How Many Sources Can There Be for an Email Collection? You Might Be Surprised!

MS Exchange Server or M365 via Exchange Web Service (EWS): When it comes to Outlook email, much of email today is stored on MS Exchange servers. More organizations are moving to M365 (formerly known as Office 365) for all of their Office data, including Outlook email.  Regardless, both sources can be accessed via Exchange Web Service (EWS). Emails can be preserved faster and more accurately without having to configure the target MS Exchange server for Internet Mail Access Protocol (IMAP) access.

Microsoft Graph: Another way to collect email from M365 is via the Microsoft Graph API. Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources, including M365 mailboxes.  With the Microsoft Graph API, you can not only connect to M365 mailboxes, you can also connect to Microsoft’s consumer accounts such as Hotmail, Outlook.com and Live. Graph API also provides support for modern authentication and powerful search capabilities, so it’s especially useful for M365 file collections that need to be culled during collection.

PST Email Archives: Some email collections aren’t even stored on servers – they can be stored on individual workstations or even storage media. A Personal Folders file (.PST) is an Outlook data file used to store local copies of messages, calendar events, and other items from your Exchange mailbox.  Many people use PST files to access their email archives when they’re offline (such as when working on an airplane) or they also save archive emails locally when they might otherwise be deleted automatically from the server.  It’s important to interview custodians and assess computers, workstations and storage media (e.g., “flash” drives) to identify PST files that might exist which could contain unique emails not otherwise located in server or web-based locations.

MSG or EML Files: Have you ever saved an individual Outlook or Outlook Express message? You can do so, and each message is saved as an individual file.  Outlook saves them as MSG files and Outlook Express (which isn’t as commonly used anymore but could still be encountered in legacy environments) saves them as EML files.  Just as with PST files, it’s important to interview custodians and assess computers, workstations and storage media to identify the potential existence of these files for collection.

Gmail and Google Suite via REST API: Not every office uses the Microsoft Office suite. Many use Gmail and Google Suite to manage their email and work product and, sometimes, personal email can be relevant to a case (here’s one recent example where that happened).  Gmail Application Programming Interface (API) supports the ability to authenticate and collect using automatic and forensically sound standards to acquire mailboxes at high speed. Experienced forensic collectors are able to collect emails efficiently by not having to download the same message multiple times because of overlapping labels.

IMAP and POP3: There are other sources of email as well, and those can be collected through Internet Message Access Protocol (IMAP) and Post Office Protocol version 3 (POP3). For these email sources, collection specialists connect to servers in a read-only manner which preserves the email evidence without modifying the target mailbox. Outlook.com, Hotmail, Yahoo Mail, Zoho, iCloud and AOL Mail are just a few of the many providers from which email can be collected.