Both computer forensics experts and data recovery technicians seek to recover deleted data. Data recovery is primarily interested in bringing back files, while computer forensics tends to dig deeper, looking not just for deleted documents, but also for metadata (data about data - such as file attributes, descriptions, dates, and other information) and meaningful snippets of unrecoverable files. One area of particular interest is email.

When most documents are written to a computer's hard disk, each newly created document has its own directory entry (what the user sees as a listing in a folder). If a file has been deleted, but has not been overwritten by another document, the recovery process is a relatively trivial part of e-discovery or of data recovery. But when the data of interest is from deleted email, the discovery process is likely to differ significantly from that of data recovery. Individual emails are stored differently than individual files. Different types of email programs store data differently on the user's hard disk and require different schemes for finding useful information. As a result, the deletion of emails and the recovery of deleted emails differ not only from that for other types of documents, but also between different types of email programs.

There are three main types of email in common usage - Microsoft Outlook (often paired with a Microsoft Exchange Server), text-based email client programs, and web-based email, or webmail.

In Microsoft Outlook, all emails are kept in one large, encrypted, non-text file - the PST, or Personal Folders file. Outlook has additional functions and additional content as well. There is an integrated address book, multiple mailboxes, a calendar, and a scheduler, all of which are contained in the PST file. When one looks into a PST file with a file editor or word processing application, there is little or nothing intelligible to the human eye. The file content looks like nearly random characters.

In general, the PST file must be loaded into Outlook to be read. When an email is deleted, or even when it is purged, it may be kept within the body of the single large file, but become inaccessible to the program. Some deleted emails may be recovered by manipulating the file through a manual process, repairing the resultant file, and then loading it back into Outlook.

Text-based email programs include Microsoft Outlook Express, Qualcomm Eudora Pro, Mozilla Thunderbird, Macintosh Mail, and others. In text-based mail applications, each mailbox has its own file, and all emails from a given mailbox are kept in that one file. For instance, there is likely to be a single file for all of the emails in the Inbox, one for all in the Outbox, one for each user-generated mailbox, and so on. The mailbox files are primarily text files. When an individual email is deleted, the text may be "orphaned," or released from the body of the file, but may still be recoverable as a file remnant that may contain the body of the email as well as information such as dates, times, and sender.

A standard data recovery process would not recover such deleted email, as the mailbox that had contained it may still be intact - just no longer holding the deleted email. Part of electronic discovery would include searching the unallocated portion of the hard disk for specific terms or phrases that are likely to be within the body of suspect emails. (When a file is written, the operating system allocates a specific area of the hard disk to that file. When the file is deleted, that space is de-allocated, and is referred to as unallocated space.) A search may also be performed for email headers, which are also text-based. The resulting data may then be gathered and displayed as text files.

A third form of email is Web-accessed email. Many, if not most, commercial email providers offer the user the opportunity to access email via a web browser. America Online is another email provider that generally does not store email on the user's computer by default. Email is stored on a remote computer, or distributed across many remote computers, that may be any place on the Internet. As these computers host hundreds or even millions of users and their email, the storage of such email is extremely dynamic. When emails are erased in such an environment, remnants of individual emails and files tend to be overwritten quickly and repeatedly. There may be some remnants found on the user's computer in a virtual memory or buffer file, however. The recent US Attorney's scandal highlighted the use of such web-based email (see Why Email Matters: the Science Behind the US Attorney Scandal, by Steve Burgess).

There is always a chance that remaining deleted files, or remnants thereof, may be overwritten. Due to this possibility, it is best to immediately turn off any computer where the recoverability of data is in question. The longer the computer remains in use, the greater the likelihood of useful data being irreparably destroyed. If a user's computer is likely to be used or inspected during legal matters, or if document discovery is expected, the computer should be turned off to avoid spoliation of evidence.

If precautions are taken once a file is deleted, the file is likely to be recoverable. The same is true of email. While deleted or trashed email may not be recoverable as a complete mailbox file, the content of said email and its metadata might be discoverable or recoverable through the different methodologies available to computer forensics specialists.
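The search of unallocated space for text-based email headers and specific terms, described above for text-based mailboxes, can be sketched as follows. This is an added example, not code from the original article; the function name, the thresholds and the sample buffer are assumptions constructed for illustration.

```python
import re

# Header fields that commonly open an RFC 5322 message stored in a text mailbox.
HEADER_RE = re.compile(
    rb"(?im)^(From|To|Date|Subject|Message-ID|Received): ?([^\r\n]{1,200})")
# A run of printable ASCII plus TAB/CR/LF: a text island left in freed space.
TEXT_RUN_RE = re.compile(rb"[\x09\x0a\x0d\x20-\x7e]{40,}")

def carve_email_remnants(raw, keywords=(), min_headers=2):
    """Scan a raw buffer (e.g. an unallocated-space extract) for email remnants.

    Returns one dict per text run holding at least `min_headers` distinct
    header fields: its byte offset, the parsed headers, and which of the
    search terms occur anywhere in the run (case-insensitive).
    """
    hits = []
    for run in TEXT_RUN_RE.finditer(raw):
        text = run.group()
        headers = {}
        for m in HEADER_RE.finditer(text):
            name = m.group(1).decode().lower()
            # Keep the first occurrence of each field within the remnant.
            headers.setdefault(name, m.group(2).decode("ascii", "replace").strip())
        if len(headers) < min_headers:
            continue  # isolated text or a single stray field: too weak a signal
        lowered = text.lower()
        found = [k for k in keywords if k.lower().encode() in lowered]
        hits.append({"offset": run.start(), "length": len(text),
                     "headers": headers, "keywords": found})
    return hits

# Constructed sample: two message fragments surrounded by non-text bytes,
# standing in for sectors read from unallocated space.
SAMPLE = (
    b"\x00\xff\x13\x80" * 64
    + b"From: alice@example.com\r\nTo: bob@example.com\r\n"
      b"Date: Mon, 02 Apr 2007 09:15:00 -0700\r\nSubject: Q1 ledger\r\n\r\n"
      b"Please shred the old ledger before the audit.\r\n"
    + b"\x00" * 512 + b"\x9c\x01\xfe" * 40
    + b"Subject: lunch\r\nno other headers survive in this fragment, only body text\r\n"
    + b"\xde\xad\xbe\xef" * 32
)

if __name__ == "__main__":
    for hit in carve_email_remnants(SAMPLE, keywords=["ledger", "audit"]):
        print(hit["offset"], hit["headers"].get("subject"), hit["keywords"])
```

The `offset` in each result ties a remnant back to its position in the extract, and lowering `min_headers` to 1 also surfaces fragments where only one header line survived.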