I have a case where an employee (emp) maintains that she sent an email to her boss (boss 1) and that she in turn forwarded it to her boss (boss 2) after she tampered with the contents. Boss 2 forwarded a copy of the tampered email back to emp and when I reviewed it, the contents certainly were changed. Actually, about 10 words were removed and a single word was put in to make it readable. As is the case with Outlook, the added word was in Blue. It seems like a slam dunk but boss 1 maintains she did not send the email on to boss 2. Boss 2 is in a separate hosted Outlook environment many miles away.
How can we confirm that this email originated from Boss 1?
Does Outlook keep a record in some hidden fashion of when boss 1 was logged on or sent emails?
Anything else can be done to investigat the tampering of this email as it was forwarded on?
All help and comments appreciated.
Perhaps the following article will help
http//www.forensicfocus.com/email-and-appointment-falsification-analysis