
Windows 10 Mail App

12 Posts
6 Users
0 Likes
4,549 Views
(@guillef)
Posts: 6
Active Member
Topic starter
 

I need to extract all email messages stored in the "Windows Mail" app of Windows 10 (including body and attachments), preferably as EML.

Any tool or script available for this task?

As far as I know AXIOM, X-Ways and Encase don't support it.

 
Posted : 08/10/2018 3:57 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

Hello,

This application might work for you https://www.aid4mail.com//email-forensics.php

NOTE: I have no relationship whatsoever with Fookes Software except for the fact that I use Aid4Mail Forensic Edition myself.

 
Posted : 08/10/2018 5:56 pm
(@guillef)
Posts: 6
Active Member
Topic starter
 

I tried Aid4Mail Forensic Edition, but it doesn't support Windows 10 Mail App.

I forgot to mention that I have an E01 forensic image and that I can't connect to the IMAP account.

 
Posted : 09/10/2018 12:21 am
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

What file types are you finding in the Windows 10 Mail App folder specifically?

 
Posted : 09/10/2018 1:53 am
LeGioN
(@legion)
Posts: 51
Trusted Member
 

I might be completely wrong here...
But people who know more than me might be able to confirm or debunk my thoughts here :)

But I do believe that the mail-client stores the emails as EML locally if POP3 is selected, while if IMAP is selected all the mail is stored on the server.

Do you know the settings? :)

 
Posted : 09/10/2018 7:45 am
(@guillef)
Posts: 6
Active Member
Topic starter
 

> What file types are you finding in the Windows 10 Mail App folder specifically?

The messages are stored in a distributed way.

In AppData\Local\Comms\Unistore\Data\3 you find the message bodies.
In AppData\Local\Comms\Unistore\Data\7 you find the messages' attachments.
In AppData\Local\Comms\UnistoreDB\store.vol you have an EDB database which contains the headers and the links to the message bodies and attachments.

 
Posted : 09/10/2018 11:26 am
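Added example, not part of any post in this thread: a Python triage sketch that inventories the three locations named in the post above under one user profile of a read-only mounted image, hashes each file, and checks that store.vol carries the ESE header signature. The profile path argument, the function names, and the subfolder and file names in the sample tree are assumptions made for illustration; the sample data is constructed.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

ESE_MAGIC = 0x89ABCDEF  # little-endian DWORD at offset 4 of an ESE file header
# Relative paths as given in the post; a case-sensitive mount may need other casing.
STORE_VOL = "AppData/Local/Comms/UnistoreDB/store.vol"
DATA_DIRS = {"bodies": "AppData/Local/Comms/Unistore/Data/3",
             "attachments": "AppData/Local/Comms/Unistore/Data/7"}

def is_ese(path):
    """True if the file carries the ESE signature after its 4-byte checksum."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    return len(head) == 8 and struct.unpack_from("<I", head, 4)[0] == ESE_MAGIC

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(profile):
    """List the Unistore artifacts under one user profile (hypothetical helper)."""
    profile = Path(profile)
    found = {"store_vol": None, "bodies": [], "attachments": []}
    db = profile / STORE_VOL
    if db.is_file():
        found["store_vol"] = {"size": db.stat().st_size, "ese": is_ese(db),
                              "sha256": sha256_of(db)}
    for kind, rel in DATA_DIRS.items():
        base = profile / rel
        if base.is_dir():  # skip folders missing from this profile
            for item in sorted(p for p in base.rglob("*") if p.is_file()):
                found[kind].append((item.relative_to(profile).as_posix(),
                                    item.stat().st_size, sha256_of(item)))
    return found

def build_constructed_profile(root):
    """Constructed sample data: a fake profile tree, not real Mail app output."""
    root = Path(root)
    files = {STORE_VOL: b"\x00" * 4 + struct.pack("<I", ESE_MAGIC) + b"\x00" * 24,
             DATA_DIRS["bodies"] + "/a/0001.dat": b"<html>constructed body</html>",
             DATA_DIRS["attachments"] + "/b/0002.dat": b"constructed attachment"}
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(inventory(build_constructed_profile(tmp)))
```

The inventory only records what is present; linking a header row in store.vol to its body and attachment files still requires reading the ESE tables.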
(@guillef)
Posts: 6
Active Member
Topic starter
 

> But I do believe that the mail-client stores the emails as EML locally if POP3 is selected, while if IMAP is selected all the mail is stored on the server.

Please see my answer to UnallocatedClusters regarding how the emails are stored.

 
Posted : 09/10/2018 11:29 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Yep, that is pages 213-215 here (by Oleg Skulkin and Scar De Courcier)
https://books.google.it/books?id=XJZGDwAAQBAJ&pg=PA213#v=onepage&q&f=false

jaclaz

 
Posted : 09/10/2018 5:55 pm
(@guillef)
Posts: 6
Active Member
Topic starter
 

> Yep, that is pages 213-215 here (by Oleg Skulkin and Scar De Courcier)
> https://books.google.it/books?id=XJZGDwAAQBAJ&pg=PA213#v=onepage&q&f=false
>
> jaclaz

Thanks jaclaz.

I would like to remind you of my original question:
Any tool or script available for this task?

 
Posted : 10/10/2018 2:07 pm
(@mcman)
Posts: 189
Estimable Member
 

The Win10 Mail app now stores everything in ESE databases, which is a pain. We're adding support for it right now but it's not out yet. The Win8 Mail app used to just cache EML files, which was great and easy to support; the newer stuff is a little messier. In the meantime, while you wait for tools to support it, you should be able to take a look using an ESE DB viewer of your choice, which will get you most of what you need; it's just a little more manual work piecing it all together.

EDIT: the link to Oleg's book didn't work for me but I suspect he said the same thing that I mention above :)

Hope that helps,

Jamie McQuaid
Magnet Forensics

 
Posted : 10/10/2018 3:50 pm
Page 1 / 2