Best Practices for Forensic Analysis of Emails
Summary: In this blog, we have discussed best practices that should be followed for the forensic analysis of emails. We have also highlighted how we can forensically collect emails across various file formats, such as EDB, OST, PST, MBOX, etc. Finally, we mentioned how proper file format should be documented and maintained during the forensic examination of emails.
Email investigation and evidence collection are integral to every eDiscovery and digital forensics case. However, when collecting emails forensically, you must be careful from the beginning. Several steps involved in the email investigation process, such as email verification, searching, reporting, etc., can be impacted by how you collect emails in the first place.
The following are some important points to keep in mind while forensically collecting emails:
1. Collect Emails from All Sources
Once you have a list of custodians whose emails you have to collect, your first plan might be to acquire their live or current mailbox data. However, collecting emails forensically requires more than just downloading the live mailboxes, as some relevant emails may exist in different locations including secondary devices. Therefore, you must take a multi-pronged approach to cover all possible sources.
One area that you need to look for is email backup and archive files. This is because companies regularly backup their emails as a safety measure and also archive emails on cloud servers.
If the custodian has deleted certain emails from their mailbox, you may find them in the backup or archive files. You may also need to seek access to the downloaded emails on the custodian’s mobile or personal computer in case of a POP account. This can help you to collect emails that are unavailable on the office desktop.
A majority of companies across the globe use Microsoft Exchange with Outlook for email communication. If your client/company uses Outlook configured with Exchange, you should also analyze the following:
- Exchange Database (EDB): Each person who works in the organization has a user account created on Exchange Server. You can find the details of each employee’s email messages in the mailboxes stored in the EDB.
- Outlook Offline Storage Table (OST): OST is an Offline Outlook data file that stores a synchronized copy of the mailbox data on the local storage. Emails stored in OST may not synchronize with the mailbox on Exchange Server due to reasons like lost Internet connectivity, user mail account deletion from Exchange, etc. So, at times, you may need to extract this unsynchronized mailbox data from inaccessible or orphan OST files.
- Outlook Personal Storage Table (PST): Outlook data file (PST) stores emails and other files on a local computer. It is commonly used in POP accounts provided by ISPs. IMAP accounts in Outlook 2013 and earlier versions also used PST files for archiving mailboxes from EDB. It is important to scan PST files because you may find some emails in them that don’t exist in the EDB or OST files.
- Outlook MSG File: MSG is a mail message file that is used by Microsoft Outlook and Exchange. MSG file contains an email message, contact, or task created within Outlook. Such files can be saved on a computer directly i.e. separated from the main email database. You can scan the MSG file to see if it contains any relevant information.
2. Ensure Mailbox Integrity isn’t Compromised
When you collect emails from a custodian’s mailbox, you have to ensure that the original files are not affected in any manner. If email collection is handled improperly, it can alter its hash value and even damage important metadata details, such as time, status, etc.
Let us say, you need to collect emails directly from an email client like Outlook. For that, you can implement IMAP commands that are used for manipulating emails or performing different operations on an email server. When you select the desired IMAP folders, like Inbox, Sent Items, Drafts, etc. for data collection, the program uses the SELECT IMAP command. It downloads the messages with the FETCH IMAP command. This can update the message flags of the emails, mainly the \Recent (flags an email as “recently” arrived in the mailbox) and \Seen (flags an email as read) flags. Considering how important it is in email forensics to collect emails in their unaltered form, you simply cannot afford to disturb the message flags.
To collect emails without interfering with message flags, you have to use the EXAMINE IMAP command to select appropriate folders and the PEEK option in IMAP (BODY.PEEK) to download messages in their original form.
3. Pick Right Email File Formats
For most eDiscovery and email forensics professionals, PST is the typical file format they like to work with. This is because it is readily supported by a wide range of email analysis software. So, let us say you are collecting emails from a custodian’s mailbox and have a certain number of emails in another format, like MSG. In this situation, you may want to convert these emails into PST format. However, you should also preserve the emails in the native file format.
Native file format is the format in which a document is originally created. For instance, most cloud email services, like Gmail and Yahoo Mail, transmit emails via IMAP in MIME format. This MIME format is the native format for these platforms.
You are free to convert an email database into a format that you are comfortable working with. However, you should also collect and preserve the database in its native format because:
- Native files are “original” documents that may be required as court permissible evidence.
- When you convert an email file into a different format, you risk losing some file details in the process.
4. Maintain Proper Documentation
Documentation is an important part of email collection. Some important details that you should record include case information, email addresses of senders and receivers, dates and times of email transmissions, software and servers used, communication logs, etc. Most importantly, you should calculate and record the hash values, such as SHA1 and MD5 of all emails, as these unique codes will allow you to validate the integrity of each email.
Email forensics is a time-intensive and laborious process. Since every single email involved in a case is important, you cannot afford discrepancies or incomplete information. By using a trusted and powerful eDiscovery email forensics software, like Stellar Email Forensic, you can perform your duties responsibly and achieve quick and reliable solution.
Interested in checking out the features of Stellar Email Forensics software?
Download the 60-day FREE trial now.