Navigating the Deluge: eDiscovery with RSMF and Belkasoft X

In modern eDiscovery and corporate investigations, the evidence trail often lives in chats and texts—not just in documents or email. To review those conversations reliably, teams need data that is standardized and preserves context.

Short-message data (SMS, messaging apps, collaboration tools) is scattered across many formats and databases. Traditional eDiscovery workflows, built for static content, often struggle here: they may not consistently maintain conversation threads, message order, or crucial metadata such as participants and timestamps. At high volumes—and in high-stakes matters like insider trading, employee misconduct, or corporate espionage—these gaps can slow reviews and cause missing evidence. Relativity Short Message Format (RSMF) addresses this problem by standardizing and structuring data for legal review and analysis so investigators and legal teams can search, sort, and understand conversations as they actually happened.

In this article, we look into RSMF and cover the following points:

• What RSMF is and what it looks like
• Why RSMF is needed in modern eDiscovery and investigations
• How to acquire, analyze, and export message data from Belkasoft X into RSMF for review in Relativity

Read on to find out how RSMF, when used alongside powerful DFIR tools such as Belkasoft X, is changing the way legal teams manage short message data.

What is RSMF, and what does it look like?

The Relativity Short Message Format is a standardized format that stores and organizes short message data from various chat and mobile messaging apps.

RSMF was developed by RelativityOne, a cloud-based eDiscovery and document review platform. Its purpose is to resolve inconsistencies in how different platforms record message details.

Technically, an RSMF file is an EML file with a .rsmf extension. It consists of the following components:

• Header: High-level metadata on the entire RSMF file.
• Body: Text extracted from short messages and non-message events. The body section is often empty, as message data is stored in the attachment section.
• Attachment: A base64-encoded ZIP file (named RSMF.zip) which contains all associated files, including images, videos, and documents. This archive also includes an rsmf_manifest.json file, which stores message-level metadata, detailing individual message events, participants, and conversations.

An example of an RSMF file

RSMF is available in two versions. Version 2.0 captures richer metadata than version 1.0, including read receipts, message direction, history events, and other details. These additions enable more precise filtering in Relativity's Short Message Viewer, providing a more comprehensive overview of conversations.

Why is RSMF necessary in modern eDiscovery?

Emails were once the primary form of digital evidence, but this has since changed. Nowadays, most organizations use instant messaging platforms for both internal and external communication. As these systems have different features and store data in various formats, communication records must be standardized in eDiscovery to enable consistent processing, accurate analysis, and efficient review. Although mobile and chat communications contain a wealth of evidence, they are challenging to manage in eDiscovery. Here are the key issues:

• Multi-channel fragmentation: Conversations can take place via email, chat (for instance, Slack, Teams, WhatsApp, SMS), calls or meetings, and direct messages. Consequently, the context is fragmented across various platforms and tools.
• Time and timezone chaos: Mixed time zones, daylight saving time changes, client clock skew, and mismatches between server and client timestamps can make establishing a reliable sequence of events challenging.
• Conversation structure and context: The meaning of threads, forks, replies, reactions, edits, deletes, ephemeral messages, and system events can be lost if they are not captured and rendered.

The solution

RSMF resolves these challenges by transforming raw chat data into a structured, review-ready format:

• Normalization and standardization: RSMF consolidates multi-channel data into a single format, helping you to follow the context across different platforms.
• Preserving context: RSMF retains message threading and chronological order, linking relevant attachments and metadata to messages for seamless continuity, allowing users to understand conversations in their original context.
• Accurate timestamps: To allow accurate event sequencing, RSMF stores timestamps in UTC while also retaining time zone offset information where available.
• Data enrichment: It supports enhancements such as correlating phone numbers with names from address books to simplify participant identification.

Implementing RSMF enables legal teams to manage chat-based evidence as effectively and defensibly as they do with traditional email sources.

Workflow: From Belkasoft X artifacts to Relativity

Extracting correspondence from a wide variety of devices in a distributed corporate fleet is challenging, but Belkasoft tools can assist with this task. Belkasoft X enables digital forensic and eDiscovery teams to acquire data from mobile devices, computers, and cloud backups and recover valuable evidence from various communication apps, including Microsoft Teams, Slack, WhatsApp, and more.

Using Belkasoft Remote Acquisition, security specialists, custodians, and eDiscovery managers can collect data from computers and mobile devices located remotely.

Acquiring and analyzing chat data with Belkasoft X

When adding a data source in Belkasoft X, you can choose to extract either all supported artifacts or specific email and messaging services only. To ensure a thorough analysis, it may be helpful to enable options such as analyzing carved and embedded data, as well as Optical Character Recognition (OCR) for text recognition in images.

Artifact extraction and review

When analyzing your data source, Belkasoft X automatically parses artifacts from messenger and email applications and displays them under the Chats and Mails nodes. Social media chats, such as those from X (Twitter), Instagram, or Snapchat, will appear under the Mobile Applications node. You can view all conversations in a user-friendly bubble chat view, a sortable and filterable grid view, or export them for further analysis.

Exporting chat and email data to RSMF

With Belkasoft X, you can save extracted messages and emails in RSMF 1.0 format. This feature is useful when you need to provide data for internal eDiscovery investigations involving Relativity, or when you need to share corporate communication records with third parties. To export chat data to RSMF from Belkasoft X:

1. In the Artifacts window, select the chats and mails to export, right-click to call the context menu, and click Create report for checked profiles.

   

   Exporting selected nodes from the Artifacts view

2. Choose RSMF as the format and specify the target folder.

   

   Exporting data to RSMF format

3. Click OK to initiate the export process.

Reviewing RSMF in Relativity

You can then import the resulting output file into the Relativity platform or third-party applications supporting the RSMF format.

Relativity imports RSMF files, extracting metadata and linking families and attachments to optimize the review experience. This streamlined process provides users with a near-native review environment complete with powerful features such as timeline view, data search, filtering, and slicing capabilities.

Conclusion: Streamlining short message eDiscovery

RSMF helps legal teams overcome the complexity of mobile chat data and navigate data from various platforms. It preserves the context, structure, and metadata of messages, ensuring they are accurate, complete, and reviewable.

Belkasoft X allows forensic examiners to efficiently acquire, analyze, and export this data. With direct RSMF export, you can transition from device to Relativity in a few simple steps.

Ready to revolutionize your eDiscovery process? Belkasoft X offers the tools you need to efficiently acquire, analyze, and export chat data, transforming complex communication into actionable, review-ready evidence.

See also:

• Email Forensics with Belkasoft X
• On-demand Course: Windows Forensics with Belkasoft
• Effective Evidence Sharing with Belkasoft Evidence Reader