Email Forensics (Read / Unread)

(@jbscarva)
Posts: 8
Active Member
Topic starter
 

Thanks in advance for your answers!

For legal purposes, I would like to know if it's possible to tell if an email message has been opened and read by a suspect.

 
Posted : 17/01/2013 2:51 am
TuckerHST
(@tuckerhst)
Posts: 175
Estimable Member
 

Absent eye tracking technology, there are no artifacts left by the act of reading.

(You may wish to read the posting guidelines and ask a better question.)

 
Posted : 17/01/2013 4:00 am
Passmark
(@passmark)
Posts: 376
Reputable Member
 

Question wasn't very precise.

Some (most even) E-mail clients do track which Email messages have been looked at. Doesn't mean the user actually read the E-mail however, just that it was displayed on the monitor. Further it is trivial for the user to change the state of an E-mail. (Right click ==> Mark as Unread). So no real proof.

However if you found a reply, or forwarding, for the E-mail in question, I would consider that fairly conclusive that the Email was read.

 
Posted : 17/01/2013 4:14 am
(@randomaccess)
Posts: 385
Reputable Member
 

Also, a lot of clients are configured to mark an email as read once it's been selected.

I often do this accidentally (and my email client keeps reverting my "mark as read on select" settings, which is frustrating).

 
Posted : 17/01/2013 4:24 am
(@dillardo)
Posts: 3
New Member
 

It depends on the system used to send the email. If the sender fires off the email with a read receipt request, the mail recipient is normally prompted to respond to the read receipt. If the mail recipient decides not to respond, then there is no confirmation mailed to the sender. Depending on receiving email server configuration, it may be possible to determine when the mail was received and if it was opened. I hope this helps.

-Dillard

 
Posted : 17/01/2013 5:30 am
(@jbscarva)
Posts: 8
Active Member
Topic starter
 

Thanks for the answers!!!!

The main goal is to submit in court (for the judge's decision) only the read messages. Are there any metadata / flags in the messages or mailbox marking them as read / unread?

 
Posted : 17/01/2013 2:25 pm
(@ludlowboy)
Posts: 71
Trusted Member
 

I think this area is very problematical.

I sometimes open E Mails and quickly scan them and then close them with the intention of reading them later. Sometimes I do return to them but other times they just get deleted. Would this mean that I read the E Mail?

I have an E Mail account that I share with someone – How can you determine which of us opened the E Mail?

I believe that the only sure way to determine if someone read an E Mail is to look to see what was done after it was received.

I would concentrate on the Sent items and see if you can find a response to the E Mail.

A reply that included something like “Thanks for the E Mail” or “I agree” would surely mean that the person actually read it.

 
Posted : 17/01/2013 3:08 pm
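An added example, not part of any post in this thread: one way to separate the weak indicator (the client's read flag) from the stronger one the replies above suggest (a reply found in Sent items). It assumes the mailbox is an mbox-style export where the read flag is the `R` character in the `Status` header; other clients store the flag elsewhere. All messages and addresses are constructed.

```python
from email import message_from_string

# Constructed sample messages (not from any real mailbox).
INBOX = [
    "Message-ID: <a1@example.test>\nSubject: Contract draft\nStatus: RO\n\nbody\n",
    "Message-ID: <a2@example.test>\nSubject: Newsletter\nStatus: O\n\nbody\n",
    # Flag says unread, yet a reply exists in Sent (e.g. after "Mark as Unread").
    "Message-ID: <a3@example.test>\nSubject: Meeting\nStatus: O\n\nbody\n",
]
SENT = [
    "Message-ID: <s1@example.test>\nIn-Reply-To: <a3@example.test>\n"
    "References: <a3@example.test>\nSubject: Re: Meeting\n\nI agree\n",
]

def referenced_ids(sent_raw):
    """Collect every Message-ID that a sent message replies to or references."""
    ids = set()
    for raw in sent_raw:
        msg = message_from_string(raw)
        for header in ("In-Reply-To", "References"):
            ids.update(msg.get(header, "").split())
    return ids

def classify(inbox_raw, sent_raw):
    """Map each received Message-ID to its read flag and reply evidence."""
    answered = referenced_ids(sent_raw)
    report = {}
    for raw in inbox_raw:
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "").strip()
        flag_read = "R" in msg.get("Status", "")  # assumed mbox convention
        replied = mid in answered
        if replied:
            evidence = "reply-found"    # user acted on the message
        elif flag_read:
            evidence = "flag-only"      # displayed or marked, not proof of reading
        else:
            evidence = "no-indicator"
        report[mid] = {"flag_read": flag_read, "replied": replied,
                       "evidence": evidence}
    return report

if __name__ == "__main__":
    for mid, row in classify(INBOX, SENT).items():
        print(mid, row)
```
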
Passmark
(@passmark)
Posts: 376
Reputable Member
 

jbscarva,

I understand that English might not be your first language. But that doesn't really excuse the vague, nebulous nature of your question.

What E-mail client & OS?
Is it web based Email?
Do you have a copy of the Email archive file?
How much EMail is there, is there too much to manually filter?
What format do you need the output in, (printed, PST, searchable index)?

You aren't going to get good answers unless you ask good questions.

 
Posted : 18/01/2013 2:58 am
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Perhaps the best approach is to identify those emails that have not been read - and submit the rest.

 
Posted : 21/01/2013 7:26 am
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Scenarios

1. You could argue that once an email had left the SMTP server with the RETR command, the user would have fetched it from the server. Though there are email clients that do this automatically and some of them start as the system starts up.

2. You could argue that once the email has been retrieved to the client it would have been read by the user, though there is nothing that proves that it has actually been read, even if it was displayed on the screen.

Now, consider those two scenarios.

In scenario 1 the email was placed on the user's computer. If you looked at the drive, you would find a forensic artifact of the email and think it was read.

In scenario 2 the user would have fetched it and the email client could have displayed the first new message on screen for the user to read, same forensic artifacts. Though it is fully possible that the user could have just turned off the computer and NOT have read the information.

So as you see, whether the user has read emails is a bit more complex than an email client tracking a read/unread flag in a database.

My advice is that if this is some sort of "whoops, I sent it to someone who wasn't supposed to receive it" mess, then 100% of the problem is with the sender - not the receiver.

 
Posted : 26/01/2013 7:03 pm