.