The much-discussed “Sandy” case raised many questions about what technology can actually reveal about the digital movement and transmission of messages, calls, photographs, app data, metadata and more. Politis asked certified forensic expert and digital data examiner Alexis Mavros to explain to what extent, and under what conditions, it is possible to trace digital footprints and recover such data, even if it has been deleted or the electronic device (a mobile phone, tablet or laptop) has been changed.
He also answers questions relating to the monitoring of telephone conversations for the purpose of tackling organised crime, following the relevant bills that were ultimately not passed by the current House of Representatives.
Mr Mavros is the expert who examined the mobile phones of former MEP Dimitris Papadakis – whose alleged “messages” are included in the “Sandy” files – and found them to be clear. Asked to comment on criticism questioning his independence, Alexis Mavros said that “the independence of an expert does not depend on the client, but on the methodology followed and on whether the findings can be verified by any other expert”.
Digital traces
What kind of digital data can be recovered today? Can data be recovered from all applications such as Viber, WhatsApp, Signal, Telegram and others?
Almost every action leaves a digital trace: messages, calls, photographs, location data and app usage. However, it is not always possible to recover everything. What can be recovered, and how far back in time, depends on many factors, such as how and for how long the device was used, the brand and model, the operating system version, whether encryption is in place, the tools used by the forensic examiner, as well as the legal framework allowing the examination, either through written consent or a court warrant.
What if the data has been deleted or the device has been changed?
Deleting data does not always mean permanent loss, but neither does it guarantee recovery. The possibility depends on many technical factors. Even if the device has been changed, if there are backups, cloud data, or if the old device is located, significant information may still be extracted.
What if two SIM cards are used in the same device?
Yes, traces can still be identified. The device records activity regardless of the number of SIM cards. The technical identifiers of the SIM cards used in the device are stored and constitute an important part of the investigation.
Forensic analysis
How is forensic analysis carried out?
Digital forensic analysis follows a strict and scientific process. First comes the collection and preservation of evidence in a way that ensures it is not altered, safeguarding the integrity of the original data, usually through the creation of a forensic image. This is followed by analysis, where specialised tools are used to process and identify data as well as digital traces. Then comes interpretation, where the findings are correlated so that technical conclusions can be drawn. Finally, everything is presented in a documented report. Through this process, it is possible to determine what happened, when, and by whom.
Are the results reliable?
When the correct methodology is followed, the results are reliable. Reliability is based on documentation, cross-checking of findings and the ability of another expert to repeat the process.
What happens with encrypted messages?
The content may not be directly accessible, but traces of use and metadata often remain. There are decryption technologies, but they are highly demanding, time-consuming and not always feasible.
Can calls and messages made at the same time be identified?
Yes, in many cases there are time traces showing the simultaneous use of different services, such as telephone calls and messaging applications.
Screenshots
Can unauthentic messages be identified at first glance?
Not with certainty. A screenshot may raise questions or present inconsistencies that give rise to reasonable suspicion, but it is not proof. Final assessment can only be made through full forensic examination of the devices of those involved in the communication.
How easy is it to create fake messages?
Today, it is relatively easy to create convincing content, far easier than in the past. However, it is not at all easy for such content to withstand forensic scrutiny.
Do telecommunications companies retain data?
Telecommunications companies mainly retain technical data, such as who communicated with whom and when, for at least six months. They do not retain the content of communications.
Monitoring
Recently, the issue of monitoring telephone conversations for the fight against organised crime has returned to the agenda. Do the relevant bills cover the technology?
Technology evolves much faster than legislation. There appears to be an intention to modernise through new bills, but the crucial issue is not only granting capabilities, but also clearly defining their limits and controlling their use.
What concerns you?
The balance between technological power and oversight. Such advanced surveillance tools, if used without adequate supervision, can lead to serious abuses and to phenomena we have already seen internationally, such as cases involving Predator, Pegasus and similar surveillance software.
Strict framework and offences
How should monitoring be carried out?
Monitoring should be carried out only within a strict and clearly defined legal framework. Specifically, it requires a written and documented request by an investigative authority, accompanied by a sworn statement, which is then submitted to a competent judge for the issuing of a warrant. The warrant must be absolutely specific and define: the type of offence under investigation, the time frame of the investigation, the persons involved and the means of communication concerned.
At the same time, it is crucial that there is continuous and meaningful oversight by an independent authority that has both legal and technical competence, so as to ensure that the use of these tools does not go beyond the purpose for which it was approved. Technology today provides very extensive capabilities. That is precisely why even stronger limits and oversight mechanisms are needed.
For which offences should monitoring be allowed?
Monitoring should be allowed only for particularly serious offences, such as terrorism, drug trafficking, human trafficking, offences involving child exploitation and child pornography, serious corruption offences, as well as economic crime, but only where such offences are explicitly linked as derivative offences to one of the above as the underlying offence.