global email forensics | email expert witness | smtp

Email Forensic Investigation | Email Delivery Log Retention

Email Forensic Investigation Evidence: Log Retention used by a Witness

For any successful email forensic investigation, the availability of email logs is a key requirement. Email messages are sent using the Simple Mail Transfer Protocol (SMTP), defined in RFC 5321. This blog post describes why the SMTP delivery logs should be retained so that they can be used as part of any email forensic investigation.

SMTP Protocol for Email Delivery

As an email is sent and delivered to the recipient, it passes through multiple mail gateways, also known as Message Transfer Agents (MTAs). Each MTA belongs to an email system and is a key area of focus during the forensic investigation of an email.

Any credible expert acting as a witness in a court case should have the attributes in this blog post.

Email Message Transport Log Files

The MTAs belonging to your email system will usually have email log files available for examination. These log files may only be stored for a limited period of time, for example 90 days. Effort is required to ensure that the email message logs within your email system are retained for a much longer period, for example 7 years. This can be achieved in different ways, such as a scheduled task that copies them to a secure location, or an email server backup job. A thorough email forensic investigation can be undertaken when all available SMTP log files have been preserved.

Retaining the email message transport log files is crucial to the success of any email forensic investigation. They provide evidence of the path an email message took between email systems that is independent of the message itself. Under SMTP, each MTA stamps the email message header with trace metadata (a Received: line) as the message moves between the sender’s mailbox and the recipient’s mailbox. A conforming MTA only adds to this header data; it does not remove the entries added by earlier hops, which is why the header trace and the retained server logs can be checked against each other.

Email Evidence: Terms and Definitions

The term “email” is short for “electronic mail”. Both terms may be used within this report, especially during an investigation.

The term email is listed in the Oxford English Dictionary as both a noun and a verb. This is important for understanding email forensic investigation terminology.

https://www.oed.com/search/dictionary/?scope=Entries&q=email

Email (noun): A system for sending textual messages (with or without attached files) to one or more recipients via a computer network (esp. the internet); a message or messages sent using this system. Also: an email address.

Email (verb): transitive. To send (a message or file) by email; to send an email to (a person, organization, etc.). Many forensic investigators focus on these email details.

Email Forensic Investigation | Delivery Example Used by a Witness

The diagram below gives a conceptual view of a typical email delivery from one email system to another. Email delivery is also a key aspect of any Office 365 email migration project – see office365migrate.com to hire an email migration expert.

Figure: email delivery between two email systems, passing through the Mail Servers at each end.

The email passes through Mail Servers at each end and, where both servers support TLS, is encrypted in transit while crossing the internet, which protects it from manipulation on the wire between the two systems. If the email logs are available from both the sender’s email system and the receiver’s email system, then a complete picture of the email delivery can be presented. This record shows that the email was sent and received, and is a valid conclusion of an email forensic investigation.

A series of Mail Servers belongs to any sending email information system. The sent email message traverses these before being routed over the public internet to the receiving information system belonging to the recipient.

Multiple Mail Servers | Mail Delivery

Multiple Mail Servers may also be present within a receiving information system. All of these Mail Servers may require reviewing as part of an email forensic investigation, and their logs are crucial to its success.
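As an added example that is not part of the original post, the following Python reconstructs the hop sequence from a message’s Received: headers (newest hop on top, so the list is reversed to read chronologically) and checks each hop’s transaction id against retained MTA log lines from the sending system. The message, hostnames, ids and Postfix-style log lines are all constructed for illustration.

```python
import email
import re

# Constructed sample message. Each MTA prepends its own "Received:" trace line,
# so the most recent hop sits at the top of the header block.
RAW_MESSAGE = """\
Received: from mx1.sender.example (mx1.sender.example [192.0.2.10])
\tby mx.receiver.example with ESMTPS id r8Hk2f0193
\tfor <bob@receiver.example>; Tue, 5 Mar 2024 10:01:07 +0000
Received: from mail.sender.example (mail.sender.example [10.0.0.5])
\tby mx1.sender.example with ESMTP id s3A7bQ
\tfor <bob@receiver.example>; Tue, 5 Mar 2024 10:01:02 +0000
Message-ID: <abc123@sender.example>
From: alice@sender.example
To: bob@receiver.example
Subject: test

body
"""

# Constructed Postfix-style log lines retained from the sending system's MTA
# (mx1.sender.example). The queue id in the log matches the "id" that the same
# MTA stamped into its Received: header, and the receiver's id appears in the
# "queued as" part of the delivery status.
MTA_LOGS = [
    "Mar  5 10:01:02 mx1 postfix/smtpd[1234]: s3A7bQ: client=mail.sender.example[10.0.0.5]",
    "Mar  5 10:01:07 mx1 postfix/smtp[1240]: s3A7bQ: to=<bob@receiver.example>,"
    " relay=mx.receiver.example[198.51.100.20]:25, status=sent (250 Ok: queued as r8Hk2f0193)",
]

HOP_RE = re.compile(r"from (\S+).*?\bby (\S+).*?\bid (\S+).*?;\s*(.+)$")


def trace_hops(raw_message):
    """Return the delivery path as a list of hops, oldest hop first."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the continuation lines
        m = HOP_RE.search(flat)
        if m:
            hops.append({"from": m.group(1), "by": m.group(2),
                         "id": m.group(3), "date": m.group(4)})
    return list(reversed(hops))


def corroborate(hops, log_lines):
    """Map each hop's transaction id to True if a retained log line records it."""
    return {h["id"]: any(h["id"] in line for line in log_lines) for h in hops}
```

A hop whose id appears in no retained log is the gap an investigator has to explain, which is exactly what a short retention period produces.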

Summary: Importance of Log Retention for Email Evidence in Court

Contact Rob Walton for a confidential discussion if you need expert email forensic consulting, or SMTP expert witness services.