Email investigation and evidence collection are integral to every eDiscovery and digital forensics case. However, when you collect emails forensically, you have to be careful since the beginning. There are several steps involved in the email investigation process, such as email verification, searching, reporting, etc. that can be impacted by how you collect emails in the first place.
The following are some important points to keep in mind while forensically collecting emails:
Once you have a list of custodians whose emails you have to collect, your first plan might be to acquire their live or current mailbox data. However, collecting emails forensically requires more than just downloading the live mailboxes, as some relevant emails may exist in different locations including secondary devices. Therefore, you must take a multi-pronged approach to cover all possible sources.
One area that you need to look for is email backup and archive files. This is because companies regularly backup their emails as a safety measure and also archive emails on cloud servers.
If a custodian has deleted certain emails from their mailbox, you may find them in the backup or archive files. You may also need to seek access to the downloaded emails on the custodian’s mobile or personal computer in case of a POP account. This can help you to collect emails that are unavailable on the office desktop.
A majority of companies across the globe use Microsoft Exchange with Outlook for email communication. If your client/company uses Outlook configured with Exchange, you should also analyze the following:
| Want to extract mailbox data from inaccessible OST file? Try Stellar Converter for OST software |
When you collect emails from a custodian’s mailbox, you have to ensure that the original files are not affected in any manner. If email collection is handled improperly, it can alter its hash value and even damage important metadata details such as time, status, etc.
Let’s say, you need to collect emails directly from an email client like Outlook. For that, you can implement IMAP commands that are used for manipulating emails or performing different operations on an email server. When you select the desired IMAP folders like Inbox, Sent Items, Drafts, etc. for data collection, the program uses the SELECT IMAP command. It downloads the messages with the FETCH IMAP command. This can update the message flags of the emails, mainly the \Recent (flags an email as “recently” arrived in mailbox) and \Seen (flags an email as read) flags. Considering how important it is in email forensics to collect emails in their unaltered form, you simply can’t afford to disturb the message flags.
To collect emails without interfering with message flags, you have to use the EXAMINE IMAP command to select appropriate folders and the PEEK option in IMAP (BODY.PEEK[]) to download messages in their original form.
For most eDiscovery and email forensic professionals, PST is the typical file format they like to work with. This is because it’s readily supported by a wide range of email analysis software. So, let’s say you are collecting emails from a custodian’s mailbox and have a certain number of emails in another format like MSG. In this situation, you may want to convert these emails into PST format. However, you should also preserve the emails in the native file format.
Native file format is the format in which a document is originally created. For instance, most cloud email services like Gmail and Yahoo Mail transmit emails via IMAP in MIME format. This MIME format is the native format for these platforms.
You are free to convert an email database into a format that you are comfortable working with. However, you should also collect and preserve the database in its native format because:
Documentation is an important part of email collection. Some important details that you should record include case information, email addresses of senders and receivers, dates and times of email transmissions, software and servers used, communication logs, etc. Most importantly, you should calculate and record the hash values such as SHA-2 & MD5 of all emails, as these unique codes will allow you to validate the integrity of each email.
Email forensics is a time-intensive and laborious process. Since every single email involved in a case is important, you can’t afford discrepancies or incomplete information. By using a trusted and powerful email forensic solution like Stellar Email Forensic, you can perform your duties responsibly and achieve quick and reliable resolution.
Interested in checking out the features of Stellar Email Forensic software?
Download the 60-days FREE trial now.
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.
