Email validation issue.
I am working on a case where we are quite certain that an individual created an email that was never sent to the intended recipient although he claims that he did. I received his personal laptop computer where this email resides in an Outlook PST file. While analyzing all of the fields and headers, the email looks pretty legitimate. (Using EnCase v 7.10.01). I would really like to go back to the client that hired me and provide some actual "proof" that he never actually sent this email to the individual that he claimed he did, but other than the "there's no real proof that it was sent" statement, I would like to have something a bit more solid if at all possible. I know it's a long shot but any and all help is greatly appreciated.
Thanks in advance!
I presume you have no access to the upstream MTA that the email would have gone through? (logs)
If so, it sounds like you need to determine that the email was not in draft mode but sent - sounds like some testing is in order. For example is a timestamp set when the email is sent but not when it is in draft mode? Let us know - I might play with this myself.
Quote from RFC2822
orig-date = "Date" date-time CRLF
The origination date specifies the date and time at which the creator
of the message indicated that the message was complete and ready to
enter the mail delivery system. For instance, this might be the time
that a user pushes the "send" or "submit" button in an application
program. In any case, it is specifically not intended to convey the
time that the message is actually transported, but rather the time at
which the human or other creator of the message has put the message
into its final form, ready for transport. (For example, a portable
computer user who is not connected to a network might queue a message
for delivery. The origination date is intended to contain the date
and time that the user queued the message, not the time when the user
connected to the network to send the message.)
Of course you can't guarantee that any email client will actually obey this but my limited testing of it in the past showed Outlook did, i.e. Date was set to local PC time (with timezone DST offset shown) when I pressed the send button & it stayed in Outbox until I connected to the Internet, it connected to its MTA (an Internet POP3 server in my case), then it moved it to the Sent folder & "Date" stayed the same all the way until it was received. Obviously check on whatever version was installed at the time.
If "Date" isn't set it seems likely that action didn't happen (OK maybe it partially failed on that occasion?). Alternatively if it is set there is another possibility which is compose email whilst disconnected, press send button then move the message from Outbox to Sent folder.
I believe it is possible to move email messages from outbox to sent items (possibly between any 2 folders) using Outlook. I think the message in this case would look just the same but you definitely need to check this for yourself to test that scenario.
To find the Outlook accounts configured, see the registry:
For Office12 (2002-2007)
Ntuser.dat\Software\microsoft\windowsnt\currentversion\windows messaging subsystem\profiles\microsoft outlook\9375CFFetc\00001 etc
Account name, display name, server IDs etc.
Proving that something didn't happen is almost impossible. I think all you can do is give the client one or more scenarios that make sense of what information you can find.
The suggestion in previous post about checking the upstream MTA is a good one. If that matches what you see on the client PC that's pretty good corroboration one way or the other.
Absolutely great information folks! Thank you for your input as it is greatly appreciated.
I think MUA evidence is still not good enough; you should try to get some evidence from the MTA.
SMTP logs and spam filter logs could prove how the mail was routed. Also, some IT departments follow a policy of archiving mail for a period; this would be an alternative way to check whether a certain mail exists or not…
Anyway, cross-referencing mail and logs is the best and most solid evidence!
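The distinction quoted from RFC 2822 earlier in the thread (Date records when the creator declared the message ready, Received headers record actual transport) and the cross-referencing suggested in this post can be scripted. The following is an added example, not code from anyone in this thread or from EnCase; the three messages it examines are constructed samples on .invalid domains, and the ten-minute clock-skew tolerance is an assumption. For each copy of a message it reports whether an origination Date is present at all, whether any transport trace is present, and whether the trace is chronologically consistent with the Date.

```python
"""Cross-check a message's origination time (Date) against its transport
trace (Received headers). Added example; all sample messages are constructed."""
import email
from datetime import datetime, timedelta, timezone
from email import policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Assumed tolerance for clock skew between the sender's PC and the MTAs.
MAX_SKEW = timedelta(minutes=10)


def _aware(dt: datetime) -> datetime:
    """Treat a naive timestamp (e.g. '-0000' zone) as UTC so comparisons work."""
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=timezone.utc)


def parse_message(raw: bytes) -> EmailMessage:
    """Parse raw RFC 2822 text (e.g. an exported .eml) into a message object."""
    return email.message_from_bytes(raw, policy=policy.default)


def origination_time(msg: EmailMessage):
    """The Date header as an aware datetime, or None if absent or unparseable."""
    value = msg.get("Date")
    if value is None:
        return None
    try:
        return _aware(parsedate_to_datetime(str(value)))
    except (TypeError, ValueError):
        return None


def transport_times(msg: EmailMessage) -> list:
    """Timestamps from each Received header (the text after the final ';').
    MTAs prepend Received headers, so the list is reversed to read oldest hop first."""
    stamps = []
    for hdr in msg.get_all("Received", []):
        flat = " ".join(str(hdr).split())  # unfold continuation lines
        if ";" not in flat:
            continue
        try:
            stamps.append(_aware(parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())))
        except (TypeError, ValueError):
            continue
    return list(reversed(stamps))


def assess(raw: bytes) -> dict:
    """Classify what this particular copy can and cannot show about sending."""
    msg = parse_message(raw)
    date = origination_time(msg)
    hops = transport_times(msg)
    result = {"has_date": date is not None, "hops": len(hops)}
    if date is None:
        result["finding"] = "no_origination_time"      # consistent with an unsent draft
    elif not hops:
        result["finding"] = "no_transport_trace"       # sender-side copy; needs MTA logs
    elif any(t < date - MAX_SKEW for t in hops):
        result["finding"] = "transport_precedes_date"  # header anomaly, investigate
    else:
        result["finding"] = "trace_consistent"
    return result


# Constructed sample: a sender-side copy. Date was set when Send was pressed,
# but no MTA has touched it, so there are no Received headers.
SENT_COPY = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Contract attached
Date: Tue, 12 Mar 2013 09:14:03 -0500
Message-ID: <20130312141403.ABC123@pc-alice.example.invalid>

Please find the contract attached.
"""

# Constructed sample: the recipient-side copy of the same message after two hops.
RECEIVED_COPY = b"""Received: from mx1.example.invalid (mx1.example.invalid [192.0.2.10])
\tby mail.recipient.invalid with ESMTP id q1;
\tTue, 12 Mar 2013 14:14:20 +0000
Received: from pc-alice.example.invalid (pc-alice.example.invalid [192.0.2.5])
\tby mx1.example.invalid with ESMTPA id p7;
\tTue, 12 Mar 2013 14:14:09 +0000
""" + SENT_COPY

# Constructed sample: a draft that was never submitted, so no Date was ever set.
DRAFT_COPY = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Contract attached

Please find the contract attached.
"""

# Constructed anomaly: first hop stamped an hour before the claimed origination.
ANOMALOUS_COPY = RECEIVED_COPY.replace(b"14:14:09 +0000", b"13:14:09 +0000")

if __name__ == "__main__":
    for name, raw in [("sent copy", SENT_COPY), ("received copy", RECEIVED_COPY),
                      ("draft", DRAFT_COPY), ("anomalous", ANOMALOUS_COPY)]:
        print(f"{name:14s} {assess(raw)}")
```

A message inside a PST is stored as MAPI properties rather than RFC 2822 text: the counterpart of Date is PR_CLIENT_SUBMIT_TIME, any transport headers Outlook kept live in PR_TRANSPORT_MESSAGE_HEADERS, and the MSGFLAG_UNSENT bit of PR_MESSAGE_FLAGS marks an item that was never submitted. Export the item to .eml (or feed the PR_TRANSPORT_MESSAGE_HEADERS text to parse_message) and then compare the finding against whatever MTA or archive logs can be obtained; the script only states what the copy on the laptop can and cannot show, which is exactly the limitation this thread describes.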
I totally agree with you. The problem with this particular email is that the defendant is claiming that he sent this particular message three years ago. He "preserved" it with an important attachment on his laptop computer. It is now sitting in an "Inbox", where he claims he moved it during his attempt to preserve it. Basically what it all boils down to now is a matter of "he said he sent it" while the plaintiff is adamant that he never received it.