E-mail communications play a vital role in e-discovery and as core evidence in most complex litigations. In some instances it is important to verify, using e-mail header information and digital tracing techniques, the integrity of email messages prior to their admissibility.
In many cases the parties will, as they should under the revised Federal E-Discovery Rules, stipulate that certain emails were sent or received on certain dates and times and are authentic in nature and the only real issue for evidentiary purposes is relevance.
But what do you do when you have reason to believe that an email is a forgery or a spoof?
How about if the timing of an email is important - what time was it sent?
If the origin or timing of an email message is in issue you need to get a native production of email documents with the header information intact and analyze the header information. The header information of an email is a treasure trove of digital forensic information and it can allow you to learn where and when an email message came from. It also gives you the information you need to subpoena the sender's ISP to get even more information that can nail down the integrity and timing of an email message.
The typical email header will generally look like this:
Received: from purported hostname (hostname (host IP address))
by recipient hostname
with email protocol message ID
for recipient timestamp (GMT).
Care should be taken to "trusting" the "purported hostname" as this information is easily manipulated by the sender to be false.
The key thing is to discern the sender's host IP address. While even IP addresses in the header can be manipulated via the use of intermediate proxy servers, thus making the header more complex, the casual person attempting to forge or spoof the origin of an email may overlook the use of such technically sophisticated methods not thinking that one day such email would be held up to serious forensic scrutiny.
Once the sender's IP address is discerned you can do a reverse DNS lookup and determine the originating domain name and then use a Whois lookup to discern the IP's organization and contact information. The tracing of a header IP address back to an entity can be automated using software tools like NeoTrace Pro . This program allows you to trace an IP address or hostname to its source on top of a world map and the detailed Whois source data is displayed in an adjacent window.
The next step, if necessary and feasible, is to issue a subpoena to the sender's ISP gathered from the Whois lookup and to use the message ID(s) to get logs and other documents related to the email messages at issue.
Regardless of header complexity the main method of tracing an email on the Internet is usually the same:
1. Procure the email header information in native digital format.
2. Identify the IP address of the server used to send the email message(s) at issue.
3. Trace the IP address to discern the sender by a reverse DNS and Whois lookup or via tracing software like NeoTrace Pro.
4. Identify the message ID(s) at issue and if need be issue a subpoena to the ISP asking for data in their log files and on their servers related to such message ID(s).
Email evidence is now a crucial part of electronic evidence and discovery and care should be taken to procure and use native header information to determine the integrity of emails.