Windows 8 and 8.1 Mail Finder
This script finds and decodes Windows 8/8.1 mail messages originating from cached EML message files which are stored in the following folder –
The default period for which messages are cached is two weeks after which they're deleted. The script was primarily designed for recovering such messages from unallocated clusters. The fact that the message-content is Base64 encoded makes it difficult to find them using standard keyword searching. The script works by finding the header part of a message using the following keywords -
It then uses the following keywords to find the start of Base64-encoded message-content in plain-text or HTML format -
Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/plain; charset="utf-8"\x0d\x0a\x0d\x0a
Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/html; charset="utf-8"\x0d\x0a\x0d\x0a
Any data between a hit for a header keyword and the next hit for one of these two content keywords is treated as the message header; the Base64 data following the content-keyword hit is treated as the message text. Note that the script cannot locate attachments.
The script will create two bookmarks for each message that it locates. The first will be a text-bookmark relating to the message header; the second will be a decode-bookmark showing the decoded Base64 message-text in report view. The script will also write the header and decoded message-text data for each message to a combined stream in a logical evidence file (LEF). The stream will have an EML file-extension.
The LEF can be brought back into the case, examined, searched and additional bookmarks created if necessary. Note that any decoded Base64 message-text will be encoded as UTF-8; it may also be in HTML format. One of the best ways to view the EML streams in the LEF is to use the Document tab in EnCase or open them in an external viewer such as Outlook or Thunderbird.
In addition to writing messages as individual streams, the script will also write those messages into a single MBOX-format file in the LEF. This allows the messages in the LEF to be processed by the EnCase evidence processor in the usual way. It's important to bear in mind that recovery of Base64 message content from unallocated clusters is not without risk (corrupt data can cause a crash), so the script won't parse Base64-encoded data greater than one megabyte in length. Attachments do not form part of this data, so this limit should be sufficient for most cases. If a message has content in both HTML and plain-text formats, the script will decode the first type that it finds.
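The carving logic described above, as an added Python illustration (not the EnScript itself): it scans a raw byte buffer for the two content markers quoted earlier, decodes the Base64 run that follows the first marker found, skips runs over one megabyte or that fail to decode, and combines the results into an MBOX-style text. The header keyword `From: ` and the sample buffer are assumptions, since the page does not list its header keywords.

```python
import base64
import binascii
import re

# The two Base64 content markers listed on the page (CRLF line endings).
MARKERS = [
    b'Content-Transfer-Encoding: base64\r\nContent-Type: text/plain; charset="utf-8"\r\n\r\n',
    b'Content-Transfer-Encoding: base64\r\nContent-Type: text/html; charset="utf-8"\r\n\r\n',
]
MAX_BODY = 1024 * 1024          # one-megabyte cap on Base64 runs, as the page describes
HEADER_KEYWORD = b"From: "      # assumption: the page does not list its header keywords
B64_RUN = re.compile(rb"[A-Za-z0-9+/=\r\n]+")

def carve_messages(data: bytes):
    """Return a list of (header_bytes, decoded_text) carved from a raw buffer."""
    found, pos = [], 0
    while True:
        hdr = data.find(HEADER_KEYWORD, pos)
        if hdr < 0:
            break
        hits = [(data.find(m, hdr), m) for m in MARKERS]
        hits = [(i, m) for i, m in hits if i >= 0]
        if not hits:
            break                                   # no further content markers in the buffer
        start, marker = min(hits)                   # first content type found wins, as on the page
        body_start = start + len(marker)
        m = B64_RUN.match(data, body_start)
        run = m.group(0) if m else b""
        pos = body_start + len(run)
        raw = re.sub(rb"\s", b"", run)
        if not raw or len(raw) > MAX_BODY:
            continue                                # empty or oversized body: skip rather than risk a crash
        try:
            text = base64.b64decode(raw, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue                                # corrupt Base64 from unallocated space: skip it
        found.append((data[hdr:start], text))
    return found

def to_mbox(messages) -> str:
    """Combine carved messages into one MBOX-style text with a 'From ' separator per message."""
    return "".join("From - recovered\n" + hdr.decode("utf-8", "replace").replace("\r\n", "\n")
                   + "\n" + text + "\n" for hdr, text in messages)

def sample_buffer() -> bytes:
    """Constructed test buffer: two intact messages around one with corrupt Base64 and filler bytes."""
    good = base64.b64encode(b"Hello from Windows 8 Mail")
    html = base64.b64encode(b"<p>Second message</p>")
    return (b"\x00" * 16 + b"From: a@example.com\r\nSubject: one\r\n" + MARKERS[0] + good
            + b"\r\n\x00\xff" * 4 + b"From: b@example.com\r\n" + MARKERS[1] + b"corrupt!!!"
            + b"From: c@example.com\r\n" + MARKERS[1] + html + b"\r\n")
```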
At the time of writing this the script has been tested with messages originating from Yahoo! and Google accounts.