Computer experts - old emails findable?

[MarkEsq]

Here's what I'd like to say:

The computer of a character was found and searched by forensic computer experts working in law enforcement. They managed to locate just one email, which was corrupted, but still showed four or five unrelated words.

The computer experts were also able to figure out the real life, physical address of the person to whom the email was sent (or who sent it, doesn't much matter).


I know NOTHING about computers -- is this feasible?

 

[Nivarion]

I'm not an absolute computer genius, but I know a few things about them.

A document like an email has all of its parts, and then it has another part that tells the computer where all of those parts go. This is the part that fried when a file gets corrupted. The chances of actually even getting any of the words from a file that's corrupted is rare.

Last time I opened a corrupted file it looked like this.

A;ldkjfa;dsfahpdsofiahsdf;ljadsf;lkasdfjlkkkkkkkkkkkkkkawera;sd,fnasdpofiweprokhdsfpoaisdfha;lka;lslalalalaweroaiier 103945096u132049u2340923u

]But uhh, in wingdings.

If the tracker for the email was still in place then it would have the domain name the email was sent through. A domain name is just the access point. Its your @gmail.com or @yahoo.com or any of the others.



]This wouldn't really tell them much, unless the domain kept track of the IPv6 of the computer that created/accesses the file. Those can be back tracked to real addresses.

However, they are horribly unreliable. You can spoof an IP address, which makes it look like your using another one. Sometimes they change. If the access was through a wireless hotspot then there is no knowing who actually sent the email.


IP addresses are also becoming less submissive in court, thanks to DRM enforcing groups like the RIAA trying to sue/ charge for piracy; dead grandma's, people who don't have computers, are computer illiterate, and in one case a vacant home.


IP addresses are just the way of an internet service provider to communicate with the same computer. If your on a router you have an IPv4, and an IPv6.

If your curious you can check your own IP address in windows very quickly. Open the command prompt and type "ipconfig" without the ".

 

[Georgina]

The computer of a character was found and searched by forensic computer experts working in law enforcement. They managed to locate just one email, which was corrupted, but still showed four or five unrelated words.

I'm going to assume that your character tried to wipe all the data from the machine, but was unsuccessful. When something is deleted, it's not typically removed -- the space it took up is simply marked as available for another file to write over when needed. If your character wants to wipe all the data properly, there's two options: using a program called a "disk scrubber" or physically destroying the drive.

A disk scrubber is a program that over-writes the memory space in question with a garbage file. Most scrubbers do this multiple times to make it more likely that the data will be unretrievable. Physically destroying the drive can mean making holes in it with a drill, smashing it with a hammer, or even shooting it with a gun. Check this article on Lifehacker for some good info on both methods.

To make your idea work, you could have your character try to use a disk scrubber but it's not thorough enough, or, better, they're interrupted before it's complete. Or have them try to destroy the disk physically but not do a good enough job.

The idea that they could recover five words, and somehow know that they're all from the same file and that file was an email, is pushing it. (I don't want to say it's impossible, because I'm not an expert on what law enforcement can do, but to my understanding of how data retrieval works it's highly unlikely.) I guess it depends how realistic you want to be. Tech experts do things in books all the time that are less realistic, though, so if it's integral to your plot, I think you could get away with it.

If you want a more plausable scenario, maybe law enforcement could recover, say, half a dozen emails, but only one is relevant to their case and the rest is the person sending cat pictures to their mum.

The computer experts were also able to figure out the real life, physical address of the person to whom the email was sent (or who sent it, doesn't much matter).

I know NOTHING about computers -- is this feasible?

To whom it was sent: not possible.

Who sent it: maybe, but it's not easy.

(The following assumes that the computer that sent the email isn't the computer that law enforcement have, i.e. that the computer received the email. Otherwise, you're back to not possible.)

Each computer on the internet is assigned an IP address. This is a series of numbers that looks like 208.77.188.166. Your IP address is assigned by your ISP, and some users, particularly those who have broadband, may have a fixed IP address. Others will be assigned a new IP address each time they log in.

When you send an email, your IP address is attached to the header, and with a typical email, law enforcement could see that easily. (You can see it yourself in your email program, usually by turning full headers on.) The problem I see here is that the email is almost totally deleted. They found only five words *and* the IP address? That's really, really pushing it.

Assuming it happened, though, here's what would happen next. Most ISPs will only give out who was using a particular IP address at a particular time with a court order. If your law enforcement folks could get that, you could get the address of the owner of the account that the IP address was assigned to.

But! All this assumes that the person was at their physical address at the time. Wired broadband access is typically linked to a physical address, and only works from that address (due to the way it's routed through phone or cable lines), but if your email-sender is using either dial-up or cellular internet then they could be anywhere. Whether you can see which cellular tower that connection was using like you can with a regular mobile phone call is not something that I know, though it certainly seems like it should be possible. Another possibility is that your user is using an open wireless network provided by a hotel, coffee shop, etc, in which case even when you trace it back to its location, you may be stuck trying to find out who the person was.

Hope that helps. I'm happy to answer further questions, if I can.

 

[dpaterso]

Do online email clients like Yahoo, Google Mail, etc. actually store a copy of your mail on your hard drive?

In the old days with CompuServe, AOL, etc. software ran on your PC and when you went online, new email was pulled down and added to local database files, so email could be browsed offline (copy existed on hard drive).

Nowadays... I'm not so sure.

