When you collect mailboxes for eDiscovery or digital forensic investigations, you need to search and filter their contents and other details. Email filtering saves considerable time and cost. It also helps you work around privacy restrictions that stop you from collecting certain emails for forensic investigation. There are two methods to filter emails during an email forensic investigation: "Collecting First, Filtering Later" and "Filtering First, Collecting Later".
Let’s take a closer look at both methods, along with their advantages and disadvantages.
First, collect all the mailboxes. Then import them into an eDiscovery or email forensic tool, such as Stellar Email Forensic. The software comes with a 60-day trial period, and all of its features are available in the trial version. With an easy-to-use manual available on the website, you can search and filter the relevant emails in a short time and perform subsequent steps, such as processing, reviewing, and generating reports.
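The collect-first workflow described above, as an added Python example (not code from Stellar or its product): it filters a working copy of a collected mailbox by sender, date range and keyword, hashes each responsive message, and sets aside messages whose date cannot be parsed. It assumes the mailbox was exported as MBOX; the sample messages are constructed, and `write_sample`, `text_of` and `filter_mbox` are hypothetical names.

```python
import hashlib
import mailbox
import tempfile
from datetime import timezone
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_MBOX = (  # constructed sample standing in for a working copy of a collected mailbox
    "From alice@example.com Mon Mar  4 09:15:00 2024\nFrom: Alice <alice@example.com>\n"
    "Subject: Q1 invoice\nDate: Mon, 04 Mar 2024 09:15:00 +0000\n\n"
    "Please approve the invoice for Project Falcon.\n\n"
    "From carol@example.com Tue Apr  9 17:40:00 2024\nFrom: carol@example.com\n"
    "Subject: Lunch\nDate: Tue, 09 Apr 2024 17:40:00 +0000\n\n"
    "Are you free on Friday?\n\n"
    "From alice@example.com Thu Jan  1 00:00:00 1970\nFrom: alice@example.com\n"
    "Subject: Falcon draft\nDate: not-a-date\n\n"
    "Draft attached.\n\n"
)

def write_sample():  # writes the constructed mailbox to a temp file and returns its path
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return fh.name

def text_of(msg):
    """Subject plus decoded text parts (base64/QP undone; charset assumed UTF-8)."""
    body = b"\n".join(p.get_payload(decode=True) or b"" for p in msg.walk()
                      if p.get_content_maintype() == "text")
    return str(msg.get("Subject", "")) + "\n" + body.decode("utf-8", "replace")

def filter_mbox(path, sender=None, start=None, end=None, keyword=None):
    """Return (hits, undated); undated holds matches whose Date cannot be checked."""
    hits, undated, box = [], [], mailbox.mbox(path, create=False)
    for key, msg in box.iteritems():
        if sender and parseaddr(str(msg.get("From", "")))[1].lower() != sender.lower():
            continue
        if keyword and keyword.lower() not in text_of(msg).lower():
            continue
        row = {"subject": str(msg.get("Subject", "")),
               "sha256": hashlib.sha256(box.get_bytes(key)).hexdigest()}
        try:
            sent = parsedate_to_datetime(str(msg.get("Date", "")))
            sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)  # naive: treat as UTC
        except (TypeError, ValueError):
            sent = None
        if (start or end) and sent is None:
            undated.append(row)  # cannot be date-tested: keep for manual review
        elif not ((start and sent < start) or (end and sent > end)):
            hits.append(row)
    box.close()
    return hits, undated
```

Because the full mailbox is on hand, a new search is just another call to `filter_mbox` with different criteria, with no need to return to the source system.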
The following are some advantages of this method:
The following are some disadvantages of this method:
In this method, you first perform searches on the mailboxes directly, using the built-in search functions of email services and products. Email services and clients such as Office 365, Gmail, and Outlook provide search options. Afterward, you collect only the emails that are relevant to your investigation.
The following are some advantages of this method:
The following are some disadvantages of this method:
| Method | Pros | Cons |
| --- | --- | --- |
| Method 1: Collecting first, filtering later | Performing a new search is easy, as you have access to the entire set of mailboxes. Enterprise-grade email forensic tools offer advanced search functions that make searching very easy. | Collecting entire mailboxes is time-consuming. This can create problems when there are privacy concerns or time constraints. |
| Method 2: Filtering first, collecting later | Saves time during email collection. At the same time, privacy concerns and time constraints can be addressed. | Collecting additional emails that exist in the source mailboxes requires re-acquisition of the mailboxes, which can create unnecessary delays in the investigation process. Performing searches first in email platforms gives you limited search functions and tools. There is a learning curve with different email platforms, as each one follows different search syntax and commands. |
Filtering and searching emails before forensic collection and doing so after it each have specific pros and cons. If privacy concerns or other restrictions prevent you from preserving entire mailboxes, you may have to perform searches on the original mailboxes first, following the security protocol of the organization. However, if you can collect the entire mailboxes and access the complete database, it is better to collect the mailboxes first and then perform filtering and searching on them.
Need a powerful email forensic solution that can search and filter emails for forensic investigation easily? Check out Stellar Email Forensic! It supports 25+ common email file formats, such as EDB, PST, OST, DBX, NSF, MBOX, OLM, etc. It offers deleted email recovery and also has a case management facility. Download it now and use it for free for up to 60 days!
Abhinav Sethi is a Senior Writer at Stellar. He writes articles, blog posts, knowledge-bases, case studies, etc. for different technologies. He also has a keen interest in digital forensics and helps forward-thinking companies fight different threats with apt solutions.