Electronic Evidence Newsletters

COMPUTER FORENSICS

E-mail Everywhere – How to Find “The One”
Tony Dearsley, Computer Forensic Manager, U.K. Region, Kroll Ontrack

E-mail has become intrinsic to our way of life, both at home and at work. It provides a quick and relatively easy means of communication. That very ease and speed, however, raise significant technology and legal challenges for companies, including numerous privacy, data protection, legal and technological issues. The growth of electronic communication has become a paramount topic for legal and IT departments alike.

The fact that the majority of people now have an e-mail account and nearly constant access has led to a familiarity bordering on contempt for its usage. Although it is called “mail” we do not adhere to the same principles used when putting pen to paper. In fact far more e-mail correspondence is generated than handwritten mail in today’s society. It has become a casual convenience with its own pitfalls: the ability to send an e-mail to everyone by accident and the fact that we will often e-mail something we would never commit to paper.

So what is the impact from a computer investigation or disclosure point of view? Whenever professionals are faced with anything to do with e-mail, they must first consider what is being investigated or what they are trying to achieve. For example, are you trying to trace the origin of a particular e-mail? Are you looking at communication between individuals or groups? Perhaps you are looking at timing issues, such as whether an e-mail was sent out before or after an embargo? Whichever it is, you have to understand and locate where the e-mails reside in their original form. Surprisingly, this is not always an easy task.

In the corporate environment there is usually a ‘global’ e-mail system, typically with a central server (Microsoft Exchange, Lotus Notes, GroupWise and various Unix varieties) and e-mail clients such as MS Outlook, Outlook Express, Thunderbird and Eudora. This of course does not include web based e-mail systems such as Yahoo, Hotmail and Gmail.

Having identified the system, investigators then have to identify where the e-mail is stored: on the server? On the local client? On the web? All of the above? Once it has been established where the e-mail is likely to reside, copies of the relevant e-mail clients, the server store and any backup tapes that exist must be obtained.

Kroll Ontrack has been involved in numerous e-mail examinations over the years and has developed tools and techniques to enable clients to identify which e-mails may be relevant. In one instance our investigators were asked to examine an e-mail system (in its entirety) to establish the presence of inappropriate graphics material. The system comprised some 40 Microsoft Exchange Information stores; 25,000 custodians and several million e-mail items. Using a variety of techniques and in-house tools we were able to identify and catalogue inappropriate e-mails and attachments pertaining to a number of individuals and groups within the organisation. Once we had secured all the material in a forensically sound manner, we were then able to provide evidence to enable disciplinary action to be pursued against the perpetrators.

One Kroll Ontrack client contacted us with the following problem: “We know one of 50 people has leaked information outside of the organisation, can you find out which one?” The issue was that the information could only have been ‘leaked’ in a two week window but could have gone to anyone outside the organisation. A quick look at your own e-mail store will likely show that you have on average 2,000 e-mail items. In this case our investigators would have had to read up to one million e-mails to identify the culprit.

Armed with a backup of the e-mail server, and copies of the individuals’ local e-mail files, we were able to use our tools to refine the volume of e-mail by date range. Using a set of keywords, we could then narrow the results to only those e-mails which might be relevant within the time period. Using a visualisation tool we were able to exclude all the internal e-mail and identify only those e-mails which matched the criteria, namely those e-mails that had been sent externally. The first of the e-mails we examined, by chance, was the offending item, which clearly identified both recipient and sender. However, we diligently examined the rest of the identified e-mails and, to the client’s dismay, found two further transgressions which fortunately (for the client) had not been acted upon.
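The three narrowing steps just described (date window, keyword match, external recipients only) can be expressed as a small triage pipeline over parsed messages. The following is an added illustration, not Kroll Ontrack's own tooling: the messages, domain names, keywords and the leak window are all constructed for the example, and the final function counts sender-to-external-recipient pairs, the raw material for a communication-frequency view.

```python
"""Triage a constructed set of e-mail messages the way the article describes:
narrow by date window, then by keywords, then keep only messages that left
the organisation (at least one recipient outside the internal domain).
Added example, not Kroll Ontrack's tooling; all names below are constructed."""
from collections import Counter
from datetime import datetime, timezone
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parsedate_to_datetime

INTERNAL_DOMAIN = "example-corp.test"  # assumed internal domain (constructed)

# Constructed leak window: the two weeks in which the disclosure could have happened.
LEAK_WINDOW = (datetime(2008, 3, 3, tzinfo=timezone.utc),
               datetime(2008, 3, 16, tzinfo=timezone.utc))
KEYWORDS = ["Falcon"]  # constructed keyword list for the matter

# Constructed sample messages: one internal, one external in-window with a keyword
# hit, one external before the window, one external without the keyword.
SAMPLE_MESSAGES = [
"""From: alice@example-corp.test
To: bob@example-corp.test
Date: Mon, 03 Mar 2008 09:15:00 +0000
Subject: Project Falcon figures

Attached are the Falcon numbers for the board.
""",
"""From: bob@example-corp.test
To: carol@example-corp.test, press@external-news.test
Date: Tue, 04 Mar 2008 17:42:00 +0000
Subject: FW: Project Falcon figures

Thought you might want to see this before the embargo lifts.
""",
"""From: dave@example-corp.test
To: editor@external-news.test
Date: Sat, 01 Mar 2008 08:00:00 +0000
Subject: Falcon

Early draft, not for publication.
""",
"""From: erin@example-corp.test
Cc: friend@personal-mail.test
Date: Wed, 05 Mar 2008 12:00:00 +0000
Subject: lunch?

Usual place at one?
""",
]


def parse_messages(raw_messages):
    """Parse RFC 822 text into EmailMessage objects using the modern policy."""
    return [message_from_string(raw, policy=default_policy) for raw in raw_messages]


def recipients(msg):
    """All To/Cc/Bcc addresses of a message, lower-cased."""
    found = []
    for field in ("To", "Cc", "Bcc"):
        for header in msg.get_all(field, []):
            found.extend(a.addr_spec.lower() for a in header.addresses)
    return found


def is_external(address, internal_domain=INTERNAL_DOMAIN):
    """True when the address does not belong to the organisation's domain."""
    return not address.endswith("@" + internal_domain)


def triage(messages, window, keywords, internal_domain=INTERNAL_DOMAIN):
    """Apply the three narrowing steps and return the surviving messages."""
    start, end = window
    hits = []
    for msg in messages:
        sent = parsedate_to_datetime(str(msg["Date"]))
        if not (start <= sent <= end):
            continue  # outside the leak window
        body = msg.get_body(preferencelist=("plain",))
        text = (str(msg["Subject"]) + " " + (body.get_content() if body else "")).lower()
        if not any(k.lower() in text for k in keywords):
            continue  # no keyword hit
        if not any(is_external(r, internal_domain) for r in recipients(msg)):
            continue  # stayed inside the organisation
        hits.append(msg)
    return hits


def external_contacts(messages, internal_domain=INTERNAL_DOMAIN):
    """Count (sender, external recipient) pairs across all messages."""
    counts = Counter()
    for msg in messages:
        sender = msg["From"].addresses[0].addr_spec.lower()
        for r in recipients(msg):
            if is_external(r, internal_domain):
                counts[(sender, r)] += 1
    return counts


def run_sample():
    """Run the pipeline over the constructed messages; returns (hits, contact counts)."""
    msgs = parse_messages(SAMPLE_MESSAGES)
    return triage(msgs, LEAK_WINDOW, KEYWORDS), external_contacts(msgs)


if __name__ == "__main__":
    hits, counts = run_sample()
    for m in hits:
        print("candidate:", m["From"], "->", ", ".join(recipients(m)), "|", m["Subject"])
    for (sender, rcpt), n in counts.most_common():
        print(f"{sender} -> {rcpt}: {n}")
```

On the constructed data only the forwarded "Project Falcon figures" message survives all three filters; the pre-window draft and the keyword-free lunch invitation drop out even though both went outside the organisation. In practice the same steps run over the server backup and each custodian's local store, and the pair counts feed the kind of frequency view the article goes on to describe.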

Many of Kroll Ontrack’s tools are proprietary, designed in-house and not commercially available. Our investigators also use tools that can be purchased for in-house or enterprise-wide investigations, such as EnCase and FTK. New technologies, however, are coming to market at a fast pace due to the continued growth of electronic communications and the number of crimes committed via electronic means. One of Kroll Ontrack’s newest tools, which will soon be available to the U.K. market, is unique in that it gives users a graphical representation of the frequency of communications between individuals as well as the ability to search, narrow and visualise individual e-mails.

Examination of e-mail is not a simple matter because of the sheer volume of data which may be encountered. Whilst the human eye is very useful in identifying nuances and the smoking gun, it is essential to partner with a trained forensic professional and sophisticated software tools to be properly prepared for a potential investigation or litigation matter.
