Windows Live Mail Forensics to Search Evidences Inside EML Files
To begin with Windows Live Mail forensics and its file format EML file forensics, we need to first understand how actually Windows Live Mail stores emails in Windows OS.
Windows Live Mail (a component of the Windows Essentials Suite) is one of the most renowned freeware email client application with more than 280 million+ active accounts. WLM (Windows Live Mail) efficiently manages multiple email accounts, calendars, contacts, and other data items. Also, Windows Live Mail supports Post Office Protocol (POP3) and IMAP (Internet Message Access Protocol) as an incoming server and Simple Mail Transfer Protocol (SMTP) as the outgoing server.
File Formats & Locations of WLM Data Files
In Windows Vista OS, the Microsoft Outlook Express email client became history. Windows Live Mail enters the game. It’s inbuilt in most PCs working under Windows 7, at location “C:\Program Files\Windows Mail”. All email messages in Windows Live Mail are stored as “.eml files”, along with folder tree information.
It also contains the additional information that Windows Live Mail requires to display email data. One needs to apply the following options in order to view the hidden folders and file extensions:
- Control Panel > Folder Options > View > Show hidden files and folders
- Control Panel > Folder Options > View > Hide extensions for known file types (uncheck it)
Default Location of Windows Live Mail in different Windows OS Versions are as follows:
Window XP: –
C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail
Vista or Windows 7: –
C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail
Windows 8: –
C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail
From the above description, investigators can easily find the location of the .eml file in different operating systems. However, from an investigative standpoint, technocrats must know that in Windows Live Mail forensics, the contact database is stored in contact.edb file.
Modes of Operation for Contact Database in Windows Live Mail Forensics
Windows Live Mail provides two modes of operation for contact database: –
- Default (Offline) mode – No sign in to Live ID
- Live ID (Online) mode – Live ID Sign in to Windows Live
Now, users can operate Windows Live Mail in one mode at a time. Contacts are unique for each mode when users view them in WLM.
Contact Database File in WLM
- Windows Live Mail stores all of its Contact databases in a single file called “contacts.edb”.
- Each mode in WLM should have a unique “contacts.edb” file (same name, different location).
- Each Live ID used in Live ID (Online) mode must have a unique “contacts.edb” file.
- The contacts.edb file for Default (Offline) mode is stored in a hidden sub-folder called DBStore. To view the DBStore folder, users have to configure the Windows Explorer to “Show hidden files/folders and protected operating system files”.
The Location of DBStore Folder
WLM 2011 (Pre QFE3 Version) – Windows 7 or Vista
C:\Users\Windows\Username\AppData\Local\Microsoft\Windows\Live\Contacts\Default\15.4\DBStore
WLM 2011 (QFE3 Version) – Windows 7 or Vista
C:\Users\Windows\Username\AppData\Local\Microsoft\Windows\Live\Contacts\Default\15.5\DBStore
Note: – The Default DBStore folder is a hidden folder of the “15.5” folder.
The Location of DBStore folder in Live ID (Offline) Mode
WLM 2011 (Pre QFE3 Version) – Windows 7 or Vista
C:\Users\(username)\AppData\Local\Microsoft\Windows Live\Contacts\(Live ID)\15.4\DBStore C:\Users\(username)\AppData\Local\Microsoft\Windows Live\Contacts\(Live ID)\15.5\DBStore
Windows Live Mail Forensics to Retrieve Corrupted or Deleted EML Files
Nowadays instant messengers, social networking sites, emails are the major carrier of information. It is mostly used by corporate for professional communication purposes. Thus, the elimination of such information accidentally or otherwise, may cause inconvenience to the users. Finally, to balance such catastrophic situations, Windows Live Mail comes with a “Deleted Items” folder.
This folder is available to store the items deleted from any mail folder of the client. However, cases involving hard deletion of emails are not handled well by the client. Nevertheless, erasing or deleting email messages permanently does not mean that it’s gone forever, it can still be extracted forensically.
