Email is more and more in the news these days and is near the center of the current US Attorney firing scandal, and for good reason. A substantial amount of communication flows via email, which can be an efficient way of communicating memos and other intercourse. Email is nearly instantaneous, costs almost nothing, and has in large part replaced the paper memo. Email provides a path of inquiry that previously was unavailable to investigators, for a paper document can be shredded or burned, while email leaves a trail even when deleted. Furthermore, unlike a piece of paper, the email itself reveals who sent it and who received it, when and where. As Senator Patrick Leahy says (quoted by Michael Abramowitz on April 14, 2007 in “4 years of Rove e-mails are missing, GOP admits”), “You can’t erase e-mails, not today…They’ve gone through too many servers. Those e-mails are there -”
There are primarily three kinds of email in common use. One is the email client program, a genre that includes Microsoft Outlook Express, Mozilla Thunderbird, Macintosh Mail, and Netscape Mail. The second type is the prevalent Microsoft Outlook, a very different program from the same company’s Outlook Express. The third is commonly known as web mail or Internet mail.
Email client programs store data mostly in text form – words people understand, as distinct from cryptic computer language. In general, all of the individual emails in a single mailbox (such as the “In” or “Sent” mailboxes) are stored together as a single file.
When mail is deleted, it is truncated from the mailbox file, but its data is not actually removed from the computer at this point. Each file has an entry in an index that is something like a table of contents. When an entire mailbox is deleted, part of its entry in the file index is removed, but the actual body of the file does not disappear from the computer. The area on the computer’s hard disk that holds the file gets marked as available to be reused, but the file’s contents may not get overwritten for some time, if at all, and hence may be recoverable.
The computer forensics specialist may then search the ostensibly unused portion of the computer for text that may have been part of an email. The expert can look for names, phrases, places, or actions that might have been mentioned in an email. The email contains internal data that tells where it has been and who it has been to.
For instance, I just sent my wife a 17-word message entitled, “Where’s this email from?” She replied, “Darling, Surely you must mean, ‘From where is this email?’ Love, Your grammatically correct wife.” – a 15-word reply. Yet when I look underneath what is displayed on the screen, I see the email actually contained 246 words. Where did it all come from?
The extra information included a return path with my beloved’s America Online (AOL) email address, her computer’s IP address (“IP” stands for “Internet Protocol” – every computer that is hooked up to a network has an IP address), the IP addresses of three other computers, both email addresses repeated another three times each, the names of three or four mail servers, and four date / time stamps. Oh, and lest I forget, there’s an ad for AOL at the end.
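
The hidden header data described above can be read programmatically. The following is an added example, not part of the original article: it parses a constructed sample message (the addresses, host names and IP addresses are placeholders from reserved example ranges) and lists the return path, each relay hop with its IP address and timestamp, and the displayed versus total word counts.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not the author's message): reserved example domains
# and documentation-range IP addresses only.
RAW = """\
Return-Path: <wife@example.com>
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbound.example.org with ESMTP id A1; Mon, 02 Apr 2007 10:15:09 -0700
Received: from relay.example.com (relay.example.com [203.0.113.25])
\tby mx.example.net with ESMTP id B2; Mon, 02 Apr 2007 10:15:07 -0700
Received: from home-pc ([192.0.2.44])
\tby relay.example.com with HTTP; Mon, 02 Apr 2007 13:15:05 -0400
From: wife@example.com
To: husband@example.org
Subject: Re: Where's this email from?
Date: Mon, 02 Apr 2007 13:15:04 -0400

Darling, surely you must mean, "From where is this email?"
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def trace(raw):
    """Return the return path, relay hops (sender first) and word counts."""
    msg = message_from_string(raw)
    hops = []
    # Every server prepends its own Received line, so the newest is on top;
    # reverse to read the path from the sender's machine outward.
    for rec in reversed(msg.get_all("Received", [])):
        info, _, stamp = " ".join(rec.split()).rpartition(";")
        by = re.search(r"\bby (\S+)", info)
        ip = IP_RE.search(info)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None  # malformed or missing timestamp
        hops.append({"by": by.group(1) if by else None,
                     "ip": ip.group(1) if ip else None,
                     "time": when})
    return {"return_path": msg["Return-Path"], "hops": hops,
            "shown_words": len(msg.get_payload().split()),
            "total_words": len(raw.split())}

if __name__ == "__main__":
    result = trace(RAW)
    print(result["return_path"], result["shown_words"], result["total_words"])
    for hop in result["hops"]:
        print(hop["time"], hop["ip"], "->", hop["by"])
```

Received lines written before the message reached a server the examiner trusts can be forged by the sender, so hop timestamps that run backwards or hosts that do not match their IP addresses are worth a closer look.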