What are email forensics services? More and more people, plaintiffs and defendants alike, leave their electronic fingerprints on the Internet. Web-based email stored by Internet Service Providers (ISPs) can be a fruitful source of smoking gun evidence. Popular email services like Gmail, Yahoo! Mail, Outlook.com, GoDaddy, even the classic AOL Mail, yield impeachment opportunities at trial. They give you a clear advantage in court or arbitration.
Stored Communications Act
The Stored Communications Act (SCA) governs how attorneys like you may obtain email evidence from ISPs. Federal and state case law in recent years has significantly limited the use of the SCA by civil litigants and criminal defense attorneys.
Collect Email from Cloud, Mobile Devices, and Computers
Instead of serving subpoenas we use email forensics services to collect discoverable evidence directly from the cloud operated by ISPs like Google, Microsoft, Yahoo, Comcast, AT&T, Verizon, Charter, CenturyLink, Frontier, Mediacom, Midco, etc. We also extract data from mobile devices and computers used to access email in the cloud. We process them for you using email forensics services and harvest email addresses, messages, attachments, and headers. Headers contain Internet Protocol (IP) addresses. We use them to trace the route the message took through the Internet. We also search emails with keywords to discover responsive evidence often containing personally identifiable information (PII). Working together with you we produce relevant and compelling web mail evidence for court using email forensics services.
Collect Microsoft Office 365 and Google Workspace
Many of your corporate clients, large and small, continue to leverage corporate email servers like Microsoft Exchange. Increasingly these server environments are migrating to the cloud with productivity and security benefits for users. We use powerful cloud forensic tools to collect email, attachments, calendars, contacts, tasks, and other electronically stored information from both Microsoft Office 365 and Google Workspace, formerly G Suite or Google Apps.
Email Forensics FAQs
– Deleted email messages.
– Accurate information about the origins of email messages such as IP addresses or domain names associated with the message including information from other email servers that may have handled the message.
– Date and timestamp information usually invisible to the end user which may indicate manipulation or tampering, or conversely, may corroborate date and time information.
Yes, depending on how it was done, what email system was used, and whether the email was sent and deleted. If corporate email systems are set up correctly, many will back up messages each day and can be set not to allow a message to be deleted until it has been backed up. Any deleted message should be available for review within the time frame of the available backups.
If the actual message cannot be recovered, the examiner can often find it in logs. Or a web page might be recovered showing dates, subjects, and to/from information for webmail.
The competitor may assist with checking their email systems for a copy of the message, or may be served with a preservation letter followed by a request for production.
Usually yes. Email messages contain header data that includes date and timestamp information not controlled by the email end user. If full header data is recovered, an examiner can cross-reference the available date and timestamps to ensure they are accurate.
Email is typically stored, sent, and received in chronological order. Examiners may check adjacent messages in the email file to discover whether any messages appear out of place or in an odd order. For example, you wouldn’t expect a message purporting to be from a year ago to show up in your inbox today.
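The header cross-check described above (and the origin information mentioned earlier: relay names and IP addresses recorded by each server that handled the message) can be automated. The following is an added example, not code from the original page or from the service it describes. It parses the Received chain of a constructed sample message with Python's standard library, lists the hops in the order the message actually travelled, and flags two tampering indicators: a relay timestamp that precedes the hop before it, and a Date header that disagrees with the first relay's timestamp by more than a tolerance. The sample message, the relay names, the IP addresses (documentation ranges) and the tolerances are all constructed assumptions.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not real traffic). Received headers are listed
# newest-first in a message: each mail server prepends its own line as the
# message passes through, so the bottom line is the first hop.
RAW_MESSAGE = """\
Received: from mx2.example-receiver.test (mx2.example-receiver.test [203.0.113.20])
\tby mail.example-receiver.test with ESMTP id abc123;
\tTue, 5 Mar 2024 09:15:07 -0600
Received: from smtp.example-sender.test (smtp.example-sender.test [198.51.100.10])
\tby mx2.example-receiver.test with ESMTPS id def456;
\tTue, 5 Mar 2024 09:15:05 -0600
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby smtp.example-sender.test with ESMTPSA id ghi789;
\tTue, 5 Mar 2024 09:15:02 -0600
Date: Tue, 5 Mar 2024 09:15:01 -0600
From: alice@example-sender.test
To: bob@example-receiver.test
Subject: Constructed sample

Body text.
"""

# Two constructed variants: one with the Date header backdated by a year, and
# one where a relay's timestamp was edited to precede the hop before it.
BACKDATED_MESSAGE = RAW_MESSAGE.replace("Date: Tue, 5 Mar 2024", "Date: Mon, 6 Mar 2023")
OUT_OF_ORDER_MESSAGE = RAW_MESSAGE.replace("09:15:05 -0600", "09:14:55 -0600")

_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # first bracketed IPv4 literal
_BY_RE = re.compile(r"\bby\s+(\S+)")                     # the relay that added the line


def parse_received(raw_message):
    """Return the Received hops oldest-first: relay name, source IP and timestamp."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received") or []):   # reverse = actual path
        flat = " ".join(value.split())                       # unfold continuation lines
        clause, _, stamp = flat.rpartition(";")              # timestamp follows the last ';'
        ip_match = _IP_RE.search(clause)
        by_match = _BY_RE.search(clause)
        hops.append({
            "by": by_match.group(1) if by_match else "?",
            "from_ip": ip_match.group(1) if ip_match else None,
            "timestamp": parsedate_to_datetime(stamp.strip()),
        })
    return hops


def check_header_timeline(raw_message, max_skew=timedelta(minutes=5),
                          max_backdate=timedelta(days=1)):
    """Cross-reference the Date header with the Received chain.

    Returns a list of findings; an empty list means the timestamps are consistent.
    The tolerances are assumed values: a few minutes of clock skew between a
    sender and the first relay is normal, a Date a day or more before the first
    relay saw the message is not.
    """
    findings = []
    hops = parse_received(raw_message)
    for prev, cur in zip(hops, hops[1:]):
        if cur["timestamp"] < prev["timestamp"]:
            findings.append(f"hop by {cur['by']} is stamped before the preceding hop by {prev['by']}")
    date_header = message_from_string(raw_message).get("Date")
    if date_header and hops:
        claimed = parsedate_to_datetime(date_header)
        first_seen = hops[0]["timestamp"]
        if claimed - first_seen > max_skew:
            findings.append("Date header is later than the first relay's timestamp")
        if first_seen - claimed > max_backdate:
            findings.append("Date header is far earlier than the first relay's timestamp")
    return findings


if __name__ == "__main__":
    for name, sample in [("clean", RAW_MESSAGE), ("backdated", BACKDATED_MESSAGE),
                         ("out-of-order", OUT_OF_ORDER_MESSAGE)]:
        print(name, "->", check_header_timeline(sample) or "consistent")
```

Only the Received line added by a server you trust (typically your own or your provider's) is reliable; the sender controls everything below it, including the Date header and any Received lines it chose to fabricate, which is why the check works upward from the trusted hops rather than taking the Date header at face value.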
Large email ISPs like Google (Gmail) or Microsoft (Office 365) have robust logging and support to assist in forgery investigations. It may take a preservation letter and subpoena to obtain email and logs. Time is of the essence when dealing with opposing parties and ISPs.
If you are looking at a company-wide investigation, you will want to preserve your email system. Include all email-related logs, both email server logs and firewall or proxy logs that may show email activity. Also preserve full backups of your email system, whether on-premises email servers such as Outlook Exchange or “cloud” based Microsoft/Office 365 servers. Preserve logs as an ongoing process so as not to lose valuable information. For example, if you discovered you want to investigate an incident from a year ago, it would be handy to have those logs available or backups of the email server from that time.
To examine a single user’s email or a small group, you could plan to back up email and logs for those you suspect may be involved. Remember the risk that if the investigation needs to expand later, based on evidence discovered in the initial exam, you may be limited somewhat by what you have preserved. When in doubt or unsure of the scope, preserving more is usually better for investigations.
If the investigation involves a single person, a full forensic image capture of the involved computer and any mobile devices or removable storage devices would be best. The logs mentioned above would be helpful.
Most current email servers have a “Legal Hold” function for email. Turning it on for a user, group, or everyone will prevent any email from being deleted or otherwise manipulated while the legal hold is in place. It is a quick way to “lock down” the state of the email system and prevent the negligent or intentional destruction of email evidence.
Forensic examiners can recover the Exchange database needed to preserve the email, and they can then extract any end user’s email for examination. They can also create a local version usable with Outlook or for reloading to the new Exchange server.
Yes, there are several ways to search the cloud-based server for specific emails; the Administrator Portal and Windows PowerShell are two common ones.
Forensic examiners can use Windows PowerShell for a specific end user’s account or across the entire company or enterprise.
If you know of a specific phishing email that may have compromised your account, you can search the system to see if others were sent the same email. If copies are found, you can check with those accounts for unusual activity shortly after receiving the phishing email.
If you don’t know of a specific email but have evidence of unusual activity or a report of an issue from users, you can check for unusual activity across the enterprise. Common things to look for are IP addresses outside of “normal” for your environment, such as IP addresses outside your geographic location, especially if you rarely have traveling employees or employees outside your country or region. Other unusual activities may include off-hours activity, attempts to log in in rapid succession, or logins from two disparate locations (e.g., opposite coasts minutes apart for the same user).
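The four indicators listed above (sign-ins geolocated outside the expected region, off-hours activity, rapid-fire failed attempts, and the same user appearing in two distant locations minutes apart) can be checked mechanically over an exported login log. The following is an added example, not code from the original page or from the service it describes. It runs the four rules over constructed sign-in records built from the fields the page lists for login activity (user name, IP address, date and time, plus a result and a location that a geolocation step would add); the user names, addresses, locations and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple


class SignIn(NamedTuple):
    user: str
    when: datetime      # assumed already converted to the user's local time zone
    ip: str
    location: str       # "country/region", as a geolocation step might label the IP
    result: str         # "Success" or "Failure"


def _rec(user, stamp, ip, location, result):
    return SignIn(user, datetime.fromisoformat(stamp), ip, location, result)


# Constructed sign-in records (documentation IP ranges; no real users or traffic).
SIGN_INS = [
    _rec("jdoe",   "2024-03-05T08:02:00", "198.51.100.4", "US/MN", "Success"),
    _rec("jdoe",   "2024-03-05T08:20:00", "198.51.100.4", "US/MN", "Success"),
    _rec("jdoe",   "2024-03-05T08:31:00", "203.0.113.77", "US/CA", "Success"),  # opposite coast, 11 min later
    _rec("asmith", "2024-03-05T02:14:00", "198.51.100.9", "US/MN", "Success"),  # 2 a.m. sign-in
    _rec("rlee",   "2024-03-05T10:00:00", "192.0.2.200",  "RO/B",  "Success"),  # outside expected country
    _rec("tkim",   "2024-03-05T11:00:00", "192.0.2.50",   "US/MN", "Failure"),
    _rec("tkim",   "2024-03-05T11:00:10", "192.0.2.50",   "US/MN", "Failure"),
    _rec("tkim",   "2024-03-05T11:00:20", "192.0.2.50",   "US/MN", "Failure"),
    _rec("tkim",   "2024-03-05T11:00:30", "192.0.2.50",   "US/MN", "Failure"),
    _rec("tkim",   "2024-03-05T11:00:40", "192.0.2.50",   "US/MN", "Failure"),  # 5 failures in 40 s
    _rec("mchen",  "2024-03-05T09:30:00", "198.51.100.7", "US/MN", "Success"),  # ordinary activity
]


def find_anomalies(records, expected_countries=("US",), business_hours=(7, 19),
                   travel_window=timedelta(hours=1), burst_window=timedelta(minutes=2),
                   burst_threshold=5):
    """Return (rule, user, detail) tuples for each sign-in pattern worth a closer look.

    The thresholds are assumed values for a small, single-region organisation;
    tune them to what is "normal" for the environment being examined.
    """
    findings = []
    by_user = defaultdict(list)
    for r in sorted(records, key=lambda r: r.when):
        by_user[r.user].append(r)
        if r.result != "Success":
            continue
        country = r.location.split("/")[0]
        if country not in expected_countries:
            findings.append(("outside_region", r.user, f"{r.ip} geolocated to {r.location}"))
        if not business_hours[0] <= r.when.hour < business_hours[1]:
            findings.append(("off_hours", r.user, f"sign-in at {r.when.isoformat()}"))

    for user, recs in by_user.items():
        # Impossible travel: consecutive successes from different locations too close in time.
        successes = [r for r in recs if r.result == "Success"]
        for prev, cur in zip(successes, successes[1:]):
            gap = cur.when - prev.when
            if prev.location != cur.location and gap < travel_window:
                findings.append(("impossible_travel", user, f"{prev.location} -> {cur.location} in {gap}"))
        # Rapid failures: any burst_threshold consecutive failures inside burst_window.
        failures = [r.when for r in recs if r.result == "Failure"]
        for i in range(len(failures) - burst_threshold + 1):
            if failures[i + burst_threshold - 1] - failures[i] <= burst_window:
                findings.append(("rapid_failures", user, f"{burst_threshold} failures within {burst_window}"))
                break
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(SIGN_INS):
        print(f"{rule:18} {user:8} {detail}")
```

Two caveats a practitioner should apply before acting on the output: exported logs are often stamped in UTC, so the off-hours rule only means something after converting to each user's local zone (the example assumes that has already been done), and a flagged sign-in is a lead to check against the account's subsequent activity, not a conclusion on its own.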
Setting up audits or alerts can help catch concerns as they happen. Microsoft Office 365 has options that can notify you of security issues. It also has extensive resources to assist you in configuring your system to provide needed monitors and alerts.
The logs from Microsoft Office 365 contain a wealth of information, and each log entry includes specific details on the item logged.
– Email activity includes details such as To/From, Subject, and Attachment information.
– File activity contains file details like name, size, and location.
– Login activity contains IP addresses and user names.
– All types of activity include date and timestamps.
The default log retention setting is 90 days.
Microsoft Office 365 includes several Data Loss Prevention (DLP) templates in the Administration Center that can be configured to help manage and prevent unwanted leakage of sensitive data. By default, these templates cover common data such as credit card numbers and PHI, but the templates can be tailored to include proprietary data.