
Outlook.com Email Forensics — How To Analyze Emails

Olivia Dehaviland | Modified: April 16, 2022

Microsoft Outlook.com, formerly known as Hotmail, is a web-based email client application. Outlook.com email artefacts such as the username, subject, and body are of great use during a digital investigation involving Outlook.com email data, which makes recovery and analysis of those artefacts necessary. Email analysis and investigation is a vast arena. Even when a file is deleted using standard methods, its content is not yet permanently lost. Even in the case of permanent deletion of data from the client interface, a copy of the data remains in its original location, a folder or directory. Similarly, in the case of Outlook.com, hard-deleted data leaves behind white space which, if not replaced with new data, can be used to restore the erased copy. Meanwhile, Outlook.com stores all its data on the Microsoft server, which further eases the process of restoring lost data.

Outlook.com Email Forensic Analysis

The tasks and procedures involved in detecting clues are complex as well as lengthy. There are a number of ways to recover deleted emails. You can create a local copy of your Outlook.com account data using commercial backup or conversion tools. The benefit of using an external application is that you can customize your data download, either by filtering a particular amount of data for analysis or by creating a backup in a file format highly preferred in forensic analysis.

Among many other forensic email analysis tools, Outlook.com Backup helps investigators with advanced investigation and analysis techniques for examining Outlook.com email artefacts. The tool can back up data into multiple file formats such as PST, MSG, MBOX and EML, thus offering the opportunity to study email in the most forensically preferred file format, i.e., MSG.


Forensic Email Recovery from Outlook.com

Although each situation is unique, over 100 trillion emails are sent a year, making email a crucial evidentiary component in nearly every case litigated today. Large organizations like banks or brokerage firms have retention policies in place, or even email archiving for regulatory purposes, that store email evidence for years in a searchable and retrievable format. The purpose of an email investigative tool is to provide an examination of such repositories, regardless of their type or format, and to serve the complete basic and advanced requirements of each email investigation stage, which include:

Evidence Email Scanning:

  • Both web-based and desktop-based email services can be scanned for investigation purposes. You can scan email data in two modes: Single File Mode and Bulk File Mode. After the scanning process completes, you can view the file name, size, type, email count, etc.

Analysis of Emails and Attachments:

  • You can view the suspect’s file in multiple view options like Normal view, Hex View, MIME View, Message Header View and attachments.
  • During the analysis of emails in Normal view, you can preview the sender’s and receiver’s message header and body.
  • Under Hex View you can analyze the suspect email in binary format. If any part of the evidence has been destroyed, you can analyze the data by mapping characters from the hex code.
  • In an email, the header is the part of the message that describes the originator’s address, IP, date, time, etc. It is the primary source that helps in the investigation of suspect email data, and it also helps in attempts to understand any forged email.
  • MIME (Multipurpose Internet Mail Extensions) is an extension of the original Internet email protocol. MIME View shows an SMTP message’s inner details, such as the sender’s header information, IP, time, date, etc.
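
The header fields described above (originator address, IP, date and time) can also be pulled from an exported EML file with a short script. The following is an added example, not part of the original article or of any tool it mentions; the sample message, its addresses, the function names `received_hops` and `analyze`, and the one-hour skew threshold are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (documentation-range IPs, example domains).
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.example.org (mx.example.org [198.51.100.7])
\tby inbound.example.com with ESMTPS id A1; Tue, 12 Apr 2022 10:15:09 +0000
Received: from host.example.net (unknown [203.0.113.45])
\tby mx.example.org with ESMTP id B2; Tue, 12 Apr 2022 10:15:02 +0000
From: "Accounts" <billing@example.com>
To: user@example.com
Subject: Invoice
Date: Tue, 12 Apr 2022 03:10:00 +0000
Message-ID: <1@host.example.net>

Body text.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_hops(msg):
    """Return hops oldest-first as (ip or None, datetime) tuples."""
    hops = []
    # Each relay prepends its Received line, so the last one is the oldest.
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())      # unfold continuation lines
        ip = IP_RE.search(text)
        stamp = text.rsplit(";", 1)[-1].strip()
        hops.append((ip.group(1) if ip else None, parsedate_to_datetime(stamp)))
    return hops

def analyze(eml_text, max_skew_seconds=3600):
    msg = message_from_string(eml_text, policy=policy.default)
    hops = received_hops(msg)
    from_dom = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    rp_dom = parseaddr(str(msg["Return-Path"] or ""))[1].rpartition("@")[2].lower()
    sent = parsedate_to_datetime(str(msg["Date"]))
    findings = []  # each finding is a lead to examine, not proof of forgery
    if rp_dom and rp_dom != from_dom:
        findings.append("from/return-path domain mismatch")
    if hops and abs((hops[0][1] - sent).total_seconds()) > max_skew_seconds:
        findings.append("date header disagrees with first hop")
    return {"origin_ip": hops[0][0] if hops else None, "hops": hops, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE_EML))
```

Headers below the first trusted relay can be written by the sender, so the origin IP and both findings should be corroborated against server-side logs before they are relied on as evidence.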

Track Investigation:

  • You can bookmark crucial email evidence. This feature maintains the individual privacy of the investigator by restricting access to the evidence.

Report Generation:

  • On completion of email data recovery and analysis, evidence can be exported into multiple file formats according to the type of data.


There are multiple tools available for the analysis of email data. One tool that fits best for Outlook.com email forensics and covers most of the common file formats for email examination is MailXaminer. To fulfil the need for case documentation, the software provides a complete dashboard for managing cases and email investigations, where it presents the complete information about the scanned file(s), and it similarly fulfils the other requirements of such a tool.