On 19/11/23 08:04, jeremy ardley wrote:
On 19/11/23 01:59, Alex wrote:
IMAP clients will therefore keep messages on the IMAP server and not
delete them unless you specifically tell them to, for example via
right-click -> delete.

A client can also alter messages retained on a server or even insert
new messages. This is interesting in computer forensics.

It means that if an email is on a server e.g. hotmail or gmail, it has
no probative value unless supported by other evidence such as server
records, digital signatures, or corroborating evidence on other systems.

In my professional cyber-forensic practice I have tested just how much
you can alter in an email on a server. The answer is essentially
everything. All headers, dates, content etc.

Server records of email receipt are usually transient so after a few
months they can no longer be used as corroboration.

Incidentally, I am using gmail for this list. They have made a recent(?)
change so that an email that is sent to the debian list automatically
gets a 'copy' in the inbox. In fact it's just a view of the sent email.
They then drop any copy received from the list, probably based on
matching the email ID field (?)

From a forensic perspective, gmail only ever stores one copy of an
email based on its email ID. The altering emails on the server trick
involves creating a modified copy with a different ID field, deleting
the original email and so removing its ID from gmail, then altering the
ID of the copy to the original ID.
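
An added example, not part of the posts above: one offline check an examiner can run on a message exported from an IMAP server is whether the stored body still hashes to the `bh=` value in its DKIM-Signature header (RFC 6376). A match is only partial corroboration, because the header itself sits in the same mutable store; the `b=` signature must still be verified against the signer's published key. The addresses, selector and `b=PLACEHOLDER` value in `make_sample` are constructed for the demonstration.

```python
import base64
import hashlib
import re
from email import message_from_bytes

def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization, 'simple' or 'relaxed'."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse space/tab runs, strip line-end whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def dkim_tags(raw: bytes) -> dict:
    """Parse the tag=value list of the first DKIM-Signature header."""
    sig = message_from_bytes(raw)["DKIM-Signature"]
    tags = {}
    for part in str(sig or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def body_matches_bh(raw: bytes):
    """True/False: stored body agrees with bh=; None: no DKIM-Signature."""
    tags = dkim_tags(raw)
    if "bh" not in tags:
        return None
    c = tags.get("c", "simple/simple")
    mode = c.split("/")[1] if "/" in c else "simple"
    data = canon_body(raw.partition(b"\r\n\r\n")[2], mode)
    if "l" in tags:  # signer hashed only the first l bytes of the body
        data = data[: int(tags["l"])]
    algo = tags.get("a", "rsa-sha256").split("-")[-1]  # sha256 or sha1
    digest = hashlib.new(algo, data).digest()
    return base64.b64encode(digest).decode() == tags["bh"]

def make_sample(stored: bytes, signed: bytes) -> bytes:
    """Constructed message: bh= covers `signed`, the body on disk is `stored`."""
    bh = base64.b64encode(hashlib.sha256(canon_body(signed, "relaxed")).digest())
    return (b"From: alice@example.org\r\nSubject: constructed sample\r\n"
            b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
            b" d=example.org; s=sel; h=from:subject; bh=" + bh +
            b"; b=PLACEHOLDER\r\n\r\n" + stored)
```

Calling `body_matches_bh(make_sample(body, body))` gives `True`, while passing a stored body that differs from the signed one gives `False`.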