
Email Forensics


Email is one of the primary means of electronic communication and an essential source of evidence in most forensic investigations. This is where our email forensics services come into play. We can help you identify, acquire (extract), preserve, analyse, interpret and present electronic mail data in a legally defensible manner, so that facts can be established and conclusions drawn for legal or other investigatory purposes while the data's admissibility is maintained.

Below are some of the most common email forensic scenarios:

Intellectual Property Theft

Corporate espionage and intellectual property theft often involve the unauthorised sharing of sensitive information through emails. We can help you:

  • Retrieve deleted or altered emails that may have been sent by insiders attempting to steal or leak confidential data.
  • Inspect attachment metadata in the MIME headers to verify the type, format, and timing of shared documents. This will help confirm whether intellectual property was sent outside the organisation.
  • Identify patterns of communication with external entities that may point to collusion or leakage of trade secrets.

Data Breach Investigations

Following a data breach, we can help determine if the breach originated from compromised email accounts, insider threats or as part of a coordinated attack. This involves:

  • Examining MIME headers to detect unusual patterns or unauthorised email forwarding from compromised accounts.
  • Verifying whether malicious emails were used to distribute phishing links or malware that led to the data breach.
  • Analysing login timestamps and server logs from emails to identify the time frame and method of the breach.

Fraud Investigations

Following an incident of fraud, we can help determine the extent of the fraud by:

  • Examining MIME headers, subject lines, email content, attachments, and other metadata from existing, deleted or hidden emails to establish who communicated with whom, when and what content was shared.
  • Detecting unusual patterns of communication (anomalies) to uncover evidence of fraud.

Phishing Attacks and Email Fraud

Phishing is one of the most prevalent types of email-based attacks, where the attacker masquerades as a trusted entity to trick recipients into revealing sensitive information, such as passwords or credit card numbers. Our email forensics can help by:

  • Analysing headers such as "From", "Return-Path" and "Reply-To" to identify forged sender information or spoofed domains.
  • Examining the DKIM, SPF, and DMARC authentication checks to determine if the email originated from the claimed source.
  • Detecting embedded malicious links or attachments designed to deceive the recipient into downloading malware or giving away confidential data.
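
The following is an added example, not code from this page or its authors, showing how the header and authentication checks above can be carried out on a raw message with Python's standard library. The two messages are constructed samples: the first has a visible "From" address at one domain while the envelope sender ("Return-Path") and "Reply-To" point elsewhere and the receiving server recorded failing SPF and DMARC results; the second is consistent and passes. The parsing of the Authentication-Results header is a simplified regular expression, and the domain-mismatch rules are indicators for an examiner to review, not proof of spoofing, since mailing lists and bulk senders legitimately use a different Return-Path.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (not a real capture): visible From claims bank.example,
# but the envelope sender and Reply-To point elsewhere, and the receiving MTA
# recorded spf=fail, dkim=none and dmarc=fail.
SUSPECT_RAW = """Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example;
 spf=fail smtp.mailfrom=bulk-sender.example;
 dkim=none;
 dmarc=fail header.from=bank.example
Received: from mail.bulk-sender.example ([203.0.113.10])
 by mx.recipient.example with ESMTP; Mon, 3 Jun 2024 09:15:02 +0000
From: "Bank Security" <alerts@bank.example>
Reply-To: <support@bank-verify.example>
To: <victim@recipient.example>
Subject: Action required
Date: Mon, 3 Jun 2024 09:14:55 +0000
Message-ID: <abc123@bulk-sender.example>
Content-Type: text/plain; charset=utf-8

Please verify your account.
"""

# Constructed sample of a consistent message: all sender headers agree and
# every authentication mechanism passed.
CLEAN_RAW = """Return-Path: <alerts@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: <customer@recipient.example>
Subject: Statement available
Date: Mon, 3 Jun 2024 10:00:00 +0000
Message-ID: <def456@bank.example>
Content-Type: text/plain; charset=utf-8

Your statement is available.
"""


def header_domains(raw: str) -> dict:
    """Return the domain part of From, Return-Path and Reply-To (None if absent)."""
    msg = message_from_string(raw, policy=policy.default)
    domains = {}
    for name in ("From", "Return-Path", "Reply-To"):
        value = msg.get(name)
        if value is None:
            domains[name] = None
            continue
        _, addr = parseaddr(str(value))
        domains[name] = addr.rpartition("@")[2].lower() or None
    return domains


def auth_results(raw: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers.

    Simplified parsing: only the mechanism=result pairs are read, and the
    examiner must still confirm the header was added by a trusted receiver.
    """
    msg = message_from_string(raw, policy=policy.default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(value), re.I):
            results[mechanism.lower()] = verdict.lower()
    return results


def spoofing_indicators(raw: str) -> list:
    """List header inconsistencies and failed authentication checks for review."""
    domains = header_domains(raw)
    auth = auth_results(raw)
    findings = []
    from_domain = domains["From"]
    for name in ("Return-Path", "Reply-To"):
        if domains[name] and domains[name] != from_domain:
            findings.append(f"{name} domain {domains[name]} differs from From domain {from_domain}")
    for mechanism in ("spf", "dkim", "dmarc"):
        verdict = auth.get(mechanism, "missing")
        if verdict != "pass":
            findings.append(f"{mechanism}={verdict}")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT_RAW), ("clean", CLEAN_RAW)):
        print(label, header_domains(raw), auth_results(raw))
        for finding in spoofing_indicators(raw):
            print("  -", finding)
```

Run against an exported .eml file by reading it as text and passing the contents to `spoofing_indicators`; the absence of any Authentication-Results header is itself reported as "missing" so that a message with no server-side verification is not mistaken for a clean one.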

Business Email Compromise (BEC)

In BEC schemes, cybercriminals gain access to a company's legitimate email accounts or impersonate a high-ranking executive to defraud the organisation. We can help you:

  • Trace the origin of suspicious emails, identifying the IP addresses and routing paths from the MIME headers to uncover compromised accounts.
  • Analyse the email's content structure and any attachments to detect modifications or malicious scripts hidden within legitimate-looking emails.
  • Cross-check timestamps and client information to match the attack with a known breach or to identify the time of compromise.

Litigation and other Legal Investigations

In legal cases, emails can be crucial evidence in contract disputes, defamation claims, or fraud. Our forensic analysis can help you:

  • Authenticate email communications by examining the DKIM and SPF records to confirm whether the listed parties sent and received the emails.
  • Use timestamps in the email headers to establish a timeline of communication, which can support or contradict claims made by witnesses or suspects.
  • Detect whether any emails have been tampered with, such as altered subject lines or email content that could mislead the court or arbitration panel.
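
As an added example (not code from this page or its authors) of building a timeline from header timestamps, the block below reads the Received headers of a constructed message, orders the hops from earliest to latest, and flags any hop whose timestamp runs backwards by more than a tolerance, as well as a Date header that post-dates the first receiving server. The sample message and the five-minute tolerance are assumptions; real mail servers have clock skew, so the tolerance should be set from what the examined environment shows, and a flagged hop is a point to investigate rather than proof of tampering.

```python
from datetime import timedelta
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample (not a real capture). Each mail server prepends its own
# Received header, so the last Received header in the block is the earliest
# hop. The second hop here carries a timestamp 20 minutes before the first.
SAMPLE_RAW = """Received: from relay2.example.net (relay2.example.net [198.51.100.7])
 by mx.recipient.example with ESMTP id q1; Mon, 3 Jun 2024 09:20:40 +0000
Received: from relay1.example.net (relay1.example.net [198.51.100.5])
 by relay2.example.net with ESMTP id p9; Mon, 3 Jun 2024 08:55:10 +0000
Received: from sender-pc.example.org ([192.0.2.25])
 by relay1.example.net with ESMTPSA id n4; Mon, 3 Jun 2024 09:15:02 +0000
From: <alice@example.org>
To: <bob@recipient.example>
Subject: Contract revision
Date: Mon, 3 Jun 2024 09:14:50 +0000
Message-ID: <m1@example.org>

Attached is the revised contract.
"""


def received_hops(raw: str) -> list:
    """Return the Received hops in delivery order (earliest first)."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # unfold and normalise whitespace
        clause, _, stamp = text.rpartition(";")      # the timestamp follows the last ';'
        hops.append({"clause": clause.strip(), "time": parsedate_to_datetime(stamp.strip())})
    return hops


def timeline_anomalies(raw: str, tolerance: timedelta = timedelta(minutes=5)) -> list:
    """Flag timestamps that contradict the expected delivery order."""
    msg = message_from_string(raw, policy=policy.default)
    hops = received_hops(raw)
    findings = []
    date_header = msg.get("Date")
    if date_header is not None and hops:
        composed = parsedate_to_datetime(str(date_header))
        # The sender's Date should not be later than the first server that accepted the mail.
        if composed - hops[0]["time"] > tolerance:
            findings.append("Date header is later than the first receiving hop")
    for i in range(1, len(hops)):
        gap = hops[i]["time"] - hops[i - 1]["time"]
        if gap < -tolerance:
            findings.append(f"hop {i + 1} timestamp precedes hop {i} by {-gap}")
    return findings


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_RAW), start=1):
        print(n, hop["time"].isoformat(), hop["clause"])
    for finding in timeline_anomalies(SAMPLE_RAW):
        print("anomaly:", finding)
```

Because the hop list is ordered and timestamped, it can be laid alongside witness statements or server logs directly; the comparison of the Date header with the first hop also separates the time the sender's client claims from the time a server first saw the message.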

Employee Misconduct and Harassment Cases

Emails are frequently the primary form of communication in workplace environments. When investigating claims of misconduct, harassment, or inappropriate behaviour, our email forensics services can:

  • Investigate communication patterns to uncover evidence of inappropriate or unauthorised communication.
  • Analyse subject lines, content-encoding, and metadata from deleted or hidden emails to establish who communicated with whom, when, and about what.
  • Track the email client, IP address, and sending times to determine if an employee used the company's email system to send inappropriate material or harassing messages.
  • Retrieve deleted attachments that might contain harmful or offensive content.

Cybercrime Investigations

When investigating more extensive cybercrime activities, such as hacking, ransomware attacks, or botnet operations, our forensic analysis can assist in the following:

  • Trace the origins of command-and-control emails sent to compromised systems or malicious emails sent as part of a ransomware attack.
  • Inspect attachments and encoded payloads to identify embedded malware or phishing kits used in widespread cyberattacks.
  • Collect evidence of communication between hackers and victims or between hackers themselves by examining MIME headers, routing information, and hidden metadata.

Whistleblower Investigations

In cases where whistleblowers use email to report misconduct or corruption, our email forensics can:

  • Authenticate the whistleblower's claims by validating the email's authenticity, timestamps, and originating server.
  • Uncover any unauthorised forwarding or tampering of whistleblower emails that may suggest an attempt to cover up or alter evidence.

Internal Investigations in Regulatory Compliance

Many industries, such as finance and healthcare, are required to adhere to strict regulatory compliance standards for data protection and communication. Our email forensics can assist in ensuring compliance by:

  • Auditing email communications to confirm that sensitive data, such as financial information or patient records, is not being shared externally or with unauthorised parties.
  • Identifying the misuse of corporate email systems for personal gain or illegal activities.
  • Verifying compliance with legal requirements for email retention and destruction by tracking timestamps, storage locations, and archive headers.

We are also here to help you where you require just one or more components of our forensic email investigation services, including:

Email Acquisition and Preservation

The first step in email forensics is acquiring and preserving email data without compromising its integrity. This stage is critical for maintaining the admissibility of email evidence in legal proceedings. We can help you:

  • Identify relevant email sources.
  • Locate email accounts and mail servers.
  • Extract all relevant email data, including attachments, embedded images, and metadata, from most email platforms including Microsoft Exchange, Office 365, Hotmail, Outlook.com, Gmail, Google Workspace, Yahoo Mail, AOL, iCloud, etc.
  • Identify backup sources that may contain older emails, such as cloud storage or local archives.
  • Generate hash values (e.g., MD5, SHA-256) before and after acquisition to confirm data integrity.
  • Maintain a chain of custody, ensuring accountability and transparency.
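
The block below is an added example, not code from this page or its authors, of the hashing and custody steps listed above applied to a file-based mailbox export. It hashes the source before copying, hashes the copy afterwards, writes a JSON manifest recording both digests together with the examiner and acquisition time, and re-verifies the copy against the manifest. The mailbox content, the examiner identifier and the manifest layout are constructed for the example; SHA-256 is the digest to rely on, and MD5 is included only because older records and tools still report it.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def hash_file(path: str, algorithms=("md5", "sha256"), chunk_size: int = 1 << 20) -> dict:
    """Compute the requested digests of a file in one pass, reading in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def acquire(source: str, dest_dir: str, examiner: str) -> dict:
    """Copy a mailbox file, hash it before and after, and write a custody manifest."""
    before = hash_file(source)
    dest = os.path.join(dest_dir, os.path.basename(source))
    shutil.copy2(source, dest)                      # copy2 preserves file timestamps
    after = hash_file(dest)
    manifest = {
        "source": os.path.abspath(source),
        "image": os.path.abspath(dest),
        "size_bytes": os.path.getsize(dest),
        "hashes_before": before,
        "hashes_after": after,
        "verified": before == after,                # acquisition is only good if these match
        "examiner": examiner,
        "acquired_at_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(dest + ".manifest.json", "w", encoding="utf-8") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify(manifest_path: str) -> bool:
    """Re-hash the acquired image and compare it with the digests recorded at acquisition."""
    with open(manifest_path, encoding="utf-8") as fh:
        manifest = json.load(fh)
    return hash_file(manifest["image"]) == manifest["hashes_after"]


def demo() -> tuple:
    """Acquire a constructed mbox, verify it, then show that a one-byte edit is detected."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "source.mbox")
        with open(source, "wb") as fh:                 # constructed mailbox content
            fh.write(b"From alice@example.org Mon Jun  3 09:14:50 2024\n"
                     b"From: alice@example.org\nSubject: Contract revision\n\nAttached.\n")
        evidence_dir = os.path.join(work, "evidence")
        os.mkdir(evidence_dir)
        manifest = acquire(source, evidence_dir, examiner="EXAMINER-ID (placeholder)")
        manifest_path = manifest["image"] + ".manifest.json"
        intact = verify(manifest_path)
        with open(manifest["image"], "r+b") as fh:     # simulate post-acquisition modification
            fh.seek(0)
            fh.write(b"f")                              # 'F' -> 'f' in the mbox separator line
        tampered = verify(manifest_path)
        return manifest["verified"], intact, tampered
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())   # expected: (True, True, False)
```

The manifest is what a chain-of-custody record needs at hand-over: anyone receiving the image can run `verify` against it without access to the original source. Store the manifest separately from the image, since a manifest kept beside a modified image could be rewritten along with it.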

In-place Searching of Mailboxes (Email Triage)

In cases where complete email data extraction isn't feasible due to time constraints or large data volumes, in-place searching or triage becomes essential. We can help you scan mailboxes to identify and extract relevant data without needing a complete extraction while maintaining the defensibility of the data acquired.

Email Authentication

Verifying an email's authenticity is a fundamental aspect of email forensics. Authentication involves assessing the sender's credibility and the integrity of the email content to determine whether an email has been altered, forged, or spoofed.

Email System Investigations

Investigating the email systems themselves is often necessary to trace issues like unauthorised access or configuration changes that facilitate email-based attacks.

A typical email system investigation involves:

  • Reviewing audit logs, including user logins and access logs, to identify suspicious login attempts, unauthorised access, or
  • Checking settings such as auto-forwarding rules, mailbox permissions, and server configurations that could expose emails to unauthorised access or leaks.
  • Identifying anomalous activities by looking for patterns like mass deletion of emails, unexpected forwarding rules, or auto-deletion schedules that could indicate tampering.
  • Reviewing server logs for signs of potential breaches or attacks, such as failed login attempts or abnormal traffic spikes.

Deleted Email Recovery and Repairs

Recovering and repairing deleted emails can often provide key evidence in an investigation, especially when emails have been deliberately erased to cover tracks. Even if an email has been deleted, recovering it may still be possible. Specialised tools and advanced data recovery techniques, such as file or data carving, can be used to recover fragments of deleted emails.

Email Format Normalisation

Email data can come in various formats, making it challenging to analyse consistently. Normalisation standardises email formats for streamlined processing. This is typically done by converting formats that forensic tools support less well, such as OST, MBOX, NSF, DBX, MBX, TBB, IMM and IML, to a standardised format such as PST for analysis, while preserving the original metadata during conversion to avoid data loss or misinterpretation in later stages.

Email forensics is a vital component of digital investigations. It provides insights into communication patterns, verifies email authenticity, and uncovers evidence of malicious activities. From acquisition and preservation to in-depth analysis and recovery, our email forensic services ensure data is handled methodically and with the utmost integrity.


Contact us now for a free consultation, evaluation and preliminary quotation.

Terms and Conditions Apply