Independent review of the State's cell phone extraction — what the Cellebrite / UFED summary report doesn't show you.
When the prosecution has already imaged your client's phone, the report they hand over is a filtered, selected view. We work only for the defense — re-examining the underlying extraction, recovering data where it's still recoverable, and explaining what the State's summary left on the cutting-room floor.
In most cases, law enforcement seizes the device, extracts it with a tool like Cellebrite, and produces a report built to support the prosecution's theory. That report is accurate as far as it goes — but it is their selection of their findings.
An independent forensic examiner looks at the same data with a different question: what does the full record actually show? The same extraction that contains three damaging texts often contains the surrounding conversation, the timing, the deleted context, and the metadata that change what those three texts mean.
We are retained by the defense and report to the defense. We do not take prosecution work, and we tell you plainly when the data does not help your case — because a finding you can't rely on is worse than no finding at all. Our job is an accurate, defensible answer, not a favorable one.
See an example of how we present findings in our illustrative sample report, or learn more about digital forensic expert-witness work.
Depending on the device, operating-system version, and how the phone was handled, the following may be recoverable. Nothing here is guaranteed — recoverability depends on the device and the timeframe. We tell you what's realistic for your specific device before any work begins.
SMS, iMessage, RCS, and group threads — including deleted messages that may persist in the database where the timeframe allows.
Chat and call records from app databases that the State's summary often skips entirely.
Call logs, voicemail, contacts, and the connections between numbers and identities.
Camera roll, downloaded media, and the embedded metadata that tells you when and where a file was created.
On-device location history, Wi-Fi and cell associations, and app location records that can support — or contradict — a placement.
Browser history, search terms, account artifacts, and device-activity records that reconstruct what happened, and when.
Tools like Cellebrite UFED and Physical Analyzer are widely used by law enforcement. They are capable tools — but the report generated from an extraction is a curated subset, and the choices behind that subset matter.
A typical State disclosure is a PDF or report export — not the full extraction. When we are
able to work from the underlying extraction (the .ufd / image and its
databases, not just the printout), we can look at the parts the summary filtered out:
conversations adjacent to the cited messages, records the examiner did not tag, timestamps in
their native form, and artifacts the reporting template simply doesn't surface.
Common gaps we look for: selective date ranges, filtered contacts or apps, decoded content that lost its original timestamp or time-zone, deleted material the report didn't flag, and tool-generated interpretations presented as if they were raw fact.
If the State will only produce the report and not the extraction, that itself is something your motion practice may need to address — and we can help you articulate, in plain terms, why the full extraction matters.
Not every seizure produces a complete image. Time pressure, a locked device, an unsupported model, or an examiner working at a shallower tier can all leave significant data uncollected.
A logical extraction — the most common, least invasive tier — pulls what the phone's own software is willing to hand over. It frequently misses deleted content, app databases stored outside the normal backup, and large portions of the file system. If the State's evidence rests on a logical extraction, a deeper independent examination may reach material they never collected.
A "partial extraction" noted in a report is a signal, not a dead end. It tells you the collection was incomplete — which raises a fair question about what wasn't looked at, and whether a more complete examination would change the picture.
We assess what tier the State's extraction reached, what that tier typically does and doesn't capture, and whether a fuller examination of the device is feasible and worthwhile for your case.
A screenshot of a text message is one of the easiest pieces of "evidence" to fake — and one of the hardest for a jury to question on its face. When the case turns on a message that may not be what it appears to be, the source matters more than the picture.
A genuine message recovered from the device's own database carries metadata: timestamps, thread structure, sender/recipient identifiers, and a place in the surrounding conversation. A screenshot, a re-typed quote, or an edited image carries none of that — and the differences are detectable.
We compare the disputed item against the underlying device data, examine the metadata and file-level artifacts of an offered screenshot or image, and report on whether the proffered message is consistent with what the device actually contains. Where it isn't, we explain the discrepancy in terms a judge and jury can follow.
We describe what the evidence does and does not support. We don't characterize authentication findings beyond what the data shows, and the ultimate weight of any exhibit is for the court.
A phone that won't power on is not automatically a phone with nothing to say. Depending on the nature of the damage and the device, data recovery may still be possible.
Physical damage, liquid exposure, and storage failures range from trivially recoverable to not recoverable at all — and it's not always obvious which from the outside. We assess the device's condition first and give you a candid read on feasibility before committing to a recovery attempt, so you can make an informed decision about cost and likelihood.
Locked and passcode-protected devices are a separate and evolving challenge. What is possible depends heavily on the specific model, operating-system version, and security hardware — and it changes over time. We will tell you honestly whether access is realistic for your device rather than promising a result we can't assure. We do not guarantee access to any locked device.
You don't need to be technical to cross-examine the State's examiner — but it helps to know the three tiers, because the tier used controls how much data the extraction could possibly contain.
Findings only help if they hold up. Our process is built to survive scrutiny on cross-examination and to be understood by the people who decide the case.
We document chain of custody from the moment evidence reaches us, work from verified copies rather than originals wherever possible, and record what we did, with what, and in what order — so the examination is repeatable and reviewable.
Our methodology is built on established, peer-reviewable digital-forensic practice and is intended to meet the standards courts apply to expert evidence (Daubert and Frye, depending on the jurisdiction). Where a technique is novel or contested, we say so plainly rather than presenting it as settled.
Reports come in two registers: a plain-English summary a judge, jury, and your client can follow, and a technical appendix an opposing expert can test. You can see the format in our illustrative sample report.
We work routinely with public defenders and appointed counsel, and we understand that the work often has to clear a funding step before it can begin.
We have offices in Talent, Oregon, serving the Rogue Valley — Medford and the surrounding Jackson and Josephine County courts — and in Kahului, Hawaii, serving Maui.
Because much of forensic work is performed on properly preserved copies of the data, we also work with defense teams across the country. Devices and evidence can be shipped under documented chain of custody, and on-site acquisition can be arranged where the situation calls for it.
Sometimes. When a message is deleted, the underlying data isn't always immediately erased — traces can remain in the device's databases or storage and may be recoverable. Whether they actually are depends on the device, the operating system, how much the phone has been used since, and how long ago the deletion happened.
We don't promise recovery of any specific message. What we can do is assess your device and give you a realistic read on what's likely to be recoverable before you commit to the work.
Yes. We are retained by criminal defense teams — including public defenders and appointed counsel — and we report to the defense. We do not take prosecution work. Our methodology is the same regardless of who retains us; what we don't do is work the other side of your case.
It depends on the question. Some work can be done from the State's report or extraction alone — for example, reviewing what the summary included and excluded, or evaluating whether an offered exhibit is consistent with the produced data.
But to recover deleted data or examine the device more deeply than the State did, access to the physical device or the full extraction is usually necessary. Tell us what you have, and we'll tell you what's possible with it.
Both depend on the device, the tier of examination, and what you need answered — so we scope and estimate each engagement individually rather than quote a flat number sight unseen. Where it fits, we can start with a fixed-fee triage so you learn whether a full examination is worthwhile before committing to the larger cost.
Reach out for a free case consultation and a written scope estimate.
Tell us about the device and the State's evidence, and we'll give you a candid read on what's possible and a written scope estimate. We work only for the defense.
This page is general information about forensic services, not legal advice, and does not create an attorney–client or expert engagement. Recoverability of deleted or damaged data depends on the device and circumstances and is never guaranteed. We do not guarantee access to locked devices or any particular outcome. Cellebrite and UFED are products of their respective owners; Evntrace is independent and not affiliated with those vendors.