
Email origin, confusion

(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

Hey, in a current case emails between two or more parties seem the most likely place to find the evidence. I imaged the drive last week and use FTK.
One of the first things I did after importing the case was to click "email messages" on the program's "overview" tab, which reports there are 5107.
However, what I can't get my head around is that they are all reported to be from the year 2004. They are all Outlook messages, but surely the suspect has used his Outlook account since 2004?!
Anyway, I started running keyword searches using terms given by the client, mostly people's names, and through this have discovered other messages on the system from 2005, 2006 and 2007. Although I have seen these, there are still not that many; it's not as though I can make a nice neat timeline out of them, as there are many gaps between dates and these are often large.
This could be because I haven't done a thorough analysis yet, I'm just trying to get an overview.
Anyway, what is also puzzling me is the origin of these more recent (than 2004) email messages.
They are located in either temp locations like the following, for example

suspectname\Local Settings\Temp\~WRS0156.TMP

or for example

TIF\Content.IE5\AV2NO9Q3\1765-tiny[1].jpg>>FileSlack

Below is a section of a message from the latter

________________________________

From suspect
Sent 14 September 2007 1131
To Joe bloggs; Ian bloggs; Jamie bloggs; Laurie bloggs
Subject
business stuff

Attached

OK with this?

suspect
Please can you instruct Christie & Co

XL-B2375

Natfest

Contact for access and payment

-----Original Message-----
From Shah khan
Sent 14 September 2007 1453
To suspect
Subject FW The Abbey Inn, Tinworth, Near Cheqies
/o=First Organization/ou=first administrative group/cn=Recip
_ORDE%C
Nq4s
ab@business-nw-uk.com
steph coss
SMTP
steph coss
SMTP
sab@businessst.com
sab@businessst.com
SMTPSAB@BUSINESSST.COM
steph cross
steph coss
SMTP
sab@businessst.com
steph coss
Yours faithfully,
1
random persons name

So what I would like your opinion on is

Can you make any sense/give advice/opinions on this?

Any help really appreciated, thanks guys


   
(@rich2005)
Honorable Member
Joined: 19 years ago
Posts: 541
 

I'm not entirely sure what specifically you're asking, but if in short it's 'why do I have fragments of email messages from the recent few years, when all my FTK lists is 2004 mails?' I guess there could be a number of reasons, but could these not be, for example, web-based mail pages which have now been deleted (and/or overwritten)? Or the mailbox from which these messages originally came now being deleted/overwritten, and you're just left seeing fragments of previous mails?
Hard to say without going through it :)

PS. Do you want to remove the 'from' in the 'original message' above or is that ok 😉


   
(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

PS. Do you want to remove the 'from' in the 'original message' above or is that ok 😉

That's made up anyway, I changed the name 😉


   