Which statement about email forensics is accurate?

Prepare for the Digital Forensics, Investigation, and Response Test. Study with multiple choice questions that include hints and explanations. Enhance your understanding of digital forensics principles and get ready for your exam!

Multiple Choice

Which statement about email forensics is accurate?

Explanation:
Email forensics is about reconstructing how a message traveled and who was involved by analyzing headers, timestamps, and routing information, while also ensuring the evidence is preserved under applicable laws. The statement that best fits this reality points to identifying the sender, recipient, date/time, and origination location from the metadata and headers, and it also recognizes that there are data-retention and regulatory requirements that govern how long certain fields or records must be kept. In practice, header data (like the Received lines and IPs) reveals the path and origin, and timestamps establish the sequence of events, which is essential for establishing provenance and credibility in a case. Content alone isn’t enough to establish where the message came from or when it was sent, and headers are not something to ignore because they carry the critical route and origin information. Regulatory considerations are indeed a normal part of investigations, affecting how you collect, preserve, and present email evidence.

