Summary: This blog discusses email evidence and how the different kinds of email evidence can be extracted with Stellar Email Forensic software. It also covers some of the software's advanced features, such as keyword search, log management, email header analysis, and regular expression search.
Email is a primary vector for phishing attacks and data breaches. So, when a cybercrime occurs in your organization, it becomes crucial to scan and examine the mailboxes of the relevant employees to collect and analyze evidence.
If you have no experience conducting email investigations and don’t know how to collect email evidence properly, there is no need to worry. This blog explains how to recover and analyze evidence forensically with an easy-to-use eDiscovery tool – Stellar Email Forensic.
What is Email Evidence?
To extract important data from email files for evidence collection, you need to know a few things about email evidence first. These are:
- Broad Scope: Most of the details needed to investigate a case and reach a conclusive outcome are found in the subject and body of emails. However, evidence can also be found in attachments and message headers, so cover every possible source of evidence during the investigation.
- Deleted Emails: People involved in misconduct in your organization may delete messages that could be held against them. If you suspect an employee has deleted emails from their mailbox, you need to recover them. Stellar Email Forensic can recover deleted emails so they can be stored safely as evidence.
- Evidence Preservation: An email can be treated as evidence only if it is collected forensically, using proper techniques. If you are not careful while extracting evidence, you may accidentally spoil it by modifying important metadata such as timestamps or read status, or by altering the hash values needed to authenticate those messages. Work on a forensic copy of the mail store, record a hash (for example SHA-256) of each file at acquisition, and re-verify it before analysis and again before export.
Stellar Email Forensic is used to find email evidence in a wide range of email data files:
- Mail files: These include mailbox and mail-store files found on local machines and servers, in formats such as EDB, PST, OST, DBX, NSF, MBOX, OLM, TBB, EML, and many more.
- Backup files: These include Windows backup files in formats such as .BKF, .VHDX, and .FD.
- Web mailboxes: These include web-based mailboxes on Office 365, Gmail, Yahoo Mail, and other popular email platforms.
To import an email file into Stellar Email Forensic, you first need to create a case. Once the case is created, you can add the desired files to it by clicking the Add button under the File ribbon [See Figure 2].
After you add an email file or web-based mailbox to the program, the email folders appear in the left pane, the list of emails in the middle pane, and the different views (HTML, Internet Header, Hex, RTF, Attachment, etc.) in the right pane. These panes make it easy to find the information you need for the investigation.
Advanced functionality of Stellar Email Forensic software
1. Keywords tab
After email files are added, you can search the database for evidence by keyword. Select the Keywords tab from the Navigation Pane and add the desired keywords [See Figure 3]. If you already have a list of keywords, you can import it as a CSV file.
2. Advanced Search Functions
You can also scan email files with advanced search functions. The software provides three options:
- Boolean Search: Combines multiple keywords with the operators AND, OR, and NOT.
- Regular Expression Search: Uses a pattern (for example for email addresses, URLs, or dates and times) to find matching text in emails.
- Simple Search: Use this option when you want the query matched literally rather than interpreted as a Boolean expression or a regular expression, for example when searching for a string that contains +, *, or parentheses.
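The three search modes map onto a few dozen lines of Python. The following is an added example, not code from Stellar Email Forensic or from the original post. The message set is constructed, and the Boolean grammar (NOT binds tighter than AND, AND tighter than OR, parentheses allowed, operators must be written explicitly) is an assumption about how such a search is commonly interpreted, not a description of the product's own parser.

```python
import re

# Constructed sample messages for illustration; not real mail data.
MESSAGES = [
    {"id": 1, "subject": "Q3 invoice", "body": "Please wire 4,800 EUR to the new account by Friday."},
    {"id": 2, "subject": "Lunch?", "body": "Invoice from the caterer attached, this is a test."},
    {"id": 3, "subject": "Re: wire transfer", "body": "Bank details changed, call me at +44 7700 900123."},
    {"id": 4, "subject": "Holiday photos", "body": "See attached. Link: https://photos.example.net/a1b2"},
]


def _text(msg):
    """Subject and body as one searchable string."""
    return f"{msg['subject']}\n{msg['body']}"


def simple_search(messages, term):
    """Literal, case-insensitive substring match; the query is never interpreted,
    so '+44' or 'a.b(c)' are searched for exactly as typed."""
    t = term.lower()
    return [m["id"] for m in messages if t in _text(m).lower()]


def regex_search(messages, pattern):
    """Pattern match across subject and body; invalid patterns raise re.error."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [m["id"] for m in messages if rx.search(_text(m))]


# Assumed Boolean grammar (precedence: NOT > AND > OR, parentheses allowed):
#   expr   := term ("OR" term)*
#   term   := factor ("AND" factor)*
#   factor := "NOT" factor | "(" expr ")" | WORD
def _tokenize(query):
    return re.findall(r"\(|\)|[^\s()]+", query)


def _parse_expr(tokens, pos):
    left, pos = _parse_term(tokens, pos)
    while pos < len(tokens) and tokens[pos].upper() == "OR":
        right, pos = _parse_term(tokens, pos + 1)
        left = (lambda t, l=left, r=right: l(t) or r(t))
    return left, pos


def _parse_term(tokens, pos):
    left, pos = _parse_factor(tokens, pos)
    while pos < len(tokens) and tokens[pos].upper() == "AND":
        right, pos = _parse_factor(tokens, pos + 1)
        left = (lambda t, l=left, r=right: l(t) and r(t))
    return left, pos


def _parse_factor(tokens, pos):
    if pos >= len(tokens):
        raise ValueError("unexpected end of query")
    tok = tokens[pos]
    if tok.upper() == "NOT":
        inner, pos = _parse_factor(tokens, pos + 1)
        return (lambda t, f=inner: not f(t)), pos
    if tok == "(":
        inner, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing ')'")
        return inner, pos + 1
    if tok == ")" or tok.upper() in ("AND", "OR"):
        raise ValueError(f"unexpected token {tok!r}")
    word = tok.lower()
    return (lambda t, w=word: w in t), pos + 1


def boolean_search(messages, query):
    """Compile the query into a predicate once, then apply it to every message."""
    tokens = _tokenize(query)
    pred, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens: {tokens[pos:]}")
    return [m["id"] for m in messages if pred(_text(m).lower())]


if __name__ == "__main__":
    print("simple  '+44'           ->", simple_search(MESSAGES, "+44"))
    print("regex   phone number    ->", regex_search(MESSAGES, r"\+\d{2}\s?\d{4}\s?\d{6}"))
    print("boolean invoice/wire    ->", boolean_search(MESSAGES, "(invoice OR wire) AND NOT test"))
```

The difference between the modes shows up on a query like `+44`: the simple search finds the phone number in message 3, while the same string handed to the regex engine is a syntax error, because `+` has nothing to repeat. That is exactly the case where the text above tells you to switch to Simple Search.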
3. Log Management
Once you have narrowed the results with the functions above, review the emails manually to identify those that can be used as evidence. You can then categorize them with descriptive tags and export them in formats such as PDF or plain text to store as evidence.
Apart from tagged emails, you can also export logs that record the events of the investigation. Click the View Logs button under the File ribbon and export the details of the relevant events as plain text or CSV files [See Figure 4].
Keywords and search functions can help you find smoking guns quickly. For an in-depth investigation, however, you need to look beyond the message body.
4. Email Header
The email header is an essential component, and its significance in email forensics cannot be overlooked. It can reveal details about the sender and recipient, the hostnames and IP addresses of the relays the message passed through, the email client used (User-Agent or X-Mailer), a timestamp for each hop, the Message-ID, custom X-headers, and the authentication results (SPF, DKIM, DMARC) recorded by the receiving server. Two caveats apply. Each relay prepends its own Received line, so read the chain from the bottom up, and only the Received lines added by servers you control can be trusted; everything below them was written on the sender's side and can be forged. Sender location is not in the header itself but is inferred by geolocating the originating IP address, and MX records come from a DNS lookup of the sender's domain, not from the message.
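To make the header points concrete, and to show the hash check called for under Evidence Preservation above, here is an added Python example; it is not code from Stellar Email Forensic or from the original post. The raw message, hostnames and IP addresses are constructed from reserved documentation ranges, and the set of trusted hosts is an assumed input that an investigator would fill in with their own mail servers.

```python
import hashlib
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message; every host, address and IP uses reserved
# documentation names and ranges and is not real.
RAW_EML = b"""\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
    by mail.corp.example with ESMTPS id 7d8c9e; Mon, 4 Mar 2024 09:15:42 +0000
Received: from relay.sender-isp.example (relay.sender-isp.example [198.51.100.25])
    by mx.corp.example with ESMTP id a1b2c3; Mon, 4 Mar 2024 09:15:40 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
    by relay.sender-isp.example with ESMTPA id f00d; Mon, 4 Mar 2024 09:15:31 +0000
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=finance.example
Message-ID: <20240304091531.12345@relay.sender-isp.example>
Date: Mon, 4 Mar 2024 09:15:30 +0000
From: "CFO" <cfo@finance.example>
Reply-To: cfo.finance@webmail.example
To: accounts@corp.example
Subject: Urgent wire transfer
X-Mailer: Microsoft Outlook 16.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Please process the attached payment today.
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def sha256_of(raw: bytes) -> str:
    """Hash the untouched acquisition copy; recompute later to prove it is unchanged."""
    return hashlib.sha256(raw).hexdigest()


def received_chain(msg):
    """Hops in transit order (origin first). Each relay prepends its own Received
    header, so the last Received in the message is the hop nearest the sender."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())  # unfold continuation lines
        m_from = re.search(r"^from (\S+)", text)
        m_by = re.search(r"\bby (\S+)", text)
        ips = IP_RE.findall(text)
        date = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "from_ip": ips[0] if ips else None,
            "by": m_by.group(1) if m_by else None,
            "time": parsedate_to_datetime(date) if date else None,
        })
    return hops


def trusted_hops(hops, trusted_hosts):
    """Only hops stamped 'by' a server you control are trustworthy; earlier hops
    were written on the sender's side and can be forged."""
    return [h for h in hops if h["by"] in trusted_hosts]


def summarize(raw: bytes, trusted_hosts):
    """Pull the header facts an investigator records first, plus the integrity hash."""
    msg = message_from_bytes(raw)
    hops = received_chain(msg)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    spf = re.search(r"\bspf=(\w+)", msg.get("Authentication-Results", ""))
    return {
        "sha256": sha256_of(raw),
        "message_id": msg.get("Message-ID"),
        "from": from_addr,
        "reply_to": reply_to,
        # A Reply-To on a different domain than From is a classic BEC indicator.
        "reply_to_mismatch": bool(reply_to) and reply_to.split("@")[-1] != from_addr.split("@")[-1],
        "spf": spf.group(1) if spf else None,
        "x_mailer": msg.get("X-Mailer"),
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "hops": hops,
        "trusted_hops": trusted_hops(hops, trusted_hosts),
        "x_headers": sorted(k for k in msg.keys() if k.lower().startswith("x-")),
    }


if __name__ == "__main__":
    # Assumed list of the investigating organisation's own mail servers.
    s = summarize(RAW_EML, {"mx.corp.example", "mail.corp.example"})
    print("sha256     :", s["sha256"])
    print("origin IP  :", s["origin_ip"], "(geolocate separately; not in the header)")
    print("spf result :", s["spf"], "| reply-to mismatch:", s["reply_to_mismatch"])
    for h in s["hops"]:
        print(f"  {h['time']:%H:%M:%S}  {h['from']:<28} -> {h['by']}")
```

The origin IP (192.0.2.77) comes from the bottom-most Received line, which the sender's own relay wrote; the two hops stamped by mx.corp.example and mail.corp.example are the only ones whose timestamps and addresses the investigator can vouch for. The SHA-256 of the raw bytes is what you compare against the value recorded at acquisition before relying on any of this.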
5. Media Tab
Critical evidence can also be found in email attachments, so they must be examined during the investigation without fail. Stellar Email Forensic lets you easily identify attachments such as audio files, documents, and images in sent and received emails. It also groups attachments by file type and displays details such as file name, source file path, and file size.
Email investigation is a time-intensive, laborious task with no room for error. You need to take the proper steps to collect every essential piece of evidence. Stellar Email Forensic, an advanced eDiscovery and email investigation tool, is reliable, fast, and accurate, and it can help you forensically collect email evidence at scale in a form that is accurate and court-admissible.