Q: Can the original source of an E-mail be determined?

A: An E-mail message usually contains the following information: TO whom it is being sent, FROM whom it is being sent, its SUBJECT, and the DATE it was sent. E-mails also contain additional information that can help track an electronic message back to its original source. This information is in the "header" and includes:

	intermediary E-mail servers that routed the message;
	the program used to create the message; and
	the Internet Protocol (IP) address of the computer from which the message was sent.

To send an E-mail, someone must have Internet access through an Internet Service Provider (ISP); the ISP provides the IP address, which is included in most communications sent and received from the computer, including E-mails.

With the IP address of the E-mail sender, along with the date and time the message was sent, E-Mail, the ISP and/or E-mail Service Provider (ESP) can be served with a subpoena for records pertaining to the sender. In some corporate network environments, such a subpoena will result only in discovery of a company's E-mail server; a second subpoena will narrow the search within the company to a specific computer.

Clint Modesitt
Computer Forensics Investigator

E-mail your computer forensics or electronic discovery question to: AskTheExpert@spinellicorp.com

IP Address: An Internet Protocol (IP) address is a unique number - like a Social Security Number - assigned by the user's Internet Service Provider (ISP) that is comprised of four sets of digits, called "octets." An example IP address is 255.153.4.53. The IP address allows computers or computer devices with Internet access to communicate with other computers. Depending on the user's Internet connection, the IP address can be static - the computer uses the same address each time the user connects to the Internet - or dynamic - potentially different each time the user connects the Internet.

With a dial-up connection, MSN, AOL, Earthlink or another ISP issues the computer an IP address for the duration of the online session. With a broadband connection, the IP address can change periodically. Since the IP address is unique to a specific computer when it is issued, a timely subpoena to the ISP will often yield the user's contact information and billing records.

E-Mail Prompts AZ Bankruptcy Court to Deny Dismissal of Breach of Fiduciary Duty Claim

When Kohlberg & Co. (Defendants) acquired Southwest Supermarkets, LLC as a wholly owned subsidiary in 1995, the then-insolvent 23-store grocery chain agreed to pay Kohlberg a $1 million acquisition fee, plus a yearly management fee; to cover certain tax liabilities arising from Kohlberg's ownership of Southwest; and to purchase vested options from several company officers. In this breach of fiduciary duty claim against Kohlberg, arising from Southwest's 2001 Chapter 11 bankruptcy filing, Plaintiff Daniel Collins (Trustee for the bankruptcy estate of Southwest Supermarkets, LLC) alleged fraudulent self-dealing by a fiduciary, citing among other causes of action tax liability payments Southwest made to Kohlberg that were about twice the actual accrued amount. Kohlberg moved for dismissal based on statute of limitations pursuant to Rule 12(b)(6) of the Federal Rules of Civil Procedure. Citing an E-mail from Southwest's CEO to Kohlberg sent just one month before the bankruptcy filing ("All is quiet (at least within my privy) regarding the $2.9 million Company receivable from Kohlberg."), the United States Bankruptcy Court District of Arizona held that Kohlberg was "self dealing for profit … right up until the filing of the bankruptcy, because despite Southwest's financial distress Kohlberg did not voluntarily repay the $2.9 million tax overpayment, nor require Southwest to demand it, but rather sought to keep 'quiet' about it." The Court ruled the statute of limitations be equitably tolled, keeping Plaintiff's claim alive.

In re Southwest Supermarkets, LLC 325 B.R. 417 (D. Ariz. May 26, 2005)

NY Supreme Court Compels ISP To Disclose Name of Person Who Sent Allegedly Defamatory E-Mail

Seeking a preaction disclosure to identify potential defendants pursuant to New York Civil Practice Law and Rules (CPLR) 3102 (c), the Public Relations Society of America, Inc. (PRSA) and its Executive Director, Catherine A. Bolton (Petitioners) moved for an order directing Internet Service Provider (ISP) Road Runner to produce all documents concerning the person who used the IP address 66.108.84.160 to send an allegedly defamatory E-mail from prsa_staff@hotmail.com. The October 18, 2004 E-mail, which was sent to the PRSA Board under the pseudonym, "Catherine Hater," accused Ms. Bolton of incompetence and dishonesty in her dealings with the PRSA staff and board, and suggested that she should be fired. When the motion was granted by default because Roadrunner failed to attend the hearing or otherwise contest it, "John Doe" motioned for, and was granted, a stay of the judgment. Without disclosing the E-mailer's identity to the petitioners, a New York Supreme Court judge reviewed the electronic communication and determined that it "is actionable because it disparages Bolton before her employers and the statement asserts her general incompetency in her job performance which is 'incompatible with the proper conduct of [Bolton's profession]'." "John Doe" then requested that the default judgment be vacated on First Amendment grounds. Concluding that the statements in the E-mail were not constitutionally protected because they were not "pure opinion," and that the First Amendment did not preclude discovery of the sender's identity, the Supreme Court declined to vacate the disclosure judgment.

The Public Relations Society of America, Inc. v. Road Runner High Speed Online 799 N.Y.S. 2d 847 (N.Y. Sup. Ct, New York County, May 27, 2005)

E-Mail Headers Point to Co-Worker in E-Mail Harassment Case

When an account executive working for a national marketing firm began receiving harassing E-mails, she wrote it off as annoying spam. Over the next two months, the inappropriate E-mails became increasingly vulgar and frequent. After conducting an internal investigation, her employer's Human Resources and Legal departments met with Spinelli Corporation to discuss investigative options. Suspecting that the E-mails, which were sent from a Yahoo! account, were written by a disgruntled co-worker, the team performed a computer forensic analysis of the co-worker's laptop computer. Although there was no indication that the co-worker had logged into the Yahoo! account used to send the E-mails, the E-mail headers on some of the harassing messages could be traced to a Cox Communications IP address. With this information, our client's legal team subpoenaed Cox for the subscriber information for the person assigned this specific IP address on the dates and times that the subject E-mails were sent. Cox provided this information to our client under court order, confirming that the suspected individual had sent the E-mails. Confronted with this information, the co-worker confessed to sending the E-mail messages and made his personal computer available for forensic imaging and analysis. The harassing E-mails, some of which had been sent with the falsified headers, were found on the hard drive - along with sensitive company documents he had E-mailed to himself and had deleted, upon learning of our investigation.

Computer Forensics Case Law Reviews Archived

Looking for a specific case summary, but can't remember when it was published in the Electronic Evidence Examiner? An archive of computer forensics and electronic discovery case law summaries from past issues is now available for your convenience.