Recover Email Evidence

Forensic Recovery of Evidence via MailXaminer

Search Emails

Technology has altered the way we deal with the information. The expeditious growth in the use of digital devices leads to the gradual increase the communication through the electronic devices. Emails are the commonly using communication medium for personal as well as the business purpose. Due to this Cyber criminals consider it as best plat form for their criminal activities.

On daily basis, computer threats get downloaded through emails that is channelized either through internet or through corporate networks. Digital forensic recovery of evidence from email data via forensic recovery software for digital evidence analysis is one of the prominent modes civil or criminal legal proceedings. In email forensic investigation email messages, their headers, server logs, attachments can act as the email evidence in court.

Possibly, an email might contain the threat or it is used as a medium to spread the threat. Email forensics and investigation involve the idea of forensic email recovery using software, hardware, and intellect techniques to find evidences in cases like felonies or identity theft.

Characteristics of E-mail evidence

Forensic recovery of evidence and analysis data always help to extract very crucial information related to the case and criminal activities. Nowadays most of the peoples uses email just like telephonic conversations so that it may contains very personal to official data with in it. The mail characteristics of the email evidence will help you to understand more about the computer forensics evidence recovery process in email files.

Informally edited: In order to consider an email as an evidence, it is important to verify the location from where the email has been sent. It is important that examiner looks out for the crime that has happened and does it comes under criminal activity according to the state law. In such cases, legal advice is needed to start up and proceed the investigation so that time and resources do not get wasted on a non-issue.
Hard to delete: Even the emails are used for casual communication it will create permanent records of that communication is created. Just like the paper communication it is very defecate to remove the complete trace of email communication. The normal delete option will not delete the complete information instead the status of the data in the disk drive will change to “not use” It can easily recover by forensic experts forensic evidence recovery device.
Contents are easily forged: Email data can be easily edit or change through open in computer which can overwrite the existing file. Most of the email systems allow to edit or change the content before forwarding. Such alterations are difficult to understand. This characteristic of the email makes the Forensic recovery of evidence most valuable during investigation.

In order to consider an email as an evidence, it is important to verify the location from where the email has been sent. It is important that examiner looks out for the crime that has happened and does it comes under criminal activity according to the state law. In such cases, legal advice is needed to start up and proceed the investigation so that time and resources do not get wasted on a non-issue.

Forensic Recovery of Evidence Starts with Preservation & Collection

Once it is confirmed that a crime has happened through mail, the next step is the digital forensic evidence collection and have access to the messages in question. For investigation, the email database can either be collected from local machine or ISP server. Email messages, their headers, the server logs are some of the crucial elements that can act as evidence. In most of the cases, the server administrators are reluctant to cooperate and this is when forensic examination tools can help collect the email database.

In the Forensic investigation after the collection email data the most important process is the preservation of the email. Because it will contain very critical evidences related to the investigating case hence it is very important to prevent the data from overwritten, corrupted or destroyed.

File from Local Machine

The computer forensics recovery software extends support for some of the commonly used mail files stored on local machine. The long list of file types includes PST, MBOX, EDB, OLM, OST, TBB, EML etc.

Investigation from Server

The challenges to download database from external server can be overcome through the forensic recovery software. There is provision to download data from email accounts of famous web based mail clients that saves data on their own server. In addition to this, it is possible to have access to the live Exchange server environment for analysis of email database.

Saved in Disk Image

Retrieving email data from huge sized disk images is a difficult job. With MailXaminer, the disk images in E01, DMG, LEF, DD and ZIP file can be used to extract the mail files to start up the analysis process.

Carving Out Hidden Facts is a Part of eDiscovery

Another piece of evidence that can help out is the HTML source code of the email. This will have the programming language code that is being used by the suspect for Forensic recovery of evidence collecting information from the victim. HTML is one of the popular email format used today for malicious activities as it allows adding hyperlinks and images to the message.

HTML source code

The Obvious Analysis Techniques:

Email header is one of the information provider element of an email. This contains details about the MTAs the message has travelled, the sender, the receiver, the domain authentication elements and much more. Analyzing an email can also give a hint of email authenticity which can help in further proceedings.

Email header view

The Media Analysis:

Another source of information for forensic recovery of evidence is attachments. In most of the cases, applications restrict downloading emails with specific file types like .exe. As an alternate, the threats are embedded within the commonly used attachment types like PDF, Word, audio files etc. This form manipulating emails for fallacious activities is known as pharming. During digital forensic evidence collection the forensic email examiner should hold the ability to separately examine the email attachments (received in any form). Through the image shared below, it can be noticed that the software gives the detail about the file type along with their number count.

Media Analysis

Filtering the Appropriate Documents:

During the forensic evidence recovery process, if the Databases are huge in size and need to extract the mails that could prove to be an evidence then search option in the tool can be used for the filtering process. There are four different ways in which emails can be filtered from the selected file or mail account they are:

General: This option gives the facility to search for emails with specified keyword by using AND/OR/NOT operator. Forensic recovery software also support various search algorithms to filter the evidence more properly they are:
- General search
- Wildcard search
- Regular expression search
- Stem search
- Fuzzy search
Predefined: There are some elements that are accepted as standards and thus cannot be changed. For example: the postal code for a state, the date and time format, the way a product key is written etc. This search option will help to filter emails depending upon these standard factors.
Advanced: This will help to search out for the keyword within specific part of the email. For example: Subject, Header, Body etc.
Proximity: As the name suggests, this will help to find mails with at least two words at a certain distance.

For forensic recovery of evidence, the computer forensic recovery software proffers the latest and the most helpful techniques. Once the appropriate artifacts are collected, they give an easy route to move over the investigation process.