Contact Us    Webinars   
Blog

A Brief Guide to Perform Email Forensics in Outlook Mac OLM File

Creative Team | June 7th, 2016 | Forensics
With the increasing rate of digital crimes associated with several email clients, need of forensics investigation of both desktop and web-based mailboxes used by the suspects has been raised tremendously. One of the email clients that are used for crimes is MS Outlook that is available for both Windows and Mac systems. In the blog, we will be studying how investigators can perform the Email Forensics of OLM file associated with Outlook for Mac system.

Need of Outlook for Mac Forensics

Development of email clients has provides ease for communication with multiple users across the globe, but it has also contributed to the crimes by misuse of the same platform. Outlook for Mac is mostly used for business purpose as it allow users to setup server-based rules of MS Exchange and integrate with Lync (Skype for Business) that are used in many large-scale associations. That is why, there is a high chance of Mac Outlook being involved in cyber-based criminal acts like illegal sharing of confidential data, theft of intellectual property, identity theft etc. Suspects using Outlook for Mac for the criminal acts often have false belief that when an email message is deleted from the account, it cannot be restored. However, the advanced techniques used by forensic teams can help in recovery of corrupt/deleted emails to ensure that the evidences are retrieved. Forensics analysis for Mac Outlook has become a matter of high concerns for reaching out to the suspects and presenting evidences against the suspects to provide justice to the victims.

In-depth Analysis of Outlook for Mac

Considering the aspects of the investigation teams, firstly it is very much necessary to understand the structure of the data file on which they need to analyze and excogitate ways to carry out forensic investigation. The emails, contacts and other data items associated with Mac Outlook profile are stored in the system under the local directory path:

Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/..

1

Mac for Outlook 2011 and 2016 has been designed to list its user profiles under Main Identity. Single Identity can have one or more email accounts associated with it. Identity stores all the emails, contacts, calendar entries etc. under Data Records folder. The only file format that can be used for archiving our Mac Outlook data is OLM file i.e., Outlook for Mac Data File.

Contents of Outlook for Mac Profile are as follows:

 DATA RECORDS

As stated above, Identities are used in Outlook for Mac system and it contains a directory called Data Records containing all the data items or files of the particular Outlook profile. Multiple file directories are present under this folder such as Calendar attachments, contacts, messages, message source etc.

– nK DIRECTORY

When the Messages folder inside Data Records directory is opened, we can see many other folders before reaching to the main message in the format of nK directory. Here, n defines the sequence and K is used to denote thousand according to the default naming convention used by Microsoft for naming folders such as T – Trillion; B – Billion; M – Million and K – Thousand.

2

– MESSAGE SOURCE

It contains the most important part of the content as far as Forensics investigation is concerned.  Message source stores the email content located under Data Records Directory. These files are present with the extension (.olk14MsgSource) containing message in plain text ASCII, Unicode or both formats. In order to access the message Source, we will select the message and right-click on it and choose ‘View Source’

 3

Message Source of the Email in Outlook for Mac looks like this:

4

– OLK14MESSAGE

It consists of email file with header portion and not the whole body content. It is used for the purpose of preview of emails by the client while they are browsing. A local copy of the email of the message is created when they are downloaded.
The collected email data from the suspect’s Outlook OLM file can be compiled together. The resultant information can be studied manually or with the help of forensic tools. Message Source contains many details about the Email and related data in terms of forensics can be extracted like important information related to the message like sender details, IP address, receiver details, MIME version, message ID, date etc.

Observation

The blog has been aimed to understand the need of forensic analysis associated with email clients like Outlook for Mac. The in-depth investigation on the Outlook for Mac OLM file has been described after analyzing the contents of the OLM file used by the suspect. Several investigation tools are available in the market to resolve criminal acts, one of which is MailXaminer that allows deep examination of the emails of Mac Outlook. However, it is always recommended to study about the reliability and working of the tool before using it.