As an email expert witness, I get asked to forensically examine various types of digital email evidence. Not all email evidence is equal, however.
For example, in a recent email expert witness case, I was asked to look at these different types of email evidence:
- PDF copy of an email
- Screenshot of an email
- EML copy of an email
For the above types, the screenshot copy is the weakest type of email evidence, as the underlying headers cannot be examined. It is also easy to fabricate a screenshot of an email.

The PDF copy is also weak evidentially. Similar to the screenshot, the underlying message headers cannot be examined.
To determine if an email is fraudulent or not, an .EML copy would be the minimum level of evidence to examine. Ideally, this would be supported by the SMTP message transaction logs from the sending and/or the receiving email systems.
For cloud email systems, transaction logs may not be available beyond a certain timeframe.
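To illustrate what an .EML copy makes examinable that a screenshot or PDF does not, here is an added example (not code from the original article) that parses the headers and reports timestamp inconsistencies between the Date header and the Received chain. The sample message, the function names and the one-hour skew threshold are all assumptions made for the illustration.

```python
from datetime import timedelta, timezone
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample message, not real evidence; all hosts and IDs are placeholders.
SAMPLE_EML = b"""\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.7])
\tby mail.recipient.example with ESMTP id CONSTRUCTED2;
\tMon, 04 Mar 2024 10:15:09 +0000
Received: from out.sender.example (out.sender.example [198.51.100.23])
\tby mx.recipient.example with ESMTPS id CONSTRUCTED1;
\tMon, 04 Mar 2024 10:15:07 +0000
Date: Fri, 01 Mar 2024 09:00:00 +0000
From: Alice <alice@sender.example>
Message-ID: <constructed-1@sender.example>

Body text.
"""

def parse_stamp(text):
    """Parse an RFC 5322 date; return an aware datetime, or None if unusable."""
    try:
        stamp = parsedate_to_datetime(text.strip())
    except (TypeError, ValueError):
        return None
    return stamp if stamp.tzinfo else stamp.replace(tzinfo=timezone.utc)

def received_stamps(msg):
    """Timestamps of the Received hops, oldest first (each server prepends its own)."""
    values = reversed(msg.get_all("Received", []))
    return [parse_stamp(str(v).rpartition(";")[2]) for v in values]

def header_findings(raw, max_skew=timedelta(hours=1)):
    """List inconsistencies an examiner would follow up; an empty list is not proof."""
    msg = message_from_bytes(raw, policy=policy.default)
    stamps, findings = received_stamps(msg), []
    good = [s for s in stamps if s is not None]
    if not stamps:
        findings.append("no Received headers present")
    if len(good) != len(stamps):
        findings.append("Received header without a parseable timestamp")
    if any(later < earlier for earlier, later in zip(good, good[1:])):
        findings.append("Received timestamps are not in chronological order")
    sent = parse_stamp(str(msg["Date"]))
    if sent is None:
        findings.append("Date header missing or unparseable")
    elif good and abs(good[0] - sent) > max_skew:
        findings.append(f"Date header is {abs(good[0] - sent)} from the first Received hop")
    return findings
```

Headers inside the file can themselves be edited, so findings like these are leads to check against the SMTP transaction logs rather than conclusions.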
Contact Rob Walton for your email expert witness needs
If you have a case which requires an email expert witness to examine an email to determine its provenance, then please contact Rob Walton.