Hello everyone
I have a case where I need to recover e-mails.
The hdd in question was formatted and OS was re-installed. I also know that the last user used Lotus email client.
I found many emails in unallocated clusters. This is an example of my search hit result (I use EnCase):
From: "Person1" <person1@domain1.com>
To: <person2@domain2.com>
Subject: Text of subject
Date: Tue, 5 Feb 2009 17:18:43 +0300
MIME-Version: 1.0
Content-Type: multipart/mixed;
	boundary="----=_NextPart_000_0035_01C8681B.28CC9140"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

------=_NextPart_000_0035_01C8681B.28CC9140
Content-Type: text/plain;
	format=flowed;
	charset="iso-8859-1";
	reply-type=original
Content-Transfer-Encoding: 8bit

----- Original Message -----
Body text

------=_NextPart_000_0035_01C8681B.28CC9140
Content-Type: application/vnd.ms-excel;
	name="aim.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="aim.xls"

0M8R4KGxGuEAAAAAAAAAAAAAAAAAAAAAPgADAP7/CQAGAAAAAAAAAAAAAAAFAAAAAQAAAAAAAAAA
EAAAEwIAAAEAAAD+////AAAAAAAAAABiAAAA4wAAAH4BAADlAQAA////////////,E··········<G··////////////
////////////////////////////////////////////////////////////////////////////
////////////////////////////////////////////////////////////////////////////
.
.I cut most of the body of the attachment in this example
.
.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA=
------=_NextPart_000_0035_01C8681B.28CC9140--
I need to open the file in the attachment - aim.xls. I select this message in unallocated clusters and export the binary data to a file with an .eml extension.
I open this eml file and it looks good except I cannot see the body. When I try to open the attachment, MS Excel says that the file could not be read.
I think that there is some problem with attachment encoding or with my solution to get the attachment.
Any ideas what it can be? How about another way to get attachment?
Thanks.
------=_NextPart_000_0035_01C8681B.28CC9140
Content-Type: application/vnd.ms-excel;
	name="aim.xls"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="aim.xls"
It says base64, so extract the contents of that part (from the 0M8R4… to the AAA=) into a file, and then feed that file through a base64 decoder, and make sure that the resulting file is called aim.xls.
On Uni*x, you probably already have this (look for base64 or uudecode), on other platforms you need to find a suitable tool. On Windows, some archive utilities support it – with IZArc, for example, check the Tools menu, then UU/XX/Mime Encode, and just specify input file and output file.
I use the following process
http//
Works well for me.
Can you elaborate more on this please?
The link that I posted outlines the process quite nicely. Or am I missing something?
My post was directed to Athulin as his method suggests a different way to approach things than the link you posted.
Also, not everyone uses Perl. And, there are 2 comments on that link, both of which talk about errors. If someone doesn't know how to use Perl, or just knows the basics, they surely don't know how to fix coding errors.
@Seagull
In this seemingly unrelated thread
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=6449
You can find some apps that can be of help.
Particularly a GUI uudecoder
http//
that features, beside "plain" decode also a "desperate" mode that may be useful.
jaclaz
The link also spells out how to do the process, manually, which is what Athulin suggested, but did not describe, explicitly. If you wanted, you could edit the message by hand to remove all but the attachment, add the "begin-base64" line, and run uudecode. The Perl attachment was supposed to automate that process.
There are a number of Base64 decoders online such as
http//
Just change the .bin extension of the output file to .xls (or the ext of the attachment) and it should open in Excel (providing all of the base64 encoding from the e-mail has been fully recovered correctly from unallocated).
Dan
Not sure what you need elaborated? But perhaps the details have been explained already.
The data you need to extract is the block of characters that follows the empty line after the attachment header. I'd use a plain text editor like Notepad, Wordpad, vi or emacs for that job. (Or even cut-and-paste from the tool in which I examine the mail source.)
For the base64 decoding I probably use the base64 utility that's part of Cygwin, but it works just as well in Linux. (Forget what I said about IZArc – it does encoding only, I see now. But I'm pretty sure there are other Win utilities that do this job, so you may need to look around.)
Assuming the Linux/Cygwin approach, it's just
% base64 -d <aim.txt >aim.xls
(assuming I saved the extracted data in aim.txt).
In some cases, I have seen that the extracted data includes characters that can't be base64-code. In that case, I just see if using the '-i' (ignore non-base64 characters) makes better sense. (And I would spend some time to pinpoint the bad character, just in case …)
As has already been noted, there are on-line decoders … however, I would stay away from them for serious work. I would not like to find that the data I have handed over has been analyzed, discovered to be an Excel file, and some malware added. For quick tests, they're fine. At the very least, I'd do a double check by feeding the newly decoded data back into an encoder and ensuring that it produced the same file as the original.
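The manual procedure from the post above, run offline, as an added example (not code from the thread or from the linked Perl script): it takes the base64 part out of a carved message, lists the characters that cannot be base64, decodes the way `base64 -d -i` would, and checks the result against the OLE2 file header and a re-encode. The sample message, its boundary string and all function names are constructed for the illustration.

```python
import base64
import re

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # header of .xls/.doc compound files
B64_CHAR = re.compile(r"[A-Za-z0-9+/=]")

def extract_b64_body(carved):
    """Text between the blank line after the base64 part header and the next boundary."""
    lines = carved.replace("\r\n", "\n").split("\n")
    i = next(n for n, l in enumerate(lines)
             if re.match(r"\s*content-transfer-encoding:\s*base64", l, re.I))
    while i < len(lines) and lines[i].strip():    # skip the rest of the part headers
        i += 1
    body = []
    for line in lines[i + 1:]:
        if line.startswith("--"):                 # '-' is not base64: boundary reached
            break
        body.append(line)
    return "\n".join(body)

def bad_characters(body):
    """(line, column, char) of every character that is neither base64 nor whitespace."""
    return [(ln, col, ch)
            for ln, line in enumerate(body.split("\n"), 1)
            for col, ch in enumerate(line, 1)
            if not ch.isspace() and not B64_CHAR.fullmatch(ch)]

def decode_lenient(body):
    """Like `base64 -d -i`: drop non-alphabet characters, then decode whole quads."""
    clean = "".join(B64_CHAR.findall(body))
    clean = clean[:len(clean) - len(clean) % 4]   # a carved fragment may be cut short
    return clean, base64.b64decode(clean)

# Constructed sample: a 60-byte stand-in "workbook", damaged by one stray character.
PAYLOAD = OLE2_MAGIC + bytes(range(52))
ENCODED = base64.encodebytes(PAYLOAD).decode("ascii")
SAMPLE = ("------=_Boundary_constructed\n"
          "Content-Type: application/vnd.ms-excel;\n\tname=\"aim.xls\"\n"
          "Content-Transfer-Encoding: base64\n"
          "Content-Disposition: attachment;\n\tfilename=\"aim.xls\"\n\n"
          + ENCODED[:20] + "\u00b7" + ENCODED[20:]
          + "------=_Boundary_constructed--\n")

if __name__ == "__main__":
    body = extract_b64_body(SAMPLE)
    print("suspect characters:", bad_characters(body))
    clean, data = decode_lenient(body)
    print("OLE2 header present:", data.startswith(OLE2_MAGIC))
    print("re-encode matches:", base64.b64encode(data).decode() == clean)
```

A decoded stream that begins with the OLE2 header corresponds to base64 text starting `0M8R4KGxGuE`, which is what the recovered attachment in the first post shows; write `data` to disk in binary mode under the attachment's name.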