It’s important to understand that deleted email is not recovered or indexed by common litigation support or electronic discovery software. These applications only process email that is still visible within the email software.
Some email recovery software can also fall short when restoring deleted email records. Why is that? Because these tools are designed to undelete email records that still have an entry in the mail store index. Unfortunately, many mail stores remove those entries once the database is compressed. As a result, many people believe that email cannot be recovered once the mail store’s database has been compressed. However, this isn’t always the case.
Deleted email content may still be intact and recoverable. By using software tools designed to ‘carve’ email data, it is still possible to recover the original content. Using the following steps, email can often be recovered even after typical recovery tools fail.
1) Use WinHex, EnCase or other file recovery tools that can recover email fragments
2) Import the recovered files (MBOX) through Aid4Mail into Paraben’s Email Examiner
3) Export email and attachments to MSG, PST and other formats
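The following is an added Python example, written for this page and not code from any of the tools named above, that illustrates the principle behind step 1: a message’s headers and body survive in the raw bytes of a compressed mail store or in unallocated space even after the index entry is gone, so they can be found by pattern rather than by index. The byte blob it scans is constructed for the example (padding bytes, two mbox messages and one line of prose that merely begins with "From "); the carver accepts a candidate only when a well-formed RFC 5322 header block with From, Date and Message-ID follows the separator, then hands it to the standard library’s email parser.

```python
import re
from email import message_from_bytes
from email.policy import default as EMAIL_POLICY

# An mbox message starts with a "From " separator at the beginning of a line. In carved data
# the preceding byte may be slack padding (0x00) instead of a newline, so accept that too.
FROM_LINE = re.compile(rb"(?<![^\n\x00])From [^\n]*")
# RFC 5322 field name (printable ASCII except ':') followed by ':' and whitespace.
HEADER_LINE = re.compile(rb"^[!-9;-~]+:[ \t]")
REQUIRED_HEADERS = ("from", "date", "message-id")

# Constructed sample data for this example (not a real mail store).
SAMPLE_MSG1 = (b"From alice@example.com Tue May  2 09:15:00 2023\n"
               b"From: Alice <alice@example.com>\n"
               b"To: bob@example.com\n"
               b"Date: Tue, 2 May 2023 09:15:00 +0000\n"
               b"Message-ID: <msg-0001@example.com>\n"
               b"Subject: Customer list\n"
               b"\n"
               b"Attached is the list we discussed.\n")
SAMPLE_MSG2 = (b"From bob@example.com Tue May  2 10:02:11 2023\n"
               b"From: Bob <bob@example.com>\n"
               b"To: alice@example.com\n"
               b"Date: Tue, 2 May 2023 10:02:11 +0000\n"
               b"Message-ID: <msg-0002@example.com>\n"
               b"Subject: Re: Customer list\n"
               b"\n"
               b"Got it, thanks.\n")
SAMPLE_BLOB = (b"\x00" * 64 + SAMPLE_MSG1 + b"\x00" * 32
               + b"From the desk of Bob\nQuarterly numbers attached.\n" + b"\x00" * 16
               + SAMPLE_MSG2 + b"\xff" * 8)


def _valid_header_block(chunk):
    """True if the bytes after the From_ line are well-formed headers ending in a blank line."""
    head, blank, _body = chunk.partition(b"\n\n")
    if not blank:
        return False
    header_lines = head.split(b"\n")[1:]          # drop the mbox separator line itself
    return bool(header_lines) and all(
        HEADER_LINE.match(line) or line[:1] in (b" ", b"\t")   # folded continuation lines
        for line in header_lines)


def carve_messages(blob):
    """Locate and parse mbox messages in raw bytes without consulting any mail-store index."""
    offsets = [m.start() for m in FROM_LINE.finditer(blob)] + [len(blob)]
    found = []
    for start, end in zip(offsets, offsets[1:]):
        # Normalise CRLF and trim slack/padding that follows the message in carved data.
        chunk = blob[start:end].replace(b"\r\n", b"\n").rstrip(b"\x00\xff")
        if not _valid_header_block(chunk):
            continue                                  # prose such as "From the desk of ..."
        rfc822 = chunk.split(b"\n", 1)[1]             # the parser wants headers first, not From_
        msg = message_from_bytes(rfc822, policy=EMAIL_POLICY)
        if not all(msg.get(h) for h in REQUIRED_HEADERS):
            continue
        found.append({
            "offset": start,
            "from": str(msg["from"]),
            "date": str(msg["date"]),
            "subject": str(msg["subject"]),
            "message_id": str(msg["message-id"]),
            "body": msg.get_content().strip(),
        })
    return found


if __name__ == "__main__":
    for m in carve_messages(SAMPLE_BLOB):
        print(f"offset {m['offset']:>6}  {m['date']}  {m['from']}  {m['subject']!r}")
```

Because the carver keys on content rather than on the mail store’s own bookkeeping, it finds the same messages whether they sit in a live mbox, a compressed one, or a raw image of unallocated space; the offset it reports is what you would hand to a hex editor such as WinHex to review the surrounding bytes.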
Treating the email data like any other deleted file and recovering it with a file carving tool can often provide better results than running a recovery on the individual mail store. As mentioned above, when performing recovery on Mozilla Thunderbird mail stores and others, many programs only recover what is still listed in the index files. If these files are missing, corrupted, or no longer contain the email record, you can try Zmeil from Zero Assumption Recovery (http://www.z-a-recovery.com/zmeil-email-recovery.htm). Zmeil doesn’t rely on the mail store index; it parses the data files and is a great tool to use for additional verification of recovered email data. Zmeil also works well as an inexpensive standalone email recovery tool.
Email communication is often a critical piece of the electronic discovery puzzle. Deleted email doesn’t get fully processed with common electronic discovery software. If you believe you may miss critical evidence because a custodian deleted important emails, then a specialized recovery process should be performed by someone with the appropriate training and knowledge of the process.
Copying corporate data and using it at a competing company (intellectual property/corporate asset theft) is a common and serious concern for companies and their legal counsel. When employees leave companies, there are often questions about the security of the information they previously accessed. Will they use the contacts, forms, or product details as a competitive advantage in their new job?
I had previously written about how to use the file activity records located in the index.dat file to identify when files were accessed. This can help determine whether files were copied from a corporate file server. I want to expand on a couple of additional artifacts that can be used and then provide an illustration. There are three primary artifacts that can be used to help determine if someone accessed and copied specific files using an external drive, CD/DVD, flash device, or other storage media.
1) USBStor Registry Entry – Microsoft Windows uses its registry to track information about the computer’s users, operating system, hardware, applications, security, and other relevant information. When USB devices are plugged into a computer, several key artifacts are captured including the make, model, serial number (if available), and when the device was plugged in.
2) Index.dat Access Record – Microsoft Windows uses the index.dat file to track website activity in Internet Explorer. It also records when and from where files were accessed. We often have to recover deleted or purged activity using programs like NetAnalysis to do a thorough analysis. NetAnalysis can often recover hundreds of thousands of records that are no longer available in the index.dat files on the system.
3) Link File (.lnk shortcut) – Shortcuts can be created by a user and are commonly stored on the desktop. Microsoft Windows also automatically creates .lnk files for documents that a user opens. These files store a wealth of information about the source document, including its path, the dates and times it was created, written, and last accessed, its size, the volume serial number of the drive it was on, and several other fields. This information is stored in a binary format and requires special software to display it in a form that is useful.
4) “File Sniper” - Use a product like Harvester from Pinpoint Labs to create a hash list of the suspect files and scan all locations where the files could be in use. It isn’t uncommon for a computer forensic examiner to be asked if there is a way to create a list of files from a corporate network or an employee’s system and check whether they are in use by a competitor.
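As an added illustration of artifact 1 (this is example code written for this page, not a tool from Microsoft or any vendor named above), the Python below parses the text of a .reg export of the USBSTOR key. It assumes the export was produced with the built-in command reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg; the sample export embedded in the block is constructed, and its vendors, serial numbers and friendly names are made up. It pulls the make, model and revision out of the device key name, strips the trailing &0 that Windows appends to the instance ID to get the device serial, and flags instance IDs whose second character is & because Windows generates those itself when the device reports no unique serial.

```python
import re

# Constructed sample of a .reg export of the USBSTOR key (made-up devices and values).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C3B1A2B3C4D5E6F&0]
"DeviceDesc"="@disk.inf,%disk_devdesc%;Disk drive"
"FriendlyName"="Kingston DataTraveler 3.0 USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\0C3B1A2B3C4D5E6F&0\Properties]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2a1b3c4d&0]
"FriendlyName"="Generic Flash Disk USB Device"
"""

# Only keys exactly two levels below USBSTOR are device instances:
#   USBSTOR\<Type>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d{3})\\Enum\\USBSTOR\\"
    r"([^\\\]]+)\\([^\\\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_device_id(device_key):
    """Split 'Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP' into its named fields."""
    parts = device_key.split("&")
    fields = {"device_type": parts[0], "vendor": None, "product": None, "revision": None}
    for part in parts[1:]:
        for prefix, name in (("Ven_", "vendor"), ("Prod_", "product"), ("Rev_", "revision")):
            if part.startswith(prefix):
                fields[name] = part[len(prefix):]
    return fields


def parse_instance_id(instance_id):
    """Return (serial, windows_generated). Windows appends '&0'; a '&' in position 2 means
    the device reported no serial and Windows synthesised the ID, so it is not unique to the device."""
    serial = instance_id[:-2] if instance_id.endswith("&0") else instance_id
    return serial, (len(instance_id) > 1 and instance_id[1] == "&")


def parse_usbstor_export(text):
    devices, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = parse_device_id(key.group(1))
            serial, generated = parse_instance_id(key.group(2))
            current.update(serial=serial, windows_generated_id=generated, friendly_name=None)
            devices.append(current)
            continue
        if line.startswith("["):
            current = None          # USBSTOR root, device-level key or a Properties subkey
            continue
        value = VALUE_RE.match(line)
        if current is not None and value and value.group(1) == "FriendlyName":
            current["friendly_name"] = value.group(2)
    return devices


if __name__ == "__main__":
    for dev in parse_usbstor_export(SAMPLE_REG):
        note = " (Windows-generated ID, not unique)" if dev["windows_generated_id"] else ""
        print(f"{dev['vendor']} {dev['product']} rev {dev['revision']}  serial {dev['serial']}{note}")
```

A .reg export carries the key names and values but not the keys’ LastWrite times, so the "when was it plugged in" part of this artifact has to come from a tool that reads the timestamps out of the SYSTEM hive itself; the serial recovered here is the value to match against the volume serial and device entries found in the other artifacts.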
By using the above artifacts, it is possible to determine that files located on a company server or client machine were copied or accessed after a specific date and time. Note that this doesn’t provide the contents of the file, and a thorough review would be necessary to make sure it is the same file. However, if the file name and other relevant metadata match, it does appear suspicious and may be enough to construct a solid argument that the employee copied or burned files, accessed the contents, or used the information. This may lead to criminal and civil charges where the employee used the information to benefit a future employer or a new company that the employee decided to start.
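The .lnk artifact (item 3) is the one that ties the others together, because the shortcut records both the target path and the serial number and type of the volume it lived on, alongside the target’s created, written and accessed timestamps. The Python below is an added example written for this page, not code from Microsoft or from any forensic product named above; it follows the published Shell Link binary format (the 76-byte header, the optional item ID list, and the LinkInfo structure with its VolumeID and local base path). The .lnk it parses is constructed inside the block, pointing at a spreadsheet on a removable drive with a made-up volume serial; only the ANSI form of the volume label and base path is read, which is what the ordinary LinkInfo header carries.

```python
import struct
from datetime import datetime, timedelta, timezone

# CLSID 00021401-0000-0000-C000-000000000046 as it appears on disk (little-endian fields).
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02      # LinkFlags bits
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01                     # LinkInfoFlags bit
DRIVE_TYPES = {0: "UNKNOWN", 1: "NO_ROOT_DIR", 2: "REMOVABLE", 3: "FIXED",
               4: "REMOTE", 5: "CDROM", 6: "RAMDISK"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def _cstring(data, offset):
    """NUL-terminated ANSI string at offset."""
    return data[offset:data.index(b"\x00", offset)].decode("cp1252", "replace")


def parse_lnk(data):
    """Return the target-identifying fields of a Shell Link (.lnk) file."""
    if struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, attrs, ft_created, ft_accessed, ft_written, size = struct.unpack_from("<IIQQQI", data, 20)
    info = {
        "file_attributes": attrs, "file_size": size,
        "created": filetime_to_datetime(ft_created),
        "accessed": filetime_to_datetime(ft_accessed),
        "written": filetime_to_datetime(ft_written),
    }
    pos = 0x4C                                            # end of the fixed-size header
    if flags & HAS_LINK_TARGET_ID_LIST:                   # skip the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr_size, li_flags, vol_off, base_off, _net_off, _suffix_off = \
            struct.unpack_from("<7I", data, pos)          # offsets are relative to LinkInfo start
        if li_flags & VOLUME_ID_AND_LOCAL_BASE_PATH:
            vstart = pos + vol_off
            _vsize, drive_type, serial, label_off = struct.unpack_from("<4I", data, vstart)
            # A label_off of 0x14 would indicate a Unicode label; this example reads the ANSI one.
            info.update(
                drive_type=DRIVE_TYPES.get(drive_type, str(drive_type)),
                volume_serial=f"{serial:08X}",
                volume_label=_cstring(data, vstart + label_off),
                local_base_path=_cstring(data, pos + base_off),
            )
        pos += li_size
    return info


def build_sample_lnk():
    """Constructed .lnk pointing at a spreadsheet on a removable drive (sample data, not a capture)."""
    target, label, serial = b"E:\\Projects\\customer_list.xlsx", b"KINGSTON", 0x1A2B3C4D
    created = datetime(2023, 5, 2, 9, 15, 0, tzinfo=timezone.utc)
    accessed = datetime(2023, 5, 2, 9, 15, 30, tzinfo=timezone.utc)
    written = datetime(2023, 4, 28, 17, 42, 0, tzinfo=timezone.utc)
    # Header: size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE, three FILETIMEs, size, icon index,
    # ShowCommand (SW_SHOWNORMAL), hotkey and the three reserved fields.
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO, 0x20,
        datetime_to_filetime(created), datetime_to_filetime(accessed), datetime_to_filetime(written),
        48_213, 0, 1, 0, 0, 0, 0)
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # empty item list plus its terminator
    volume_body = struct.pack("<III", 2, serial, 16) + label + b"\x00"   # DRIVE_REMOVABLE, serial, label offset
    volume_id = struct.pack("<I", 4 + len(volume_body)) + volume_body
    local_base, suffix = target + b"\x00", b"\x00"
    vol_off = 28                                          # LinkInfo header size without Unicode offsets
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(local_base)
    link_info = struct.pack("<7I", suffix_off + len(suffix), 28, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            vol_off, base_off, 0, suffix_off) + volume_id + local_base + suffix
    return header + id_list + link_info


if __name__ == "__main__":
    for key, value in parse_lnk(build_sample_lnk()).items():
        print(f"{key:16} {value}")
```

Run against a real shortcut (open(path, "rb").read()), the parser gives the drive type and volume serial to compare with the USBStor record for the device and the target timestamps to compare with the index.dat access records, which is the cross-check the paragraph above describes.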