Outlook Express Email Forensics

Creative Team | February 17th, 2015 | Forensics

Outlook Express is an email client packaged with Windows XP version and one with the option to manage various POP and IMAP accounts. With it one can compose and receive rich HTML emails. Alike to other email clients, Outlook Express also stores all the emails in the local machine. In other words, we can say that Outlook Express overall offers all the traditional services offered by an email client.

The escalation of a new technology has always led to increase in the risk of commitment of a crime. Some illegitimate uses of email clients can be observed in cases such as phishing, bullying, disclosure of confidential information, IP theft and child pornography. From Outlook Express email forensics  point of view, the offenders in various scenarios have a common perception that the activities performed by them remain anonymous on the internet. But this is not the true side of the story. Forensic Investigators equipped with suitable tools and techniques with a high degree of accuracy in a timely fashion forward the evidences to prove the culprit guilty in a lawsuit.

Instigating Storage Folder Of Outlook Express

All the Outlook Express mail folders and messages, local IMAP folders and settings are stored in one folder designated as Store root folder in store root directory. The default location of this directory is:

C:\Documents and Settings\<User>\Local Settings\Application Data\Identities\Microsoft\Outlook Express


Forensic Analysis Of User Files Of Outlook Express

All the messaging information within the root directory is stored as a DBX (.dbx) file. These DBX files are of utmost importance in forensic analysis as it is the file that originally stores all the data of Outlook Express, i.e. emails.


The different DBX files which store data of Outlook Express are:

  • Deleted Items.dbx

Stores all the messages deleted from any folder. This file helps in retrieving mails deleted from any email folder by a culprit in order to hide illegal actions carried out.

  • Drafts.dbx

Messages which were initiated but were not finished or sent are stored in drafts.dbx file. This folder may prove helpful in retrieving the information saved in the unsent form.

  • Folders.dbx

This is the master index file of Outlook Express and is essential in order to run Outlook Express. The folder should be handled with great caution as mishandling or mail structure corruption may lead to loss of vital information including; newsgroups and emails.

  • Inbox.dbx

It is the account holder’s inbox which stores all the incoming mails. Information carved out from the inbox.dbx file is very crucial as it reveals the contacts and emails of users that the culprit has interacted with.

  • Offline.dbx

This file exists on systems where a webmail services like Hotmail and IMAP have been configured. It stores the actions or tasks carried out while the user remained offline.

  • Pop3uidl.dbx

This file tracks down the mails saved on the POP3 mail server. The forensic analysis of this folder may reveal mails which have been deleted from the inbox and deleted items folder as well.

  • <Name>.dbx

This file is used to represent user created folders and emails stored in it. If the size of the file exceeds 2MB limit, forensic investigators might need to carry out recovery of the data as it may get corrupted.

  • Sent Items.dbx

Mail sent by the default user gets stored in the sent items.dbx file. Alike other files this also proves to be a strong evidence in forensics uncovering the conversation from the account holder’s end.

Anatomy Of Binary Structure Of DBX Files

While examining the DBX file in its raw format by, either using a disk utility or carving tool, the traditional hexadecimal structure of the DBX files is analyzed.

  • Header: The header or file signature starts with hexadecimal and is CF AD 12 FE (0XCF 0XAD 0x12 0XFE)
  • Content Class Identifier (CLSID): Header is followed by a file function identifier, CLSID that identifies the type of DBX file it is. It is basically a string at the beginning of files which is used to define the file in operating system.


Analysis Of Binary Structure Of Outlook Express Emails

The detailed analysis of emails in Outlook Express is usually carried out by studying their binary structure. The investigators study these artifacts and bring forward the various alterations, if any, done to the emails. The email structure of DBX files consist of the following components:

  • The data Header is of 16 Bytes
  • The data block is of 512 Bytes
  • The data in Emails of .dbx files is not contiguous.
  • The attachments with emails are in Base64 encoding.
  • The data is split by blocks of 16 bit data.


Further analysis of 16 Byte Header Block, which divides the data blocks in the emails of Outlook Express, we come across 4 subdivisions (4 byte each) of the header. These are:


Changes In Binary Struture When Mail Is Deleted

  • In Header Block

The 0x0200/ 0x01fc block and Data Block Length is updated to show deletion.

  • In Data Block

First 4 bytes are overwritten when a mail is deleted which can be checked for to verify if any email has been deleted.


To carry out a thorough and deep analysis of the mails in Outlook Express, it is necessary to know where to start from.  Collection and observation of artifacts at an optimum level is not possible to carry out without the help of professional tools. One such tool is MailXaminer, an email forensics tool. MailXaminer streamlines your efforts so that you can focus more time on the interpretation of collected artifacts rather than wasting your time with manual procedures. With it the forensic examiners can deeply analyze the header of the emails and view the emails in multiple views like HTML, MIME, RTF, etc., revealing inner details that are otherwise not visible on the frontend. MailXaminer is also fortified with Skin Tone Analysis feature that discovers any/all obscene images exchanged via emails (even as attachments) in crimes like child pornography.