Email Forensics Overview

Email forensics is our main focus at Meridian Discovery, and for good reason—email evidence almost always plays a big part in eDiscovery and digital forensics projects. Some of our eDiscovery cases contain hundreds of thousands of emails. When we are asked to authenticate documents, the documents in question are often either emails or email attachments.

We specialize in forensically preserving mailboxes, authenticating emails and their attachments, and running investigations on corporate email systems for issues such as unauthorized access.

Forensic Consulting on Email Production Format

Whether or not you receive email evidence in the right format can sometimes make or break your case. Unfortunately, the native file format for email evidence often causes disagreements between parties.

We can help you request email evidence from your opponent in the right format. Additionally, we can help ensure your outgoing email productions are in a reasonably usable format, compliant with your ESI agreement.

Email forensics

Forensic Email Preservation

Email forensics often starts with the preservation of email data. We are able to connect to cloud services such as Gmail / G Suite, Office 365, iCloud, Yahoo, and AOL in a read-only manner and forensically preserve mailboxes. For email preservations from the cloud, we use Forensic Email Collector—a dedicated forensic email preservation tool built by one of our partners, Arman Gungor.

In-place Searching of Mailboxes

When required, our workflow allows us to run searches directly on email servers and collect only the search results. This results in much faster and focused forensic email acquisitions and alleviates privacy concerns custodians might have.

Authentication without Custodian’s Password

Custodians are often concerned about sharing their email passwords for forensic preservation. Moreover, with two-factor authentication, the forensic examiner can have difficulty accessing the mailbox even when the password is shared.

We are able to have custodians authenticate us into their Gmail / G Suite accounts on their own computer—without having to share their password with us. When the acquisition is complete, the custodian is able to visit their account security settings page and remove access.

Forensic Analysis of Emails & Investigations

Forensic Email Authentication

Have you received emails that do not look authentic as part of an electronic document production? Perhaps they were backdated, their contents changed, or attachments were added or removed after the fact.

Are you preparing to produce key emails? We can help you by forensically preserving the key messages in your mailbox, authenticating them, and expertly producing them.

Forensic Investigations of Email Systems

Did you experience a data breach or data loss? Do you need an expert to determine who did what and when on your email systems? We can examine email systems such as IMAP and Exchange servers (OWA and ActiveSync activity, event logs, etc.) and shed light on what took place.

Recovery of Deleted Emails

Most email systems employ database-like structures for the storage and retrieval of email data. When an email message is deleted by an end user, it is not necessarily purged beyond recovery.

We are able to access and retrieve deleted messages at the forensic preservation stage (e.g., from the Exchange Dumpster). We can also perform data recovery to carve deleted messages from email containers such as Personal Storage Table (PST) and Offline Storage Table (OST) files. In some cases, we can even recover deleted attachments from an email message.