Evidence Collection Series: Emails
Where to begin?
This guide is a part of a series that details how to collect evidence related to the misuse of technology in domestic violence, sexual assault, and stalking cases. Before proceeding, we recommend that you read A Primer for Using the Legal Systems Toolkit: Understanding & Investigating Tech Misuse, Approaches to Evidence Collection: Survivor Considerations, and Approaches to Evidence Collection: Criminal vs. Civil Systems.
Who should use this resource?
The series is part of a Legal Systems Toolkit that includes guides to assist prosecutors, law enforcement, and civil attorneys.
IMPORTANT TIP/NOTICE FOR ADVOCATES: If you are a non-attorney survivor advocate, we strongly recommend that you do NOT gather or store evidence for survivors. You can greatly assist survivors by giving them information to gather the evidence themselves. Your participation in the process of gathering or storing evidence can lead to you being forced to testify in court, which can undermine confidentiality protections and negatively impact both the survivor and the integrity of your program. If you have questions, please contact Safety Net.
Email as Evidence: An Introduction
Email messages, whether sent by computer or a mobile device, are a common form of communication. In domestic violence cases, courts routinely order email as a means of “safe” communication between parties, as it leaves a written record. Abusive people frequently misuse email by sending harassing messages, gaining unauthorized access or creating fake addresses in order to monitor or impersonate survivors, or sending computer viruses or spyware. Email evidence can strengthen cases by providing proof of abuse and a clearer picture of relationship dynamics.
Email: The Technology
Despite being common technology, most people do not understand how email works “behind the scenes”. A basic understanding can help when investigating and documenting abusive behavior. In order to ensure clarity, we need to first identify specific terms that will be used in this document.
Email “Client”: An Email client refers to the program used to interact with your email; like Outlook, Gmail, and Yahoo!.
Email Header: This is a log file of sorts, which documents useful information regarding the sending of an email. It also contains information that is specific to that individual email communication. Specific steps need to be taken to view the email header, as it is commonly hidden from normal viewing.
Email Body: This is the content of the email; the message being sent.
Email Signature: An email signature may or may not be present as it is controlled by the user/author. It is typically at the end of the email body. Think of it as the author’s signature at the end of the message.
Email Attachments: An attachment is a file sent with an email and can be an image (picture), a video, an audio file, a document, etc.
Email Evidence: The Digital Trail
While email evidence can be extremely useful, it is not always properly sought out or collected, and it can get accidentally deleted or tainted. The remainder of this document covers how to collect and maintain email evidence to increase its usefulness in court. You can also read more about the differences in technology evidence collection between criminal and civil cases.
Admitting email evidence generally requires showing that an email is relevant to the case and a specific person authored and/or sent it. There are a variety of different ways to accomplish this, including: through agreement, through company records, and possibly through the email itself.
IMPORTANT NOTE ABOUT AGREEMENTS: Frequently, parties will consent to email evidence being admitted into court. It can be useful to consider communicating with the other party (if possible) about whether an agreement can be reached regarding introducing certain messages. It is far easier to introduce the evidence by agreement than to seek out a legal process or fight about the issue in trial.
ABOUT EMAIL AND PRIVACY: Prosecutors and law enforcement, in particular, will want to limit the amount of email evidence that is collected to protect against turning over to defense counsel unnecessary information due to Brady requirements. Turning over a victim’s private email information that is not directly relevant to the case can impact the willingness of victims to testify, confuse the fact-finder(s), and can lead to unnecessary re-traumatization.
The body of the email can have important information, beyond what is clearly spelled out in the communication. In cases where the sender of the email is contested, the body may include distinctive vocabulary, information, writing patterns, misspellings or other contextual clues that may help to prove who wrote the email. Additionally, the content of one email in a thread of messages may give important context to the overall communication, or could be used to show that an individual is inappropriately presenting only a portion of a conversation in order to mislead a factfinder.
There may be useful information worthy of investigation in the signature(s) in an email or email thread. Signatures are often automatically placed at the bottom of emails, and may even be forgotten about after the initial set-up. Signatures might be included only with new email messages or may look different if the message is a reply or a forward. Some signature may have be legally binding such as the case of “electronic signatures.”
Evidence contained in email attachments is not always fully utilized. Attachments may have important metadata, or information about the message or the attachment itself, that can help to identify the author/sender.
