±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 33155
New Yesterday: 2 Visitors: 174

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

Analysis of data stored in folder

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page 1, 2  Next 
  

Analysis of data stored in folder

Post Posted: Mon Nov 27, 2017 7:13 pm

Hello everybody,

I'm trying to analyze some data stored in this folder. Specifically, the data I would like to analyze is the stored under the next sub-folder:

..\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\<<user-id>>\120712-0049\Att\

Does anybody know where the data stored here come from? I have researched in the Internet and the conclussion is this is a kind of cache in which attached files from mails are stored. The next questions are:

Which mails? Which mail app? Do the user need to open the recieved mail in order the attached files to be stored in the cache or just recieving the mail means the files will be stored although? Where are the mails stored? Have they been erased or they never were stored despite of their attached files indeed are? Could the mails be restored in such case?

Thanks everybody!

[Admin note: the title of this post has been modified to make it fit on the front page of the site.]  

Skywalker
Senior Member
 
 
  

Re: microsoft.windowscommunicationsapps_8wekyb3d8bbwe folder

Post Posted: Tue Nov 28, 2017 6:55 am

Can you edit the title? the long string is causing the form pages to load a bit weirdly.

Thanks!  

jpickens
Senior Member
 
 
  

Re: Analysis of data stored in folder

Post Posted: Tue Nov 28, 2017 9:21 am

- Skywalker


Does anybody know where the data stored here come from?


Yes. Windows 10 has a integrated E-Mail software and the path mentioned above is where this app stores attachments it receives. Inside the folder structure below "8wekyb3d8bbwe" attachments from the integrated calendar and contact apps are stored, too.

Some more details here

best regards, Robin  

Bunnysniper
Senior Member
 
 
  

Re: microsoft.windowscommunicationsapps_8wekyb3d8bbwe folder

Post Posted: Tue Nov 28, 2017 10:56 am

- jpickens
Can you edit the title? the long string is causing the form pages to load a bit weirdly.

Thanks!


I'm sorry. Admins edited it.  

Skywalker
Senior Member
 
 
  

Re: Analysis of data stored in folder

Post Posted: Tue Nov 28, 2017 11:01 am

- Bunnysniper
- Skywalker


Does anybody know where the data stored here come from?


Yes. Windows 10 has a integrated E-Mail software and the path mentioned above is where this app stores attachments it receives. Inside the folder structure below "8wekyb3d8bbwe" attachments from the integrated calendar and contact apps are stored, too.

Some more details here

best regards, Robin


Thanks for the info but I had already read the web you link. It shows useful information but it's not enough for my research.

The questions I made at the beginning are not answered in the web linked.

Regards!!!  

Skywalker
Senior Member
 
 
  

Re: Analysis of data stored in folder

Post Posted: Tue Nov 28, 2017 11:57 am

- Skywalker

Does anybody know where the data stored here come from? I have researched in the Internet and the conclussion is this is a kind of cache in which attached files from mails are stored.

No. it is seemingly not a "cache" is where the actual attachment are stored by the built-in mail program

These are your questions numbered:
- Skywalker

1) Which mails?
2) Which mail app?
3) Do the user need to open the recieved mail in order the attached files to be stored in the cache or just recieving the mail means the files will be stored although?
4) Where are the mails stored?
5) Have they been erased or they never were stored despite of their attached files indeed are?
6) Could the mails be restored in such case?

This:
cctc.calpoly.edu/ccic/...ics-manual
get the PDF of chapter 9
content-calpoly-edu.s3...Review.pdf
and the Appendixes:
content-calpoly-edu.s3...ix%20G.pdf
they might help you.

Possible answers:
#1 All mails downloaded using the default mail app in Windows 8 (not "Live Mail" see appendix E) and possibly also on later versions
#2 See #1
#3 No need to open the received mail is stored separately as "e-mail" and as attachment(s)
#4 See the doc
#5 ?
#6 I guess it depends, the mails are not the attachments and the attachments are not the e-mails, so it is possible that the actual mail was deleted (and cannot be recovered) by using some "alternate deletion methods" or maybe it has been deleted and it still can be recovered.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: Analysis of data stored in folder

Post Posted: Tue Nov 28, 2017 9:27 pm

Hi jaclaz!!

Magnificent docs!! Thanks.

3. Then, when a mail is recieved, the attached files are stored in "Att" folder without being necessary to open the mail? Really? Shocked

Following the instructions I have found the set of mails under "Mail\1\" folder but the one I need is not. The question is: if the mail was recieved and it was deleted because the EML file doesn't exist anymore, why the attached files remained? I mean, why weren't they deleted too?

Is there any possibility that these attached files came from another app instead of mail app?

Thanks!!!  

Skywalker
Senior Member
 
 

Page 1 of 2
Go to page 1, 2  Next