With this metadata information at hand, Simek said, one can “with a high degree of confidence, say that these were authentic messages that were sent from this account to that account and sent back.”
The data gleaned from email headers will likely be more than enough to meet the evidence authentication requirements mandated by the Federal Rules of Evidence (FRE) Rule 901, a standard commonly used by both federal and nonfederal courts around the country.
Among other things, the rule allows for authentication based on “distinctive characteristics” of an item, including its contents and substance, such as email addresses and messages. These characteristics must be taken together with circumstantial facts, such as evidence that a person was at their computer or device at the time an email was sent, or that the email client and device identified in the header match those commonly used by the person in question.
There is, however, one large caveat to collecting information from email headers: In order to obtain all relevant metadata, one must be in possession of the original email itself. Having a forwarded copy of an original email, Simek noted, creates entirely new header information. “[All I’m] able to see is your information about the forwarding, and not about the original message.”
But once in possession of an original email, extracting the header is fairly easy. Simek explained that one can use e-discovery tools for the task, or even extract it manually from the email client, though the steps for that will vary depending on “if it’s a Gmail message, if it’s Hotmail or some [other] web-based client. The processes are different.”
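As an added illustration of the two points above (this is not code from the article or from Simek), the script below pulls the Received chain, Message-ID and addresses out of a raw message and runs on two constructed samples, an original and a forwarded copy, to show that the forwarded copy's headers describe only the forwarding. All hostnames, addresses and timestamps are made up.

```python
import email
from email.utils import parsedate_to_datetime

# Constructed sample: the original message as stored by the recipient's mail host.
ORIGINAL = b"""Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTPS id abc123; Mon, 4 Mar 2024 10:15:02 -0500
Received: from laptop.example.net (laptop.example.net [198.51.100.7])
\tby mx.example.net with ESMTP id xyz789; Mon, 4 Mar 2024 10:14:58 -0500
Message-ID: <20240304101455.1234@laptop.example.net>
Date: Mon, 4 Mar 2024 10:14:55 -0500
From: Alice <alice@example.net>
To: Bob <bob@example.org>
Subject: Contract terms

"""

# Constructed sample: Bob forwards it to counsel. This is a brand-new message.
FORWARDED = b"""Received: from mail.example.org (mail.example.org [203.0.113.5])
\tby mx.lawfirm.example with ESMTPS id fwd001; Tue, 5 Mar 2024 09:00:00 -0500
Message-ID: <20240305085959.5678@mail.example.org>
Date: Tue, 5 Mar 2024 08:59:59 -0500
From: Bob <bob@example.org>
To: Counsel <counsel@lawfirm.example>
Subject: Fwd: Contract terms

---------- Forwarded message ----------
From: Alice <alice@example.net>
Please see the attached terms.
"""


def extract_header_metadata(raw):
    """Pull the fields an examiner would cite from a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw)
    hops = []
    for received in msg.get_all("Received", []):
        # Each hop reads "from <sender> by <receiver> ... ; <timestamp>".
        clause, _, stamp = received.rpartition(";")
        words = clause.split()
        hops.append({
            "from": words[words.index("from") + 1],
            "by": words[words.index("by") + 1],
            "time": parsedate_to_datetime(stamp.strip()).isoformat(),
        })
    return {
        "message_id": msg["Message-ID"],
        "from": msg["From"],
        "to": msg["To"],
        "hops": hops,  # newest relay first; each relay prepends its own line
    }
```

The forwarded copy yields one hop (Bob's server to the law firm) and a new Message-ID; the original's two-hop path from Alice's laptop survives only as quoted text in the body, which carries no delivery evidence.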
He advised attorneys, however, to turn to data forensics experts for such extractions, given that “DIY extractions of headers” will likely run into problems, and those who extract the data may also be called to testify in court.