Forensic Analysis of Email, Social Networking Activities, Twitter, Texting etc.
Over 100 trillion emails are sent a year, making email a crucial evidentiary component in nearly every case litigated today. Email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars and many other applications. For instance, Microsoft Exchange can be customized to be used as a complete Customer Relationship Manager (CRM), and it is common for the powerful database features of Lotus Notes and Domino Server to be exploited far beyond a simple email system. Organizations use these powerful, database-enabled email and messaging servers to manage cases, track clients and share data.
But email is only one source of electronic communications: Social Networking posts (Facebook, MySpace), Twitter posts, collaborative software activity, etc., are all potential sources of evidence and are all increasingly used in investigation and litigation as a means of providing subject movement mapping, establishing relationships, etc. Often erased emails, tweets, etc., can be recovered from servers, computers and mobile devices, so forensic options exist beyond what one can see in the in-box.
Erasing or deleting an email doesn't necessarily mean that it's gone forever. Often emails can be forensically extracted even after deletion. Additionally, it is common for organizations, like banks or brokerage firms, to have retention policies in place, or even email archiving for regulatory purposes, storing email evidence for years in a searchable, retrievable format.
At Global Digital Forensics, we've recovered email evidence from computers, email servers and webmail servers, as well as from smartphones, cellphones, tablets, etc. Email is pervasive these days. Often evidence can be recovered from some device or another.
Emails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. GDF has a proven track record of using sound forensic techniques and unparalleled industry experience to recover deleted email, calendars, and more, from users' email clients and email servers.
Gmail, Yahoo Mail and Hotmail
It is completely possible to forensically recover email created or received by web-based email systems, including free services like Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the email server, which inherently caches information to the disk, effectively saving a copy on the disk. GDF forensic examiners can extract the HTML-based email from the disk drive of the system used to create or retrieve the email messages.
Many organizations also have a web-based system for users to retrieve their email while out of the office, like Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser-based webmail clients also cache messages to the disk.
Many popular web-based or webmail services also have shared calendaring services, personal calendars and contact managers, as well as email. Anytime these services are accessed, they may be cached to the disk as well. GDF has had many instances where important contact information, like email addresses for additional subjects, was found because of our careful analysis of all the web email and web-based services. We leave no stone unturned, and neither should you.
When emails are sent or received, a host of additional data is created alongside the message, such as sender and recipient addresses, timestamps, server paths, etc. This email metadata can be very valuable — the NSA debacle is based on the collection of email metadata. Metadata can also be saved to servers and can be recovered, in some cases without the actual email.
Collected emails and other communications can yield documentation that can be correlated by date, subject, recipient or sender, and can yield a highly understandable and easy-to-follow map of events, movements and entities. Global Digital Forensics has the ability to correlate large amounts of data into understandable and easy-to-follow presentations, using specialized tools to link entities, dates, times and events while maintaining the highest standards of forensic integrity.
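The metadata fields named above (sender and recipient addresses, timestamps, server paths) can be read from raw headers and correlated by date. The following Python example is added here for illustration and is not GDF's tooling; the two messages are constructed, and every host, address and function name in it is an assumption.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample headers; every host, address and timestamp is made up.
MSG_A = """\
Received: from relay.example.org (relay.example.org [198.51.100.9])
    by mx.example.net with ESMTP; Tue, 04 Mar 2014 10:15:42 -0500
Received: from desk-pc (desk-pc [192.0.2.44])
    by relay.example.org with ESMTP; Tue, 04 Mar 2014 10:15:40 -0500
From: Alice <alice@example.org>
To: Bob <bob@example.net>, carol@example.net
Date: Tue, 04 Mar 2014 10:15:38 -0500
Subject: Q1 figures
Message-ID: <a1@example.org>
"""
MSG_B = """\
Received: from laptop (laptop [192.0.2.51])
    by relay.example.org with ESMTP; Tue, 04 Mar 2014 11:30:05 -0500
From: dave@example.org
To: bob@example.net
Date: Tue, 04 Mar 2014 09:00:00 -0500
Subject: Re: Q1 figures
Message-ID: <b2@example.org>
"""
HOP_RE = re.compile(r"(?:from\s+(\S+).*?)?\bby\s+(\S+)")

def extract_metadata(raw):  # addresses, timestamps and server path of one message
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # top header = last hop
        flat = " ".join(value.split())                   # unfold continuation lines
        m = HOP_RE.search(flat)
        src, dst = m.groups() if m else (None, None)
        stamp = parsedate_to_datetime(flat.rpartition(";")[2].strip())
        hops.append((src, dst, stamp.astimezone(timezone.utc)))
    sent = parsedate_to_datetime(msg["Date"]).astimezone(timezone.utc)
    to = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {"id": msg["Message-ID"], "subject": msg["Subject"],
            "sender": getaddresses([msg["From"]])[0][1],
            "recipients": [addr for _, addr in to],
            "sent_utc": sent, "hops": hops,
            # Date is written by the sending client; Received stamps by servers.
            "skew_s": (hops[0][2] - sent).total_seconds() if hops else None}

def build_timeline(raws):  # order by first server-side stamp, else by Date
    items = [extract_metadata(r) for r in raws]
    return sorted(items, key=lambda i: i["hops"][0][2] if i["hops"] else i["sent_utc"])
```

A large `skew_s`, as in the second constructed message, marks a Date header that disagrees with the receiving server's clock, which is why the timeline is ordered by the server-side stamp.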
Another way to approach the problem of obtaining forensic information regarding email, etc., is to concentrate on the human user. User activity monitors are software systems that allow companies to monitor and store data about user activity. In addition to forensic analysis, GDF offers C-All, our world-class solution for maintaining a watchful presence on any computer network.
GDF has provided expert witnesses in a wide range of civil and criminal legal proceedings.