
How are emails verified as evidence?

  • 12-01-2016 7:42am
    #1
    Registered Users, Registered Users 2 Posts: 2,237 ✭✭✭


    This is a hypothetical really.

    So you'll often see emails being referenced in various investigations, court trials etc.

    How are these verified to be legitimate? I mean a print out is merely just that.

    Is there some technical aspect to this in "Discovery" where a techie will look at the email's message source such as headers, server addresses etc?

    Secure signing of emails hasn't really taken off in the general world (except for big business) so messages generally can't be validated by means of cryptographic signature vs specified sender.

    Any ideas?

    It was a toss-up between posting here and the IT/Development forum, not sure where I'll get the best answer..

    Cheers


Comments

  • Closed Accounts Posts: 6,087 ✭✭✭Pro Hoc Vice


    techguy wrote: »
    This is a hypothetical really.

    So you'll often see emails being referenced in various investigations, court trials etc.

    How are these verified to be legitimate? I mean a print out is merely just that.

    Is there some technical aspect to this in "Discovery" where a techie will look at the email's message source such as headers, server addresses etc?

    Secure signing of emails hasn't really taken off in the general world (except for big business) so messages generally can't be validated by means of cryptographic signature vs specified sender.

    Any ideas?

    It was a toss-up between posting here and the IT/Development forum, not sure where I'll get the best answer..

    Cheers

    I assume the question you are asking is how can an e-mail be verified? Like any evidence for court, at first instance someone must give the evidence to the court while in the box. For example, I get into the box in a contract dispute and say I got an email on such a day and such a time and here, judge, is a copy; that on its face should be enough. If of course the other side have an issue with the email (they believe it was not sent in that form etc.), then of course they can seek discovery of the email in original form and/or inspection of the computer and have an expert produce evidence that the email, or for that matter any document, has been altered.


  • Registered Users, Registered Users 2 Posts: 2,237 ✭✭✭techguy


    I assume the question you are asking is how can an e-mail be verified? Like any evidence for court, at first instance someone must give the evidence to the court while in the box. For example, I get into the box in a contract dispute and say I got an email on such a day and such a time and here, judge, is a copy; that on its face should be enough. If of course the other side have an issue with the email (they believe it was not sent in that form etc.), then of course they can seek discovery of the email in original form and/or inspection of the computer and have an expert produce evidence that the email, or for that matter any document, has been altered.

    Ah ok, I understand.

    Kind of like how tax returns are made.. all taken on face value unless the tax authority wants to perform an audit?

    I was kind of hoping for a more technical answer though.

    Thanks for your input.


  • Closed Accounts Posts: 6,934 ✭✭✭MarkAnthony


    techguy wrote: »
    Ah ok, I understand.

    Kind of like how tax returns are made.. all taken on face value unless the tax authority wants to perform an audit?

    I was kind of hoping for a more technical answer though.

    Thanks for your input.

    If you want to go down a (small) rabbit hole, you could look at the application (or not) of the postal rule to e-mail.


  • Moderators, Society & Culture Moderators Posts: 9,794 Mod ✭✭✭✭Manach


    From the IT standpoint the factual evidence about the content of email and delivery options could be found on the email server. That the legal chain of evidence is preserved, i.e. no tampering etc., could be checked by using computer forensics techniques, and offhand there are a number of books on the subject: Digital Evidence by Casey is one I skimmed through.


  • Closed Accounts Posts: 1,420 ✭✭✭esforum


    There would be different requirements in civil law and criminal. In civil law the burden of proof is lesser and people can be taken on their word much more, so as above, giving direct evidence of the email would be enough pending the other side's counter argument.

    In criminal cases a trained specialist must give evidence of retrieval, their qualifications and how they can prove it's legit.


  • Registered Users, Registered Users 2 Posts: 10,967 ✭✭✭✭Zulu


    1. The user's account details are provided to an investigator.
    2. That investigator will extract the email data (depending on the email setup - they export the account email to PST or similar). PSTs are great as they maintain the metadata. There are a number of forensic copy tools like FTK Imager/EnCase/X-Ways etc. to complete a forensically sound copy (typically MD5 copy) of the data (via a write blocker - which ensures read only access).
    3. 2 copies are made of the extracted data. One gets sealed in an evidence bag, and the other is used in the investigation (this defends against the argument that the data was later altered). Chain of custody is maintained.
    4. The copy is investigated for evidence/discovery. Any relevant data is handed over during discovery.
    5. A printed version of the data forensically copied is presented in court.

    So in short a forensic copy is made of the data from the source, and a copy of this is presented in court.

    The forensic investigator may be challenged, and their process questioned. It may then come down to an argument between the tech people on both sides, but there are accepted standards, and professional qualifications. Assuming no one has made a massive blunder, it's standard stuff and has been defended a number of times previously.

    There will always be the outstanding argument - how can you prove that techguy was the person logged on at the time and sending the email? But this argument will be weighted with other evidence.
    If it was that single simple point, you'd try to establish a timeline around the event, search CCTV, seek other evidence that the user was at their computer at that time.
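
The hash-and-verify part of the procedure above, as an added example that is not part of the original post: it hashes a mailbox export, makes the sealed and working copies, and shows that a later one-byte change to the working copy is detected. The function names, the `custody.json` record and the SHA-256 digest alongside MD5 are assumptions of this sketch, the export file is a constructed stand-in, and the write blocker is not modelled.

```python
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def digests(path, chunk=1 << 20):
    """Stream a file once and return its MD5 and SHA-256 digests."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}

def acquire(source, dest_dir, examiner):
    """Make the sealed and working copies, verify each, write a custody record."""
    source, dest_dir = Path(source), Path(dest_dir)
    reference = digests(source)
    record = {"source": source.name, "examiner": examiner,
              "acquired_utc": datetime.now(timezone.utc).isoformat(),
              "digests": reference, "copies": {}}
    for role in ("sealed", "working"):
        copy = dest_dir / f"{role}_{source.name}"
        shutil.copyfile(source, copy)
        if digests(copy) != reference:
            raise OSError(f"{role} copy does not match the source")
        record["copies"][role] = str(copy)
    (dest_dir / "custody.json").write_text(json.dumps(record, indent=2))
    return record

def verify(record):
    """Re-hash each copy against the digests recorded at acquisition."""
    return {role: digests(path) == record["digests"]
            for role, path in record["copies"].items()}

def demo():
    """Constructed run: acquire, verify, alter one byte of the working copy, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "mailbox_export.pst"  # constructed stand-in, not a real PST
        export.write_bytes(b"constructed mailbox bytes\n" * 4096)
        rec = acquire(export, tmp, "examiner-01")
        before = verify(rec)
        working = Path(rec["copies"]["working"])
        data = bytearray(working.read_bytes())
        data[100] ^= 0x01
        working.write_bytes(bytes(data))
        return before, verify(rec)
```

Calling `demo()` returns the verification result before and after the alteration; the sealed copy still matches the recorded digests while the working copy no longer does.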


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    It's worth adding that emails are (typically) both sent and received, so the above process could potentially be repeated across 2 or more servers for corroboration.

    Also, email servers will often record logs, which could at least be used to corroborate metadata (i.e. that an email was transmitted, when and who from/to).

    Some larger organisations will also have an ediscovery process which will allow them to place holds on any emails or related data which may be required for legal proceedings.

    I've no direct experience of any of the above, but my guess would be that the nature and severity of the legal dispute, and the probability of evidence being challenged, determines how much of the above actually takes place. i.e. for a small claims court case, a print out from gmail would probably be enough, but no stone would be left unturned for a serial killer going on trial.
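
The log corroboration described above, as an added example that is not part of the original post: it takes a message as produced in evidence and checks its Message-ID, sender, recipient, delivery status and time against what a mail server logged. The log lines are constructed in Postfix style, the message and addresses are constructed, and the function names, the single-recipient handling and the UTC log clock are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample data: Postfix-style log lines and the message produced in evidence.
LOG = """\
Jan 12 07:41:58 mx1 postfix/cleanup[2211]: 4F1A2C0D3E: message-id=<20160112074158.1234@mail.example.org>
Jan 12 07:41:58 mx1 postfix/qmgr[1100]: 4F1A2C0D3E: from=<alice@example.org>, size=1432, nrcpt=1 (queue active)
Jan 12 07:41:59 mx1 postfix/smtp[2213]: 4F1A2C0D3E: to=<bob@example.net>, relay=mx.example.net[192.0.2.25]:25, status=sent (250 OK)
"""
EML = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Date: Tue, 12 Jan 2016 07:41:57 +0000
Message-ID: <20160112074158.1234@mail.example.org>

Agreed as discussed.
"""
LINE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ postfix/\w+\[\d+\]: ([0-9A-F]+): (.*)$")
FIELD = re.compile(r"\b(message-id|from|to|status)=<?([^>,\s]+)")

def index_log(text):
    """Collect the fields logged for each queue ID, keyed by Message-ID."""
    queues = {}
    for line in text.splitlines():
        if m := LINE.match(line):
            entry = queues.setdefault(m.group(2), {"stamp": m.group(1)})
            entry.update(FIELD.findall(m.group(3)))
    return {q["message-id"]: q for q in queues.values() if "message-id" in q}

def corroborate(eml_text, log_text, tolerance=timedelta(minutes=5)):
    """Compare the produced message's headers with what the server logged."""
    msg = message_from_string(eml_text)
    entry = index_log(log_text).get((msg["Message-ID"] or "").strip("<> "))
    if entry is None:
        return {"logged": False}
    sent = parsedate_to_datetime(msg["Date"])
    # Assumption: the log host's clock is UTC; syslog stamps carry no year or zone.
    stamp = f"{sent.year} {entry['stamp']}"
    logged = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "logged": True,
        # Header From can legitimately differ from the envelope sender (lists, relays).
        "sender": parseaddr(msg["From"])[1].lower() == entry.get("from", "").lower(),
        "recipient": parseaddr(msg["To"])[1].lower() == entry.get("to", "").lower(),
        "delivered": entry.get("status") == "sent",
        "time": abs(logged - sent) <= tolerance,
    }
```

A mismatch on any field is a prompt for closer examination of the original message and the other server's records, not a finding on its own.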


  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    Adopting a purist legal approach, one might look at the Electronic Commerce Act, 2000. Having read that Act, then one might be drawn to read, in particular, Section 22.

    Section 22 reads as follows:
    Admissibility.

    22.—In any legal proceedings, nothing in the application of the rules of evidence shall apply so as to deny the admissibility in evidence of—

    (a) an electronic communication, an electronic form of a document, an electronic contract, or writing in electronic form—

    (i) on the sole ground that it is an electronic communication, an electronic form of a document, an electronic contract, or writing in electronic form, or

    (ii) if it is the best evidence that the person or public body adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form,

    or

    (b) an electronic signature—

    (i) on the sole ground that the signature is in electronic form, or is not an advanced electronic signature, or is not based on a qualified certificate, or is not based on a qualified certificate issued by an accredited certification service provider, or is not created by a secure signature creation device, or

    (ii) if it is the best evidence that the person or public body adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form.

    Sections 9 and 17 are also of note.

    In terms of getting into the postal rule (at all), one must look at the case of Entores Ltd v Miles Far East Corporation [1955] EWCA Civ 3, which in summary says that the regular postal rule did not apply for instantaneous means of communications such as a telex. Instead, acceptance occurs where the message of acceptance is read.

    I of course have taken the more legalistic route to endeavouring to answer the Original Poster's question, as a matter of law and supported correctly, but please don't hold that against me.

    In respect of discovery, that is a different matter. Which could take a long post to address.


  • Registered Users, Registered Users 2 Posts: 4,401 ✭✭✭arctictree


    What if the email server being used is a public one like gmail or hotmail. Is it possible to get Google to provide a log of emails sent from an account?


  • Registered Users, Registered Users 2 Posts: 10,967 ✭✭✭✭Zulu


    arctictree wrote: »
    What if the email server being used is a public one like gmail or hotmail. Is it possible to get Google to provide a log of emails sent from an account?

    You mean web mail? It's possible...

    But not likely for litigation. I suspect a warrant would be required by Google/MS/whoever before they'd consider handing over data, and then you're into the whole jurisdiction malarkey.

    For MS, I understand that the email content is kept separate to email headers/metadata, hence the current legal case in the States. IIRC the email body data is maintained in Ireland. Suffice to say with web mail it's a quagmire.

