Read a Subject's E-mail, Deleted or Not, with EnCase® Version 4

A perpetrator's e-mail is a great source of evidence. The key, of course, is knowing what e-mail application the perpetrator was using. If the Subject used a web-based e-mail application, like Hotmail or Yahoo! mail, then what you really need to find are all the temporary and/or deleted .HTM files. These can be extracted from your image with the HTML Carver script (see our website Help). If the perpetrator used a local application to read e-mail, such as Outlook Express or Eudora, then there are ways to read that e-mail as well.

Outlook Express 5 E-mail

EnCase® can read Outlook Express 5 .DBX files directly. Locate a .DBX file, right-click it, and select View File Structure from the context menu.

Right-click for context menu, left-click to execute

The file will be graphically represented as a folder with the mounted DBX volume beneath. In the right pane in the "Table" view, individual e-mails will be listed as Message0, Message1, and so on. The text of the e-mails will be in the text preview pane below.

Reading Outlook Express 5 e-mail

MS Outlook E-Mail

EnCase® can mount and view Outlook PST files in a plain-text format. This works the same way as mounting and viewing Outlook Express DBX files above, except that the View File Structure command is executed on a PST file instead of a DBX file.

EnCase® loads the PST file

After a PST file has been mounted, it will appear under the Cases tab in a format remarkably similar to MS Outlook's interface.

Viewing e-mails in a PST file

It is possible to include recovered Outlook Express 5 e-mail text and attachments in the report. This is done by bookmarking the attached base64 encoded image and pasting the e-mail header and message in the bookmark comments window. Below is a .dbx file parsed out into a virtual folder. The folder contains one message.

One e-mail recovered from Deleted Items folder

  1. In this message is an attached .jpg image encoded with base64. Select the first character of the e-mail header and highlight the text down ("sweep") to the beginning of the encoded image.

  2. Right-click on the Bookmark folder in the Bookmark Folder pane. Select New Folder and type in the name of the folder, such as Email. Press <ENTER> to save the name of the new folder.

Highlight the e-mail header and message and choose COPY

The picture attached to the e-mail

  3. Right-click on the first character of the encoded image (right after the file name) and choose Bookmark Data or <Ctrl>-<B>. In the "Add Bookmark" window, view the data as a base64 encoded picture. In the "Comments" block, right-click and select Paste to place the highlighted message from the clipboard into the "Comments" block.

  4. Click on the "Bookmarks" view tab and select the new e-mail bookmark folder in the left pane. In the right pane, select the "Report" view for the new bookmark. The report will display the complete e-mail, including header, with the bookmark and decoded image at the bottom.

Bookmarked e-mail attachment and e-mail header information
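
The bookmarking procedure above pairs an e-mail's header and message text with its decoded base64 attachment. The same pairing can be reproduced outside EnCase® to cross-check a report. The following is an added example, not part of the original article or Guidance Software's code: it parses one exported message with Python's standard `email` module, decodes the attachment and hashes it. The sample message, addresses and file name are constructed.

```python
import base64
import hashlib
from email import message_from_string
from email.policy import default

# Constructed sample: JPEG start/end markers around filler bytes, not a real picture.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"constructed-sample" + b"\xff\xd9"
SAMPLE_MESSAGE = "\n".join([
    "From: subject@example.com",
    "To: contact@example.com",
    "Subject: photo",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="BOUND"',
    "",
    "--BOUND",
    "Content-Type: text/plain",
    "",
    "See the attached picture.",
    "--BOUND",
    'Content-Type: image/jpeg; name="pic.jpg"',
    "Content-Transfer-Encoding: base64",
    'Content-Disposition: attachment; filename="pic.jpg"',
    "",
    base64.b64encode(JPEG_BYTES).decode("ascii"),
    "--BOUND--",
    "",
])

def summarize_message(raw):
    """Return header fields, message text and decoded-attachment details."""
    msg = message_from_string(raw, policy=default)
    wanted = ("From", "To", "Subject", "Date")
    report = {"headers": {h: str(msg[h]) for h in wanted if msg[h]},
              "body": "", "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            data = part.get_payload(decode=True)  # undoes the base64 encoding
            report["attachments"].append({
                "filename": part.get_filename(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "looks_like_jpeg": data[:3] == b"\xff\xd8\xff",
            })
        elif part.get_content_type() == "text/plain":
            report["body"] = part.get_content().strip()
    return report
```

The SHA-256 value gives a fixed reference for the decoded attachment that can be recorded alongside the bookmark comments.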


 

 

© 2002-2007 Guidance Software, Inc. All Rights Reserved.