Email Evidence – Now You See it, Now You Don’t!

First published October 2008

By Sandy Boucher and Barry Kuang, Intelysis Corp.


With the ever increasing role of computers and electronic communications in both our business and personal lives, emails have taken on a key evidentiary role in many high profile court cases. From Oliver North in the Iran-Contra probe to Bill Gates in the Microsoft Anti-Trust case and Conrad Black in his fraud trial, incriminating emails have formed critical evidence in court, often with dramatic results. Whether you are working a divorce case or a complex business dispute, email evidence may well be vital to your efforts and recent developments in the technology underlying the way in which email works may impact your ability to locate and use such evidence.

There are a number of reasons why emails have been found to provide such excellent evidence. The primary reason appears to be that the ease, relative informality and immediacy of email entice users to relax many of the habits they would otherwise follow when writing a formal letter. Secondly, email users generally tend to believe, often without having seriously considered the matter, that their email communication is private between them and the recipient and that it will remain so; nothing could be further from the truth. The final factor is that emails can exist on a range of servers and other devices even after the original message has been deleted. Indeed, the primary lesson of computer forensics is that even a “deleted” item may not really have been deleted at all.


Commonly Used Email Systems

Regardless of the kind of email system that is used, all emails essentially follow the same de facto standards developed by the Internet Engineering Task Force (“IETF”). Whether you are using Hotmail, Gmail or a company email system, the underlying ways in which an email message is transmitted and received are very similar. Despite this, there are important differences in the way that data from an email can be stored, and recent developments in the technology underlying web based email systems have greatly reduced the likelihood that even scraps of a message can be recovered. The operation of email can be divided into two main categories according to the type of email system the user has. This paper is not intended to be a technical treatise and these explanations are therefore simplified.

The first category is known as the “email client system” which operates using a software application that is installed on the user’s machine (the mail client) which downloads and stores the user’s emails. In this system, all email activity is essentially conducted using the software on the user’s computer. The most common examples of such email systems are Microsoft Office Outlook, Mozilla’s Thunderbird, Windows Live Mail, Outlook Express and Eudora.

The second system is based upon the technology of the Internet browser software that almost every computer now has; common examples are Microsoft’s Internet Explorer, Mozilla’s Firefox and Apple’s Safari. The most common browser email systems in use today are household names such as Hotmail, Yahoo Mail, Gmail and America Online Mail. These email systems operate by giving the user access to their email on a server that is accessed over the Internet, and they do not require an email client on the computer being used to send or retrieve mail. In this way, the email messages are never stored on the local machine.

The Digital Forensic Specialist’s Approach

In some corporate litigation, access to data and mail servers and other media may be allowed as well as the possibility of recovering email evidence from ISP and webhosting servers. The legal issues surrounding such matters are however complex and are not the focus of this paper. In most cases where email evidence is an issue, the primary source of such evidence is from computers of the persons concerned.

When a forensic technician examines a computer, one of the initial steps that he or she will take is to attempt to identify which, if any, email systems have been used on the machine. Identifying which type of email system and/or email client has been used on the machine will determine where the examiner will go to look for email evidence. Did the user have a Hotmail account? Or was he using Microsoft Outlook? Each will mean that potential evidence can reside in different places on the computer.

With an email client based system, the primary location of evidence on the user’s machine will be the archive file(s): a specially formatted database file where the program stores all information regarding emails, folders, deleted items etc. In Microsoft systems this is called a personal folder or PST file. Once the email archive file has been located, existing emails can be recovered and examined. In addition, in many cases, deleted emails will still exist in the PST file and can also be recovered for examination. It is also common to find that the email user’s computer contains numerous versions and copies of the PST file in differing locations. Further opportunities to recover emails can be found in the computer’s cache, where whole or partial messages are written by the operating system into unallocated space while messages are being created or read. Although this is a potentially rich source of evidence, even for recovering missing emails, these fragments are more difficult to find and must be located by searching for the telltale character strings that identify them, or alternatively by searching for key words that are contained in the messages themselves. These fragments no longer exist as messages and are found in the unallocated space of the hard drive.
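The search for telltale strings described above, as an added illustration that is not part of the original article: a small Python carver scans a constructed buffer standing in for unallocated space, treats a line beginning with “From:” as the start of a fragment, collects the contiguous header lines that follow, and reads the body until the first non-printable byte. The sample data and the “From:” heuristic are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed stand-in for unallocated space: filler bytes with two message
# fragments embedded, the second truncated mid-body (as carved data often is).
UNALLOCATED = (
    b"\x00\x00\xffslack\x13\x37\x00"
    b"From: alice@example.com\r\nTo: bob@example.com\r\n"
    b"Subject: Q3 invoices\r\nDate: Mon, 06 Oct 2008 09:14:00 -0400\r\n"
    b"Message-ID: <1234@example.com>\r\n\r\n"
    b"Please delete the attached ledger.\r\n\x00\x00"
    b"\x00garbage\x00"
    b"From: carol@example.org\r\nSubject: re: transfer\r\n\r\nWire it Fri"
    b"\x00\x00"
)

# A fragment starts at a "From:" header that begins a line (or follows a NUL).
START_RE = re.compile(rb"(?:^|[\r\n\x00])(From:[^\r\n\x00]{1,200})")
HEADER_RE = re.compile(rb"^([A-Za-z-]+):[ \t]*([^\r\n\x00]*)\r?\n", re.M)
# The body runs until the first byte that is not printable ASCII/TAB/CR/LF.
BODY_END_RE = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")


def carve_email_fragments(data: bytes, max_len: int = 4096) -> List[Dict]:
    """Return the header/body fragments found in a raw byte buffer."""
    fragments = []
    for m in START_RE.finditer(data):
        start = m.start(1)
        chunk = data[start:start + max_len]
        headers, pos = {}, 0
        for h in HEADER_RE.finditer(chunk):
            if h.start() != pos:          # header lines must be contiguous
                break
            headers[h.group(1).decode()] = h.group(2).decode(errors="replace")
            pos = h.end()
        # A blank line separates headers from body; a fragment may lack it.
        body = ""
        blank = re.match(rb"\r?\n", chunk[pos:])
        if blank:
            rest = chunk[pos + blank.end():]
            end = BODY_END_RE.search(rest)
            body = (rest[:end.start()] if end else rest).decode(errors="replace")
        fragments.append({"offset": start, "headers": headers, "body": body.strip()})
    return fragments
```

On a real image the buffer would be the unallocated clusters exported by a forensic tool, and the offsets let each hit be tied back to its sector.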

Browser based email systems present more problems for the forensic examiner, primarily because the emails are never actually stored on the user’s computer. In older webmail style systems such as the classic version of Hotmail, this was not a problem, as the browser software automatically created and saved multiple versions of the files that were viewed in the web cache and temporary Internet files. However, since the inception of Web 2.0 technology, in many systems this is no longer the case. The technology underlying the more recent versions of most browser based email systems has developed considerably to enable improved and faster service. The downside of this for the e-sleuth is that these Ajax programming techniques provide a “non-cache” option to the browser. In other words, browsers no longer store email content in the browser’s cache.

In a recent case, we were able to recover some very recent emails from a system using Windows Live Hotmail but older messages were gone and even those recovered from unallocated space were fragmented and hard to use. Although in many corporate settings, company emails will potentially exist in multiple locations and remain a potent source of evidence, these developments will mean that the use of web or browser based email will afford added security for wrongdoers. We have seen many cases where browser based personal email accounts have been used for corporate misdeeds such as fraud, money laundering and intellectual property theft. The incentives to do so have now increased and the evidence of such actions is significantly harder to trace.


The good old days of email investigation are long gone and the Web 2.0 era, although providing a much higher level of privacy and convenience for users, gives digital forensic experts a far greater challenge. Evidence preservation is the key in the Web 2.0 era, as more evidence will be located in the unallocated space of the user’s machine. For this reason, the earlier the computer is forensically acquired, the higher the chances of finding the smoking gun. The importance of getting to key computers as early as possible in your case and preserving the evidence before the Windows operating system overwrites the unallocated space cannot be overstated. In our experience, corporate thieves often resort to external email systems to perpetrate their schemes because they are aware of the ease with which client based emails can be recovered. These new developments in web based email systems have further improved the situation for such people, but careful forensics work can still uncover traces of their misdeeds.
