Email Forensics

Get a Quotation

28 Years of Winning Cases

Email Forensics Services

Email is ubiquitous - it is almost always a major component of any cyber forensic investigation whether involving business or personal communications. The main concerns with emails as evidence are:

1) Can emails be recovered from whatever devices and services might be involved?

2) Can emails be authenticated?

3) In cases of where emails are erased, deleted or spoliated, can enough data be recovered to support the case or a spoliation hearing?

Global Digital Forensics addresses these issues and more by provides complete email forensics services for law firms, businesses, governmental bodies as well as private investigators.

  • More than two decades experience investigating and testifying in cases ranging from financial malfeasance to intellectual property theft to issues of national security where email was deleted, spoliated or its authenticity called into question
  • All types of devices and data types recovered, from phones to servers to webmail systems
  • All work performed by highly trained CISSP and CCE certified forensic examiners
  • Complete reporting and case support - from initial consultations to expert witnessing in court, mediation, spoliation hearings, TRO motions, and any evidentiary hearings pertaining to the case or investigation.

Email Data Types and Evidence Recovery

Email evidentiary data can be recovered from:

  • Email clients on desktop or laptop computers such as Outlook 360, Apple Mail, Inbox by Gmail, MailSpring, Mailbird, Em Client, Windows, Linux, MAC OSX operating systems. et.
  • Smart phones from Apple, Samsung, Google, Huawei, Sony, Nokia, etc
  • Tablets from Apple, Lenovo, Samsung, Microsoft (including Surface), Amazon Kindle, etc.
  • Digital devices such as smart watches, video gaming consoles.
  • Online email services such as Gmail, Gsuite, MS Outlook, Yahoo Mail, Hotmail, iCloud, AOL, GoDaddy, Zoho Mail, integrated mail systems in CMS and CRM software, as well as ISP based email systems, corporate email systems and servers, private email servers, etc.

Many different types of data can be recovered as evidence. Not only is there information explicitly in the email itself, but there is data (metadata) generated by the sending/receiving process that can be useful in an investigation.

The following is a partial list of the types of data can be recovered from email:

  • Written communications
  • Photographs, diagrams, compressed attachments, etc.
  • Send to / Received from data
  • Date and location data
  • Send path information
  • Contact list data

In addition, there can be email log information, email headers and other types of metadata that can be used to establishing timelines of action, locations, and connections between subjects involved in investigations.

Recovering Evidence from Desktop-based or Device-based Email Clients

Email client programs, such as Outlook 360, Mac Mail and others, are prime sources of forensic email data. The data on these systems however, is prone to deletion and other attempts at spoliation. Similar issues are present when trying to recover emails from iPhones, Androids, iPads, Surface tablets, etc.

Device / Drive Imaging

Imaging is making a bit-by-bit copy of any data source, which helps to main the integrity of the data and facilitate the speed and thoroughness of the investigation.

Recover Deleted Emails

GDF provides services to recover normal AND deleted emails in their original form, with no data modification done at any time during the process so as to maintain admissibility.

Repair Corrupted or Damaged Emails

GDF provides services to repair damaged or corrupted emails, again, while maintain admissibility. These services are discussed on a case by case basis.

Email Header Analysis

Email headers are crucial in establishing the origin, destination and all the “hops” along the way an email traveled. Email headers can divulge data such as:

  • Who sent and received the email
  • The full network path the email traversed
  • Timestamp Information
  • Information about the email client used
  • Information about the device used

Recovering Evidence from Web-Based Email Clients

Header Analysis

GDF can analyze all email header information and provide a detailed report containing specifics like IP addresses, details on the service provider and mail servers used, etc. There are many steps in the process of delivering an email, and those stapes can be traced, documented and presented as evidence.

Forensic Imaging

We provide imaging (bit-by-bit copying) of email client data, as well as data export into various file formats, while always maintaining the original properties, attachments, metadata and folder structure.

Deleted/Erased Emails and Spoliation of Evidence

Often subjects of investigation will attempt to destroy evidence by deleting emails, "wiping" an email server, deleting emails off phones and other devices. In situations where there has been tampering, we look for different possible end points for email. Even sending a single email generates two potential sources for that data - the sender's device or email client and the receiver's device or email client. Often emails are available at multiple locations due to users having computers as well as mobile devices set up for email services, and their can be multiple recipients of an email, especially within an organization.

