A Brief Guide on Apple Mail Forensics: Data Storage Analysis

MailXaminer | October 19th, 2020 | Forensics

Mac OS X, the well-known and widely used operating system of Apple Mac systems, ships “Apple Mail” as its default messaging client for desktop communication. The maturity and feature set of Apple Mac OS have made it a standard messaging platform among Mac users, which has earned it a large user base. Owing to this effortless reach, it has become the most obvious medium of communication for Mac users.

Because of this popularity and broad adoption, Apple Mail draws the attention of cybercriminals and frequently becomes the target of email crimes. Forensic investigators have also observed that Mac-based applications present complications during an investigation because forensic tooling for them is less advanced. This article discusses the need for Apple Mail forensics and how to bring out vital evidentiary information from an investigative standpoint.

Heart of Apple Mail Forensics: Data Storage

An investigation is essentially a matter of going into depth to reconstruct activities that occurred in the past. As far as the forensic analysis of Apple Mail is concerned, therefore, its data storage plays the central role. Studying the suspected data is essential to understand, interpret, and conclude a case involving offending activities carried out through Apple Mail.

Apple Mail, better known as “Mail.app”, stores its messages in a standard folder structure named Inbox, Outbox, Sent Items, and so on. The peculiarity of this storage is that each folder is represented as a mailbox (MBOX format), and the default folder path is:

Library/Mail/[Mail Box]

Every mailbox is generated in MBOX format. MBOX is a file type used to hold a collection of email messages as plain text.

Data Storage Analysis

Traversing the Email Storage of Apple Mail

MBOX files are cross-platform and open in nature, so reading the content stored within an MBOX file is not challenging in itself. The challenge lies in reading the file forensically: investigators must read and analyze the content in order to extract evidentiary facts.

Locating and Exploration of Artefacts during Apple Mail Forensics

Besides the mailbox, the email client stores a copy of each message individually as a .emlx file, within the “Messages” folder of each mailbox (Inbox, Sent Items, Outbox, etc.). To locate Apple Mail mailboxes, follow the given folder path on the Mac machine and extract the relevant artefacts for evidence acquisition:

Library/Mail/[Mail Box]


Mailbox files, or MBOX files, have multiple variants, which differ depending on the email client that originally produced them. These variants are MBOXO, MBOXCL/CL2, and MBOXRD. The variant used by Apple Mail is MBOX, which is readable across a variety of platforms.
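To make the storage layout concrete, here is an added example (not from the article and not MailXaminer's code) that indexes a mailbox of the kind described above and splits one .emlx file into its message and flags, using Python's standard mailbox, email and plistlib modules on constructed sample data. The .emlx layout used here (a leading byte-count line, the RFC 822 message, then an XML property list) is an assumption about Mail.app's per-message files, not something the article states.

```python
import hashlib
import mailbox
import plistlib
import tempfile
from email import message_from_bytes
# Constructed sample mailbox (mboxo layout: each message begins with a "From " line).
SAMPLE_MBOX = b"""From alice@example.test Mon Oct 19 09:00:00 2020
From: Alice <alice@example.test>
To: Bob <bob@example.test>
Subject: Quarterly figures
Message-ID: <msg-0001@example.test>
Date: Mon, 19 Oct 2020 09:00:00 +0000

Please find the numbers attached.

From bob@example.test Mon Oct 19 10:15:00 2020
From: Bob <bob@example.test>
To: Alice <alice@example.test>
Subject: Re: Quarterly figures
Message-ID: <msg-0002@example.test>
Date: Mon, 19 Oct 2020 10:15:00 +0000

Looks fine to me.
"""
# Constructed .emlx: byte-count line, RFC 822 message, then an XML plist (assumed layout).
EMLX_MSG = b"From: Bob <bob@example.test>\nSubject: Hello\n\nHi Alice.\n"
SAMPLE_EMLX = b"%d\n" % len(EMLX_MSG) + EMLX_MSG + b'<plist version="1.0"><dict><key>flags</key><integer>1</integer></dict></plist>'
FIELDS = ("From", "To", "Cc", "Subject", "Message-ID", "Date")

def index_mbox(path):
    box = mailbox.mbox(path, create=False)
    records = []  # one record per message: reportable headers plus a hash of the stored bytes
    for key in box.iterkeys():
        raw = box.get_bytes(key)  # message bytes as stored, without the "From " line
        rec = {f: box.get_message(key).get(f) for f in FIELDS}
        rec["sha256"] = hashlib.sha256(raw).hexdigest()
        records.append(rec)
    box.close()
    return records

def parse_emlx(data):
    # Split one .emlx file into its message object and its property-list dict.
    count_line, _, rest = data.partition(b"\n")
    return message_from_bytes(rest[:int(count_line)]), plistlib.loads(rest[int(count_line):].strip())

def index_sample():
    # Constructed input only: write SAMPLE_MBOX to a temp file and index it.
    with tempfile.NamedTemporaryFile(suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return index_mbox(fh.name)
```

The per-message SHA-256 lets an examiner re-verify each item against the acquired mailbox later; on a real acquisition, point index_mbox at a file under Library/Mail/[Mail Box] and parse_emlx at the files in its Messages folder.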

Nevertheless, to keep the process strictly forensic, email forensics tools like MailXaminer can be applied. Such a utility improves the investigation by providing a collective view of messages on a unified platform, with all metadata (the details associated with each message) retained in its original form. Forensic tools also speed up the examination of email artefacts, which further helps in sorting out evidence from them.

Forensic Examination of Apple Mail Using MailXaminer

MailXaminer works as an Apple Mail MBOX analyzer that serves as a standalone provision during the investigation of Mail.app message storage. The application offers a unified platform for reading MBOX files and their contents in detail. It also comes integrated with a range of investigation-friendly options such as Bulk Mailbox Processing, Multiple Views, Evidence Searching, and Extraction and Reporting in other formats. The sections below discuss these features of MailXaminer in detail:

Bulk Mailbox Processing
The MailXaminer software allows processing a huge amount of data for investigation. Users can add single files as well as bulk files by providing a CSV with the location paths of files or folders. The tool also supports a wide variety of email file types, including MBOX files produced by several web-based or desktop-based email clients.


Multiple Views of Evidential File
It provides multiple views of email files, exposing hidden artefacts within them. The tool offers 9+ preview modes such as Normal Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments, and Word Cloud. These preview modes help investigators view and analyze hidden information in the suspected files in order to extract evidence.


Evidence Searching
The email forensic tool lets users add their own filters to search for the required evidentiary data, and it also provides various built-in searches based on advanced algorithms. Search functions such as General Search, Proximity Search, Regular Expression, Stem Search, Fuzzy Search, and Wildcard Search are provided to filter out the required data. Users can also make use of logical operator searches (AND, OR, NOT).


Extraction and Reporting in Other Formats
The MailXaminer email forensic software provides an option to extract several kinds of reports in different file formats, helping the user categorize and extract evidentiary data in the desired format. The report types include Case Report, Keyword Report, Tag Report, Bookmark Report, etc. Users can also select the fields they want displayed in the report, such as To, From, Cc, Subject, Body, Mail ID, etc.


Final Verdict

The Apple Mail application stores emails in the .mbox file format. MBOX is a text-based file type with a standard structure for arranging its data. The MailXaminer email forensic software comes with the standard provisions, principles, and prerequisites of an investigation. With this utility, working on MBOX files is relatively convenient for investigators looking to examine hidden artefacts.