MS Outlook MSG File Analysis in a Digital Forensic Tool

MailXaminer | January 23rd, 2019 | Forensics

Microsoft Outlook is a widely used desktop email client. It is also known as a personal information manager because it combines a calendar, task manager, contact manager, note taking, journal and web browsing with email management. It uses PST (personal storage table) and OST (offline storage table) files to store its data; both formats hold the entire mailbox in a single file as continuous data. Another file format used by MS Outlook is MSG.

The MSG file extension is used to store a single email message outside Microsoft Outlook's personal storage database. An MSG file contains the information belonging to that single message: sender, receiver, date, subject, message body, hyperlinks, attachments, etc. An Outlook MSG file can be created simply by dragging and dropping an email message, task, contact or appointment from Outlook into any folder. The MSG format allows an individual email message to be shared without handing over the entire mailbox, which helps preserve the confidentiality of the rest of the mailbox data. Information saved as a single email file is also easy to work with.

The MSG format specifies five storage elements, each representing a component of the Message object. The storage elements are:

  • Recipient object storage
  • Attachment object storage
  • Embedded Message object storage
  • Custom attachment storage
  • Named property mapping storage

Properties of MSG file

The Outlook MSG file format includes all properties of the Message object stored in it. If the message contains any attachments, the properties of each Attachment object are also present in the MSG file.

1. PidTagStoreSupportMask

PidTagStoreSupportMask is the property that indicates whether the string properties in the MSG file are Unicode encoded. Only the STORE_UNICODE_OK flag is meaningful in it; all other bits are ignored.

2. Fixed Length Properties

Fixed length properties are those whose values, as a consequence of their type, all have the same length. The fixed length property types are:

  • PtypInteger32
  • PtypInteger16
  • PtypFloating32
  • PtypFloating64
  • PtypBoolean
  • PtypCurrency
  • PtypFloatingTime
  • PtypTime
  • PtypInteger64
  • PtypErrorCode

3. Variable Length Properties

A variable length property is one in which each instance of the property can have a different size. The variable length property types are:

  • PtypString
  • PtypBinary
  • PtypString8
  • PtypGuid
  • PtypObject

4. Multiple-Valued Properties

A multiple-valued property can have more than one value, but all values of the property must be of the same type. The value is stored in the file differently depending on whether the property is a fixed length multiple-valued property or a variable length multiple-valued property.
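As an added example (not MailXaminer's code and not part of the original post), the following Python maps the property types listed above onto the way an MSG file lays them out on disk: per the MS-OXMSG specification, each variable-length property gets its own `__substg1.0_<PID><TYPE>` stream, fixed-length values sit inline in the `__properties_version1.0` stream, and the multiple-valued flag is bit 0x1000 of the type word. The sample property stream is constructed inline; reading the streams out of a real file's OLE compound container (for example with olefile) is assumed and not shown.

```python
import struct
# Property type codes (MS-OXCDATA), labelled with the Ptyp names used above.
FIXED = {0x0002: "PtypInteger16", 0x0003: "PtypInteger32", 0x0004: "PtypFloating32",
         0x0005: "PtypFloating64", 0x0006: "PtypCurrency", 0x0007: "PtypFloatingTime",
         0x000A: "PtypErrorCode", 0x000B: "PtypBoolean", 0x0014: "PtypInteger64", 0x0040: "PtypTime"}
VARIABLE = {0x000D: "PtypObject", 0x001E: "PtypString8", 0x001F: "PtypString",
            0x0048: "PtypGuid", 0x0102: "PtypBinary"}
FORMATS = {"PtypInteger16": "<h", "PtypInteger32": "<i", "PtypFloating32": "<f", "PtypBoolean": "<?",
           "PtypFloating64": "<d", "PtypFloatingTime": "<d", "PtypErrorCode": "<I", "PtypTime": "<Q"}
MULTI_VALUED = 0x1000            # set in the type word of a multiple-valued property
PID_STORE_SUPPORT_MASK = 0x340D  # PidTagStoreSupportMask, a PtypInteger32
STORE_UNICODE_OK = 0x00040000    # the only bit of that mask an MSG reader honours

def describe_type(ptype):
    """Return (Ptyp name, 'fixed'|'variable'|'unknown', multi-valued?) for a type word."""
    base = ptype & ~MULTI_VALUED
    kind = "fixed" if base in FIXED else "variable" if base in VARIABLE else "unknown"
    return FIXED.get(base) or VARIABLE.get(base) or hex(base), kind, bool(ptype & MULTI_VALUED)

def parse_substg_name(stream_name):
    """Split a variable-length property stream name '__substg1.0_<PID><TYPE>' into its ids."""
    if not stream_name.startswith("__substg1.0_"):
        raise ValueError("not a property stream: " + stream_name)
    tag = stream_name[12:20]
    return int(tag[:4], 16), int(tag[4:], 16)

def parse_properties_stream(data, header_len=32):
    """Walk a top-level __properties_version1.0 stream: header, then 16-byte entries of
    tag (type word low, property id high), flags and an 8-byte value field."""
    props = {}
    for off in range(header_len, len(data) - 15, 16):
        tag = struct.unpack_from("<I", data, off)[0]
        ptype, pid = tag & 0xFFFF, tag >> 16
        name, kind, multi = describe_type(ptype)
        if kind == "fixed" and not multi:   # value is stored inline in the entry
            value = struct.unpack_from(FORMATS.get(name, "<q"), data, off + 8)[0]
        else:   # only the size is here; the bytes live in the matching __substg1.0_ stream(s)
            value = ("size", struct.unpack_from("<I", data, off + 8)[0])
        props[pid] = (name, value)
    return props

def strings_are_unicode(props):
    """STORE_UNICODE_OK decides whether PtypString streams hold UTF-16LE or 8-bit text."""
    return bool(props.get(PID_STORE_SUPPORT_MASK, (None, 0))[1] & STORE_UNICODE_OK)

# Constructed sample: 32-byte header (recipient count 1), PidTagStoreSupportMask with
# STORE_UNICODE_OK set, then a PidTagSubject (0x0037, PtypString) entry 42 bytes long.
SAMPLE = (b"\x00" * 8 + struct.pack("<IIII", 0, 0, 1, 0) + b"\x00" * 8
          + struct.pack("<IIq", 0x340D0003, 0x6, STORE_UNICODE_OK)
          + struct.pack("<IIII", 0x0037001F, 0x6, 42, 0))
```

`parse_properties_stream(SAMPLE)` yields the support mask and the subject's size, and `strings_are_unicode` on that result tells the examiner how to decode the subject's substg stream.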

Extraction And Analysis Of Evidence From Outlook MSG File Format

During a digital forensic investigation, MailXaminer also provides the option to search and analyse MSG files without using MS Outlook. Follow the steps below to analyse an Outlook MSG file and extract evidence from it.

Add MSG File

Use the Add Evidence option in MailXaminer to add the MSG file type for email data analysis. Then choose MSG (*.msg) and browse to the suspect MSG data file.

Examine MSG Data With Different View Option

To examine and analyse the Outlook MSG file, MailXaminer provides different views such as Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF and Attachments. Each view presents different information about the email data.

Advance Search Option In MailXaminer

For fast analysis of the MSG file format, the tool provides search mechanisms such as General Search and Proximity Search. It also supports the logical operators AND, OR and NOT, and search algorithms such as Wildcard Search, Stem Search, Fuzzy Search and Regular Expression Search, to perform an advanced search over MSG file data.

Export option

After finding the specific evidence in the MSG file, MailXaminer allows the resulting evidence to be selectively exported into various file formats such as PDF, EML, MSG and HTML.

Conclusion

MSG is the file extension used by Microsoft Outlook to store single email messages outside Outlook's personal storage database. It is also a reliable format for securely sharing individual email messages instead of the entire mailbox. Use the digital forensic tool MailXaminer to examine the Outlook MSG file format; it helps the investigator search for and extract the evidence stored in it.