Approaches to Filter Emails for eDiscovery and Forensic Investigation

Summary: In this blog, we have discussed two methods to filter emails during email forensics investigation. We have also talked about the advantages and disadvantages of these two approaches. Apart from this, we have also highlighted the utility of using an efficient Email forensics software, like Stellar Email Forensics.

TRY 60 DAYS FREE

When you collect mailboxes for eDiscovery and digital forensics investigation, you need to search and filter the emails and other details. Email filtering helps you save considerable time and costs. In addition, it helps overcome privacy issues that stop collecting certain emails for forensic investigation. 

There are two methods to filter emails during email forensics investigation – Collecting First, Filtering Later, and Filtering First, Collecting Later.

Let us take a closer look at both methods and their advantages and disadvantages.

Method 1: Collecting First, Filtering Later

In this approach, forensic investigators start with collecting all the mailboxes. After collecting these mailboxes, they import them into an advanced eDiscovery and email forensics software, such as Stellar Email Forensic. This software comes with a 60-day trial period. The entire software’s features are available in the trial version itself. With an easy-to-use manual available on the website, you can search and filter the relevant emails in a short time and perform subsequent steps, such as processing, reviewing, and generating reports.

Advantages:

The following are some advantages of this method:

• Sometimes, the requirements and scope of a case change after you start an investigation. You may need to collect additional emails from the mailboxes when this happens. If you already have access to entire mailboxes, you can efficiently perform new or revised searches and collect additional emails.
• When you filter emails with comprehensive email forensics tools, such as Stellar Email Forensic, you can efficiently perform advanced searches with functions like Boolean Search or Regular Expression Search. Stellar Email Forensic is an advanced eDiscovery and email investigation software that analyzes and investigates mailbox data of various email clients, email services (such as Exchange, Office 365, GroupWise Server, Google Mail, Notes, etc.), and email backup files with 100% accuracy. In other words, it is an advanced software for email search, which supports investigation at the granular level and helps in digital evidence collection. Apart from this, you can also filter attachments based on file types. This way, you can quickly find the relevant data with great accuracy.
• Stellar Email Forensics generates customized litigation reports; hence it preserves the evidence in a legally acceptable format. The evidence is preserved with MD5 and SHA1 hash values while extracting and analyzing the data.

Disadvantages:

The following are some disadvantages of this method:

• Collecting entire mailboxes can be cumbersome and time-consuming. If there are several mailboxes, you may end up spending hours collecting all of them.
• Specific mailboxes may contain sensitive or confidential information you are not authorized to access. Collecting mailboxes entirely, i.e., without filtering confidential emails, may violate certain conditions.

Method 2: Filtering First, Collecting Later 

In this method, you first perform mailbox searches directly using the built-in search functions of email services and products. Email clients, such as Office 365, Gmail, Outlook, etc., provide various search options. Afterward, you can collect emails that are relevant to the forensic investigation.

Advantages:

The following are some advantages of this method:

• Filtering emails first can save you a lot of time as you can perform searches directly on the mailbox and collect the limited emails you need.
• Due to privacy concerns, you may have been directed not to collect an entire mailbox. In that case, collecting particular messages sent between specific date ranges and only by certain individuals should be your priority.

Disadvantages:

The following are some disadvantages of this method:

• If the scope of your investigation expands later, you may again need the mailboxes involved and perform a new or revised search. This is time-consuming and a waste of resources.
• Search capabilities are limited even in top email services like Gmail and Office 365. You have to use keyword searches, and it isn’t easy to perform advanced searches that are more targeted toward your desired information. So, there is a good chance that you may miss important emails in your search.
• Search syntax varies from one email service to another. For instance, Gmail’s search syntax differs from the Advanced Query Syntax (AQS) used in Microsoft Exchange Web Services. You need to learn all these different syntaxes and commands to search and filter emails for forensic investigation. Stellar Email Forensic is one tool that helps filter, even from webmail service providers, such as Gmail, Yahoo Mail, Office 365, etc.

Method	Pros	Cons
Method 1: Collecting first, filtering later	Performing a new search is easy, as you have access to the entire mailboxes. In addition, an Enterprise-grade eDiscovery email forensic tool, such as Stellar Email Forensic, offers advanced search functions that make the searching task very easy.	Collecting entire mailboxes is time-consuming. This can create problems when there are privacy concerns or time constraints.
Method 2: Filtering first, collecting later	Saves time during email collection. At the same time, privacy concerns and time constraints can be addressed.	Collecting additional emails that exist in source mailboxes requires re-acquisition of the mailboxes, which can further create unnecessary delays in the investigation process. Performing searches in email platforms gives you limited search functions and tools. There is a learning curve with different email platforms, which follow different search syntax and commands.

Conclusion

Filtering and searching emails before or after forensic collection have specific pros and cons. For example, suppose there are privacy concerns or other restrictions while preserving the entire mailboxes. In that case, you may have to perform searches on the original mailboxes first, following the organization’s security protocol. However, if you can collect the entire mailboxes and access the complete database, it is better to collect them first and then perform filtering and searching on those mailboxes.

Need a powerful email forensics software that can easily search and filter emails for forensic investigation? Check out Stellar Email Forensic! It supports more than 25 standard email file formats, such as EDB, PST, OST, DBX, NSF, MBOX, OLM, etc. In addition, it offers deleted email recovery and has a facility for case management during criminal investigations with the support of tagging, bookmarking, and log management. Download it now!