Email Forensic Analysis

Over 100 trillion emails are sent a year, making it a crucial evidentiary component in nearly every case litigated today. Deleted emails can often be recovered, even if intentionally erased, and metadata, such as email addresses, time stamps, etc., can all be very useful in an investigation as well. Email clients and servers are often full database applications, complete with document repositories, contact managers, time managers, calenders and many other features, all of which might be accessed forensically.

Recover Deleted EmailsErasing or deleting an email doesn't necessarily mean that it's gone forever. Often emails can be forensically extracted even after deletion. Additionally,  It is common for organizations, like banks or brokerage firms, to have retention policies in place, or even email archiving for regulatory purposes, storing email evidence for years in a searchable, retrievable format.
At Global Digital Forensics, we've recovered email evidence from computers, email servers and webmail servers, as well as from smartphones, cellphones, tablets, etc. Email is pervasive these days. Often evidence can be recovered from some device or another.
Emails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. GDF has a proven track record of using sound forensic techniques and unparalleled industry experience to recover deleted email, calendars, and more, from user's email clients and email servers..
GMail, Yahoo Mail and Hotmail
Webmail ForensicsIt is completely possible to forensically recover email created or received by web-based email systems, including free services like Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the email server, which inherently caches information to the disk, effectively saving a copy on the disk. GDF forensic examiners can extract the HTML-based email from the disk drive of the system used to create or retrieve the email messages.
Many organizations also have a web-based system for users to retrieve their email while out of the office, like Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser-based webmail clients also cache messages to the disk.
Many popular web-based or webmail services also have shared calendaring services, personal calendars and contact managers, as well as email. Anytime these services are accessed, they may be cached to the disk as well. GDF has had an many instances where important contact information, like email addresses for additional subjects, was found because of our careful analysis of all the web email and web-based services. We leave no stone unturned, and neither should you.
ProgramingWhen emails are sent or received, in addition to the message, there is a host of additional data created, such as sender and recipient addresses, timestamps, server paths, etc. This email meta data can be very valuable — the NSA debacle is based on the collection of email meta data. Meta data can also be saved to servers and can be recovered, in some cases without the actual email.

Correlating Information

Collected emails and other communications can yield documentation that can be correlated by date, subject, recipient or sender, and yield a highly understandable and easy to follow map of events, movements  and entities. Global Digital Forensics has the ability to correlate large amounts of data into understandable and easy to follow presentations, using specialized tools to link entities, dates, times and events, while  maintaining the highest standards of forensic integrity.

Expert Witnessing

GDF has provided expert witnesses in a wide range of civil and criminal legal proceedings. For more information regarding expert tech witnesses please click here.