Email Forensics - Email Discovery
Successfully recovering e-mail is a cooperative effort between the lawyers and the technical experts. The lawyer needs to understand how e-mail works, where it can be stored and how to ask for it. The goal for the lawyer is to get the data and the supporting information the technical experts need to examine the data produced. The technical experts can then recover the information while preserving the chain of custody necessary to authenticate the individual messages recovered.
Understand what Tools are best for Each Situation
Forensic analysis of email clients and servers has been in the spotlight of civil and criminal cases worldwide, and no examination of document discovery is complete without requesting, searching and organizing email. To accomplish this portion of the investigation successfully, the correct tool needs to be selected, understood and tested. This separates a technician from a true professional. At LJ Forensics all tools and methodologies are pre-tested and meet the industry standard. This not only assures a solid outcome but also avoids wasted expense, which matters because more often than not only a limited amount of time is available. The first step in an email examination is to identify the sources of email and how the email servers and clients are used in an organization. A skilled forensic examiner must also know how to identify the ways these powerful business tools are used beyond email. It can be as simple as gaining the assistance of the Exchange administrator. For example, Exchange Server 2003 includes a message tracking utility that records the flow of email; by entering the sender's address, the name of the server and the date in question, you can retrieve a list of the matching messages. In other cases it is necessary to request all related servers, backup data and devices in order to retrieve all documents and to be able to validate the findings.
Where is Email Stored
Although not always the primary focus of a forensic investigation, the email server and the client systems often yield relevant and at times supporting documentation. Automated forensic programs are available for this task. Many users store their personal data and contact information in personal folders and also synchronize their email with their Personal Digital Assistants (PDAs). This can be further verified and documented by sound computer forensic practices.
Deleted Email
Many users believe that once they delete email from their client machine they have erased all trace evidence. This is not how the system truly works. The same data can be located on the server, on backup tapes or on the recipients' computers, or extracted from the hard drive of the original sender using forensic techniques. LJF ensures that appropriate measures are taken by following standard forensic procedures.
HTML / Web Based Email
Services such as Hotmail and Yahoo Mail use a browser to interface with the email server. The browser in turn writes a copy or a cache to the hard drive, providing a location from which the forensic examiner can retrieve the email messages. The same applies to Outlook Web Access used with Microsoft Exchange Servers and to other browser-based webmail clients. Email discovery has yielded invaluable information in cases ranging from software piracy to employee embezzlement. Timelines, unknown participants, statements made by suspects and financial data have all come out of analyzing this form of data. Knowing how to link the data together in a presentable and understandable format is what can determine the success of the case. That is the goal of LJ Forensics.
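The page describes three things an examiner takes from each recovered message: a record that authenticates it for the chain of custody, the participants (including ones not previously known), and a timeline. The following is an added example, not LJ Forensics' code or methodology; it runs Python's standard-library `email` parser over a constructed sample message (addresses, servers and times are made up) and produces one custody record from it: a SHA-256 of the exact recovered bytes, the Message-ID, every address in From/To/Cc, and the relay hops in chronological order taken from the Received headers.

```python
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message (not from any real matter). Each relay prepends
# its own Received header, so the chain reads bottom-up in time order.
SAMPLE_EML = b"""Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby mx.example.net with ESMTP id abc123;
\tTue, 4 Mar 2003 10:15:32 -0500
Received: from workstation7 (workstation7.corp.example.org [10.1.2.7])
\tby mail.example.org with ESMTP id xyz789;
\tTue, 4 Mar 2003 10:15:01 -0500
From: "A. Sender" <a.sender@example.org>
To: recipient@example.net
Cc: third.party@example.com
Message-ID: <20030304101458.1234@workstation7>

Please see the attached figures.
"""

def fingerprint(raw: bytes) -> str:
    """SHA-256 of the exact recovered bytes, taken before any parsing, so the
    chain-of-custody log can later show the message was not altered."""
    return hashlib.sha256(raw).hexdigest()

def parse_message(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)

def participants(msg) -> set[str]:
    """Every address in From/To/Cc; this is where unknown participants surface."""
    headers = [str(h) for f in ("from", "to", "cc") for h in msg.get_all(f, [])]
    return {addr for _, addr in getaddresses(headers) if addr}

def hop_timeline(msg) -> list[tuple[str, str]]:
    """(ISO timestamp, receiving server) per hop, earliest hop first."""
    hops = []
    for rcv in reversed(msg.get_all("received", [])):
        clause, _, stamp = str(rcv).rpartition(";")   # date follows the ';'
        tokens = clause.split()
        server = tokens[tokens.index("by") + 1] if "by" in tokens else "?"
        hops.append((parsedate_to_datetime(stamp.strip()).isoformat(), server))
    return hops

def custody_record(raw: bytes) -> dict:
    """One record per recovered message: hash, Message-ID, parties, hop timeline."""
    msg = parse_message(raw)
    return {"sha256": fingerprint(raw), "message_id": msg["message-id"],
            "participants": sorted(participants(msg)), "hops": hop_timeline(msg)}
```

Received headers are written by the relays, so any hop the examiner cannot corroborate against server logs or backups should be treated as a claim rather than a fact.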
Email: info@ljforensics.com | Phone: (800) 498-2188
©2003, LJ Forensics Consulting Services