Support   

 

 

 

 

 

 
Skip Navigation Links
> products and servicesExpand > products and services
Skip Navigation Links
> companyExpand > company
Skip Navigation Links
> resourcesExpand > resources
Skip Navigation Links
> contact supportExpand > contact support
Skip Navigation Links
> support portal
  
Download Center eSolutions Support Articles Support Videos Customer Service

Home > Support Home > Articles > Read a Subject's E-mail, Deleted or Not, with EnCase® Version 3

Read a Subject's E-mail, Deleted or Not, with EnCase® Version 3

Reading a perpetrator's e-mail is a great source of evidence. The key, of course, is knowing what e-mail application the perpetrator was using. If the Subject used a web-based e-mail application, like Hotmail or Yahoo! mail, then what you really need to find are all the temporary and/or deleted .HTM files. These can be extracted from your image with the HTML Carver script (see our web-site Help). If the perpetrator used a local application to read e-mail, such as Outlook Express or Eudora, then there are ways to read that e-mail as well.

Match the Viewer to the File

The first method you can try, if the Subject's e-mail files are still intact, is to Copy/Unerase the mail files to your hard drive. So, for Outlook Express 4, you would copy the inbox.mbx to your local hard drive. You could backup your own (if you have Outlook 4 on your computer), then move his/her inbox.mbx into your Outlook 4 folder. When you open Outlook Express, you would then be able to see his/her e-mails!

Of course, you might not have Outlook Express 4 or 5 on your computer. There is a work-around solution, which involves a third-party utility to read the e-mails. If it was Outlook Express 4 or Outlook Express 5 that the perpetrator was using, and EnCase® was able to interpret the files, then you can use a third-party utility to recover the e-mails. Please go to:

http://www.oehelp.com/MBXtract/Default.aspx and http://www.oehelp.com/DBXtract/Default.aspx

These are great programs for taking apart those applications (respectively). Please see Appendix V for other programs you can use to assist you in opening e-mail files from the different e-mail applications out there. 

What if the e-mail files, whatever the application, are in Unallocated Clusters and not easily recoverable? You will need to run a header search for that particular file as well as a footer search. When you have located both the header and footer, click and drag from one to the other, then right-click on the high-lighted area, and hit Export. You will export whatever file it is and can then try and interpret it with a text viewer or what have you. Doing it this way, you would simply have to go through the file (or Unallocated Clusters) and cut-and-paste the e-mail text into your Word documents.

DBX Files

A brand-new feature to EnCase® 3.16 is the ability to read .DBX files (Outlook Express 5) within EnCase®. Simply find the .DBX file you are interested in, right-click on it, and, on the pop-up menu, select VIEW FILE STRUCTURE. This feature is still in alpha-development, so if you have problems with it, please let us know. 


Right-click for pop-up, left-click for command


Reading Message 1 in the Inbox.dbx file!
 

© 2002-2007 Guidance Software, Inc. All Rights Reserved.
Privacy Statement | Historical Information | Contact Us | Careers | Mailing List | Resellers