±Forensic Focus Partners

Become an advertising partner

±Your Account


Forgotten password/username?

Site Members:

New Today: 0 Overall: 35420
New Yesterday: 8 Visitors: 168

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Analysis of data stored in folder

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page Previous  1, 2 

Senior Member

Re: Analysis of data stored in folder

Post Posted: Nov 30, 17 04:33

- Skywalker

3. Then, when a mail is recieved, the attached files are stored in "Att" folder without being necessary to open the mail? Really? Shocked

Accordingly to given docs, yes.
But if you think about it sounds "logical enough".
I mean, an email in - say - old Outlook Express, when downloaded went, BOTH the e-mail and the attachment(s), into a single "database".
AFAICR the old MS e-mail programs didn't even have (as a number of other programs do) an option to download from the e-mail server only the e-mail title, or only a given number of lines of the e-mail message or just the text but not the attachments, it was an all or nothing download. Confused

When you wanted to actually open the e-mail (or the attachment) it was extracted/de-encoded from this database.
And managing this database has been proved over the years (possibly because of the increase of both the number of the e-mails and size of the attachments) to cause a number of issues.

So this Windows 8 (and later) app simply uses the (NTFS) filesystem as a database, it makes a lot of sense since a filesystem actually is a database (with a given number of "fixed fields") in it and NTFS is a very stable and fast filesystem, semi-journaled, etc., etc. with available (at least to the good MS guys) all possible search, edit, etc. libraries, it makes sense that instead of having a separate database engine they re-used the database they had available, i.e. the NTFS filesystem.

- Skywalker

Following the instructions I have found the set of mails under "Mail\1\" folder but the one I need is not. The question is: if the mail was recieved and it was deleted because the EML file doesn't exist anymore, why the attached files remained? I mean, why weren't they deleted too?

Is there any possibility that these attached files came from another app instead of mail app?


This is again more "common sense" than specific knowledge/experience, but I don't see why the user[1] could not directly access this "database" and either save a file in one of those folders/subfolders or (IMHO more probable) delete the "base e-mail" [2].


[1] and here also a line must be drawn.
Is it probable thar *any* user will ever save a file in a path *like* ..\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\<<user-id>>\120712-0049\Att\ ... ? certainly not, but still it is possible.
Is it probable that *any* of the crappy apps/programs the user installed (or built-in in the OS) could delete by chance an .eml file in one of those folders? No, but still it is possible (let's say that running - or automated run - of CHKDSK found that patticular e-mail message on a defective sector and "fixed it").

[2] Could it be an accident or it must have been intentional?
Hard to say, and even harder to prove, but - mind you again just an example for the sake of reasoning - what would a "normal" user do in case he/she wanted to remove *all* compromising files containing the word "palimpsestuous" Shocked ?
Most probably search for all files *.* in all the disk(s) containing that word.
Now, would the built-in search functions find such a file in that particular path?
Or would only another search program find it (possibly run from another OS booted - say - from a USB stick)?
Can a file in that particular path be simply deleted by the user? (or you need to tweak a number of options and - still say - run the progtam as administrator, etc.)

If - again just an hypothesis - what actually happened was that the .eml file was found in a text contents search and then deleted, the result would have been exactly what you report:
1) there is trace of this e-mail
2) there is the attachment
3) there is not (anymore) the .eml file
still this does not mean that this is what actually happened, a thorough analysis of the filesystem (and all other possible OS artifacts) assembled in a timeline might provide (or might not provide) further elements supporting or excluding this hypothesis.
- In theory there is no difference between theory and practice, but in practice there is. - 

Senior Member

Re: Analysis of data stored in folder

Post Posted: Dec 06, 17 19:18

I have been studying all the docs provided by jaclaz and the question here is the following:

Could some mail's attached files be stored in the folder "\Att" after a mail is recieved and stored in "\1" folder and without being necessary to open the mail? Could the mail be deleted without being opened but the attached files not to be deleted from "\Att" folder?

Thanks and regards!  

Page 2 of 2
Page Previous  1, 2