Issues and solutions in email evidence.
Deleted emails can provide an additional, redundant record that can be matched against email copies maintained by another custodian or on another server. When an email has been deleted from a computer, its data may still be recovered with forensic tools, although the file system will eventually overwrite it. Analysis of a forensic image of the device can therefore surface this record in situations where examining a live email account would be less effective.
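To make the recovery point concrete, here is an added example (not code from the original page) that carves RFC 5322 header blocks out of raw bytes the way a simple file-carving pass over unallocated space would. The "image" is a constructed byte string standing in for a disk region, with one intact message and one whose body blocks have already been reused; message identifiers and addresses are made up for the example.

```python
"""Carve RFC 5322 header blocks out of raw bytes from a forensic image.

Example code added to illustrate the recovery point above; it is not from
the original page. IMAGE below is a constructed byte string standing in for
unallocated space, not a real disk image.
"""
import re
from email import message_from_bytes

# A header block: one or more "Name: value" lines terminated by a blank line.
HEADER_BLOCK = re.compile(rb"(?:[A-Za-z][A-Za-z0-9-]*: ?[^\r\n]*\r?\n)+\r?\n")


def carve_messages(image: bytes) -> list:
    """Return candidate messages found in `image`, in offset order.

    A block is only accepted when it carries a Message-ID header, which
    filters out ordinary "Note: ..." text that happens to look like a header.
    The body is read from the end of the headers up to the first NUL byte or
    the start of the next header block, so a message whose body blocks have
    already been reused shows up with recoverable headers but an empty body.
    """
    matches = [m for m in HEADER_BLOCK.finditer(image)
               if b"message-id:" in m.group(0).lower()]
    found = []
    for i, m in enumerate(matches):
        headers = message_from_bytes(m.group(0))
        limit = matches[i + 1].start() if i + 1 < len(matches) else len(image)
        body = image[m.end():limit]
        nul = body.find(b"\x00")
        if nul != -1:
            body = body[:nul]
        found.append({
            "offset": m.start(),
            "message_id": headers["Message-ID"],
            "from": headers["From"],
            "subject": headers["Subject"],
            "body": body.decode("utf-8", errors="replace"),
        })
    return found


# Constructed sample "image": zeroed filler, one intact message, some unrelated
# file content, and a second message whose body has already been overwritten.
FILLER = b"\x00" * 64

INTACT = (
    b"Received: from mail.example.com by mx.example.com; Mon, 1 Jan 2024 09:00:00 +0000\r\n"
    b"From: alice@example.com\r\n"
    b"Date: Mon, 1 Jan 2024 09:00:00 +0000\r\n"
    b"Message-ID: <msg1@example.com>\r\n"
    b"Subject: Q3 report\r\n"
    b"\r\n"
    b"Quarterly figures attached.\r\n"
)

PARTIALLY_OVERWRITTEN = (
    b"From: bob@example.com\r\n"
    b"Message-ID: <msg2@example.com>\r\n"
    b"Subject: Re: Q3 report\r\n"
    b"\r\n"
) + b"\x00" * 32  # the body's blocks have been reused by the file system

IMAGE = (FILLER + INTACT + FILLER + b"some unrelated file content\n"
         + PARTIALLY_OVERWRITTEN + FILLER)


if __name__ == "__main__":
    for hit in carve_messages(IMAGE):
        status = "body recovered" if hit["body"] else "headers only"
        print(f"offset {hit['offset']}: {hit['message_id']} {hit['from']!r} ({status})")
```

The carved offset and the presence or absence of a body are the facts worth recording: a header-only hit is still useful for corroborating a message that survives intact in another custodian's mailbox, while an empty result over a region means the file system has already reclaimed it.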
Email applications on mobile devices are in common use, particularly where BYOD (Bring Your Own Device) policies have been adopted. Email copies kept on these devices provide an additional source of corroborative email evidence.
Solution: Header and Contextual Analysis
An email header commonly contains a DKIM signature. DKIM (DomainKeys Identified Mail) is a way of verifying that an email was signed by a mail server authorized by the domain it claims to come from. A DKIM-authenticated email carries a cryptographic signature in its DKIM-Signature header field, which receiving servers check against the public key that the asserted domain publishes in DNS. This allows email servers to confirm that the signed headers and body were not tampered with in transit.
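The following added example (not code from the original page) shows the part of a DKIM check that can be done entirely offline on a collected message: parsing the DKIM-Signature tags and recomputing the body hash (bh=) under RFC 6376 canonicalization. The sample message, its domain, selector and addresses are constructed for the example, and the b= value is a placeholder, since verifying it requires the selector's public key from DNS.

```python
"""Parse a DKIM-Signature header and verify its body hash (bh=) offline.

Example code added to illustrate the DKIM check described above; it is not
from the original page. Verifying bh= needs no network access. Verifying the
b= signature additionally needs the signer's public key, published in DNS at
<selector>._domainkey.<domain>; that step is not performed here.
"""
import base64
import hashlib
import re
from email import message_from_string


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, dropping folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: str, mode: str) -> bytes:
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of whitespace within a line and drop trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    # Both modes ignore trailing empty lines.
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, algorithm: str, mode: str) -> str:
    """Base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest = hashlib.sha1 if algorithm == "rsa-sha1" else hashlib.sha256
    return base64.b64encode(digest(canonicalize_body(body, mode)).digest()).decode()


def verify_body_hash(raw_message: str) -> bool:
    """True when the message body still matches the bh= value in its signature."""
    msg = message_from_string(raw_message)
    header = msg.get("DKIM-Signature")
    if header is None or msg.is_multipart():
        return False
    tags = parse_dkim_tags(header)
    if tags.get("v") != "1" or "bh" not in tags or "l" in tags:
        # l= limits the signed body length and lets unsigned text be appended;
        # treat such signatures as not verified for evidentiary purposes.
        return False
    # c=relaxed on its own means relaxed headers with a simple body.
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(msg.get_payload(), tags.get("a", "rsa-sha256"), body_mode) == tags["bh"]


# Constructed sample message (example.com, selector sel1 and the addresses are
# made up). bh= is computed here so the sample is self-consistent; b= is a
# placeholder because a real signature needs the selector's private key.
SAMPLE_BODY = "Quarterly figures attached.\nPlease confirm receipt.\n\n\n"


def build_sample(body: str) -> str:
    bh = body_hash(body, "rsa-sha256", "relaxed")
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
        " s=sel1; h=from:to:subject:date;\n"
        f" bh={bh};\n"
        " b=cGxhY2Vob2xkZXI=\n"
        "From: alice@example.com\n"
        "To: bob@example.com\n"
        "Subject: Q3 report\n"
        "Date: Mon, 1 Jan 2024 09:00:00 +0000\n"
        "\n" + body
    )


SAMPLE = build_sample(SAMPLE_BODY)
# The same message with one word of the body altered after signing.
TAMPERED = SAMPLE.replace("Quarterly figures", "Annual figures")


if __name__ == "__main__":
    print("original body matches bh=:", verify_body_hash(SAMPLE))
    print("tampered body matches bh=:", verify_body_hash(TAMPERED))
```

Two points a practitioner should keep in mind. A matching bh= only shows the body is what the signer signed; origin is established by the b= signature against the domain's published key, so fetch and preserve the selector's DNS TXT record at collection time, because domains rotate keys and a retired key makes later verification impossible. Relaxed canonicalization deliberately tolerates re-wrapped whitespace and extra trailing blank lines, so a copy that has been reformatted by a mail client can still verify; that is expected behaviour, not evidence of tampering.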
Emails must be examined contextually, within the chain of the conversation they belong to and on the system on which they were generated. A forensic image of the device from which an email was sent may yield data on login times, internet activity, and the credentials used, which can be compared with the user's expected behavior. The legal framework surrounding email authentication is nuanced. For example, FRE Rule 803(6) provides that when a document is generated according to the regular activities of a business or organization, it may be excepted from the rule against hearsay. If an email was sent at a time when the user was expected to be present at a workstation, and carries a business-associated email signature, it may be authenticated as a regular business record.