How to extract the emails from the Windows 10 "Mail" app

  • David (PassMark)
    replied
    Was the EMail account set up with POP or IMAP?
    If it was IMAP then all the EMails should be sitting on a server somewhere and you won't need to look at cached local fragments.


  • morpheus.bn
    replied

    No progress at the moment. I can't extract the emails! I would like to find this feature in the future...


  • Simon (PassMark)
    replied
    There is another file we found called: HxStore.hxd
    Located: C:\Users\<user>\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState

    The file contains emails saved by the Mail app, though it looks a bit corrupted/encoded/compressed when we try to read with File Viewer.

    More info: https://boncaldoforensics.wordpress....mail-research/

    So there must have been a fairly recent change to start using this file. Considering this is a Microsoft App, it is super badly documented. We don't know what the format is and it seems no one does.

    Really sucks for users if they want to backup or restore their EMail and are using POP3.


  • David (PassMark)
    replied
    OK, we'll set up a test system and poke around a bit. Maybe Microsoft have changed the folder location and database structure (as if it wasn't already a big enough mess).


  • morpheus.bn
    replied
    Originally posted by David (PassMark):
        Were you able to find the store.vol database file?

    Yes, the file is exactly where it needs to be. I open it with the ESEDB viewer but the message table is empty, while if I open the virtual machine the messages are there.


  • morpheus.bn
    replied
    Originally posted by David (PassMark):
        I think you can open up the Windows 10 Mail data files (.dat) in the Unistore folder.

        I just need to check the details.

        If you had an example file, that might also help.

    There is no dat file. If I index emails, the emails from the Mail app aren't extracted.


  • David (PassMark)
    replied
    Were you able to find the store.vol database file?


  • morpheus.bn
    replied
    The folder contains only the subfolder "5"; however, by opening the Mail app from the virtual machine the e-mails are there.
    There must be another repository somewhere ...


  • Simon (PassMark)
    replied
    Logs for the Mail app are written to the directory: \Users\<username>\AppData\Local\Comms\Unistore\data

    There are a bunch of numbered folders, each storing different things for the Mail app:
    0; Windows phone data
    2; contact lists within the account
    3; the contents/body of the email
    5; calendar invitations
    7; email attachments
    33; contents of invitations


    Also, in \Users\<username>\AppData\Local\Comms\UnistoreDB, there is a database file called store.vol, which stores email content. You can view this file using the ESEDB viewer; the tables of interest for us within this database include Message, Contact, Appointment, Attachment, and Recipient:
    [Image: Screenshot 2021-08-12 141247.png]

    More info here: https://darkdefender.medium.com/wind...s-39025f5418d2

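Added example, not part of the thread and not OSForensics code: a Python script that checks one user profile from a mounted image for the three storage locations named in the posts (the numbered Unistore data folders, store.vol and HxStore.hxd) and reports which of them hold anything. The function names and the sample profile are constructed for illustration; the ESE signature bytes at offset 4 are general knowledge of the ESE file format, not something stated in the thread.

```python
from pathlib import Path

# Folder meanings exactly as listed in the post above.
UNISTORE_FOLDERS = {"0": "Windows phone data", "2": "contact lists within the account",
                    "3": "contents/body of the email", "5": "calendar invitations",
                    "7": "email attachments", "33": "contents of invitations"}
ESE_MAGIC = bytes.fromhex("efcdab89")  # ESE database signature, stored at file offset 4
HX_PACKAGE = "microsoft.windowscommunicationsapps_8wekyb3d8bbwe"


def triage_mail_profile(profile):
    """Report which Mail app stores exist under one user profile directory."""
    local = Path(profile) / "AppData" / "Local"
    report = {"unistore": {}, "store_vol": None, "hxstore": None}

    data_dir = local / "Comms" / "Unistore" / "data"
    if data_dir.is_dir():
        for sub in sorted(p for p in data_dir.iterdir() if p.is_dir()):
            files = sum(1 for f in sub.rglob("*") if f.is_file())
            label = UNISTORE_FOLDERS.get(sub.name, "not listed in the thread")
            report["unistore"][sub.name] = {"label": label, "files": files}

    store_vol = local / "Comms" / "UnistoreDB" / "store.vol"
    if store_vol.is_file():
        with store_vol.open("rb") as fh:
            header = fh.read(8)
        report["store_vol"] = {"size": store_vol.stat().st_size,
                               "ese_header": header[4:8] == ESE_MAGIC}

    hx = local / "Packages" / HX_PACKAGE / "LocalState" / "HxStore.hxd"
    if hx.is_file():
        report["hxstore"] = {"size": hx.stat().st_size}
    return report


def build_sample_profile(root):
    """Constructed sample: only data folder 5 is present, plus both store files."""
    local = Path(root) / "AppData" / "Local"
    (local / "Comms" / "Unistore" / "data" / "5").mkdir(parents=True)
    (local / "Comms" / "Unistore" / "data" / "5" / "constructed.bin").write_bytes(b"x")
    (local / "Comms" / "UnistoreDB").mkdir(parents=True)
    (local / "Comms" / "UnistoreDB" / "store.vol").write_bytes(b"\0" * 4 + ESE_MAGIC + b"\0" * 8)
    state = local / "Packages" / HX_PACKAGE / "LocalState"
    state.mkdir(parents=True)
    (state / "HxStore.hxd").write_bytes(b"\0" * 32)
    return Path(root)


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage_mail_profile(sys.argv[1]), indent=2))
```

Run it against a read-only mount or an exported copy of the profile, since opening the live files can alter timestamps.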


  • David (PassMark)
    replied
    I think you can open up the Windows 10 Mail data files (.dat) in the Unistore folder.

    I just need to check the details.

    If you had an example file, that might also help.


  • How to extract the emails from the Windows 10 "Mail" app

    Hi,
    I'm a new OS Forensics user. I am testing the functionality of the software but I cannot extract the emails from the Windows 10 "Mail" app.
    Does anyone know how to do it?

    Thank you