Understanding email servers and how they integrate with the client software
is paramount to a good investigation.
An example of this is a case involving a manager harassing an employee.
The manager sent an email to the employee. He then deleted a few of
the damaging sentences in the message that he wrote.
It was discovered that the edited email was in the suspect's sent folder
on his computer. It was also discovered that the received and modified dates
of the recipient's email message were only a few seconds apart. It would
be impossible for the employee to have had time to fabricate and perform
the change to the message. If it was argued that a third party had access
to the Exchange Server, it would still be impossible to log on as the
employee, open their email and make changes. It is technically impossible.
This was sufficient for the attorney, and the manager resigned.
If the investigation had ended by examining the manager's computer alone,
it would have been incomplete. By the same token, the Exchange server
would not have been the only source of valuable data. The flow of information,
the software used and how they communicate are important factors when
determining the scope of the investigation.