In digital email forensics, a common task is to prove (or disprove) that an email is valid.
How can an email be proven to be valid, and not a forgery?
Forensically, the level of trust that can be placed in an email message presented as evidence will vary, depending on how much supporting evidence there is.
For example, at the low end of trustworthiness is a printed copy of an email. This will have no email message header meta-data and no supporting email SMTP logs.
Email Forensics | Message Header Analysis
At the higher end of trustworthiness is an electronic copy of an email message that can be opened in an email client, allowing access to the email message headers. The email message headers will show meta-data related to the sending email system, the receiving email system, and the email transport routing between both email systems. This will include the email servers used during the message routing hops. An electronic copy of an email message could be expected in .eml, .msg, or .pst format.
Email Forensics | Examine Related Emails
Further veracity can be sought by electronically examining other email correspondence between the same two parties over a defined period of time. The message headers of these further emails can be analysed for matching patterns, which can then be expected to be visible in the particular email being examined by the courts.
Email Forensics | SMTP Email Standards
It is very difficult to forge an email when it is being sent between different email systems. Careful forensic examination of an allegedly forged email will usually show a series of markers that can strongly indicate whether it is valid or forged.
An email message header is stamped with various values as it is sent and received. These values are defined by industry-standard SMTP RFCs, for example SMTP RFC 5321.
Among the many key forensic values to be found is the Message ID. This is a unique identifier for an email message. Certain parts of the Message ID will be fixed for any particular email system.
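The comparison described above can be sketched in code. The following Python is an added example, not part of the original article: it profiles the Message-ID domain and the Received hop hosts of reference emails between the same parties and lists where a questioned email deviates. The sample messages and host names (under example.com / example.net) are constructed for illustration, and a deviation is a lead for further examination, not a conclusion.

```python
import re
from email import message_from_string

def msgid_domain(msg):
    """Right-hand side of the Message-ID, the part usually fixed per sending system."""
    m = re.search(r"<[^<>@\s]+@([^<>\s]+)>", msg.get("Message-ID", ""))
    return m.group(1).lower() if m else None

def received_by_hosts(msg):
    """Hosts that stamped a Received header, oldest hop first."""
    hosts = []
    for value in reversed(msg.get_all("Received", [])):
        m = re.search(r"\bby\s+([^\s;]+)", value)
        if m:
            hosts.append(m.group(1).lower())
    return hosts

def compare(reference_raws, questioned_raw):
    """List header deviations of the questioned email from the reference set."""
    refs = [message_from_string(r) for r in reference_raws]
    q = message_from_string(questioned_raw)
    known_domains = {msgid_domain(m) for m in refs} - {None}
    known_hosts = {h for m in refs for h in received_by_hosts(m)}
    findings = []
    dom = msgid_domain(q)
    if dom is None:
        findings.append("Message-ID missing or malformed")
    elif dom not in known_domains:
        findings.append(f"Message-ID domain not seen in reference set: {dom}")
    hops = received_by_hosts(q)
    if not hops:
        findings.append("no Received headers (no routing trail)")
    for h in hops:
        if h not in known_hosts:
            findings.append(f"Received hop not seen in reference set: {h}")
    return findings

# Constructed sample messages (hypothetical hosts, not real evidence).
def _sample(msgid, hops):
    rcvd = "".join(f"Received: from x by {h}; Mon, 1 Jan 2024 10:00:00 +0000\n" for h in hops)
    return f"{rcvd}Message-ID: {msgid}\nFrom: a@example.com\nTo: b@example.net\n\nbody\n"

REFERENCE = [_sample(f"<a{i}@mail.example.com>", ["mx.example.net", "out.example.com"])
             for i in (1, 2)]
CONSISTENT = _sample("<a3@mail.example.com>", ["mx.example.net", "out.example.com"])
INCONSISTENT = _sample("<zz@localhost>", ["mx.example.net"])

if __name__ == "__main__":
    for name, raw in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, compare(REFERENCE, raw))
```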
Hire an Expert Email Witness | Digital Email Forensics
If you need an email expert witness to carry out a digital forensics examination of an email, please contact me.