Best Practices for Forensic Analysis of Emails

Summary: In this blog, we have discussed best practices that should be followed for the forensic analysis of emails. We have also highlighted how to forensically collect emails across various file formats, such as EDB, OST, PST, MBOX, etc. Finally, we covered how the proper file format should be chosen and how documentation should be maintained during the forensic examination of emails.

Email investigation and evidence collection are integral to every eDiscovery and digital forensics case. However, when collecting emails forensically, you must be careful from the beginning. Several steps involved in the email investigation process, such as email verification, searching, reporting, etc., can be impacted by how you collect emails in the first place.

The following are some important points to keep in mind while forensically collecting emails:

1. Collect Emails from All Sources

Once you have a list of custodians whose emails you have to collect, your first plan might be to acquire their live or current mailbox data. However, collecting emails forensically requires more than just downloading the live mailboxes, as some relevant emails may exist in different locations including secondary devices. Therefore, you must take a multi-pronged approach to cover all possible sources.

One area that you need to look at is email backup and archive files. This is because companies regularly back up their emails as a safety measure and also archive emails on cloud servers.

If the custodian has deleted certain emails from their mailbox, you may find them in the backup or archive files. You may also need to seek access to the downloaded emails on the custodian’s mobile device or personal computer in the case of a POP account, since POP clients download messages locally and may remove them from the server. This can help you to collect emails that are unavailable on the office desktop.

A majority of companies across the globe use Microsoft Exchange with Outlook for email communication. If your client/company uses Outlook configured with Exchange, you should also analyze the following:

2. Ensure Mailbox Integrity isn’t Compromised

When you collect emails from a custodian’s mailbox, you have to ensure that the original files are not affected in any manner. If email collection is handled improperly, it can alter the hash values of the collected files and even damage important metadata details, such as timestamps, read status, etc.

Let us say you need to collect emails directly from an email client like Outlook. For that, the collection tool talks IMAP, the protocol used for reading and manipulating emails on a mail server. When you choose the desired IMAP folders, like Inbox, Sent Items, Drafts, etc., for data collection, a typical program opens each folder with the SELECT IMAP command and downloads the messages with the FETCH IMAP command. This can update the message flags of the emails, mainly the \Recent flag (marks an email as having “recently” arrived in the mailbox) and the \Seen flag (marks an email as read). Considering how important it is in email forensics to collect emails in their unaltered form, you simply cannot afford to disturb the message flags.

To collect emails without interfering with message flags, you have to use the EXAMINE IMAP command, which opens a folder read-only, to select the appropriate folders, and the PEEK option of FETCH (BODY.PEEK[]) to download messages in their original form.
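The following is an added example (not code from this blog or from Stellar) that shows the difference in practice using Python's standard imaplib. Because a real mail server is not available offline, it includes a small fake IMAP server that speaks just enough of the protocol for imaplib and models the side effects described above: SELECT consumes the \Recent flag, a plain BODY[] fetch on a writable mailbox sets \Seen, while EXAMINE and BODY.PEEK[] touch neither. The sample message, the flag model, the "examiner" credentials and the mailbox contents are all constructed assumptions; in a real collection you would point `collect_message` (with `imaplib.IMAP4_SSL`) at the custodian's server.

```python
import email
import hashlib
import imaplib
import socketserver
import threading

# Constructed sample message; a real collection pulls this from the custodian's server.
SAMPLE = (
    b"From: alice@example.test\r\n"
    b"To: bob@example.test\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Hello Bob.\r\n"
)


class FakeIMAPHandler(socketserver.StreamRequestHandler):
    """Speaks just enough IMAP4rev1 for imaplib and models the flag side effects
    (assumed here, matching the text): SELECT consumes \\Recent, BODY[] on a
    writable mailbox sets \\Seen, EXAMINE and BODY.PEEK[] change nothing."""

    def handle(self):
        srv = self.server
        self.wfile.write(b"* OK fake IMAP ready\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            tag, _, rest = line.decode().rstrip("\r\n").partition(" ")
            cmd, _, args = rest.partition(" ")
            cmd = cmd.upper()
            srv.commands.append(cmd)
            out, code = [], ""
            if cmd == "CAPABILITY":
                out.append(b"* CAPABILITY IMAP4rev1")
            elif cmd in ("SELECT", "EXAMINE"):
                srv.readonly = cmd == "EXAMINE"
                if not srv.readonly:          # a writable open consumes \Recent
                    srv.flags.discard("\\Recent")
                out += [b"* 1 EXISTS", b"* %d RECENT" % ("\\Recent" in srv.flags)]
                code = "[READ-ONLY] " if srv.readonly else "[READ-WRITE] "
            elif cmd == "FETCH":
                if "PEEK" not in args.upper() and not srv.readonly:
                    srv.flags.add("\\Seen")   # implicit side effect of BODY[]
                out.append(b"* 1 FETCH (BODY[] {%d}\r\n%s)" % (len(SAMPLE), SAMPLE))
            elif cmd == "LOGOUT":
                out.append(b"* BYE logging out")
            for item in out:
                self.wfile.write(item + b"\r\n")
            self.wfile.write(f"{tag} OK {code}{cmd} completed\r\n".encode())
            if cmd == "LOGOUT":
                return


class FakeIMAPServer(socketserver.TCPServer):
    def __init__(self):
        super().__init__(("127.0.0.1", 0), FakeIMAPHandler)
        self.commands = []            # commands received, in order
        self.flags = {"\\Recent"}     # server-side flags on message 1
        self.readonly = False


def collect_message(host, port, readonly=True, peek=True):
    """Download message 1. readonly=True makes imaplib send EXAMINE instead of
    SELECT; peek=True requests BODY.PEEK[] instead of BODY[]. Returns raw bytes."""
    conn = imaplib.IMAP4(host, port)
    try:
        conn.login("examiner", "placeholder-password")   # placeholder credentials
        typ, _ = conn.select("INBOX", readonly=readonly)
        if typ != "OK":
            raise RuntimeError("mailbox open failed")
        typ, data = conn.fetch("1", "(BODY.PEEK[])" if peek else "(BODY[])")
        if typ != "OK":
            raise RuntimeError("fetch failed")
        return data[0][1]
    finally:
        conn.logout()


def compare_collection_modes():
    """Run a careless SELECT + BODY[] collection and a forensic EXAMINE + BODY.PEEK[]
    collection against fresh fake servers and report what each left behind."""
    results = {}
    for label, readonly, peek in (("select_body", False, False), ("examine_peek", True, True)):
        server = FakeIMAPServer()
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            raw = collect_message(*server.server_address, readonly=readonly, peek=peek)
        finally:
            server.shutdown()
            server.server_close()
        results[label] = {
            "commands": server.commands,
            "flags_after": set(server.flags),
            "sha256": hashlib.sha256(raw).hexdigest(),
            "subject": email.message_from_bytes(raw)["Subject"],
        }
    return results


if __name__ == "__main__":
    for label, info in compare_collection_modes().items():
        print(label, info)
```

Both modes return byte-identical message content, which is exactly why the damage is easy to miss: the change is in the server-side flags, not in the downloaded file. Recording the folder open mode and fetch items used by your tool in the collection log makes that choice auditable later.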

3. Pick the Right Email File Formats

For most eDiscovery and email forensics professionals, PST is the typical file format they like to work with. This is because it is readily supported by a wide range of email analysis software. So, let us say you are collecting emails from a custodian’s mailbox and have a certain number of emails in another format, like MSG. In this situation, you may want to convert these emails into PST format. However, you should also preserve the emails in the native file format.

Native file format is the format in which a document is originally created. For instance, most cloud email services, like Gmail and Yahoo Mail, transmit emails via IMAP in MIME format. This MIME format is the native format for these platforms.

You are free to convert an email database into a format that you are comfortable working with. However, you should also collect and preserve the database in its native format because:

4. Maintain Proper Documentation

Documentation is an important part of email collection. Some important details that you should record include case information, email addresses of senders and receivers, dates and times of email transmissions, software and servers used, communication logs, etc. Most importantly, you should calculate and record the hash values, such as SHA-1 and MD5, of all emails, as these unique values will allow you to validate the integrity of each email later.
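As an added example (not part of the original post or of Stellar's product), the script below builds a per-message hash manifest for an MBOX collection with Python's standard mailbox module and then re-verifies the archive against that manifest, flagging any message whose bytes changed. The two-message mbox, the header fields chosen for the manifest and the tampering step are constructed for the demonstration; the manifest is written as JSON so it can be filed with the case record.

```python
import email
import hashlib
import json
import mailbox
import os
import tempfile

# Constructed two-message mbox; in a real case this is the collected archive.
SAMPLE_MBOX = (
    b"From alice@example.test Mon Jan  1 10:00:00 2024\n"
    b"From: alice@example.test\nTo: bob@example.test\n"
    b"Message-ID: <one@example.test>\nSubject: first\n\nFirst body\n\n"
    b"From bob@example.test Mon Jan  1 11:00:00 2024\n"
    b"From: bob@example.test\nTo: alice@example.test\n"
    b"Message-ID: <two@example.test>\nSubject: second\n\nSecond body\n\n"
)

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_mbox(path):
    """One manifest record per message: identifying headers plus hashes of the
    message's raw bytes as stored in the mbox (the 'From ' separator excluded)."""
    box = mailbox.mbox(path, create=False)
    try:
        records = []
        for key in box.keys():
            raw = box.get_bytes(key)
            hdr = email.message_from_bytes(raw)
            rec = {"index": key, "message_id": hdr["Message-ID"],
                   "from": hdr["From"], "subject": hdr["Subject"]}
            rec.update({alg: hashlib.new(alg, raw).hexdigest() for alg in ALGORITHMS})
            records.append(rec)
        return records
    finally:
        box.close()


def verify_manifest(path, manifest):
    """Re-hash the mbox and return the indexes of messages that are missing or
    whose hashes no longer match the recorded manifest."""
    current = {r["index"]: r for r in hash_mbox(path)}
    bad = []
    for rec in manifest:
        now = current.get(rec["index"])
        if now is None or any(now[alg] != rec[alg] for alg in ALGORITHMS):
            bad.append(rec["index"])
    return bad


def demo():
    """Write the sample mbox, record its manifest, verify it, then alter one
    byte of the second message and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "custodian.mbox")
        with open(path, "wb") as f:
            f.write(SAMPLE_MBOX)
        manifest = hash_mbox(path)
        with open(os.path.join(tmp, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        clean = verify_manifest(path, manifest)
        with open(path, "rb") as f:
            data = f.read()
        with open(path, "wb") as f:            # simulated post-collection change
            f.write(data.replace(b"Second body", b"Second bodY"))
        tampered = verify_manifest(path, manifest)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("mismatches before tampering:", clean)
    print("mismatches after tampering:", tampered)
```

Hashing each message individually, rather than only the whole archive file, lets you state which specific email changed rather than merely that the container did.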

Conclusion

Email forensics is a time-intensive and laborious process. Since every single email involved in a case is important, you cannot afford discrepancies or incomplete information. By using trusted and powerful eDiscovery email forensics software, like Stellar Email Forensic, you can perform your duties responsibly and achieve quick and reliable results.

Interested in checking out the features of Stellar Email Forensics software?

