Investigating and Implementing an Email Forensic Readiness Architecture

dc.contributor.advisor Venter, Hein S.
dc.contributor.postgraduate Van Staden, F.R.
dc.date.accessioned 2018-08-17T09:42:50Z
dc.date.available 2018-08-17T09:42:50Z
dc.date.created 2005/02/18
dc.date.issued 2017
dc.description Dissertation (MSc)--University of Pretoria, 2017.
dc.description.abstract Email forensic investigations rely on the collection and analysis of digital forensic evidence collected from email systems. Problems arise when the digital forensic evidence needed for the email forensic investigation is no longer available, or when there is a huge amount of email data that can be collected, which takes time to sift through to find the digital forensic evidence that is actually needed. The email digital forensic readiness (eDFR) architecture, as proposed in this dissertation, endeavours to address these problems. The eDFR architecture is based on the digital forensic readiness process described in ISO 27043. To ensure that the collected email data can be used as digital forensic evidence, a process to validate the collected email data was created. The validation process uses data collected from the email IP headers to validate the data in the SMTP headers, ensuring that the SMTP header data was not spoofed or in any way changed. The IP header data is stored in an audit database together with the email data so that the validation process can be executed at any time. An audit database is used to store the collected data to ensure that once the data is stored it cannot be tampered with. The digital forensic evidence collected using the eDFR architecture was found to be useable as part of an email forensic investigation. It was also found to be useful for other processes, such as creating a graph representation of email sent and received by an email system or a group of email systems. It was shown that implementing the eDFR architecture could be achieved in an economical way that has almost no impact on current email systems.
dc.description.availability Unrestricted
dc.description.degree MSc
dc.description.department Computer Science
dc.identifier.citation Van Staden, FR 2017, Tracing the origin of unsolicited electronic communication using digital forensics, MSc Dissertation, University of Pretoria, Pretoria, viewed yymmdd <http://hdl.handle.net/2263/66254>
dc.identifier.other A2018
dc.identifier.uri http://hdl.handle.net/2263/66254
dc.language.iso en
dc.publisher University of Pretoria
dc.rights © 2018 University of Pretoria. All rights reserved. The copyright in this work vests in the University of Pretoria. No part of this work may be reproduced or transmitted in any form or by any means, without the prior written permission of the University of Pretoria.
dc.subject UCTD
dc.title Investigating and Implementing an Email Forensic Readiness Architecture
dc.type Dissertation

