A Brief Guide to Perform Email Forensics in Outlook Mac OLM File

MailXaminer | October 23rd, 2020 | Forensics

Nowadays, as the rate of digital crimes associated with several email clients is increasing rapidly, the need for forensics investigation of suspected mailboxes has also been tremendously increased. One of the widely used email clients which are also targeted by cybercriminals is MS Outlook. It is available for both the operating systems i.e., Windows and Mac systems. In this write-up, we are going to discuss “how investigators can perform the email forensics of OLM file associated with Outlook for Mac system?”

What is the Need for Outlook for Mac Forensics?

Development of advanced features within the updated versions of email clients has provided ease for communication across the globe. On the other hand, it is also increased the number of cybercrime attacks. Outlook for Mac is widely using for business purposes within organizations. It allows users to setup server-based rules for MS Exchange and integrates with Lync (Skype for Business) using in many large-scale associations. This is because there is a high chance of Mac Outlook being involved in cyber-based criminal activities like illegal sharing of confidential data, theft of intellectual property, identity theft, etc.

Nowadays, cybercriminals are using Mac Outlook for illegal activities, often there exists a false belief that a deleted email message from Outlook cannot be restored. However, advanced inbuilt techniques in forensic tools help examiners in the recovery of deleted email data to ensure the retrieval of evidence. Forensic analysis of Mac Outlook has become a matter of high concern to reach suspected facts and evidence against the accused to provide justice to victims.

Manual Techniques for In-depth Outlook for Mac Analysis

Considering the aspects of investigation teams, firstly it is necessary to understand the structure of Outlook data files. These files are primarily needed to analyze and study to carry out the forensic investigation. The location path of Mac for Outlook data files in the user’s system is varied from one version to another. Mac Outlook 2011 is different from other versions because it archives data files in OLK14msg file format.

The emails, contacts and other data items associated with Mac Outlook 11 profile are stored in the user’s system under the local directory path, as follows:

“Documents/Microsoft User Data/Office 2011 Identities/Main Identity/Data Records/..”

Perform Email Forensics in Outlook Mac OLM

Mac for Outlook lists its user profiles under the folder “Main Identity”. Single identity can have one or more email accounts associated with it. Identity stores all the emails, contacts, calendar entries etc. under the “Data Records” folder. The only file format that can be used for archiving Mac Outlook data is OLM file i.e., Outlook for Mac Data File.

Contents of Outlook for Mac Profile are as follows:

– DATA RECORDS
As stated above, Identities are used in Outlook for Mac system and it contains a directory called “Data Records” containing all the data items or files of the particular Outlook profile. Multiple file directories are present under this folder such as Calendar attachments, contacts, messages, message source etc.

– nK DIRECTORY
When the Message folder inside the “Data Records” directory is opened, users can see many other folders before reaching the main message in the format of the nK directory. Here, n defines the sequence, and K is used to denote thousand according to the default naming convention used by Microsoft for naming folders such as T – Trillion; B – Billion; M – Million and K – Thousand.

nK DIRECTORY

– MESSAGE SOURCE
It contains the most important part of the content as far as forensics investigation is concerned. Message source stores the email content located under the “Data Records” directory. These files are present the extension (.olk14MsgSource) containing message in plain text ASCII, Unicode, or both formats. In order to access the message Source, select the message and right-click on it and choose ‘View Source’

MESSAGE SOURCE

Message Source of the email in Outlook for Mac looks like this:

View Source of Mac OLM File

– OLK14MESSAGE
It consists of email file header portion, but not the whole body content. It can be used to properly analyze and investigate emails. A local copy of the email message is created when they are downloaded. Message Source contains many details about the email and related data in terms of forensics. It can be used to extract the important information related to the message like sender details, IP address, receiver details, MIME version, etc.

The collected email data from the suspect’s Outlook OLM file can be compiled together. The resultant information can be studied manually or with the help of an efficient Email Forensics Tool like MailXaminer.

Outlook Mac OLM File Forensics Using MailXaminer

MailXaminer is efficient email forensic software, containing a wide variety of powerful advanced features. The tool provides multiple functionalities like search mechanisms based on algorithms, recover deleted data, multiple preview modes of emails and attachments, export evidential files, and many more. Using these advanced features, forensic examiners can analyze Outlook OLM files to search for the evidence. Further, we will discuss the process of investigation and searching for evidence in OLM data files using MailXaminer software.

Step 1: At first, users need to add the suspected file into the software to start the examination process. For this, select the “Add Evidence” tab. An “Add File” pop-up window will open, now select the file type and “Browse” the location of file from the system. Then, click on “Add” button

Add Evidence

Step 2: Now, under the “Emails” tab of the “Mails” section, users can view all the email data files including recovered deleted files in red color

Emails

Step 3: MailXaminer software provides an option to preview selected email files in multiple preview modes that will help the user diligently analyze the data. For this, just select the email files and right click. Then, choose “Preview” option from the list

Perform Email Forensics

Step 4: It provides different preview modes such as Normal mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments, and Word Cloud. Using these different views of emails, investigators can extract hidden data and search the evidence from email files

Normal mail, Hex, Properties, Message Header, MIME, etc.

Step 5: Under the “Attachments” tab of the “Media” section, one can view all the attachments from the scanned email files in a list without opening the whole message

Attachment Forensics

Step 6: MailXaminer also provides an option to export the evidence report in any desired file format. To export the files from the software, just select files, and then click on “Export”. An “Export Options” pop-up window will open, now select the desired “Output Format” and “Destination Location” to save the export file at the desired location. Then, click on “OK”.

Email Forensics in Outlook Mac OLM File

Observation

The blog has aimed to understand the need for forensic analysis associated with email clients like Outlook for Mac. The in-depth investigation on the Outlook for Mac OLM file has been described after analyzing the contents of the OLM file used by the suspect. Several investigation tools are available in the market to resolve cyber-criminal acts. MailXaminer is an efficient utility that allows deep examination of the emails of Mac Outlook. It has the ability to analyze email data files systematically and extract evidence from the files in a hassle-free way.