Blog >> Window Mail

Investigating Window Mail

17/02/2023 Friday

Windows Mail is an email client developed by Microsoft and included in Windows Vista and later versions of Windows. It is available as the successor to Outlook Express, which was either included with, or released for Internet Explorer 3.0 and later versions of Internet Explorer.

Digital Forensics Value of Windows Mail

Mail is an essential method of communication that used within different fields. Where windows mail provides records of emails, contacts, and events; this can be significant in varus types of investigations.

Location of Windows Mail Artifacts

Mail artifacts are found in the following location:
%systempartititon%:\Users\%username%\Appdata\Local\Comms\UnistoreDB

Analyzing Windows Mail with ArtiFast

This section will discuss how to use ArtiFast to extract Mail artifacts from Windows and what kind of digital forensics insights we can gain from the artifacts.

After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select Windows Mail artifacts:

Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Window Mail artifacts in ArtiFast.

Windows Mail Calendar Events Artifact

• Date - Event start date/time.
• Event Name - The Event name.
• Event Owner - The Event Owner.
• Account - The email address of the account.
• Event Location - The event location.
• Time (Mins) - Time in minutes.
• All Day - Indicates whether the event is all day or not.
• Additional People - Additional people associated with the event.
• Duration(Mins) - Duration in minutes.
• Repeat - Indicate whether the event is repeated or not.

Windows Mail Contacts Artifact

• Date - Message delivery date/time.
• Message ID - The message ID.
• Email Content location - Email content file local path.
• From - Email sender.
• Importance - Email importance setting.
• Message abstract - Message abstract.
• BCC - The BCC recipient/s of the email.
• Attachment(s) - Information on attachment.
• Parent Folder - Email parent folder.
• Record Cached Date/Time - Email record cached date/time.
• Read - Indicate whether the email was read or not.
• Subject - Email subject.
• CC - Email CC recipient(s).
• Display Name - Display name.

Windows Mail Messages Artifact

• Date - Message delivery date/time.
• Message ID - The message ID.
• Email Content location - Email content file local path.
• From - Email sender.
• Importance - Email importance setting.
• Message abstract - Message abstract.
• BCC - The BCC recipient/s of the email.
• Attachment(s) - Information on attachment.
• Parent Folder - Email parent folder.
• Record Cached Date/Time - Email record cached date/time.
• Read - Indicate whether the email was read or not.
• Subject - Email subject.
• CC - Email CC recipient(s).
• Display Name - Display name.

For more information or suggestions please contact: ekrma.elnour@forensafe.com