Apple Mail Forensics

Apple Mail is the email client bundled with Mac OS X. Like other mail clients it supports POP3, IMAP and Exchange 2007 accounts, and it adds a few special mailboxes of its own, such as the ‘To Do’, ‘Notes’ and ‘RSS’ mailboxes.

~~~~~ ~~~~~

Default Locations

Apple Mail’s artifacts are stored in the following default locations:

  • Default location: ~/Library/Mail/
  • Mailboxes: ~/Library/Mail/[Mail Box]/ (one folder per configured account)
  • RSS feeds: ~/Library/Mail/RSS/
  • Configuration: ~/Library/Preferences/com.apple.mail.plist

These are the paths for the Mail.app of the Leopard/Snow Leopard era. Later releases keep the store under a versioned folder (~/Library/Mail/V2/ and up) and move the account settings out of com.apple.mail.plist, so confirm the OS version of the seized system before searching for these artifacts.

~~~~~ ~~~~~

com.apple.mail.plist

Information about the outgoing (SMTP) mail configuration is found under the ‘DeliveryAccounts’ key. My analysis of the entry for my Gmail account showed that it contained:

  • SMTP mail server hostname
  • Mail server port number
  • Whether authentication is required
  • Username of the mail account

More detailed information about each configured mailbox is found under ‘MailAccounts’. Each ‘item’ in that array is one email account configured by the user. The graphic below shows the entry for my Gmail account. From it we can derive:

  • AccountName: the name of the mailbox as displayed in Apple Mail
  • AccountPath: the path where the account’s messages are stored
  • AccountType: the account protocol, for example an IMAP or POP account (SMTP servers are listed separately under ‘DeliveryAccounts’)
  • DateOfLastSync: timestamp of the last synchronisation with the server
  • Hostname: the mail server hostname
  • FullUserName: the display name used on the account
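
As an added example (not code from the original post), here is how an examiner can pull the same ‘DeliveryAccounts’ and ‘MailAccounts’ details out of an exported com.apple.mail.plist with Python’s plistlib, which reads both the XML and the binary plist formats. The file contents are constructed inline: the key names the post lists are used as given, while PortNumber, ShouldUseAuthentication, the AccountType values and the suspect’s home path are assumptions made for the example.

```python
import plistlib
from datetime import datetime

# Constructed stand-in for an exported com.apple.mail.plist (not a real file).
# The DeliveryAccounts / MailAccounts keys and the fields the post lists
# (AccountName, AccountPath, AccountType, DateOfLastSync, Hostname,
# FullUserName, Username) are as named on the page; PortNumber,
# ShouldUseAuthentication and the AccountType values are assumptions for
# this example, as are all the values.
SAMPLE_PLIST = plistlib.dumps({
    "DeliveryAccounts": [
        {
            "AccountType": "SMTPAccount",        # assumed
            "Hostname": "smtp.gmail.com",
            "PortNumber": 587,                   # assumed key name
            "ShouldUseAuthentication": True,     # assumed key name
            "Username": "suspect@gmail.com",
        }
    ],
    "MailAccounts": [
        {
            "AccountName": "Gmail",
            "AccountPath": "~/Library/Mail/IMAP-suspect@gmail.com@imap.gmail.com",
            "AccountType": "IMAPAccount",        # assumed value
            "DateOfLastSync": datetime(2009, 3, 3, 10, 15, 0),
            "Hostname": "imap.gmail.com",
            "FullUserName": "J. Suspect",
            "Username": "suspect@gmail.com",
        },
        {
            # Local "On My Mac" mailboxes have no server, so Hostname is absent.
            "AccountName": "On My Mac",
            "AccountPath": "~/Library/Mail/Mailboxes",
            "AccountType": "LocalAccount",       # assumed value
        },
    ],
})


def load_mail_plist(data: bytes) -> dict:
    """Parse com.apple.mail.plist; plistlib detects XML and binary plists."""
    return plistlib.loads(data)


def summarise_accounts(prefs: dict, home: str = "/Users/suspect") -> list[dict]:
    """Flatten MailAccounts into rows, resolving AccountPath against the
    suspect's home directory so the examiner knows which exported folder
    holds each account's messages."""
    rows = []
    for acct in prefs.get("MailAccounts", []):
        path = acct.get("AccountPath", "")
        if path.startswith("~"):
            path = home + path[1:]
        rows.append({
            "name": acct.get("AccountName"),
            "type": acct.get("AccountType"),
            "host": acct.get("Hostname"),
            "user": acct.get("Username"),
            "full_name": acct.get("FullUserName"),
            "path": path,
            "last_sync": acct.get("DateOfLastSync"),
        })
    return rows


def summarise_delivery(prefs: dict) -> list[dict]:
    """One row per outgoing (SMTP) server under DeliveryAccounts."""
    return [
        {
            "host": d.get("Hostname"),
            "port": d.get("PortNumber"),
            "auth": bool(d.get("ShouldUseAuthentication", False)),
            "user": d.get("Username"),
        }
        for d in prefs.get("DeliveryAccounts", [])
    ]


if __name__ == "__main__":
    # With a real export: prefs = load_mail_plist(open(path, "rb").read())
    prefs = load_mail_plist(SAMPLE_PLIST)
    for row in summarise_accounts(prefs):
        print("account:", row)
    for row in summarise_delivery(prefs):
        print("smtp:", row)
```

Resolving AccountPath against the suspect’s home rather than the examiner’s matters once the Mail folder has been copied elsewhere: the plist still points at the original user’s path, and the examiner maps it to the exported copy.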

~~~~~ ~~~~~

Messages Analysis

Email messages are stored in ~/Library/Mail/[Mail Box]/Messages/. Each message is stored as an individual file, numbered sequentially and carrying the extension “.emlx”. An .emlx file begins with a line holding the byte count of the message, followed by the raw RFC 822 message and then an XML property list with Apple Mail’s own metadata (flags and the like), so a standard mail parser cannot read it without first splitting off those parts. The corresponding attachments may be stored separately under ~/Library/Mail/[Mail Box]/Messages/Attachments/; for example, the attachments belonging to “1649.emlx” are found in the “Attachments/1649/” folder.
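
An added example (not part of the original post) of parsing a single .emlx file: read the byte-count line, hand exactly that many bytes to Python’s email parser, and decode the trailing property list. The sample message and its plist are constructed inline; the “flags” bit positions are an assumption that an examiner should verify against a message whose state is known in the suspect’s own Mail.app.

```python
import email
import plistlib
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Constructed sample message; not taken from a real mailbox.
RAW_MESSAGE = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: Quarterly report\r\n"
    b"Date: Tue, 03 Mar 2009 10:15:00 +0000\r\n"
    b"Message-ID: <1649@example.com>\r\n"
    b"\r\n"
    b"Report attached.\r\n"
)

# The trailing plist carries Apple Mail's own metadata. "flags" and
# "date-received" are keys commonly seen in real files; the values here
# are made up for the example.
SAMPLE_EMLX = (
    str(len(RAW_MESSAGE)).encode() + b"\n"
    + RAW_MESSAGE
    + plistlib.dumps({"flags": 0x11, "date-received": 1236075300})
)

# Bit positions inside the "flags" integer as widely documented for .emlx
# (read=0, deleted=1, answered=2, encrypted=3, flagged=4, recent=5,
# draft=6). Treat this table as an assumption and confirm it against a
# message of known state before relying on it in a report.
FLAG_BITS = {
    "read": 0, "deleted": 1, "answered": 2, "encrypted": 3,
    "flagged": 4, "recent": 5, "draft": 6,
}


def parse_emlx(data: bytes) -> tuple[EmailMessage, dict]:
    """Split an .emlx file into the RFC 822 message and the metadata plist.

    Layout: first line is the decimal byte count of the message, then the
    message itself (exactly that many bytes), then an XML property list.
    """
    nl = data.index(b"\n")
    declared = int(data[:nl].strip())
    start = nl + 1
    raw = data[start:start + declared]
    if len(raw) != declared:
        # A truncated or carved file: refuse rather than parse half a message.
        raise ValueError(f"emlx declares {declared} bytes, only {len(raw)} present")
    msg = email.message_from_bytes(raw, policy=policy.default)
    tail = data[start + declared:].strip()
    meta = plistlib.loads(tail) if tail else {}
    return msg, meta


def decode_flags(flags: int) -> set[str]:
    """Names of the flag bits that are set, per FLAG_BITS."""
    return {name for name, bit in FLAG_BITS.items() if (flags >> bit) & 1}


def attachment_dir(emlx_path: str) -> str:
    """Where the page says a message's attachments live: Attachments/<number>/
    beside the message files, e.g. Messages/1649.emlx -> Messages/Attachments/1649."""
    p = PurePosixPath(emlx_path)
    return str(p.parent / "Attachments" / p.stem)


if __name__ == "__main__":
    msg, meta = parse_emlx(SAMPLE_EMLX)
    print(msg["Date"], msg["From"], "->", msg["To"], "|", msg["Subject"])
    print("flags:", sorted(decode_flags(meta["flags"])))
    print("attachments in:", attachment_dir("~/Library/Mail/INBOX.imapmbox/Messages/1649.emlx"))
```

Checking the declared length against the bytes actually present is what makes this safe on carved or partially recovered files; a parser that simply skips the first line would happily return a message with a missing body and no indication anything was lost.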

~~~~~ ~~~~~

Recovery and Examination

  1. Export the mailboxes from “~/Library/Mail/” and the configuration file “~/Library/Preferences/com.apple.mail.plist” from the suspect’s account, working from a forensic image or a write-blocked copy and hashing the files before and after the export.
  2. Set up a new, dedicated user account on the examiner’s Mac.
  3. Copy the Mail folder and com.apple.mail.plist into the same locations under the new account’s home directory.
  4. Disconnect the examiner’s Mac from the network, then open Apple Mail: the messages appear exactly as the suspect saw them. The network isolation matters because the copied plist still holds the suspect’s live account settings, and Mail will otherwise try to connect to those servers and synchronise, which can change both the evidence copy and the state on the server.
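
As an added example covering steps 1 to 3 (not the author’s own procedure or code), the following Python stages an exported Mail folder and com.apple.mail.plist into an examiner account’s home and proves, by SHA-256 of every file before and after, that the copy is identical to the source. The export layout and file contents are constructed in a temporary directory so it runs anywhere; the examiner home path is a placeholder.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of one file, read in 1 MiB chunks so large mailboxes are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict[str, str]:
    """Manifest of every regular file under root: relative path -> SHA-256."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def copy_and_verify(src: Path, dst: Path) -> dict[str, str]:
    """Copy src into dst preserving timestamps, then prove the copy matches.

    Returns the manifest taken from the source before copying; raises if
    any file is missing, added or different afterwards.
    """
    before = hash_tree(src)
    shutil.copytree(src, dst, symlinks=True, dirs_exist_ok=True)
    after = hash_tree(dst)
    if before != after:
        changed = {k for k in before if k in after and before[k] != after[k]}
        bad = sorted((set(before) ^ set(after)) | changed)
        raise RuntimeError(f"copy verification failed for: {bad}")
    return before


def stage_examiner_home(export_root: Path, examiner_home: Path) -> dict[str, str]:
    """Place the exported Mail folder and com.apple.mail.plist where Apple
    Mail expects them inside the examiner account's home (steps 1-3)."""
    mail_manifest = copy_and_verify(export_root / "Mail",
                                    examiner_home / "Library" / "Mail")
    manifest = {"Library/Mail/" + k: v for k, v in mail_manifest.items()}

    prefs_src = export_root / "com.apple.mail.plist"
    prefs_dst = examiner_home / "Library" / "Preferences" / "com.apple.mail.plist"
    prefs_dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(prefs_src, prefs_dst)
    if sha256_file(prefs_src) != sha256_file(prefs_dst):
        raise RuntimeError("com.apple.mail.plist changed during copy")
    manifest["Library/Preferences/com.apple.mail.plist"] = sha256_file(prefs_dst)
    return manifest


def build_sample_export(root: Path) -> None:
    """Constructed stand-in for a suspect's export; not real evidence."""
    msgs = (root / "Mail" / "IMAP-suspect@gmail.com@imap.gmail.com"
            / "INBOX.imapmbox" / "Messages")
    msgs.mkdir(parents=True)
    (msgs / "1649.emlx").write_bytes(b"15\nSubject: hi\r\n\r\n<plist/>")
    (root / "com.apple.mail.plist").write_bytes(
        b'<plist version="1.0"><dict/></plist>')


def run_demo() -> dict[str, str]:
    """Build the constructed export in a temp dir, stage it, return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        examiner_home = Path(tmp) / "Users" / "examiner"   # placeholder home
        build_sample_export(export)
        return stage_examiner_home(export, examiner_home)


if __name__ == "__main__":
    for rel, digest in run_demo().items():
        print(digest, rel)
```

The returned manifest is what goes into the case notes: the same hashes should be reproducible from the original image, and re-running hash_tree on the examiner’s copy after the examination shows whether opening Mail altered any file.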

~~~~~ ~~~~~
