Email Forensics Investigation – The Case Study!

Overview

A newly founded medium-scale cosmetics company based in Amsterdam noticed unusual discrepancies in its accounting and product management records. It also came to light that its products were being sold on the market at manipulated prices. Since the company had only a small team of IT professionals, the first step taken was to check the records, system log files and other details in-house. The company soon decided to hand the case over to investigators, who ran a covert operation to identify the suspects. As the suspects were among the company's own employees, the investigation had to cover personal and official databases, email files, etc.

Challenge

  • Accounting glitches were causing the company losses, so the case had to be resolved within a strict time frame.
  • The company had no particular suspects, so every employee was placed under surveillance by the investigators.
  • The main aim was to determine whether any internal company information had been leaked or illicitly misplaced.
  • This meant that the emails and databases of around 150 employees had to be traced and examined.
  • Employees used different desktop email clients for personal use, such as Thunderbird and Windows Live Mail, and all of these had to be examined.
  • Suitable, proven technical equipment for collection, analysis and examination had to be selected.
  • Different kinds of keywords had to be searched, with advanced proximity matching, within the emails of the acquired files.
  • Cost-effective methodologies and investigation techniques were needed to keep extra costs under control.

Solution

Forensic investigators needed a reliable and secure solution for extracting output from distinct desktop email client files. Emails were expected to be a critical element in this case, as many unknown IP addresses had been traced while examining the system logs. FTK Imager, EnCase and MailPro+ were included in the investigation for hard drive imaging and for analyzing the database files and email files of the systems. MailPro+ was chosen because the company used only desktop email clients and the investigators needed to probe every one of the emails, which were available in bulk. MailPro+ was selected for the following capabilities of the software application:

  • Powerful search options for searching the emails for suspicious keywords.
  • Hex and other viewing modes for tracing the IP addresses of email senders.
  • Case management that supports collaborative investigation.
  • Wide support for various email clients, making it possible to probe Exchange databases as well as other desktop email clients.

Procedure

Acquisition of Email Evidence

  • Gathering information regarding the incident: severity, involvement of employees, impact on business, information transfers or deals done, etc.
  • Acquiring official data from external storage devices, DVDs, hard disks, etc.
  • Tracking information on the routers, network devices, hubs, servers, firewall settings, etc. in use.
  • Copies of internal hard disks from employees' systems were collected for further analysis; these included the email files, which were analyzed separately.
  • Deleted data also had to be recovered from the collected data.

Analysis & Report Generation

  • The collected data was analyzed and the suspicious emails were exported to generate reports.
  • Evidence cannot be presented in court as it is; it has to be maintained in admissible form. Hence the evidence was documented in court-admissible formats and preserved.
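The two analysis steps this case leans on, tracing a sender's first-hop IP from the Received headers and running a proximity keyword search over message bodies, are illustrated below as an added Python example; it is not MailPro+ code or data from the case, and the two messages, addresses, names and keywords are all constructed for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample messages for this example (not evidence from the case).
# Each hop prepends a Received header, so the bottom-most one is the first hop.
RAW_MESSAGES = [
    """Received: from mx.example-cosmetics.test (mx [198.51.100.7])
 by mail.outside.test; Mon, 1 Jun 2020 09:12:01 +0000
Received: from workstation-12 (unknown [203.0.113.45])
 by mx.example-cosmetics.test; Mon, 1 Jun 2020 09:11:58 +0000
From: dana.k@example-cosmetics.test
Subject: Q3 numbers

Attached the price list for the new line. Discount as we discussed,
send payment to the usual account before Friday.
""",
    """Received: from hr-pc (hr-pc [10.0.0.23])
 by mx.example-cosmetics.test; Tue, 2 Jun 2020 08:00:00 +0000
From: hr@example-cosmetics.test
Subject: Holiday schedule

The price of the canteen lunch stays the same. Payment by card only.
""",
]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(raw):
    """Return the bracketed IP from the earliest Received header, or None."""
    msg = message_from_string(raw, policy=default)
    for hop in reversed(msg.get_all("Received") or []):  # earliest hop is last
        match = IP_RE.search(hop)
        if match:
            return match.group(1)
    return None


def proximity_hits(raw, kw1, kw2, window=5):
    """True if kw1 and kw2 occur within `window` words of each other in the body."""
    body = message_from_string(raw, policy=default).get_body(preferencelist=("plain",))
    words = re.findall(r"[a-z]+", (body.get_content() if body else "").lower())
    pos1 = [i for i, w in enumerate(words) if w == kw1.lower()]
    pos2 = [i for i, w in enumerate(words) if w == kw2.lower()]
    return any(abs(a - b) <= window for a in pos1 for b in pos2)


def triage(messages, kw1, kw2, window=5):
    """Flag messages where the keyword pair co-occurs, paired with the first-hop IP."""
    return [(str(message_from_string(m, policy=default)["Subject"]), originating_ip(m))
            for m in messages if proximity_hits(m, kw1, kw2, window)]
```

Note that the first-hop IP is only as trustworthy as the relay that recorded it; compare it against the mail server logs acquired in the procedure above before treating it as evidence.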

Results Gained!

The emails turned out to be a critical source of evidence, and the guilty parties were caught red-handed within the estimated deadline.

  1. Emails from the employees' different email clients were scanned through and, using the advanced search facilities, evidentiary information relating to the whole crime scene was traced.
  2. Two employees were found guilty and were charged with breaching internal data.
  3. This led, through the IP addresses traced in the suspects' emails, to a group of outsiders who had orchestrated the whole scandal.
  4. The evidence, in the form of emails, other databases and account sheets, was handed over to the legal authorities for further court hearings and was presented in court.
  5. The employees were convicted for their acts and punished, and criminal charges were filed against them.

Words from Investigators:

"We must say that the technical equipment used especially for email investigation, i.e. MailPro+, helped us sail through this case when it was getting more and more critical. This software solution has intense and excellent searching capabilities, which assisted us in reaching the key clues of the case."