In this case, an organization needed to turn a set of digital communications into solid expert evidence for labor proceedings, with a clear objective: guarantee the authenticity of the analyzed emails and support the technical conclusions without relying on simple screen captures or exports made without forensic controls.
The starting point was especially sensitive: a large number of confidential emails were found to have been sent from a corporate account to a private account on one specific date, within a time range relevant to the case file. This required an analysis that would establish not only the “what”, but also the “how” and the “why” from a technical point of view.
The expert requirement was twofold:
(1) confirm that these emails were actually sent and received, and
(2) demonstrate that they had not been modified, including all attached content.
In addition, the entire content had to be provided for independent review, reinforcing the transparency and verifiability of the work.
From there, the analysis was not limited to a “closed batch”: dozens of additional emails exchanged between the corporate and personal accounts were documented, and the work was expanded with blind searches over a wider date range to detect and verify related communications, which were added to the assessment once their authenticity had been proven.
At martinsdelima we apply a methodology designed so that each conclusion is traceable, reproducible and defensible: we perform the forensic acquisition in a way that ensures databases, headers and contents are not modified, and we study the metadata in the laboratory with forensic tools (e.g., Autopsy, X-Ways and EnCase). The technical heart of the report was the analysis of the headers (read chronologically, from bottom to top) and of critical fields such as Message-ID and Received, complemented by validating origin and destination through a lookup of the owners of the public IP addresses in RIPE, and by additional checks with tools such as WinHex and OSForensics to rule out manipulation of the emails and attachments.
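The header reading described above can be sketched in Python as follows. This is an added example, not code or data from the martinsdelima report: the message, host names and addresses are constructed, and the use of SHA-256 digests to compare an acquired message and its attachments against a later copy is an assumption of this example.

```python
import hashlib
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not from the case): two relay hops, one attachment.
SAMPLE_EML = b"""\
Received: from smtp.corp.example (smtp.corp.example [198.51.100.7])
 by mx.personal.example with ESMTPS id B2; Mon, 03 Mar 2025 10:15:09 +0100
Received: from pc-042.corp.example (pc-042.corp.example [192.0.2.10])
 by smtp.corp.example with ESMTPSA id A1; Mon, 03 Mar 2025 10:15:04 +0100
Message-ID: <constructed-0001@corp.example>
From: employee@corp.example
To: private@personal.example
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

body
--BOUND
Content-Type: text/plain
Content-Disposition: attachment; filename="report.txt"
Content-Transfer-Encoding: base64

Y29uZmlkZW50aWFs
--BOUND--
"""

def received_chain(msg):
    """Return (time, hop) pairs oldest first; relays prepend, so read bottom-up."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        info, _, stamp = str(raw).rpartition(";")  # date follows the last ';'
        hops.append((parsedate_to_datetime(stamp.strip()), " ".join(info.split())))
    return hops

def analyse(raw_bytes):
    """Summarise the header fields and integrity hashes for one acquired message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    hops = received_chain(msg)
    times = [t for t, _ in hops]
    return {
        "message_id": str(msg["Message-ID"]).strip(),
        "hops": hops,
        "chronological": all(a <= b for a, b in zip(times, times[1:])),
        "sha256_message": hashlib.sha256(raw_bytes).hexdigest(),
        "attachments": {p.get_filename(): hashlib.sha256(
            p.get_payload(decode=True)).hexdigest() for p in msg.iter_attachments()},
    }
```

A hop whose timestamp precedes the hop below it, or a digest that differs from the one recorded at acquisition, is the kind of inconsistency that calls for closer examination.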
The result was excellent because it closed the technical debate: it was concluded that the emails under expert examination were real and that their content had not been altered (neither the dates nor the sending/receiving servers), confirming that NO manipulation had taken place and providing both the reproduced content and its original version for review. In practice, this allowed us to move from a suspicion to robust technical evidence, minimizing the room for challenge and giving the proceedings a probative basis of the highest quality.