Some of you are referring to getting a single user's emails from the likes of Microsoft, Yahoo (now, mostly Microsoft) and Google like the admin browses to a folder, makes an archive and sends it off. No. Data retention is data at rest and data at rest is the source of most data compromises.
1. *If* the data is being stored, it is not easy to retrieve.
2. Data storage costs lots of money at their scale. If they go cheap, the data is off on tape. Either way, the legal dept. always requires current regulation compliance, but minimizes liabilities associated with keeping someone else's personal communication.
My point being, it's not the sure thing some of you want it to be.
BroDeal said:
I think that would be the primary location to look. I only use web-based mail. E-mail would only exist in memory or briefly in the swap space, where it would be quickly overwritten.
BroDeal, that's not how a file system works. ***Everything*** you see in a browser is written to disk. Most consumers' disks are so large the "empty" space created by "delete" operations never gets overwritten. That's why I keep hammering away at the investigators needing a person who was frequently cc'd on email. It's probably still there. It's not hard to get either. Time consuming, but not difficult.
Weisel would be a good target for data forensics because he's probably like most business people who totally ignore the consequences of mixing communications to gain some convenience. He probably mixes his USAC, Financial business, and Tailwind email communications. It's likely Weisel's Financial office operations have some archives with content of interest to the investigation. The SEC has strict rules about data retention. Of course, that has never stopped anyone from ignoring the SEC's regs.
Hopefully, a strong case for the prosecution will not come down to needing to do data forensics on a number of disks.