LITIGATION AND PRACTICE SUPPORT
WWW.ILTANET.ORG | ILTA WHITE PAPER
Gotchas Related to Email Forensics
The plaintiff in a civil litigation engaged three competing vendors to identify responsive emails, and each returned markedly different results. To a logical mind this is confusing. After all, an email message either exists in a collection or it doesn't, right?

All three vendors had access to backup copies of what was believed (but later disproved) to be the complete set of email database backups for the time period in question. Why, then, were their results so drastically different? The answer lies in understanding how database systems store their data.
Inaccessible Data
Modern email systems (such as Microsoft Exchange and IBM Notes) are built on database technology. A database is a structure designed to create, modify and delete the data it contains efficiently. It does this by maintaining searchable indexes of the key attributes of everything it stores. In an email system, the stored data are the messages, their metadata and their attachments.

Databases allocate space in fixed-size chunks called "pages." Some pages hold the index and others hold the data. The data pages depend on the index pages: the index is the route by which the database, and any collection tool that queries it through the mail server's own API, reaches a given message. If the index pages are missing or out of sync with the data pages, the messages held in those data pages are generally inaccessible by normal means and can be missed by an e-discovery collection process, even though their bytes are still present in the backup.
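The relationship between index pages and data pages described above, as an added example that is not part of the white paper or of Index Engines' tooling. It models a toy page store in Python and contrasts an index-driven collection (what a tool using the server's API sees) with a carve of the raw data pages. The layout is assumed for illustration: 4096-byte pages, page 0 holding the index, each data page starting with a marker followed by a JSON record; real Exchange and Notes layouts differ. It goes slightly beyond the text in also modeling a delete that removes only the index entry, which is the ordinary way an index and its data pages drift apart.

```python
"""Toy page-based message store: why an index-driven collection can miss
messages whose data pages are still physically present.

Added example, not code from the white paper or from Index Engines.
Layout (4096-byte pages, page 0 = index, MAGIC + length + JSON record in
each data page) is an assumption chosen for illustration only.
"""
import json
import struct

PAGE_SIZE = 4096
INDEX_PAGE = 0
MAGIC = b"MSG!"  # assumed marker at the start of every data page


class PageStore:
    def __init__(self):
        self.pages = {}   # page number -> bytes: a simulated disk
        self.index = {}   # message id -> page number (live copy of page 0)
        self._next_page = 1
        self._write_index()

    # ---- low-level page I/O -------------------------------------------
    def _write_index(self):
        self.pages[INDEX_PAGE] = json.dumps(self.index).encode().ljust(PAGE_SIZE, b"\0")

    @staticmethod
    def _encode_record(msg):
        body = json.dumps(msg).encode()
        header = MAGIC + struct.pack(">I", len(body))
        if len(header) + len(body) > PAGE_SIZE:
            raise ValueError("record does not fit in one page")
        return (header + body).ljust(PAGE_SIZE, b"\0")

    @staticmethod
    def _decode_record(page):
        """Return the record in a page, or None if the page is not a data page."""
        if page[:4] != MAGIC:
            return None
        (length,) = struct.unpack(">I", page[4:8])
        return json.loads(page[8:8 + length])

    # ---- mail-server style API ----------------------------------------
    def store(self, msg):
        page_no = self._next_page
        self._next_page += 1
        self.pages[page_no] = self._encode_record(msg)
        self.index[msg["id"]] = page_no
        self._write_index()

    def delete(self, msg_id):
        # Only the index entry is dropped; the data page stays until reused.
        del self.index[msg_id]
        self._write_index()

    def collect_via_index(self):
        """What an API-driven collection sees: only messages the index knows."""
        raw = self.pages[INDEX_PAGE].rstrip(b"\0")
        try:
            idx = json.loads(raw) if raw else {}
        except ValueError:
            idx = {}  # unreadable index page: the server reports nothing
        return sorted(self._decode_record(self.pages[p])["id"] for p in idx.values())

    def carve_data_pages(self):
        """Forensic carving: walk every page and keep any that decodes as a record."""
        found = []
        for no, page in self.pages.items():
            if no == INDEX_PAGE:
                continue
            rec = self._decode_record(page)
            if rec is not None:
                found.append(rec["id"])
        return sorted(found)

    # ---- simulated damage ---------------------------------------------
    def corrupt_index(self):
        """Model a lost index page, e.g. a backup that captured data pages only."""
        self.pages[INDEX_PAGE] = b"\0" * PAGE_SIZE


def demo():
    """Return (index view, carved view) for a healthy store, after a delete,
    and after the index page is lost. Messages below are constructed samples."""
    sample = [
        {"id": "m1", "from": "alice@example.com", "subject": "Q3 forecast"},
        {"id": "m2", "from": "bob@example.com", "subject": "Re: Q3 forecast"},
        {"id": "m3", "from": "carol@example.com", "subject": "Board deck"},
    ]
    store = PageStore()
    for m in sample:
        store.store(m)
    healthy = (store.collect_via_index(), store.carve_data_pages())
    store.delete("m2")        # index entry gone, data page still on disk
    after_delete = (store.collect_via_index(), store.carve_data_pages())
    store.corrupt_index()     # index page missing entirely
    after_corruption = (store.collect_via_index(), store.carve_data_pages())
    return healthy, after_delete, after_corruption


if __name__ == "__main__":
    for label, (via_index, carved) in zip(("healthy", "after delete", "index lost"), demo()):
        print(f"{label:13} index view={via_index} carved={carved}")
```

Once the index page is zeroed the API-style collection returns nothing at all, while the carve still returns every message, including the one the user deleted. That gap is exactly the difference between a vendor that relies on the mail server's index and one that reads the data pages of the backup directly.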
How can this happen? With email, there are two common causes:

Email messages deleted on a poorly administered or incompletely collected email system. On a well-administered system, when a user permanently deletes an email, it is moved into a save area akin to a recycle bin. It stays there until the next
by Tim Williams of Index Engines