Email Forensics

Electronic mail is undeniably one of the most common ways people communicate today. Between internal meeting requests, distribution of documents, and general conversation, one would be hard-pressed to find an organization of any size that does not rely heavily on e-mail. Studies have shown that more e-mail is generated every day than phone conversations and paper documents combined!

Computer forensic analysis of e-mail clients and servers has been in the spotlight of civil and criminal cases worldwide. No examination or document discovery is complete without requesting, searching, and organizing e-mail.

New York Computer Forensic Services has the skill set, experience, and tools to ease the burden of analyzing e-mail, from one user's mailbox to hundreds of custodians throughout a massive Microsoft Exchange or Lotus Notes organization. New York Computer Forensic Services has assisted clients in the forensic extraction and analysis of e-mail, contacts, and calendars in a large number of cases.

Identification and Extraction

New York Computer Forensic Services' first step in an e-mail examination is to identify the sources of e-mail and how the e-mail servers and clients are used in an organization. More than just a way of sending messages, e-mail clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars, and many other applications. For instance, New York Computer Forensic Services has seen Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM). In addition, it is certainly not uncommon for the powerful database features of Lotus Notes and Domino Server to be exploited far beyond an e-mail system. Organizations use these powerful, database-enabled e-mail and messaging servers to manage cases, track clients and share data. A skilled, certified Computer Forensic Examiner must know how to identify the extent to which these powerful business tools are being used beyond e-mail.

Many users store their personal calendars and contacts, and even synchronize their e-mail clients with their Personal Digital Assistants (PDAs). Organizations use features like the Free/Busy Connector in MS Exchange to track availability of employees and utilize shared calendars to track appointments and meetings. Computer forensic analysis of the e-mail server and the clients on users' systems often yields a considerable amount of information on the user and the organization itself.

New York Computer Forensic Services can assist in requesting and analyzing e-mail and organizational tools in a forensically sound manner. E-mail computer forensics is more than looking at e-mail messages. The examiner must also be aware of the advanced features and forensic possibilities of each type of e-mail system.

Deleted E-mail

Many users believe that once they delete e-mail from their client, the e-mail is unrecoverable. As a matter of fact, nothing could be further from the truth. E-mails can often be forensically extracted, even after deletion. Furthermore, many users do not grasp that e-mail has a sender and a recipient or multiple recipients. E-mails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. These may also be extracted from the hard disk of the client or the server. New York Computer Forensic Services excels at using forensic techniques and basic common sense to recover deleted e-mail, calendars, and more from users' e-mail clients and e-mail servers.

Web Mail or Web-Based E-mail

New York Computer Forensic Services has found that it is possible to forensically recover e-mail created or received by web-based e-mail systems, as well as from free web-based e-mail services such as Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the e-mail server. The browser inherently caches information to the disk drive in the system used to retrieve or generate the e-mail, thereby effectively saving a copy to the disk. A certified Computer Forensic Services examiner can extract the HTML-based e-mail from the disk drive of the system used to create or retrieve the e-mail messages. Many organizations also have a web-based system for users to retrieve their e-mail while out of the office. An example of these systems is Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser-based Web Mail clients also cache messages to the disk.

Many web-based or web mail services, including Yahoo and Hotmail, have shared calendar services, personal calendars, and contact managers as well as e-mail. Anytime these services are accessed, they may be cached to the disk as well. New York Computer Forensic Services has experienced many instances where important contact information for additional subjects was found after a careful analysis of web e-mail and other web-based services was conducted.

Correlating E-mail Messages

A proper forensic analysis of e-mail yields documents that can be easily correlated by date, subject, recipient or sender, creating a highly understandable map of events and entities. New York Computer Forensic Services takes great pride in our ability to correlate large amounts of data into basic, easy-to-follow presentations. While maintaining the highest standards of forensic soundness, our firm uses specialized tools to link entities, dates, times and events. We ensure that our clients as well as their clients achieve maximum efficiency and the highest quality work product.

Computer forensics is our one and only focus, and we are committed to your satisfaction.

We encourage you to contact us today at 1-800-868-8189 or to discuss your needs in more detail. All information will be kept strictly confidential.

New York Computer Forensic Services, proudly serving the greater New York metropolitan area and worldwide.