As for tracing a person via their IP address. ISPs (internet service providers) assign IPs from a big pool of numbers that often trace back to a hub that may not be anywhere near your location, e.g. check out http://www.whatsmyip.org/ which displays your IP address. Click on More Info About You in the left column -- a map shows where the software thinks you're signed in from. When I check this, it shows a locale 30+ miles from my actual location.

-Derek

 

[smcc360]

Finding an old e-mail would depend on whether or not the suspect uses an on-line e-mail provider (Yahoo, Google, etc.), or an e-mail program like Outlook that downloads the communications directly to his/her machine.

It's possible to retrieve e-mails from an on-line provider, but Outlook would probably work better for your story, since you said your investigators recovered the actual box.

As for retrieving just five words... hmm. Not likely from forensic hard drive recovery. In my experience, you get all of it or none of it. Maybe your investigators only managed to recover an e-mail in which your suspect quoted five words of another message, like in a reply to someone else?

For your second question, an IP address can be used to get a physical address. It involves sending a subpoena to the target's Internet service provider, so it's not an instantaneous process, but it's simple enough to do.

 

[pink lily]

Do online email clients like Yahoo, Google Mail, etc. actually store a copy of your mail on your hard drive?

Only if you download them to your hard drive, using an email client such as Windows Live Mail or something. Otherwise those emails are stored only on Yahoo's or Google's servers. I do not know if emails you delete from those servers are permanently deleted or not.

There is some discussion of the subject here: http://ask-leo.com/are_deleted_emails_really_deleted.html

 

[BigWords]

When I check this, it shows a locale 30+ miles from my actual location.

I'm using a web 'n' walk stick, so the data is routed all over the place. The internet thinks I'm in the middle of England... Stupid internet.

I do not know if emails you delete from those servers are permanently deleted or not.

If the police know the passwords to log into Google Mail (for example) they don't even need the original computer. A log-in from another computer would gve them all the mail they needed.

 

[Tsu Dho Nimh]

Here's what I'd like to say:
The computer experts were also able to figure out the real life, physical address of the person to whom the email was sent (or who sent it, doesn't much matter).

From the email address of the FROM or the TO of the e-mail, provided the account was with a normal ISP like COX.net, or a company, they could subpoena and find out who had that account, and the billing address.

Free web email account, probably not.

EXAMPLE:
[email protected] would be traceable through a subpoena COX to the owner of the COX account, with the billing address. Not necessarily where the email was sent from/to.

[email protected] might have some activity at GMAIL that gives a clue who he is, but gmail doesn't ask for data on real people. They do ask for a backup email -somewhere to send your password if you screw up - qwhich with another subpoena might have information on the person.

Searching for the email address on the internet is often profitable, because it might show up on a forum or a LinkedIn profile.

**************
If you absolutely need to physically locate the place the email was sent from/to for plot purposes, the jargon to use is a "fixed IP address". Most domains that run their own mail servers have these, so that mail.myspot.com doesn't keep moving and screw up the mail delivery. So do many small businesses who run their own web servers (having the IP address of a domain keep changing is a bad idea)

ISPs charge a bit more for these, not all ISPs offer them, but for example the mail server I send from can be traced to a certain spot on the COX network that is tied to a certain node on their cables ... it doesn't get shuffled every time I log on or send mail.

 

[hammerklavier]

Yes, entirely feasible. Even if they used Yahoo! or Gmail. The browser would cache the page in a temporary area while you are viewing it, computer forensics could recover part of it using sophisticated programs. The run of the mill recovery programs wouldn't work if it had been overwritten or the disk had been wiped, but what the police use actually looks at minute differences in the magnetic traces of the hard drive.

The header of the email would have to be partially intact so they could get the email address or part of the chain of servers the email passed through. From that they could actually find the address of the person. Either through their registration with their ISP, or by a geolocation technique (which would give an approximate location).

 

[RobinGBrown]

As a couple of people have said, it's highly implausible, but frankly I've seen worse in episodes of CSI.

If however you're trying to write a high tech thriller in which it's crucial to the plot then a fair number of people will have their suspension of disbelief tested by this. Computer forensics is, in general, all or nothing.

 

[Chumplet]

Okay, here's what happened to me. Very simple. I used Mail on my Mac for email, and it is through a webmail server called Rogers (like Yahoo). I read and deleted emails regularly from both sources.

Last week my Mail program pooched, so I fired up the Microsoft Entourage mail application that was already installed on my computer.

It proceeded to retrieve every email I received for the last three years. They're all there, baby.

Don't know if that helps, but it's another possibility.

 

[RobinGBrown]

@Chumplet

All your emails are stored on the webserver, thats why the mail app can retrieve all them.

 

[Chumplet]

@Chumplet

All your emails are stored on the webserver, thats why the mail app can retrieve all them.

Yes, I knew that. It's just an example of a simple scenario, that's all.

So, in the OP's question, the email in question couldn't be retrieved in that manner? I guess it's way too simple, like guessing the secret word "apple" in DaVinci Code.

BTW my hubby's in IT & my son is in college for computer security. I should really consult them before responding to techie threads. )

 

[hammerklavier]

As a couple of people have said, it's highly implausible, but frankly I've seen worse in episodes of CSI.

If however you're trying to write a high tech thriller in which it's crucial to the plot then a fair number of people will have their suspension of disbelief tested by this. Computer forensics is, in general, all or nothing.

Only because most people have no idea what computer forensics is capable of. The big question is, does this scenario warrant that the feds utilize their time and talent? If so, there's a good chance they'll recover the email.