Windows 10 Mail App Forensics

  • \Users\<username>\AppData\Local\Comms\Unistore\data
Directory Listings for the Windows 10 Mail App Artefacts
  • AppData\Local\Comms\Unistore\data\0; Windows phone data
  • AppData\Local\Comms\Unistore\data\2; contact lists within the account
  • AppData\Local\Comms\Unistore\data\3; the contents/body of the email
  • AppData\Local\Comms\Unistore\data\5; calendar invitations
  • AppData\Local\Comms\Unistore\data\7; email attachments
  • AppData\Local\Comms\Unistore\data\33; contents of invitations, maybe
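The folder layout listed above can be turned into a quick triage inventory. This is an added example, not code from the original post: it walks an exported copy of `Unistore\data`, labels each file by its numbered top-level folder, and records size and SHA-256. The sample file names, the nested `a`/`b` folders and the `99` folder are constructed for the dry run.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

# Subfolder meanings as listed above; the page itself is unsure about 33.
CATEGORIES = {
    "0": "Windows phone data",
    "2": "contact lists",
    "3": "email body",
    "5": "calendar invitations",
    "7": "email attachments",
    "33": "invitation contents (unconfirmed)",
}

def inventory(data_dir):
    """Hash and label every file under an exported copy of Unistore\\data."""
    data_dir = Path(data_dir)
    records = []
    for path in sorted(p for p in data_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(data_dir)
        # Files sitting directly in data\ have no numbered parent folder.
        top = rel.parts[0] if len(rel.parts) > 1 else ""
        sha256 = hashlib.sha256()
        with path.open("rb") as fh:  # read-only, chunked for large attachments
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                sha256.update(chunk)
        records.append({
            "path": rel.as_posix(),
            "category": CATEGORIES.get(top, "unmapped"),
            "size": path.stat().st_size,
            "sha256": sha256.hexdigest(),
        })
    return records

def make_sample(root):
    """Constructed sample tree (not real evidence) for a dry run."""
    files = {"3/a/0001.dat": b"<html>body</html>", "7/b/0002.dat": b"%PDF-",
             "33/0003.dat": b"invite", "99/x.bin": b"?"}
    for rel, data in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        records = inventory(tmp)
        print(Counter(r["category"] for r in records))
        for r in records:
            print(r["sha256"][:16], r["size"], r["category"], r["path"])
```

Point `inventory()` at a working copy exported from the image rather than the live profile; anything reported as `unmapped` sits in a folder this page does not describe and needs manual review.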
X-Ways displaying calendar invitations
OSForensics parsing .dat files in \data\33
Using OSForensics to Extract store.vol
OSForensics String Viewer to search store.vol for email data
Using OSForensics' ESEDB Viewer to parse store.vol
Attempting to use NirSoft’s ESEDatabaseView to parse store.vol
Attempting to use Autopsy to parse store.vol

Your one and only source into the scandalous life of a DFIR consultant.

darkdefender
