CYFOR Blog

With the prominent use of electronic communications, the authenticity of emails is frequently called into question.

Since the introduction of the internet and the digital world in which we live, emails are now a cornerstone of electronic communication. In 2017 it was estimated that 269 billion emails were sent and received worldwide. In 2022 that figure grew to 319 billion and is predicted to reach 376 billion by 2025. With this immense volume of emails being sent and received, there are instances where the authenticity of an email gets called into question. This is typically during a criminal or civil investigation and digital forensic expertise is required to determine the validity of the electronic communication. Confirming the authenticity of forensically acquired emails and identifying the metadata is particularly useful in Litigation and Will disputes. However, the collection of complete email accounts can be useful when investigating company data theft.

Investigations can be based upon numerous circumstances.

• Disputes between individuals over the validity of an email.
• Metadata analysis to identify author, creation and sent date.
• Data theft investigations where individuals have attempted to cover their tracks.
• Has an employee been emailing a competitor, suppliers, or other employees within the business?
• Potential uploads of sensitive data being sent via email.
• The sending of data to personal email accounts or DropBox accounts.
• Recovery of deleted emails.

Case Study – Email Authentication Investigation

A client was facing a tribunal based on an accusation by an employee who stated that they only received the email outlining his gross misconduct until after his dismissal. the employee claimed the email was written and sent post-interview to justify the termination of his employment, and therefore he had been unfairly dismissed. Without this email evidence, the company were likely to be found in breach of employment law and potentially liable to pay several thousands of pounds in compensation to the ex-employee.

The company could not locate the email in question on their server. CYFOR were able to remotely acquire the email account in question and identify and produce the email. The subsequent metadata analysis confirmed the author, date of creation and date and time it was sent. This evidence and court-admissible report when presented led to the claimant withdrawing their tribunal claim.

“This was obviously a vexatious claim designed to frighten the client into paying a settlement. The client was faced with incurring significant costs in time and money defending this claim, or by paying the claimant. CYFOR acting as independent forensic specialists were able to recover the email and using metadata analysis, prove the email creation and sent date and confirm it was sent and received prior to the disciplinary hearing.” – CYFOR Corporate Forensics Manager

Case Study – Email Data Theft Investigation

CYFOR were instructed by a client to investigate the theft of their data by an ex-employee who was setting up a business in direct competition to their own. We were provided with the ex-employee’s work laptop, however, because they suspected access to their 365 account, we also acquired all the logs. This was important due to the limited retention period this data is held for.

Forensic analysis of the logs on the Microsoft 365 account allowed CYFOR to identify the ex-employee was sending and deleting emails to themselves, combining this with her access to company files using the laptop at the same time was conclusive enough to suggest the exfiltration of the data.

“In a civil case such as this, the burden of proof is not the same as a criminal case. Based on the evidence CYFOR acquired allowed the client to apply for all the data to be returned and an undertaking it would not be used by the ex-employee.”- CYFOR Corporate Forensics Manager

Email Forensics Expertise

The investigation of suspect emails should always be undertaken by digital forensics professionals. This is to ensure that;

• The validity of the data can be relied upon in both civil and criminal courts as admissible evidence
• The email data is extracted in full and there is no question whether all data has been recovered
• Ensures that no disruptive alterations are made to the metadata
• It is compliant with the ACPO guidelines and the quality standards set out within the ISO17025 documentation and Forensic Science Regulator’s Codes of Good Practice and Conduct
• Any deleted emails and files are recovered where possible