While it’s useful to examine available metadata, make sure that any investigation complies with appropriate ethical requirements. Many states have ethical opinions that preclude using metadata that was accidentally sent. This is particularly true where one attorney has inadvertently sent metadata in a document that provides protected information about another client. It is important to be aware of your jurisdiction’s ethical rules on this issue.
The header of an email carries important metadata including the sender, receiver, date, time, subject, and Internet Protocol (IP) address. The IP address of the sender may allow investigators to determine where the email was sent from and possibly who sent it. Note that an IP address may be challenging to connect with a sender if an anonymous proxy server or a relay service was used.
It is important to note that accurate header information is only available in the original electronic version of the email. That version may be accessed through a computer or mobile device, through a web mail platform or account, or on an email server itself. An investigator will not be able to view the original email header by having the survivor forward the email to them. In a forward, the original email header is replaced with a header that contains the forwarder’s information. It is also not possible to uncover the header with just a screenshot or photo of the email body. It is also possible for the survivor to copy/paste the email header into a new document and send that or a screenshot of the header to the investigator as an attachment to an email. The survivor may also log into their email from a computer at the investigators office and retrieve the email header while the investigator watches to ensure the integrity of the data. Law Enforcement investigators should validate this information by serving legal process on the email company to obtain not only the email communication(s) in question, but the associated email header(s) as well. Legal process should also be served on the suspect’s email account that was used to send the email(s) in question, requesting copies of all sent mail, draft mail, and access logs during the same time frame of the evidentiary emails. This will help provide a more complete picture of events and help rule out someone else accessing the suspect’s email account and sending the email(s) in question.
Remember, even if the original email was deleted, it may still be present in the trash folder. When the original email is deleted from the inbox and the trash, but the email client exists on a smartphone or tablet that is backed up to a computer or cloud storage, the email may still exist in one of the backups of the device.
What is an IP address?
IP addresses have been successfully used to identify abusive persons. It is helpful for the survivor to keep a log of abusive behaviors and to document IP addresses from those electronic communications.
An IP address will appear in one of two ways; as a numerical code or a combination of numbers and letters (hexadecimal digits). It is used to identify a particular device on the Internet. Every device requires an IP address to connect to the Internet. There are two versions of IP addresses; IPv4 (version 4) and IPv6 (version 6). IPv4 consists of four sets of numbers, each ranging from 0 to 255, and each set separated by a dot, for example "184.108.40.206" or "220.127.116.11". IPv6 consists of eight groups of four hexadecimal digits, each separated by a colon, for example “2001:4860:4860:0000:0000:0000:0000:8888”. With IPv6, the IP address is often displayed in a truncated format. That is done by removing the sets of four hexadecimal digits whose value are all “0” and replacing them with an additional colon, for example “2001:4860:4860::8888”.
There are two types of IP addresses that can be assigned by an Internet Service Provider (ISP). A static IP address is always the same, while a dynamic IP address may change every time a user connects to the Internet. A dynamic IP address is most common for home users. An ISP, will have records of which customer was assigned a particular IP address at a specific date and time. This is how a residence/location can be associated with a particular IP address. ISP’s typically keep these records for no more than 90 days.
Finding the IP Address
The header in an email will often contain the IP address that the email was sent from. To find the originating IP address, that is the IP address used to send the email, read the email header from the bottom up and look for the IP address that follows the “x-originating-ip” or “Client IP”. In some cases, the “x-originating-ip” or “Client IP” address shown in the email header may not be the one issued to the sender of the email by the ISP. If you look up the IP and find Google or an email provider, they may have substituted their IP for the originating (sender’s) IP. In this case, they will likely still have the sender’s IP address on file and can provide it if served with appropriate legal process.
Locating an email header varies depending on the email client. To find instructions for locating headers, try an online search for “How to see full email headers in [name of email client].”
Looking up or Tracing an IP Address
Once you have the x-originating-IP or Client IP address, you can find the ISP that is leasing the IP Address by performing a “WhoIs” search. There are several different online resources to locate this information, a commonly used one is www.arin.net. Some of these sites will also provide other information, including the approximate geographic location of the device assigned to that IP address. This location information may not be reliable or accurate enough to be used for anything more than a general city within a state.
