Windows Live Mail Forensics

Olivia Dehaviland | October 10th, 2017 | Updates

Microsoft Windows Live Mail is a widely used desktop email client compatible with Windows 7, Windows Server 2008 R2 and later versions of Microsoft Windows. Its popularity also makes it a common vehicle for criminal activity, and examiners face real challenges when analysing its email artifacts: the tactics used by offenders, from phishing to cyber bullying, range from simple concealment to outright impersonation.

Windows Live Mail stores each incoming and outgoing message as an individual EML file, a plain-text Internet message in the RFC 822 (now RFC 5322) format with MIME extensions. The first step in analysing an EML file is therefore to open it in a text editor. The top of the file is the header block (To, From, Subject, Date, Message-ID, the Received chain and so on); the body follows after a blank line, and HTML-formatted mail carries the message text a second time as a text/html part alongside the text/plain one. Plain-text parts can be read directly in the editor, but attachments are carried as base64 (occasionally quoted-printable) encoded MIME parts and have to be decoded before they can be examined or hashed.
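The following script, added here as an example and not code from the original article, does the triage described above with Python's standard email library: it parses the header block, walks the Received chain, pulls out the readable text body and decodes and hashes every attachment. The message embedded in it is constructed for the example, not a real capture.

```python
"""Triage a Windows Live Mail .eml file: header block, Received chain, text body,
and decoded attachments with SHA-256 hashes.  Added example, not code from the
original article; the message below is constructed, not a real capture."""
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed sample: a multipart/mixed message with a text/plain + text/html
# alternative and one base64 attachment, laid out as Windows Live Mail stores it.
# (Real files use CRLF line endings; the parser accepts either.)
SAMPLE_EML = b"""From: "Alice Example" <alice@example.com>
To: bob@example.com
Subject: Invoice attached
Date: Tue, 10 Oct 2017 09:15:00 +0000
Message-ID: <20171010091500.1234@example.com>
Received: from mail.example.com (mail.example.com [192.0.2.10])
 by mx.example.net with ESMTP; Tue, 10 Oct 2017 09:15:02 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Please see the attached invoice.
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Please see the attached <b>invoice</b>.</p></body></html>
--inner--
--outer
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8K
--outer--
"""


def parse_eml(raw: bytes) -> EmailMessage:
    """Parse raw .eml bytes with the modern (RFC 5322-aware) policy."""
    return email.message_from_bytes(raw, policy=policy.default)


def header_summary(msg: EmailMessage) -> dict:
    """The fields an examiner looks at first; missing headers come back as None."""
    fields = ("From", "To", "Subject", "Date", "Message-ID")
    return {name: (str(msg[name]) if msg[name] is not None else None) for name in fields}


def received_chain(msg: EmailMessage) -> list:
    """Received headers in file order: the top one is the last hop, the bottom
    one the first.  Folding whitespace is collapsed so each hop is one line."""
    return [" ".join(str(h).split()) for h in msg.get_all("Received", [])]


def body_text(msg: EmailMessage):
    """Prefer the text/plain part; fall back to the HTML alternative."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else None


def extract_attachments(msg: EmailMessage) -> list:
    """Decode every attachment (base64 / quoted-printable are handled by the
    library) and hash it, so it can be matched against known-bad lists or
    carved to disk without trusting the declared file name."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "transfer_encoding": str(part.get("Content-Transfer-Encoding")),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "data": data,
        })
    return found


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    msg = parse_eml(raw)
    for name, value in header_summary(msg).items():
        print(f"{name}: {value}")
    for hop in received_chain(msg):
        print("Received:", hop)
    print("Body:", body_text(msg))
    for att in extract_attachments(msg):
        print(f"Attachment {att['filename']} ({att['content_type']}, "
              f"{att['size']} bytes, {att['transfer_encoding']}) sha256={att['sha256']}")
```

Run it against a real file with `python triage_eml.py message.eml`; the hash is computed over the decoded bytes, which is what an attachment on disk would hash to, not over the base64 text in the file.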

Location of Windows Live Mail

C:\Users\<user_name>\AppData\Local\Microsoft\Windows Live Mail\

Windows Live Mailbox Forensics to Extract Evidence

Contact Database File

During an investigation, examiners can extract and restore contact artifacts from both the Default (offline) and the Live ID (online) modes of Windows Live Mail. Each mode keeps its own contacts in a separate contacts.edb database (an Extensible Storage Engine database, not a flat .db file) at a different location; WLM operates in one mode at a time. The database is not visible to a normal user because it sits in the hidden DBStore subfolder, so the "Show hidden files, folders and drives" option must be enabled (or the path typed directly) before the file can be collected. For the Default mode the file is located at:

C:\Users\Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.5\DBStore\contacts.edb

Windows Live Email Analysis

.oeaccount File

The settings of each email account (mail server names, connection settings, user name, the password as an encrypted binary blob rather than clear text, and a good deal of other information) are stored in an .oeaccount file in XML format. In Windows Mail on Vista these files live under the store root at %UserProfile%\Local Settings\Application Data\Microsoft\Windows Mail; in Windows Live Mail they sit in the per-account subfolders of the Windows Live Mail store root given above. Each file has a unique name of the form account{AE6D02C3-EB5F-46F3-BAF7-A64A82B49DCE}.oeaccount. From this file examiners can recover, among other things, the account name, the server and user name, each setting's data type, and whether a copy of the mail is left on the server and for how many days.
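As an added example (not code from the article), the script below reads an .oeaccount file, decodes each setting according to its type attribute, answers the leave-on-server question and flags password blobs that carry the DPAPI header, which tells the examiner the value can only be decrypted with that user's DPAPI master key. The XML document in it is constructed; the element names (Account_Name, POP3_Server, Leave_Mail_On_Server, Remove_When_Expired, Expire_Days, POP3_Password2) and the hex encoding of DWORD values are assumptions modelled on the real files, so check them against an actual .oeaccount before relying on them.

```python
"""Parse a Windows Live Mail / Windows Mail .oeaccount settings file.
Added example, not code from the original article.  The sample document is
constructed, and the element names and hex DWORD encoding are assumptions
modelled on real files; only the 'type' attribute scheme is relied on."""
import xml.etree.ElementTree as ET

# Every DPAPI blob produced by CryptProtectData starts with version 1 followed
# by the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

# Constructed sample (assumed element names; the BINARY value is only the
# DPAPI header, not a real encrypted password).
SAMPLE_OEACCOUNT = """<?xml version="1.0" encoding="utf-8"?>
<MessageAccount>
  <Account_Name type="SZ">Example POP3</Account_Name>
  <Connection_Type type="DWORD">00000003</Connection_Type>
  <POP3_Server type="SZ">pop.example.com</POP3_Server>
  <POP3_User_Name type="SZ">alice@example.com</POP3_User_Name>
  <POP3_Password2 type="BINARY">01000000d08c9ddf0115d1118c7a00c04fc297eb</POP3_Password2>
  <Leave_Mail_On_Server type="DWORD">00000001</Leave_Mail_On_Server>
  <Remove_When_Expired type="DWORD">00000001</Remove_When_Expired>
  <Expire_Days type="DWORD">0000000e</Expire_Days>
</MessageAccount>
"""


def decode_value(elem):
    """Decode one setting by its type attribute: DWORD values are stored as
    8 hex digits, BINARY as a hex string, SZ as plain text (assumed scheme)."""
    kind = elem.get("type", "SZ")
    text = (elem.text or "").strip()
    if kind == "DWORD":
        return int(text, 16)
    if kind == "BINARY":
        return bytes.fromhex(text)
    return text


def parse_oeaccount(xml_text) -> dict:
    """Return {element_name: (type, decoded_value)} for every top-level setting."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    return {child.tag: (child.get("type", "SZ"), decode_value(child)) for child in root}


def retention_policy(settings: dict) -> dict:
    """Is a copy left on the server, and if so for how many days?  (Assumed
    meaning of Leave_Mail_On_Server / Remove_When_Expired / Expire_Days.)"""
    def flag(name):
        return bool(settings.get(name, ("DWORD", 0))[1])
    if not flag("Leave_Mail_On_Server"):
        return {"leave_on_server": False, "expire_days": None}
    days = settings["Expire_Days"][1] if flag("Remove_When_Expired") and "Expire_Days" in settings else None
    return {"leave_on_server": True, "expire_days": days}


def protected_blobs(settings: dict) -> dict:
    """For each BINARY password-like setting, report whether it is a DPAPI blob
    (decryptable only with the owning user's DPAPI master key, e.g. via
    CryptUnprotectData in that user's context)."""
    return {name: value.startswith(DPAPI_BLOB_PREFIX)
            for name, (kind, value) in settings.items()
            if kind == "BINARY" and "password" in name.lower()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_OEACCOUNT
    settings = parse_oeaccount(text)
    for name, (kind, value) in settings.items():
        print(f"{name} [{kind}] = {value!r}")
    print("retention:", retention_policy(settings))
    print("DPAPI-protected:", protected_blobs(settings))
```

The Leave_Mail_On_Server / Expire_Days pair matters for scope: if mail is left on the server for N days, the provider may hold copies that are no longer in the local store, and vice versa.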

WindowsMail.MSMessageStore File

WindowsMail.MSMessageStore is the Extensible Storage Engine (ESE) database that indexes the mailbox: folder structure, message metadata and the mapping to the individual .eml files. In Windows Mail it is located in the %userprofile%\AppData\Local\Microsoft\Windows Mail directory; Windows Live Mail keeps the equivalent database as Mail.MSMessageStore in its own store root. The message bodies themselves remain in the .eml files, so the database is examined for structure and metadata rather than content. To analyse it, copy the .MSMessageStore file (together with any edb*.log files in the same directory) out of the image or virtual machine into a working directory and run esentutl.exe on the copy from an administrative command prompt: esentutl /mh dumps the header, including whether the database was left in a dirty-shutdown state when it was captured, esentutl /r replays the transaction logs, and esentutl /p repairs a database for which no logs are available. Always work on a copy, because /r and /p modify the file.
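Before running esentutl it is worth knowing what state the copied database is in, since a file copied from a running system will almost always show a dirty shutdown. The script below, added here as an example and not code from the article, reads the ESE file header directly and produces the esentutl command list to use. The header layout it relies on (32-bit little-endian signature 0x89ABCDEF at offset 4, format version at 8, file type at 12, database state at 52) follows the ESE on-disk format as documented by the libesedb project; the sample header is constructed, and the log base name "edb" used for the /r step is an assumption to check against the files actually present in the store root.

```python
"""Read the ESE database header of a copied *.MSMessageStore (or contacts.edb)
and decide which esentutl steps are needed.  Added example, not code from the
original article; header offsets follow the libesedb format documentation."""
import struct

ESE_SIGNATURE = 0x89ABCDEF          # stored little-endian at offset 4
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}
FILE_TYPES = {0: "database", 1: "streaming file"}
HEADER_MIN = 56                     # state field ends at offset 56


def ese_header_info(data: bytes) -> dict:
    """Parse the fixed part of the ESE file header; raises ValueError if the
    bytes are not an ESE database (wrong signature or too short)."""
    if len(data) < HEADER_MIN:
        raise ValueError("too short to be an ESE header")
    checksum, signature, fmt_version, file_type = struct.unpack_from("<IIII", data, 0)
    if signature != ESE_SIGNATURE:
        raise ValueError(f"bad signature 0x{signature:08x}: not an ESE database")
    state = struct.unpack_from("<I", data, 52)[0]
    return {
        "checksum": checksum,
        "format_version": fmt_version,
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "state": state,
        "state_name": DB_STATES.get(state, f"unknown ({state})"),
        # Only a clean shutdown can be opened as-is; anything else needs
        # log replay or repair before an ESE parser will read it reliably.
        "needs_recovery": state != 3,
    }


def ese_header_from_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return ese_header_info(fh.read(4096))   # the header sits in the first page


def esentutl_plan(info: dict, db_path: str, has_logs: bool, log_base: str = "edb") -> list:
    """esentutl commands to run on the COPY, in order.  /r replays edb*.log
    (log base name assumed to be 'edb'); /p is the lossy fallback when the
    logs were not collected."""
    plan = [f'esentutl /mh "{db_path}"']
    if not info["needs_recovery"]:
        return plan
    if has_logs:
        plan.append(f'esentutl /r {log_base} /l "<logdir>" /d "<dbdir>"')
    else:
        plan.append(f'esentutl /p "{db_path}"')
    return plan


def build_sample_header(state: int, file_type: int = 0) -> bytes:
    """Constructed 4 KiB header for offline testing (not a real database);
    0x620 is the format version commonly seen in Windows ESE files."""
    hdr = bytearray(4096)
    struct.pack_into("<IIII", hdr, 0, 0, ESE_SIGNATURE, 0x620, file_type)
    struct.pack_into("<I", hdr, 52, state)
    return bytes(hdr)


if __name__ == "__main__":
    import sys
    info = ese_header_from_file(sys.argv[1]) if len(sys.argv) > 1 else ese_header_info(build_sample_header(2))
    print(info)
    for cmd in esentutl_plan(info, sys.argv[1] if len(sys.argv) > 1 else "Mail.MSMessageStore", has_logs=False):
        print(cmd)
```

Prefer the /r path whenever the edb*.log files were collected with the database: log replay brings the file to the state the application last committed, whereas /p discards whatever it cannot reconcile and should be the last resort.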

Conduct Windows Live Email Analysis via Tool

During a Windows Live mailbox investigation, the many limitations of manual analysis lead examiners to migrate the EML files into another email client. Conversion and examination of EML files can be done by hand, but for a large Windows Live Mail account an external forensic tool is needed; investigating with a dedicated tool cuts the extra effort and saves the examiner's time. Using an EML to PST converter, the EML files and their attachments can be converted into PST format in the least possible time.

The tool offers a detailed examination of EML files through several view modes such as Hex View, Properties View, MIME View, RTF View and more. The multiple views let examiners perform in-depth analysis of the offender's mailbox, and the tool is compatible with every email client that creates EML files.

Carrying out Windows Live Mail forensics is no easy task, but our aim here has been to provide an organised methodology for a complete investigation of EML files. Besides the capabilities mentioned above, the software also offers features such as splitting the PST file by size, creating the PST in Unicode format and working without an Outlook installation, so that Windows Live email analysis can be performed and evidence carved from suspects' emails from every angle.