A Brief Guide on Apple Mail Forensics

MailXaminer | July 4th, 2015 | Forensics

Mac operating systems have shipped with Apple Mail (Mail.app) since version 10.0. Like most operating systems, Mac OS X uses Apple Mail as its default desktop messaging client. Its feature set has made it the standard messaging platform among Apple Mac users, and as Mac OS has gained a large user base, Apple Mail has become the most obvious medium of communication for Mac users because it is already there and ready to use. These factors have brought Apple Mail to the attention of investigators, since Mac-based applications complicate investigation procedures when no dedicated tool is available. This paper discusses the essentials of Apple Mail, examining which is enough to bring out vital evidentiary information from an investigative standpoint.

The Heart of Apple Mail Forensics: Storage

Examining anything involves going into the depths to discover activities that occurred in the past. As far as the forensic analysis of Apple Mail is concerned, its data storage therefore plays the central role: studying it is essential to understand, interpret, and conclude a case involving offending activities carried out using or involving Apple Mail.

Better known as Mail.app, Apple Mail stores its messages as a collection arranged in the standard folder structure of Inbox, Outbox, Sent Items, etc. The peculiarity of its storage is that each of these folders is denoted as a mailbox, and the default folder path is:

[image: default Apple Mail mailbox folder path]

Every mailbox is generated in mailbox format, i.e. the MBOX file type, which is a collection of text-formatted messages concatenated into a single file.

Traversing The Email Storage of Apple Mail

MBOX files are cross-platform, and most applications compatible with them are open source. Reading the contents stored within an MBOX file is therefore no challenge. However, when the task is to read the file forensically, investigators are required to read between the lines and not just what is on the surface.

Locating And Exploration of Artifacts During Apple Mail Forensics

Besides the mailbox, the client in question stores a copy of each message individually as an .emlx file. These are kept within the ‘messages’ folder of each mailbox (inbox, sent items, outbox, etc.). To locate Apple Mail mailboxes, follow the given folder path on your Mac machine and extract the relevant artifacts for evidence acquisition:

[image: Apple Mail mailbox folder path and .emlx message files]

Mailbox files, or MBOX files, have multiple variants, which differ according to the client that created them. These variants are MBOXO, MBOXCL/CL2, and MBOXRD. The variant used by Apple Mail is MBOX and is readable across a variety of platforms. Nevertheless, to keep the process strictly forensic, a commercial Apple Mail MBOX viewer can be applied to the work. Such a utility improves the investigation by providing a collective view of messages on a unified platform, with all metadata (the details associated with each message) retained in its original form. Forensic tools also speed up the examination of email artifacts, which further helps in sorting out evidence from them.

Working on MBOX-file-based evidence during Apple Mail forensics is relatively convenient for investigators because the file type is text-based and has a standard structure: each message is separated from the next by a blank line followed by a “From ” separator line. However, forensic processing comes with standards of investigation, principles, and prerequisites, i.e. the original evidence is not processed unless the platform guarantees not to spoil it, and metadata is retained so that the activities of the suspect or victim can be tracked down.
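The following is an added example, not code from the original article or from MailXaminer, showing how the MBOX structure described above and the per-message .emlx files described earlier can be processed without touching the evidence: the artifact is opened read-only and hashed before parsing, the MBOX is split on its “From ” separator lines (unquoting the “>From ” body lines that the mboxrd convention introduces), each .emlx is split into its RFC 822 message and the trailing metadata plist, and the messages are put into date order. All sample data is constructed; the plist keys and addresses are illustrative, and the path handling assumes the examiner has already copied the mailbox out of ~/Library/Mail (the version-numbered subfolder beneath it varies by OS X release).

```python
"""Added example (not from the original article or from MailXaminer): read Apple
Mail storage without modifying it, record a hash of the evidence, split an MBOX
file into individual messages, parse .emlx files, and build a date-ordered
inventory of message metadata.  All sample data below is constructed."""
import hashlib
import plistlib
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed two-message MBOX.  The messages are deliberately out of date order,
# and the second body contains a ">From " line, which is how mboxrd quotes a body
# line that would otherwise look like a message separator.
SAMPLE_MBOX = b"""From alice@example.invalid Sat Jul  4 09:05:00 2015
From: alice@example.invalid
To: bob@example.invalid
Date: Sat, 04 Jul 2015 09:05:00 +0000
Subject: second
Message-ID: <m1@example.invalid>

Sent a little later.

From bob@example.invalid Sat Jul  4 09:00:00 2015
From: bob@example.invalid
To: alice@example.invalid
Date: Sat, 04 Jul 2015 09:00:00 +0000
Subject: first
Message-ID: <m2@example.invalid>

>From my side it looks fine.
"""

# Constructed .emlx: "<byte count>\n" + RFC 822 message + XML plist holding the
# client's per-message metadata (the plist keys here are illustrative).
_EMLX_MESSAGE = (b"From: carol@example.invalid\nTo: bob@example.invalid\n"
                 b"Date: Sat, 04 Jul 2015 09:10:00 +0000\nSubject: emlx sample\n"
                 b"Message-ID: <m3@example.invalid>\n\nStored as an individual file.\n")
SAMPLE_EMLX = (b"%d\n" % len(_EMLX_MESSAGE) + _EMLX_MESSAGE
               + plistlib.dumps({"flags": 0, "date-received": 1436000000}))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_evidence(path: str) -> tuple[bytes, str]:
    """Open the artifact read-only and hash it before any parsing, so a later
    re-hash can show the original file was not altered by the examination."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data, sha256_hex(data)


def split_mbox(data: bytes) -> list[bytes]:
    """Split an MBOX blob into raw messages on its "From " separator lines.
    Body lines quoted as ">From " (mboxrd) get one ">" removed."""
    messages: list[bytes] = []
    current: list[bytes] = []
    for line in data.splitlines(keepends=True):
        if line.startswith(b"From "):
            if current:
                messages.append(b"".join(current))
            current = []            # the separator line is not part of the message
            continue
        if line.startswith(b">") and line.lstrip(b">").startswith(b"From "):
            line = line[1:]
        current.append(line)
    if current:
        messages.append(b"".join(current))
    return messages


def summarize(raw: bytes) -> dict:
    """Pull the headers an examiner sorts and searches on, plus a per-message hash."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain",))
    return {
        "from": str(msg.get("From", "")),
        "to": str(msg.get("To", "")),
        "date": str(msg.get("Date", "")),
        "subject": str(msg.get("Subject", "")),
        "message_id": str(msg.get("Message-ID", "")),
        "body": body.get_content() if body is not None else "",
        "sha256": sha256_hex(raw),
    }


def parse_emlx(data: bytes) -> tuple[bytes, dict]:
    """An .emlx file is "<length>\\n" + the RFC 822 message + an XML plist."""
    first, _, rest = data.partition(b"\n")
    length = int(first.strip())
    raw, trailer = rest[:length], rest[length:].strip()
    meta = plistlib.loads(trailer) if trailer else {}
    return raw, meta


def timeline(rows: list[dict]) -> list[dict]:
    """Order messages by their Date header; file order need not be chronological."""
    return sorted(rows, key=lambda r: parsedate_to_datetime(r["date"]))


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False, suffix=".mbox") as tmp:
        tmp.write(SAMPLE_MBOX)     # stands in for a copy of an acquired mailbox
    data, digest = load_evidence(tmp.name)
    for row in timeline([summarize(m) for m in split_mbox(data)]):
        print(row["date"], row["from"], "->", row["to"], "|", row["subject"])
    assert load_evidence(tmp.name)[1] == digest   # unchanged after parsing
    os.unlink(tmp.name)
    raw, meta = parse_emlx(SAMPLE_EMLX)
    print("emlx:", summarize(raw)["subject"], meta)
```

Recording the hash before and after parsing is what lets the examiner show the original was not spoiled; the per-message hash in each inventory row gives the same assurance for individual messages once they are extracted into another format. The .emlx trailer is parsed with the standard library's plistlib, so the client's own flags and dates reach the inventory without being rewritten.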

The Apple Mail MBOX viewer MailXaminer emerges as a strong standalone provision for investigating Mail.app message storage. The application provides a unified platform for reading MBOX files and their contents in detail. It also comes integrated with a range of investigation-friendly options such as bulk mailbox processing, defined email parsing, evidence searching, reporting, and extraction to other formats.