Outlook Express

Microsoft Outlook Express is a common e-mail and Internet news client. It is installed by default with Internet Explorer on a Windows-based operating system. Because it is readily available, many users choose it as their default e-mail client. Therefore, the forensic investigator must be prepared to reconstruct the e-mail generated from this program. This section will describe how Outlook Express can be used by a forensic analyst in a way that’s slightly different from an ordinary user to help establish further investigative leads.

Implementation

To install Outlook Express, you must first install Internet Explorer. After it is installed on the forensic workstation, it need not be configured further. The analyst will simply import the subject’s e-mail into his copy of Outlook Express on the forensic workstation. This can be accomplished using the following steps:

1. Open Outlook Express and choose File | Import | Messages.

2. In the Outlook Express Import dialog box, choose the version of Outlook Express you want to import. Then click Next.

3. Choose the option Import Mail From An OE6 Store Directory. Click OK.

   

4. Choose the location of the directory to be imported. This would be the directory obtained from the forensic duplication or a logical copy of the subject’s machine. The common locations for this directory are presented in Table 24-1. Click Next.

   

5. After Outlook Express has detected that the contents of the directory are indeed a valid mail store, it offers you the option of selecting any or all of the folders available. Choose the appropriate option(s) and click Next.

6. After you finish the import, the new messages are located in the folder tree.

You need to know the location of the e-mail storage files, according to whichever flavor of Windows is used. Table 24-1 shows the typical locations of these files.

The information should be copied from the evidence to a fresh directory before you import it into Outlook Express, because Outlook Express needs read and write access to the data and the evidence would typically not have write privileges.