Apple Mail Forensics — Email Artifacts

Eva Mendis | September 21st, 2017 | Email Forensics


Getting Started

Apple Mail is a popular email client that ships as the default mail program on Mac OS X 10.0 and later versions for Mac users. It supports POP3, IMAP and Exchange 2007 accounts. Because Apple Mail is the built-in email client for those using Mac OS, it is important to note that it is only available on version 10.0 or later. Very often a Mac machine is used as a device for criminal activity, or the victim is using the Apple Mail client for mailing services, so there is a great need for Apple Mail forensic analysis.

Mailboxes: Treasure of information

To analyze data or capture the important information, we need to find the particular folders where evidence of the criminal activity is usually hidden. We must not confuse mailboxes with folders, as Apple Mail uses the term mailbox for its folders. The mailboxes are Inbox, Draft, Sent, RSS, Trash, etc. These mailboxes can be very useful for carving out evidence and gathering relevant information, enough to send the culprit behind bars.

Along with the folders, we must know the location of these mailboxes in order to acquire data. If the email containing evidence is hidden and we know the location, we can easily extract the Apple Mail files and perform Apple Mail forensics.

Location of Apple Mail Mailboxes:

Default location: /library/Mail/
Mailbox: Library/mail/[Mail Box]
RSS feeds: /Library/preferences/

Extract Evidence:

Investigators sometimes complain that they have found files related to Apple Mail on a system but are unable to view them. Apple Mail stores its data in MBOX files with the .mbox file extension, which makes it easy to view the data with an Apple Mail viewer. With such software, one can preview the Apple Mail file and read every message along with its attachments. It is a myth that Apple Mail files cannot be investigated outside the Mac environment: they can be examined with an Apple Mail examiner that does not require any specific environment.

One approach is to take the Apple Mail mailboxes found as evidence off the Mac machine using a USB flash drive. If you are not able to perform Apple Mail forensics in the Mac environment, export these emails to another system and use an MBOX viewer to preview them. While performing Apple Mail forensics, we must be able to analyze certain attributes such as the mailing addresses of the sender and receiver, the message header, the sender's IP address, the MD5 value of the message, and the date and time of sending, along with other relevant details. Other software lets you analyze all these characteristics and convert the files into a presentable format that can be used for documenting the case. Almost every investigator prefers to have the evidence in one documented format or another, to facilitate the investigation and provide proof against the guilty.
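The examination fields listed above (sender and receiver addresses, the originating IP taken from the Received headers, date and time of sending, and an MD5 value of each message) can be pulled straight out of an .mbox file. The script below is an added example, not the article's own code or any vendor's tool; it uses Python's standard mailbox module, assumes a standard mbox-format file, and runs on a constructed sample message rather than real evidence.

```python
import hashlib
import mailbox
import re
import tempfile
from email.utils import parseaddr, parsedate_to_datetime
from pathlib import Path
# Constructed sample (not real evidence): one message with two Received: hops.
SAMPLE_MBOX = b"""From sender@example.com Thu Sep 21 10:00:00 2017
Received: from mail.example.net (mail.example.net [203.0.113.45])
\tby mx.example.org with ESMTP; Thu, 21 Sep 2017 10:00:02 +0000
Received: from [192.0.2.17] (unknown [192.0.2.17])
\tby mail.example.net with ESMTPSA; Thu, 21 Sep 2017 10:00:00 +0000
From: Alice <sender@example.com>
To: Bob <recipient@example.org>
Date: Thu, 21 Sep 2017 10:00:00 +0000
Message-ID: <one@example.com>

Please find the report attached.
"""

def origin_ip(msg):
    # Each hop prepends a Received: header, so the last one is the first hop.
    for hop in reversed(msg.get_all("Received") or []):
        match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
        if match:
            return match.group(1)
    return None

def extract_artifacts(path):
    """Walk an mbox file and collect the fields an examiner records per message."""
    box = mailbox.mbox(path)
    records = []
    for key, msg in box.items():
        raw = box.get_bytes(key)  # stored bytes, so the hash is reproducible
        records.append({
            "message_id": msg["Message-ID"],
            "sender": parseaddr(msg.get("From", ""))[1],
            "recipient": parseaddr(msg.get("To", ""))[1],
            "date": parsedate_to_datetime(msg["Date"]).isoformat(),
            "origin_ip": origin_ip(msg),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    box.close()
    return records

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, "sample.mbox")
        path.write_bytes(SAMPLE_MBOX)
        return extract_artifacts(str(path))
```

The MD5 is computed over the bytes as stored in the mailbox rather than a re-serialised copy, so a second examiner running the same script over the same file obtains the same value.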