Email investigation is an important part of gathering digital evidence, since electronic messages are a primary medium for both communication and information sharing. Examining them can surface important pieces of information hidden behind the scenes.
One golden rule when searching seized email messages for evidence is to always work on a replicated copy of the original message, never on the original itself. Another point to remember is not to take even a single bit of information lightly, as it may hold crucial hints and references.
Email Investigation Becomes Elementary
Forensic investigation and analysis is a vast arena that includes the task of searching seized emails to obtain evidence. With changes in time and technology, the methods for finding evidence have evolved into more sophisticated techniques.
Such a study can be carried out efficiently because commercial tools with advanced features are available. MailXaminer is one such forensic tool; it integrates advanced search algorithms that make the searching process easier.
How to Search Seized Emails to Obtain Evidence with MailXaminer
The email investigation process can be made easier, and hidden evidence can be extracted from electronic messages, with the help of the software, a forensic analysis solution.
The software provides extensive and advanced search options: the investigator enters a keyword, and all corresponding messages are displayed in the preview pane within the tool.
To understand the underlying technology, it is important to know how messages are searched to extract evidence and how the tool interprets the search criteria.
MailXaminer Search Criteria - Elaborated
The forensic software offers four major search categories: General, Predefined, Advance and Proximity search. Each contains many sub-categories, which are elaborated in the sections that follow.
#1- General Search:
Under this approach, the search is run by entering keywords in the available text box. The tool then finds all emails containing the specified keywords.
- Logical Operators:
To refine the search criteria, the logical operators AND, OR and NOT can be used. When two or more fields (for example ‘To’ and ‘Subject’) are added to the search criteria, the tool searches the email messages according to the operator provided:
- AND: both the ‘To’ and the ‘Subject’ field contain the specified keyword.
- OR: either the ‘To’ or the ‘Subject’ field fulfils the specified criteria.
- NOT: the specified keyword must not exist in either the ‘To’ or the ‘Subject’ field.
Several sub-search criteria are included under this section and are summarised here:
- Wildcard Search:
When a symbol such as ‘?’ or ‘*’ is added to a set of characters that form part of a word, every related word containing the specified characters is displayed.
- Asterisk: if the word ‘circum’ is specified in the search criteria together with the ‘*’ sign, all words containing that set of characters are displayed in the result pane, such as Circumference, Circumstance, Circumstantial, etc.
- Question Mark: if the search is defined with ‘?’, such as ‘in?’, all words containing ‘in’ are displayed, such as including, inspiration, information, inclusive, etc.
- Regular Expression Search:
This criterion is more formal: the given expression is evaluated as a pattern against the message text. Some examples are:
- [cm]+al: results could be calculation, malfunction, automatically, critical, etc.
- [bw]?at: results could be batch and watch, as well as automatically and Sat.
- Stem Search:
If there is uncertainty about the exact word that exists in the emails, the stem search criterion can be used to find the accurate word, name, place or substance.
For example, if the investigator is unsure of the name of a person mentioned in the emails but knows that it starts with ‘Ali’, that fragment can be entered in the search box, and any name or word containing these characters is highlighted (Alisa MacGrill, Aliena Peter, etc.).
- Fuzzy Search:
This search lists all words that contain the specified set of characters anywhere in the text: words that begin or end with the specified characters as well as those that contain them somewhere in the middle. For example, the result for the search key ‘res’ will be ‘Press’, ‘response’, ‘residence’, etc.
- Add Criteria:
This option adds fields to the search criterion, such as ‘Subject’, ‘Bcc’, ‘MD5’, ‘Modification Date’, ‘Importance’, ‘Received Date’, etc. A keyword can be specified for each field to refine the search, and fields can be added or removed as required.
#2- PreDefined Search:
A category can be selected from the provided options, including Phone Number, Addresses, URLs, Date and Time, Personal Identifiers, Postal Code, Product Keys and Others. A sub-category can then be selected according to the criteria and requirements.
For example, if ‘URL’ is selected in the Category section, the ‘Internet URL’ option has to be chosen in the sub-category column. The URL addresses present in the email messages are then listed in the preview pane of the tool.
#3- Advance Search:
Under this category, an email field such as ‘From’, ‘Bcc’, ‘Cc’, ‘Subject’, etc. is selected, and keywords are entered in the ‘Starts with’ and ‘Ends with’ columns along with a logical operator. The respective field can also be switched to the ‘Contains’ alternative.
For example, to search for an email message that starts with ‘Please’ and contains ‘attachment’ somewhere in the body, enter those words in the search criteria; any sentence matching the criterion is displayed in the result bar, e.g. “Please find the attachment enclosed herein”.
Here, logical operators work as described in the Logical Operators section above.
#4- Proximity Search:
Proximity search finds words that occur within a specified distance of each other. It locates two words separated by no more than a specified number of intervening words and therefore serves as an approximate search.
For example, to find the sentence ‘Regarding the evidences, it is being informed’, ‘Regarding informed’ can be entered as the keyword and ‘5’ entered in the ‘Distance between words’ column. As a result, this sentence, or any similar result matching the criteria, is highlighted in the view pane.
MailXaminer is built on a high-performance search mechanism that delivers accurate and efficient results. The search criteria elaborated in the sections above make the investigation task easier. Emails matching the specified keywords or criteria are displayed in the result bar instantly. It can therefore be concluded that the tool provides a complete platform for searching seized emails to obtain evidence.