Email Forensics Services

Email Forensics Services

Email has become a ubiquitous form of communication in both our personal and professional lives. However, it can also be a source of legal disputes, fraud, and cybercrime. Email forensics is a critical part of digital forensics that focuses on the recovery and analysis of email data to uncover the truth behind the evidence in email incidents. Let’s explore what email forensics involves, the services professionals offer, and the importance of this field in today’s digital world.

What is Email Forensics?

Email forensics is the science of studying email messages to extract forensic evidence and draw conclusions about their authenticity, origin, and content. It is a subset of digital forensics, which deals with the recovery and investigation of material found in digital devices, often concerning computer crime.

The Role of Email in Digital Investigations

Emails can be evidence in many legal contexts, including business litigation, intellectual property theft, employment disputes, and divorce cases. They can reveal a communications timeline, show intent, or prove the transfer of confidential information. Email forensics services are important in extracting, preserving, and analyzing this form of evidence.

Challenges in Email Forensics Services

Email forensics involves navigating complex technical challenges. The Stored Communication Act (SCA) governs how attorneys like you may obtain email evidence from ISPs. In recent years, federal and state case law has significantly limited civil litigators’ and criminal defense attorneys’ ability to obtain digital evidence by subpoena using the SCA. But Carney Forensics has been drafting effective subpoena language and using corporate registered agents to assist trial lawyers in getting them filed for ISPs like Google, Apple, Microsoft, Comcast, Verizon, T-Mobile, AT&T, etc. When the subpoenas are successfully returned in a few weeks, our experts use digital forensic tools to analyze them and generate reports, timelines, and maps for legal team review.

Deleted or changed emails, encryption, and the use of web-based email platforms can all complicate the recovery and analysis process. Email headers with information about the sender, recipient, and trace routes can be spoofed or manipulated. This is why specialized knowledge and tools are necessary to conduct a thorough email forensic investigation.

Email Forensics Services

Professionals in email forensics provide a broad range of services designed to address the technical aspects of email evidence investigations. These services include:

Email Recovery

One of the most common requests in email forensics is recovering accidentally or intentionally deleted emails. Using specialized software and techniques, forensic experts can often retrieve these emails from a user’s computer, a server, or backup storage. This process can also involve recovering email attachments, which may contain important evidence.

Analysis of Email from Cloud, Mobile Devices, and Computers

Email Forensics on computer and smartphone

The content of emails may be scrutinized for evidence of wrongdoing, such as harassment, intellectual property theft, or fraud. This analysis can also extend to the examination of patterns and frequency of communications between individuals, which can be telling in various investigative scenarios.

Carney Forensics uses email forensics services to collect discoverable evidence directly from online cloud accounts operated by ISPs like Google, Microsoft, Yahoo, Comcast, AT&T, Verizon, Charter, CenturyLink, Frontier, Mediacom, Midco, etc.

Our email forensic experts also extract mobile devices and computers for email evidence. We process these devices for you using email forensics services and harvest email addresses, message content, attachments, and headers. Headers contain Internet Protocol (IP) addresses, which we use to trace the route the message took through the Internet.

We also search emails with keywords to discover responsive evidence, often containing personally identifiable information (PII).  Working together with you, our email forensic expert witnesses produce relevant and compelling webmail evidence for court using email forensics services.

Email Authentication and Spoofing Detection

To determine an email’s authenticity or legitimacy, forensic experts analyze its headers and metadata. This information can trace the email’s path across the Internet and help determine whether it was sent by the purported sender or changed or falsified from the beginning.

Email Forensics spoofing and phishing

Email spoofing is tragically used by perpetrators to harass email victims who receive it. Spoofed emails sent to third parties are also used by perpetrators to defame or destroy victims’ reputations. Carney Forensics uses advanced tools for email collection and intelligence analysis to identify spoofed emails and their perpetrators. We search out and test email addresses, domains, IP addresses, and other more sophisticated email tool marks. We also use automated DKIM and Arc View testing for Gmail in volume to unmask these perpetrators who cause so much havoc in today’s digital world.

The Process of Email Forensic Investigation

A structured approach is essential for a thorough and legally sound email forensic investigation. The process typically involves several key steps:

Collection and Preservation

The first step is to securely collect and preserve the email evidence to ensure it remains intact and unaltered. This involves creating forensic images of email storage locations, including servers and individual devices.

