Forensic Email Evidence Analysis

Email has become the most widely used medium of corporate communication on the internet. It is used to exchange messages, share documents and manage transactions from computers, mobile phones and all kinds of electronic devices. In the case of company X, detecting a fraudulent email among a pile of 35,000 is no mean task. To gather sufficient evidence that is admissible in court, a diverse team of experts is needed. Given that in this particular case the kind of evidence being searched for is not definite and could be in any format, or even encrypted to mean something vastly different, the team should consist of specialized professionals with deep expertise in their respective fields.

A very competent IT expert (Rick) with strong programming skills is needed for data extraction, decryption and analysis. When going through a list of 35,000 emails, it is absolutely critical to authenticate the data: point out inconsistencies, ensure that all data is accounted for and, most importantly, confirm that no data has been omitted. The next step for the IT expert is to put the data into an analyzable format for extensive and thorough analysis. A documentation expert (John) will come in handy in sifting through the vast body of email conversations and attachments. With 35,000 emails to analyze, it is important to establish the trend and flow of information between the different parties so as to be able to identify suspicious areas. Archiving and documenting the evidence is also important for consistent evidence presentation. A legal professional (Troy) is also needed on this team to help determine what admissible evidence can stand in a court of law, while at the same time guiding the team in working within legal parameters. The lawyer will also double as the team leader, given that this is a lawsuit and the focus is to establish infringement of intellectual property. To convince a jury and a judge, it is important to paint the picture for them very clearly, in a simple and easy way. To present potentially complex and convoluted evidence in a palatable manner, there is a need for a person with excellent presentation skills (Sara). Formatting this mass of information so that it can be understood by a jury is essential for the evidence to be admissible.

To sift through 35,000 emails, identify which particular emails are of interest and, most importantly, point out the sender and the incriminating emails, we will employ several standard email forensic techniques. Email systems usually consist of various hardware and software components on both the sender's and the receiver's side. An email itself consists of several parts that are transmitted via the internet through various protocols. Working with various forensic techniques, we will be able to identify the actual senders and recipients of emails, the actual time when each email was sent, detailed email records and the sender's intent.

To start, we will conduct a thorough header analysis of all 35,000 emails. This will help us identify the senders and trace email paths. However, since email paths and sender identities could be hidden, we will perform extensive correlation analysis to identify inconsistencies and establish the real senders. We will also deploy bait tactics in cases where we feel the real IPs have been masked. This will help in establishing which emails were sent via proxies, which is in itself a red flag for suspicious activity. Server investigation will also be conducted, in which we will gather email logs, identify email sources and content, and trace which particular computers sent which messages. If we suspect that some information has been deleted from the servers, we will conduct network equipment analysis to extract logs from routers, firewalls and switches to confirm and countercheck the server logs.
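As an added illustration of the header analysis described above (not part of the original case write-up), this Python script walks a message's Received: chain oldest-first to recover the originating IP and flags the kind of inconsistencies a correlation pass looks for: a broken hand-off between hops, a Message-ID domain that does not match the From: domain, and a Date: header far from the first relay's timestamp. The message, hosts, addresses and IPs are constructed placeholders.

```python
# Added example: trace a message's Received: chain and flag header inconsistencies.
# The message below is a constructed sample; hosts, addresses and IPs are placeholders.
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE = """\
Received: from mx.example-corp.test (mx.example-corp.test [203.0.113.10])
 by mail.example-corp.test with ESMTP; Mon, 03 Jun 2019 10:05:07 +0000
Received: from relay.partner.test (relay.partner.test [198.51.100.20])
 by mx.example-corp.test with ESMTP; Mon, 03 Jun 2019 10:05:06 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by relay.partner.test with SMTP; Mon, 03 Jun 2019 10:04:58 +0000
From: Alice Vendor <alice@partner.test>
Date: Mon, 03 Jun 2019 09:30:00 +0000
Message-ID: <20190603@freemail.test>
Subject: design files
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    # Return hops oldest-first as (from_host, ip, by_host); headers appear newest-first.
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())          # unfold continuation lines
        m = re.match(r"from (\S+).*?by (\S+)", text)
        ip = IP_RE.search(text)
        hops.append((m.group(1) if m else None, ip.group(1) if ip else None, m.group(2) if m else None))
    return hops

def analyse(raw):
    msg = message_from_string(raw)
    hops = received_chain(raw)
    flags = []
    # Each relay's "by" host should be the next hop's "from" host; a mismatch is a chain break.
    for (_, _, by_host), (nxt_from, _, _) in zip(hops, hops[1:]):
        if by_host != nxt_from:
            flags.append(f"chain break: {by_host} -> {nxt_from}")
    from_domain = parseaddr(msg["From"])[1].split("@")[-1]
    msgid_domain = msg["Message-ID"].strip("<>").split("@")[-1]
    if from_domain != msgid_domain:
        flags.append(f"Message-ID domain {msgid_domain} != From domain {from_domain}")
    # Date: is set by the sender's client; compare it with the first relay's own stamp.
    first_stamp = parsedate_to_datetime(msg.get_all("Received")[-1].rsplit(";", 1)[1].strip())
    claimed = parsedate_to_datetime(msg["Date"])
    if abs((first_stamp - claimed).total_seconds()) > 600:
        flags.append("Date header differs from first relay timestamp by more than 10 minutes")
    return {"origin_ip": hops[0][1], "hops": hops, "flags": flags}
```

For the sample, the chain is intact but both the Message-ID domain and the Date: header are flagged; on a real mailbox the same routine is run over every message and the flagged set is what the correlation step reviews.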

All this will enable us to identify suspicious activity, narrowing down from 35,000 emails to just several hundred within two weeks. Based on IP addresses and the identification of particular computers, we will narrow the several hundred emails down to one particular trail of email exchange. At this stage, to decipher encrypted conversations, we will use available decryption tools to reveal the actual conversation. This can then be used as evidence in a court of law.