News Source
The Koldo García case was extensively covered by major Spanish media outlets during 2024 and 2025. The following sources provide detailed information about the judicial proceedings and aspects related to digital evidence:
Confilegal published the article «La Audiencia Nacional ordena eliminar las escuchas del caso Koldo por defectos de forma» in January 2025, detailing how the court ordered the deletion of certain recordings because legal retention periods had not been respected. It also covered procedural aspects in «El instructor del caso Koldo archiva la causa contra el exministro Óscar Puente por falta de indicios».
El Confidencial reported, in «El Tribunal Supremo confirma la imputación de Koldo García por organización criminal en el caso de las mascarillas», the details of the Supreme Court's confirmation of the charges for criminal organization, specifically mentioning the importance of digital evidence obtained from mobile terminals.
El País covered the case in «Koldo García: así es la causa judicial que salpica al entorno de Óscar Puente», explaining the scope of the investigation and how intercepted communications constituted a central part of the evidence.
La Vanguardia published «La Audiencia Nacional libera a Koldo García de la causa de las alertas por prescripción», mentioning the procedural issues affecting the validity of certain evidence.
ABC reported, in «El caso Koldo: cronología de una investigación que sacude al Gobierno», the evolution of the case and the problems of justification (motivación) in the judicial orders.
Case Summary
The Koldo García case constitutes one of the most relevant judicial proceedings regarding political corruption in Spain during the period 2023-2026. The investigation, conducted by Central Court of Investigation No. 5 of the National Court, charged Koldo García—a former security officer of then-Transport Minister Óscar Puente—and other alleged members of a criminal organization dedicated to influence peddling in public contracting.
The main case concerned the alleged fraudulent obtaining of public contracts for the acquisition of sanitary equipment during the COVID-19 pandemic, specifically protective masks. However, the scope of the investigation later extended to other alleged corrupt activities.
The central forensic aspect of interest is that the investigation was fundamentally based on digital evidence: communications interceptions (including WhatsApp, Telegram, and SMS communications), mobile device analysis, and forensic extractions of telephone terminals. During the proceedings, various judicial orders identified formal and technical defects affecting the validity of this evidence, particularly regarding chain of custody and procedures for obtaining and analyzing digital evidence.
The resolution of January 15, 2025 by the Criminal Chamber of the National Court ordered the deletion of certain phone interceptions due to formal defects in their justification, generating a significant impact on the prosecutorial strategy. This scenario makes the Koldo García case essential for understanding the standards required in digital forensic practice in Spanish judicial proceedings.
Technical Context
Modern Communications Architecture
The forensic analysis of electronic communications in the Koldo García case required examining multiple platforms and communication protocols, each with specific technical characteristics that determine valid preservation and extraction procedures.
WhatsApp, owned by Meta, uses an XMPP-based messaging architecture extended with end-to-end encryption via the Signal protocol. Messages are stored locally in SQLite databases called msgstore.db (on Android) or ChatStorage.sqlite (on iOS), alongside multimedia files in encrypted folders. Integrity verification requires analyzing the SQLite journal files and the local backups.
Telegram uses the MTProto protocol for its communications, with client-server encryption and end-to-end encryption options for secret chats. Data is stored in SQLite databases called telegramData.db and separate cache files. The technical particularity of Telegram is that messages can synchronize across multiple devices via cloud infrastructure, which complicates determining the exact scope of recoverable evidence.
SMS and MMS use SS7 and MAP protocols for transmission, storing messages in the mmssms.db database on Android devices or specific binary files on iOS. Telecom operators retain copies of these messages in their network management and billing systems, accessible by judicial order.
Chain of Custody in Cloud Environments
A critical technical aspect in the case was the cloud nature of certain services. Apple iCloud and Google Drive store backups of messaging applications, including WhatsApp and Telegram, encrypted with keys derived from the user's Apple ID or Google account. Forensic extraction of this data requires:
- Obtaining the corresponding judicial order to the provider (Apple or Google)
- Requesting account metadata and authentication tokens
- Analyzing provider access logs (account logs, security logs)
- Reconstructing the activity timeline through server log analysis
ISO/IEC 27037:2012 and ISO/IEC 27042:2015 standards establish guidelines for handling digital evidence in cloud environments, requiring exhaustive documentation of each step in the acquisition process.
Detailed Forensic Analysis
Evidence Obtaining Phase
The investigation began following a complaint by the Anti-Corruption Prosecutor's Office that triggered the opening of criminal investigation proceedings. Central Court of Investigation No. 5 ordered various investigation measures, including:
Phone Interceptions: Interceptions of phone lines assigned to Koldo García and other defendants were authorized by the Supreme Court (given the parliamentary status of then-Minister Óscar Puente). Practical execution was carried out by the National Intelligence Center (CNI) and the General Police Judicial Commissariat.
The judicial order specified the target phone numbers, interception time intervals, and specific aspects to investigate. However, as the National Court itself would later acknowledge, successive interceptions did not always specify with sufficient precision the temporal framework and specific objectives.
Forensic Device Extractions: Mobile devices of defendants were seized through home searches. Forensic extraction was performed using Cellebrite UFED in versions 7.5 and 8.0, complemented by Magnet AXIOM Cyber for cloud artifact analysis.
Analyzed devices included:
- iPhone 14 Pro and iPhone 13 Pro Max (iOS 16.x-17.x)
- Samsung Galaxy S22 Ultra and S23 Ultra (Android 13-14)
- Xiaomi devices with MIUI 14
Critical Findings in the Analysis
Forensic analysis of devices allowed recovery of:
WhatsApp Messages: Approximately 15,000 relevant messages were extracted from devices, including WhatsApp group communications related to commercial activity coordination and public contract management.
Telegram Communications: Private and group chats were recovered, with an estimated volume of 8,000 potentially relevant messages.
Emails: Gmail and Outlook accounts synchronized on devices provided documentary evidence of commercial communications.
Location Metadata: GPS location records and WiFi network connections established the physical presence of devices at specific times and places.
Technical Problems Identified
However, the defense-ordered forensic analysis identified several critical problems:
Lack of Initial Integrity Verification: Forensic images of devices were not verified using cryptographic hashes (SHA-256 or MD5) at the time of acquisition, making it impossible to prove that no modification occurred afterwards.
Absence of Chain of Custody Documentation: Chain of custody forms did not specify in sufficient detail the storage conditions, accesses performed, or users who manipulated the devices at each moment.
Temporal Inconsistencies: Timestamps of extracted files showed discrepancies between device time and universal time (UTC), without documentation about the timezone configuration at the time of acquisition.
Incomplete Cloud Data Extraction: Forensic extraction did not adequately include data stored in iCloud and Google Drive, omitting backups and synchronized messages that would have been available in the cloud.
Applicable Legal Framework
Spanish Criminal Procedure Law
The obtaining of digital evidence in the Koldo García case was governed by the provisions of the Law of Criminal Procedure (LECrim), particularly:
Article 588 bis a): Establishes the circumstances under which telephone and telematic communication interceptions can be ordered, requiring reasonable indications of criminality and proportionality.
Article 588 ter c): Regulates entry and home searches for crime investigation, including seizure of electronic devices and their examination.
Article 326: Defines the requirements for valid evidence, including the need for respect for fundamental rights and observance of procedural guarantees.
The Constitutional Court has developed extensive jurisprudence on the limits to communication interventions, establishing that:
- Judicial interception resolutions must be sufficiently justified
- Temporal extension must be proportional and limited
- Renewals require new specific justification
- The scope of interception cannot exceed what is expressly authorized
European Regulations and International Standards
Digital forensic activity must align with international standards for digital evidence handling. EU Regulation 2022/2065 on a Single Market for Digital Services (Digital Services Act) establishes transparency obligations affecting the obtaining of data from service providers.
ISO/IEC 27037:2012 provides guidelines for the identification, collection, preservation, and transport of digital evidence. Similarly, ISO/IEC 27042:2015 establishes methods for the analysis and interpretation of digital evidence.
NIST SP 800-101, the guidelines on mobile phone forensics, offers technical guidance that, although of US origin, constitutes an internationally recognized reference.
Relevant Jurisprudence
The Supreme Court has established in various judgments (notably STS 197/2014) that evidence obtained with violation of fundamental rights must be considered null, and cannot even be used to form the court's conviction.
The jurisprudence of the European Court of Human Rights (ECHR) is equally relevant, particularly the judgment in the case Dragojević v. Croatia which established that evidence exclusion must be effective and not merely formal.
Errors Identified in the Investigation
Defects in Judicial Authorization
Analysis of the proceedings reveals several significant errors that compromised the validity of digital evidence:
1. Insufficient Justification of Interception Orders: Successive orders authorizing the renewal of interceptions did not explain in sufficient detail the reasons justifying the continuation of the measure. The National Court identified that certain orders merely reproduced the initial justification without updating the proportionality analysis.
2. Excess in Temporal Scope: Some interceptions continued beyond what was strictly necessary according to the evidence that emerged, accumulating communications unrelated to the investigation.
3. Lack of Precise Delimitation of Objectives: Judicial orders did not specify with sufficient precision which phone lines or communication accounts were subject to interception, generating confusion about the scope of the measure.
Technical Execution Failures
4. Absence of Forensic Acquisition Protocol: Agents who performed the seizure of mobile devices did not follow standardized forensic acquisition protocols, omitting:
- Photographic documentation of the device state at the time of seizure
- Active connections (WiFi, Bluetooth) documentation
- Verification of hashes before and after extraction
- Blocking of devices to prevent remote modifications
5. Inadequate Storage: Seized devices were not stored in Faraday bags that would block connectivity, with risk of remote access or data modification during the period prior to forensic extraction.
6. Lack of Segregation of Duties: The same agents performed both the seizure and forensic analysis, without separation of functions that would guarantee independence of tasks.
Documentation Problems
7. Incomplete Chain of Custody Records: Chain of custody forms did not include:
- Complete identification of all persons who manipulated the devices
- Precise timestamps of each manipulation
- Description of actions performed in each access
- Signature of receipt and delivery in each transfer
8. Absence of Analysis Logs: The forensic analysis process was not documented using logs of tools used, commands executed, or findings obtained in real time.
Correct Expert Methodology
The following table presents the action protocol that should have been followed in the Koldo García investigation, aligned with international standards and best forensic practice:
| Phase | Action | Tool | Standard/Reference |
|---|---|---|---|
| 1. Preservation | Device isolation in Faraday bag | RF Shield Bags | ISO/IEC 27037:2012 §8.3 |
| 2. Documentation | Photography of initial state, active connections, screen | Calibrated digital camera | ISO/IEC 27037:2012 §9.2 |
| 3. Acquisition | Bit-by-bit forensic image creation | FTK Imager, dd + dc3dd | ISO/IEC 27037:2012 §10.2 |
| 4. Verification | SHA-256 hash calculation before and after copy | hashdeep, sha256sum | ISO/IEC 27037:2012 §11.1 |
| 5. Storage | Custody in secure location with access control | Evidence management system | ISO/IEC 27037:2012 §12 |
| 6. Logical Extraction | Data recovery from file system | Cellebrite UFED, Oxygen Forensic | NIST SP 800-101 §4.2 |
| 7. Physical Acquisition | Complete flash memory acquisition | JTAG, chip-off (if necessary) | NIST SP 800-101 §4.3 |
| 8. Cloud Analysis | Data request to providers with judicial order | Cloud modules of tools | ISO/IEC 27042:2015 §7 |
| 9. Artifact Analysis | Examination of applications, metadata, deleted data | Magnet AXIOM, Autopsy | ISO/IEC 27042:2015 §8 |
| 10. Documentation | Detailed expert report preparation | Standardized templates | ISO/IEC 27042:2015 §10 |
Detail of Critical Phases
Acquisition Phase: Forensic imaging must be performed via bit-by-bit copy of the device storage, creating an image file exactly identical to the original device. Acquisition tools must verify the integrity of the storage device before proceeding.
Verification Phase: Cryptographic hash calculation must be performed immediately after acquisition and before any analysis. These hashes must be documented in the expert report and can be verified at any later time to demonstrate that evidence has not been modified.
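As an added illustration (not code from the article or from any tool it names), the following Python sketch models the record that the verification phase and the chain-of-custody findings above call for: a streamed SHA-256 fixed at acquisition, timezone-aware UTC timestamps with the device's own zone recorded separately, custody entries that are rejected unless handler, action, timestamp and signature are all present, and a re-verification that exposes a later one-byte change to the image. The device label, examiner names, signatures and image bytes are constructed for the demonstration.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so multi-gigabyte images need not fit in memory


def sha256_file(path):
    """Streamed SHA-256 of an image file: the value fixed at acquisition (phase 4)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def utc_now():
    """Timezone-aware UTC timestamp; the device's own zone is recorded separately."""
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


class CustodyRecord:
    REQUIRED = ("who", "action", "timestamp_utc", "signature")

    def __init__(self, image_path, device_label, device_timezone, acquired_by, signature):
        self.image_path = Path(image_path)
        self.data = {
            "device": device_label,
            "device_timezone_at_acquisition": device_timezone,  # settles UTC vs local time later
            "acquisition_sha256": sha256_file(self.image_path),
            "entries": [],
        }
        self.log("acquisition and initial hash", acquired_by, signature)

    def log(self, action, who, signature):
        """Append a handling entry; an entry missing any required field is rejected."""
        entry = {"who": who, "action": action, "timestamp_utc": utc_now(), "signature": signature}
        missing = [k for k in self.REQUIRED if not entry.get(k)]
        if missing:
            raise ValueError(f"incomplete custody entry, missing {missing}")
        self.data["entries"].append(entry)

    def verify(self, who, signature):
        """Re-hash the image and log the outcome; True only if it matches acquisition."""
        current = sha256_file(self.image_path)
        ok = current == self.data["acquisition_sha256"]
        self.log("hash verification: " + ("match" if ok else "MISMATCH " + current), who, signature)
        return ok


def run_demo():
    """Constructed scenario: the image verifies intact, then a one-byte change is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        img = Path(tmp) / "device.img"  # constructed stand-in for a forensic image
        img.write_bytes(b"\x00" * 4096 + b"CONSTRUCTED SAMPLE IMAGE" + b"\xff" * 4096)
        rec = CustodyRecord(img, "device A (constructed)", "Europe/Madrid", "examiner-1", "sig-1")
        rec.log("sealed in RF-shielded bag, stored in evidence locker", "examiner-1", "sig-2")
        intact = rec.verify("examiner-2", "sig-3")
        with open(img, "r+b") as f:  # simulate an undocumented post-acquisition write
            f.seek(4096)
            f.write(b"X")
        tampered = rec.verify("examiner-2", "sig-4")
        return intact, tampered, rec.data["entries"]
```

Every verification is itself logged as a custody entry, so the record shows not only that the hash still matches but who checked it and when.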
Cloud Analysis Phase: For data stored in the cloud (iCloud, Google Drive, Dropbox), the expert must request the court to issue judicial orders to providers under Article 588 bis f) LECrim. Data obtained directly from the provider complements but does not replace local acquisition.
Lessons for Professionals
For Prosecutors and Investigating Judges
Directing investigations involving digital evidence requires special attention to the following aspects:
Supervision of Obtaining Procedure: It is not enough to authorize the measure; it is necessary to supervise that execution is carried out according to required technical standards. Failure to verify chain of custody can result in subsequent declaration of evidence nullity.
Specific and Updated Justification: Interception and search orders must be specifically justified, updating the proportionality analysis in each renewal. Generic formulas may later be declared null.
Cooperation with Specialized Experts: The participation of computer experts from the early stages of investigation allows designing evidence-obtaining strategies that preserve its integrity.
For Defense Lawyers
Independent Expert Analysis: Challenging digital evidence requires independent technical analysis that identifies defects in chain of custody, acquisition, or analysis. This analysis must be performed by qualified experts with experience in the type of device and application involved.
Burden of Proof on Integrity: Once the integrity of digital evidence is challenged, it corresponds to the prosecution to demonstrate that appropriate protocols were followed. Inadequate chain of custody documentation can be fatal for evidence valuation.
Exploration of Alternative Avenues: Besides direct challenge, there are alternative avenues such as requesting nullity of underlying actions (Article 238 LOPJ) or evidentiary exclusion due to fundamental rights violations.
For Computer Forensic Experts
Exhaustive Documentation: The entire expert process must be documented with sufficient detail to allow reproduction. Work diaries must record each action, tool used, and result obtained.
Standard Compliance: Adherence to international standards (ISO/IEC 27037, 27042, 27043) not only improves work quality but strengthens the validity of conclusions before courts.
Continuing Education: Technologies evolve constantly. Experts must maintain updated knowledge on new platforms, communication protocols, and forensic extraction techniques.
Conclusion
The Koldo García case represents an essential reference in Spanish jurisprudence on digital evidence and chain of custody. The resolutions by the National Court that ordered the deletion of certain phone interceptions due to formal defects confirm that Spanish courts require technical and procedural rigor in obtaining and handling digital evidence.
For professionals in the sector, this case demonstrates several fundamental principles:
First, the importance of documentation from the initial moment of evidence obtaining. The absence of adequate chain of custody records compromises evidence valuation, even when the investigated facts may be true.
Second, the need for technical specialization in investigations involving digital communications. Interception and forensic extraction tools require specific knowledge that must be present from the design of the investigation strategy.
Third, the relevance of judicial justification. Orders authorizing technological investigation measures must be specific and updated, avoiding generic formulas that may later be declared null.
At ILEXUM Group, we continue to monitor the jurisprudential evolution of these cases, providing specialized technical analysis to help courts, prosecutor's offices, and defenses understand the technical aspects of digital evidence. Collaboration between legal and forensic technical professionals is the path to ensuring that justice is administered with full respect for procedural and technical guarantees.
Sources and References
Confilegal (2025): «La Audiencia Nacional ordena eliminar las escuchas del caso Koldo por defectos de forma». https://confilegal.com/?s=audiencia+nacional+caso+koldo+escuchas
Confilegal (2025): «El instructor del caso Koldo archiva la causa contra el exministro Óscar Puente por falta de indicios». https://confilegal.com/?s=caso+koldo+oscar+puente+archivo
El Confidencial: «El Tribunal Supremo confirma la imputación de Koldo García por organización criminal en el caso de las mascarillas». https://buscador.elconfidencial.com/?q=caso+koldo+mascarillas+supremo
El País: «Koldo García: así es la causa judicial que salpica al entorno de Óscar Puente». https://elpais.com/noticias/caso-koldo/
ABC: «El caso Koldo: cronología de una investigación que sacude al Gobierno». https://www.abc.es/nacional/caso-koldo-cronologia-investigacion-gobierno-20240315.html
Law of Criminal Procedure (LECrim). https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036
ISO/IEC 27037:2012 - Guidelines for identification, collection, acquisition and preservation of digital evidence. https://www.iso.org/standard/44381.html
ISO/IEC 27042:2015 - Guidelines for analysis and interpretation of digital evidence. https://www.iso.org/standard/54856.html
NIST SP 800-101 - Guidelines on Mobile Phone Forensics. https://csrc.nist.gov/publications/detail/sp/800-101/final
Cellebrite UFED - Forensic Platform. https://cellebrite.com/en/ufed/
Magnet AXIOM Cyber - Digital Forensics Platform. https://www.magnetforensics.com/products/magnet-axiom-cyber/
European Court of Human Rights - Judgment Dragojević v. Croatia. https://hudoc.echr.coe.int/eng
ILEXUM Group - Computer Forensics Services. https://ilexumgroup.com/en/services
ILEXUM Group - Forensic Methodology. https://ilexumgroup.com/en/methodology
ILEXUM Group - Forensic Technology. https://ilexumgroup.com/en/technology
Legal Notice: This article is for informational purposes and does not constitute legal advice. The described situations are based on publicly available information and the technical analysis presented is indicative. For specific cases, consult with qualified professionals.