
Evidence being accessed

4 Posts
4 Users
0 Reactions
267 Views
jimmy
(@jimmy)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

Hi,

I have a situation in which the suspect's computer was not imaged and was accessed to look up evidential data.

When the evidence found from the laptop was submitted in the court, the authenticity of the information was in question. Which was quite evident…

Now how do we certify that the information, which is mostly in the form of emails, has not been modified or tampered with…


   
iruiper
(@iruiper)
Estimable Member
Joined: 19 years ago
Posts: 145
 

Hi Jimmy,

Is all your evidence based on emails? In that case, I was wondering if you could gain access to a backup copy. Maybe if you can describe and certify the backup process, you could then restore a previous copy and, after extracting the specific mails your evidence consists of, compare the ones in the backup with the ones on the computer. I mean, you could export them from the backup and convert them to MSG format, extract them from the laptop too (in MSG format), and check that they are the same.

This way you would be getting the same piece of evidence from two different sources, one which could have been "tampered", but another one which took place before the Incident Response began.


   
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123
 

Another option could be to go from the other side, i.e. if you have the emails a person has received, look to see if it's the same from the person who sent them. Of course this is not always possible, but if you can do it, it's probably a good starting point. You can also then ensure the evidence from the sender is captured correctly (hopefully).


   
(@infern0)
Trusted Member
Joined: 17 years ago
Posts: 54
 

Obtain the emails in question from the mail server itself if possible.


   
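The comparison suggested in the replies above (the same message taken from the laptop and from a second source such as a backup, the sender, or the mail server), as an added example that is not part of any post in this thread. It assumes the messages were exported as raw RFC 822 (.eml) bytes rather than MSG; the function names and the sample messages are constructed for illustration.

```python
import hashlib
from email import message_from_bytes

# Headers set by the sender; relay-added ones (Received, X-*) differ per copy.
STABLE_HEADERS = ("message-id", "date", "from", "to", "cc", "subject")

def fingerprint(raw: bytes) -> dict:
    """Hash the stable headers and each decoded body part of one message."""
    msg = message_from_bytes(raw)
    # Collapse whitespace so header folding differences between exports do not count.
    headers = "\n".join(
        f"{h}:{' '.join(str(msg.get(h, '')).split())}" for h in STABLE_HEADERS)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        # Normalise line endings: export tools disagree on CRLF versus LF.
        body = body.replace(b"\r\n", b"\n").rstrip(b"\n")
        parts.append(hashlib.sha256(body).hexdigest())
    digest = hashlib.sha256(headers.encode("utf-8", "surrogateescape")).hexdigest()
    return {"id": str(msg.get("message-id", "")).strip(), "headers": digest, "parts": parts}

def compare(source_a: list, source_b: list) -> dict:
    """Pair messages from two sources by Message-ID and classify each pair."""
    a = {f["id"]: f for f in map(fingerprint, source_a)}
    b = {f["id"]: f for f in map(fingerprint, source_b)}
    report = {}
    for mid in sorted(a.keys() | b.keys()):
        if mid not in a or mid not in b:
            report[mid] = "missing in one source"
        elif a[mid]["headers"] != b[mid]["headers"]:
            report[mid] = "headers differ"
        elif a[mid]["parts"] != b[mid]["parts"]:
            report[mid] = "body differs"
        else:
            report[mid] = "match"
    return report

# Constructed sample messages, not taken from any real case.
BACKUP_1 = (b"Received: from relay1.example.test\r\nMessage-ID: <1@example.test>\r\n"
            b"Date: Mon, 01 Jan 2024 10:00:00 +0000\r\n"
            b"From: a@example.test\r\nTo: b@example.test\r\n"
            b"Subject: Invoice\r\n\r\nPay 100 EUR by Friday.\r\n")
LAPTOP_1 = BACKUP_1.replace(b"relay1", b"relay2").replace(b"\r\n", b"\n")
BACKUP_2 = BACKUP_1.replace(b"<1@", b"<2@")
LAPTOP_2 = BACKUP_2.replace(b"100 EUR", b"900 EUR")   # altered body
BACKUP_3 = BACKUP_1.replace(b"<1@", b"<3@")           # absent from the laptop
```

Calling `compare([BACKUP_1, BACKUP_2, BACKUP_3], [LAPTOP_1, LAPTOP_2])` returns one verdict per Message-ID. Messages that share a Message-ID within one source, or lack one, collapse onto a single key and need to be paired by hand.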