Forensic tracing of the email is used for retrieving information from mailbox files for analysis purposes. In order to do the same, we must first be aware of the file extension of emails and technicalities related to it. In the case of Windows Live Mail forensics, the file extension of emails is .eml and further information can be examined using forensic techniques.
Analysis of Windows Live Mail (EML) File Using MailXaminer
Forensic Email Analysis Tools, has the capability to examine and analyze EML files using its various attributes such as; Mail View for normal email body examination, viewing the hexadecimal code with Hex View, Properties of email file, Message Header analysis, MIME View, Email Hop, HTML View, RTF View & Word Cloud visualization. These multiple-mode features of the MailXaminer tool help to identify any kind of manipulation in the uploaded data file.
Attachments always deal with important digital artifacts. The user-friendly interface of the software enables a brief investigation of embedded attachments in Attachment View. With the help of MailXaminer, the investigator can easily dig deeper to find the potential evidence from the EML files.
Mail View
In normal Mail View, the email header represents a traversed path, which includes From, To, Cc, Bcc, Subject, Tag, and Attachment(s) details. The email body part also shows text/images of the email.
Hex Mode
Hexadecimal code examination in Hex View simplifies the structure of complicated binary values. These values make the investigation tasks easier to understand and assist in judging variant crimes like email fraud.
Properties
Properties of the EML email files can be viewed clearly in this preview mode. It helps investigators to extract the hidden information of the email files such as Message-ID, Body Details, Message Flags, etc.
Massage Header View
Message Header analysis gives the information to track emails. It also helps to find the original sender’s IP Address, MIME version, X-Priority, Message-IDs, Content-Type, etc.
Some Extra Features for Windows Live Forensics Tool
MIME View
The MIME View represents any SMTP mail’s inner details. In this view, the user can easily check the suspected email artefacts.
Email Hop
In this view, one can analyze the path wherein the email has been traversed. Moreover, this includes gateways, routers, and switches. It helps forensic examiners to find the clue by tracking the route of communication for the email.
HTML View
In this view, it helps the examiners to perform content analysis by analyzing the internal script or HTML code of the email data file.
RTF View
Rich Text File format helps the investigator to view the data in the original text format. Therefore, it allows the investigator to examine the email data clearly with actual fonts and formatting used in RTF Editor. Moreover, when someone composes emails using RTF Editor consists of a different encoding type, they can view them using this view mode.
Attachment View
Evidently, in this mode, a user does not need to open the entire message to view the attached file. Hence, this view provides direct access to the attachment of selected email files without opening emails individually.
Word Cloud
It is one of the most advanced features, which is present in the latest version of the tool. Word Cloud provides the visual representation of words and phrases contained in the email data. In Word Cloud, words and phrases generally display in different colors and sizes. Also, the size of the words is directly proportional to their frequencies as bigger size words indicate high frequency and words with smaller sizes indicate low frequency. This view helps investigators to gain a close insight into the email file.
Export and Save Evidence
A forensic analyst should always maintain the stages or steps of investigations involved to find the relevant evidence related to the crime scene. Moreover, it helps the examiners to show the investigation process regarding the case more accurately in front of judicial authorities. After searching the evidence within the EML files, the last stage of an email investigation process is “Reporting”. To make this happen, export the case data and evidence from the examined EML files into legal file formats like MSG, PDF, Concordance, etc, which benefits the judicial proceedings.
Also, MailXaminer allows exporting the evidence report in multiple file formats. Users can select and export the evidence report into any of the available file formats. It also provides the option to save the evidence report at any existing desired destination location into the system.
Conclusion
Now, in this write-up, we have discussed Windows Live Mail forensics, its supported file formats and locations. Here we also recommend an email forensic tool that can examine the .eml files in different views for better analysis. Evidently, the goal of MailXaminer is to fetch out sufficient evidence that may allow investigators to successfully prosecute the criminal perpetrator. Evidently, MailXaminer is a fast, accurate, and easy-to-use email forensic software solution.