ScoobyNet.com - Subaru Enthusiast Forum


TopBanana 18 January 2008 03:22 PM

Computer forensics: emails as evidence
 
Anyone got any pointers? I have kept some emails which I may need to present as evidence. Nothing too exciting, don't get too excited :D

What sort of things are used as proof? Message IDs in the headers?
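What the headers of a kept message actually carry, as an added example that is not part of the original thread. The sample message, its hosts and addresses are constructed, and `summarise` is a hypothetical helper name.

```python
import hashlib
from email import message_from_bytes
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the thread); hosts and addresses are placeholders.
RAW = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby mail.example.org with ESMTP id ABC123;\r\n"
    b"\tFri, 18 Jan 2008 15:20:05 +0000\r\n"
    b"Received: from [198.51.100.7] (helo=sender-pc)\r\n"
    b"\tby mx.example.net with ESMTP id XYZ789;\r\n"
    b"\tFri, 18 Jan 2008 15:20:01 +0000\r\n"
    b"Message-ID: <20080118152000.1234@example.net>\r\n"
    b"Date: Fri, 18 Jan 2008 15:20:00 +0000\r\n"
    b"From: sender@example.net\r\n"
    b"To: recipient@example.org\r\n"
    b"Subject: constructed sample\r\n"
    b"\r\n"
    b"Body text.\r\n"
)


def summarise(raw: bytes) -> dict:
    """Hash the untouched bytes, then pull out the headers an examiner reads first."""
    msg = message_from_bytes(raw)
    hops = []
    # Each server prepends its own Received header, so the topmost is the latest hop.
    for value in msg.get_all("Received", []):
        # The hop timestamp follows the last ';' in a Received header.
        stamp = str(value).rsplit(";", 1)[-1].strip()
        hops.append(parsedate_to_datetime(stamp))
    hops.reverse()  # oldest hop first
    return {
        # Digest of the raw message: any later edit to the saved copy changes it.
        "sha256": hashlib.sha256(raw).hexdigest(),
        "message_id": str(msg["Message-ID"]),
        "date": parsedate_to_datetime(str(msg["Date"])),
        "hops": hops,
        # Headers are plain text and can be forged; hop times that run
        # backwards are one inconsistency worth flagging.
        "hops_in_order": hops == sorted(hops),
    }


if __name__ == "__main__":
    for key, value in summarise(RAW).items():
        print(key, "=", value)
```

The digest only shows that the saved copy has not changed since it was hashed; it says nothing about who typed the message.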

pimmo2000 18 January 2008 05:39 PM

I dunno if you can as they can all be faked !

Sonic' 18 January 2008 06:05 PM

Nope IIRC no emails can not be used as evidence unless using a compliance system like kryoserver

Freelance Badger 18 January 2008 09:21 PM

I've had emails used as evidence against me by the Police.....

Boro 18 January 2008 09:41 PM

Cryoserver - Email archiving, forensic email compliance

Sonic' 18 January 2008 11:02 PM

Oops, I spelt it wrong, and to think we used to install it as well :rolleyes:

pimmo2000 19 January 2008 12:56 PM


Originally Posted by Freelance Badger (Post 7575639)
I've had emails used as evidence against me by the Police.....

evidence for what though ?

It would be thrown out in court as an email is as good as a notepad document.

Sonic's right here

Luminous 19 January 2008 01:46 PM

Depends what sort of level of evidence is needed I would guess. I have seen emails used in a court of law that were just any old email.

Yes, they can be faked. But so can any letter that someone produces. Even signed letters can be faked. It's all a question of how far the other party is going to go. You can hire handwriting experts to try and disprove that a contract had been signed etc etc.

To improve your chances take a look at the link that was provided above. However, since you have no doubt already got the email, I would contact your provider. See what assistance they can offer you, as they will also have a record of any emails that you received.

Of course, the other party may claim that someone other than them actually used their computer to send the email in the first place.... You can argue over these things forever.

pimmo2000 19 January 2008 03:08 PM


Originally Posted by Luminous (Post 7577340)
, I would contact your provider. See what assistance they can offer you, as they will also have a record of any emails that you received.


Not a chance mate, they don't keep copies.. imagine the amount of email they would have to backup !!

I know for a fact Virgin media does not have any logs of emails or any way to recover an email !

The amount of data passing through I would imagine data recovery programs would be at a loss too

Luminous 19 January 2008 03:33 PM

Depends how your email is setup. If you are using POP mail, and are leaving a copy on the server, then they will have an unaltered copy just sitting there :)

pimmo2000 19 January 2008 04:04 PM


Originally Posted by Luminous (Post 7577614)
Depends how your email is setup. If you are using POP mail, and are leaving a copy on the server, then they will have an unaltered copy just sitting there :)

Well that's me told :lol1:

Boro 19 January 2008 04:54 PM

I dunno pimmo, can't spell cryoserver and didn't know about the POP thing, lol.

Luminous 19 January 2008 08:03 PM


Originally Posted by pimmo2000 (Post 7577673)
Well that's me told :lol1:

sorry :o

Sonic' 19 January 2008 08:38 PM

Boro it was me that couldn't spell cryoserver, and what's worse is I used to install it :lol1:

Having spent 4 years working primarily in the legal sector, I have been told countless times that any emails submitted as evidence aren't worth the paper they are printed on

That said however, it would be up to the prosecution etc to accuse the defendant that the email is a forgery and therefore brings in accusations of perjury and they would potentially be doing this without proof

If the likes of Cryoserver are used then any accusations of forgery would be laughed out of court

We use Pop Loomy for a large number of our customers and we clear all emails stored on the server about every 6 weeks, as it is pop part of the contract is that we do not store emails

Now, SMTP is a different matter and a different (ie paying) set of customers, whereby we can go back and retrieve emails, it's only a matter of archiving the tapes off site somewhere :)

We have in the past been requested by the police for information from one of our customers as either he got his face shot off, or he shot someone's face off

We gave them all the history we had for that customer but we charged them a lot for it :D

Luminous 19 January 2008 09:28 PM

OK, this is a time out moment...

Afaik POP is an incoming way of getting mail, SMTP is sending mail. The people who pay for the SMTP use are also paying for POP use too :confused:

Sonic' 19 January 2008 11:02 PM

OK, you can use SMTP to send or receive

Exchange Server sends & receives SMTP only, and the POP that comes with Exchange is purely only for using Email Clients that aren't Outlook, it's another protocol like IMAP etc

Exchange that ships with Small Business Server, has a POP Connector to connect to POP3 mailboxes retrieves them and puts them in the correct Exchange Mailbox

The Customers we have that use POP are home users who connect to IMAIL Servers, our Paying corporate/education customers connect to Exchange Servers using Hosted Exchange

The POP side is mainly the client side

Luminous 19 January 2008 11:06 PM

Thanks :)

Makes note to read up more on this topic :D

Sonic' 19 January 2008 11:09 PM

If you connect via POP then chances are your mail won't be stored on the server unless you tell your client to leave messages on the server

POP Servers IIRC just put the mail in your mailbox until you retrieve it

SMTP Servers normally just deliver mail as soon as they receive it, but with the likes of Exchange it delivers it to locally stored mailboxes, Outlook full client (for Exchange Servers) is essentially just a window to your mailbox stored on the server, if you use Outlook Express to retrieve your Exchange Server Mailbox it will connect via POP and remove the messages from your mailbox on the server

Luminous 19 January 2008 11:59 PM

Yes, POP normally delivers the mail unless you ask it to keep it there.

Never realised that an exchange server was so easy to break as connecting outlook express. It really does appear there is no perfect mail protocol. IMAP is great, but its support in outlook is flaky at best. Thunderbird is great for IMAP, but really poor in terms of features :(

_Meridian_ 20 January 2008 08:37 AM

The problem with e-mails as evidence is not the accuracy of the message: as many people have said now, the ISP archives the originals. The problem is proving who actually typed the message. All the defendant has to show is that there was no password and that at least one other person had access to the machine, and you have reasonable doubt.

E-mails can be used in evidence, the hard bit is making them useful as such.


M

pimmo2000 20 January 2008 09:00 AM


Originally Posted by _Meridian_ (Post 7579278)
The problem with e-mails as evidence is not the accuracy of the message: as many people have said now, the ISP archives the originals. The problem is proving who actually typed the message. All the defendant has to show is that there was no password and that at least one other person had access to the machine, and you have reasonable doubt.

E-mails can be used in evidence, the hard bit is making them useful as such.


M

What makes you think the ISP will keep the originals??

Freelance Badger 20 January 2008 10:30 AM


Originally Posted by pimmo2000 (Post 7577247)
evidence for what though ?

It would be thrown out in court as an email is as good as a notepad document.

Sonic's right here


Enough evidence to have got me arrested and my Mac + laptop + mobile phone taken for a couple of weeks while they investigated...

pimmo2000 20 January 2008 11:11 AM


Originally Posted by Freelance Badger (Post 7579485)
Enough evidence to have got me arrested and my Mac + laptop + mobile phone taken for a couple of weeks while they investigated...


Did you send an email to bigdaddy@holdemdown.com and say the new batch of Kiddie porn is in ??

Cause I think that might do it

Luminous 20 January 2008 11:11 AM

What did they think you had done, if you don't mind me asking?

_Meridian_ 20 January 2008 11:52 AM


Originally Posted by pimmo2000 (Post 7579307)
What makes you think the ISP will keep the originals??



Most of the reputable ones at least archive all e-mails regularly AFAIK. I would imagine that the originals are then deleted after a month or two, but somewhere on a tape are the back-ups.


M

Sonic' 20 January 2008 12:18 PM

Meridian

I explained this before, POP mail goes as soon as the customer collects it, if they don't we scan and remove all mail every few weeks or so

SMTP customers (ie Exchange ones) get to keep their mail and we back it up

Our IMAIL Servers we *only* backup the config

pimmo2000 20 January 2008 12:20 PM


Originally Posted by _Meridian_ (Post 7579679)
Most of the reputable ones at least archive all e-mails regularly AFAIK. I would imagine that the originals are then deleted after a month or two, but somewhere on a tape are the back-ups.


M

The email servers tend to be outsourced and on request to these companies in my experience the reply has always been no, we can not recover.

That's not to say they can't if say Scotland Yard got involved.. but the cost of keeping a copy of every email I would imagine would be huge and unless it is a legal requirement.. I can't see why they would.

BuRR 20 January 2008 09:38 PM

Did someone say forensics? :D

Freelance Badger 20 January 2008 09:38 PM


Originally Posted by pimmo2000 (Post 7579580)
Did you send an email to bigdaddy@holdemdown.com and say the new batch of Kiddie porn is in ??

Cause I think that might do it

Not quite - no children or animals involved.

pimmo2000 21 January 2008 11:57 AM


Originally Posted by Freelance Badger (Post 7581692)
Not quite - no children or animals involved.

:thumb: Glad to hear it too :lol1:


All times are GMT +1.