
EnCase App Central

Windows 8 and 8.1 Mail Finder

This script finds and decodes Windows 8/8.1 mail messages originating from cached EML message files which are stored in the following folder –

%LOCALAPPDATA%\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\

The default period for which messages are cached is two weeks after which they're deleted. The script was primarily designed for recovering such messages from unallocated clusters. The fact that the message-content is Base64 encoded makes it difficult to find them using standard keyword searching. The script works by finding the header part of a message using the following keywords -

MIME-Version: 1.0\x0d\x0aSubject:

MIME-Version: 1.0\x0d\x0aFrom:

It then uses the following keywords to find the start of Base64-encoded message-content in plain-text or HTML format -

Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/plain; charset="utf-8"\x0d\x0a\x0d\x0a

Content-Transfer-Encoding: base64\x0d\x0aContent-Type: text/html; charset="utf-8"\x0d\x0a\x0d\x0a

Any data between a hit for one of the header keywords and the following hit for one of the content keywords is treated as the message header; the Base64 data that follows the content-keyword hit is treated as the message text. Note that the script cannot locate attachments.

The script will create two bookmarks for each message that it locates. The first will be a text-bookmark relating to the message header; the second will be a decode-bookmark showing the decoded Base64 message-text in report view. The script will also write the header and decoded message-text data for each message to a combined stream in a logical evidence file (LEF). The stream will have an EML file-extension.

The LEF can be brought back into the case, examined, searched and additional bookmarks created if necessary. Note that any decoded Base64 message-text will be encoded as UTF-8; it may also be in HTML format. One of the best ways to view the EML streams in the LEF is to use the Document tab in EnCase or open them in an external viewer such as Outlook or Thunderbird.

In addition to writing messages as individual streams, the script will also write those messages into a single MBOX-format file in the LEF. This will allow the messages in the LEF to be processed by the EnCase evidence processor in the usual way. It's important to bear in mind that recovery of Base64 message content from unallocated clusters is not without risk (corrupt data can cause a crash), so the script won't parse Base64-encoded data greater than one megabyte in length. Attachments do not form part of this data, so this limit should be sufficient for most cases. If a message has content in both HTML and plain-text formats, the script will decode the first type that it finds.

At the time of writing this the script has been tested with messages originating from Yahoo! and Google accounts.
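As an added example (not the EnScript itself, nor any code from this page), the carving approach described above re-implemented in Python: the page's header and Base64-content signatures locate each message, the encoded run is capped at one megabyte, the first plain-text or HTML part wins, corrupt runs are skipped rather than crashing, and the results are serialised to mbox. The names carve_messages, to_mbox and SAMPLE are this example's own, and SAMPLE is constructed data standing in for unallocated clusters.

```python
import base64
import re

# Signatures listed on the page: a header start, then the start of a Base64 body part.
HEADER_RE = re.compile(rb'MIME-Version: 1\.0\r\n(?:Subject|From):')
BODY_RE = re.compile(rb'Content-Transfer-Encoding: base64\r\n'
                     rb'Content-Type: text/(?:plain|html); charset="utf-8"\r\n\r\n')
BASE64_RUN_RE = re.compile(rb'[A-Za-z0-9+/=\r\n]+')
MAX_BASE64_LEN = 1024 * 1024  # the script's one-megabyte cap on encoded text

def carve_messages(data: bytes, max_len: int = MAX_BASE64_LEN):
    """Return (header, body_text) pairs carved from raw bytes such as unallocated clusters."""
    found = []
    hits = list(HEADER_RE.finditer(data))
    for i, h in enumerate(hits):
        # Bound each message by the next header hit so its body search cannot run into the next message.
        end = hits[i + 1].start() if i + 1 < len(hits) else len(data)
        b = BODY_RE.search(data, h.start(), end)   # first plain-text or HTML part wins
        if b is None:
            continue
        header = data[h.start():b.start()].decode("utf-8", "replace")
        run = BASE64_RUN_RE.match(data, b.end(), end)
        if run is None or len(run.group(0)) > max_len:
            continue   # no Base64 run, or an oversized one: skip rather than risk bad data
        try:
            body = base64.b64decode(run.group(0)).decode("utf-8", "replace")
        except ValueError:
            continue   # corrupt padding or length: skip this carve
        found.append((header, body))
    return found

def to_mbox(messages):
    """Serialise carved messages as one mbox file, quoting body lines that begin with 'From '."""
    out = []
    for header, body in messages:
        text = (header + "\r\n" + body).replace("\r\n", "\n")
        text = re.sub(r"^From ", ">From ", text, flags=re.MULTILINE)
        out.append("From carved@localhost Thu Jan  1 00:00:00 1970\n" + text.rstrip("\n") + "\n\n")
    return "".join(out)

# Constructed sample: one intact message, then a header whose Base64 part is corrupt.
SAMPLE = (
    b"\x00\x00junk\x01MIME-Version: 1.0\r\nSubject: Meeting\r\nFrom: alice@example.com\r\nTo: bob@example.com\r\n"
    b'Content-Transfer-Encoding: base64\r\nContent-Type: text/plain; charset="utf-8"\r\n\r\n'
    + base64.b64encode(b"Hello Bob,\r\nSee you at 10.\r\n") + b"\r\n\x00\xff"
    b"MIME-Version: 1.0\r\nFrom: eve@example.com\r\n"
    b'Content-Transfer-Encoding: base64\r\nContent-Type: text/html; charset="utf-8"\r\n\r\n'
    b"!!!corrupt\x00"
)
```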

Version: 2
Tested with:
EnCase Forensic 7.1
Developer: Simon Key
Category: Artifact

2864 DOWNLOADS
