Lawyers are dealing with email evidence more and more in their cases. Law enforcement uses email evidence in investigations. Family law attorneys use email evidence to show what a spouse has been saying. Civil attorneys use email evidence to demonstrate facts on anything from defamation to knowledge of product defects. Email evidence is everywhere…but can we trust it?
This blog post is the first of a several-part series explaining email evidence. I will walk you through why a printout of an email alone is not enough to establish the authenticity of an email. Then I will teach you how to track down the origins of an email so you can prove (as best as possible) who really sent it.
How many times have you received a spam email claiming to be from your friend or even yourself? This happens because the “From” line of an email is easily forged. It is extraordinarily simple for a user to put any name they want into that From line. For this reason, you cannot trust the source of an email solely because of the “From” line.
If you want to see this for yourself, just open up a program like Outlook and create a new account. One of the first things Outlook will ask you to enter is your name. It has no way of confirming that you entered your true name.
To find out who really sent an email, you need to trace the email back to its origin.
Email Headers and IP Addresses
Every email has “headers” which contain information about how the email arrived in your inbox. When an email is sent, it travels through many servers across the internet. Each server adds a little bit of information to the header – mainly a date/time stamp and an IP address. When the email is first sent, the originating IP Address is stamped in the header. That IP Address is the key for finding who sent the email. When you just receive a printout of an email, you do not get this key IP Address information from the header.
An IP Address is like your street address on the internet. It is a unique address assigned by your Internet Service Provider (ISP). IP Addresses can be traced back to physical locations (such as a street address or building), and can often lead directly to a suspect. However, just like a street address, many people can “live” at a single IP Address. Unlike street addresses, your IP Address can change. Thus, the IP Address alone is not sufficient – you also need to know the date and time of the email so you can confirm who owned that IP Address at that specific date and time.
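As an added example (not from the original post), here is a short Python script that pulls the chain of “Received” headers out of a constructed sample message, extracts the IP address and date/time stamp each server added, and orders the hops from the sender's end to your inbox; every hostname and address in it is made up for illustration.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real email). Each relay prepends its own
# Received line, so the top one is the last hop and the bottom one the first.
RAW_EMAIL = b"""\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
    by inbox.example.com with ESMTP id 42; Tue, 3 Mar 2020 14:05:10 +0000
Received: from outbound.example.org ([198.51.100.23])
    by mx2.example.net with SMTP; Tue, 3 Mar 2020 14:05:02 +0000
Received: from [192.0.2.44] (helo=laptop) by outbound.example.org
    with ESMTPA; Tue, 3 Mar 2020 09:04:55 -0500
From: "Your Friend" <friend@example.org>
To: you@example.com
Subject: Test

Body text.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received_chain(raw):
    """Return Received hops oldest first: the connecting host's IP (from the
    'from' clause), the relay's timestamp, and the unfolded header text."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())          # unfold continuation lines
        from_clause = text.split(" by ", 1)[0]  # IP belongs to the 'from' host
        ip_match = IPV4.search(from_clause)
        stamp = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        hops.append({"ip": ip_match.group(1) if ip_match else None,
                     "timestamp": stamp, "raw": text})
    hops.reverse()  # headers are newest first; investigators read oldest first
    return hops


def originating_hop(raw):
    """The first hop: IP and time stamped by the server nearest the sender.
    A sender can forge Received lines beneath the genuine ones, so trust only
    hops added by servers you know, and check timestamps never go backwards."""
    return parse_received_chain(raw)[0]


if __name__ == "__main__":
    for hop in parse_received_chain(RAW_EMAIL):
        print(hop["timestamp"].isoformat(), hop["ip"])
```

The timestamp on the originating hop is the one to pair with the IP address when asking an ISP who held that address at that moment.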
In the next blog post, I will discuss more about IP Addresses – what they are, how they work, and how to trace them. I will continue to walk you through a full and complete email evidence investigation.