Email Forensics

Electronic mail is undeniably one of the most common ways people communicate today. Between internal meeting requests, distribution of documents, and general conversation, one would be hard-pressed to find an organization of any size that does not rely heavily on email. Studies have shown that more e-mail is generated every day than phone conversations and paper documents combined!

Computer forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide. No examination or document discovery is complete without requesting, searching, and organizing e-mail.

Computer Forensics of Boston has the skill set to ease the burden of analyzing email, from one user’s mailbox to hundreds of custodians throughout a massive Microsoft Exchange or Lotus Notes organization. Computer Forensics of Boston has assisted clients in the forensic extraction and analysis of email, contacts, and calendars in a large number of cases.

Identification and Extraction

Computer Forensics of Boston’s first step in an email examination is to identify the sources of email and how the e-mail servers and clients are used in an organization. More than just a way of sending messages, email clients and servers have expanded into full databases, document repositories, contact managers, time managers, calendars, and many other applications. For instance, Computer Forensics of Boston has seen Microsoft Exchange customized to be used as a complete Customer Relationship Manager (CRM). In addition, it is certainly not uncommon for the powerful database features of Lotus Notes and Domino Server to be exploited far beyond an email system. Organizations use these powerful, database-enabled email and messaging servers to manage cases, track clients and share data. A skilled, certified Computer Forensic Examiner must know how to identify to what extent these powerful business tools are being used beyond email.

Many users store their personal calendars and contacts in their email clients, and even synchronize those clients with their Personal Digital Assistants (PDAs). Organizations use features like the Free/Busy Connector in MS Exchange to track availability of employees and utilize shared calendars to track appointments and meetings. Computer forensic analysis of the email server and the clients on users’ systems often yields a considerable amount of information on the user and the organization itself.

Computer Forensics of Boston can assist in requesting and analyzing email and organizational tools in a forensically sound manner. Email computer forensics is more than looking at email messages. The examiner must also be aware of the advanced features and forensic possibilities of each type of email system.

Deleted Email

Many users believe that once they delete email from their client, the email is unrecoverable. As a matter of fact, nothing could be further from the truth. Emails can often be forensically extracted – even after deletion. Furthermore, many users also do not grasp the concept that email has a sender and a recipient or multiple recipients. Emails may reside on servers unknown to the user, or on backup tapes that were created during the normal course of business. These may also be extracted from the hard disk of the client or the server. Computer Forensics of Boston excels at using forensic techniques and basic common sense to recover deleted email, calendars, and more from users’ email clients and email servers.

Web Mail or Web-Based Email

Computer Forensics of Boston has found that it is possible to forensically recover e-mail created or received by web-based email systems, as well as from free web-based email services such as Hotmail, Gmail (Google Mail) and Yahoo Mail. These types of mail systems use a browser to interface with the email server. The browser inherently caches information to the disk drive in the system used to retrieve or generate the e-mail, thereby effectively saving a copy to the disk. A certified Computer Forensic Services examiner can extract the HTML-based email from the disk drive of the system used to create or retrieve the e-mail messages. Many organizations also have a web-based system for users to retrieve their e-mail while out of the office. An example of such a system is Outlook Web Access (OWA), used with Microsoft Exchange Servers. These browser-based Web Mail clients also cache messages to the disk.

Many web-based or web mail services, including Yahoo and Hotmail, have shared calendar services, personal calendars, and contact managers as well as email. Any time these services are accessed, they may be cached to the disk as well. Computer Forensics of Boston has experienced many instances where important contact information for additional subjects was found after a careful analysis of web email and other web-based services was conducted.

Correlating Email Messages

A proper forensic analysis of email yields documents that can be easily correlated by date, subject, recipient or sender, creating a highly understandable map of events and entities. Computer Forensics of Boston takes great pride in our ability to correlate large amounts of data into basic, easy-to-follow presentations. While maintaining the highest standards of forensic soundness, our firm uses specialized tools to link entities, dates, times and events. We ensure that our clients as well as their clients achieve maximum efficiency and the highest quality work product.

Computer forensics is our one and only focus, and we are committed to your satisfaction.

We encourage you to contact us today at 1-800-868-8189 / (508) 205 9821 or email us to discuss your needs in more detail. All information will be kept strictly confidential.

Computer Forensics of Boston, proudly serving the greater Boston metropolitan area and worldwide.