I’m working a matter whereby I’m trying to tie the suspect to the keyboard for a BEC type case. I’ve located the suspicious emails being generated and sent in the Custodian’s OST file, however I am seeing a difference in the “from” field. Some emails generate the from field as :
“Suspect name” "
Whilst others look like
“Suspoect name” <“/o=organisation/ou=country/cn=recipients/cn=laptop user name”>
Does anyone have any ideas what the reason for the discrepancy would be? I understand that it’s certificate attributes in the field, but why would some contain it and some do not? Is it possible that the emails were generated off different devices?