Windows 8 and 8.1 Mail Finder

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

Finds deleted e-mail messages originating from the Windows 8 and 8.1 Mail applications.

1,324 downloads

Product compatibility

EnCase App Central

Description

This script finds and decodes Windows 8/8.1 mail messages originating from cached EML message files, which are stored in the following folder -

%LOCALAPPDATA%\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\

The default period for which messages will be cached is two weeks.

The script was primarily designed for recovering such messages from unallocated clusters.

The script works by finding the header part of a message using the following keywords -

MIME-Version: 1.0\x0d\x0aSubject:
MIME-Version: 1.0\x0d\x0aFrom:

It then uses the following keywords to find the start of Base64-encoded message-content in plain-text or HTML format -

Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/plain; charset="utf-8"\x0d\x0a\x0d\x0a
Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/html; charset="utf-8"\x0d\x0a\x0d\x0a

Any data between hits for these two keywords is treated as e-mail-message header-content; Base64 data following a hit for the second keyword is treated as message-text. Note that the script cannot locate attachments.

The script will create two bookmarks for each message that it locates. The first will be a text-bookmark relating to the message header; the second will be a decode-bookmark showing the decoded Base64 message-text in report view.

The script will also write the header and decoded message-text data for each message to a combined stream in a logical evidence file (LEF). The stream will have an EML file-extension. The LEF can be brought back into the case, examined, searched and additional bookmarks created if necessary. Note that any decoded Base-64 message-text will be encoded as UTF-8; it may also be in HTML format. One of the best ways to view the EML streams in the LEF is to use the Document tab in EnCase or open them in Outlook or Thunderbird.

In addition to writing messages as individual streams, the script will also write those messages into a single MBOX-format file in the LEF. This will allow the messages in the LEF to be processed by the evidence processor in the usual way.

It's important to bear in mind that recovery of Base-64 message content from unallocated clusters is not without risk (corrupt data can cause a crash) and so the script won't parse Base-64 encoded data greater than one megabyte in length. Attachments do not form part of this data so this limit should be sufficient for most cases.

If a message has content in both HTML and plain-text formats then the script will decode the first type that it finds.

At the time of writing this, the script has been tested with messages originating from Yahoo! and Google accounts.

This script was developed for use in EnCase training. For more details, please click the following link:

OpenText EnCase Training

Releases

Release

Size

Date

Windows 8 and 8.1 Mail Finder 2.0.0

Aug 1, 2024

More info Less info

Product compatibility

Release notes

Tested with:
EnCase Forensic 7.10.01.27

Languages

English

Files

Marketplace

Marketplace

Windows 8 and 8.1 Mail Finder

Product compatibility

CATEGORY

Description

Releases

Sign in

Marketplace

Windows 8 and 8.1 Mail Finder

App Support Tiers

Product compatibility

CATEGORY

Description

Releases

Unsubscribe from notifications

Marketplace Terms of Service

Your download has begun