Browser based email systems present more problems for the forensic examiner, primarily because the emails are never actually stored on the user’s computer. In older webmail style systems such as the classic version of Hotmail, this was not a problem as the browser software automatically created and saved multiple versions of files that were viewed in the web cache files and temporary Internet files. Despite this, since the inception of Web 2.0 technology, in many systems this is no longer the case. The technology underlying the more recent versions of most browser based email systems has developed considerably to enable improved and faster service. The downside of this for the e-sleuth is that these Ajax programming techniques provide a “non-cache” option to the browser. In other words, browsers no longer store email content in the browser’s cache.
In a recent case, we were able to recover some very recent emails from a system using Windows Live Hotmail but older messages were gone and even those recovered from unallocated space were fragmented and hard to use. Although in many corporate settings, company emails will potentially exist in multiple locations and remain a potent source of evidence, these developments will mean that the use of web or browser based email will afford added security for wrongdoers. We have seen many cases where browser based personal email accounts have been used for corporate misdeeds such as fraud, money laundering and intellectual property theft. The incentives to do so have now increased and the evidence of such actions is significantly harder to trace.