The following is an example of a complete email header, noting in red the X-Originating-IP and the Message ID, a unique ID given by the originating SMTP email server that can help identify the sender, even if the “From” was tampered with.
Contacting the Internet Service Provider (ISP)
The ISP can identify who the IP address was assigned to. In some cases, it may be an individual home, linking directly to the abusive person, or it may be to a hotel, library, coffee shop, or other location, in which case you would need to establish that the abusive person was there through other evidence, like security surveillance footage and connection logs for the public WiFi that was used.
Most ISP’s will have a specific contact for law enforcement. You can search for that specific contact information on the ISP List at Search.org, for example:
With a Retention Notice or Preservation Order, the ISP will create a copy of the data identified in the order and maintain that information until served with the appropriate legal process, or 90 days passes. A Preservation Order is generally only valid for 90 days; however, one additional Preservation Order may be provided to the ISP, thereby adding an additional 90 days to the length of time for a total of 180 days. This is a critical step to ensure information is still available until a subpoena, court order for production of records, or search warrant can be obtained. A subpoena or court order for production of records can allow you to obtain basic subscriber information, whereas a search warrant can get access to actual email content.
Be aware that the ISP may attempt to notify the abusive person that legal process has been served on them regarding their account. To decrease safety risks to the victim, include in the subpoena, court order for production of records, or search warrant specific orders to the ISP not to notify the account holder/customer (the abusive person) or make any changes, like locking access to the account. Some ISP’s require a separate/stand-alone court order mandating they not disclose the service of legal process to the account holder/customer (the abusive person).
Some ISP’s may state that they will charge a fee for the processing of the requested information. Informing them that the fee is not feasible often results in it being waived. In some jurisdictions, it may be possible to ask the court to make the offender pay for the cost of processing requests to the ISP.
Connect an IP Address to a Specific Person
This last step can be the hardest part of an investigation. In some cases, locating the IP address and putting that information into an IP lookup can give you helpful clues about the geographic coordinates of the sender. Unfortunately, that evidence may not always be admissible or available. In many cases it will be necessary to build circumstantial evidence to show that the IP address is connected to a device owned or used by the alleged perpetrator and that the perpetrator had access, motive, and opportunity to use the device.
Tips for Collecting Email Evidence
TIP 1: Consider emails received and sent
It is important to talk with survivors about email communications with the abusive person and also about any suspicious or malicious communications that may have come from the abusive person through impersonation. Sometimes survivors may not discuss things that they feel like they cannot prove. For example, survivors may be reluctant to discuss or report that a person had inappropriately used their email address to send messages, while pretending to be the survivor, because they are embarrassed about the messages or because they may fear that they cannot prove that it was the abusive party. Let the survivor know that it is your job to help prove who sent it, their job is to let you know everything that has happened, including things that may be embarrassing or difficult to prove.
TIP 2: Protect against inappropriate access
There are a variety of ways that an abusive person could falsify email evidence. They could unlawfully access a survivor’s email account to delete or send inappropriate emails. They could also set up a fake account that has an address similar to the real account (e.g. firstname.lastname@example.org might be faked as email@example.com), or might use an email spoofing service. Or they may use impersonation to try and paint survivors in a negative light. It is important to be aware of these possibilities and to be prepared to help the court them.
Many email clients allow for the account holder to see what devices accessed an account. Some even provide information about the date, time, Internet browser used, and approximate geolocation for each device. It is important to help survivors set up strong passwords and to ensure that the survivor has a system to regularly check which devices are able to access their accounts.
Next Steps in your Investigation
Despite the challenge that technology can pose to evidence collection, it is possible to successfully prove tech abuse cases through effective investigation and creative advocacy. Help the survivor understand how to protect, collect, and preserve evidence. Read more about the importance of involving survivors in the process of collecting evidence in Approaches to Evidence Collection: Survivor Considerations. Survivors’ active participation can lead to information that may strengthen the case, and can give survivors essential tools for safety and healing regardless of the outcome of the case.
For more information, see the resources in our Evidence Collection Series. If you have further questions about investigating tech abuse cases, please contact Safety Net, and visit TechSafety.org for more information.
Special thank you to Bryan Franke of 2CSolutions for providing expertise and guidance on the creation of this series.
 “Original” is a complicated term because digital files “live” in so many places simultaneously. In this case, original primarily refers to a message that has not been “forwarded” or sent as a part of a “reply.”