If emails have been deleted there can still be usable evidence contained in email logs and other email related metadata sources. As an example, the email might be gone, but information establishing when it was sent, who sent it, and to whom it was sent might be available and admissible, epsecially in . There are also artifacts that can be found in the slackspace and freespace on a computer that most users and many popular wiping/deletion programs don't know about and miss. These artifacts can be found and in many cases generate useful evidence.

Encrypted Emails and Encrypted Devices

Encrypted emails, files, directories, hard drives and devices make data recovery very difficult without access to encryption keys or passwords. There are a number of work-arounds which can employed, but successful recovery of encrypted data is dependent on many variables. In our initial discussions with clients, the possibility of missing and encrypted data and recovery strategies and options will be thoroughly discussed.

Email Forensics Examination Process

Initial Consultation / Evaluation

Our initial conference with the client establishes the parameters of the investigation based on the client's instructions, such as the parties involved, the types of data and devices that might be collected, the possible route through the court system, etc. We cover security risks that might compromise the integrity of the investigation (are other, unknown staff members involved), or the physical safety of the clients or investigatory staff (is there an ongoing threat?). Deliverables and the presentation of the investigation's findings are discussed and outlined, as well as any other support that might be needed, such as expert witnessing, attendance at meetings or mediation, various hearings, etc. If required, NDA's and whatever legal riders are generated and signed. Initial deposits / retainer fees are also discussed and paid at this time.

Chain of Custody

Maintaining the integrity of the Chain of Custody is critical for verifying the correct handling of evidence, showing who “touched” any potential evidence, how it was maintained, and how it was transferred or transported throughout the acquisition, analysis and delivery process. GDF thoroughly documents our involvement in the entire process, with both written reportage and, if necessary, photographs and or/screenshots of the equipment, devices and systems before removing or changing anything to be used as evidence in a case, ensuring forensic soundness and verifiable tracking of evidence handling.


During the collection stage we gather all data sources, virtual and physical, that are pertinent to the investigation. Appropriate care is taken to ensure all evidence is safely transported to our labs for analysis. We document and/or photograph all devices and potential sources, bagging and labeling when appropriate, disk and de vice imaging is performed. etc. A firm chain of custody is also established at this point.


Analysis varies according to the parameters of each investigation. All work is impartially conducted using forensically sound techniques to applicable standards, thoroughly documented and repeatable by other experts, and performed as thoroughly as possible within the allotted timeframe.

Header Analysis

Is the email authentic or has it been tampered with? this is the fundamental question in a forensic email investigation, and Email Headers are the single most important component for verifying authenticity and traversal of suspect emails. Headers contain important metadata (data about data) that helps paint the picture of Who, What, When, Where and How by supplying information about the sender/receiver, the date, time and the path taken by the message to reach its destination. From an evidentiary perspective, this is all crucial information when building a timeline and a case.

Email Server Examinations

Servers save a copy of all the emails, even if they are removed from a mailbox or account. We advice our clients on the legal procedures required to obtain access to servers and devices which might lie outside of the control of counsel or the client.

Network or Device Examination

In cases where direct examination of emails and email systems is thwarted, due to non-availability, roadblocks from the opposing counsel, court directives, GDF can expand our investigation to include other sources of data, such as logs maintained by routers, switches, and firewalls, all of which may opening alternatives for the finding and recovering of evidence.

Analysis of Embedded Data

Software used to create emails can also generate valuable information for a forensic analysis, like the name of the software and version used, date and time information, logs of actions performed and more.

Analysis of Hidden Emails

Emails are not always in plain sight. As an example, one email might be referencing another email in a location, such as in a directory or folder, but that second email is no longer there. These "hidden" emails often contain exactly the evidence being sought. GDF has ample experience tracking down and recovering hidden emails.

Presentation of Findings / Deliverables

We present all our findings with an eye towards clarity of language and demonstrable competence. We make sure client instructions are strictly followed, that our technologies, processes and procedures are easily understood, and that our work withstands the highest levels of scrutiny by opposing experts. We adhere to this philosophy of competence and clarity in our written presentations as well as expert witnessing appearances.

Contact GDF at 1-800-868-8189 to discuss your cyber forensics needs.

Get a Quotation

Use the secure form below to get your questions answered.
Or call our 24 hour hotline at: 

GDF Local Providers

We are an international company with a local focus.
Contact a regional office near you.
envelope-oclosephonebars linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram