Can Autopsy distinguish opened and unopened emails?

Hello, everyone. I am a computer science student and I am using Autopsy for a final project in a forensics class. For the project, I have to analyze a disk image within the bounds of a search warrant. Autopsy gave me everything I needed, including all the emails on the disk image, opened and unopened. The warrant does not allow us to touch unopened emails. Is there a way to set Autopsy not to capture unopened emails?

No, there’s no setting for that. I don’t believe Autopsy even records the read status of emails.

Ann is correct. That does not mean that it cannot be done and that you can use Autopsy to do some of the work. If the email is Thunderbird, then look at the following SQLite database: global-messages-db.sqlite. You can determine what emails have been read using this database and then go into Autopsy and bookmark them so that you are only looking at the emails you are allowed to see. For other email formats, you can do some research to see how to get this information, then use it to come back to Autopsy and do some tagging. Once you have done this, please come back here and tell us what you did, as it may help someone in the future who has to do what you are doing.

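An added example (not part of the replies above, and not Autopsy or Thunderbird code) of the check the last reply describes: classify each message in an exported working copy of global-messages-db.sqlite as read, unread or unknown, so that only confirmed-read messages get tagged in Autopsy. It assumes the database stores per-message flags as JSON in `messages.jsonAttributes`, keyed by ids listed in `attributeDefinitions`; those table and column names, the helper names and the sample rows are assumptions or constructed here and should be confirmed against the actual file.

```python
import json
import sqlite3

def open_readonly(path):
    """Open an exported working copy of the database without writing to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def classify_messages(conn):
    """Return {headerMessageID: 'read' | 'unread' | 'unknown'}."""
    # Assumption: attribute ids are per-profile, so look 'read' up by name.
    ids = {str(r[0]) for r in conn.execute(
        "SELECT id FROM attributeDefinitions WHERE name = 'read'")}
    status = {}
    for mid, raw in conn.execute(
            "SELECT headerMessageID, jsonAttributes FROM messages"):
        try:
            attrs = json.loads(raw) if raw else {}
        except json.JSONDecodeError:
            attrs = {}
        if not isinstance(attrs, dict):
            attrs = {}
        flags = [attrs[i] for i in ids if i in attrs]
        if not flags:
            status[mid] = "unknown"   # no read flag indexed: do not assume opened
        else:
            status[mid] = "read" if any(flags) else "unread"
    return status

def build_sample():
    """Constructed in-memory database with only the columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE attributeDefinitions (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, headerMessageID TEXT,
                               jsonAttributes TEXT);
        INSERT INTO attributeDefinitions VALUES (58, 'star'), (59, 'read');
        INSERT INTO messages VALUES
          (1, 'a1@example.test', '{"58":false,"59":true}'),
          (2, 'b2@example.test', '{"58":false,"59":false}'),
          (3, 'c3@example.test', '{"58":true}'),
          (4, 'd4@example.test', NULL);
    """)
    return conn

if __name__ == "__main__":
    for mid, state in classify_messages(build_sample()).items():
        print(state, mid)
```

Messages that come back as unknown have no read flag in the index, so under a warrant limited to opened mail they belong with the unopened set until another source settles their status.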