How to extract the emails from the Windows 10 "Mail" app


  • How to extract the emails from the Windows 10 "Mail" app

    Hi,
    I'm a new OS Forensics user. I am testing the functionality of the software but I cannot extract the emails from the Windows 10 "Mail" app.
    Does anyone know how to do it?

    Thank you

  • #2
    I think you can open up the Window 10 Mail data files (.dat) in the Unistore folder.

    I just need to check the details.

    If you had an example file, that might also help.


    • #3
      Logs for the Mail app are written to the directory: \Users\<username>\AppData\Local\Comms\Unistore\data

      There are a bunch of numbered folders, each storing different things for the Mail app:
      0; Windows phone data
      2; contact lists within the account
      3; the contents/body of the email
      5; calendar invitations
      7; email attachments
      33; contents of invitations


      Also, in \Users\<username>\AppData\Local\Comms\UnistoreDB, there is a database file called store.vol, which stores email content. You can view this file using the ESEDB viewer, the tables of interest for us within this database include Message, Contact, Appointment, Attachment, and Recipient:
      [Screenshot: Screenshot 2021-08-12 141247.png]

      More info here: https://darkdefender.medium.com/wind...s-39025f5418d2


      • #4
        The folder contains only the subfolder "5"; however, when I open the Mail app from the virtual machine, the e-mails are there.
        There must be another repository somewhere ...


        • #5
          Were you able to find the store.vol database file?


          • #6
            Originally posted by David (PassMark):
            I think you can open up the Window 10 Mail data files (.dat) in the Unistore folder.

            I just need to check the details.

            If you had an example file, that might also help.
            There is no dat file. If I index emails, the emails from the Mail app aren't extracted.


            • #7
              Originally posted by David (PassMark):
              Were you able to find the store.vol database file?
              Yes, the file is exactly where it needs to be. I open it with the ESEDB viewer, but the message table is empty, while if I open the virtual machine the messages are there.


              • #8
                OK, we'll set up a test system and poke around a bit. Maybe Microsoft have changed the folder location and database structure (as if it wasn't already a big enough mess).


                • #9
                  There is another file we found called: HxStore.hxd
                  Located: C:\Users\<user>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState

                  The file contains emails saved by the Mail app, though it looks a bit corrupted/encoded/compressed when we try to read with File Viewer.

                  More info: https://boncaldoforensics.wordpress....mail-research/

                  So there must have been a fairly recent change to start using this file. Considering this is a Microsoft app, it is super badly documented. We don't know what the format is, and it seems no one does.

                  Really sucks for users if they want to back up or restore their email and are using POP3.


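A triage script for the artifacts named in posts #3, #4 and #9, added here as an example that is not part of the thread or of OSForensics: it inventories the numbered Unistore folders, store.vol and HxStore.hxd under a profile directory and reads the ESE header of store.vol to report its shutdown state, since an ESE database left in "dirty shutdown" state can show empty or incomplete tables in a viewer until its transaction logs are replayed. The folder meanings come from post #3; the sample profile the script builds is constructed data, and the ESE header offsets are standard ESE format facts, not something from this thread.

```python
import struct
import tempfile
from pathlib import Path

# Artifact locations quoted in this thread (relative to a user profile) and post #3's meaning of the numbered folders.
UNISTORE_DATA = Path("AppData/Local/Comms/Unistore/data")
STORE_VOL = Path("AppData/Local/Comms/UnistoreDB/store.vol")
HXSTORE = Path("AppData/Local/Packages/microsoft.windowscommunicationsapps_8wekyb3d8bbwe/LocalState/HxStore.hxd")
UNISTORE_FOLDERS = {"0": "Windows phone data", "2": "contact lists", "3": "email bodies",
                    "5": "calendar invitations", "7": "email attachments", "33": "contents of invitations"}
ESE_SIGNATURE = b"\xef\xcd\xab\x89"  # magic at offset 4 of every ESE (.edb / store.vol) file header
ESE_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown", 4: "being converted", 5: "force detach"}

def ese_header_info(path):
    # Read the fixed ESE header: signature at 0x04, database state (uint32 LE) at 0x34.
    with open(path, "rb") as f:
        hdr = f.read(0x100)
    if len(hdr) < 0x100 or hdr[4:8] != ESE_SIGNATURE:
        return None
    state = struct.unpack_from("<I", hdr, 0x34)[0]
    # Dirty shutdown: committed rows may still sit only in the .log files, so a viewer reading store.vol alone can show empty tables.
    return {"state": ESE_STATES.get(state, f"unknown ({state})")}

def triage_profile(profile):
    # Inventory the Mail app artifacts under one user profile directory.
    profile = Path(profile)
    report = {"unistore_folders": {}, "store_vol": None, "hxstore": None}
    data_dir = profile / UNISTORE_DATA
    if data_dir.is_dir():
        for sub in sorted(p for p in data_dir.iterdir() if p.is_dir()):
            n_files = sum(1 for f in sub.rglob("*") if f.is_file())
            report["unistore_folders"][sub.name] = (UNISTORE_FOLDERS.get(sub.name, "undocumented"), n_files)
    sv = profile / STORE_VOL
    if sv.is_file():
        report["store_vol"] = {"size": sv.stat().st_size, **(ese_header_info(sv) or {"state": "no ESE header"})}
    hx = profile / HXSTORE
    if hx.is_file():
        report["hxstore"] = {"size": hx.stat().st_size}
    return report

def make_sample_profile():
    # Constructed test data: only subfolder "5" (as in post #4), a store.vol with a synthetic dirty-shutdown ESE header, a stub HxStore.hxd.
    root = Path(tempfile.mkdtemp())
    hdr = b"\0" * 4 + ESE_SIGNATURE + b"\0" * (0x34 - 8) + struct.pack("<I", 2) + b"\0" * (0x100 - 0x38)
    samples = {UNISTORE_DATA / "5" / "invite.dat": b"x" * 10, STORE_VOL: hdr, HXSTORE: b"\0" * 64}
    for rel, data in samples.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

On a real image, point triage_profile at the extracted \Users\<username> directory; a store.vol reported as "dirty shutdown" should be examined together with the log files in the same UnistoreDB folder before concluding that the Message table is empty.
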
                  • #10

                    No progress at the moment. I can't extract the emails! I would like to find this feature in the future...


                    • #11
                      Was the email account set up with POP or IMAP?
                      If it was IMAP, then all the emails should be sitting on a server somewhere and you won't need to look at cached local fragments.
