Email forensics is the practice of collecting, analyzing and reporting on digital information in a way that is legally admissible. It can be used in the detection and prevention of crime and in any dispute where evidence is stored digitally. E-mail has become the most important application on the internet for communicating messages, delivering documents and carrying out transactions, and it is used not only from computers but from many other electronic devices such as mobile phones. Over the years, e-mail protocols have been hardened through several security extensions and procedures. However, cybercriminals continue to misuse e-mail for illegitimate purposes. Because email is so pervasive, email forensics has become a significant field.
Email is the most widely used form of communication for businesses and individuals today, and it is frequently exposed to illegitimate use. If you are a forensic investigator, you will probably need to be able to determine whether an email has been falsified. This article explores a few basic methods for gathering and analyzing data in an email investigation and forensic analysis.
Many Sources for Email Evidence
Erasing or deleting an email doesn’t necessarily mean that an email is gone forever. Emails can often be extracted after deletion. Additionally, it is common for organizations, like banks or brokerage firms, to have retention policies in place, or even email archiving for regulatory purposes, storing email evidence for years in a searchable, retrievable format. Emails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. Further, with the rise of mobile devices, emails can exist in multiple locations, not just on a desktop or laptop computer.
Escort Cyber Forensics has recovered emails from all types of computer systems, servers, webmail systems and smartphones. We can typically recover deleted emails and email metadata, as well as contact lists, scheduling information, mailing and call logs, cached data, etc.
Challenges of Email Investigation
1. Variety of Email Systems: There are currently millions of email service providers, many of which are in common use by individuals around the world for personal and professional communication. This variety makes it challenging for most law enforcement agencies to carry out a systematic email examination. Some of the challenges are:
- Availability: If a case involves 10 different email service providers, it is neither possible nor necessary for investigators to have all 10 email platforms installed and configured in order to study the artifacts and carve out evidence.
- Varying Analysis: Email headers are the most crucial part of an email and are studied first in a forensic investigation. Every email platform, whether desktop or web based, has its own procedure for viewing email headers. Thus there is no common platform for studying emails from the various clients encountered.
- Time Investment: Together, these challenges demand a large investment of time. Investigators are bound by tight schedules that they are not permitted to exceed, which leaves them little time to download and investigate emails.
2. Reporting and Preservation: The concluding step of any investigation is reporting the investigated data and/or presenting the evidence found. The challenge here is the precision and time required to report and preserve evidence, which cannot be attained manually.
3. Case Management: Working on multiple cases at once is routine for most investigators. Doing so systematically is only possible if each case is well managed together with its related details, so that it can be located instantly; this is another common struggle for most investigators.
4. Digging into the Artifacts: Finding a particular suspect email among the artifacts is another challenge for investigators when the accounts under investigation hold emails in bulk.
5. Artifacts Corrupt/Deleted: In most email-related crimes, suspects deliberately delete or damage the evidence in the form of emails. This creates the need for an email examination technique that can deal with such circumstances.
6. Encryption: Encrypted files or hard drives can be impossible for investigators to view without the correct key or password.
7. Increasing Storage Space: Storage media hold ever greater amounts of data, which means the examiner's analysis computers need sufficient processing power and available storage to search and analyze enormous volumes of data efficiently.
8. New Technologies: Computing is an ever-changing field, with new hardware, software and operating systems constantly being produced. No single computer forensic examiner can be an expert in all areas, yet they may frequently be expected to analyze something they have not dealt with before.
9. Anti-forensics: Anti-forensics is the practice of attempting to thwart computer forensic analysis. It may include encryption, overwriting data to make it unrecoverable, modifying file metadata, and file obfuscation (disguising files). As with encryption above, evidence that such methods were used may be stored elsewhere on the computer or on another computer the suspect has had access to.