Document Authentication: A Primer
Frequently at Vestige we get asked to forensically examine emails and electronic documents and authenticate whether these were written or sent by the person claiming to have done so. The following are samples of digital forensics to the rescue:
We have handled cases where HR and Corporate departments have an internally sent email that is part of an HR or management investigation. By examining the email header information and cross-referencing it with the logins and activity on the claimants’ computers, coupled with information gleaned from deletion analysis and internet history, we can usually produce a digital forensics report detailing our level of confidence as to where the internal email originated and from whom.
E-mails from outside the organization can generally lead to even more information, since various points along an e-mail's journey add relevant information to the e-mail that can help trace its origin. Anonymizing software or anonymous e-mail sites have your investigation stalled? These types of situations may thwart an investigation, but oftentimes they merely slow it down, revealing the true sender in due time. In fact, Vestige has developed some innovative approaches to discovering the identity behind so-called anonymous e-mail senders. While nothing can be 100% fool-proof, we have had a fair run of success in this arena.
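To illustrate the header analysis described above, the following added example (not Vestige's own tooling or method) rebuilds the relay path from a message's Received headers and flags timestamp inconsistencies. The sample message, host names and the five-minute tolerance are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (reserved .example hosts, documentation IP ranges).
SAMPLE = """\
Received: from mx.corp.example (mx.corp.example [192.0.2.10])
\tby mailstore.corp.example with ESMTP id A3; Tue, 04 Mar 2025 09:15:09 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.corp.example with ESMTP id A2; Tue, 04 Mar 2025 14:15:07 +0000
Received: from laptop-7 (unknown [203.0.113.45])
\tby relay.isp.example with ESMTPSA id A1; Tue, 04 Mar 2025 15:15:02 +0100
From: someone@isp.example
To: hr@corp.example
Subject: constructed sample
Date: Tue, 04 Mar 2025 08:40:00 -0500

body
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<peer>[^)]*)\))?\s+by\s+(?P<by>\S+)")

def trace_hops(raw):
    """Return hops oldest-first; each relay prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        info, _, stamp = value.rpartition(";")  # timestamp follows the last ';'
        m = HOP_RE.search(info)
        hop = m.groupdict() if m else {"helo": None, "peer": None, "by": None}
        hop["when"] = parsedate_to_datetime(stamp.strip())
        hops.append(hop)
    return hops

def anomalies(raw, tolerance_s=300):
    """Flag hops stamped earlier than the previous hop, and a Date header
    that disagrees with the first relay's timestamp."""
    hops, notes = trace_hops(raw), []
    for prev, cur in zip(hops, hops[1:]):
        if (cur["when"] - prev["when"]).total_seconds() < -tolerance_s:
            notes.append(f"{cur['by']} stamped earlier than {prev['by']}")
    if hops:
        claimed = parsedate_to_datetime(message_from_string(raw)["Date"])
        gap = (hops[0]["when"] - claimed).total_seconds()
        if abs(gap) > tolerance_s:
            notes.append(f"Date header differs from first hop by {int(gap)}s")
    return notes
```

Received lines written before the message reached a relay the organization controls are only as trustworthy as whoever wrote them, which is why findings like these are corroborated against login and device activity.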
Software Source Code
Electronic document authentication can work with similar processes. For example, we examine written computer code to find changes and previous histories to assist with claims of theft and copying. A wide variety of nuances come into play when evaluating software source code, a topic for an entire blog post in and of itself. Suffice it to say, digital forensics can be used to identify those nuances and assist in this area as well.
Traditional User Documents
We frequently examine office and business documents to authenticate that they have not been electronically altered or straightforwardly falsified. This comes up frequently when allegations are made that contracts were changed after they were signed. For these digital forensic investigation cases we deploy many of the forensic techniques used in verifying emails, with the additional toolbox of examining hidden internal metadata. In many cases we request the original document template and conduct our own testing to duplicate the occurrence and examine internal metadata creation within a forensically sterile test environment. Previous drafts, temporary files and documents with tracked changes are all candidates. We have even been able to show the evolution of particular documents through their lifecycle (i.e. what was added, deleted, changed, etc.) when track changes was not activated.
An Ever Growing List of Evidence Sources
Today, with so many emails being sent from mobile phones and tablets, these devices add yet another location of evidence to examine. If, for example, the email was sent via an anonymous message application, we can examine the device to determine the application that was downloaded and used. We can also examine mobile devices for email evidence and document attachments. Twitter, Facebook and the myriad social networking sites and applets continually add more sources to our list. And one thing is for certain: tomorrow’s innovative technology will bring even more sources to review.
Expertise Built Over Time
In summary, Vestige Digital Investigations has become a skilled expert in email and electronic document authentication. We continue to identify new sources of evidence and develop new techniques for authenticating digital evidence. Apart from the obvious abilities of tracking using the tools already built into the applications (“track changes” comes to mind), there is a wide range of evidence that is not common knowledge. This is the world where we live and excel.