
  • Webmail Forensics: Challenges, Techniques, and Investigation Tools

    Update on 29 Jan, 2025

    Webmail presents unique challenges for forensic investigations due to its cloud-based nature. Unlike traditional email clients that store messages locally, most webmail exists solely on servers operated by email service providers (ESPs). This lack of offline archives makes forensic analysis more complex unless the user has enabled offline storage via the POP or IMAP protocols. In such cases, emails can be retrieved from the user's email client using standard host-based forensic techniques. Otherwise, forensic investigators must rely on keyword searches, data carving, or legal requests to the ESP for email preservation and release.

    Challenges in Investigating Webmail
    One of the biggest hurdles in webmail investigations is identifying whether webmail is being used at all and determining which accounts belong to the target. Web browser forensics can help uncover email activity by analyzing:
    - Browser history and cached data
    - Auto-complete databases
    - Saved passwords (if legally permissible)
    - Regular expression searches for email addresses

    Techniques for Webmail Collection

    Google Takeout and Similar Tools
    Many service providers offer tools for users to download their own data, including:
    - Emails (stored in MBOX format)
    - Contacts, calendars, and bookmarks
    - Drive files, Chrome history, and passwords
    For forensic investigations, this method requires the target's credentials and, if enabled, their multi-factor authentication.

    IMAP Synchronization
    A simple yet effective way to collect webmail is through the IMAP protocol. This involves setting up an email client on a forensic workstation and synchronizing the target's mailbox. However, Outlook is not ideal for forensic collection because it modifies email headers, which can break DKIM and ARC validation. IMAP is widely used for collecting emails from providers that lack dedicated APIs, including:
    - Outlook.com
    - Hotmail
    - Yahoo Mail
    - iCloud
    - AOL Mail

    Forensic Email Collection Tools
    Several specialized tools streamline webmail forensic investigations:
    1. Magnet AXIOM
       - Supports cloud-based email collection from Google Workspace, Microsoft 365, iCloud, and more.
       - Uses API integration for forensic acquisition, requiring Super Admin privileges for enterprise accounts.
    2. Metaspike Forensic Email Collector (FEC)
       - Supports Microsoft 365 via Exchange Web Services, the Microsoft Graph API, and IMAP.
       - Captures Gmail, Google Workspace, and Microsoft webmail accounts.
       - Uses a unique Remote Authenticator to extract authentication tokens from a live system.
       - Provides IMAP server logs, useful for detecting message manipulation via internal sequence numbers and timestamps.
       https://www.metaspike.com/software/

    Legal Requests for Webmail Data
    Each major ESP and social media platform offers legal and law enforcement guides detailing how investigators can request user data. These documents, often restricted to law enforcement, provide valuable insights into:
    - Data retention policies
    - Available subscriber information
    - Logging details, such as the IP addresses used for account creation and access
    Similar legal resources exist for Google, Facebook, and Microsoft. Transparency reports from these providers give insight into the volume and nature of the legal requests they receive.

    Browser Artifacts
    Webmail services like Gmail, Yahoo Mail, and Outlook are often accessed through web browsers, leaving behind a wealth of forensic artifacts. These browser-based traces can provide valuable insights into user activity, making them a key source of evidence in digital investigations. Whether analyzing a potential email compromise or tracking user communications, forensic experts can uncover crucial details through browser history, cache, and memory analysis.

    The Role of Browser Artifacts in Webmail Forensics
    Since webmail is accessed through browsers, artifacts left behind in browser history, cookies, cache, and session data can reveal:
    - Webmail account names and providers: identifying which webmail services were used.
    - Email subject lines: some services, like Gmail, include the subject line of opened emails in the page title, making it easier to conduct deeper searches.
    - Folder structures and accessed emails: URL parameters and page titles often indicate which email folders were accessed (e.g., Inbox, Sent, Drafts, Trash).
    - Composed messages: identifying if and when new messages were composed can be crucial in cases of email compromise.
    - Search activity: users frequently search within their webmail, and these search terms can reveal important topics of interest or specific emails accessed.

    Analyzing Browser History and Cache
    Browser history is a primary source of forensic evidence, as it contains URLs, timestamps, and referrer data. Additionally, cached webmail data can contain valuable remnants, though modern dynamic web content has made these traces less common.

    A strategic approach is to filter browser cache files for relevant webmail domains and then manually examine them. JSON and XML formats are commonly used, so a viewer that supports these formats can help analyze extracted data. For instance:
    - Gmail cache files may contain a list of recent email contacts.
    - Yahoo Mail cache files have been found to store search terms used by the user, sometimes spanning multiple years.
    A common technique is to filter search results by keywords like "mail" to identify relevant artifacts. Zero-byte files, which are often present, can be ignored to streamline the investigation.

    Memory Analysis for Webmail Artifacts
    Capturing a system's memory can be one of the most effective ways to extract webmail data. While email content is rarely stored long-term in browser caches, it often remains in system memory while the session is active. Forensic tools like Magnet AXIOM (previously Internet Evidence Finder), Belkasoft, and AccessData specialize in carving webmail remnants out of memory images. These tools can recover:
    - Complete webmail messages
    - Email metadata
    - Session tokens and authentication data

    Webmail Forensics
    Arsenal Recon has developed an open-source tool called GmailURLDecoder, designed to extract and decode Gmail URLs from forensic output files. This tool can reveal embedded timestamps and other key information, making it a valuable asset for investigators.

    Conclusion
    Webmail forensics is an essential aspect of modern digital investigations. By leveraging browser artifacts, cache data, and memory analysis, forensic experts can uncover valuable insights into email activity. While dynamic web content has reduced the amount of recoverable data in browser caches, careful search techniques and forensic tools can still reveal critical evidence.

    ---- Dean ----

  • Microsoft 365: Content Search, Unified Audit Logs, and Extracting Logs for Investigations

    Updated on 29 Jan, 2025

    Microsoft 365 Purview Compliance Manager offers a powerful Content Search feature that allows organizations to search across emails, Teams chats, SharePoint, OneDrive for Business, and even Copilot usage. This tool is often the first stop when investigating emails and other online content.

    Key Features of Content Search
    - Extensive Search Scope: covers emails, Teams chats, SharePoint, OneDrive, and Copilot interactions.
    - Search Refinement: filter results based on keywords, email addresses, and other parameters.
    - Preview and Export: search results can be estimated, previewed, and ultimately exported.
    - Integration with eDiscovery: enables litigation holds and deeper investigative workflows.

    Microsoft Purview Licensing and Access
    The features available depend on the organization's Microsoft 365 license:
    - E5 License: access to Premium eDiscovery tools, including Advanced Audit Logging.
    - Lower-tier Licenses: access to Standard eDiscovery tools, which still provide audit log search capabilities.

    Exporting Mailboxes to .PST Format
    Microsoft 365 allows the export of mailboxes via Content Search. Once a search is completed, results can be exported in .PST format for emails, while SharePoint and OneDrive content is exported in native formats.

    Export Limitations
    - Maximum 2 TB of data per search per day.
    - Supports up to 100,000 mailboxes per export.
    - Individual .PST files are capped at 10 GB, with large searches split into multiple files.
    - A maximum of 10 exports can run simultaneously.
    To perform an export, the user must be assigned the eDiscovery Manager role.

    Unified Audit Logs (UAL) and Their Importance
    Microsoft 365 provides Unified Audit Logs (UAL) for tracking activity across Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD. These logs help security teams investigate potential threats and track attacker activities.

    Key Points About UAL:
    - Enabled by Default (since 2019): previously, logging had to be manually enabled for each user.
    - Retention Policy: 90 days by default; up to 1 year for Microsoft 365 E5 users. Azure AD logs are retained for 180 days (depending on the license).
    - Export Format: logs are exported in JSON format and can be processed using third-party tools for extended retention.

    Auditing and Logging
    Office 365 offers built-in auditing and APIs for Exchange Online, SharePoint Online, OneDrive for Business, and Azure AD. However, auditing is not enabled by default. Here's how you can enable auditing for a user via PowerShell:

        Set-Mailbox -Identity "Akash Patel" -AuditEnabled $true

    When enabling logging, not all actions are logged by default. You can chain commands to set all available logging options for mailbox owner actions across every user mailbox:

        Get-Mailbox -ResultSize Unlimited -Filter {RecipientTypeDetails -eq "UserMailbox"} | Set-Mailbox -AuditEnabled $true -AuditOwner "Create,HardDelete,MailboxLogin,Move,MoveToDeletedItems,SoftDelete,Update"

    What to Keep in Mind
    - Logging Limitations: logging in Office 365 has limitations, such as no logoff events and limited logging for non-admin accounts.
    - Log Retrieval Time: logs for SharePoint and OneDrive are typically available 15 minutes after the event, while Exchange Online and Azure AD logs may take between 30 minutes and 12 hours.

    One critical audit category is MailItemsAccessed, which logs when a user or attacker views emails. Initially restricted to admin users, it is now available for all tenants, though the rollout has been slow.

    Investigating Logs with PowerShell
    The Search-UnifiedAuditLog PowerShell cmdlet is a powerful tool for log analysis. The example below pulls one user's MailItemsAccessed events for a single day; the user ID is a placeholder, and ISO-format dates avoid the day/month ambiguity of culture-dependent date strings:

        Search-UnifiedAuditLog -StartDate 2025-01-29 -EndDate 2025-01-30 -UserIds akash.patel@example.com -Operations MailItemsAccessed

    Log Availability:
    - SharePoint & OneDrive logs: available ~15 minutes after events.
    - Exchange Online & Azure AD logs: may take 30 minutes to 12 hours to appear.

    Extracting Microsoft 365 Audit Logs Efficiently
    Extracting logs manually can be cumbersome due to limitations in Microsoft's interface. Fortunately, third-party tools simplify this process:

    Microsoft-Extractor-Suite
    I have written a detailed article on Microsoft-Extractor-Suite; it is enough to get you running and to understand how the tool works, together with a second tool, Microsoft-Analyzer-Suite, which helps with the investigation itself:
    Streamlining Cloud Log Analysis with Free Tools: Microsoft-Extractor-Suite and Microsoft-Analyzer-Suite
    https://www.cyberengage.org/post/streamlining-cloud-log-analysis-with-free-tools-microsoft-extractor-suite-and-microsoft-analyzer-su

    Hawk (PowerShell-Based Investigation Tool)
    (An article on this will follow.) GitHub link: Hawk - O365 Intrusion Analysis

    Final Thoughts
    Microsoft 365 Purview provides robust eDiscovery, search, and audit capabilities for compliance and security teams. Understanding how to leverage these tools effectively, alongside PowerShell and third-party utilities, can make investigations faster and more efficient. Ensure that audit logs are enabled and verify logging configurations to avoid surprises during critical incidents.

    ---- Dean ----

  • Leveraging Compliance Search in Microsoft Exchange for Email Investigations

    Microsoft Exchange offers powerful tools for searching, archiving, and reviewing emails. One of these tools, Compliance Search, is designed for eDiscovery but is equally effective for tracking suspicious emails, investigating malware incidents, or responding to security breaches.

    What is Compliance Search?
    Compliance Search first appeared in Exchange 2013. It provides a highly granular way to conduct email investigations by leveraging Exchange's built-in indexing system. This indexing allows for efficient searches across email contents, including attachments, subject lines, and metadata.

    For on-premises Exchange servers there is no limit to the number of mailboxes that can be searched, but each individual search is restricted to a maximum of 500 mailboxes and 50 GB of data. In Microsoft 365, different limits may apply.

    What Can You Search?
    - Email messages (including body text and metadata)
    - Attachments (except encrypted files or unsupported formats)
    - Contacts and calendar entries
    - Deduplication options (to avoid duplicate search results)

    Compliance Search in Action
    The following creates a search named "Legal Case 280" over the "Operations" mailbox location for messages matching both keywords. New-ComplianceSearch only defines the search; Start-ComplianceSearch runs it:

        New-ComplianceSearch -Name "Legal Case 280" -ExchangeLocation "Operations" -ContentMatchQuery "'Query' AND 'Akash'"
        Start-ComplianceSearch -Identity "Legal Case 280"

    In Office 365, a GUI interface is provided within the Compliance Center for easier execution.

    Exchange 2010: The Predecessor to Compliance Search
    Before Compliance Search, Exchange 2010 relied on "Multi-Mailbox Search." While less refined than Compliance Search, it offered advanced searching capabilities within a designated Discovery Management user group. This group allowed specific users to conduct advanced searches across the Exchange domain.

    Compliance Search in Microsoft 365
    For Microsoft 365 Exchange Online, Compliance Search is integrated into the Microsoft Purview interface, offering additional features such as:
    - Expanded search capabilities (including Teams, OneDrive, SharePoint, and even Copilot AI prompts)
    - Keyword statistics (helping refine search terms and estimate matching results)
    - Litigation Holds (preventing deletion of identified emails, including future messages related to a case)
    This makes Compliance Search a crucial tool for legal teams, cybersecurity analysts, and IT administrators when handling data retention, incident response, and regulatory compliance.

    ---- Dean ----

  • Understanding the Recoverable Items Folder in Exchange Online

    Updated on 29 Jan, 2025

    In today's digital world, emails play a crucial role in business communications. However, accidental deletions, malicious actions, or legal investigations often require organizations to have robust email retention policies. This is where Exchange Online's Recoverable Items folder comes into play. It acts as a safety net, ensuring that important emails and documents are not permanently lost too soon and can be retrieved when necessary.

    What is the Recoverable Items Folder?
    The Recoverable Items folder is a hidden system folder in Exchange Online that stores deleted items before they are permanently purged. It helps with legal compliance, facilitates eDiscovery (electronic discovery) requests, and prevents unauthorized purging of critical emails.

    Why is the Recoverable Items Folder Important?
    Organizations need to retain emails and documents for compliance, security, and business continuity. The Recoverable Items folder serves multiple purposes, including:
    - Accidental or malicious deletion protection
    - Legal and compliance holds (Litigation Hold, eDiscovery Hold, and In-Place Hold)
    - Retention policies in Microsoft 365 and Office 365
    - Mailbox audit logging (tracking actions like email deletions and modifications)
    - Calendar logging for historical calendar entries

    How Deleted Emails Are Handled in Exchange Online
    When a user deletes an email, it doesn't disappear immediately. Instead, Exchange follows a structured process to handle deletions:
    - Soft Delete: when an email is deleted from the Deleted Items folder or removed using Shift + Delete, it moves to the Deletions subfolder within the Recoverable Items folder. By default, it stays here for 14 days (or up to 30 days if configured).
    - Purges: once the retention period expires, emails move to the Purges folder, where they wait for final deletion by the Exchange Managed Folder Assistant.
    - Hard Delete: when an email is purged, it is permanently deleted and cannot be recovered unless it was under a legal hold.

    Subfolders in the Recoverable Items Folder
    The Recoverable Items folder contains multiple subfolders, each serving a unique purpose:
    - Deletions: stores soft-deleted items until their retention period expires.
    - Purges: contains emails waiting for permanent deletion.
    - DiscoveryHold: holds emails placed under eDiscovery or legal retention policies.
    - Versions: stores copies of modified emails under legal hold, using a "copy-on-write" technique.
    - Audits: records mailbox activity, including email deletions and modifications.
    - Calendar Logging: retains past calendar entries for reference.

    Legal Holds and eDiscovery
    Organizations can place entire mailboxes or specific items under a Litigation Hold, In-Place Hold, or eDiscovery Hold. This ensures that critical emails are preserved indefinitely until the hold is lifted. Additionally, query-based holds allow for precise retention of only relevant messages. Multiple holds can be applied to a single email, making it easier to comply with various legal requirements.

    Mailbox and Message Auditing
    Exchange Online includes audit logging to track user activity, such as:
    - When emails are created, moved, or deleted
    - Whether an email was soft or hard deleted
    - Emails sent from a mailbox
    In Microsoft 365, mailbox auditing is enabled by default and logs 90 days of activity via the Unified Audit Log. However, in on-premises Exchange, it must be manually activated for each user.

    Message Tracing and Tracking
    For better transparency, Exchange Online includes message tracing, which logs details of sent and received emails, such as:
    - Sender and recipient details
    - Email subject, size, and timestamps
    - Delivery status and originating IP address
    Message tracing is enabled by default for up to 90 days. However, retrieving messages older than 7 days may take longer and is available only in CSV format.

    Below are some commonly used PowerShell commands for working with the "Recoverable Items" folder. Replace <mailbox> with the identity of the mailbox under investigation (alias, display name, or email address).

    1. Get-MailboxFolderStatistics
    Statistics for all folders within a specified mailbox, filtered down to the "Recoverable Items" subtree (item counts and sizes per subfolder):

        Get-MailboxFolderStatistics -Identity <mailbox> | Where-Object {$_.FolderPath -like '*Recoverable Items*'}

    2. Search-Mailbox
    Searches for items within a mailbox that match specified search criteria, including items in the "Recoverable Items" folder. With -EstimateResultOnly it reports the number of matches; add -TargetMailbox and -TargetFolder instead to copy the results out. Note that Search-Mailbox has been retired in Exchange Online, where New-ComplianceSearch is the replacement:

        Search-Mailbox -Identity <mailbox> -SearchQuery 'folderpath:"Recoverable Items"' -EstimateResultOnly

    3. New-MailboxSearch
    Creates a new search definition whose results land in a discovery mailbox; the search is created stopped, so run Start-MailboxSearch to execute it:

        New-MailboxSearch -Name "RecoverableItemsSearch" -SourceMailboxes <mailbox> -SearchQuery 'folderpath:"Recoverable Items"'
        Start-MailboxSearch -Identity "RecoverableItemsSearch"

    4. Get-RecoverableItems
    Retrieves the items from the "Recoverable Items" folder for a specified mailbox:

        Get-RecoverableItems -Identity <mailbox>

    5. Restore-RecoverableItems
    Restores items from the "Recoverable Items" folder back to the primary mailbox or to another mailbox; the filter below restricts the restore to email messages (message class IPM.Note):

        Restore-RecoverableItems -Identity <mailbox> -FilterItemType IPM.Note

    https://learn.microsoft.com/en-us/powershell/module/exchange/?view=exchange-ps#mailboxes

    Final Thoughts
    The Recoverable Items folder in Exchange Online is a critical component of email retention and compliance strategies. Whether protecting against accidental deletions, enforcing legal holds, or tracking mailbox activities, it ensures organizations have complete control over their email data.

    ---- Dean ----

  • Email Data Extraction(Collecting and Analyzing Evidence from Modern Email Systems)

    Every email you send passes through an email server at some point. The key question is whether the email still lives on the server or has been moved to local storage on a device such as a workstation. In many business environments, email systems use a mix of both: recent emails are usually accessible through the company's email server, while older messages are often archived locally on workstations or synchronized for offline use.

    Cloud vs. On-Premises Mail Servers
    In recent years, many organizations have shifted from traditional on-premises email servers to cloud-based solutions or Software as a Service (SaaS) platforms like Microsoft 365 and Google Workspace. This transition has brought both advantages and challenges for evidence collection. With less direct control over physical infrastructure, organizations must rely on the tools provided by these platforms to search, preserve, and extract email and related server logs. Despite these changes, the goal remains the same: investigators need efficient ways to identify, extract, and analyze relevant emails and logs.

    Techniques for Evidence Acquisition from Email Servers
    - Export Individual Mailboxes: directly export the mailboxes of the accounts in question.
    - Vendor-Specific Tools: email platforms like Microsoft 365 and Google Workspace often come with built-in tools to help search, filter, and extract emails.
    - Third-Party Tools and APIs: specialized third-party tools often leverage APIs (Application Programming Interfaces) to access email systems and server logs. Interestingly, APIs can sometimes yield more detailed or complete results than vendor-provided graphical tools.

    The Recoverable Items Folder: A Goldmine for Investigations
    Modern email systems like Microsoft Exchange and Microsoft 365 include a feature called the Recoverable Items folder. This folder ensures that emails, even those deleted by users, aren't immediately lost. Instead, emails go through several stages before being permanently purged:
    - Deletions: when users delete emails (even with Shift + Delete), the messages move to this subfolder.
    - Purges: once the retention period (14 days by default) expires, emails are moved here temporarily before being permanently deleted.
    - DiscoveryHold: emails under a legal or eDiscovery hold are preserved indefinitely.
    - Versions: if an email is modified while on hold, the system creates a snapshot of the original version using a "copy-on-write" method. This ensures the integrity of evidence.

    Leveraging PowerShell for Exchange Server Investigations
    If you're working with an on-premises Exchange Server, PowerShell is your best friend. It offers powerful tools to search, filter, and export data directly from the server without disrupting operations. Here are some common PowerShell commands for email investigations.

    Commands for Exchange 2010 SP1 and Above:
    - New-MailboxImportRequest: used to import mailbox data.
    - New-MailboxExportRequest: used to export mailbox data.

    Example Syntax:

        New-MailboxExportRequest -Mailbox akash_patel -FilePath \\Server\Folder\akash_patel.pst

    Export with Date Range and Advanced Filtering:

        New-MailboxExportRequest -Mailbox akash_patel -ContentFilter {(body -like "*Welcome*") -and (Received -gt "01/01/2024" -and Received -lt "03/01/2024")} -FilePath \\Server\Folder\akash_AdvancedFiltered.pst

    Export Multiple Mailboxes (each export request needs its own target file, so the mailbox alias is used to build a distinct .pst name per mailbox):

        Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RecipientTypeDetails -eq "UserMailbox"} | ForEach-Object { New-MailboxExportRequest -Mailbox $_ -FilePath "\\Server\Folder\$($_.Alias).pst" }

    Incremental Export (the #Inbox# well-known-folder syntax limits the export to the Inbox, and -IsArchive selects the user's archive mailbox rather than the primary mailbox):

        New-MailboxExportRequest -Mailbox akash_patel -IncludeFolders "#Inbox#" -FilePath \\Server\Folder\Akash_Incremental.pst -IsArchive

    Exchange Server 2007
    Exchange 2007 introduced similar but slightly different PowerShell-based commands for mailbox exports. These commands require the Exchange Management Tools to be installed as a PowerShell snap-in.

    Example Commands:

        Export-Mailbox -Identity akash@gmail.com -PSTFolderPath C:\akash.pst
        Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath C:\PST

    Export with Date Range:

        Export-Mailbox -Identity akash@gmail.com -StartDate "01/01/2022" -EndDate "03/01/2022" -PSTFolderPath C:\akash_DateFiltered.pst

    Export to Network Location:

        Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath \\Network\Share\Corporate.pst

    Export Specific Folder:

        Export-Mailbox -Identity akash@gmail.com -IncludeFolders "\Sent Items" -PSTFolderPath C:\akash_SentItems.pst

    Exchange Server 2003, 2000, and 5.5
    For older versions of Exchange, the primary tool for exporting mailbox data is ExMerge. While it lacks some of the advanced features of newer tools, ExMerge is capable of exporting individual user mailboxes to .PST files.

    Limitation of ExMerge:
    - 2 GB PST Size Limit: this can be problematic for large mailboxes.

    Example command:

        ExMerge -B -F C:\userlist.txt -D C:\PST\ -S ExchangeServerName

    Conclusion
    - PowerShell Cmdlets: offer a flexible and powerful way to export mailbox data with advanced filtering options. Suitable for Exchange 2010 and above.
    - ExMerge: useful for older versions of Exchange but has a 2 GB PST size limitation.
    When choosing a method for extracting email data from Exchange servers, consider the version of Exchange, the size of the mailboxes, the required features, and compatibility with other tools or processes. Always ensure that the chosen method aligns with forensic best practices to maintain data integrity and admissibility in legal proceedings.

    Best Practices for Email Evidence Collection
    - Understand Your Tools
    - Collaborate with Administrators
    - Test Before You Rely
    - Plan for Legacy Systems

    Wrapping Up
    Modern email forensics is all about flexibility. Whether you're using built-in vendor tools, APIs, or third-party solutions, preparation is key. Knowing how to navigate recoverable items, export mailboxes, and use filtering tools can make or break an investigation. By combining a clear understanding of email server technology with effective tools and techniques, you'll be well-equipped to gather and analyze evidence in today's complex email landscape.

    ---- Dean ----

  • Understanding Host-Based Email Stores in Digital Forensics

    Updated on 28 Jan, 2025

    When investigating emails during digital forensic analysis, knowing where and how emails are stored locally can make all the difference. Unlike server-based emails that are stored remotely, host-based email stores are archives saved directly on a computer. These archives can be either a single large file (like Microsoft Outlook's .OST files) or multiple files where an index file helps organize metadata such as read status, flags, and replies.

    Why Local Email Archives Matter in Investigations
    Even when companies use server-based email solutions, local email archives are still valuable sources of information. Here's why:
    - Many organizations limit mailbox sizes, leading users to archive old messages locally.
    - Employees may store backup emails or contact lists imported from other systems.
    - Deleted emails can often be recovered from these local archives.

    How to Identify Local Email Archives
    Since local email archives are almost always tied to an installed email client, you can start by checking the system's installed applications. Other useful techniques include:
    - File extension searches (e.g., looking for .OST, .PST, or .NST files).
    - Reviewing email client configurations and registry settings on Windows.
    - Using forensic tools that can automatically detect known email archives.
    Some email clients allow password protection, but this usually just locks access to the application, not the email archive itself. If you need to retrieve email client passwords, Mail PassView from NirSoft is a useful tool.

    Microsoft Outlook: The Dominant Email Client
    For Windows users, Microsoft Outlook dominates the email client market. From a forensic standpoint, this is great news because Outlook's email storage formats are well documented and widely supported by forensic tools.

    Outlook's Three Email Storage Formats
    - .OST (Offline Outlook Data File): used by Microsoft 365, Exchange, IMAP, and Outlook.com accounts.
    - .PST (Outlook Data File): used for POP email accounts, archives, and exported email backups.
    - .NST (Outlook Group Storage File): stores group conversations and calendar data for Microsoft 365 Groups.

    Understanding Outlook's Email Storage Formats
    - PST Files: once the standard format for Outlook, these files store emails, attachments, contacts, and calendar entries. While newer versions of Outlook favor .OST files, .PST files are still used for email backups and archives.
    - OST Files: now the default for Microsoft 365 and Exchange accounts, these files act as local copies of server-based mailboxes. Unlike .PST files, OST files cannot be opened separately without Outlook.
    - NST Files: a newer format designed for Microsoft 365 Groups. Unlike the other two, NST files do not store emails permanently but instead cache group conversations and calendar events.

    Where to Find Outlook Email Files
    The location of these files depends on the Outlook version and Windows setup. Typically, you can find them here:

    .PST File Locations:
    1. Outlook 2019, Outlook 2016, Outlook 2013: C:\Users\[username]\Documents\Outlook Files
    2. Outlook 2010: C:\Users\[username]\Documents\Outlook Files
    3. Outlook 2007: C:\Users\[username]\AppData\Local\Microsoft\Outlook
    4. Outlook 2003 and earlier: C:\Users\[username]\AppData\Local\Microsoft\Outlook

    .OST File Locations:
    1. Outlook 2019, Outlook 2016, Outlook 2013: C:\Users\[username]\AppData\Local\Microsoft\Outlook
    2. Outlook 2010: C:\Users\[username]\AppData\Local\Microsoft\Outlook
    3. Outlook 2007: C:\Users\[username]\AppData\Local\Microsoft\Outlook
    4. Outlook 2003: C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook

    Updated locations as of 28 Jan 2025:
    - %UserProfile%\Documents\Outlook
    - %UserProfile%\AppData\Local\Microsoft\Outlook
    - Older versions of Outlook may store archives in %UserProfile%\AppData\Roaming\Microsoft\Outlook
    The Windows registry key NTUSER\Software\Microsoft\Office\16.0\Outlook\ can help locate non-default storage locations.

    Notes:
    It is always good practice to confirm the actual locations in Outlook settings or through the registry:
    - .PST Location Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook (replace xx.0 with the Outlook version, e.g., 16.0 for Outlook 2016/2019 and 15.0 for Outlook 2013).
    - .OST Location Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Office\xx.0\Outlook (again, replace xx.0 with the Outlook version).
    Look for the ForceOSTPath or ForcePSTPath values under these registry keys to find the custom paths set for .OST and .PST files, respectively.

    Recovering Deleted Emails from Outlook Archives
    Outlook email files can be massive: modern versions support up to 50 GB per file (compared to the 2 GB limit in Outlook 2003 and earlier). Deleted emails often linger within these files and can be recovered using forensic tools, even if they were "hard deleted" (permanently removed).

    Key Takeaways for Investigators
    - Local email stores are a goldmine for forensic analysis, even in cloud-based environments.
    - Outlook dominates the Windows email client market, making its archives crucial for investigations.
    - Deleted emails and metadata can often be recovered with the right tools.
    - File location and registry analysis can help track down hidden email archives.

    ----------------------------------------------------------------

    When it comes to email forensics, it's nearly impossible to prepare for every single email client out there. However, focusing on the more common ones is a great starting point.

    Step 1: Identify Installed or Previously Used Email Clients
    One of the first steps you can take is to look for email programs installed or previously used on the system. The Windows registry, as well as execution artifacts like Prefetch files, can be a goldmine of information. They might even reveal references to email clients that were installed and later removed. If you're unsure about an unfamiliar program, a quick internet search can often provide details about its file types or archive structures.

    Step 2: Understand Email Archive Formats
    Most email clients store their data in clear-text archive formats, making it easier to access the contents. Outlook's PST/OST files are among the few exceptions. Forensic suites excel at locating and parsing these archives, and they often come with robust searching capabilities. Some email archive formats include unallocated space, meaning even emails that were hard-deleted might still be recoverable.

    Step 3: Don't Forget Other Data
    Email clients are often more than just tools for sending and receiving emails. Many are complete productivity hubs, featuring calendars, address books, and task lists. These features can generate additional artifacts, which might also be exported into various formats. These can provide useful context during an investigation.
-------------------------------------------------------------------------------------------------------- Conclusion By understanding how host-based email storage works, forensic investigators can uncover crucial evidence, even when emails seem lost or deleted. ----------------------------------------Dean------------------------------------------------------

  • Uncovering Hidden Email Attachments in Outlook’s Secure Temp Folder

Key Points

When you open an email attachment in Outlook it does not simply vanish after you close it: Outlook first writes it to a hidden folder on the computer. This "Secure Temp Folder" is an important forensic artifact, because it can reveal attachments the user opened even after the emails themselves were deleted.

Where Are These Attachments Stored?

Outlook writes opened attachments to a folder inside the Internet Explorer cache:
- IE10 and earlier → Temporary Internet Files
- IE11 and later → INetCache
Inside it is a Content.Outlook folder containing a randomly named subfolder (eight alphanumeric characters) where the attachments are stored. This replaces the "OLK" folder used by older versions such as Outlook 2003.

To locate the folder from the registry, check:
📌 NTUSER\Software\Microsoft\Office\xx.0\Outlook\Security (value: OutlookSecureTempFolder; replace xx.0 with the Outlook version, e.g., 16.0)
The value is typically only present once Outlook has created the folder; if it is missing, fall back to the default path.

Default location:
C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\
(Replace [username] with the actual user profile name.)
----------------------------------------------------------------------------------------------------
Why Does This Matter for Forensics?

Before Outlook 2007, investigators could often recover multiple versions of the same file if it had been opened more than once, because Outlook left the copies behind (a repeat open of the same name gets a numeric suffix, such as report (2).docx). Modern versions delete files from this folder when the attachment is closed or when Outlook exits. There are exceptions:
- If Outlook crashes, the file may remain.
- If the file is still open in its application when the email is closed, Outlook cannot delete it and leaves it behind.
So the folder can still hold valuable evidence, even if less often than before.
----------------------------------------------------------------------------------------------------
Recovering Deleted Attachments

Even when Outlook has deleted an attachment from this folder, traces can survive in file-system artifacts:
- $LogFile
- $UsnJrnl (the USN change journal)
- Volume Shadow Copies
- the deleted file's $MFT record and the unallocated clusters it occupied
With forensic tools, investigators can often reconstruct deleted attachments and establish when they were created, renamed, and deleted.
----------------------------------------------------------------------------------------------------
Timestamp Oddities: When Was the File Opened?

Attachments inside an email carry no file-system timestamps of their own, so what does Outlook write when it extracts one? Sometimes the file's creation time is backdated to match the email's timestamp; at other times Outlook applies the modification time of the original file, carried in the attachment's MAPI properties. Either way, the timestamps on the extracted copy are not a reliable record of when the user opened it. Corroborate with the $UsnJrnl and $LogFile entries for the file, which record the actual creation event on the examined system.
----------------------------------------------------------------------------------------------------
Key Takeaways
🔹 Opened email attachments are temporarily written to disk.
🔹 Outlook tries to delete them but does not always succeed.
🔹 Timestamps on extracted attachments can be misleading.
🔹 Deleted attachments may still be recoverable from file-system artifacts.

For forensic analysts, this folder remains a hidden goldmine that can reveal user activity long after an email has been deleted.
----------------------------------------Dean--------------------------------------------------------

  • Understanding OST and PST Files: A Guide for Email Forensics

Why Local Email Clients Matter

Unlike webmail, which needs an internet connection to reach messages, local email clients such as Microsoft Outlook let users read, write, and organize email while offline. For Exchange accounts this is made possible by Outlook's Cached Exchange Mode, which keeps a local copy of the mailbox in an Offline Outlook Data File (.OST).

The Role of OST Files in Email Storage

With Microsoft 365 (M365) and Outlook.com accounts, OST files have become the norm. An OST holds a cached copy of the server mailbox, by default only a recent window of mail (commonly the last 12 months, set by the "Mail to keep offline" slider in the account settings), and can grow to 50 GB.
------------------------------------------------------------------------------------------------------------
Recovering Data from OST Files: The Challenges

A Personal Storage Table (.PST) file can be opened directly in Outlook through File > Open. An OST cannot: it is bound to the mail profile and mailbox that created it, and Outlook refuses a copied or orphaned OST. (Both formats use Outlook's default "compressible encryption", a fixed byte permutation rather than real cryptography, so forensic parsers read them without any key.) Options for recovery:
- Convert OST to PST: third-party tools such as ost2pst.exe convert an OST into a PST that Outlook can open.
- Use forensic suites: AXIOM, X-Ways, FTK, and EnCase parse OST files natively.
- Beware of duplicate data: because the OST mirrors the Exchange mailbox, analyzing both sources produces duplicate emails. Deduplicate on Message-ID or item hash before review, and keep in mind that the OST may hold items that were deleted on the server after the last sync.
------------------------------------------------------------------------------------------------------------
Note that orphaned OST files (left behind when a profile was re-created, or when a sync failed because of mailbox corruption) are also commonly found on a system.

Fixing Corrupt OST Files
If an OST file is damaged, there are a couple of routes:
- scanost.exe: the OST Integrity Check tool shipped with Outlook 2007 and earlier. It was dropped from Outlook 2010 onwards, where Microsoft's guidance is to delete and re-create the OST, so on a modern system a damaged OST must be parsed with a forensic tool rather than repaired in Outlook.
- pffexport: an open-source command-line tool from the libpff project that extracts items, including recoverable deleted items, from OST and PST files, and tolerates partially damaged files.
------------------------------------------------------------------------------------------------------------
Best Tools for Viewing and Extracting Emails

Forensic suites can analyze PST and OST files, but a standalone viewer is sometimes more convenient:
- XstReader: an open-source .NET/C# viewer that gives quick access to PST, OST, and NST files.
- XstExporter: its command-line companion for exporting emails and attachments in bulk.
- Kernel Data Recovery viewers: free tools that display emails but require a paid version to export data.

These tools have advantages over Outlook:
✅ Opening files from any Outlook version
✅ Bypassing the PST password (which is stored in the file itself and is not a cryptographic control)
✅ Reading corrupted files
✅ Providing an easy-to-navigate interface
------------------------------------------------------------------------------------------------------------
The Reality of Free vs. Paid Email Forensic Tools

Free tools have limitations in email forensics, and most investigators rely on commercial forensic suites for in-depth analysis. On a budget, some affordable options are:
- PST Walker: a low-cost PST viewer
- Aid4Mail, Emailchemy, and Logikcull: recommended by users for basic email extraction and analysis

Final Thoughts

OST and PST files play a crucial role in email forensics, providing valuable insights even when data has been deleted from the mail server. Whether you use forensic suites or standalone tools, understanding how these files work and where to find them is key to effective investigations.
------------------------------------------Dean----------------------------------------------

  • Decoding Google Drive’s Protocol Buffers and Investigating Cached Files

Google is known for its own data storage formats, and Google Drive for Desktop is no exception. Unlike JSON or XML, Google Drive stores critical metadata in Protocol Buffers (protobufs), a binary format that is highly efficient but hard to read by eye.

🚀 Key Topics:
✅ What are Protocol Buffers (protobufs)?
✅ How to decode protobufs in Google Drive databases
✅ Investigating Google Drive's local file cache
✅ Mapping cached files to their original filenames
----------------------------------------------------------------------------------------------------------
1️⃣ Understanding Protocol Buffers (protobufs) in Google Drive

🔍 What Are Protocol Buffers?
Google developed Protocol Buffers as a lightweight, efficient format for storing and transmitting structured data. Unlike JSON or XML, protobufs are binary, which makes them:
✅ Faster to read and write
✅ More space-efficient
✅ Hard for humans to interpret: the encoding carries only field numbers and wire types, never field names, so without the schema a decoder can show structure and values but not what each field means

📌 Where Are Protobufs Used in Google Drive?
Several Google Drive databases store metadata as protobuf blobs:
Database           | Table           | Protobuf field   | Description
metadata_sqlite_db | item_properties | content-entry    | Identifiers of the cached copy of a file (ties an item to content_cache)
metadata_sqlite_db | properties      | account_settings | Google account and sync settings
----------------------------------------------------------------------------------------------------------
2️⃣ Decoding Protobufs Using CyberChef

Protobufs are not human-readable. To extract the information, decode them with a tool such as CyberChef.

🛠️ Step-by-Step Protobuf Decoding (Using CyberChef)
1️⃣ Extract the binary blob from the content-entry or account_settings value in metadata_sqlite_db (DB Browser for SQLite shows BLOB cells as hex and can export them).
2️⃣ Convert the hex to raw bytes with CyberChef's "From Hex" operation.
3️⃣ Run CyberChef's "Protobuf Decode" operation on the bytes; with no schema it lists field numbers and values, guessing whether each length-delimited field is a string, a nested message, or raw bytes.
4️⃣ Read the file identifiers, hashes, and metadata from the decoded fields.
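To show what CyberChef's "Protobuf Decode" does under the hood, here is an added example in Python (not from the original article) that decodes protobuf wire format without a schema: varints, fixed-width values, length-delimited fields, and nested messages. The blob it decodes is constructed here to resemble a cache-mapping record; its field numbers and meanings are assumptions for the demonstration, not the documented layout of Google Drive's content-entry property.

```python
"""Schema-less Protocol Buffers decoder (added example, not from the article).
The sample blob is CONSTRUCTED to look like a cache-mapping record; it is
not the real layout of Google Drive's content-entry field."""
import struct


def _read_varint(buf: bytes, pos: int):
    """Read a base-128 varint starting at pos; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        b = buf[pos]                 # IndexError if the buffer is truncated
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
        if shift > 70:               # a valid varint is at most 10 bytes
            raise ValueError("varint too long")


def _interpret(raw: bytes):
    """Length-delimited payloads carry no type tag: guess printable string,
    then embedded message, and fall back to opaque bytes."""
    try:
        text = raw.decode("utf-8")
        if text.isprintable():
            return text
    except UnicodeDecodeError:
        pass
    try:
        return decode(raw)
    except (ValueError, IndexError, struct.error):
        return raw


def decode(buf: bytes):
    """Return a list of (field_number, wire_type, value) tuples."""
    fields, pos = [], 0
    while pos < len(buf):
        key, pos = _read_varint(buf, pos)
        field, wire_type = key >> 3, key & 0x07
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wire_type == 0:                       # varint
            value, pos = _read_varint(buf, pos)
        elif wire_type == 1:                     # 64-bit (int64/double bits)
            value = struct.unpack_from("<Q", buf, pos)[0]
            pos += 8
        elif wire_type == 2:                     # length-delimited
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past buffer")
            value = _interpret(buf[pos:pos + length])
            pos += length
        elif wire_type == 5:                     # 32-bit (int32/float bits)
            value = struct.unpack_from("<I", buf, pos)[0]
            pos += 4
        else:                                    # 3 and 4 are deprecated groups
            raise ValueError(f"unsupported wire type {wire_type} at offset {pos}")
        fields.append((field, wire_type, value))
    return fields


def all_strings(fields):
    """Collect every string in a decoded message, recursing into nested
    messages: a quick way to pull names and identifiers out of a blob."""
    out = []
    for _, _, value in fields:
        if isinstance(value, str):
            out.append(value)
        elif isinstance(value, list):
            out.extend(all_strings(value))
    return out


# --- tiny encoder used only to build the constructed sample -----------------
def _varint(n: int) -> bytes:
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def _ld(field: int, payload: bytes) -> bytes:      # wire type 2
    return _varint(field << 3 | 2) + _varint(len(payload)) + payload


def _vi(field: int, n: int) -> bytes:              # wire type 0
    return _varint(field << 3 | 0) + _varint(n)


SAMPLE_HASH = bytes(range(0xA0, 0xB0))             # opaque 16-byte digest
SAMPLE_BLOB = (                                    # assumed layout, see lead-in
    _ld(1, b"9f0e3b2c")                            # name of the copy in content_cache
    + _vi(2, 20480)                                # size in bytes
    + _ld(3, _vi(1, 1706400000) + _ld(2, b"report.docx"))  # nested: time + title
    + _ld(4, SAMPLE_HASH)
)

if __name__ == "__main__":
    for entry in decode(SAMPLE_BLOB):
        print(entry)
    print("strings:", all_strings(decode(SAMPLE_BLOB)))
```

Because the wire format does not say whether a length-delimited field is text, bytes, or a message, the decoder applies the same heuristic CyberChef uses, so a binary hash that happens to parse as a valid message can be misreported; cross-check against the item's recorded file_size before trusting a guess.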
📌 Forensic Use:
✅ Recover filenames and hashes of cached files
✅ Extract Google account details from account_settings
✅ Tie cached files to their metadata in Google Drive
----------------------------------------------------------------------------------------------------------
3️⃣ Collecting Google Drive's Local Content Cache

Because Google Drive for Desktop presents a virtual drive, a forensic image of the system does not contain cloud-only files. Fortunately, Drive caches local copies of files the user has accessed, which lets investigators recover data that has since been deleted or is otherwise cloud-only.

📍 Cache folder location:
C:\Users\[username]\AppData\Local\Google\DriveFS\[account id]\content_cache\
([account id] is the numeric per-account folder Drive creates.)
- Cached files are renamed and have no file extension.
- Files can remain in the cache after they are deleted from Google Drive.
- Cached thumbnails and previews may persist for longer than the files themselves.

📌 Forensic Use (review the database with DB Browser for SQLite):
✅ Recover cloud-only files that were previously accessed
✅ Extract deleted files from the cache, even after removal from Google Drive
✅ Analyze thumbnails and previews for additional evidence
----------------------------------------------------------------------------------------------------------
4️⃣ Mapping Cached Files to Original Filenames (Investigating the Cache)

Because cached files lose their original names, the filenames must be rebuilt from metadata in metadata_sqlite_db.
📍 Key database: metadata_sqlite_db
📌 Tables of interest:
Table           | Field         | Description
items           | local_title   | Original filename
items           | file_size     | File size (used for verification)
item_properties | content-entry | Maps an item to the name of its copy in content_cache

🛠️ Step-by-Step Process to Rebuild Filenames
1️⃣ Review the items table to identify files of interest.
2️⃣ Check item_properties to see whether the item is cached (it has a content-entry property).
3️⃣ Parse the content-entry protobuf to get the filename used on disk.
4️⃣ Find that filename in the content_cache folder and confirm the match against the file_size recorded for the item.

📌 Forensic Use:
✅ Link cached files to their original names and locations
✅ Recover files no longer visible in Google Drive
✅ Extract additional metadata (e.g., file hash, timestamps)
----------------------------------------------------------------------------------------------------------
5️⃣ File Type Identification Using Header Analysis

Because cached files have no extensions, identify their types from the file header (magic number).

🔍 Common file headers (magic numbers):
File Type    | Magic Number (Hex)
JPEG image   | FF D8 FF
PNG image    | 89 50 4E 47
PDF document | 25 50 44 46
ZIP archive  | 50 4B 03 04 (also Office Open XML documents such as .docx and .xlsx)

📌 Tools for header analysis:
- Hex editors (HxD, WinHex)
- Forensic suites (Autopsy, FTK, EnCase)
- The file(1) utility on Linux/macOS, which applies a large signature database

📌 Forensic Use:
✅ Determine file type without an extension
✅ Identify potentially malicious files (e.g., renamed executables)
✅ Cross-check file headers against known malware signatures
----------------------------------------------------------------------------------------------------------
We will explore more about Google Drive in the next article (Automating Google Drive Forensics: Tools & Techniques), so stay tuned! See you in the next one.
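As an added example (not code from this article), the following Python script applies the header-analysis step from section 5 above to extension-less cache files, and also covers the file-extension search from the host-based email stores article higher up the page: a renamed Outlook .PST/.OST is still recognised by its "!BDN" header, and the client and version fields of the MS-PST header tell PST from OST and ANSI from Unicode. The cache filenames and their contents are constructed for the demonstration, and the two Outlook headers are minimal synthetic headers with only the fields the function checks filled in.

```python
"""File-type identification from leading bytes (added example, not from the
article).  Covers the magic-number table for extension-less Google Drive
cache files and the MS-PST header shared by Outlook .PST/.OST (and .NST)
stores.  All sample buffers are constructed inline."""
import os
import struct

# Signatures at offset 0: the article's table plus two executable formats.
MAGIC = (
    (b"\xFF\xD8\xFF", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/XLSX/PPTX/JAR/APK)"),
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
)


def identify_outlook_store(head: bytes):
    """Parse the MS-PST file header.  Offsets per the open MS-PST
    specification (as also documented by libpff):
      0-3   dwMagic       b"!BDN"
      8-9   wMagicClient  b"SM" = PST, b"SO" = OST
      10-11 wVer          14/15 = ANSI (2 GB cap), 23 = Unicode,
                          36 = Unicode with 4 KiB pages (Outlook 2013+ OST)
    Returns a description, or None if this is not an Outlook store."""
    if len(head) < 12 or head[:4] != b"!BDN":
        return None
    client = head[8:10]
    (ver,) = struct.unpack_from("<H", head, 10)
    kind = {b"SM": "PST", b"SO": "OST"}.get(client, "store (unknown client)")
    layout = {14: "ANSI (2 GB cap)", 15: "ANSI (2 GB cap)", 23: "Unicode",
              36: "Unicode, 4 KiB pages"}.get(ver, f"unknown wVer {ver}")
    return f"Outlook {kind}, {layout}"


def identify(data: bytes) -> str:
    """Best-effort type from the first bytes of a file."""
    store = identify_outlook_store(data[:16])
    if store:
        return store
    for signature, name in MAGIC:
        if data.startswith(signature):
            return name
    return "unknown (no recognised signature)"


def identify_all(files: dict) -> dict:
    """files: {name: leading bytes}; returns {name: type description}."""
    return {name: identify(head) for name, head in files.items()}


def scan_directory(root: str, head_len: int = 16) -> dict:
    """Read the first bytes of every file under root (a DriveFS content_cache
    folder, or a whole user profile when hunting renamed .PST/.OST files)."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    results[path] = identify(fh.read(head_len))
            except OSError:
                continue
    return results


# Constructed samples: only the header fields checked above are meaningful.
SAMPLE_PST = b"!BDN" + b"\0" * 4 + b"SM" + struct.pack("<HH", 23, 19) + b"\0" * 4
SAMPLE_OST = b"!BDN" + b"\0" * 4 + b"SO" + struct.pack("<HH", 36, 19) + b"\0" * 4
SAMPLE_CACHE_FILES = {                   # constructed content_cache entries
    "7ab3e0f1": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "c41d9a00": b"PK\x03\x04\x14\x00\x06\x00" + b"\0" * 8,
    "0e5f2b77": b"\x89PNG\r\n\x1a\n\0\0\0\rIHDR",
    "9f0e3b2c": b"MZ\x90\x00\x03\x00\x00\x00",   # an executable hiding in the cache
}

if __name__ == "__main__":
    for name, kind in identify_all(SAMPLE_CACHE_FILES).items():
        print(f"{name}: {kind}")
    print(identify_outlook_store(SAMPLE_PST), "|", identify_outlook_store(SAMPLE_OST))
```

Run scan_directory against a content_cache folder, or against a whole profile, to get a type per file regardless of extension; a cache entry that identifies as a PE executable is the "renamed executable" case the article warns about, and a Unicode PST turning up with a .dat or .bak extension is exactly what the extension search alone would miss.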

  • Understanding Email Headers in Digital Forensics

Emails are an integral part of modern communication, serving as both a personal and professional lifeline. Behind every email is a digital envelope, the email header: a trove of metadata that reveals the message's route, authenticity, and origin.

Email Transmission Path

An email's journey is a multi-step process:
- Mail Client: emails originate from a mail client, which can be a local application like Outlook or a web-based platform such as Yahoo! Mail.
- Mail Transfer Agent (MTA): the client hands the message to an MTA, a server speaking the Simple Mail Transfer Protocol (SMTP), which is responsible for transmission.
- Route: the MTA looks up the recipient domain's mail servers (MX records) and forwards the email. In larger networks a message may traverse several MTAs, each of which prepends its own Received header.

Key Metadata in Email Headers

While the body carries the message, the headers carry the metadata investigators need. Crucial fields and their implications:
- Message-ID: a unique identifier assigned when the message is created; it is the best search key for locating the same message in logs, other mailboxes, and threads.
- Received: chronicles the path with server names, IP addresses, timestamps, and time zones. Each MTA adds its line at the top, so read from the bottom up: the lowest entry is the first hop. Only the entries added by servers you trust can be relied upon; everything below them could have been written by the sender.
- X-Originating-IP: formerly revealed the sender's client IP; Gmail and Outlook.com no longer include it, for privacy reasons.
- X-Mailer: formerly identified the sending client; also absent from modern Gmail and Outlook headers.

Registry of standard header fields: https://www.iana.org/assignments/message-headers/message-headers.xhtml

X-headers: experimental or extension headers outside the RFC-defined set. Mail providers and security gateways add X-headers for internal tracking or administrative purposes (spam scores, scanner verdicts, queue ids). They can be forensically rich, but since anyone can insert them they carry no inherent trust.

Implications for Forensic Analysis

1. X-Originating-IP
• Challenge: with the field gone, tracing the originating IP of a Gmail or Outlook sender from headers alone is much harder.
• Alternative: fall back on the Received headers, but the earliest hops are often the provider's internal servers, which do not expose the sender's client IP. That information typically requires a legal request to the provider.

2. X-Mailer
• Challenge: without X-Mailer it is harder to tell whether a message was composed in a desktop client or a web interface.
• Alternative: other metadata (Message-ID format, MIME structure and boundary strings, the User-Agent header some clients still add) and content analysis can give clues about the client, though less directly.

Forensic Considerations: Challenges and Alternatives
- Spoofing: From addresses and even Received lines can be forged, producing misleading header information; corroborate with authentication results and server logs.
- Privacy: regulations such as GDPR have pushed providers to strip identifying fields, complicating investigations.
- Forensic tools: specialized tools parse headers, extract metadata, and reconstruct an email's path.

Encryption and Security Headers

Modern email services prioritize security:
- TLS: Gmail and Outlook encrypt transport with Transport Layer Security; Received headers record it (e.g., "with ESMTPS" plus the TLS version and cipher).
- SPF/DKIM/DMARC/ARC: sender-authentication results are recorded in the Authentication-Results header and, for ARC, in the ARC-Authentication-Results, ARC-Message-Signature, and ARC-Seal headers.

Server-Side Changes
- Google Workspace: Google's transition to Workspace changed server infrastructure and email processing.
- Cloud Integration: Microsoft's integration of Outlook with cloud services affects storage, routing, and access.

User-Agent Headers
Modern browsers and mobile apps have changed what User-Agent headers reveal: they now reflect generic browser usage and give less specific information about the client device.

Key Elements to Analyse
- Received headers: start from the bottom and work upward; these detail the servers the message passed through.
- SPF: check for a valid SPF record and an spf=pass in Authentication-Results; most major providers, Apple included, publish SPF records.
- DKIM/ARC: look for DKIM/ARC signatures and their verification results to confirm message integrity.
- Return-Path: verify the bounce address belongs to a legitimate domain, not a suspicious one.
- Message-ID: compare with known legitimate messages from the same sender for consistency.
- Construction of Message-ID: typically combines the date/time with unique system identifiers such as a process id, a random token, or the sending domain.
- Detection: a Message-ID whose format or domain does not match what the purported sending system produces is a sign of forgery worth investigating.
---------------------------------------------------------------------------------------------------
Updated on 28 January, 2025

When investigating emails, one of the most critical elements to understand is how messages are linked into a thread. Every email carries a unique Message-ID, and two further fields tie replies to it: References and In-Reply-To.

How Emails Are Linked in a Thread
- References: the list of all previous Message-IDs in the thread. Each time someone replies, the parent's Message-ID is appended to the list.
- In-Reply-To: just the Message-ID of the direct parent.

Most modern email clients check that the In-Reply-To id is present in References and add it if it is not, so References usually gives the most complete view of a thread.

Why Does This Matter in Forensics?

These fields let investigators link related emails and spot gaps: a Message-ID that appears in a References list but is absent from the collection points to a message that was deleted or never collected. Because Message-IDs are unique, they make excellent search terms in mail logs and forensic tools. The best email forensic tools use References and In-Reply-To to reconstruct conversation threads, making review far more efficient.
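An added example (not from the original article) that applies both rules above with Python's standard email module: it walks the Received headers from the bottom up to list the hops in transit order, rebuilds a thread from References and In-Reply-To (appending In-Reply-To when a client left it out of References), and reports Message-IDs that are referenced but not present in the collection. The three messages, their hosts, IPs, and Message-IDs are constructed.

```python
"""Received-chain and thread reconstruction (added example, not from the
article).  The three messages below are CONSTRUCTED."""
import email
import re
from email.utils import parsedate_to_datetime

RAW_MESSAGES = [
    # Root message with two Received hops; the top line was added last.
    """Received: from mail.example.org (mail.example.org [203.0.113.10])
 by mx.example.net with ESMTPS id 4Yq1Xk3; Mon, 27 Jan 2025 10:05:12 +0000
Received: from client.example.org ([198.51.100.7])
 by mail.example.org with ESMTPSA id 2k9Fz; Mon, 27 Jan 2025 10:05:10 +0000
Message-ID: <a1@example.org>
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q1 report
Date: Mon, 27 Jan 2025 10:05:09 +0000

Please find the report attached.
""",
    # Direct reply to the root; References and In-Reply-To agree.
    """Received: from mail.example.net (mail.example.net [192.0.2.25])
 by mx.example.org with ESMTPS id 7HjQ2; Mon, 27 Jan 2025 11:30:00 +0000
Message-ID: <d4@example.net>
In-Reply-To: <a1@example.org>
References: <a1@example.org>
From: Bob <bob@example.net>
Subject: Re: Q1 report
Date: Mon, 27 Jan 2025 11:29:58 +0000

Thanks, reviewing now.
""",
    # Reply to a message (<b2>) that is NOT in the collection; the sending
    # client set In-Reply-To but left <b2> out of References.
    """Received: from mail.example.net (mail.example.net [192.0.2.25])
 by mx.example.org with ESMTPS id 9KpL0; Mon, 27 Jan 2025 14:20:01 +0000
Message-ID: <c3@example.net>
In-Reply-To: <b2@example.org>
References: <a1@example.org>
From: Bob <bob@example.net>
Subject: Re: Re: Q1 report
Date: Mon, 27 Jan 2025 14:19:55 +0000

Agreed, see my comments inline.
""",
]

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw: str):
    return email.message_from_string(raw)


def received_hops(msg):
    """Received headers in transit order (bottom of the header block first,
    because each MTA prepends its own line).  Per hop: the host that handed
    the message over, the IP the receiver recorded for it, the receiving
    server, and the receiver's timestamp (the part after the ';')."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(header)
        if not match:
            continue                      # non-standard line; keep going
        ip = IP_RE.search(match.group(2) or "")
        stamp = header.rsplit(";", 1)[1].strip() if ";" in header else ""
        hops.append({"from": match.group(1),
                     "ip": ip.group(1) if ip else None,
                     "by": match.group(3),
                     "time": parsedate_to_datetime(stamp) if stamp else None})
    return hops


def references_of(msg):
    """Ancestry oldest-first, applying the client rule from the article:
    if the In-Reply-To id is missing from References, append it."""
    refs = msg.get("References", "").split()
    parent = msg.get("In-Reply-To", "").strip()
    if parent and parent not in refs:
        refs.append(parent)
    return refs


def build_thread(raw_messages):
    """Return (messages by id, children by parent id, referenced ids not
    held).  The last References entry is the direct parent; a referenced id
    we do not hold was deleted or never collected."""
    messages = {m["Message-ID"].strip(): m for m in map(parse, raw_messages)}
    children, missing = {}, set()
    for mid, msg in messages.items():
        refs = references_of(msg)
        if refs:
            children.setdefault(refs[-1], []).append(mid)
            missing.update(r for r in refs if r not in messages)
    return messages, children, missing


if __name__ == "__main__":
    messages, children, missing = build_thread(RAW_MESSAGES)
    for hop in received_hops(messages["<a1@example.org>"]):
        print(hop)
    print("children by parent:", children)
    print("referenced but not held:", missing)
```

The hop timestamps come from each receiving server's own clock, so a hop whose time precedes the one below it is either clock skew or a forged Received line; either way it deserves a closer look before the chain is relied on.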
---------------------------------------------------------------------------------------------------
Conclusion

Email headers, though often overlooked, are a goldmine for digital forensic investigators. By analyzing them carefully, professionals can trace an email's journey, verify its authenticity, and gather metadata for investigations. Despite spoofing, privacy-driven header removal, and evolving provider infrastructure, a methodical approach and specialized forensic tools can navigate these obstacles.
--------------------------------------Dean-----------------------------------------------

  • Analyzing Email Structures and Forensic Challenges

Emails, a ubiquitous form of communication in the digital age, hold a trove of information for forensic investigators. Understanding their structure and nuances is crucial for effective analysis.

Email Structure

An email consists of three main components:
- Header: metadata such as sender, recipient, timestamps, and routing information.
- Body: the main content, which can include text, images, and other media.
- Attachments: files sent with the message, often carrying critical information.

Most email clients hide the full header; dedicated forensic tools (or the client's "view source" / "show original" option) expose it and reveal the message's journey.

Email Body Analysis

The body is relatively simple to analyze: it contains the sender's content, often supplemented with signature blocks or device-specific tags. Analysis usually involves:
- Manual review: reading each message in a forensic tool or email client.
- Keyword searching: string searches to filter emails on specific words or phrases.
- Data reduction: removing duplicate emails (for example by Message-ID or content hash) to streamline review.

When dealing with emails in other languages, make sure the forensic tool supports Unicode to avoid misinterpretation.

Email Attachments

Attachments are a goldmine of information and account for most stored email volume (commonly cited as around 80%). They come with their own challenges:
- Formats: attachments come in many formats that may require specialized viewers.
- Identification: matching an extracted attachment back to its email can be tricky, so record the Message-ID and a hash of each attachment at extraction time.
- Security risks: attachments are a common malware vector and must be scanned before opening.

Forensic Considerations
- Binary storage: although emails are text-based, clients may store them in binary containers, requiring specialized forensic tools for accurate searching.
- Raw email analysis: in raw message data attachments are encoded (typically MIME with base64), so decoding tools or an email client are needed to view them; a keyword search over the raw data will not match text inside a base64 block.
- Virus scanning: given the risk, scan attachments for malware. Keep the forensic workstation's antivirus updated and use its email-client plugins for comprehensive scanning, and never open an attachment on an examination machine without isolation.

Conclusion

Email forensics, though seemingly straightforward, requires a meticulous approach to extract valuable information effectively. With the right tools and techniques, investigators can uncover critical evidence stored within emails, aiding in investigations ranging from corporate fraud to cybercrime.

Akash Patel
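As an added example (not the author's code), the following Python decodes the attachments of a raw message with the standard email module, hashes each one for cross-referencing and virus-scan lookups, and compares the declared filename against the content's magic bytes. The message and both payloads are constructed, and its "invoice.pdf" attachment is deliberately a PE header carrying a PDF name.

```python
"""Attachment extraction and content sniffing (added example, not from the
article).  The message and payloads are CONSTRUCTED; 'invoice.pdf' is an
executable header wearing a PDF name."""
import base64
import email
import hashlib
import os

PAYLOAD_EXE = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
PAYLOAD_TXT = b"Invoice 1042 is due on 2025-02-15.\n"

RAW_MESSAGE = f"""From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Invoice 1042
Message-ID: <inv-1042@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0undary"

--b0undary
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.

--b0undary
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

{base64.b64encode(PAYLOAD_EXE).decode()}
--b0undary
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"
Content-Transfer-Encoding: base64

{base64.b64encode(PAYLOAD_TXT).decode()}
--b0undary--
"""

# A deliberately small signature table; a real triage uses file(1) or a library.
SNIFF = ((b"MZ", "Windows PE executable"), (b"%PDF", "PDF document"),
         (b"PK\x03\x04", "ZIP container"), (b"\xff\xd8\xff", "JPEG image"))
BY_EXTENSION = {".exe": "Windows PE executable", ".dll": "Windows PE executable",
                ".pdf": "PDF document", ".zip": "ZIP container",
                ".docx": "ZIP container", ".jpg": "JPEG image", ".jpeg": "JPEG image"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sniff(data: bytes) -> str:
    for signature, name in SNIFF:
        if data.startswith(signature):
            return name
    return "no known signature"


def extract_attachments(raw: str):
    """Walk every MIME part marked Content-Disposition: attachment, undo its
    transfer encoding (base64 here), and describe it.  'mismatch' is True
    when the declared extension and the magic bytes disagree."""
    msg = email.message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = os.path.splitext(name)[1].lower()
        kind = sniff(data)
        found.append({
            "name": name,
            "declared_type": part.get_content_type(),
            "size": len(data),
            "sha256": sha256_hex(data),
            "sniffed": kind,
            "mismatch": ext in BY_EXTENSION and BY_EXTENSION[ext] != kind,
        })
    return found


if __name__ == "__main__":
    for att in extract_attachments(RAW_MESSAGE):
        flag = "  <-- extension/content mismatch" if att["mismatch"] else ""
        print(f"{att['name']}: {att['sniffed']}, {att['size']} bytes, "
              f"sha256={att['sha256'][:16]}...{flag}")
```

Decoding is done with get_payload(decode=True), which handles base64 and quoted-printable alike; the hash is taken over the decoded bytes, which is what a malware-intelligence lookup or a deduplication pass expects, not over the base64 text in the raw message.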

  • Understanding the Email Forensic

Email forensics is a powerful discipline within digital investigations. Five questions frame most examinations.

1. Who sent the email?
Identifying the sender is pivotal, as it sets the foundation for any email investigation. Emails can be anonymized or spoofed, but they often leave traces that help determine the true sender.
- Origination address: the "From" address is the first clue. Even when spoofed, it can point to known domains or entities that can be investigated further.
- IP address: the Received headers record the IP address of each server that handed the message on. The earliest trustworthy hop can often be traced to an ISP or, in some cases, a specific organization or location.
- Contextual clues: the content, signature block, language patterns, and references can hint at the sender's identity or affiliation.

2. When was it sent?
Timestamps are crucial for building timelines.
- Message timestamp: the Date header is set by the sender's client and can be altered, but it still provides a reference point.
- Mail server timestamp: a more reliable source. Each Received header carries the receiving server's own clock, and mail servers keep logs recording exactly when a message was received or sent, providing a trustworthy timeline.

3. Is the email authentic?
To confirm whether an email is genuine or has been altered, investigators analyze the headers. Inconsistencies between hops, timestamps that run backwards, or a Message-ID that does not fit the sending system indicate possible tampering. Authentication technologies such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and ARC (Authenticated Received Chain) help verify whether a message is legitimate and whether it was modified in transit.

4. Where was it sent from?
Pinpointing the origin helps trace the email's path and judge its legitimacy.
- IP geolocation: the sending server's IP address can be mapped to a geographic location with geolocation databases, giving an approximate origin.
- Mail server and ISP tracking: the header reveals the path through mail servers and ISPs, narrowing the origin and opening further investigative avenues.

5. Is there relevant content?
The questions above establish origin and path; the content often holds the key to the email's significance.
- Email stores: beyond text and attachments, email stores contain contact lists, calendar appointments, and task lists. This data gives context to the email's intent and can corroborate evidence or establish motive.

In conclusion, email forensics is not just about reading emails but about understanding the metadata, tracing the path, and extracting relevant content. A well-conducted examination can give a comprehensive view of an individual's activities, associations, and intentions, making it an indispensable tool in digital investigations.
-------------------------------------------------Dean-------------------------------------------------
