Electronic evidence from the internet

By Stephen Mason and George Weir

To ask the right questions of digital evidence professionals when instructing them, it is incumbent on the lawyer to be aware of what questions to ask. Here we describe the various mechanisms by which evidence in electronic form is adduced into legal proceedings via the worldwide web and internet.

A significant amount of correspondence undertaken within and between organisations takes the form of the exchange of email. Email is, essentially, an unstructured form of communication, whose content determines its purpose:

(i) An email discussing official business between employees internally is an internal memorandum.

(ii) A similar email sent out to a third party relating to official business is an external communication, and by being sent with the same corporate information that is contained on the stationery, should be treated as official stationery.

(iii) An extension of a telephone conversation, confirming something, for instance, is a note to be added to a file, whether it is sent to people within the organization or to external addressees, or a mix of internal and external addressees.

(iv) A note to a friend to say you enjoyed the party last night, or to colleagues inviting them to join you in a glass of port and a slice of Dundee cake to celebrate your birthday, is an item of private correspondence using the organization’s resources. The use of email for this purpose may or may not be authorized by the organization.

Email is an important source of electronic evidence. However, emails should be treated with some discretion, because a person can conceal his identity and hide behind a false email address with relative ease. It is very straightforward to send an email that appears to come from someone other than the real source. Forging emails might be effortless, but email is freely admitted into legal proceedings, both criminal and civil.

To obtain access to email, it is necessary to interact with two different services, one for outgoing mail and one for incoming mail. These services may, or may not, be provided by the same server. To read email, the individual must direct the email program to connect to a mail server using one of a number of protocols, the most common of which are: Post Office Protocol (POP), Internet Message Access Protocol (IMAP), and a proprietary Microsoft protocol called Messaging Application Programming Interface (MAPI).

The POP protocol (POP3 is the most widely used version) permits the user to read his email by downloading it from a remote server and onto the storage facility of his local computer or device. Once the email has been downloaded from the server, it is automatically deleted from the live server, but probably not from the back-up server that will invariably be used by the mail service provider for the purpose of recovering from a failure for any reason. By contrast, the IMAP protocol (IMAP4 being the most widely used) enables the user to leave all his email on the mail server. Keeping all the email on a single server can be an advantage for an organization because the email for the entire organization can be backed up from a central location. However, the problem with keeping all email communications on the server is that the server may eventually become overloaded due to the volume of data. Both POP and IMAP protocols require a user to have a username and a password before the user can obtain access to the mail download service. In addition, the protocol servers keep logs of who checked emails and when they were checked. This enables an investigator to look for evidence of email traffic even where a user has deleted all of his emails.

Outgoing email uses a different protocol called Simple Mail Transfer Protocol (SMTP), although MAPI also supports outgoing email. The servers supporting SMTP do not normally require a user to use a password. This makes it very easy for an individual to forge a message. However, the SMTP server may keep a log of the messages that pass through the system.

When an email is sent from a computer, it will pass on to one of a number of Message Transfer Agents (MTA). The MTAs act in the same way as post offices. A local MTA will receive the email. Upon receipt, it will add to the top of the email message received the current time and date, the name of the MTA, and other additional information. This information is in what is called the header of the email. As the message passes through various MTAs, each MTA will add further date and time stamps to the header. The most recent information will be at the top of the header.

Another item of information that tends to be collected in the header is the Internet Protocol (IP) address of the computer or system connecting to the server. Technically astute users of email who may wish to hide their identity can send messages through anonymous or pseudonymous re-mailing services. When email is sent through such a re-mailing agent, the header information may be stripped before the message is sent on to its destination. However, some other forms of electronic evidence are transferred during such a process, and it is possible for forensic investigators to attempt to find evidence that may be useful.
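The two paragraphs above describe how each MTA prepends a Received line to the header and how the IP address of the connecting system is recorded there. The following added example (not from the book or the authors) reconstructs the delivery path from a constructed sample message; the hostnames, IP addresses and timestamps are invented for illustration.

```python
"""Reconstruct an email's delivery path from its Received headers.

Each MTA prepends a Received header, so the top-most line is the most
recent hop; reading the list bottom-up gives the chronological route.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture); hosts and IPs are invented.
RAW_EMAIL = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.org with ESMTP id abc123;
\tTue, 17 Jan 2017 10:03:12 +0000
Received: from relay.example.com ([203.0.113.5])
\tby mx2.example.net with ESMTP;
\tTue, 17 Jan 2017 10:02:58 +0000
Received: from [192.0.2.44] (helo=desktop-pc)
\tby relay.example.com with SMTP;
\tTue, 17 Jan 2017 10:02:40 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Meeting note
Date: Tue, 17 Jan 2017 10:02:35 +0000

Confirming our 3pm call.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?by\s+(\S+)", re.DOTALL)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def delivery_path(raw):
    """Return hops oldest-first as (from_host, ip, by_host, datetime)."""
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # bottom-up = oldest first
        text = " ".join(hdr.split())  # unfold continuation lines
        body, _, stamp = text.rpartition(";")  # timestamp follows the last ';'
        m = HOP_RE.search(body)
        ip = IP_RE.search(body)
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(2),
                     parsedate_to_datetime(stamp.strip())))
    return hops


def timestamp_anomalies(hops):
    """Indices of hops stamped earlier than the previous hop (clock skew or tampering)."""
    return [i for i in range(1, len(hops)) if hops[i][3] < hops[i - 1][3]]
```

The first element of the returned path is the hop closest to the sender, which is where an investigator would look for the originating IP address; a non-empty anomaly list signals that the stamps do not tell a consistent story and need corroboration from the MTA logs.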

Instant messaging

Instant Messaging (IM) is a form of online communications service that enables the user to transmit a variety of text, voice and image messages with other individuals in real time over the Internet. This form of communication is similar to a conversation over the telephone, but the users typically communicate by typing messages into the software. The technology also permits the user to share files. Instant messaging has become popular because the software implementing the service can be downloaded at no cost, and is easy to install and use.

Depending on the type of software used, the program will, when a message is initiated, connect the two devices, either via a direct point-to-point configuration or via a client-server configuration, through the ports of the devices. There are two significant problems. First, in a client-server configuration, the instant message server may not necessarily log such messages, which means that such conversations can be considered conceptually similar to conversations over the telephone. Secondly, the program may have a feature that allows for messages to pass through legitimate open ports if others are not available. Whether such conversations are recorded will depend on the software used.

In an earlier variation of Instant Messaging known as Internet Relay Chat (IRC), conversations take place in a similar way to a conference call. IRC is mainly designed for group communications, though it also allows for one-on-one communications via private messages. It frequently suffers from the same issues as Instant Messaging, in that the servers relaying messages are not typically configured to log conversations.

Peer to peer networking

As personal computers have developed, so have their capacity and power increased. As a result, there is less of a dividing line between a client and a server. This is because any host can be made a server by installing appropriate software into the computer. The software then permits other clients to obtain access to the resources of the computer over the network. This is called peer-to-peer networking (P2P), and is often the subject of litigation regarding intellectual property, especially for the purpose of downloading music and films without payment.

For instance, in Hong Kong, a Norwich Pharmacal [1974] AC 133 (CA), revd [1974] AC 133 (HL) order was granted in the case of Cinepoly Records Co Ltd v Hong Kong Broadband Network Ltd [2006] HKCFI 84; [2006] 1 HKLRD 255; HCMP2487/2005 (26 January 2006) in respect of a number of IP addresses, and in the case of Polydor Ltd v Brown [2005] EWHC 3191 (Ch) summary judgment was granted against the second defendant, Mr Bowles, for copyright infringement, after a Norwich Pharmacal order was made against various Internet service providers whose subscribers’ IP addresses had been identified as being used for allegedly infringing activity. In both cases, the infringers were identified by the Internet service providers from their electronic records of the IP addresses assigned to their subscribers at the date and time in question when the allegedly infringing activity was taking place.

Social networking

The advent of Web 2.0 has seen an enormous increase in websites that permit users to provide their own content. This ranges from uploaded video clips (on sites such as YouTube) and photographs (on sites such as Flickr) to personal musings in the form of blogs (personal Web logs) and interactive exchanges with a wider audience in the form of social networking sites (such as Facebook and Twitter) and their more business-oriented alternatives (such as LinkedIn). As social networking has increased in popularity, with meteoric growth in participating users, several contexts arise in which the content of an individual’s social network contribution may constitute evidence. For instance, an individual may be located at a specific place by means of his geotagged submissions to such a site, and photographs uploaded to a social networking site often retain their geotag data and reflect the time and place at which they were taken. Contributions containing such information have been used for the purposes of grooming and blackmail.

In a different vein, an individual’s social network contributions may suffice to determine political or social prejudices that in turn shed light on the character of a trial witness. The evidence in such cases may be recovered from the witness’ contributions to the social networking sites, depending upon whether those contributions remain available and accessible on the site. If an individual had made such contributions under an alias, a digital evidence professional may be able to establish his true identity by matching his online contributions to the same content that is found on the individual’s storage media.

No doubt the reader will be aware that how the profession operates (last minute, just in time) does not help with complex digital evidence, and the police are also at the mercy of government funding, for which see: Written evidence submitted by Stephen Mason and Nicholas Bohm, submitted to the Treasury Committee on 17 January 2011 (http://bit.ly/2ti5rBO) – this was written six years ago, yet the problem remains.

© Stephen Mason and George Weir, 2017

Stephen Mason is a barrister, and author of Electronic Signatures in Law (4th edition) and editor, with Daniel Seng, of Electronic Evidence (4th edition), from which this article is an extract. Email stephenmason@stephenmason.co.uk.

Both titles are available from the Institute of Advanced Legal Studies’ OBserving Law in the Humanities Digital Library in print or ebook formats or as free PDF downloads.

Dr George Weir is a Lecturer in Computer and Information Sciences at the University of Strathclyde in Glasgow. In addition to teaching computing, security and digital forensics, he leads a research group on cyber-security, human factors and data analytics.