Blog

Windows Live Mail Forensics

Olivia Dehaviland | Last Modified: March 18th, 2020 | Updates

Microsoft Windows Live mail is a widely used desktop-based emailing platform that is compatible with Windows 7, Windows Server 2008 R2 and latest versions of Microsoft Windows. Its ever-increasing usage and popularity also make it vulnerable to cyber crooks to perform their illicit activities to commit offenses. In addition to this, techies are also facing challenges on an investigation of email artifacts because the tactics used by criminals like phishing, cyberbullying, etc., also vary from simple secrecy to imitation.

Windows Live Mail stores all incoming and outgoing emails of the user in EML files that follow MIME RFC 822 format. During Windows Live Mail Forensics, the very first step to analyze and restore the EML file is to open it in the text editor. The first part of the file illustrates the header information of email messages such as: To, From, Subject, Received and many more. Investigators can also examine the same email messages with HTML tags in the second segment. Text artifacts of the suspect’s email can easily be read in text editor but to read attachments investigators need to decode it.

Location of Windows Live Mail

C:\Users\<user_name>\AppData\Local\Microsoft\Windows Live Mail\

Windows Live Mailbox Forensics to Extract Evidence

Contact Database File

During investigation, experts can extract and restore the contact artifacts from Default (Offline) and Live ID (Online) modes of Windows Live Mail. Each mode has its own contacts that stores in “contacts.db” file with different location. WLM operate on one mode at a time.  Contact database file cannot be viewed by a normal user because it is stored in hidden subfolder called DB store. To perform the forensic analysis on contacts.db file, investigators need to check the “Show hidden files/folders option. This file is located in the following folder:

C:\Users\Username\AppData\Local\Microsoft\Windows Live\Contacts\Default\15.5\DBStore\contacts.edb

Windows Live Email Analysis

.oeaccount File

Each email account settings such as mail server, connections, password and a lot of other vital information are store in .oeaccount file with XML format. These files are located in subdirectories of the store root (%UserProfile%\Local\Settings\Application Data\Microsoft\Windows Mail). Each data file has a unique name (like account{AE6D02C3-EB5F-46F3-BAF7-A64A82B49DCE}.oeaccount) that is always located in Local Folder of the store root.  From this file, investigators can carve out the crucial information like data type, name, copy of mail is to remain on the email server and for how many days.

WindowsMail.MSMessageStore File

All email messages are stored in “WindowsMail.MSMessageStore” file located in %userprofile%\AppData\Local\Microsoft\Windows Mail directory. To perform the Windows Live Mail forensics analysis, simply copying the WindowsMail.MSMessageStore from the virtual environment and execute the ESENTUTL.exe commands from an administrative command prompt.

Conduct Windows Live Email Analysis via Tool

During the Windows Live mailbox forensics investigation, due to many limitations, experts prefer the migration of EML files into other email client applications. The conversion and examination of the EML file can be performed by manual process, but for a large Windows Live mail account, experts need an external forensic tool. In other words, investigation via forensic tool diminishes extra efforts and also saves the time of techies. Using, Windows Live Mail to PST converter user can convert the EML file with attachments into PST file format consuming least possible time.

First, Download Software from here:

 Free Download

After downloading and installing the this utility, the home screen will appear like this:

forensics

The tool offers a detailed examination of EML file via a bunch of view modes such as Normal Mail View and View Attachments. The multiple view option enables the experts to perform an in-depth analysis of the offender’s mailbox. The best part of the tool is it compatible with all email clients that create EML files.

You can buy the full version of this tool directly:

buy

best

Carrying out the Windows Live Mail forensics is not a piece of cake. But, our aim is to provide an organized methodology to perform a complete investigation of the EML file. In addition to the above-mentioned proficiencies, the software also loads with other tremendous features like; split PST file by size, create PST in Unicode format, installation of Outlook is not mandatory, etc., to perform Windows Live email analysis and carve evidence from suspects’ emails from every angle.

Get complete guide to migrate emails from Windows Live Mail to Outlook.