Blog

Outlook Mac Forensics – Using OLM File Repair Tool with Ease

Carl Wilson | November 5th, 2017 | Forensics

Outlook is a common communication provision that Microsoft has made available for both; Windows as well as Mac Operating System. Almost all the features provided on Windows Outlook are owned by the Mac Outlook version 2011. Though, Outlook for Mac is available for Home as well as Business purpose, it is usually observed being used in enterprises only. This is because it permits users to establish the server side rules of Microsoft Exchange and also integrate with other services like Lync that are greatly used within and amongst organizations of large scale. OLM file repair tool on the other hand is the most beneficial utility that help to recover Mac OLM files that are corrupted and damaged through any types of cyber attacks. Therefore, there is a high risk of Outlook for Mac being involved in cyber based criminal activities of organizational level like; email espionage, theft of intellectual property, illegal sharing of company strategies, etc. Therefore, we are discussing the method to execute Outlook Mac Forensics in this article.

Local Data Repository – Carry Out Outlook Mac Forensics

Storage of emails, contacts, and other components in Outlook for Mac is done on the local machine under a fixed directory path:

By default, Microsoft Outlook 2011 is programmed to list user profiles under a common storage, i.e. the Main Identity. There can be more than one identity on Mac Outlook, which can be managed using the Database Utility by Microsoft that gets installed along with Home and Business license for Office. Each identity can have one or more e-mail accounts associated with it. All settings and data for an identity are stored in a series of directories under the corresponding identity directory. OLM recovery software let the user to get an idea of what type of attacks the Outlook files have undergone so that user can prevent those in future and can repair OLM files.

Evolution of Microsoft Email Program for Mac

Earlier, the application that Mac worked with for was Entourage that was programmed to store almost the complete user data in a common Database file which included email messages and other data. However, owing to performance related issues cropped up and thus, changes were made to the storage scheme for content by the client. Outlook for Mac 2011 was introduced with the new data storage scheme where in order to avoid performance related issues; separate storage for each data type was planned.

  1. In Mac Outlook identities consists of a new directory, i.e. Data Records, which maintains the client’s profile content within a range of directories and files. A number of subdirectories exist within the Data Records folder one is assigned for each data type, i.e. Contacts, Message Source, & Categories.
  2. Files for the content reside within nK directory where n denotes a sequential number, whereas K denotes a thousand as per the default naming convention used by Microsoft for the folders (T – Trillion, B – Billion, M – Million, K – Thousand).
  3. Besides a name provided, each file is created with the extension – olk12 {content type} where the {content type} denotes a particular string which could be for – schedule, recent, MsgSource, or message.
  4. The most resourceful evidence while conducting Outlook Mac forensics, i.e. email content is located within a directory named – ‘Message Source’ which is also a part of the directories held by Data Records. These files are given – olk14MsgSource – extension. The files are a proprietary format that commonly consists of plain text ASCII, Unicode or message in both formats.

outlook mac forensics

OLK14MESSAGE vs. OLK14MSGSOURCE

OLK14MESSAGE is the email file generated under Outlook 2011 consisting of only the header portion of an email and not the body content. The file is used by the client to display a preview of emails while they are being browsed. The client automatically creates an email’s local copy of this message file when they are downloaded to the client.

OLK14MSGSOURCE is the data file of the client. This file is responsible for storing source data of the emails which is referenced in the respective OLK14MESSAGE file. The file is loaded by the client on backend for provided view of the email message body content.

The message content that is not included in the message file is stored within the MsgSource file. Thus, similar to the message file which is loaded on browsing emails, this file is loaded in the back end by the client when a particular email is focused on. OLM file repair tool is the best available tool that helps to get those corrupted file of Outlook recovered.

NOTE: Using a text editor one can take a look at the fragment of text stored within the message file.

Emergence of the Outlook for Mac Data File

Examining the complete message using Message and MsgSource file is a lot of work that has to be done. First associating the files and then analyzing the fragments of text in them. Alternatively, one can go for OLM files that are the proprietary complete data storage files of Outlook for Mac.

img2

However, the Outlook 2011 for Mac Data File is not created by default but has to be generated via manual export. Storage within the file can be customized as during the export users are given the option to choose the type of data they want to create this repository for: emails, contacts, calendar, etc.

img3

The trouble with OLM files is that they are environment dependent. Without Mac OS and Outlook 2011 for Mac installed on it, storage of an OLM file cannot be accessed. Also, not being a very old file type there is also a lack of tools that can bridge the gap by providing an independent platform to read OLM files.

Outlook Mac Recovery: Medium for Outlook Mac Forensics

Outlook Mac Recovery Tool Download

There are not many tools that can help read OLM files without the desired platform. Completely different type of storage format and type adopted by Outlook for Mac makes it difficult to look through them and achieve an effective analysis.

Outlook Mac Recovery Software works as an efficient tool that converts the message data from OLM file to a text based EML file. In comparison, an OLM file is less investigation-friendly than a text based file like; .eml which is an open source single message file that stores a single message in a file each.

outlook mac recovery

With the help of the application, one can convert the messages with same message structure, content, and attributes retained in an EML file each. The file(s), once created can further be read and analyzed using a Notepad as they are structured in a standard text based format or with a tool designed to read EML files.

One such examination tool for EML files is – EML Forensics application that provides a deeper look at the messages and their respective header’s structure for complete investigation of the conversations or communication carried out with the client as either the source or target.

outlook mac forensics

Conclusion

The stated information details the areas of Outlook Mac data storage for examination of potential evidence. Investigating data with the help of the usage suggested Outlook Mac Recovery tool (being a necessity), one can perform an efficient Outlook Mac Forensics to achieve and acquire ample amount of optimum evidence in the most strategic manner. Moreover with the help of OLM File Repair Tool you can easily recover corrupted Mac OLM files.