Examination and Analysis

Forensic experts then examine the collected evidence using specialized tools to recover deleted items, analyze email headers, and scrutinize content. They look for anomalies, patterns, and any signs of manipulation.

Reporting and Testimony

Once the analysis is complete, forensic experts compile their findings into detailed reports that can be used as evidence in legal proceedings. They may also have to provide expert testimony to explain the technical parts of their analysis to a court or other adjudicative body.

Using Email Forensics Services to Collect Microsoft Office 365 and Google Workspace

Many of your corporate clients, large and small, continue to leverage corporate email servers like Microsoft Exchange. Increasingly, these server environments are migrating to the cloud with productivity and security benefits for users. Our email forensic experts use powerful cloud forensic tools to collect email, attachments, calendars, contacts, tasks, and other electronically stored information from Microsoft Office 365 and Google Workspace, formerly G Suite or Google Apps.

The Importance of Email Forensics Services

More and more people, plaintiffs and defendants alike, leave their electronic fingerprints online. Web-based email stored by Internet Service Providers (ISPs) can be a fruitful source of smoking-gun evidence. Popular email services like Gmail, Yahoo! Mail,, GoDaddy, and even the classic AOL Mail yield impeachment opportunities at trial. They give you a clear advantage in court or arbitration.

As email usage continues to rise, so does the potential for email crimes and disputes. Email forensics services are integral in:

Combating Cybercrime

Cybercriminals often use email to launch phishing attacks, spread malware, or conduct business email compromise (BEC) scams. Email forensics services can help identify the perpetrators and methods used in these crimes.

Emails are often a key form of evidence in legal disputes. Forensic analysis can confirm their authenticity, reveal hidden details, and provide a clear picture of these events.

Protecting Intellectual Property

Companies rely on email forensics to investigate cases of intellectual property theft or leakage of sensitive information. Analysis can trace the origin and distribution of proprietary content.

Providing Closure

Email forensics services can uncover the truth behind contentious issues in personal disputes or criminal cases, providing closure to affected parties.

The Future of Email Forensics

Email Forensics Future

As technology evolves, so do the techniques and tools used in email forensics. The increasing use of encryption, cloud-based email services, and sophisticated methods of email manipulation mean that forensic experts must continually update their skills and email forensic tools.

Artificial intelligence and machine learning are becoming more common in email forensics, aiding in the more efficient and effective processing and analysis of large volumes of email evidence.


Email forensics is a critical field within digital forensics, providing essential services in recovering, analyzing, and reporting email evidence for legal and investigative purposes. As our digital world becomes more complex, the role of email forensics will only grow in importance. Whether it’s for combating cybercrime, resolving legal disputes, or protecting sensitive information, email forensics services offer the knowledge needed to uncover the truth hidden within our inboxes.

By understanding the intricacies of email forensics, individuals and organizations can better prepare themselves to handle the challenges of evidence in email incidents and safeguard their digital communications against misuse and fraud.

Email Forensics Services FAQs

What evidence can be recovered by email forensics services?

Deleted email messages and accurate information about the origins of email messages such as IP addresses or domain names associated with the message. The evidence includes information from other email servers that may have handled the message. Also recovered is the date and timestamp metadata, usually invisible to the end user, which may indicate manipulation or tampering or, conversely, may corroborate date and time information.

Can you tell if someone emailed proprietary documents to a competitor before they left the company? Or, if a document was emailed to a competitor and later deleted, can you prove it?

Yes, depending on how it was done, what email system was used, and whether the email was sent and deleted. If corporate email systems are set up correctly, many will back up messages each day and can be set not to allow a message to be deleted until it has been backed up. Any deleted message should be available for review within the time frame of the available backups.
If the email message cannot be recovered, the forensic expert can often find it in the logs. Alternatively, a web page showing dates, subjects, and to/from information for webmail might be recovered.
The competitor may assist with checking their email systems for a copy of the message or may be served with a preservation letter followed by a request for production.

Can you detect the forgery of the date and timestamp of an email message?

