Windows Live Mail Forensics — Explained

Creative Team | October 21st, 2014 | Forensics

To begin with Windows Live Mail forensics, or EML file forensics, we first need to understand how Windows actually stores emails in Windows 7 and earlier versions.

Windows Live Mail (a component of the Windows Essentials suite) is one of the most widely used freeware email clients, with more than 280 million active accounts. WLM (Windows Live Mail) efficiently manages multiple email accounts, calendars, and contacts. It supports Post Office Protocol (POP3) and Internet Message Access Protocol (IMAP) for incoming mail and Simple Mail Transfer Protocol (SMTP) for outgoing mail.

In Windows Vista, Windows Live Mail replaced the Microsoft Outlook Express email client. It is built into most PCs running Windows 7, in the hidden folder “C:\Program Files\Windows Mail”. All email messages are stored as “.eml” files, along with folder tree information and the other data that Windows Live Mail requires to display the stored messages.

To view hidden folders and file extensions, configure the operating system as follows:

Control Panel > Folder Options > View > Show hidden files and folders

Control Panel > Folder Options > View > Hide extensions for known file types (uncheck it)


Location of Windows Live Mail:

Windows XP:

C:\Documents and Settings\UserName\Local Settings\Application Data\Microsoft\Windows Live Mail

Vista or Windows 7:

C:\Users\UserName\AppData\Local\Microsoft\Windows Live Mail

Windows 8:


From the above description, an investigator can easily locate the .eml files on each operating system. From an investigative standpoint, the examiner should also know that in Windows Live Mail the contact database is stored in the contacts.edb file.

Windows Live Mail provides two modes of operation for the contact database:

• Default (Offline) – no sign-in to Windows Live
• Live ID (Offline) – sign-in to Windows Live

Windows Live Mail operates in one mode at a time, and each mode has its own set of contacts when viewed in WLM.

Database Name and Location:

• Windows Live Mail stores all of its Contact databases in a single file called “contacts.edb”.

Location: C:\Users\Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.4\DBStore\contacts.edb

• Each mode in WLM has its own “contacts.edb” file (same name, different location).
• Each Live ID used in Live ID mode also has its own “contacts.edb” file.

Default (Offline) Mode:

The contacts.edb file for Default (Offline) mode is stored in a hidden subfolder called DBStore. To view the DBStore folder, the examiner should configure Windows Explorer to “Show hidden files/folders and protected operating system files”.

The location of the DBStore folder:

• WLM 2011 (Pre-QFE3 version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.4\DBStore

• WLM 2011 (QFE3 version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.5\DBStore

Note: The Default DBStore folder is a hidden subfolder of the “15.5” folder.

The location of the DBStore folder in Live ID (Offline) mode:

• WLM 2011 (Pre-QFE3 version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Live ID\15.4\DBStore

• WLM 2011 (QFE3 version) – Windows 7 or Vista

C:\Users\Windows Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.5\DBStore

Forensic Analysis of Windows Live Mail (EML) File

Despite the rise of instant messengers and social networking sites, email is still a major carrier of information and is used in corporate environments for professional communication. Losing such information, accidentally or otherwise, can therefore cause serious inconvenience to the user. To soften such situations, Windows Live Mail provides a Deleted Items folder, which holds the items deleted from any mail folder of the client. However, the client does not handle hard deletion of emails well. Nevertheless, permanently erasing or deleting email messages does not mean they are gone forever; they can still be recovered forensically.

Forensic tracing of email is used to retrieve information from mailbox files. To do so, we must first know the file extension used for the emails and the technicalities related to it. In the case of Windows Live Mail, the file extension is .eml, and further information can be examined using forensic strategies.

Forensic email analysis tools give users the capability to examine and analyze an EML file through its various attributes: header analysis, normal email body examination, viewing the hexadecimal code, message header analysis, MIME view, email hops, and plain text view. These make it possible to identify any kind of manipulation in the database. Attachments frequently carry important digital artifacts, and the user-friendly interface of the software supports a concise investigation of embedded attachments. Using this tool, users can also search inside EML files.


In the Normal email body view, the header shows the From, To, Cc, Bcc, date, time, subject, and attachment details, and the body part shows the text and images of the email.

Hexadecimal code examination lays bare the structure of complicated binary values, which are otherwise hard to interpret whether they belong to text, videos, images, documents, etc. These values make the investigation easier to follow and help in judging crimes such as email fraud.

Message header analysis shows how to use the email header to trace back and find the original sender’s IP address, MIME version, X-Priority, Message-ID, and Content-Type.

MIME-Version 1.0: Indicates that this message uses the rules of MIME. “MIME-Version 1.0” is the only currently defined MIME-Version header value allowed.

X-Priority: The “X-Priority” header shows the urgency level of an email message; its value lies between 1 and 5.

Message-ID: Message-IDs are required to have a specific format, which is a subset of an email address, and to be globally unique.

MIME View: The MIME view presents the inner details of any SMTP mail. In this view the user can easily check the suspect email’s artifacts.
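As an added example (not part of the original article, and not MailXaminer code), the following standard-library Python pulls these header artifacts out of a .eml file: the envelope fields, MIME-Version, X-Priority, Message-ID, Content-Type, attachment names and the Received hop chain, taking the earliest hop's address as the (forgeable) origin indication and flagging values outside what the text describes. The sample message is constructed; all hosts, addresses and IPs are placeholders.

```python
import re
from email import message_from_bytes, policy
# Constructed sample .eml (not from a real mailbox); hosts and IPs are placeholders.
SAMPLE_EML = b"""Received: from mx.example.org (mx.example.org [203.0.113.5])
\tby mail.example.com with ESMTP id abc123; Tue, 21 Oct 2014 10:02:13 +0000
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby mx.example.org with SMTP; Tue, 21 Oct 2014 10:02:10 +0000
From: "Alice Example" <alice@example.org>
To: bob@example.com
Message-ID: <20141021100205.1234@example.org>
MIME-Version: 1.0
X-Priority: 1
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached report.
--b1
Content-Type: text/csv; name="report.csv"
Content-Disposition: attachment; filename="report.csv"

id,amount
--b1--
"""

def received_hops(msg):
    # Relays prepend Received, so reversed() is oldest-first: hop 0 is the (forgeable) origin.
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold continuation lines
        frm = re.search(r"\bfrom\s+(\S+)(?:\s+\([^)]*\))?", text)
        by = re.search(r"\bby\s+(\S+)", text)
        ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", frm.group(0)) if frm else None
        hops.append({"from": frm.group(1) if frm else None, "by": by.group(1) if by else None,
                     "ip": ip.group(0) if ip else None})
    return hops

def header_summary(eml_bytes):
    msg = message_from_bytes(eml_bytes, policy=policy.default)
    fields = ("From", "To", "Subject", "Date", "Message-ID", "MIME-Version", "X-Priority")
    s = {f: str(msg.get(f, "")) for f in fields}
    s["Content-Type"] = msg.get_content_type()
    s["attachments"] = [p.get_filename() for p in msg.iter_attachments()]
    hops = s["hops"] = received_hops(msg)
    s["origin_ip"] = hops[0]["ip"] if hops else None
    # Per the text, MIME-Version should read 1.0 and X-Priority fall within 1..5.
    s["flags"] = [f for f, ok in (("MIME-Version", s["MIME-Version"].startswith("1.0")),
                                  ("X-Priority", s["X-Priority"][:1] in "12345")) if not ok]
    return s
```

Run `header_summary(open("message.eml", "rb").read())` against a file from the WLM store; a hop whose "by" host does not match the next hop's "from" host, or a non-empty `flags` list, is where manual header review should start.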

Export and Save Evidence: In practice, a forensic analyst always keeps a record of their steps (modes of investigation) in order to substantiate them before judicial authorities. After searching inside the EML files, the last stage of an email investigation is “Reporting”, which is done by exporting the case data and the evidence extracted from the examined EML file into legally accepted file formats such as MSG, PDF, Concordance, etc., which benefits the judicial proceedings.

The goal of MailXaminer is to carve out sufficient evidence to allow the perpetrator to be successfully prosecuted. MailXaminer is a fast, accurate, and easy-to-learn email forensics solution. The software can comprehensively analyze the data of both desktop-based and web-based email clients.