Best Practices for Collecting Emails Forensically

Email investigation and evidence collection are integral to every eDiscovery and digital forensics case. However, when you collect emails forensically, you have to be careful since the beginning. There are several steps involved in the email investigation process, such as email verification, searching, reporting, etc. that can be impacted by how you collect emails in the first place.

The following are some important points to keep in mind while forensically collecting emails:

1. Collect Emails from All Sources

Once you have a list of custodians whose emails you have to collect, your first plan might be to acquire their live or current mailbox data. However, collecting emails forensically requires more than just downloading the live mailboxes, as some relevant emails may exist in different locations including secondary devices. Therefore, you must take a multi-pronged approach to cover all possible sources.

One area that you need to look for is email backup and archive files. This is because companies regularly backup their emails as a safety measure and also archive emails on cloud servers. 

If a custodian has deleted certain emails from their mailbox, you may find them in the backup or archive files. You may also need to seek access to the downloaded emails on the custodian’s mobile or personal computer in case of a POP account. This can help you to collect emails that are unavailable on the office desktop. 

A majority of companies across the globe use Microsoft Exchange with Outlook for email communication. If your client/company uses Outlook configured with Exchange, you should also analyze the following:

  • Exchange Database (EDB): Each person who works in the organization has a user account created on Exchange Server. You can find the details of each employee’s email messages in the mailboxes stored in the EDB.
  • Outlook Offline Storage Table (OST): OST is an Offline Outlook Data File that stores a synchronized copy of the mailbox data in IMAP, Microsoft 365, Exchange, and Outlook.com accounts. Emails stored in OST may not synchronize with mailbox on Exchange Server due to reasons like lost Internet connectivity, user mail account deletion from Exchange, etc. So, at times, you may need to extract this unsynchronized mailbox data from the inaccessible or orphan OST files.
Want to extract mailbox data from inaccessible OST file? Try Stellar Converter for OST software
  • Outlook Personal Storage Table (PST): Outlook data file (PST) stores emails and other files on a local computer. It’s commonly used in POP accounts provided by ISPs. IMAP accounts in Outlook 2013 and earlier versions also used PST files for archiving mailboxes from EDB. It’s important to scan PST file because you may find some emails in them that don’t exist in the EDB or OST files.
  • Outlook MSG File: MSG is a mail message file that’s used by Microsoft Outlook and Exchange. MSG file contains an email message, contact, or task created within Outlook. Such files can be saved on a computer directly i.e. separated from the main email database. So, you can scan a MSG file to see if it contains any relevant information.

2. Ensure Mailbox Integrity isn’t Compromised

When you collect emails from a custodian’s mailbox, you have to ensure that the original files are not affected in any manner. If email collection is handled improperly, it can alter its hash value and even damage important metadata details such as time, status, etc.

Let’s say, you need to collect emails directly from an email client like Outlook. For that, you can implement IMAP commands that are used for manipulating emails or performing different operations on an email server. When you select the desired IMAP folders like Inbox, Sent Items, Drafts, etc. for data collection, the program uses the SELECT IMAP command. It downloads the messages with the FETCH IMAP command. This can update the message flags of the emails, mainly the \Recent (flags an email as “recently” arrived in mailbox) and \Seen (flags an email as read) flags. Considering how important it is in email forensics to collect emails in their unaltered form, you simply can’t afford to disturb the message flags.

To collect emails without interfering with message flags, you have to use the EXAMINE IMAP command to select appropriate folders and the PEEK option in IMAP (BODY.PEEK[]) to download messages in their original form.

3. Pick Right Email File Formats

For most eDiscovery and email forensic professionals, PST is the typical file format they like to work with. This is because it’s readily supported by a wide range of email analysis software. So, let’s say you are collecting emails from a custodian’s mailbox and have a certain number of emails in another format like MSG. In this situation, you may want to convert these emails into PST format. However, you should also preserve the emails in the native file format.

Native file format is the format in which a document is originally created. For instance, most cloud email services like Gmail and Yahoo Mail transmit emails via IMAP in MIME format. This MIME format is the native format for these platforms.

You are free to convert an email database into a format that you are comfortable working with. However, you should also collect and preserve the database in its native format because:

  • Native files are “original” documents that may be required as court permissible evidence
  • When you convert an email file into a different format, you risk losing some file details in the process

4. Maintain Proper Documentation

Documentation is an important part of email collection. Some important details that you should record include case information, email addresses of senders and receivers, dates and times of email transmissions, software and servers used, communication logs, etc. Most importantly, you should calculate and record the hash values such as SHA-2 & MD5 of all emails, as these unique codes will allow you to validate the integrity of each email.

Conclusion

Email forensics is a time-intensive and laborious process. Since every single email involved in a case is important, you can’t afford discrepancies or incomplete information. By using a trusted and powerful email forensic solution like Stellar Email Forensic, you can perform your duties responsibly and achieve quick and reliable resolution.

Interested in checking out the features of Stellar Email Forensic software?

Download the 60-days FREE trial now.