Usually yes. Email messages contain header data that includes date and timestamp information not controlled by the email end user. If full header data is recovered, an email expert can cross-reference the available date and timestamps to ensure accuracy.
Email is typically stored, sent, and received in chronological order. Email forensic experts may check adjacent messages in the email file to discover if any messages appear out of place or in an odd order. For example, you wouldn’t expect to see a message purported to be from a year ago to show up in your inbox today.
Large email ISPs like Google (Gmail) or Microsoft (Office 365) have robust logging and support to assist in forgery investigations. However, obtaining email evidence and logs may require a preservation letter and subpoena. Time is of the essence when dealing with opposing parties and ISPs.

We’re considering requesting a forensic email examination. Are there any precautions we should take before making this decision?

If you are looking at a company-wide investigation, you will want to preserve your email system. Include all email-related logs, both email server logs and firewall or proxy logs, that may show email activity. Also, full backups of your email system, either on-premise email servers such as Outlook Exchange or “cloud” based Microsoft Office 365 servers. Preserve logs as an ongoing process so as not to lose valuable information. For example, if you discovered you want to investigate an incident from a year ago, having those logs or backups of the email server from that time would be handy.

To examine a single user’s email or a small group, you could plan to backup email and logs for those you suspect may be involved. Remember the risk that if the investigation needs to expand later, based on discovered evidence in the initial exam, you may be limited somewhat by what you have preserved. More is usually better for investigations to preserve evidence when in doubt or unsure of the scope.

If the investigation involves a single person, it would be best to capture a full forensic image of the computer and any mobile or removable storage devices. The logs mentioned above would also be helpful.

Most current email servers have a “Legal Hold” function for email. Turning it on for a user, group, or everyone will prevent any email from being deleted or manipulated while the legal hold is in place. It is a quick way to “lock down” the state of the email system and prevent the negligent or intentional destruction of email evidence.

Our on-site Microsoft Exchange server crashed. Can you recover the original email during the investigation without rebuilding the entire server or restoring it from backups?

Email forensic experts can recover the Exchange database needed to preserve emails and extract any end user’s email for examination. Experts can also create a local version usable with Outlook for reloading the new Exchange server.

Can you search the entire company’s Microsoft Office 365 cloud-based server for specific emails?

Yes, there are several ways to search the cloud-based server for specific emails, and the Administrator Portal and Windows PowerShell are two common methods.

Can you check Microsoft Office 365 for logins from specific IP addresses or other unusual activity?

Email forensic experts can use Windows PowerShell to access a specific end user’s account or the entire company or enterprise.

A phishing email may have compromised Microsoft Office 365 accounts. Can you determine if we have an issue and how bad it is?

If you know of a specific phishing email that may have compromised your account, you can search the system to see if others were sent the same email. If copies are found, you can check with those accounts for unusual activity shortly after receiving the phishing email.

Suppose you don’t know of a specific email but have evidence of unusual activity or a report of an issue with users. There, you can check for unusual activity across the enterprise. Common things to look for are IP addresses outside of “normal” for your environment, such as IP addresses outside your geographic location, especially if you rarely have traveling employees or employees outside your country or region. Other unusual behaviors may include off-hours activity, attempts to log in rapidly, or logins from two disparate locations (e.g., opposite coasts minutes apart for the same user).

Setting up audits or alerts can help catch concerns as they happen. Microsoft Office 365 has options that can notify you of security issues. It also has extensive resources to assist you in configuring your system to provide needed monitors and alerts.

How can Microsoft Office 365 logs be used in an email investigation?

The logs from Microsoft Office 365 contain a wealth of information, and each log entry includes specific details on the item logged.

Email activity includes To/From, Subject, and Attachment information. File activity contains file details like name, size, and location. Login activity contains IP addresses and user names. All types of activity include date and timestamps.

How long are Microsoft Office 365 logs retained?

The default setting for Microsoft Office log retention is 90 days.

How can the loss of proprietary or sensitive data, such as personally identifiable information (PII), protected health information (PHI), payment card industry (PCI) data, or private company data be prevented?

Microsoft Office 365 includes several Data Loss Prevention (DLP) templates in the Administration Center that can be configured to help manage and prevent the unwanted leakage of sensitive data. By default, these templates cover common data such as credit card numbers and PII, but they can be tailored to include proprietary data.