
Apple Mail Forensics — Email Artifacts

Published by Raj Kumar
Approved by Aswin Vijayan
Published on April 16th, 2022
Reading time: 3 minutes
Category: Email Forensics


Getting Started

Apple Mail is the popular email client bundled by default with Mac OS X 10.0 and later versions for Mac users. It supports POP3, IMAP, and Exchange 2007 accounts. Because Apple Mail is the built-in client for anyone running Mac OS (note that Apple Mail only supports version 10.0 or later), it is very often the mail client in use on a Mac machine involved in a case, whether that machine belongs to a suspect or to a victim. This is why Apple Mail forensic analysis is so frequently needed.

Mailboxes: Treasure of information

To analyze data or capture important information, we need to locate the particular folders where evidence of criminal activity usually resides. Do not confuse mailboxes with folders: Apple Mail uses the term mailbox for its folders. The mailboxes are Inbox, Draft, Sent, RSS, Trash, etc. These mailboxes can be very useful for carving and gathering evidence-relevant information, which may be enough to send the culprit behind bars.

Along with the folders, we must know where these mailboxes are located in order to acquire the data. If the email containing evidence is hidden but we know the location, we can easily extract the Apple Mail files and perform Apple Mail forensics.

Location of Apple Mail mailboxes:

Default location: /library/Mail/
Mailbox: Library/mail/[Mail Box]
RSS feeds: /Library/preferences/com.apple.mail.plist



Extract Evidence:

Investigators sometimes complain that they found files related to Apple Mail on the system but were not able to view them. Apple Mail stores its data in MBOX files with the .mbox file extension, which makes the data easy to view with an Apple Mail viewer. With such software, one can preview an Apple Mail file and read every message together with its attachments. It is a myth that Apple Mail files cannot be investigated without a Mac environment: they can be examined with an Apple Mail examiner that does not require any specific environment.

One approach is to copy the Apple Mail mailboxes found as evidence off the Mac machine using a USB flash drive. If you cannot perform Apple Mail forensics in a Mac environment, export these emails to another system and use an MBOX viewer to preview them. While performing Apple Mail forensics, we must be able to analyze certain attributes, such as the mailing addresses of the sender and receiver, the message header, the sender's IP address, the MD5 value of the message, the date and time the message was sent, and other relevant details. Other software lets you analyze all these characteristics and convert the files into a presentable format, which is useful for documenting the evidence; almost every investigator wants the evidence in one documented format or another, to facilitate the investigation and provide proof against the guilty.
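The two paragraphs above describe reading an exported .mbox file and pulling out the sender and receiver addresses, the header trail, the sender's IP address, the MD5 value of the message and the sending date. The following Python script is an added example written for this page, not code from the original post or from any viewer product; it assumes the mailbox was exported in standard mbox format (messages separated by "From " lines) and works on a small mailbox constructed inline with documentation addresses and IP ranges. It uses only the standard library, so it runs on any platform, which is the point the text makes about not needing a Mac. The Received: trail is walked from the sender's side to the final server; hashes are computed over the message bytes as carved from the file, and a SHA-256 is recorded alongside the MD5 because MD5 alone is no longer adequate for evidence integrity.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed two-message mbox standing in for an exported Apple Mail mailbox.
# Addresses and IPs are from documentation ranges; nothing here is real traffic.
SAMPLE_MBOX = b"""From alice@example.com Mon Apr 11 10:00:00 2022
Received: from mail.example.net (mail.example.net [203.0.113.5])
\tby mx.example.org with ESMTP id abc123
\tfor <bob@example.org>; Mon, 11 Apr 2022 10:00:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: Quarterly numbers
Date: Mon, 11 Apr 2022 10:00:00 +0000
Message-ID: <msg1@example.com>

Please find the figures attached.

From carol@example.com Tue Apr 12 09:30:00 2022
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.org with ESMTP id def456;
\tTue, 12 Apr 2022 09:30:02 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby relay.example.org with ESMTPSA id ghi789;
\tTue, 12 Apr 2022 09:30:01 +0000
From: carol@example.com
To: bob@example.org, dave@example.org
Subject: Re: Quarterly numbers
Date: Tue, 12 Apr 2022 09:30:00 +0000
Message-ID: <msg2@example.com>

Got it, thanks.
"""

# mbox separator: a line beginning "From " (with a space) at column 0.
_SEPARATOR = re.compile(rb"(?m)^From .*\n")
# Bracketed IPv4 literal as written by MTAs in Received: headers.
_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def split_mbox(data: bytes) -> list[bytes]:
    """Carve the raw bytes of each message out of an mbox blob."""
    return [chunk for chunk in _SEPARATOR.split(data) if chunk.strip()]


def received_hops(msg) -> list[str]:
    """IPs from the Received: trail, ordered from the sender's side to the final server.

    Servers prepend their Received: line, so the header list is newest-first and
    is reversed here. Only hops added by servers under your control are reliable;
    anything earlier in the trail could have been written by the sender.
    """
    hops = []
    for hdr in reversed(msg.get_all("Received") or []):
        match = _IPV4.search(str(hdr))
        if match:
            hops.append(match.group(1))
    return hops


def _addresses(msg, name: str) -> list[str]:
    """Bare addr-specs for every address in the named header(s)."""
    return [a.addr_spec for hdr in (msg.get_all(name) or []) for a in hdr.addresses]


def describe_message(raw: bytes) -> dict:
    """Pull out the attributes the text lists: parties, header trail, time, hashes."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = received_hops(msg)
    senders = _addresses(msg, "From")
    date_hdr = msg["Date"]
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "sender": senders[0] if senders else None,
        "recipients": _addresses(msg, "To"),
        "subject": str(msg.get("Subject", "")),
        "date": date_hdr.datetime.isoformat() if date_hdr else None,
        "origin_ip": hops[0] if hops else None,   # earliest hop we can see
        "hops": hops,
        "md5": hashlib.md5(raw).hexdigest(),       # the value the text asks for
        "sha256": hashlib.sha256(raw).hexdigest(), # stronger companion hash
    }


def analyze_mbox(data: bytes) -> list[dict]:
    """One record per message in the mbox, in file order."""
    return [describe_message(raw) for raw in split_mbox(data)]


if __name__ == "__main__":
    for rec in analyze_mbox(SAMPLE_MBOX):
        print(f"{rec['date']}  {rec['sender']} -> {', '.join(rec['recipients'])}")
        print(f"    origin {rec['origin_ip']}  trail {' -> '.join(rec['hops'])}")
        print(f"    md5 {rec['md5']}  sha256 {rec['sha256'][:16]}...")
```

Run it against a real export by replacing SAMPLE_MBOX with the file's bytes. The second constructed message shows why the trail matters: the topmost Received: line only names the internal relay, while the originating address appears in the line beneath it. Record both hashes at acquisition time and again before presenting the evidence so any alteration of the file is detectable.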