On 19/11/23 08:04, jeremy ardley wrote:

On 19/11/23 01:59, Alex wrote:
IMAP clients will therefore keep messages on the IMAP server and not delete them unless you specifically tell them to, for example via right-click -> delete.


A client can also alter messages retained on a server or even insert new messages. This is interesting in computer forensics.

It means that if an email is on a server, e.g. hotmail or gmail, it has no probative value unless supported by other evidence such as server records, digital signatures, or corroborating evidence on other systems.

In my professional cyber-forensic practice I have tested just how much you can alter in an email on a server. The answer is essentially everything. All headers, dates, content etc.

Server records of email receipt are usually transient so after a few months they can no longer be used as corroboration.


Incidentally, I am using gmail for this list. They have made a recent(?) change so that an email that is sent to the debian list automatically gets a 'copy' in the inbox. In fact it's just a view of the sent email.

They then drop any copy received from the list, probably based on matching the email ID field (?)

From a forensic perspective, gmail only ever stores one copy of an email based on its email ID. The altering emails on the server trick involves creating a modified copy with a different ID field, deleting the original email and so removing its ID from gmail, then altering the ID of the copy to the original ID.
