Analyzing an email archive for an electronic discovery investigation

  

Scenario

D&B is conducting a very large electronic discovery (eDiscovery) investigation for a major client. This case is so large that dozens of investigators and analysts are working on specific portions of the evidence in parallel to save time and improve efficiency.

Since this is the first time you will be working on this type of investigation for D&B, your manager gives you a “test” (a sample email archive) so she can assess whether you need additional training before you begin working with the rest of the team on the eDiscovery case. Your manager tells you that this archive was extracted from a hard drive image marked “suspect,” but at present nothing more is known about the user. She expects you to examine the archive and document all findings that might be of interest to a forensic investigator. She explains that she will use your report to evaluate your investigation skills, logic and reasoning abilities, and reporting methods.

Tasks

• Review the information about email forensics and Paraben P2 Commander E-mail Examiner (EMX) in the chapter titled “Email Forensics” in the course textbook.

• Using P2 Commander E-mail Examiner, create a case file, select Add Evidence, and import the email archive (filename: Outlook.pst). P2 Commander will automatically begin sorting and indexing if you choose that option.

• Search for information about the user; your goal is to learn as much as possible about who the user is and what he or she has been doing. You may find evidence in the inbox or other mailboxes. You can use E-mail Examiner features to help you keep track of the evidence you identify, for instance, by bookmarking sections of interest and exporting attachments.

• Write a report in which you:

o Document your investigation methods.

o Document your findings. Explain what you found that may be of interest to a forensic investigator, and provide your rationale for including each selection.

Use the attached screenshot to complete this question.
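The sketch below is an added example, not part of the assignment or of P2 Commander: it shows one way to cross-check the findings in your report by tabulating correspondents and hashing attachments. It assumes the messages of interest have already been exported from the examiner as RFC 822 (.eml) data; the function names, addresses, and sample messages are constructed for illustration.

```python
import hashlib
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

def build_sample(sender, to, subject, attachment=None):
    """Build one constructed message (sample data, not from Outlook.pst)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg["Date"] = "Mon, 03 Mar 2014 09:15:00 +0000"
    msg.set_content("constructed body")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

def triage(raw_messages):
    """Summarise exported messages for the findings section of a report."""
    seen, attachments = Counter(), []
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        addrs = set()
        for header in ("From", "To", "Cc"):
            values = [str(v) for v in msg.get_all(header, [])]
            addrs.update(a.lower() for _, a in getaddresses(values) if a)
        seen.update(addrs)  # count each address once per message
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            attachments.append({
                "subject": str(msg["Subject"]),
                "filename": part.get_filename(),
                "size": len(data),
                # A hash lets another examiner confirm they hold the same file.
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    # Heuristic: the mailbox owner is the address present on the most messages.
    owner = seen.most_common(1)[0][0] if seen else None
    contacts = {a: n for a, n in seen.items() if a != owner}
    return {"likely_owner": owner, "contacts": contacts,
            "attachments": attachments}

ATTACHMENT = b"constructed attachment bytes"
SAMPLE = [  # constructed messages
    build_sample("a@example.com", "user@example.com", "Meeting"),
    build_sample("b@example.com", "user@example.com", "Invoice"),
    build_sample("user@example.com", "a@example.com", "Plan",
                 ("plan.xls", ATTACHMENT)),
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The owner heuristic is only a lead: confirm it against display names, signatures, and the Sent Items folder before stating it as a finding.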

Required Resources

▪ Course textbook

▪ Outlook.pst file (email archive)

▪ Internet access
