Guide on Apple Mail Forensics: Detailed Analysis

apple mail forensics
author
Published By Mohit
Anuraag Singh
Approved By Anuraag Singh
Published On May 27th, 2023
Reading Time 6 Minutes Reading
Category Forensics

Before moving ahead with the apple mail forensic, let’s first understand what Apple Mail is. Apple Mail or simply Mail is an email client which is inbuilt with all Apple operating systems such as Mac OS, iOS, etc. Mbox is the compatible file format.

Given the popularity of Mac devices and the increased number of Apple users, cybercriminals have shifted their interest in carrying out email crimes using Apple Mail. Since the security options in Mac devices are robust and hard to bypass, an investigation on these devices without knowing the user admin password becomes challenging for digital forensics investigators.

So, let’s discuss the core attribute through which one can perform Apple mail forensics to bring out vital evidentiary information.

Heart of Apple Mail Forensics – Apple Mail Email Header

One interesting thing about apple mail is that it can be configured with email clients like Gmail, Yahoo Mail, Exchange, and iCloud. Currently, for sending emails, the running version of Apple Mail uses SMTP protocol. Plus, for retrieving emails, it uses IMAP and POP3. 

That means whenever a user tries to send/receive emails via Apple Mail, those email messages will contain some block of text which is commonly referred to as the header in the email client.

This email header plays an important role in Apple Mail forensics. Cause it holds all the necessary and crucial information for email analysis that can help investigators find clues to solve a case. 

Different Attributes in Apple Mail Header

For carving out evidence from an Apple Mail, digital forensics investigators need to analyze each and every component of the header. That includes:

  • Message ID: Every email message has a special ID called a message ID, which is made up of a mix of letters and numbers with a web extension. This ID is unique to a certain email message.
  • MIME-Version: This Apple Mail characteristic displays the MIME version that is currently being used in that specific email message.
  • X-Originalarrivaltime: In Apple Mail headers, this element displays the email’s first arrival time together with the current date and time.
  • From: This Apple Mail characteristic displays the email ID from whom the user received the email.
  • To: This Apple Mail characteristic displays the email ID to which the email message was sent.
  • Date: This Apple Mail feature displays the date that a specific email message was sent.
  • Delivery-Date: This Apple Mail feature contains information about the delivery date and time.
  • X-Mailer: This feature of Apple Mail lists the email client and the IP address from which it received the email.
  • Apple Mail’s Content-Type: This header field identifies the type of email message content. Additionally, it shows the data and character set that was included in that specific email message.
  • X-eopatrributedmessage: It contains the value regardless of whether the user has received any messages or not. Its value can be either 0 or 1.

Now comes the question, how you can view the header information?

Steps to View Apple Mail Email Header Information

It’s obvious that when you open an email on an Apple Mail client, you won’t be able to see the header data directly. So, to view the header, you need to follow the below steps;

  • Select any email message where the headers need to be read after starting the Apple Mail program.

  • Now select the Message option from the View tab’s menu, and then under Message, choose Raw Source.

  • The user can then examine all the information in the email headers located at the top of the email message. The email headers contain all the necessary details, such as the mail server, content type, employed IP address, etc.

Undoubtedly, you can manually view the header components of one email at a time. But, if you like to enhance your experience and want to view the header data on a professional dashboard, then look no further than Email Forensics Tool by MailXaminer. This tool can even let you view the header information of deleted emails. So, you can say that it is capable of performing Apple Mail Forensics from every angle. 

Examination of Apple Mail Using Professional Investigation Tool

The software works as an Apple Mail MBOX analyzer that emerges as a standalone provision during the investigation. The application extends a unified platform for reading MBOX files along with their contents in a detailed manner. Moreover, the application comes integrated with an additional range of investigation-friendly options like Bulk Mailbox Processing, Multiple Views, Evidence Searching, Extraction, and Reporting in other formats, etc. In the below section, we will discuss the advanced features of this software in detail.

Bulk Mailbox Processing

This software allows the processing of a huge amount of data for investigation. Users can add single as well as bulk files by providing the CSV with the location path of files or folders. Along with this, the tool supports a wide variety of email file types including MBOX related to several web-based or desktop-based email clients.

Multiple Views of Evidential File

It provides multiple views of email files defining hidden artifacts from the email files. The tool provides 7+ preview modes such as Message, Hex, Properties, Message Header, MIME, HTML, RTF, and Attachments. These preview modes help investigators to view and analyze hidden information from the suspected files to extract the evidence.

Evidence Searching

This tried and tested tool allows us to add our own filter to search the required evidence data and it also provides various inbuilt searches based on advanced algorithms. Search functions such as General Search, Proximity Search, Regular Expression, Stem Search, Fuzzy Search, and Wildcard Search are provided by the tool to filter out required data. Along with this, users can also avail the use of logical operators in search filters (AND, OR, NOT).

Extraction and Reporting in Other Formats

The software provides an option to extract several kinds of reports in different file formats. It helps the user to categorize and extract the evidential data in the desired file format. The report consists of various types such as Case Reports, Keyword Reports, Tag Reports, Bookmark Reports, etc. Users can also select the files that they want to display on the report. For this, they have attributes like To, From, Cc, Subject, Body, Mail ID, etc.

Final Verdict

Apple Mail application stores emails in .mbox file format. MBOX is a text-based file type that contains a standard structure for the arrangement of data. The above-mentioned software for Apple Mail forensics comes with the standard provisions of investigation, principles, and prerequisites. With this utility, working on the MBOX file is relatively convenient for investigators to investigate the hidden artifacts.

author

By Mohit

Mohit, a renowned digital and cyber forensics expert, specializes in extracting, analyzing, and preserving digital evidence. He helps organizations protect their sensitive data from cyber threats by uncovering hidden clues and providing actionable insights. Mohit's commitment to staying updated with the latest industry trends ensures he delivers valuable articles on safeguarding organizations from emerging cyber risks.