Windows Live Mail Forensics to Search Evidences Inside EML Files

MailXaminer | September 18th, 2020 | Forensics

To begin with Windows Live Mail forensics and the forensics of its EML file format, we first need to understand how Windows Live Mail actually stores emails on Windows.

Windows Live Mail (a component of the Windows Essentials Suite) is one of the most widely used freeware email clients, with more than 280 million active accounts. WLM (Windows Live Mail) manages multiple email accounts, calendars, contacts, and other data items. Windows Live Mail supports POP3 (Post Office Protocol) and IMAP (Internet Message Access Protocol) for incoming mail and SMTP (Simple Mail Transfer Protocol) for outgoing mail.

File Formats & Locations of Windows Live Mail Data Files

In Windows Vista, the Microsoft Outlook Express email client was replaced by Windows Live Mail. It is built into most PCs running Windows 7, at the location “C:\Program Files\Windows Mail”. All email messages in Windows Live Mail are stored as “.eml” files, along with folder tree information.

The same location also holds the additional information Windows Live Mail needs to display email data. Apply the following options to make hidden folders and file extensions visible:

Control Panel > Folder Options > View > Show hidden files and folders

Control Panel > Folder Options > View > Hide extensions for known file types (uncheck it)

The default locations of Windows Live Mail data in different Windows versions are as follows:

Windows XP: –

C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail

Vista or Windows 7: –

C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail

Windows 8: –

C:\Users\[UserName]\AppData\Local\Microsoft\Windows Live Mail

From the above description, investigators can easily find the location of the .eml files on different operating systems. From an investigative standpoint, examiners must also know that Windows Live Mail stores its contact database in the contacts.edb file.

Modes of Operation for Contact Database

Windows Live Mail provides two modes of operation for the contact database: –

  • Default (Offline) mode – No sign in to Live ID
  • Live ID (Online) mode – Live ID Sign in to Windows Live

Windows Live Mail can be operated in one mode at a time. Contacts are unique for each mode when viewed in WLM.

Contact Database File in WLM

  • Windows Live Mail stores all of its Contact databases in a single file called “contacts.edb”.
  • Each mode in WLM should have a unique “contacts.edb” file (same name, different location).
  • Each Live ID used in Live ID (Online) mode must have a unique “contacts.edb” file.
  • The contacts.edb file for Default (Offline) mode is stored in a hidden sub-folder called DBStore. To view the DBStore folder, users have to configure Windows Explorer to “Show hidden files/folders and protected operating system files”.

The Location of DBStore Folder

WLM 2011 (Pre QFE3 Version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.4\DBStore

WLM 2011 (QFE3 Version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.5\DBStore

Note: – The Default DBStore folder is a hidden sub-folder inside the “15.5” folder.

The Location of DBStore Folder in Live ID (Online) Mode

WLM 2011 (Pre QFE3 Version) – Windows 7 or Vista

C:\Users\(username)\AppData\Local\Microsoft\Windows Live\Contacts\(Live ID)\15.4\DBStore

WLM 2011 (QFE3 Version) – Windows 7 or Vista

C:\Users\(username)\AppData\Local\Microsoft\Windows Live\Contacts\(Live ID)\15.5\DBStore

Forensically Retrieve Corrupted or Deleted EML Files

Nowadays instant messengers, social networking sites and email are the major carriers of information, and email in particular is used by corporations for professional communication. The loss of such information, accidental or otherwise, can therefore cause real inconvenience to users. To soften such situations, Windows Live Mail comes with a “Deleted Items” folder, which holds items deleted from any mail folder of the client. However, cases involving hard deletion of emails are not handled well by the client. Nevertheless, permanently erasing or deleting email messages does not mean they are gone forever; they can still be recovered forensically.

Forensic tracing of email means retrieving information from mailbox files for analysis. To do so, we must first know the file extension of the emails and the technicalities related to it. In the case of Windows Live Mail, the file extension is .eml, and further information can be examined using forensic techniques.

Analysis of Windows Live Mail (EML) File Using MailXaminer

MailXaminer, a forensic email analysis tool, can examine and analyze EML files through several views: Mail View for normal email body examination, Hex View for the hexadecimal representation, Properties of the email file, Message Header analysis, MIME View, Email Hop, HTML View, RTF View and Word Cloud visualization. These multiple view modes help identify any kind of manipulation in the uploaded data file.

Attachments are often important digital artefacts. The user-friendly interface of the software enables a quick review of embedded attachments in Attachment View. With the help of MailXaminer, the investigator can dig deeper to find potential evidence in the EML files.

Mail View
In normal Mail View, the header area shows the From, To, Cc, Bcc, Subject, Tag and Attachment(s) details of the message. The body area shows the text and images of the email.

Hex Mode
Hexadecimal examination in Hex View exposes the raw bytes behind the message structure. These values make the investigation easier to understand and assist in investigating crimes such as email fraud.

Properties
Properties of the EML email files can be viewed clearly in this preview mode. It helps investigators to extract the hidden information of the email files such as Message-ID, Body Details, Message Flags, etc.

Message Header View
Message Header analysis gives the information needed to track emails. It also helps to find the original sender’s IP address, MIME version, X-Priority, Message-ID, Content-Type, etc.

MIME View
The MIME View shows the inner structure of any SMTP mail. In this view, the user can easily check suspected email artefacts.

Email Hop
In this view, one can analyze the path the email has traversed, including gateways, routers and switches. It helps forensic examiners find clues by tracking the route through which the email has passed.
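The Message Header View and Email Hop views above work from the same header fields. As an added example that is not part of the original post and not MailXaminer's own code, the following Python (standard library only) pulls those fields from a constructed EML, reconstructs the hop path from the Received headers in travel order, and checks that the chain of relays is internally consistent:

```python
import re
import email
from email import policy

# Constructed sample EML (not a real message); hosts and addresses are placeholders.
SAMPLE_EML = b"""\
Received: from mx.example-receiver.test (mx.example-receiver.test [192.0.2.10])
\tby mailstore.example-receiver.test with ESMTP id abc123;
\tFri, 18 Sep 2020 10:02:15 +0000
Received: from sender-host.example-sender.test ([198.51.100.25])
\tby mx.example-receiver.test with ESMTP id xyz789;
\tFri, 18 Sep 2020 10:02:10 +0000
From: Alice <alice@example-sender.test>
To: Bob <bob@example-receiver.test>
Subject: Quarterly figures
Message-ID: <20200918100200.1234@example-sender.test>
X-Priority: 1
Content-Type: text/plain; charset="utf-8"

Please find the figures attached.
"""

HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)
FIELDS = ("From", "To", "Subject", "Message-ID", "X-Priority", "Content-Type")


def header_summary(raw):
    """Header fields an examiner checks first, as plain strings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {name: str(msg.get(name, "")) for name in FIELDS}


def email_hops(raw):
    """Relay path from the Received headers, in the order the message travelled.
    Each relay prepends its own Received line, so the topmost one is the final hop."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # unfold and squeeze whitespace
        m = HOP_RE.search(text)
        date = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({"src": m.group("src") if m else "?",
                     "dst": m.group("dst") if m else "?", "date": date})
    return hops


def chain_is_consistent(hops):
    """True when each relay's 'by' host matches the next hop's 'from' host;
    a break suggests a forged or stripped Received header worth reporting."""
    return all(a["dst"] == b["src"] for a, b in zip(hops, hops[1:]))
```

Only the Received lines added by servers you trust are reliable; anything below them was supplied by the sender and should be treated as a claim, not a fact.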

HTML View
This view helps examiners perform content analysis by examining the internal script or HTML code of the email data file.

RTF View
Rich Text Format helps the investigator view the data in its original text format, with the actual fonts and formatting used in the RTF editor. Moreover, emails composed in the RTF editor use a different encoding type, which can be viewed in this mode.

Attachment View
In this mode, a user does not need to open the entire message to view the attached file. This view provides direct access to the attachment of selected email files without opening emails individually.
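To show what an attachment inventory of the kind described above involves, here is an added Python example (standard library only, not MailXaminer's code) that builds a constructed two-attachment message, then lists every attachment with its declared type, size and SHA-256 for the evidence log, and flags attachments whose declared MIME type disagrees with what the filename implies:

```python
import email
import hashlib
import mimetypes
from email import policy
from email.message import EmailMessage


def build_sample_eml():
    """Constructed multipart message with two attachments (not a real email)."""
    msg = EmailMessage()
    msg["From"] = "alice@example-sender.test"
    msg["To"] = "bob@example-receiver.test"
    msg["Subject"] = "Quarterly figures"
    msg.set_content("Please find the figures attached.")
    msg.add_attachment(b"year,revenue\n2019,100\n2020,120\n",
                       maintype="text", subtype="csv", filename="figures.csv")
    # Declared as a generic binary blob although the name claims a PDF.
    msg.add_attachment(b"%PDF-1.4\n% placeholder bytes, not a real PDF\n",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf")
    return msg.as_bytes()


def list_attachments(raw):
    """Inventory every attachment straight from the EML: name, declared MIME
    type, size, SHA-256 for the evidence log, and whether the declared type
    disagrees with what the filename extension implies."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    items = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""   # transfer-decoded bytes
        name = part.get_filename() or "(unnamed)"
        declared = part.get_content_type()
        implied = mimetypes.guess_type(name)[0]
        items.append({"filename": name, "content_type": declared,
                      "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(),
                      "type_mismatch": implied is not None and implied != declared})
    return items
```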

Word Cloud
This is one of the highlighted features introduced in the latest version of the tool. Word Cloud provides a visual representation of the words and phrases contained in the email data, displayed in different colors and sizes. The size of a word is proportional to its frequency: larger words occur more often, smaller words less often. This view helps investigators gain a quick insight into the content of an email file.

Export and Save Evidences

A forensic analyst should always document the stages of the investigation that led to the evidence relevant to the case. This allows the examiner to present the investigation process accurately before judicial authorities. After searching for evidence within the EML files, the last stage of the email investigation process is “Reporting”. It is done by exporting the case data and the evidence extracted from the examined EML files into legally accepted file formats such as MSG, PDF, Concordance, etc., which supports the judicial proceedings.

MailXaminer allows exporting the evidence report in multiple file formats. Users can select any of the available formats and save the evidence report to any desired destination on the system.

Conclusion

In this write-up, we have discussed Windows Live Mail, its supported file formats and their locations. We have also recommended an email forensic tool that can examine .eml files in different views for better analysis. The goal of MailXaminer is to extract sufficient evidence to allow the perpetrator to be successfully prosecuted. MailXaminer is a fast, accurate and easy to use email forensic software solution.