Outlook.com Email Forensics — How To

Olivia Dehaviland | September 21st, 2017 | Updates

Microsoft Outlook.com, formerly known as Hotmail, is a web-based email client application. Outlook.com email artifacts such as username, subject, and body are of great use during a digital investigation involving Outlook.com email data, which is why email recovery and analysis of those artifacts is required. Email analysis and investigation is a vast arena. Even when a file is deleted using standard methods, the file content is not yet permanently lost. Even when data is permanently deleted from the client interface, a copy of the data remains in its original location, a folder or directory. Similarly, in the case of Outlook.com, hard-deleted data leaves behind white space which, if not overwritten with new data, can be used to restore the erased copy. Meanwhile, Outlook.com stores all its data on the Microsoft server, which further eases the restoration of lost data.

Outlook.com Email Forensic Analysis

The tasks and procedures involved in detecting clues are complex as well as lengthy. There are a number of ways to recover deleted emails. You can create a local copy of your Outlook.com account data using a commercial backup or conversion tool. The benefit of using an external application is that you can customize your data download, either by filtering a particular amount of data for analysis or by creating a backup in a file format highly preferred in forensic analysis.

Among many other forensic email analysis tools, Outlook.com Backup helps investigators with advanced investigation and analysis techniques for email artifact analysis of Outlook.com emails. The tool can back up data into multiple file formats such as PST, MSG, MBOX and EML, offering the opportunity to study email in the most forensically preferred file format, i.e., MSG.

Forensic Email Recovery from Outlook.com

Although each situation is unique, over 100 trillion emails are sent a year, making email a crucial evidentiary component in nearly every case litigated today. Large organizations like banks or brokerage firms have retention policies in place, or even email archiving for regulatory purposes, that store email evidence for years in a searchable and retrievable format. The purpose of an email investigative tool is to provide an examination of such repositories, regardless of their type or format, and to serve the basic and advanced requirements of each email investigation stage, which include:

Evidence Email Scanning:

  • Both web-based and desktop-based email services can be scanned for investigation purposes. You can scan email data in two modes: Single File Mode and Bulk File Mode. After the scanning process completes, you can view the file name, size, type, email count, etc.

Analysis of Emails and Attachments:

  • You can view the suspect’s file in multiple view options such as Normal View, Hex View, MIME View, Message Header View and Attachments.
  • During analysis of emails in Normal View, you can preview the sender’s and receiver’s message header and body.
  • In Hex View you can analyze the suspect email in binary format. If any part of the evidence has been destroyed, you can analyze the data by mapping characters from the hex code.
  • In an email, the header is the part of a message that describes the originator address, IP, date, time, etc. It is the primary source for investigating suspect email data, and it also helps in attempts to understand any other forged email.
  • MIME (Multipurpose Internet Mail Extensions) is an extension of the original internet email protocol. MIME View shows an SMTP mail’s inner details, such as the sender’s header information, IP, time, date, etc.
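
The header fields described above can also be read straight from an exported EML file. The following is an added example, not part of the original article or of any tool it names: it walks the Received chain of a constructed sample message, extracts each hop's host, IP and timestamp, and flags a Date header that disagrees with the first relay stamp. The sample message, the function names and the 300-second skew threshold are assumptions.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not real evidence); IPs are documentation ranges.
SAMPLE_EML = """\
Received: from mx.recipient.example (203.0.113.20) by mbx.recipient.example
 with ESMTP; Thu, 21 Sep 2017 10:15:09 +0000
Received: from mail.sender.example ([198.51.100.7]) by mx.recipient.example
 with ESMTP; Thu, 21 Sep 2017 10:15:04 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Quarterly figures
Date: Thu, 21 Sep 2017 09:02:00 +0000
Message-ID: <constructed-1@sender.example>

Body text.
"""

IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")

def received_hops(raw):
    """Return relay hops oldest-first (Received lines are prepended in transit)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())          # unfold continuation lines
        info, sep, stamp = flat.rpartition(";")  # timestamp follows the last ';'
        if not sep: continue                     # no ';' means no timestamp; skip malformed line
        host = re.search(r"from\s+(\S+)", info)
        ip = IP_RE.search(info)
        hops.append({
            "from": host.group(1) if host else None,
            "ip": ip.group(1) if ip else None,
            "time": parsedate_to_datetime(stamp.strip()),
        })
    return hops

def header_findings(raw, max_skew_s=300):
    """List timing inconsistencies worth a closer look (threshold is an assumption)."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    findings = []
    sent = parsedate_to_datetime(msg["Date"])   # sender-controlled value
    if hops and abs((hops[0]["time"] - sent).total_seconds()) > max_skew_s:
        findings.append("Date header differs from first Received stamp")
    for earlier, later in zip(hops, hops[1:]):
        if later["time"] < earlier["time"]:
            findings.append("Received timestamps out of order")
    return findings
```

A finding here is a lead rather than proof of forgery: delayed delivery and clock drift produce the same skew, so it needs corroboration from server-side logs.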

Track Investigation:

  • Crucial email evidence can be bookmarked. This feature maintains the individual privacy of the investigator by limiting access to the evidence.

Report Generation:

  • On completion of email data recovery and analysis, evidence can be exported into multiple file formats according to the type of data.

There are multiple tools available for analysis of email data. One tool that fits Outlook.com email forensics best and covers most of the common file formats for email examination is MailXaminer. To meet the need for case documentation, the software provides a complete dashboard for managing cases and email investigations, where complete information about the scanned file(s) is provided; the tool addresses the other requirements in a similar manner.