Email Forensic Analysis
Over 100 trillion emails are sent a year, making it a crucial evidentiary component in nearly every case litigated today. Deleted emails can often be recovered, even if intentionally erased, and metadata, such as email addresses, time stamps, etc., can all be very useful in an investigation as well. Email clients and servers are often full database applications, complete with document repositories, contact managers, time managers, calenders and many other features, all of which might be accessed forensically.
Erasing or deleting an email doesn't necessarily mean that it's gone forever. Often emails can be forensically extracted even after deletion. Additionally, It is common for organizations, like banks or brokerage firms, to have retention policies in place, or even email archiving for regulatory purposes, storing email evidence for years in a searchable, retrievable format.
At Global Digital Forensics, we've recovered email evidence from computers, email servers and webmail servers, as well as from smartphones, cellphones, tablets, etc. Email is pervasive these days. Often evidence can be recovered from some device or another.
Recovering Deleted Emails
Emails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. GDF has a proven track record of using sound forensic techniques and unparalleled industry experience to recover deleted email, calendars, and more, from user's email clients and email servers.
Recovering from Email from Web-based Systems
It is completely possible to forensically recover email created or received by web-based email systems, including free services like Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the email server, which inherently caches information to the disk, effectively saving a copy on the disk. GDF forensic examiners can extract the HTML-based email from the disk drive of the system used to create or retrieve the email messages.
Many organizations also have a web-based system for users to retrieve their email while out of the office, like Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser-based webmail clients also cache messages to the disk.
Email Metadata Recovery
Most users also do not grasp the concept that email has a sender AND a recipient, or even multiple recipients. Emails may reside on servers uknown to the user, or on backup tapes that were created during the normal course of business. GDF has a proven track record of using sound forensic techniques and unparalleled industry experience to recover deleted email, calendars, and more, from user's email clients and email servers.
Many popular web-based or webmail services also have shared calendaring services, personal calendars and contact managers, as well as email. Anytime these services are accessed, they may be cached to the disk as well. GDF has had an many instances where important contact information, like email addresses for additional subjects, was found because of our careful analysis of all the web email and web-based services. We leave no stone unturned, and neither should you.
Collected emails and other communications can yield documentation that can be correlated by date, subject, recipient or sender, and yield a highly understandable and easy to follow map of events, movements and entities. Global Digital Forensics has the ability to correlate large amounts of data into understandable and easy to follow presentations, using specialized tools to link entities, dates, times and events, while maintaining the highest standards of forensic integrity.
GDF has provided expert witnesses in a wide range of civil and criminal legal proceedings. For more information regarding expert tech witnesses please click here.