Analysis of data stored in folder

9 Posts
4 Users
0 Likes
1,309 Views
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Hello everybody,

I'm trying to analyze some data stored in this folder. Specifically, the data I would like to analyze is stored under the following sub-folder

..\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\<<user-id>>\120712-0049\Att\

Does anybody know where the data stored here come from? I have researched on the Internet and the conclusion is that this is a kind of cache in which attached files from mails are stored. The next questions are:

Which mails? Which mail app? Does the user need to open the received mail in order for the attached files to be stored in the cache, or does just receiving the mail mean the files will be stored anyway? Where are the mails stored? Have they been erased, or were they never stored, even though their attached files indeed are? Could the mails be restored in such case?

Thanks everybody!

[Admin note the title of this post has been modified to make it fit on the front page of the site.]

 
Posted : 28/11/2017 1:13 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

Can you edit the title? The long string is causing the forum pages to load a bit weirdly.

Thanks!

 
Posted : 28/11/2017 12:55 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Does anybody know where the data stored here come from?

Yes. Windows 10 has an integrated E-Mail software and the path mentioned above is where this app stores attachments it receives. Inside the folder structure below "8wekyb3d8bbwe" attachments from the integrated calendar and contact apps are stored, too.

Some more details here

best regards, Robin

 
Posted : 28/11/2017 3:21 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Can you edit the title? The long string is causing the forum pages to load a bit weirdly.

Thanks!

I'm sorry. Admins edited it.

 
Posted : 28/11/2017 4:56 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Does anybody know where the data stored here come from?

Yes. Windows 10 has an integrated E-Mail software and the path mentioned above is where this app stores attachments it receives. Inside the folder structure below "8wekyb3d8bbwe" attachments from the integrated calendar and contact apps are stored, too.

Some more details here

best regards, Robin

Thanks for the info, but I had already read the web page you linked. It shows useful information, but it's not enough for my research.

The questions I asked at the beginning are not answered on the linked page.

Regards!!!

 
Posted : 28/11/2017 5:01 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Does anybody know where the data stored here come from? I have researched on the Internet and the conclusion is that this is a kind of cache in which attached files from mails are stored.

No. It is seemingly not a "cache"; it is where the actual attachments are stored by the built-in mail program.

These are your questions numbered

1) Which mails?
2) Which mail app?
3) Does the user need to open the received mail in order for the attached files to be stored in the cache, or does just receiving the mail mean the files will be stored anyway?
4) Where are the mails stored?
5) Have they been erased, or were they never stored, even though their attached files indeed are?
6) Could the mails be restored in such case?

This
https://cctc.calpoly.edu/ccic/forensics-manual
get the PDF of chapter 9
https://content-calpoly-edu.s3.amazonaws.com/cctc/1/documents/ccic_forensics_manual/CCIC%20Chapter%209%20-%20Email%20Review.pdf
and the Appendixes
https://content-calpoly-edu.s3.amazonaws.com/cctc/1/documents/ccic_forensics_manual/CCIC%20Appendix%20A%20to%20Appendix%20G.pdf
they might help you.

Possible answers
#1 All mails downloaded using the default mail app in Windows 8 (not "Live Mail" see appendix E) and possibly also on later versions
#2 See #1
#3 No need to open: the received mail is stored separately as "e-mail" and as attachment(s)
#4 See the doc
#5 ?
#6 I guess it depends, the mails are not the attachments and the attachments are not the e-mails, so it is possible that the actual mail was deleted (and cannot be recovered) by using some "alternate deletion methods" or maybe it has been deleted and it still can be recovered.

jaclaz

 
Posted : 28/11/2017 5:57 pm
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

Hi jaclaz!!

Magnificent docs!! Thanks.

3. Then, when a mail is received, the attached files are stored in the "Att" folder without it being necessary to open the mail? Really? 😯

Following the instructions I have found the set of mails under the "Mail\1\" folder, but the one I need is not there. The question is: if the mail was received and it was deleted, because the EML file doesn't exist anymore, why did the attached files remain? I mean, why weren't they deleted too?

Is there any possibility that these attached files came from another app instead of mail app?

Thanks!!!

 
Posted : 29/11/2017 3:27 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

3. Then, when a mail is received, the attached files are stored in the "Att" folder without it being necessary to open the mail? Really? 😯

According to the given docs, yes.
But if you think about it, it sounds "logical enough".
I mean, an email in - say - old Outlook Express, when downloaded went, BOTH the e-mail and the attachment(s), into a single "database".
AFAICR the old MS e-mail programs didn't even have (as a number of other programs do) an option to download from the e-mail server only the e-mail title, or only a given number of lines of the e-mail message or just the text but not the attachments, it was an all or nothing download. ?

When you wanted to actually open the e-mail (or the attachment) it was extracted/de-encoded from this database.
And managing this database has proved over the years (possibly because of the increase of both the number of the e-mails and the size of the attachments) to cause a number of issues.

So this Windows 8 (and later) app simply uses the (NTFS) filesystem as a database, it makes a lot of sense since a filesystem actually is a database (with a given number of "fixed fields") in it and NTFS is a very stable and fast filesystem, semi-journaled, etc., etc. with available (at least to the good MS guys) all possible search, edit, etc. libraries, it makes sense that instead of having a separate database engine they re-used the database they had available, i.e. the NTFS filesystem.

Following the instructions I have found the set of mails under the "Mail\1\" folder, but the one I need is not there. The question is: if the mail was received and it was deleted, because the EML file doesn't exist anymore, why did the attached files remain? I mean, why weren't they deleted too?

Is there any possibility that these attached files came from another app instead of mail app?

Thanks!!!

This is again more "common sense" than specific knowledge/experience, but I don't see why the user[1] could not directly access this "database" and either save a file in one of those folders/subfolders or (IMHO more probable) delete the "base e-mail" [2].

jaclaz

[1] and here also a line must be drawn.
Is it probable that *any* user will ever save a file in a path *like* ..\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\LiveComm\<<user-id>>\120712-0049\Att\ … ? Certainly not, but still it is possible.
Is it probable that *any* of the crappy apps/programs the user installed (or built-in in the OS) could delete by chance an .eml file in one of those folders? No, but still it is possible (let's say that a run - or automated run - of CHKDSK found that particular e-mail message on a defective sector and "fixed it").

[2] Could it be an accident or it must have been intentional?
Hard to say, and even harder to prove, but - mind you again just an example for the sake of reasoning - what would a "normal" user do in case he/she wanted to remove *all* compromising files containing the word "palimpsestuous" 😯 ?
Most probably search for all files *.* in all the disk(s) containing that word.
Now, would the built-in search functions find such a file in that particular path?
Or would only another search program find it (possibly run from another OS booted - say - from a USB stick)?
Can a file in that particular path be simply deleted by the user? (or do you need to tweak a number of options and - still say - run the program as administrator, etc.)

If - again just a hypothesis - what actually happened was that the .eml file was found in a text contents search and then deleted, the result would have been exactly what you report:
1) there is trace of this e-mail
2) there is the attachment
3) there is not (anymore) the .eml file
still this does not mean that this is what actually happened, a thorough analysis of the filesystem (and all other possible OS artifacts) assembled in a timeline might provide (or might not provide) further elements supporting or excluding this hypothesis.

 
Posted : 30/11/2017 9:33 am
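The situation jaclaz's last reply describes (an attachment still sitting in "Att" while the .eml that carried it is gone, and a filesystem timeline as the way to test the deletion hypothesis) can be checked mechanically. The following is an added example written for this thread, not code from any poster or from Microsoft: it cross-references every attachment filename declared inside the surviving .eml files under Mail\ against the files actually present in Att\, reports "orphans" (present but undeclared) and "missing" (declared but absent), and prints an mtime-ordered timeline of the store. It assumes that Mail\1\ and Att\ are sibling folders under the same <<user-id>>\120712-0049\ root, as the thread implies; the sample tree, message and file names are constructed in a temp directory so the script runs offline.

```python
from __future__ import annotations

import email
import tempfile
from datetime import datetime, timezone
from email import policy
from email.message import EmailMessage
from pathlib import Path

# Assumption (not stated outright in the thread): Mail\1\ holds the .eml files
# and Att\ holds the attachments, both under the same 120712-0049\ store root.
# Everything created by build_sample_tree() is constructed sample data.


def build_sample_tree() -> Path:
    """Create a small LiveComm-style tree in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="livecomm_")) / "120712-0049"
    mail_dir = root / "Mail" / "1"
    att_dir = root / "Att"
    mail_dir.mkdir(parents=True)
    att_dir.mkdir()

    # A message that still exists and declares exactly one attachment.
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Subject"] = "Report"
    msg.set_content("See attached.")
    msg.add_attachment(b"report body", maintype="application",
                       subtype="octet-stream", filename="report.pdf")
    (mail_dir / "msg1.eml").write_bytes(bytes(msg))
    (att_dir / "report.pdf").write_bytes(b"report body")

    # An attachment whose .eml is gone: the case discussed in the thread.
    (att_dir / "invoice.xlsx").write_bytes(b"no surviving message declares me")
    return root


def attachments_referenced(eml_path: Path) -> set[str]:
    """Return the attachment filenames declared inside one .eml file."""
    with eml_path.open("rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)
    names: set[str] = set()
    for part in msg.iter_attachments():
        name = part.get_filename()
        if name:
            names.add(name)
    return names


def correlate(root: Path) -> dict:
    """Cross-reference Att\\ against the attachments declared in Mail\\**\\*.eml.

    'orphans' are files in Att\\ that no surviving .eml declares (the thread's
    scenario); 'missing' are declared attachments with no file in Att\\.
    """
    referenced: dict[str, list[str]] = {}
    for eml in sorted((root / "Mail").rglob("*.eml")):
        for name in attachments_referenced(eml):
            referenced.setdefault(name, []).append(eml.name)
    declared = set(referenced)
    present = {p.name for p in (root / "Att").iterdir() if p.is_file()}
    return {
        "referenced": referenced,
        "orphans": sorted(present - declared),
        "missing": sorted(declared - present),
    }


def timeline(root: Path) -> list[tuple[str, str, str]]:
    """Order every file in the store by modification time (UTC, ISO 8601).

    Rows are (mtime, kind, path relative to root). On a real image the $MFT
    timestamps would be the authoritative source; stat() mtime is the portable
    stand-in used here.
    """
    rows = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        kind = "eml" if p.suffix.lower() == ".eml" else "att"
        mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
        rows.append((mtime.isoformat(), kind, p.relative_to(root).as_posix()))
    return sorted(rows)


if __name__ == "__main__":
    store = build_sample_tree()
    result = correlate(store)
    print("orphans (file in Att, no .eml declares it):", result["orphans"])
    print("missing (declared in an .eml, not in Att):", result["missing"])
    for row in timeline(store):
        print(*row)
```

Run against a real store, replace `build_sample_tree()` with the path to the 120712-0049 folder copied out of the image; an orphan in the report is consistent with jaclaz's "the .eml was deleted, the attachment stayed" reading but does not prove it, which is why the timeline rows (and, on the real volume, $MFT and $LogFile/$UsnJrnl records) are what you would line up next.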
(@skywalker)
Posts: 152
Reputable Member
Topic starter
 

I have been studying all the docs provided by jaclaz and the question here is the following

Could some mail's attached files be stored in the "\Att" folder after a mail is received and stored in the "\1" folder, without it being necessary to open the mail? Could the mail be deleted without being opened, but the attached files not be deleted from the "\Att" folder?

Thanks and regards!

 
Posted : 07/12/2017 12:18 am