Mobile devices have become an indispensable part of our daily lives, and as such, they often contain valuable evidence that can be crucial in legal cases and eDiscovery efforts. However, many investigators overlook mobile email and SMS/MMS messaging when conducting digital forensics.
Mobile Email Forensics
Scope of Mobile Email Acquisition
Mobile email can be a goldmine of evidence, especially when dealing with webmail services that may store messages locally on the device. It is essential to understand how email-capable smartphones interact with corporate mail servers and to determine whether webmail acquisition is within the scope of the investigation.
Mobile Device Management (MDM) Logging
If Mobile Device Management (MDM) software is in use, investigate what logging features are enabled. While some products only log phone and SMS/MMS metadata, others like BlackBerry UEM and Global Relay can log content for SMS/MMS, BBM, PIN, and instant messaging in .csv format.
Smartphone Backups
Smartphone backups stored on the local machine can provide a wealth of historical data, including messages that have since been deleted from the device itself. Microsoft ActiveSync can dump data to Outlook .PST files, BlackBerry devices use .BBB or .IPD files, and Android devices use .ab files. For iOS devices, iTunes creates an "Apple Computer" directory for backups, and each backup folder contains a "Manifest.plist" file that helps locate and identify these backups.
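The following is an added example (not code from the original post) showing how an examiner can inventory iTunes-style backups by walking a directory tree for Manifest.plist files and recording the device, date and encryption status of each one. The Manifest.plist keys used here (Date, IsEncrypted, WasPasscodeSet, Version, and the Lockdown dictionary with DeviceName, ProductVersion, SerialNumber and UniqueDeviceID) are assumed; the sample tree it builds is constructed for demonstration and is not real backup data.

```python
import os
import plistlib
from datetime import datetime

# Fields assumed to live under the "Lockdown" dictionary of Manifest.plist.
LOCKDOWN_FIELDS = ("DeviceName", "ProductType", "ProductVersion",
                   "SerialNumber", "UniqueDeviceID")


def summarize_manifest(path):
    """Read one Manifest.plist and return the fields an examiner records first."""
    with open(path, "rb") as fh:
        manifest = plistlib.load(fh)
    lockdown = manifest.get("Lockdown", {})
    summary = {
        "backup_dir": os.path.dirname(path),
        "date": manifest.get("Date"),
        # An encrypted backup cannot be parsed further without the backup password.
        "is_encrypted": bool(manifest.get("IsEncrypted", False)),
        "was_passcode_set": bool(manifest.get("WasPasscodeSet", False)),
        "backup_version": manifest.get("Version"),
    }
    for field in LOCKDOWN_FIELDS:
        summary[field] = lockdown.get(field)
    return summary


def find_backups(root):
    """Walk a root such as the 'Apple Computer' tree and summarize every backup found."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "Manifest.plist" in filenames:
            results.append(summarize_manifest(os.path.join(dirpath, "Manifest.plist")))
    # Sort so the inventory is reproducible between runs.
    return sorted(results, key=lambda r: r["backup_dir"])


def write_sample_tree(root):
    """Constructed sample: two backup folders with minimal Manifest.plist files."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
            "Version": "10.0",
            "Date": datetime(2023, 5, 1, 12, 0, 0),
            "IsEncrypted": True,
            "WasPasscodeSet": True,
            "Lockdown": {"DeviceName": "Sample iPhone",
                         "ProductType": "iPhone12,1",
                         "ProductVersion": "16.4",
                         "SerialNumber": "SAMPLE0001",
                         "UniqueDeviceID": "00000000-0000000000000001"},
        },
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
            "Version": "9.2",
            "Date": datetime(2022, 11, 20, 8, 30, 0),
            "IsEncrypted": False,
            "WasPasscodeSet": False,
            "Lockdown": {"DeviceName": "Sample iPad",
                         "ProductType": "iPad7,5",
                         "ProductVersion": "15.7",
                         "SerialNumber": "SAMPLE0002",
                         "UniqueDeviceID": "00000000-0000000000000002"},
        },
    }
    for folder, manifest in samples.items():
        backup_dir = os.path.join(root, "Apple Computer", "MobileSync", "Backup", folder)
        os.makedirs(backup_dir, exist_ok=True)
        with open(os.path.join(backup_dir, "Manifest.plist"), "wb") as fh:
            plistlib.dump(manifest, fh)
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for entry in find_backups(write_sample_tree(tmp)):
            print(entry["DeviceName"], entry["date"], "encrypted" if entry["is_encrypted"] else "plain")
```

Recording the encryption flag up front tells the examiner which backups will need the owner's backup password before their contents can be reviewed, and the sorted inventory can be attached to the case notes as the list of sources acquired.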
Forensic Techniques for Mobile Email
If you have physical access to the mobile device, advanced forensic techniques can recover a vast amount of relevant data, including SMS/MMS content, phone logs, and email.
Email Analysis in Forensic Examinations
Identifying Email Clients and Servers
The first step is to identify what email clients exist on the system and what email servers they are connecting to. This often requires reviewing the folder structure of the system and examining the Windows registry for installed applications. Webmail use can be identified through Internet history, cookies, and cached files.
Acquiring Email Archives
All email archives should be forensically acquired within the scope of authority to search. This includes both server archives and anything stored locally on the system. Archives are often converted to a consistent format like .PST to aid in review and deduplication. In cases where mail cannot be converted or reviewed by your forensic suite, it may be necessary to install the specific server software on a system and import the archive for review.
Exporting and Hashing Email Files
Once relevant email files are identified, they should be exported to a portable, easy-to-review format. Hash values should be collected for these new files so that their integrity as evidence can be demonstrated later. In eDiscovery cases, a subset of these files may be produced to opposing counsel and will need to be rendered in the requested format (TIFF, PDF, or raw).
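As an added example (not code from the original post), the script below builds a dual-hash (MD5 and SHA-256) manifest over an export directory of .eml files and re-verifies it, which is the check an examiner runs before and after a production set changes hands. The directory layout and the two sample messages it writes are constructed for demonstration.

```python
import csv
import hashlib
import io
import os

ALGORITHMS = ("md5", "sha256")


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Stream a file through a hash so large PST exports do not need to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(export_dir):
    """Hash every file under export_dir; paths are stored relative so the set is portable."""
    rows = []
    for dirpath, _dirnames, filenames in os.walk(export_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            row = {"path": os.path.relpath(full, export_dir).replace(os.sep, "/"),
                   "size": os.path.getsize(full)}
            for alg in ALGORITHMS:
                row[alg] = hash_file(full, alg)
            rows.append(row)
    return sorted(rows, key=lambda r: r["path"])


def manifest_to_csv(rows):
    """Render the manifest as CSV text suitable for a chain-of-custody record."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["path", "size", *ALGORITHMS])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def verify_manifest(export_dir, rows):
    """Re-hash the export and return (path, problem) pairs; an empty list means intact."""
    problems = []
    for row in rows:
        full = os.path.join(export_dir, *row["path"].split("/"))
        if not os.path.isfile(full):
            problems.append((row["path"], "missing"))
            continue
        if os.path.getsize(full) != row["size"]:
            problems.append((row["path"], "size mismatch"))
        for alg in ALGORITHMS:
            if hash_file(full, alg) != row[alg]:
                problems.append((row["path"], f"{alg} mismatch"))
    return problems


def write_sample_export(root):
    """Constructed sample: two minimal .eml files in a production folder."""
    messages = {
        "custodian_a/0001.eml": b"From: a@example.invalid\r\nSubject: budget\r\n\r\nQ3 numbers attached.\r\n",
        "custodian_b/0002.eml": b"From: b@example.invalid\r\nSubject: re: budget\r\n\r\nLooks fine.\r\n",
    }
    for rel, body in messages.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        rows = build_manifest(write_sample_export(tmp))
        print(manifest_to_csv(rows))
        print("problems:", verify_manifest(tmp, rows))
```

Keeping both the size and two independent digests per file means a later dispute about a single altered message can be settled by re-running the verify step against the original manifest rather than by trusting the review platform's own bookkeeping.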
Conclusion
Mobile email and SMS/MMS messaging are often overlooked in digital investigations but can provide valuable evidence when properly acquired and analyzed.
Akash Patel