Email is the most widely used form of communication for businesses and individuals, and it is frequently abused. As a forensic investigator you will often need to determine whether an email has been falsified. This article covers a few basic methods for gathering and analyzing the data involved in an email investigation and forensic analysis.
The first step in any email investigation is to identify all potential sources of information. Email messages carry numerous metadata fields (MAPI properties) that are useful for the digital forensic analysis of emails.
The MAPI properties most frequently extracted by computer forensics and e-Discovery software are discussed below.
When a sender submits an e-mail, the client stamps it with the date and time in the PR_CLIENT_SUBMIT_TIME property; this value comes from the sender's machine and its clock, so it can be skewed or deliberately set. When the e-mail reaches the recipient's mailbox, Outlook/Exchange stamps the PR_MESSAGE_DELIVERY_TIME and PR_CREATION_TIME properties. If the e-mail is never touched after delivery, PR_LAST_MODIFICATION_TIME matches PR_CREATION_TIME. A mismatch therefore shows that something wrote to the item after it arrived, but it does not by itself prove that the user edited the message: setting a flag or category, rule processing, retention or archiving jobs, and other client or server processes that write properties to the item also update PR_LAST_MODIFICATION_TIME. Treat a mismatch as a lead to be corroborated with server-side evidence such as transport logs, not as proof of tampering.
Email bodies can be stored in several formats, the most common being plain text, RTF and HTML. Both RTF and HTML carry formatting codes (RTF control words, HTML tags) alongside the visible text. These codes allow a low-level analysis of the body text: for example, checking that the plain-text, RTF and HTML representations of the same message agree with each other, and that the markup is consistent with the client the message claims to have been sent from.
The conversation index property indicates the relative position of a message within a conversation thread. The e-mail client populates it for each outgoing message: a new thread gets a fresh header, and each reply copies the header of the message it answers and appends one block for itself. Information extracted from the conversation index property can help answer key questions such as whether the message is the first in its thread, how many replies preceded it, and approximately when the thread started and each reply was composed.
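To make both the timestamp cross-checks and the conversation index reasoning above concrete, here is an added example. It is not code from the original article or from PST Walker. It decodes PR_CONVERSATION_INDEX following the layout documented in MS-OXOMSG 2.2.1.3 (PidTagConversationIndex) and then checks the decoded thread timeline against the PR_CLIENT_SUBMIT_TIME, PR_MESSAGE_DELIVERY_TIME, PR_CREATION_TIME and PR_LAST_MODIFICATION_TIME values. It assumes the MAPI properties have already been extracted into a Python dict holding timezone-aware datetimes and the raw index bytes; the sample message, its GUID, its times and the tolerances are constructed for the example and are not real evidence.

```python
"""Decode PR_CONVERSATION_INDEX and cross-check it against the MAPI time properties.

Added example, not code from the article or from PST Walker. Layout per MS-OXOMSG 2.2.1.3:
  header (22 bytes): 0x01 | top 5 bytes of the root message's FILETIME, big-endian | 16-byte GUID
  then one 5-byte block per reply: 1-bit delta code, 31-bit time delta from the
  header time, 4-bit random value, 4-bit level.
"""
from datetime import datetime, timedelta, timezone
import uuid

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_conversation_index(ci: bytes) -> dict:
    if len(ci) < 22 or ci[0] != 0x01:
        raise ValueError("not a conversation index: bad length or reserved byte")
    if (len(ci) - 22) % 5:
        raise ValueError("response levels must be 5 bytes each")
    root_ft = int.from_bytes(ci[1:6], "big") << 24   # low 24 bits are not stored (~1.7 s resolution)
    replies = []
    for off in range(22, len(ci), 5):
        word = int.from_bytes(ci[off:off + 4], "big")
        delta_code, time_delta = word >> 31, word & 0x7FFF_FFFF
        delta_ft = time_delta << (23 if delta_code else 18)   # code 1 trades resolution for range
        replies.append({
            "time": filetime_to_datetime(root_ft + delta_ft),
            "delta_code": delta_code,
            "random": ci[off + 4] >> 4,
            "level": ci[off + 4] & 0x0F,
        })
    return {"root_time": filetime_to_datetime(root_ft), "guid": uuid.UUID(bytes=ci[6:22]),
            "replies": replies, "depth": len(replies)}   # depth 0 = first message of the thread


def build_conversation_index(root_time: datetime, guid: uuid.UUID, reply_times: list) -> bytes:
    """Encoder, used here only to construct sample data the way a client would."""
    header_ft = (datetime_to_filetime(root_time) >> 24) << 24
    out = bytearray(b"\x01" + (header_ft >> 24).to_bytes(5, "big") + guid.bytes)
    for level, t in enumerate(reply_times, start=1):
        diff = datetime_to_filetime(t) - header_ft
        if diff < 0:
            raise ValueError("a reply cannot precede the thread root")
        if diff < (1 << 49):
            word = diff >> 18
        else:
            word = (1 << 31) | ((diff >> 23) & 0x7FFF_FFFF)
        out += word.to_bytes(4, "big") + bytes([0x50 | (level & 0x0F)])   # random nibble fixed to 5
    return bytes(out)


def check_message_times(props: dict,
                        delivery_tolerance: timedelta = timedelta(seconds=5),
                        compose_tolerance: timedelta = timedelta(hours=1)) -> list:
    """Return finding labels; the tolerances are assumptions, tune them per case."""
    findings = []
    submit = props["PR_CLIENT_SUBMIT_TIME"]
    if props["PR_LAST_MODIFICATION_TIME"] != props["PR_CREATION_TIME"]:
        findings.append("modified_after_creation")      # edited, or a property written by some process
    if submit > props["PR_MESSAGE_DELIVERY_TIME"] + delivery_tolerance:
        findings.append("submit_after_delivery")        # sender clock skew or an altered submit time
    ci = parse_conversation_index(props["PR_CONVERSATION_INDEX"])
    if submit + delivery_tolerance < ci["root_time"]:
        findings.append("submit_before_thread_root")    # a message cannot be sent before its thread began
    composed = ci["replies"][-1]["time"] if ci["replies"] else ci["root_time"]
    if abs(submit - composed) > compose_tolerance:
        findings.append("submit_far_from_index_time")   # the index says it was composed at another time
    return findings


# Constructed sample data (not real evidence): a reply sent 2 hours into a thread.
SAMPLE_ROOT = datetime(2023, 1, 15, 10, 0, tzinfo=timezone.utc)
SAMPLE_REPLY = SAMPLE_ROOT + timedelta(hours=2)
SAMPLE_LATE = SAMPLE_ROOT + timedelta(days=800)          # far enough from the root to need delta code 1
SAMPLE_GUID = uuid.UUID("5b3a1c2e-0f6d-4a8b-9c3e-1d2f3a4b5c6d")
SAMPLE_INDEX = build_conversation_index(SAMPLE_ROOT, SAMPLE_GUID, [SAMPLE_REPLY])
SAMPLE_LONG_INDEX = build_conversation_index(SAMPLE_ROOT, SAMPLE_GUID, [SAMPLE_REPLY, SAMPLE_LATE])

# Delivered 12 s after submission, but a property was written to the item 4 days later.
SAMPLE_MESSAGE = {
    "PR_CLIENT_SUBMIT_TIME": SAMPLE_REPLY + timedelta(minutes=3),
    "PR_MESSAGE_DELIVERY_TIME": SAMPLE_REPLY + timedelta(minutes=3, seconds=12),
    "PR_CREATION_TIME": SAMPLE_REPLY + timedelta(minutes=3, seconds=12),
    "PR_LAST_MODIFICATION_TIME": SAMPLE_REPLY + timedelta(days=4),
    "PR_CONVERSATION_INDEX": SAMPLE_INDEX,
}
# The same reply with its submit time backdated to before the thread even started.
SAMPLE_FORGED = dict(SAMPLE_MESSAGE,
                     PR_CLIENT_SUBMIT_TIME=SAMPLE_ROOT - timedelta(days=1),
                     PR_LAST_MODIFICATION_TIME=SAMPLE_MESSAGE["PR_CREATION_TIME"])

if __name__ == "__main__":
    for name, msg in (("normal", SAMPLE_MESSAGE), ("backdated", SAMPLE_FORGED)):
        idx = parse_conversation_index(msg["PR_CONVERSATION_INDEX"])
        print(name, "thread root", idx["root_time"], "depth", idx["depth"], check_message_times(msg))
```

The root time survives only to about 1.7 seconds and each reply delta to a fraction of a second, so compare with tolerances rather than for equality. The two strong checks are ordering ones (a reply submitted before its thread root, or submitted after it was delivered); the gap between the index time and the submit time is weaker evidence, because the reply block is written when the reply is composed, not when it is sent, so an unusually long gap is something to investigate rather than proof of forgery.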
Hidden rules may contain sensitive information (for example, a rule that silently forwards or deletes mail) but are no longer visible in Outlook. Since Outlook 2010, rules are stored per mailbox rather than per profile, so if the user has configured multiple mailboxes in Outlook you need to review the rules for each mailbox separately.
Combined with additional evidence from the email server or internal email metadata, the information contained in the email MAPI properties can be very helpful in the forensic analysis of emails.
Find hidden Outlook rules and alerts using MAPI properties. Export Outlook rules and alerts to .rwz files. Import rules and alerts into Outlook. Supports corrupted, damaged, orphaned and password-protected PST and OST files.