Chapter 34. E-mail Evidence

Information in this chapter:

• E-mail as evidence
• E-mail storage and access: Where is it?
• Web mail
E-mail is probably one of the most prolific forms of evidence available today. It seems that everyone has an e-mail account, from children to octogenarians. With the availability of free e-mail accounts that can be set up in a matter of minutes, the number of e-mail accounts exploded in the late 1990s.
This chapter examines e-mail as evidence and how and where it is stored. Also in this chapter are some case studies of e-mail used as evidence in actual criminal and civil cases.
Keywords
E-mail, web-based e-mail, e-mail storage, free e-mail accounts, recovering e-mail.

Introduction

E-mail is probably one of the most prolific forms of evidence available today. It seems that everyone has an e-mail account, from children to octogenarians. With the availability of free e-mail accounts that can be set up in a matter of minutes, the number of e-mail accounts exploded in the late 1990s. Today the big three e-mail hosting providers are
1. Yahoo Mail
2. Microsoft Hotmail / Live Mail
3. Google Mail
In September of 2010, Microsoft stated in a Windows Live Hotmail fact sheet, “Windows Live Hotmail is one of the world’s largest e-mail providers with more than 355 million active accounts, providing features for an efficient and clutter-free inbox whether via the Web, a mobile phone or a PC.”1
Because so many people now send and receive e-mail on several devices at once, e-mail evidence is both more important and more likely to survive somewhere than ever before.

34.1. E-mail as evidence

With e-mail evidence there are normally four things that someone wants to know:
1. The content of the e-mail
2. Who sent it
3. When was it sent
4. Where was it sent from
While getting the content depends on getting the actual e-mail, establishing the origin of an e-mail can be quite a bit more complex. The evidence of origin is embedded in the e-mail itself in the form of the e-mail header, chiefly the chain of Received: lines that each mail server adds as the message passes through it. However, note that portions of an e-mail header are easily faked: the From address and any Received: lines below the one added by the recipient’s own server are simply text written by whoever controlled the earlier servers, and can be inserted or altered at will. Spammers routinely fake the From address as well as the Internet address of the sending server to fool antispam software, so only the header lines added by servers the examiner can vouch for should be treated as observed fact; everything below them is a claim to be corroborated.
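The following Python script is an added example, not code from the book, that shows how an examiner walks a Received: chain and separates what the recipient’s own server observed from what the earlier hops merely claim. The message and the host names and addresses in it (mx.recipient.example, mail-relay.example.net, the 203.0.113.x/198.51.100.x/192.0.2.x addresses) are constructed for the example; the set of “trusted” relays is an assumption the examiner supplies from knowledge of the receiving organisation’s mail infrastructure.

```python
import re
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the book). The top Received: line was
# added by the recipient's own server. The bottom line, supposedly written by
# the sender's first hop, has a timestamp later than the hop above it, which
# is the kind of inconsistency a forged header often shows.
RAW_MESSAGE = b"""Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.7])
\tby mx.recipient.example (Postfix) with ESMTPS id 4ABC123
\tfor <alice@recipient.example>; Tue, 15 Feb 2011 10:22:31 -0500
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mail-relay.example.net (Postfix) with ESMTPA id 9DEF456;
\tTue, 15 Feb 2011 10:22:29 -0500
Received: from trusted.bank.example (trusted.bank.example [192.0.2.1])
\tby [198.51.100.23] with SMTP; Tue, 15 Feb 2011 10:25:00 -0500
From: "Someone" <someone@yahoo.example>
To: alice@recipient.example
Subject: I know about your husband
Date: Tue, 15 Feb 2011 10:21:58 -0500
Message-ID: <abc123@yahoo.example>

Message body here.
"""

# Servers whose Received: lines we can vouch for (assumed: the recipient's own MX).
TRUSTED_RELAYS = {"mx.recipient.example"}

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")


def parse_received(raw_message: bytes) -> list[dict]:
    """Return the Received: hops in header order: index 0 is the line added
    last, by the final delivering server; the last entry is the oldest claim."""
    msg = message_from_bytes(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m_from, m_by, m_ip = FROM_RE.match(text), BY_RE.search(text), IPV4.search(text)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "ip": m_ip.group(1) if m_ip else None,        # first bracketed IP: the peer seen by 'by'
            "by": m_by.group(1) if m_by else None,
            "date": text.rsplit(";", 1)[1].strip() if ";" in text else None,
        })
    return hops


def trace_origin(raw_message: bytes, trusted_relays: set[str]) -> dict:
    """Walk the chain from the top. A Received: line is written by the server
    in its 'by' clause, so it is only as reliable as that server. The 'from'
    IP of the lowest line written by a trusted server is the last hop we can
    actually vouch for; every line below it was inserted by someone else."""
    verified, claimed, still_trusted = [], [], True
    for hop in parse_received(raw_message):
        if still_trusted and hop["by"] in trusted_relays:
            verified.append(hop)
        else:
            still_trusted = False
            claimed.append(hop)
    msg = message_from_bytes(raw_message)
    return {
        "last_verified_ip": verified[-1]["ip"] if verified else None,
        "claimed_hops": claimed,
        "header_from": msg.get("From"),          # trivially forgeable
        # Some webmail providers add the browser's address in a header such as
        # X-Originating-IP; it is provider-supplied, not independently verified.
        "x_originating_ip": msg.get("X-Originating-IP"),
    }


def timestamp_anomalies(hops: list[dict]) -> list[str]:
    """Flag hops whose handoff time is later than that of the server that
    supposedly received from them. Clock skew causes small overlaps, so
    treat hits as leads for corroboration, not proof of forgery."""
    bad = []
    for upper, lower in zip(hops, hops[1:]):
        if parsedate_to_datetime(lower["date"]) > parsedate_to_datetime(upper["date"]):
            bad.append(lower["ip"])
    return bad


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for h in hops:
        print(f"{h['by']:<28} saw {h['ip']:<16} at {h['date']}")
    print(trace_origin(RAW_MESSAGE, TRUSTED_RELAYS))
    print("suspicious hops:", timestamp_anomalies(hops))
```

On this sample the only address the examiner can stand behind is 203.0.113.7, the relay that actually connected to mx.recipient.example; the two addresses below it, including the respectable-looking trusted.bank.example, are unverified claims, and the bottom one is also out of sequence in time. In the mystery-sender case above, the geographic placement came from exactly this kind of verified address, with the provider’s own records requested to confirm it.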
Case study 34.1. A case of a mystery sender
In a case where a woman was receiving e-mails from an unknown person using a Yahoo mail account, the person seemed to know a lot about her and her relationship with her husband. The content of the e-mails included a lot of personal information that a stranger would not know. She questioned her husband about the e-mails and he denied knowing who it was. She wanted to see if it could be determined who the sender really was.
After examination of the e-mail headers, the location of the origination of the e-mails was determined, geographically placing the sender in a particular city. When the city name was disclosed to the woman, she recognized it as a place where her husband routinely traveled on business. When she confronted him with the originating city, he confessed to having an affair with another woman on his travels.

34.2. E-mail storage and access: Where is it?

Depending on the type of e-mail account and how “connected” the user is, e-mail for a single account can be stored in several places. Just because an e-mail is deleted in one place does not mean it cannot be retrieved from somewhere else. Many people today access their e-mail on multiple devices, creating duplicate copies on mail servers, phones, and computers.

34.2.1. Server-based storage

This section covers the various places that e-mail may be stored. Since e-mail is so ubiquitous, the places where e-mail can be found and collected as evidence abound, providing multiple opportunities in many cases to recover e-mail that was thought lost.
• Mail Servers
– Corporate e-mail accounts are typically hosted on a mail server that is either owned or leased by the company. These mail servers can be Microsoft Exchange, IBM Lotus Domino (the server behind Lotus Notes), Novell GroupWise, or some other type of mail server. Corporate mail servers are typically backed up on a regular basis, and those backups may be stored on site on tape or disk. Additional backups may be available at remote locations via off-site storage services. In the case of older backups where the physical server is no longer available, it is still possible to retrieve the e-mail from the backups by duplicating the missing server on a new computer or entirely in software in a virtual environment. A virtual environment is a method for creating the equivalent of a physical computer entirely in software, using a “host” computer to contain the virtual computer; a single host can take the place of several physical computers at once. Depending on the type of backups that were made, the type of e-mail server, the size of the e-mail store, and the backup media, restoring e-mail ranges in cost from a couple of thousand dollars to hundreds of thousands of dollars.
– Free e-mail accounts are hosted by companies that are in the business of marketing via the Internet, with Microsoft, Yahoo, and Google dominating the free e-mail marketplace, although there are many other free e-mail providers. Depending on the provider, e-mails may be stored for only a short time if an account goes inactive; in some cases e-mail is purged from a free account if it is not accessed for a 30-day period. However, the record of the account’s creation can be stored for a very long time.
– Internet Service Providers (ISPs) also provide e-mail accounts as part of the service when you sign up for an account. These range from local ISPs providing dial-up service in rural areas to high-speed Internet providers via DSL, cable, or satellite.
Case study 34.2. Creating an e-mail account to cover up a crime
In a case from several years ago, a client was facing the death penalty for murdering his girlfriend. While he admitted that he had killed her, he maintained that it was in a fit of rage and not a premeditated plan. Part of the penalty phase hearing concerned e-mails found on their home computer that appeared to have been sent to him from his deceased girlfriend; the question was when he had created the e-mail account used to send them. By then the retention window at the free e-mail service had lapsed for inactive accounts and the e-mails themselves were no longer available from the provider. However, the provider did keep account creation records for several years. Using the account creation record, it was shown that the account was created after the murder occurred, which helped to show that the murder was not premeditated. Information on how to subpoena e-mail information is covered in Chapter 22.

34.2.2. User-based E-mail Storage

Computers are still the primary way that people send and receive e-mail. However, that dominance is quickly being challenged by e-mail on mobile devices such as cell phones and pad computers (tablets).
This means that when you approach e-mail as evidence today, you must consider that the user may have e-mail stored in multiple locations on multiple devices. For instance, a person may have e-mail stored on his or her work computer, home computer, cell phone, and a pad computer such as an iPad or one of its many competitors entering the market.
• Computers
– E-mail on computers can be stored in different formats depending on the e-mail program the person uses to access the account. Here is a short list of some of the common formats:
• Microsoft Outlook stores e-mail in a personal folder file, or Personal Storage Table (.PST file). An Outlook installation that is set up for cached or disconnected use with a corporate Exchange server may also have e-mail stored in an offline folder file, or Offline Storage Table (.OST file).
• Microsoft Outlook 2011 for Mac stores e-mail as individual message files in folders for each user identity.
• Apple Mac OS X Mail stores each mailbox as a folder with an .mbox extension; recent versions keep the messages inside it as individual .emlx files rather than as one traditional mbox text file.
• GroupWise uses the .MLM format for saving messages to a local computer. However, this file is not typically created unless the e-mail user sets up GroupWise to store messages locally on the hard drive.
• Lotus Notes e-mail files are stored in the .NSF format.
• Outlook Express stores e-mail in .DBX files, one per mail folder (for example Inbox.dbx and Sent Items.dbx), under each Windows user’s profile on the local computer.
• Phone Storage
– Smart phones with e-mail capability store messages in their own format, compatible with the phone’s operating system. The interesting thing about e-mail stored on phones is that it can be hard for the user to manage because of the quirks of the individual device. For instance, on an Android phone the inbox is the main e-mail window; to get to sent items or deleted items you have to go through the menu system from the inbox. The sent items and deleted items folders can grow to enormous size depending on the amount of storage the phone has on board. Since the phone’s e-mail program has no convenient way to bulk delete items, and no function to empty the deleted items folder, these messages accumulate without the user being aware that they are even on the phone. And if the user is aware of them, there is a good chance he or she has not gone through the painful process of deleting the messages manually, one by one.
– iPhones store e-mail on the device as well. If the owner connects the iPhone to a computer running iTunes, the phone will want to perform an automatic backup of its contents. This backs up all of the user’s e-mail currently on the phone to the computer, and these backups can be found in the iTunes backup folder for the phone. Note that iTunes can be set to encrypt these backups with a user-chosen password, in which case the backup is present but its contents cannot be read without that password.
• Pad Computers
– Pad computers such as the Apple iPad, Motorola XOOM, and BlackBerry PlayBook are popular replacements for a bulkier laptop for people who need e-mail access on the road. For example, the iPad stores e-mail on the device and also backs up that e-mail to iTunes whenever the unit is plugged into a computer running iTunes that recognizes the iPad as having been synced with that computer.
Case study 34.3. Is it really gone? An attempt to destroy evidence of an e-mail
In a case where a large company wanted to know if an employee had sent an e-mail containing a nude picture to the board of directors, the employee’s iPhone and company laptop computer were submitted for examination. When the phone was examined, it was discovered that it had been factory reset, wiping all data from the phone. This ruled out checking the phone itself for evidence. Next the computer was examined and it did not have any pictures or e-mails of interest. However, there was also evidence that the computer had been cleaned up using a file-wiping program. In some instances, this would have been the end of any possibility of discovering what really happened. However, what the clever employee missed was the backups of his iPhone that were still on the computer in his iTunes directory. The picture was recovered from the iTunes backup folder to prove that the picture originated from his iPhone and his e-mail.

34.3. Web mail

Free web mail is by far the most commonly used e-mail service overall. It is also one of the most common types of e-mail evidence that people want to recover, in all types of cases. Many people believe that because they use a web-based e-mail account accessed only through an Internet browser, no record will be stored on the local computer. However, in many cases web-based e-mail is cached to the local hard drive as a web page, just like any other page the browser displays. These web pages can be recovered like any other web page, either by locating the page in the Internet cache or by carving the pages from unallocated space. Web page caching is covered in Chapter 31.
Not only can the individual messages composed or read be retrieved this way, but the main mail page listing the messages in the user’s mailbox can be recovered, showing that an e-mail was sent or received even if the e-mail itself cannot be recovered.
In addition to the pages cached on the local computer, it is possible to get e-mail directly from the provider via subpoena. However, if the e-mail was deleted from the user’s account, there is little likelihood of retrieving it from the provider if any significant time has passed. Most free e-mail services purge deleted e-mails on a regular basis, normally within 30 days for inactive accounts. However, this varies by service provider, so the best solution is to always check with the custodian of records to find out the retention policy of the individual service. How to subpoena free e-mail accounts is covered in Chapter 22.
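The following Python script is an added example, not code from the book, showing the carving step described above: scanning a raw byte buffer (standing in for unallocated space) for HTML documents by their start and end signatures, keeping the byte offset of each hit for cross-reference with the file system, and pulling out the title and e-mail addresses, which is usually enough to recognise a cached inbox listing or a single message page. The buffer and the pages embedded in it (alice@webmail.example, bob@example.org and so on) are constructed for the example; a real cache page is far larger and messier, but the approach is the same.

```python
import re

# Constructed stand-in for a chunk of unallocated space (not from a real
# image): binary filler with two cached webmail pages embedded in it, the
# second one truncated where it was partially overwritten.
INBOX_PAGE = (b"<html><head><title>Inbox (3) - alice@webmail.example</title></head>"
              b"<body><table><tr><td>bob@example.org</td><td>Re: lunch</td></tr>"
              b"<tr><td>someone@yahoo.example</td><td>I know about your husband</td></tr>"
              b"</table></body></html>")
MESSAGE_PAGE = (b"<html><head><title>Re: lunch - alice@webmail.example</title></head>"
                b"<body>From: bob@example.org<br>To: alice@webmail.example<br>"
                b"Subject: Re: lunch<br>see you at noon")      # no </html>: truncated
UNALLOCATED = (b"\x00" * 64 + b"\xde\xad\xbe\xef" * 40 + INBOX_PAGE
               + b"\xff" * 128 + MESSAGE_PAGE + b"\x00" * 300)

HTML_START = re.compile(rb"<html[\s>]", re.IGNORECASE)
HTML_END = re.compile(rb"</html>", re.IGNORECASE)
TITLE_RE = re.compile(rb"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def carve_html_pages(blob: bytes, max_len: int = 1 << 20) -> list[dict]:
    """Carve HTML documents out of a raw byte buffer by header/footer signature.

    A start tag with no matching end tag within max_len is carved up to the
    next start tag (or max_len) and flagged as truncated, which is common for
    cache pages that have been partly overwritten. Offsets are kept so each
    hit can be tied back to a cluster in the file-system allocation map.
    """
    pages = []
    for start in HTML_START.finditer(blob):
        off = start.start()
        end = HTML_END.search(blob, off, off + max_len)
        if end:
            pages.append({"offset": off, "data": blob[off:end.end()], "truncated": False})
        else:
            nxt = HTML_START.search(blob, off + 1, off + max_len)
            stop = nxt.start() if nxt else min(len(blob), off + max_len)
            # trim the slack-space padding that follows a truncated page
            pages.append({"offset": off, "data": blob[off:stop].rstrip(b"\x00\xff"),
                          "truncated": True})
    return pages


def summarize_page(page: dict) -> dict:
    """Pull out what an examiner looks at first: the title (webmail usually
    puts the folder name or subject there), every address on the page, and
    whether the carve was complete."""
    data = page["data"]
    title = TITLE_RE.search(data)
    addresses = sorted({a.decode("ascii", "replace") for a in EMAIL_RE.findall(data)})
    return {
        "offset": page["offset"],
        "title": title.group(1).decode("utf-8", "replace").strip() if title else None,
        "addresses": addresses,
        "truncated": page["truncated"],
    }


def carve_webmail(blob: bytes) -> list[dict]:
    """Carve every HTML page in the buffer and summarise each one."""
    return [summarize_page(p) for p in carve_html_pages(blob)]


if __name__ == "__main__":
    for hit in carve_webmail(UNALLOCATED):
        flag = " (truncated)" if hit["truncated"] else ""
        print(f"offset {hit['offset']:>8}: {hit['title']}{flag}")
        print("    addresses:", ", ".join(hit["addresses"]))
```

The inbox listing is the point the chapter makes: even when the message page itself is only a truncated fragment, the carved folder listing still shows that a message with that sender and subject sat in the mailbox. Carved hits are leads, not proof; the offset lets the examiner confirm the data is genuinely in unallocated space and not part of a live file, and the title and addresses should be matched against the provider’s records obtained by subpoena.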

Summary

This chapter covered e-mail as evidence and where this evidence might be found. The different types and places of e-mail storage were covered along with the various methods that can be used to collect e-mail as evidence. Case studies were included that showed how e-mail evidence was used in some criminal and civil cases.
Reference
[1]