
Recovery of Deleted Emails

Expert witness work in email forensics is often concerned with the recovery of emails that have been deleted. A person may send an email, delete it from their Sent Items and then from their Deleted Items, and afterwards claim they never sent it.

It is possible to investigate this further to prove that the email was sent by that person. Many email systems store an email that has been deleted, allowing it to be recovered. In Google GSuite, for example, deleted emails are kept in the Archive for a long time, or until the Archive is full. A typical user may not be aware of this.

Microsoft Office Exchange Online also has “soft delete” and “hard delete” options for emails – similar to Google GSuite. Depending on the M365 license being used, there may be access to additional logging information within the Compliance Audit logs.

Larger email systems may have a Journal feature whereby copies of every email sent or received are placed into a separate Journal storage area. Examples of a Journal system might be found in the Barracuda or Mimecast boundary email systems.

A user may claim that someone else sent the email from their account. This can be investigated further in conjunction with user sign-in logs and audit logs. It is often possible to demonstrate the device name and IP address used when the user was sending the email – which could be matched to the commonly used device name and IP address.
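The correlation described above, sketched as an added example that is not part of the original page: each send event is linked to the nearest preceding sign-in from the same IP address, and that device and IP pair is compared with the account's earlier sign-in history. The record layout and field names are hypothetical (not any vendor's export schema), and all sample records are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records; field names are hypothetical, not a vendor schema.
USER = "alice@example.com"
SIGN_INS = [
    {"user": USER, "time": "2024-03-01T08:55:00", "ip": "203.0.113.10", "device": "ALICE-LAPTOP"},
    {"user": USER, "time": "2024-03-02T09:01:00", "ip": "203.0.113.10", "device": "ALICE-LAPTOP"},
    {"user": USER, "time": "2024-03-03T08:47:00", "ip": "203.0.113.10", "device": "ALICE-LAPTOP"},
    {"user": USER, "time": "2024-03-04T09:00:00", "ip": "203.0.113.10", "device": "ALICE-LAPTOP"},
    {"user": USER, "time": "2024-03-04T22:00:00", "ip": "198.51.100.77", "device": "UNKNOWN-PC"},
]
SEND_EVENTS = [
    {"user": USER, "time": "2024-03-04T09:20:00", "ip": "203.0.113.10", "message_id": "m1"},
    {"user": USER, "time": "2024-03-04T22:05:00", "ip": "198.51.100.77", "message_id": "m2"},
    {"user": USER, "time": "2024-03-05T14:00:00", "ip": "192.0.2.5", "message_id": "m3"},
]

def parse(ts):
    return datetime.fromisoformat(ts)

def history(sign_ins, user, before):
    """Count (device, ip) pairs for the user's sign-ins strictly before a time."""
    return Counter((s["device"], s["ip"]) for s in sign_ins
                   if s["user"] == user and parse(s["time"]) < before)

def attribute_send(send, sign_ins, window=timedelta(hours=1)):
    """Link a send event to a sign-in session and compare it with prior usage."""
    sent_at = parse(send["time"])
    candidates = [s for s in sign_ins
                  if s["user"] == send["user"] and s["ip"] == send["ip"]
                  and timedelta(0) <= sent_at - parse(s["time"]) <= window]
    result = {"message_id": send["message_id"], "device": None,
              "ip": send["ip"], "seen_before": 0, "matches_usual": False}
    if not candidates:
        return result  # no sign-in explains this send; needs other evidence
    session = max(candidates, key=lambda s: parse(s["time"]))
    prior = history(sign_ins, send["user"], parse(session["time"]))
    pair = (session["device"], session["ip"])
    usual = prior.most_common(1)  # empty for an account with no earlier sign-ins
    result.update(device=session["device"], seen_before=prior[pair],
                  matches_usual=bool(usual) and usual[0][0] == pair)
    return result

if __name__ == "__main__":
    for event in SEND_EVENTS:
        print(attribute_send(event, SIGN_INS))
```

A send that matches the usual device and IP supports attribution to the account holder; a send from a pair never seen before, or one with no sign-in in the window, is where further log sources are needed.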

By gathering evidence, there comes a point where the weight of that evidence passes the “beyond reasonable doubt” test.

Contact us today if you want to discuss how we can help with the email forensics required to recover deleted emails.

