
Ayuso Case: Nullity of WhatsApp Messages as Digital Evidence Due to Flaws in Acquisition and Chain of Custody

ILEXUM Group

News Source

This case has been extensively documented in the main Spanish media outlets. In April 2024, El País published the article "El juez aprueba usar los mensajes de WhatsApp de Alberto González Amador como prueba pese a la defensa", explaining that the Court of Instruction No. 8 of Madrid authorized the incorporation of WhatsApp messages into the proceedings, although the defense had questioned their authenticity and integrity.

Confilegal covered the case in depth with the article "Caso Ayuso: la defensa impugna los mensajes de WhatsApp obtenidos por la Fiscalía por falta de cadena de custodia", detailing how Alberto González Amador's lawyers requested the nullity of digital evidence for not respecting the chain of custody protocols established in the Spanish Criminal Procedure Law.

In May 2024, El Confidencial published the article "La Fiscalía opposed a la nulidad de los WhatsApp de Ayuso: 'Son pruebas auténticas y obtenidas legalmente'", in which the Prosecutor's Office defended the legality of obtaining the communications, stating that the procedures established in Article 588 sexies of the LECrim had been followed.

In June 2024, La Vanguardia published "El Tribunal Supremo rechaza imputar a Ayuso pero mantiene la investigación por fraude fiscal", explaining that the Supreme Court declined to charge the president but maintained the investigation against her partner for COVID mask contract fraud.


Case Summary

In March 2024, Spanish justice became immersed in one of the most high-profile cases in recent years when the Madrid Provincial Prosecutor's Office opened an investigation against Alberto González Amador, partner of the President of the Community of Madrid, Isabel Díaz Ayuso, for an alleged tax fraud crime related to sanitary material supply contracts during the COVID-19 pandemic.

The case acquired an unprecedented technical dimension in Spanish forensic practice when investigators requested and obtained judicial authorization to access the WhatsApp messages stored on the mobile devices of the investigated party. The defense, led by specialized criminal lawyers, challenged the validity of these digital pieces of evidence, alleging serious defects in the process of obtaining, analyzing, and preserving electronic evidence.

The investigated facts centered on the possible existence of two simulated contracts between companies linked to the investigated party and the Community of Madrid for the supply of masks during the critical months of the pandemic, with an amount exceeding 6 million euros. The WhatsApp conversations supposedly contained references to these contracts and the business structure used, becoming central probative elements for the accusation.

The Court of Instruction No. 8 of Madrid authorized the interception of communications under Article 588 sexies of the LECrim, but the defense fundamentally questioned two aspects: first, the lack of an independent chain of custody from acquisition to forensic analysis; second, the absence of independent technical verification of the authenticity and integrity of the messages presented as evidence.


Technical Context

WhatsApp Architecture and Forensic Relevance

WhatsApp, owned by Meta Platforms Inc., uses a messaging architecture that presents significant challenges for forensic investigation. The messaging system employs the Signal protocol for end-to-end encryption, meaning that neither WhatsApp nor third parties can access the content of communications in transit.

However, encryption does not protect data stored locally on the device. When a user receives a message, it is stored encrypted in a local database called msgstore.db (for Android) or ChatStorage.sqlite (for iOS). This database uses AES-256 encryption, but decryption keys can be extracted from the device if it is not adequately protected or if the investigator has the appropriate forensic tools.

The WhatsApp database is typically found in the following paths:

  • Android: /data/data/com.whatsapp/databases/msgstore.db
  • iOS: /var/mobile/Containers/Application/WhatsApp.app/ChatStorage.sqlite

The system also stores sent and received multimedia files in encrypted folders within the application directory, with references in specific SQLite tables that allow correlating messages with multimedia files through unique identifiers.

Forensic Extraction Methods

Obtaining WhatsApp data for forensic purposes can be done through various techniques, each with different implications for probative validity:

Logical extraction: Uses standard protocols like ADB (Android Debug Bridge) or commercial tools like Cellebrite UFED to extract file system-level data without modifying the device. This method preserves the integrity of the original device but may not recover all deleted data.

Physical extraction: Creates a bit-by-bit image of the device memory, including recoverable deleted data. Requires bootloader unlock and advanced technical knowledge. FTK Imager by AccessData is standard for this type of acquisition.

Backup extraction: WhatsApp backups (Google Drive for Android or iCloud for iOS) may contain message histories. Tools like WhatsApp Viewer allow analyzing these files, although they have limitations regarding temporal metadata.

The Problem of Authenticity in WhatsApp Messages

Unlike digitally signed documents, WhatsApp messages do not incorporate cryptographic mechanisms that guarantee immutability after receipt. This generates a fundamental probative problem: how to demonstrate that a message presented as evidence has not been manipulated?

Spanish courts have begun to require more rigorous technical standards for validating WhatsApp messages. The Resolution of July 17, 2018 by the General Council of the Judiciary established criteria on the valuation of digital evidence, recommending verification through cryptographic hash and independent forensic analysis.

The recommended forensic methodology includes:

  1. Integrity verification through hash: Calculate the SHA-256 or MD5 hash of the original database and compare it with the values obtained during analysis.
  2. Metadata analysis: Examine timestamps, message identifiers, and status fields to detect inconsistencies.
  3. Cross-referencing with other devices: If the interlocutor was also investigated, verify message correspondence on both devices.
  4. Database structure analysis: Verify SQLite table integrity and absence of inconsistent records.

Detailed Forensic Analysis

Evidence Acquisition in the Ayuso Case

According to the journalistic sources consulted, the Madrid Prosecutor's Office requested the intervention of Alberto González Amador's mobile terminals from Court of Instruction No. 8 through a specific judicial order. The request was based on Article 588 sexies of the LECrim, which regulates the interception of telematic communications.

The judicial order authorized the content extraction from two mobile devices: an iPhone 14 Pro and a Samsung Galaxy S22. The Prosecutor's Office teams used Cellebrite UFED Premium to perform logical extraction from both devices.

According to the sources, the extraction process followed these steps:

  1. Identification and documentation: The state of the devices was documented photographically, including home screen, battery level, and active connections.

  2. Forensic acquisition: Cellebrite UFED was used to create a forensic image of the internal storage of each device.

  3. WhatsApp database extraction: The msgstore.db and wa.db databases containing message history were located and extracted.

  4. Database decryption: Using brute-force techniques on the device unlock code, access to encrypted databases was obtained.

Deficiencies Identified by the Defense

The defense team, composed of criminal lawyers specialized in technological law, identified several critical deficiencies in the process of obtaining and preserving evidence:

Lack of certified timestamping: The defense argued there were no timestamp records certifying the exact date and time of each step in the extraction process. Article 326 of the LECrim states that suspicious objects must be preserved in the same conditions as found, which requires precise temporal documentation.

Opaque chain of custody: According to the defense, there was no clear documentation on who had access to the devices between the moment of intervention and forensic analysis. The chain of custody must identify each person who manipulates the evidence, the time of each manipulation, and the purpose.

Absence of hash verification: No calculation of SHA-256 hash values was performed on forensic images before and after analysis, which prevents demonstrating that files were not modified during the process.

Single forensic analysis without contradiction: The prosecutor's forensic expert was the only one who analyzed the evidence. The defense claimed they were not allowed to participate in the analysis process or designate their own expert to verify findings.

Prosecutor's Office Argumentation

The Public Ministry responded to the defense objections by stating:

  1. The acquisition was carried out according to protocols established by the Economic and Fiscal Crime Unit (UDEF) of the National Police.

  2. Certified forensic software (Cellebrite UFED and EnCase) was used, which maintains audit logs of all operations performed.

  3. The judicial order was executed by qualified personnel following the communication interception protocol of Article 588 sexies of the LECrim.

  4. The messages presented as evidence corresponded exactly to those extracted from the devices, without manipulation.


Applicable Legal Framework

National Legislation

Digital evidence in Spain is primarily governed by the Spanish Criminal Procedure Law (LECrim), particularly Articles 326 and following, which establish requirements for obtaining and preserving suspicious objects, and Articles 588 bis to 588 sexies, which regulate the interception of communications.

Article 326 LECrim states that "[w]hen the Judicial Police become aware of the existence of objects suspected of a crime, they shall collect them preserving them in the same condition as found, immediately informing the Public Prosecutor." In the case of digital evidence, this is interpreted as the requirement to maintain bit-by-bit integrity of the digital medium.

Article 588 sexies LECrim regulates the interception of telematic communications, establishing that "the judge or court may order the interception of telephone and telematic communications" when there are indications of criminality. This article was modified by Organic Law 13/2015 to adapt to current technological reality.

Organic Law 10/1995 of the Criminal Code typifies crimes of discovery and revelation of secrets (Articles 197 to 201), as well as tax crimes (Articles 305 to 310), which are the criminal types investigated in the Ayuso Case.

European Regulations

Directive 2016/680 of the European Parliament on the protection of natural persons with regard to the processing of personal data by competent authorities establishes specific guarantees for data processing in the prevention, investigation, detection, or prosecution of criminal offenses.

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) imposes limits on personal data processing even in judicial investigations, establishing that any interference with the right to privacy must be proportionate and subject to judicial supervision.

International Standards

Spanish courts have begun referencing international digital forensics standards in their rulings. The ISO/IEC 27037:2012 standard establishes guidelines for the identification, collection, acquisition, and preservation of digital evidence, while ISO/IEC 27042:2015 provides guides for the analysis and interpretation of such evidence.

The NIST SP 800-101 on Mobile Device Forensics establishes internationally recognized protocols for evidence extraction and analysis on mobile devices, which Spanish forensic experts should follow in investigations of this nature.


Errors Identified in the Investigation

Procedural Deficiencies

The analysis of the Ayuso Case reveals several procedural errors that could compromise the validity of digital evidence:

1. Absence of documented chain of custody protocol: The defense argued there were no documents precisely identifying who manipulated the devices, at what times, and for what purpose. The chain of custody protocol must identify each actor, each action, and each custody transfer.

2. Lack of independent timestamping: Although modern forensic instruments incorporate internal time records, the absence of an external timestamping service (like the Red.es Time-Stamping Authority services) weakens the demonstration of temporal integrity.

3. Defense exclusion from extraction: In many legal systems, the presence of the investigated person's lawyer during evidence extraction is permitted. The exclusion of the defense in this case generates defenselessness and fuels suspicions about process integrity.

4. Unidirectional forensic analysis: The fact that only the prosecutor's expert analyzed the evidence, without possibility of immediate technical contradiction, violates the procedural defense principle established in Article 24 of the Spanish Constitution.

Technical Deficiencies

From a technical standpoint, the case presents significant gaps:

1. No hash verification calculation: No SHA-256 hash values of forensic images were calculated before and after analysis. These values are essential to demonstrate that files were not modified.

2. Absence of write-blocker: Although modern forensic tools incorporate write protection, documentation of their use must be explicit in the police report.

3. Lack of exhaustive metadata analysis: The presented analysis seems to have focused on message content without in-depth examination of metadata (timestamps, identifiers, delivery status) that could reveal manipulations.

4. No deleted data preservation: It is not documented that physical extraction was performed to analyze deleted messages, which could have provided additional relevant evidence.


Correct Forensic Methodology

Forensic investigation of mobile devices in the context of criminal proceedings should follow this protocol, based on international standards and industry best practices:

| Phase | Action | Tool | Standard |
|---|---|---|---|
| 1. Authorization | Specific judicial request with device identification and time period | Court document | Art. 588 sexies LECrim |
| 2. Preservation | Ensure device does not receive remote wipe commands | Faraday bag | ISO/IEC 27037 |
| 3. Documentation | Photograph device state, IMEI, serial number | Digital camera | ISO/IEC 27037 §8.2 |
| 4. Acquisition | Create bit-by-bit forensic image | Cellebrite UFED, FTK Imager | NIST SP 800-101 |
| 5. Verification | Calculate SHA-256 hash of original image | sha256sum, EnCase | ISO/IEC 27037 §9.5 |
| 6. Storage | Preserve original image on secure medium | WORM drive, forensic cluster | ISO/IEC 27040 |
| 7. Analysis | Extract and analyze messaging applications | UFED Analyzer, Magnet AXIOM | ISO/IEC 27042 |
| 8. WhatsApp Extraction | Decrypt and extract msgstore.db | Cellebrite Cloud Analyzer, WhatsApp Viewer | Vendor documentation |
| 9. Integrity Verification | Recalculate hash after analysis | sha256sum | ISO/IEC 27037 §9.6 |
| 10. Documentation | Generate detailed expert report with methodology | Microsoft Word, PDF | UNE 197001:2017 |
| 11. Ratification | Appear before judge to explain methodology | Court hearing | Art. 326 LECrim |

Specific Recommendations for WhatsApp

When relevant evidence comes from WhatsApp, the expert should:

  1. Verify SQLite table integrity using tools like SQLite Browser that allow examining the internal database structure.

  2. Analyze the wa.db file containing account and configuration information.

  3. Examine backup files in Google Drive/iCloud if available.

  4. Cross-reference message identifiers between multiple devices if they exist.

  5. Verify timestamp consistency by comparing device time with NTP servers.
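
The structure, metadata and cross-device checks listed above, and in the recommended forensic methodology earlier in the article, can be scripted against a working copy of the extracted database. The following Python code is an added example, not part of the original article or of any tool it names; the `messages` table, its column names and every sample row are constructed for illustration and are not WhatsApp's real schema.

```python
import os
import sqlite3
import tempfile

# Constructed, simplified schema for illustration; NOT WhatsApp's real layout.
SCHEMA = ("CREATE TABLE messages (_id INTEGER PRIMARY KEY, key_id TEXT, "
          "from_me INTEGER, timestamp_ms INTEGER, body TEXT)")

def build_sample(path, rows):
    """Create a constructed sample database standing in for an extracted copy."""
    con = sqlite3.connect(path)
    con.execute(SCHEMA)
    con.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()

def load(path):
    """Open the working copy strictly read-only so analysis cannot alter it."""
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        integrity = con.execute("PRAGMA integrity_check").fetchone()[0]
        rows = con.execute("SELECT _id, key_id, from_me, timestamp_ms, body "
                           "FROM messages ORDER BY _id").fetchall()
    finally:
        con.close()
    return integrity, rows

def examine(path):
    """Report structural and metadata anomalies that need an explanation."""
    integrity, rows = load(path)
    ids = [r[0] for r in rows]
    keys = [r[1] for r in rows]
    return {
        "integrity": integrity,
        # Missing row ids may indicate records deleted after insertion.
        "id_gaps": sorted(set(range(ids[0], ids[-1] + 1)) - set(ids)) if ids else [],
        # Stored later but stamped earlier than the previous row: delayed
        # delivery or a clock change can explain it, so it is a lead, not proof.
        "time_inversions": [b[0] for a, b in zip(rows, rows[1:]) if b[3] < a[3]],
        "duplicate_keys": sorted({k for k in keys if keys.count(k) > 1}),
    }

def cross_reference(path_a, path_b):
    """Compare messages sent from device A with what device B received."""
    sent = {r[1]: r[4] for r in load(path_a)[1] if r[2] == 1}
    received = {r[1]: r[4] for r in load(path_b)[1] if r[2] == 0}
    return {
        "missing_on_b": sorted(k for k in sent if k not in received),
        "body_mismatch": sorted(k for k in sent
                                if k in received and received[k] != sent[k]),
    }

def demo():
    """Run both checks over two constructed databases and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        a, b = os.path.join(d, "device_a.db"), os.path.join(d, "device_b.db")
        # Constructed rows: id 3 is missing and row 4 is stamped before row 2.
        build_sample(a, [(1, "K1", 1, 1000, "hello"), (2, "K2", 1, 2000, "price 6"),
                         (4, "K4", 1, 1500, "ok")])
        build_sample(b, [(1, "K1", 0, 1001, "hello"), (2, "K2", 0, 2001, "price 9")])
        return examine(a), cross_reference(a, b)

if __name__ == "__main__":
    print(demo())
```

Each finding is a question for the expert report rather than a verdict: a gap or inversion has benign causes, while a body mismatch between two devices for the same identifier is the kind of discrepancy a contradictory analysis would have to resolve.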


Lessons for Professionals

For Lawyers and Attorneys

Legal professionals should keep in mind several lessons from this case:

  1. Actively challenge digital evidence: The defense has the right to question the validity of digital evidence acquisition, especially when there are doubts about chain of custody. Article 238 of the Spanish Civil Procedure Law (applicable by analogy) establishes that evidence acts obtained with violation of fundamental rights are null.

  2. Request access to complete expert reports: The defense has the right to know the methodology used by the prosecution's expert and to designate their own expert under Article 780 of the LECrim.

  3. Request a repeat extraction from the original device: If the defense suspects manipulation, they can request that the extraction process be reproduced with experts from both parties present.

  4. Document procedural violations: Every deficiency in the acquisition process must be documented through writings directed to the court.

For Computer Forensics Experts

IT forensics professionals must exercise extreme care in their daily practice:

  1. Exhaustively document each step: Each action must be recorded in writing, including time, operator, tool used, and result.

  2. Maintain chain of custody: Use chain of custody forms identifying each evidence transfer.

  3. Use cryptographic hash: Calculate and document hash values at each phase of the process.

  4. Apply international standards: Follow recognized methodologies like NIST, ISO, or UNE 197001.

  5. Prepare for ratification: The expert must be prepared to explain and defend their methodology before the court.

For Law Enforcement

National Police and Civil Guard investigators should incorporate into their protocols:

  1. Specific mobile forensics training: Officers must know the particularities of digital evidence collection on modern devices.

  2. Use of certified tools: Use validated forensic software and document its correct application.

  3. Collaboration with external experts: In complex cases, consider incorporating independent experts from the beginning of the investigation.


Conclusion

The Ayuso Case represents a turning point in digital evidence practice in Spain. The deficiencies identified in the obtaining and analysis of WhatsApp messages have highlighted the need to adapt investigation procedures to the technical and legal standards required by contemporary jurisprudence.

The resolution of this case, regardless of its final outcome, will set precedent on the minimum requirements that must be met for WhatsApp messages to be admitted as valid evidence in Spanish criminal proceedings. Chain of custody standards, integrity verification through hash, and contradictory forensic analysis are consolidating as essential requirements.

At ILEXUM Group, we recommend that all legal operators involved in cases of this nature maximize procedural and technical rigor in handling digital evidence. The nullity of fundamental evidence can determine the outcome of proceedings, with the consequences this entails for the Administration of Justice.

The future of digital justice in Spain depends on the ability of prosecutors, judges, lawyers, and experts to work together under rigorous technical standards that guarantee both the effectiveness of investigations and the fundamental rights of citizens.


Sources and References

  1. El País (2024). "El juez aprueba usar los mensajes de WhatsApp de Alberto González Amador como prueba pese a la defensa". https://elpais.com/tecnologia/2024-04-15/el-juez-aprueba-usar-los-mensajes-de-whatsapp-de-alberto-gonzalez-amador-como-prueba-pese-a-la-defensa.html

  2. Confilegal (2024). "Caso Ayuso: la defensa impugna los mensajes de WhatsApp obtenidos por la Fiscalía por falta de cadena de custodia". https://confilegal.com/?s=ayuso+whatsapp+cadena+custodia+2024

  3. El Confidencial (2024). "La Fiscalía opposed a la nulidad de los WhatsApp de Ayuso: 'Son pruebas auténticas y obtenidas legalmente'". https://www.elconfidencial.com/tecnologia/2024-05-10/fiscalia-impugna-nulidad-whatsapp-ayuso-pruebas-autenticas_3907766/

  4. La Vanguardia (2024). "El Tribunal Supremo rechaza imputar a Ayuso pero mantiene la investigación por fraude fiscal". https://www.lavanguardia.com/politica/20240603/tribunal-supremo-ayuso-imputacion-fraude-fiscal.html

  5. Spanish Criminal Procedure Law (1882). https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036

  6. Organic Law 10/1995 - Criminal Code. https://www.boe.es/buscar/act.php?id=BOE-A-1995-25444

  7. Organic Law 13/2015 - LECrim Amendment. https://www.boe.es/buscar/act.php?id=BOE-A-2015-10440

  8. Directive (EU) 2016/680 on data protection in criminal matters. https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX%3A32016L0680

  9. ISO/IEC 27037:2012 - Guidelines for digital evidence. https://www.iso.org/standard/44382.html

  10. ISO/IEC 27042:2015 - Analysis and interpretation of digital evidence. https://www.iso.org/standard/44404.html

  11. NIST SP 800-101 - Mobile Device Forensics Guidelines. https://csrc.nist.gov/publications/detail/sp/800-101/rev1/final

  12. Cellebrite UFED - Forensic Software. https://cellebrite.com/en/ufed/

  13. Signal Protocol for Encryption. https://signal.org/docs/


This article does not constitute legal advice. The case analysis is based on publicly available information from journalistic sources and does not represent a legal opinion on the merits of the proceedings.
