Forensic Email Preservation Best Practices

Environment

We recommend that you maintain a clean acquisition environment that can be reset to its default configuration as needed. An easy way to accomplish this is to use a virtual machine for forensic preservation. At the end of each acquisition, the virtual machine can be reverted to a past, clean snapshot. The use of a virtual machine also makes it easier to document your acquisition with screenshots and screen recordings, gives you control over network connectivity, and helps isolate the acquired data from your physical forensic workstation.

Preparation

End-user actions such as moving or deleting messages, as well as automated client actions such as classifying messages as spam and moving them into a "Junk Mail" folder, can make some items inaccessible during forensic preservation. Additionally, concurrent end-user mailbox access contributes to server-side throttling and slows down forensic preservation. We recommend that you advise end-users to keep activity in the target mailboxes to an absolute minimum while forensic preservation is in progress.

Authentication

When possible, we recommend the use of FEC Remote Authenticator for authentication. This allows the end-user to authorize the email preservation without sharing their account password or multi-factor credentials. We recommend that you notify the end-user at the conclusion of the email preservation so that they can revoke Forensic Email Collector's access. Additionally, we recommend that you customize the scopes that FEC Remote Authenticator requests when possible so that FEC is granted only the minimum permissions needed to complete your acquisition.

Similarly, if using domain-wide delegation of authority, remove the service account's domain-wide delegation in the Google Admin console at the conclusion of the forensic preservation.

Modern Authentication

If you receive an FEC Remote Authenticator token, you will not need to authenticate using the main FEC application. However, if you are acquiring a mailbox in the field or must authenticate within the main FEC application for another reason, we recommend the following:

Modern authentication takes place through the service provider's web interface. Even if you are using a virtual machine, we recommend that you use an incognito/guest browser profile for modern authentication so that login sessions are not cached on your acquisition computer/VM. For example, you can accomplish this using Chrome as follows:

  1. Make sure that Chrome is the default system browser.
  2. From the profiles list in Chrome (upper right corner), choose Guest. This will open a new browser window with the Guest profile activated. Leave this window open.
  3. Close any other Chrome windows so that the only remaining window is the one associated with the Guest profile.
  4. Proceed with your acquisition in FEC using modern authentication. If you are prompted to select a profile, choose the option to prevent the profile selection dialog from being displayed in the future.

Network Traffic

Depending on the requirements of your case, you may wish to capture your network traffic with a tool such as Wireshark during forensic preservation. This would supplement the detailed logs FEC keeps of the acquisition.

Trusted Timestamping

Forensic Email Collector supports trusted timestamping of its logs as per RFC 3161. We recommend that you enable this option during acquisitions. You can read more about this below:

Trusted Timestamping - Metaspike Knowledge Base
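
The practical point of RFC 3161 is that the timestamp authority (TSA) never sees the log: the client hashes the log locally, sends only that hash (the "message imprint") in a TimeStampReq, and the TSA signs the hash together with its clock reading. Later verification is therefore two steps: re-hash the log and compare it to the imprint in the token, then validate the TSA signature and certificate chain. The following is an added example written for this page, not FEC's or Metaspike's code, and it makes no claim about how FEC formats its logs or where it stores tokens; the log text is constructed. It hand-encodes the TimeStampReq in DER from the standard library and parses it back so you can see exactly what is bound by the timestamp. The OID, structure and field order are those of RFC 3161 with a SHA-256 imprint; the `nonce` parameter is a hypothetical name for the request's optional nonce field.

```python
"""Build and inspect an RFC 3161 TimeStampReq for an acquisition log (added example)."""
import hashlib
import hmac

# id-sha256 (2.16.840.1.101.3.4.2.1). The TSA only ever sees this hash, never the log itself.
SHA256_OID = (2, 16, 840, 1, 101, 3, 4, 2, 1)


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(n):
    """Minimal encoding of a non-negative INTEGER (leading 0x00 added when the top bit is set)."""
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _der_oid(arcs):
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_ts_request(data, nonce=None, cert_req=True):
    """TimeStampReq ::= SEQUENCE { version INTEGER(1), messageImprint, nonce OPTIONAL, certReq BOOLEAN }."""
    digest = hashlib.sha256(data).digest()
    alg_id = _tlv(0x30, _der_oid(SHA256_OID) + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    imprint = _tlv(0x30, alg_id + _tlv(0x04, digest))        # MessageImprint
    body = _der_int(1) + imprint
    if nonce is not None:
        body += _der_int(nonce)  # hypothetical parameter; a random nonce defeats replayed responses
    if cert_req:
        body += b"\x01\x01\xff"  # certReq TRUE: ask the TSA to include its signing certificate
    return _tlv(0x30, body)


def _read_tlv(buf, pos):
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _oid_to_str(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_ts_request(der):
    """Return version, hash OID and imprint from a TimeStampReq; ValueError on bad outer framing."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, version, pos = _read_tlv(seq, 0)
    _, imprint, pos = _read_tlv(seq, pos)
    _, alg_id, ipos = _read_tlv(imprint, 0)
    _, oid, _ = _read_tlv(alg_id, 0)
    _, digest, _ = _read_tlv(imprint, ipos)
    return {"version": int.from_bytes(version, "big"),
            "hash_oid": _oid_to_str(oid),
            "imprint": digest}


def imprint_matches(data, der):
    """Step one of verification: re-hash the log and compare with the imprint the TSA signed."""
    req = parse_ts_request(der)
    if req["hash_oid"] != ".".join(str(a) for a in SHA256_OID):
        return False
    return hmac.compare_digest(hashlib.sha256(data).digest(), req["imprint"])


# Constructed stand-in for an acquisition log; FEC's real log format is not reproduced here.
SAMPLE_LOG = b"2024-01-01 10:00:00 Acquisition started\n2024-01-01 10:05:00 Acquired 1234 items\n"

if __name__ == "__main__":
    req = build_ts_request(SAMPLE_LOG)
    print(req.hex())
    print(parse_ts_request(req))
    print(imprint_matches(SAMPLE_LOG, req), imprint_matches(SAMPLE_LOG + b"x", req))
```

The request produced without a nonce has the same structure that `openssl ts -query -data LOG -sha256 -no_nonce -cert` emits, so `openssl ts -query -in req.tsq -text` will show the same imprint. Step two, checking the TSA signature on the response you keep with the log, is `openssl ts -verify -data LOG -in response.tsr -CAfile tsa-chain.pem` (use `-token_in` if you stored the bare token rather than the full response). Keep the response or token with the log it covers: without it the timestamp cannot be re-verified, and without the TSA certificate chain the signature cannot be validated.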

Output

We recommend that you store the output of your forensic preservation on a drive that is separate from the internal drive of your forensic workstation. A common practice is to use an encrypted (e.g. BitLocker), high-speed external drive formatted with NTFS. Alternatively, you can output to a designated network storage location (e.g., SAN, NAS, etc.) where your organization stores electronic evidence.

While it is possible to stop an acquisition, migrate the acquired data to a larger drive, and resume the acquisition if needed, we strongly recommend that you estimate the storage needs of your acquisition and output to a drive with sufficient capacity.

Depending on your standard operating procedure, make a second copy of the acquired data at the conclusion of your acquisition.

Forensic Email Collector sets file system timestamps of the acquired files to reflect important server metadata. If acquired evidence needs to be moved/copied, we strongly recommend using a process that preserves file system metadata.
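
The check a practitioner wants after moving evidence is not just "did every file arrive" but "did every file arrive byte-for-byte and with its timestamps intact", since the timestamps carry server metadata. The following is an added example written for this page, not FEC's or Metaspike's code: it copies a tree with `shutil.copy2` (which carries modification and access times across, unlike a plain `copyfile`), then verifies the copy by re-hashing every file and comparing modification times, and shows how a naive copy fails that verification. The sample message tree and the server date are constructed. Note the limits: `copy2` does not carry NTFS creation time or alternate data streams, so on Windows use a copy method that does (for example `robocopy /COPY:DAT /DCOPY:T` or a forensic imaging tool) and run this kind of verification afterwards.

```python
"""Copy an evidence tree preserving timestamps, then verify content and mtimes (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def copy_evidence(src, dst):
    """copy2 preserves mtime/atime and mode bits; it does not preserve NTFS creation time or ADS."""
    shutil.copytree(src, dst, copy_function=shutil.copy2)


def verify_copy(src, dst, mtime_tolerance_ns=0):
    """Return a list of discrepancies; an empty list means every file matches by content and mtime.
    Raise the tolerance (e.g. 2 s) when the destination filesystem has coarser timestamp resolution."""
    src, dst = Path(src), Path(dst)
    problems = []
    for p in sorted(x for x in src.rglob("*") if x.is_file()):
        rel = p.relative_to(src)
        q = dst / rel
        if not q.is_file():
            problems.append(f"missing in copy: {rel}")
            continue
        if sha256_file(p) != sha256_file(q):
            problems.append(f"content differs: {rel}")
        if abs(p.stat().st_mtime_ns - q.stat().st_mtime_ns) > mtime_tolerance_ns:
            problems.append(f"mtime not preserved: {rel}")
    for q in dst.rglob("*"):
        if q.is_file() and not (src / q.relative_to(dst)).exists():
            problems.append(f"unexpected file in copy: {q.relative_to(dst)}")
    return problems


def run_demo():
    """Constructed sample tree; the mtimes stand in for the server dates FEC would have set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "acquired"
        (src / "Inbox").mkdir(parents=True)
        (src / "Inbox" / "msg1.eml").write_bytes(b"From: a@example.com\r\nSubject: one\r\n\r\nhello\r\n")
        (src / "Inbox" / "msg2.eml").write_bytes(b"From: b@example.com\r\nSubject: two\r\n\r\nworld\r\n")
        server_time_ns = 1_600_000_000 * 10**9  # 2020-09-13 UTC, the pretend server date
        for f in (src / "Inbox").iterdir():
            os.utime(f, ns=(server_time_ns, server_time_ns))

        good = root / "copy_preserving"
        copy_evidence(src, good)
        good_result = verify_copy(src, good)

        naive = root / "copy_naive"
        shutil.copytree(src, naive, copy_function=shutil.copyfile)  # content only; mtime becomes "now"
        naive_result = verify_copy(src, naive)
        return good_result, naive_result


if __name__ == "__main__":
    ok, bad = run_demo()
    print("preserving copy:", ok or "verified")
    print("naive copy:", bad)
```

Record the verification output (or a manifest of hashes and mtimes produced the same way) alongside the second copy; it is the evidence that the move did not alter what FEC wrote.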

We recommend that you always keep the MIME output option selected. This results in RFC 5322 output which is typically the closest one can get to the original form of the messages when acquiring them over the internet. Numerous investigative techniques rely on the availability of the messages in MIME format.

If you are planning to acquire Google Drive attachments during email preservation, choose at least one item-level output option such as MIME or MSG. This allows FEC to package Drive attachments and their revisions with the parent emails for context.

Quality Control

As with any forensic task, quality control is a crucial part of forensic email preservation. The following data points are suggested for QA/QC. The list is not comprehensive and should be adapted to your operational requirements.

  • Ensure that you acquired the intended target mailbox—especially if using delegate access, impersonation, or domain-wide delegation of authority.
  • Check FEC's Exception Logs for any errors. If you see any unresolved errors, determine the root cause and find out if anything can be done to resolve them (see Error Message Cheat Sheet).
  • Check FEC's Acquisition Log to make sure that the correct acquisition settings were used, and that the acquisition was completed successfully. The Acquisition Summary section of the log contains details that are well suited for quality control.
  • If the acquisition contains any remaining items, resume the acquisition to acquire them. You can find evidence of any remaining items in the latest Acquisition Log and Remaining Items Log.
  • If you used an in-place search to narrow down the data set before the acquisition, verify that the search returned the expected results and that the service provider did not cap the in-place search results. FEC also attempts to detect in-place search caps and reports them in the Acquisition Log.
  • Verify that the necessary case details (e.g., case name, custodian info, evidence ID, etc.) were entered during the acquisition setup. These data points are recorded in FEC's Acquisition Logs. If they were not entered, store this information with the acquisition and document what happened.
  • If modern authentication was used, ensure that there aren't any active login sessions to your target account on any web browsers in your control and that the outstanding authorization to FEC was revoked at the conclusion of the acquisition.