
EarthLink Forensics: Discovering & Examining Weak Links

Creative Team | September 3rd, 2016 | Forensics

Businesses have always relied on communication, and in the age of technology letters have given way to email as dependency on electronic communication has grown. Email services have accordingly been on the rise, each designed to meet the needs of different users. EarthLink emerged as one of the many email services, and it offers a distinctly different webmail experience. The following is a report on the anatomy of the webmail service, produced by performing EarthLink forensics.

A Study of EarthLink and Its Features

EarthLink is a webmail client that is not entirely typical: its interface resembles the UI of a desktop mail client. It offers a basic mailing service with a number of striking additional options not found in others of its kind.

Working with EarthLink is an experience no different from browsing the web. However, it does not carry out a single action without refreshing the webpage completely, which is disruptive, especially during login, as it tends to cause loss of information.

An Outline of EarthLink Forensics

  • A webmail service operated on a subscription basis, making it vulnerable to acts of hacking and misuse.
  • User account data is stored on web servers; therefore, the end user has no control over it.
  • Provides an anti-spam and anti-virus protection service for protection from phishing and spamming.
  • The anonymous mailing feature creates a possibility of spamming and phishing if misused.
  • One account can be linked to up to a minimum of 8 accounts, each portraying a different user profile.

Role of EarthLink in Digital Forensics

EarthLink has been involved in eDiscovery cases both as a victim and as a culprit. A detailed study of the web service reveals the facts responsible for involving EarthLink in acts of cybercrime committed for financial gain or online character assassination.

However, the involvement is never one-sided, exposing the client as both the culprit and the victim of cybercriminal acts. The study uncovered a set of upgraded features as well as a shortcoming of the EarthLink webmail service, which make it liable to be used for suspicious acts via email communication.

EarthLink as the Victim

Technology may be powerful, but it isn't perfect; the proof lies in its shortcomings and its failure to fulfil certain user requirements.
EarthLink is no exception and has been in the news several times for cases related to the compromise of security.
Reason: The webmail service does not use ‘TLS level encryption’ during the login procedure on the POP3 services it uses. Therefore, a user's privacy can easily be invaded by intercepting the wireless connection in use.

EarthLink as the Culprit

Use and misuse go hand in hand, which is how EarthLink got involved in cybercriminal acts as the culprit too.
Following is an account of the features responsible for such consequences and misuse of the webmail service.


Anonymous emailing can be activated by the user on their EarthLink profile to hide their original identity (email address) from the recipient.

A single user account is allotted the permission to generate a minimum of up to 8 completely separate email accounts.

Firstly, the anonymous emailing option indirectly promotes spamming when used for illegal purposes. Secondly, the allotment of multiple profiles to a single user account can again be used for spamming or email bombing.

Measures from EarthLink Mail Service

  • It is possible to encrypt the login when using EarthLink via IMAP configuration or through its default web interface. However, it is not enabled by default; the user has to turn it on through their preferences.
  • If the account has been recovered after being hacked, always verify that the email settings have not been manipulated. The hacker may still be receiving all your emails through email forwarding that was set up during the period of compromise. After recovering a compromised account, check all the settings, apply a stronger password, and enable session encryption in addition to login encryption.
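
The POP3 login weakness described under "EarthLink as the Victim", and the login encryption that the first measure above says is not enabled by default, can both be checked from a mail client's session log. The following is an added example, not part of the original article and not EarthLink or MailXaminer code: the function name, the "C:"/"S:" log format and the sample logs are assumptions constructed for illustration. It reports whether login commands were sent before TLS was established, either through STLS or through implicit TLS.

```python
import re

# Added illustration: the function name and the "C:"/"S:" log format are assumptions.
AUTH_VERBS = {"USER", "PASS", "APOP", "AUTH"}  # commands carrying login material

def audit_pop3_login(log, implicit_tls=False):
    """Classify a client-side POP3 session log.
    implicit_tls=True: TLS from the first byte (POP3S), so no STLS is expected."""
    tls, offered, pending = implicit_tls, False, False
    exposed, auth_seen = [], False
    for raw in log.splitlines():
        m = re.match(r"([CS]):\s*(\S*)", raw.strip())
        if not m:
            continue
        side, verb = m.group(1), m.group(2).upper()
        if side == "S":
            offered = offered or verb == "STLS"   # capability listed after CAPA
            if pending:                           # server's reply to the client's STLS
                tls, pending = tls or verb == "+OK", False
        elif verb == "STLS":
            pending = True
        elif verb in AUTH_VERBS:
            auth_seen = True
            if not tls:
                exposed.append(verb)              # keep the verb only, never its argument
    verdict = ("cleartext-login" if exposed
               else "protected" if auth_seen else "no-login-seen")
    return {"verdict": verdict, "stls_offered": offered,
            "stls_ignored": offered and bool(exposed), "exposed": exposed}

# Constructed sample logs, not captured from any real service.
CLEARTEXT_LOG = """S: +OK POP3 ready
C: CAPA
S: +OK Capability list follows
S: STLS
S: .
C: USER user@example.invalid
S: +OK
C: PASS <redacted>
S: +OK logged in"""

STLS_LOG = """S: +OK POP3 ready
C: STLS
S: +OK Begin TLS negotiation
C: USER user@example.invalid
S: +OK
C: PASS <redacted>
S: +OK logged in"""
```

A `stls_ignored` result points at the client configuration rather than the server: the TLS upgrade was advertised and the client logged in without using it.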

Challenges of Executing EarthLink Forensics

  • Because the service is hosted on a web interface, it poses a common investigative challenge: no possession of or control over the profile data. You do not own or control the profile data, as it is stored on the web server and not on local storage.
  • Secondly, the client comes with the option to retain or erase deleted emails from the trash based on the retention period set by the user. By default, this limit is set to a certain duration, which can be extended according to the user preference. The emails could possibly be deleted by the user from the trash, which results in permanent loss of potential evidence.

Examining Compromised Communication of EarthLink

From a forensics standpoint, it is difficult to implement forensic procedures on an email service as complicated as EarthLink. Therefore, only a commercial third-party application can come to the rescue of an investigator during the examination. As far as emails are concerned, the finest resource for accomplishing EarthLink forensics would be MailXaminer.

The application is a standalone, specialized email forensics toolkit programmed with the finest set of search techniques. It comprises all the right features to enable a successful forensic analysis of both desktop and webmail applications.

MailXaminer’s Role in EarthLink Forensics

Firstly, the application provides local access to webmail messages, enabling complete control over the account data.
Secondly, the software boasts an advanced search mechanism with multiple criteria and options enabled. Using it, one can sort the emails of all the different accounts associated with the primary EarthLink profile.

It is always good to delegate to get precise outcomes. As a medium for performing forensics on both desktop and web-based email clients, MailXaminer offers investigators the freedom to concentrate only on connecting evidence and coming to the conclusion of a case, instead of investing time in parsing and investigating it on their own. EarthLink emerges as a complicated platform to examine from certain investigative points of view due to session encryption, web access, and multiple account correlation. Nevertheless, MailXaminer helps overcome the challenges with key features such as downloading emails into the software UI, an advanced search mechanism, and more.