I need to extract all email messages stored in the "Windows Mail" app of Windows 10 (including body and attachments), preferably as EML.
Is any tool or script available for this task?
As far as I know, AXIOM, X-Ways and EnCase don't support it.
Hello,
This application might work for you https://
NOTE: I have no relationship whatsoever with Fookes Software except for the fact that I use Aid4Mail Forensic Edition myself.
I tried Aid4Mail Forensic Edition, but it doesn't support the Windows 10 Mail app.
I forgot to mention that I have an E01 forensic image and that I can't connect to the IMAP account.
What file types are you finding in the Windows 10 Mail App folder specifically?
I might be completely wrong here...
But people who know more than me might be able to confirm or debunk my thoughts here :)
But I do believe that the mail client stores the emails as EML locally if POP3 is selected, while if IMAP is selected all the mail is stored on the server.
Do you know the settings? :)
What file types are you finding in the Windows 10 Mail App folder specifically?
The messages are stored in a distributed way.
In AppData\Local\Comms\Unistore\Data\3 you find the message body.
In AppData\Local\Comms\Unistore\Data\7 you find the message's attachments.
In AppData\Local\Comms\UnistoreDB\store.vol you have an EDB database which contains the headers and the links to the message bodies and attachments.
But I do believe that the mail client stores the emails as EML locally if POP3 is selected, while if IMAP is selected all the mail is stored on the server.
Please see my answer to UnallocatedClusters regarding how the emails are stored.
Yep, that is pages 213-215 here (by Oleg Skulkin and Scar De Courcier)
https://
jaclaz
Yep, that is pages 213-215 here (by Oleg Skulkin and Scar De Courcier)
https://books.google.it/books?id=XJZGDwAAQBAJ&pg=PA213#v=onepage&q&f=false
jaclaz
Thanks jaclaz.
I would like to remind you of my original question:
Is any tool or script available for this task?
The Win10 Mail app now stores everything in ESE databases, which is a pain. We're adding support for it right now but it's not out yet. The Win8 Mail app used to just cache EML files, which was great and easy to support; the newer stuff is a little messier. In the meantime, while you wait for tools to support it, you should be able to take a look using an ESE db viewer of your choice, which will get you most of what you need; it's just a little more manual work piecing it all together.
EDIT: the link to Oleg's book didn't work for me, but I suspect he said the same thing that I mention above :)
Hope that helps,
Jamie McQuaid
Magnet Forensics
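A first step for the manual approach described in the thread, as an added example that is not code from any poster or vendor: it inventories the three artifact locations named above under one exported user profile, hashes each file, and checks that store.vol carries the ESE header signature (bytes EF CD AB 89 at offset 4). The role labels, the sample subfolders `a`/`b` and the `.dat` file names are assumptions constructed for the demo; it does not reassemble messages.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

ESE_MAGIC = b"\xef\xcd\xab\x89"  # ESE header signature, stored at file offset 4
# Relative paths as given in the thread; the role labels are this example's own.
ARTIFACTS = {"body": Path("AppData/Local/Comms/Unistore/Data/3"),
             "attachment": Path("AppData/Local/Comms/Unistore/Data/7")}
STORE = Path("AppData/Local/Comms/UnistoreDB/store.vol")

def sha256(path):
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def is_ese(path):
    with path.open("rb") as f:
        return f.read(8)[4:8] == ESE_MAGIC

def inventory(profile):
    """Return rows (role, relative path, size, sha256) for one user profile directory."""
    profile, rows = Path(profile), []
    for role, rel in ARTIFACTS.items():
        base = profile / rel
        if base.is_dir():  # a case-sensitive mount may spell these folders differently
            for p in sorted(q for q in base.rglob("*") if q.is_file()):
                rows.append((role, p.relative_to(profile).as_posix(), p.stat().st_size, sha256(p)))
    store = profile / STORE
    if store.is_file():
        role = "ese-db" if is_ese(store) else "store.vol (no ESE signature)"
        rows.append((role, STORE.as_posix(), store.stat().st_size, sha256(store)))
    return rows

def build_sample(profile):
    """Constructed stand-in for a profile exported from the image (not real evidence)."""
    files = {ARTIFACTS["body"] / "a" / "0001.dat": b"constructed body",
             ARTIFACTS["attachment"] / "b" / "0002.dat": b"constructed attachment",
             STORE: b"\x00\x00\x00\x00" + ESE_MAGIC + b"\x00" * 8}
    for rel, data in files.items():
        (Path(profile) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(profile) / rel).write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) < 2:
            build_sample(tmp)  # no profile path given: run on the constructed sample
        for row in inventory(sys.argv[1] if len(sys.argv) > 1 else tmp):
            print(*row, sep="\t")
```

Pass the path of a user profile folder exported from the image as the first argument; with no argument it runs on the constructed sample.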