It’s no secret that the world is increasingly reliant on digital communication. Everything from high-stakes M&A deals to placing the week’s grocery order leverages some type of technology or digital footprint to memorialize the process. While some tasks and processes require more technological proficiency than others, a 2023 study by the Federal Reserve Bank of Atlanta reported that 92% of jobs require digital skills. With broader adoption of AI technology over the last two years, technology will only play an increasing role in our day-to-day lives.
For forensic investigations, this provides both challenges and opportunities. The idea that digital footprints last forever is only a half-truth. In the world of forensics, data lives on a spectrum between permanent “shadows” and volatile records that can vanish in seconds. Below are five core considerations for today’s forensic investigations, and tips on how to avoid missteps in scenarios that are rising in complexity.
1. “Deleted” may still exist
Hitting delete is just the beginning. Traces of data often live on in artifacts, backups, and metadata. We aren’t just looking for the file; we’re looking for the digital “shadow” it left behind.
For instance, modern iPhones (running iOS 16 and later) store deleted messages in a dedicated “Recently Deleted” table within the messaging database, where they are retained for up to 30 days. During this window, users can either recover the messages or manually delete them permanently before the automatic 30-day period expires. This is helpful in disputes where recent information is perceived as “gone” but in reality still exists for a window of time.
2. The iPhone vs. Cloud Gap
Data on a device and data in the Cloud are not identical. They change independently. If you only capture one, you’re missing half the story. To get the full picture, you need both.
iOS’s “Messages in iCloud” feature allows users to sync messages across devices via iCloud, a convenient feature that complicates data collection. Historically, messages were bundled into a standard iCloud backup. Now, if a user enables syncing, that data is stored in a different cloud location and must be collected separately from the phone backup. Experienced investigators understand the nuances of such data storage and can help navigate complex data retention.
3. Spoliation can happen by accident
You don’t need a “bad actor” to lose evidence. Routine system updates, simple reboots, or automatic retention policies can overwrite critical data. Inactivity is often just as dangerous as intentional wiping.
In Microsoft 365, when a user empties their “Deleted Items” folder, the data moves to a hidden folder called “Recoverable Items.” By default, Microsoft only retains this data for 14 days. If the data is not collected, or a Litigation Hold is not implemented by IT, within that narrow two-week window, the system’s automated housekeeping permanently purges the messages. No one intentionally “wiped” the data from “Recoverable Items”; a default background timer simply expired.
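One way to find mailboxes that are still on that default timer before it expires, as an added example that is not from the original article: it assumes the ExchangeOnlineManagement module is installed, that Connect-ExchangeOnline has already been run with an account allowed to read mailbox settings, and a 30-day preservation target ($MinimumRetentionDays) that is a placeholder for your own policy.

```powershell
# Added example (not from the original article): list Exchange Online mailboxes whose
# Recoverable Items window is at the default and that have no Litigation Hold, i.e. the
# mailboxes where purged mail will age out on the background timer described above.
# Assumes ExchangeOnlineManagement is installed and Connect-ExchangeOnline was already run.

$MinimumRetentionDays = 30   # assumed policy target; the Exchange Online default is 14 days

$report = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object {
        # RetainDeletedItemsFor is the Recoverable Items window; cast so the value
        # works whether it arrives as a TimeSpan or as its "14.00:00:00" string form
        $days = ([TimeSpan]$_.RetainDeletedItemsFor).TotalDays
        [pscustomobject]@{
            Mailbox           = $_.UserPrincipalName
            RetainDeletedDays = $days
            LitigationHold    = $_.LitigationHoldEnabled
            # At risk = no hold AND the window is shorter than the preservation target
            AtRisk            = (-not $_.LitigationHoldEnabled) -and ($days -lt $MinimumRetentionDays)
        }
    }

# Mailboxes where housekeeping will purge recoverable items before anyone collects them
$report | Where-Object AtRisk | Sort-Object Mailbox | Format-Table -AutoSize

# Remediation for a custodian mailbox (the UPN below is a placeholder):
# place the mailbox on hold so purged items are preserved regardless of the timer
#   Set-Mailbox -Identity 'custodian@example.com' -LitigationHoldEnabled $true
# or lengthen the window (Exchange Online caps RetainDeletedItemsFor at 30 days without a hold)
#   Set-Mailbox -Identity 'custodian@example.com' -RetainDeletedItemsFor 30
```

Run it as soon as a matter is anticipated; a mailbox that shows AtRisk today still has the 14-day window running against it.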
4. eDiscovery ≠ Digital Forensics
eDiscovery is about finding what was said. Digital Forensics is about proving how it happened. They answer different questions; don’t mistake a document review for a deep-dive investigation.
Think of a spreadsheet containing trade secrets. eDiscovery provides the document so you can read the “what”: the client list and pricing. Digital Forensics provides the “how,” revealing that an unauthorized USB drive was connected, that the spreadsheet in question was accessed from that USB drive minutes later, and that the copy of the spreadsheet on the laptop was then moved to the Recycle Bin, all telltale signs of insider risk exposure.
5. The clock is your biggest enemy
As the above examples illustrate, digital evidence is volatile. It changes or disappears in seconds. The longer you wait to collect, the higher the chance your “smoking gun” is overwritten forever.
Windows event logs have a finite size. Because they are configured to overwrite the oldest entries once they hit that size limit, history is constantly being erased to make room for current logs. If a security breach occurred six months ago and the system remained in use, the “smoking gun,” such as login timestamps or file access records, has almost certainly been overwritten by normal system activity.
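A quick way to see how far back a host’s logs actually reach before they wrap, as an added example that is not from the original article: it assumes an elevated PowerShell session on the host being assessed and a 90-day review window ($LookbackDays) that is a placeholder for your own requirement.

```powershell
# Added example (not from the original article): for each log, report its size cap,
# write mode and the age of the oldest surviving record, and flag logs whose retained
# history is shorter than the review window. Run elevated on the host being assessed.

$LookbackDays = 90                              # assumed review window, not a Windows default
$logs = 'Security', 'System', 'Application'

$coverage = foreach ($name in $logs) {
    $log = Get-WinEvent -ListLog $name -ErrorAction Stop
    # The oldest record still present: in a circular log, everything older is already gone
    $oldest = Get-WinEvent -LogName $name -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    $ageDays = if ($oldest) {
        [math]::Round(((Get-Date) - $oldest.TimeCreated).TotalDays, 1)
    } else { 0 }
    [pscustomobject]@{
        Log            = $name
        MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB, 1)
        Records        = $log.RecordCount
        Mode           = $log.LogMode           # Circular = oldest entries overwritten when full
        OldestDays     = $ageDays               # how much history this host really holds
        ShortOnHistory = $ageDays -lt $LookbackDays
    }
}

$coverage | Format-Table -AutoSize

# If the Security log wraps well inside the review window, raise its cap so it holds
# more history (2 GB below is an assumed value) and forward events to a collector,
# since a larger local log only delays overwriting rather than preventing it:
#   wevtutil sl Security /ms:2147483648
```

On a busy domain controller OldestDays for Security is often measured in hours, which is the point of the section above: collect first, then investigate.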
Summary
To navigate the complexities of today’s digital world, forensic investigations must account for five inescapable realities: traces of deleted data often remain, cloud and device data are rarely identical, automatic system updates can be just as destructive as a malicious wipe, surface-level eDiscovery is rarely enough to prove the “how” behind an event, and digital evidence is inherently volatile. Because of that volatility, organizations cannot afford to wait. Systems and processes change often, and best practices must follow suit: what is a permissible policy today may be very different from what is needed 90 days from now. One thing is clear: by acting quickly to capture both the content and the forensic context, you ensure that the digital footprint remains a reliable map of the truth rather than a fading memory overwritten by the system itself.
Dan Fuller is an experienced forensic investigator with over 15 years of expertise in digital evidence preservation, cybersecurity forensics, and regulatory compliance. He has assisted organizations in complex litigation, cybersecurity breaches, and insider risk management. You can reach out to him here if you have any questions or would like to discuss this topic.