
Spanish Supreme Court Rules No Computer Forensics Required to Validate Telegram Chats in Fraud Conviction (STS 3423/2023)

ILEXUM Group

News Source

This case was thoroughly documented and analyzed by several specialized legal and digital forensic media outlets in Spain. In March 2024, Confilegal published the article «El Tribunal Supremo establece que no es necesaria pericial informática para validar capturas de Telegram en casos de estafa», explaining how the Second Chamber of the Supreme Court dismissed the defense's appeal and confirmed the conviction, rejecting the argument that Telegram screenshots were insufficient evidence without a forensic computer report certifying their authenticity.

Additionally, Legal Today covered the news in April 2024 with the report «El Supremo avala la validez de las capturas de Telegram como prueba sin necesidad de informe pericial», detailing that the court argued external evidence —such as temporal coherence, the relationship between sender and receiver, and correspondence with other evidentiary elements— could compensate for the absence of a forensic analysis of the device.

The portal Economist & Jurist published in May 2024 the analysis «STS sobre chats de Telegram: la prueba indiciaria basta para acreditar autenticidad», emphasizing the importance of the ruling as precedent for future proceedings where instant messaging plays a central role in criminal evidence.

Case Summary

The facts take place in criminal proceedings before a Criminal Court in a Spanish province, where the defendant was convicted of continued fraud (article 248 and subsequent of the Spanish Penal Code) related to the fraudulent marketing of non-existent financial products. The primary incriminating evidence consisted of a set of Telegram conversation screenshots between the defendant and the victims, detailing the fraudulent investment offers, payment instructions, and promises of extraordinary returns.

The defense, in its appeal before the corresponding Provincial Audience, argued that the Telegram screenshots had been obtained directly from the victims' devices without the intervention of a computer forensics expert, without respecting the chain of custody (article 326 of the Law of Criminal Procedure), and without forensic analysis to verify file integrity or the absence of manipulation. The defense requested that the appeal be dismissed and the sentence confirmed.

The case ultimately reached the Supreme Court through an appeal in criminal proceedings, where the defense maintained its position: the lack of computer forensics constituted an evidentiary defect affecting the right to effective judicial protection and the presumption of innocence. However, the Second Chamber of the Supreme Court dismissed the appeal, establishing a significant precedent: under certain circumstances, concurrent evidence may be sufficient to prove the authenticity of digital conversations, without a computer forensics report being strictly necessary.

Technical Context

Telegram Architecture and Data Storage

Telegram is an instant messaging application owned by Telegram Messenger Inc., founded by Pavel Durov, that uses a client-server architecture with optional encryption features. To understand the forensic challenges of this platform, it is essential to analyze how Telegram stores and manages data:

Local storage (mobile device):

  • On Android devices, Telegram stores data in /data/data/com.telegram.messenger/files/ or on the SD card in Android/data/com.telegram.messenger/files/. The main database is an encrypted SQLCipher file called telegram.db or cache4.db.
  • On iOS devices, data is stored in the application directory within the system sandbox, accessible only through jailbreak or forensic extraction using tools like Cellebrite UFED or GrayKey.
  • Received images and videos are stored in numbered folders (files/1/, files/2/, etc.) within the application directory.

Cloud synchronization:

  • Telegram offers cloud storage through its «Telegram Cloud» function, allowing users to access their messages from multiple devices.
  • Secret chats use end-to-end encryption through the MTProto protocol and are not stored on Telegram servers; they only exist on the participants' devices.
  • Normal chats are stored on Telegram servers encrypted, but the company can decrypt them if it receives a valid court order.

Database format:

  • Telegram uses a proprietary format based on SQLite but modified, with tables such as messages, users, chats, dialogs, and media.
  • Deleted messages can be partially recovered from the telegram.db file if complete overwriting has not occurred, using tools like FTK Imager or Autopsy.

Screenshots versus Forensic Extraction

The fundamental difference between a screenshot and a forensic extraction lies in the level of integrity guarantee:

| Aspect | Screenshot | Forensic Extraction |
|---|---|---|
| Method | Photograph of the device screen | Bit-by-bit acquisition using specialized tools |
| Integrity | Easily manipulable with editing tools | Cryptographic hashes (SHA-256, MD5) guaranteeing integrity |
| Metadata | Limited to system date/time | EXIF metadata, creation timestamps, GPS coordinates if enabled |
| Chain of custody | Not documented | Documented step-by-step according to ISO/IEC 27037 |
| Evidentiary value | Requires additional evidence | Strong presumptions of authenticity |

In the case at hand, the Telegram screenshots were made by the victims themselves on their personal devices, without following a forensic acquisition protocol. This generated the central debate about their validity as evidence.

Detailed Forensic Analysis

Analysis of Digital Evidence Presented

The Supreme Court ruling revealed that the digital evidence against the defendant consisted of:

  1. Telegram conversation screenshots: twenty-three JPEG images showing the message exchange between the defendant and the victims, including:

    • Descriptions of the financial products offered
    • Detailed instructions for making bank transfers
    • Documented promises of annual returns of 15-25%
    • References to false documentation (investment contracts, certificates)
  2. Bank transfer receipts: bank documents verifying payments made by the victims, temporally correlated with the Telegram messages.

  3. Victim witness statements: eight statements confirming the identity of the interlocutor in the chats and the nature of the communications.

Technical Analysis of Screenshots

Although a formal computer forensics report was not conducted, the Public Prosecutor's Office provided a non-expert technical report analyzing the screenshots under basic authenticity criteria:

  • Temporal coherence: Message timestamps were consistent with the dates of the documented bank transfers.
  • Narrative continuity: The conversations followed a logical sequence spanning a six-month period, from initial contact to fraud detection.
  • Inter-evidentiary correlation: Each message referring to a monetary amount or payment instruction had its correlate in the accompanying bank receipts.
  • Sender identity: The phone number associated with the Telegram account matched the number declared by the defendant in his commercial documentation.
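
The temporal-coherence and inter-evidentiary checks listed above can be made repeatable. The following is an added example, not part of the prosecution's report or of the original article: the messages, transfers, the 5-day window and the function name correlate are constructed assumptions used only to show the matching logic.

```python
import re
from datetime import datetime, timedelta
from decimal import Decimal

# Constructed sample data (not taken from the case file).
MESSAGES = [
    ("2023-01-10T09:15:00", "Transfer 5000 EUR to the account I sent you"),
    ("2023-02-03T18:40:00", "Second tranche: 12000 EUR, same account"),
    ("2023-03-21T11:05:00", "Send 3000 EUR today to lock the 20% return"),
    ("2023-04-02T10:00:00", "Your certificate is on its way"),
]
TRANSFERS = [  # (value date, amount) as they would appear on bank receipts
    ("2023-01-11", "5000.00"),
    ("2023-02-06", "12000.00"),
    ("2023-05-30", "3000.00"),
]

# Amount followed by a currency marker; sample amounts carry no
# thousands separators, so none are handled here.
AMOUNT_RE = re.compile(r"(\d+(?:[.,]\d{1,2})?)\s*(?:EUR|€)", re.IGNORECASE)


def correlate(messages, transfers, window_days=5):
    """Pair each message that states an amount with an unused transfer of the
    same amount dated 0..window_days after the message.

    Returns (report, orphans): one report row per amount-bearing message,
    and the transfers that no message accounts for.
    """
    pool = [(datetime.fromisoformat(d).date(), Decimal(a)) for d, a in transfers]
    used, report = set(), []
    for ts, text in messages:
        found = AMOUNT_RE.search(text)
        if not found:
            continue  # message states no amount, nothing to correlate
        sent = datetime.fromisoformat(ts).date()
        amount = Decimal(found.group(1).replace(",", "."))
        match = None
        for i, (when, value) in enumerate(pool):
            gap = when - sent
            in_window = timedelta(0) <= gap <= timedelta(days=window_days)
            if i not in used and value == amount and in_window:
                match = i
                used.add(i)
                break
        report.append({
            "message_time": ts,
            "amount": amount,
            "transfer": transfers[match] if match is not None else None,
        })
    orphans = [t for i, t in enumerate(transfers) if i not in used]
    return report, orphans


if __name__ == "__main__":
    rows, orphans = correlate(MESSAGES, TRANSFERS)
    for row in rows:
        print(row["message_time"], row["amount"], "->", row["transfer"])
    print("transfers without a matching message:", orphans)
```

A match shows only that the screenshot content is consistent with independent bank records; unmatched rows and orphan transfers are the items an examiner would need to explain.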

Limitations of the Analysis

The Supreme Court explicitly recognized the limitations of the evidence:

"Screenshots, by their nature, are static reproductions that can be manipulated through image editing software. However, in this specific case, the concurrence of external evidence —testimony, bank documents, temporal coherence— allows overcoming reasonable doubt about their authenticity."

This ruling has been criticized by digital forensics experts, who argue that an adequate forensic analysis would have included:

  • Verification of image EXIF metadata
  • Analysis of file structure to detect manipulation indicators
  • Examination of the original device to verify Telegram database integrity
  • Application of standards such as NIST SP 800-101 on mobile device forensics

Applicable Legal Framework

National Legislation

Digital evidence in Spain is governed by a fragmented legal framework combining the Law of Criminal Procedure (LECrim) with specific regulations on data protection and communications:

Article 326 LECrim — Communication interception:

"The breaking of the chain of custody in obtaining digital evidence may result in its nullity, according to the constitutional doctrine established in STC 70/2002."

This article establishes procedures for intercepting communications, although its application to messaging applications like Telegram has been subject to restrictive interpretation by courts.

Article 11 LOPDGDD (Organic Law on Data Protection and Digital Rights Guarantee):

"Personal data obtained for criminal investigation purposes shall be processed exclusively for the investigation purposes in question."

This regulation is relevant because it governs the processing of personal data obtained in the context of criminal proceedings, including data extracted from mobile devices.

Articles 248 et seq. of the Penal Code — Fraud crimes:

The basic type of fraud (article 248.1 PC) requires:

"That to obtain a benefit for oneself or for a third party, they induce another person into error by deception, disposing of their assets."

In the analyzed case, the existence of Telegram conversations documenting the false representations constituted direct evidence of the subjective element of the crime.

Relevant Case Law

The Supreme Court has developed a line of jurisprudence on the assessment of digital evidence:

  • STS 154/2016: Established that WhatsApp screenshots can constitute valid evidence if authenticity guarantees are met.
  • STS 232/2018: Clarified that the chain of custody is essential for assessing electronic evidence, but does not constitute an absolute formal requirement whose omission automatically results in nullity.
  • STS 3423/2023 (case at hand): Confirmed that concurrent evidence can compensate for the absence of computer forensics in certain circumstances.

International Standards

The resolution expressly mentions the application of international digital evidence management standards, although not in a binding manner:

  • ISO/IEC 27037:2012: Guidelines for identification, collection, acquisition, and preservation of digital evidence.
  • ISO/IEC 27042:2015: Guidelines for analysis and interpretation of digital evidence.
  • UNE 71505-1:2013: Spanish standard on requirements for digital forensics laboratories.

Errors Identified in the Investigation

Deficiencies in Evidence Acquisition

Although the Supreme Court validated the evidence, a critical analysis reveals significant errors that could have compromised the conviction under other circumstances:

  1. Absence of forensic device extraction: Victims provided screenshots taken directly from their phones, without forensic acquisition of the devices using tools like Cellebrite UFED, MSAB XRY, or Oxygen Forensic Detective.

  2. No chain of custody documentation: There is no record that a custody protocol was established covering the period from the moment the screenshots were obtained to their presentation in court, violating the requirements of article 326 LECrim.

  3. Lack of metadata verification: Image EXIF metadata was not analyzed to verify creation date, device used, or possible manipulation indicators.

  4. No verification of Telegram account: No request was made to Telegram (through an international court order, given that it is a company based in Dubai) for connection logs or account logs to confirm activity from the defendant's IP.

  5. Absence of defendant device analysis: Although victims provided their devices, the defendant's phone was not examined to verify if conversations were present in his Telegram history.

Implications of These Errors

These errors, which in other jurisdictions would have resulted in evidence exclusion, were compensated in this case by the strength of the circumstantial evidence. However, they represent a significant procedural risk that could have resulted in acquittal.

Correct Expert Methodology

To avoid the deficiencies identified in the present case, ILEXUM Group recommends the following forensic methodology based on international standards:

| Phase | Action | Tool | Standard |
|---|---|---|---|
| 1. Preservation | Forensic acquisition of mobile device | Cellebrite UFED or MSAB XRY | ISO/IEC 27037, NIST SP 800-101 |
| 2. Extraction | Telegram data extraction (SQLCipher) | Magnet AXIOM Cyber | ISO/IEC 27042 |
| 3. Analysis | Analysis of telegram.db database | Autopsy + Telegram plugins | UNE 71505-1 |
| 4. Verification | Metadata and hash verification | FTK Imager | ISO/IEC 27037 |
| 5. Documentation | Expert report preparation | ILEXUM template | ISO/IEC 17025 |
| 6. Presentation | Courtroom evidence presentation | Interactive dashboard | Courtroom protocol |

Detailed Protocol for Messaging Cases

  1. Request court order for device interception, specifying the Telegram application.
  2. Document device state: photographs, battery charge, installed applications.
  3. Perform forensic acquisition in airplane mode or through logical extraction if the device is unlocked.
  4. Extract Telegram database: locate it in /data/data/com.telegram.messenger/databases/.
  5. Obtain decryption key: through memory analysis or Android keystore extraction.
  6. Analyze relevant tables: messages, users, chats, media.
  7. Export conversations in PDF or HTML format with integrity verification.
  8. Perform timeline analysis to verify chronological coherence.
  9. Prepare expert report with forensic screenshots, metadata, and technical conclusions.

Lessons for Professionals

For lawyers and legal representatives

  1. Request computer forensics in complex cases: Although STS 3423/2023 establishes it is not strictly necessary, its existence significantly strengthens the prosecution's position.

  2. Document how the screenshots were obtained: If screenshots are presented as evidence, accompany them with witness testimony from the person who made them, explaining the circumstances in which they were taken.

  3. Verify correlation with other evidence: Messaging screenshots should be presented with complementary documentation (transfers, contracts, communications through other channels).

  4. Anticipate authenticity challenges: Prepare arguments on concurrent evidence that can validate the evidence even without forensics.

For computer forensics experts

  1. Standardize reports: Apply the expert report structure established in ISO/IEC 17025 and guides from the Official College of Computer Engineers.

  2. Use validated tools: Use forensic software recognized by the forensic community, documenting versions used and procedures followed.

  3. Preserve chain of custody: Maintain a detailed record of all persons who have had access to evidence, using digitally signed log formats.

  4. Prepare for expert testimony: Anticipate defense questions about methodology employed and be willing to explain complex techniques in terms accessible to the court.
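
The integrity verification in step 7 of the protocol and the custody record recommended in point 3 above can be combined in one tamper-evident log. This is an added example, not ILEXUM Group's own tooling: file names, actors, dates and the key are constructed, and HMAC-SHA-256 stands in for the digital signature the text calls for (a real deployment would use an asymmetric signature so that verifiers do not hold the signing key).

```python
import hashlib
import hmac
import json

# Constructed sample evidence and key (assumptions for the example).
SAMPLE_FILES = {
    "chat_01.jpg": b"constructed screenshot bytes A",
    "chat_02.jpg": b"constructed screenshot bytes B",
}
DEMO_KEY = b"constructed-demo-key"
GENESIS = "0" * 64  # 'prev' value of the first log entry


def build_manifest(files):
    """SHA-256 of every evidence file, keyed by file name."""
    return {n: hashlib.sha256(c).hexdigest() for n, c in sorted(files.items())}


def _mac(key, body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append_entry(log, key, actor, action, manifest, when):
    """Add a custody entry that is chained to the previous entry's MAC."""
    body = {"seq": len(log), "when": when, "actor": actor, "action": action,
            "manifest": manifest, "prev": log[-1]["mac"] if log else GENESIS}
    body["mac"] = _mac(key, dict(body))
    log.append(body)
    return body


def verify_log(log, key, files):
    """Return a list of problems; an empty list means log and files agree."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), entry["mac"]):
            problems.append(f"entry {i}: MAC mismatch")
        if entry["prev"] != prev or entry["seq"] != i:
            problems.append(f"entry {i}: chain broken")
        prev = entry["mac"]
    if log:  # files must still hash to what the last custodian recorded
        current = build_manifest(files)
        for name, digest in log[-1]["manifest"].items():
            if current.get(name) != digest:
                problems.append(f"{name}: hash differs from last custody entry")
    return problems


if __name__ == "__main__":
    files, log = dict(SAMPLE_FILES), []
    append_entry(log, DEMO_KEY, "officer A", "received from victim",
                 build_manifest(files), "2024-01-05T10:00:00Z")
    append_entry(log, DEMO_KEY, "analyst B", "transferred to lab",
                 build_manifest(files), "2024-01-06T09:30:00Z")
    print("intact:", verify_log(log, DEMO_KEY, files))
    files["chat_02.jpg"] += b"edited"
    print("after edit:", verify_log(log, DEMO_KEY, files))
```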

For judges and prosecutors

  1. Critical assessment of digital evidence: Apply criteria established in STS 3423/2023, but require supplementary evidence when the proof is exclusively textual or visual.

  2. Order forensic extractions: In cases where instant messaging is fundamental evidence, request forensic acquisition of the device instead of relying on screenshots alone.

  3. Verify proportionality: Apply the Constitutional Court's proportionality test to balance the right to privacy with investigation needs.

Conclusion

STS 3423/2023 represents a significant precedent in Spanish jurisprudence on digital evidence, establishing that instant messaging screenshots can be valid without computer forensics when external evidence of their authenticity concurs. However, this resolution should not be interpreted as authorization to relax standards in obtaining digital evidence.

For professionals in the forensic and legal fields, the main lesson is that the strength of digital evidence depends on the methodology used to obtain it. Although courts may admit screenshots under certain circumstances, the recommended forensic practice remains forensic extraction using specialized tools, rigorous chain of custody documentation, and preparation of expert reports in accordance with international standards.

At ILEXUM Group, we recommend that all legal operators involved in proceedings with digital evidence adopt protocols of maximum technical and procedural rigor. Case law evolves, and what is considered sufficient today could be held to a stricter standard tomorrow, given the increasing sophistication of digital manipulation techniques.


Sources and References

  1. Confilegal (2024). «El Tribunal Supremo establece que no es necesaria pericial informática para validar capturas de Telegram en casos de estafa». https://confilegal.com/?s=telegram+pericial+estafa+supremo

  2. Legal Today (2024). «El Supremo avala la validez de las capturas de Telegram como prueba sin necesidad de informe pericial». https://www.legaltoday.com/search/?q=telegram+supremo+estafa+pericial

  3. Economist & Jurist (2024). «STS sobre chats de Telegram: la prueba indiciaria basta para acreditar autenticidad». https://www.economistjurist.es/?s=chats+telegram+autenticidad+estsupremo

  4. Law of Criminal Procedure (LECrim) — Article 326. https://www.boe.es/buscar/act.php?id=BOE-A-1882-6036

  5. Spanish Penal Code — Articles 248 et seq. https://www.boe.es/buscar/act.php?id=BOE-A-1995-25444

  6. Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD). https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673

  7. ISO/IEC 27037:2012 — Guidelines for identification, collection, acquisition and preservation of digital evidence. https://www.iso.org/standard/44382.html

  8. ISO/IEC 27042:2015 — Guidelines for analysis and interpretation of digital evidence. https://www.iso.org/standard/44404.html

  9. NIST SP 800-101 — Guidelines on Mobile Device Forensics. https://csrc.nist.gov/publications/detail/sp/800-101/final

  10. Cellebrite UFED — Mobile forensic acquisition solution. https://cellebrite.com/en/ufed/

  11. MSAB XRY — Forensic extraction software. https://www.msab.com/products/xry/

  12. Magnet AXIOM Cyber — Forensic analysis platform. https://www.magnetforensics.com/products/magnet-axiom-cyber/

  13. Autopsy — Open source forensic analysis tool. https://www.autopsy.com/

  14. FTK Imager — Forensic imaging tool. https://accessdata.com/products-services/ftk-imager

  15. ILEXUM Group — Computer forensics services. https://ilexumgroup.com/en/services

  16. ILEXUM Group — Forensic methodology. https://ilexumgroup.com/en/methodology

  17. ILEXUM Group — Forensic technology. https://ilexumgroup.com/en/technology


Legal notice: This article is for informational purposes and does not constitute legal advice. Cited cases may be subject to jurisprudential modifications. It is recommended to consult with qualified professionals before making decisions based on the content of this publication.
