Going Dark: How Locked Devices and Encrypted Data Affect Investigations

Modern investigations often depend on digital evidence. Phones, computers, tablets, cloud accounts, messaging applications, cameras, and connected devices can contain critical information about communications, timelines, locations, transactions, relationships, threats, fraud, and user activity. However, one of the biggest challenges in modern investigative work is that the evidence may exist, but investigators may not be able to access it easily.

This issue is often referred to as “going dark.” In simple terms, going dark describes situations where relevant digital evidence is protected by encryption, passwords, locked devices, private applications, disappearing messages, secure cloud accounts, or other access barriers. The information may be important, but it may be unavailable without proper legal authority, consent, credentials, forensic tools, or cooperation from the device owner or service provider.

At PMI | Preventative Measures Investigations, locked devices and encrypted data are handled with caution, professionalism, and respect for the law. PMI does not support unauthorized access, hacking, unlawful account intrusion, or any attempt to bypass security protections illegally. Digital evidence must be obtained, preserved, reviewed, and documented through lawful and ethical methods. The strength of an investigation depends not only on what is found, but also on how the information was obtained.

Encryption is not automatically suspicious. Most modern phones, computers, messaging platforms, and cloud services use encryption to protect personal information, financial records, business data, attorney-client communications, photographs, health information, and private communications. Encryption protects the public from identity theft, fraud, stalking, cyber intrusion, and unauthorized surveillance. At the same time, encryption can create significant investigative challenges when a device or account contains evidence relevant to a criminal defense matter, civil case, fraud investigation, missing person case, workplace issue, or protective intelligence concern.

A locked phone may contain messages, call logs, photographs, videos, location data, app activity, contacts, browser history, notes, account access, and deleted records. A locked computer may contain documents, emails, downloads, financial records, user activity, external drive history, cloud synchronization data, and evidence of file creation or deletion. A secure messaging app may contain conversations that explain intent, planning, threats, fraud, harassment, or coordination between individuals. When access is unavailable, the investigation may lose critical context.

In criminal defense investigations, going dark can affect both sides of the case. Law enforcement may report that a device could not be accessed, that only limited data was extracted, or that certain evidence was unavailable. Defense attorneys may need to know whether the digital evidence was fully reviewed, partially reviewed, summarized, or not reviewed at all. If a report relies on digital evidence, it is important to understand what was actually examined and what remained inaccessible.

A device that cannot be accessed may still be important. Investigators may be able to document the existence of the device, identify the owner or user, preserve chain of custody, review external records, compare known communications, analyze cloud records when lawfully available, examine screenshots or exports, review related devices, or identify other sources that may contain the same or similar evidence. Going dark does not always end the investigation. It often changes the strategy.

In civil litigation and fraud investigations, locked devices and encrypted accounts can also create problems. Business disputes, embezzlement cases, forged document matters, insurance fraud, real estate fraud, and internal investigations often involve emails, texts, financial records, shared folders, payment applications, cloud storage, and account access logs. If a party refuses access, deletes content, changes passwords, or claims that records are unavailable, attorneys may need to consider preservation demands, subpoenas, discovery requests, forensic preservation, or court intervention.

In domestic, stalking, and harassment matters, locked devices may contain evidence of repeated unwanted contact, threats, fake profiles, tracking applications, location sharing, cyberstalking, or violations of court orders. However, victims and clients must be careful not to access someone else’s account or device unlawfully. Even when a person believes evidence exists, the method of obtaining it matters. Evidence gathered improperly may create legal problems and may reduce its value.

Cloud accounts are a major part of the going dark problem. Many people assume evidence exists only on a phone or computer, but devices often sync information to cloud services, email accounts, photo storage, backup systems, shared folders, messaging platforms, and application servers. If the device is locked, some relevant records may still exist in another lawful source. A proper digital evidence strategy considers the device, the account, the cloud environment, connected applications, backups, and third-party records.

Disappearing messages and encrypted applications add another layer of difficulty. Some platforms allow users to delete messages, set expiration timers, remove content from both sides of a conversation, or limit message retention. In some cases, evidence may be lost quickly if it is not preserved. In other cases, surrounding artifacts may remain, such as notification records, screenshots, backups, contact information, file remnants, metadata, or related communications. The key is early preservation and careful review.

Going dark also affects timelines. A missing device, locked account, deleted message, or inaccessible backup may create gaps in the case chronology. Those gaps must be documented. A professional review should identify what is known, what is unavailable, what was requested, what could not be accessed, and what alternative sources may exist. This prevents assumptions from replacing facts.

Digital evidence should never be interpreted in isolation. If a device is locked, investigators may still compare witness statements, public records, surveillance video, photographs, call detail records, emails, receipts, vehicle records, location information, social media activity, and other available evidence. The goal is to build the strongest possible investigative picture using lawful sources.

Chain of custody remains important even when a device is locked. The fact that a device is inaccessible does not mean it should be ignored or mishandled. The device may need to be photographed, labeled, preserved, stored securely, and documented. If access becomes available later through consent, court order, password recovery, attorney-directed production, or forensic process, proper preservation may protect the value of the evidence.

PMI’s role in matters involving locked devices and encrypted data is to help clients, attorneys, and investigative partners understand the available evidence, identify access limitations, preserve what can lawfully be preserved, document gaps, and develop alternative investigative leads. This may include digital evidence preservation, OSINT research, public records review, timeline development, discovery review, communication analysis, witness follow-up, and investigative reporting.

It is important to separate capability from legality. Just because something may be technically possible does not mean it is lawful, ethical, or appropriate. PMI operates within lawful investigative boundaries. Unauthorized access, password guessing, account intrusion, malware, spyware, unlawful tracking, or bypassing security protections without authority are not legitimate investigative methods. Professional digital evidence work must protect the integrity of the case and the rights of all involved.

Going dark is not just a technical problem. It is an investigative problem, a legal problem, and a documentation problem. When digital information is unavailable, the investigator must adapt. That means preserving the device, identifying other sources, documenting what could not be accessed, developing alternate leads, and ensuring attorneys or clients understand the limitations.

At PMI | Preventative Measures Investigations, we approach locked devices and encrypted data with discipline and caution. Digital evidence can be powerful, but only when it is obtained lawfully, preserved properly, analyzed accurately, and placed in the correct investigative context.

In modern investigations, the truth may be stored behind a locked screen, inside an encrypted account, or within a cloud system that requires proper authority to access. The challenge is knowing how to proceed without compromising the case, violating the law, or making unsupported assumptions. Going dark does not mean the investigation stops. It means the investigation must become more precise.