Email Forensic Analysis
Over 100 trillion emails are sent a year, making email a crucial evidentiary component in nearly every case litigated today. Deleted emails can often be recovered, even if intentionally erased, and meta data, such as email addresses, time stamps, etc., can all be very useful in an investigation as well. Email clients and servers are often full database applications complete with document repositories, contact managers, time managers, calendars and many other features, all of which might be accessed forensically.
Erasing or deleting an email doesn't necessarily mean that an email is gone forever. Often emails can be forensically extracted even after deletion. Additionally, it is common for organizations, like banks or brokerage firms, to have retention policies in place or even email archiving for regulatory purposes, storing email evidence for years in a searchable, retrievable format.
At Global Digital Forensics, we've recovered email evidence from computers, email servers and web mail servers as well as from smartphones, cellphones, tablets, etc. Email is pervasive these days. Often evidence can be recovered from some device or another.
Emails may reside on servers unbeknown to the user, or on backup tapes that were created during the normal course of business. GDF has a proven track record of using sound forensic techniques and unparalleled industry experience to recover deleted email, calendars, and more, from users' email clients and email servers.
GMail, Yahoo Mail and Hotmail
It is completely possible to forensically recover email created or received by web based email systems, including free services like Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the email server, which inherently caches information to the disk, effectively saving a copy to the disk. GDF forensic examiners can extract the HTML based email from the disk drive of the system used to create or retrieve the email messages.
Many organizations also have a web based system for users to retrieve their email while out of the office, like Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser based web mail clients also cache messages to the disk.
Many popular web based or web mail services also have shared calendaring services, personal calendars and contact managers, as well as email. Anytime these services are accessed, they may be cached to the disk as well. GDF has had many instances where important contact information, like email addresses, for additional subjects was found because of our careful analysis of all the web email and web based services. We leave no stone unturned, and neither should you.
When emails are sent or received, in addition to the message, there is a host of additional data created, such as sender and recipient addresses, timestamps, server paths, etc. This email meta data can be very valuable — the NSA debacle is based on the collection of email meta data. Meta data can also be saved to servers and can be recovered in some cases without the actual email.
Collected emails and other communications can yield documentation that, when correlated by date, subject, recipient or sender, produces a highly understandable and easy-to-follow map of events, movements and entities. Global Digital Forensics has the ability to correlate large amounts of data into understandable and easy-to-follow presentations, using specialized tools to link entities, dates, times and events while maintaining the highest standards of forensic integrity.
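The meta data and correlation described above can be illustrated with a short added example (not GDF's tooling or code from this page): it extracts addresses, timestamps and the server path from raw messages and orders them into a timeline. The sample messages are constructed, the function names are hypothetical, and well-formed `Received` lines are assumed.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample messages (reserved example domains, documentation IPs).
SAMPLES = ["""\
Received: from relay.example.net (relay.example.net [203.0.113.9])
 by mx.example.com with ESMTP id B2; Mon, 03 Mar 2025 09:15:42 +0000
Received: from laptop.example.org (laptop.example.org [198.51.100.7])
 by relay.example.net with ESMTPSA id A1; Mon, 03 Mar 2025 09:15:40 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.com>
Subject: Q1 figures
Date: Mon, 03 Mar 2025 10:15:38 +0100
Message-ID: <m1@example.org>
""", """\
Received: from webmail.example.org (webmail.example.org [198.51.100.20])
 by mx.example.com with ESMTPS id C3; Mon, 03 Mar 2025 11:30:05 +0000
From: alice@example.org
To: bob@example.com, carol@example.com
Subject: Re: Q1 figures
Date: Mon, 03 Mar 2025 08:00:00 +0000
Message-ID: <m2@example.org>
"""]

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)")

def extract_metadata(raw):
    """Pull addresses, timestamps and the server path out of one raw message."""
    msg = message_from_string(raw)
    hops = []
    # Each server prepends its Received line, so reverse to get travel order.
    for value in reversed(msg.get_all("Received", [])):
        route, _, stamp = " ".join(value.split()).rpartition(";")
        m = HOP.search(route)
        hops.append({"from": m.group(1) if m else None, "by": m.group(2) if m else None,
                     "time": parsedate_to_datetime(stamp.strip())})
    date = parsedate_to_datetime(msg["Date"])
    first_seen = hops[0]["time"] if hops else date
    return {"id": msg["Message-ID"], "subject": msg["Subject"], "date": date,
            "sender": getaddresses(msg.get_all("From", []))[0][1],
            "recipients": [a for _, a in getaddresses(msg.get_all("To", []))],
            "hops": hops, "first_seen": first_seen,
            # Date is set by the sending client; a large gap to the first hop merits review.
            "date_skew_s": (first_seen - date).total_seconds()}

def build_timeline(raw_messages):
    """Order messages by the first server-recorded time rather than the claimed Date."""
    return sorted((extract_metadata(r) for r in raw_messages), key=lambda r: r["first_seen"])
```

Sorting on the first `Received` timestamp instead of the `Date` header keeps the second sample message, whose claimed send time precedes its first server hop by several hours, in the position the servers actually recorded.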
Another way to approach the problem of obtaining forensic information regarding email, etc., is to concentrate on the human user. User activity monitors are software systems that allow companies to monitor and store data about user activity. In addition to forensic analysis, GDF offers C-All, our world-class solution to maintaining a watchful presence on any computer network.
GDF has provided expert witnesses in a wide range of civil and criminal legal proceedings.