Digital forensics focuses on determining what activity happened or didn’t happen. This focus shouldn’t be confused with the question of whether an activity that occurred or didn’t occur is relevant to a matter. In simple terms, the goal of a digital forensic investigation is to determine the who, what, where, when, why, and how.

As a result, a digital forensic investigation produces a dichotomous (yes or no) answer to questions such as these:

  • Was an image sent through a text message?
  • Were files transferred from a laptop to a USB device?
  • Did someone log in as an admin to a company O365 admin account?
  • Was a driver on Instagram at the time of an accident?
  • Was an email ever sent?

Authenticating Emails

Authentication of a sent email is common practice in trade secrets, corporate litigation, and employment matters. Some of the blanks to fill include when an email was sent and who it was sent to. Any email’s metadata fills these blanks.

Simply put, metadata is the data that describes a piece of data. When a document, like an email, is created, edited, modified, or deleted, it’s reflected in the metadata. It documents what, when, and how something was changed in a document file, image, spreadsheet, video, audio recording, CRM database, and website page.

Access to the original email is necessary to review an email’s metadata. Metadata is stored in the email, so having access to the message in an email address’s Inbox or Sent folder will suffice. This can be accomplished by collecting and preserving an entire email Inbox.

If a party attempts to authenticate an email through a PDF file, there is room for pause. Creating a PDF file to verify email communication, while easy, takes many more steps than forwarding the original message. It also provides the opportunity for manipulation.
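The metadata review described above, as an added example that is not part of the original article: it reads the headers of a preserved original message and reports when it was sent, who it was addressed to, and whether the copy carries any mail-server transit trace. Both sample messages, their addresses and hosts, and the function names are constructed for illustration.

```python
from datetime import timezone
from email import message_from_bytes, policy
from email.utils import getaddresses, parsedate_to_datetime

# Constructed recipient-side copy; every name, host and ID here is made up.
DELIVERED = b"""\
Received: from mail.sender.example (mail.sender.example [192.0.2.10])
\tby mx.recipient.example with ESMTPS id CONSTRUCTED1
\tfor <bob@recipient.example>; Tue, 05 Mar 2024 14:02:11 -0500
Date: Tue, 05 Mar 2024 14:02:07 -0500
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Message-ID: <constructed-1@sender.example>
Subject: Meet and confer

Are you available Thursday?
"""
# Constructed draft that never left the mail client: no trace headers at all.
DRAFT = b"""\
Date: Tue, 05 Mar 2024 14:02:07 -0500
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>

Are you available Thursday?
"""

def addresses(msg, name):
    return [a for _, a in getaddresses([str(h) for h in msg.get_all(name, [])])]

def summarize(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    hops = []
    for rcvd in msg.get_all("Received", []):
        try:  # each relay stamps its time after the last ';' of its Received header
            hops.append(parsedate_to_datetime(str(rcvd).rpartition(";")[2].strip()))
        except (TypeError, ValueError):
            continue  # unparseable trace line: review the raw header by hand
    return {
        "date_utc": sent.astimezone(timezone.utc).isoformat() if sent else None,
        "from": addresses(msg, "From"),
        "to": addresses(msg, "To"),
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "hop_count": len(hops),  # 0 = this copy shows no server transit
        "seconds_date_to_first_hop":
            (min(hops) - sent).total_seconds() if sent and hops else None,
    }

if __name__ == "__main__":
    for label, raw in (("delivered", DELIVERED), ("draft", DRAFT)):
        print(label, summarize(raw))
```

A hop count of zero is expected for a draft, but the sender's own Sent-folder copy usually lacks Received headers too, so it should be corroborated with the recipient's copy or mail-server logs.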

Forged PDF

Verifying sent emails recently played out in a civil case involving the NYPD. The Defense sent a letter to the judge stating that a Plaintiff attorney had made false statements to the court regarding their responding to an email requesting to meet and confer on an outstanding piece of discovery.

When a Plaintiff attorney pressed the Defense for email evidence that they had offered to meet and confer, the Defense attorney provided a PDF. Unfortunately, the PDF contained some inconsistencies, and the Plaintiff’s attorney enlisted the help of a digital forensic expert.

After reviewing the PDF, the digital forensic expert, Wolfgang Wilke, composed his report, concluding that “it is highly unlikely that the PDF was printed from a native email” and that “if the email was in the drafts folder, it would have been apparent that it was not actually sent.” In short, the Plaintiff attorney wrote, paraphrasing Wilke’s conclusions for the court, “Saying the email had been sent, when it had not been, was almost certainly not an accident.”

A detailed account of the timeline of this forged PDF document, and the immediate termination of the NYPD Defense attorney in question, was published by Hell Gate.

How To Protect Your Matters

There are a few situations involving electronically stored information (ESI) where metadata can’t answer questions in a digital forensic investigation. But to that end, there is rarely a silver bullet or smoking gun that fills in all the blanks. So when emails are a part of the ESI for your matter, take the necessary steps. Ensure that nothing is missed and that the wool isn’t pulled over your eyes. Here are three takeaways:

  1. The metadata doesn’t lie – Always get the original email/file
  2. Validating emails shouldn’t be complex
  3. When in doubt, engage with a digital forensic expert like 4Discovery