I'm doing an investigation that involves AOL emails. I'm now parsing through unallocated space looking for deleted emails and wanted to get some advice.
1. I've deduced that most likely the emails that are in UC start with the header v6.99AOLFAOLH and footer AOLFAOLH. I'm thinking of running a file carver EnScript (EnCase v6) to do the preliminary carving for me since doing a keyword search for the header or footer returns thousands of emails. Do my header and footer look right? I'm afraid of missing emails so if someone has done this before and doesn't agree with my approach please advise. AOL is installed on the system but I've seen evidence of webmail "Mail.aol.com" too.
2. Are there any tools that you guys can recommend that are good at parsing AOL v9 or other versions? I've used FTK, EnCase and HotPepper inc, and so far HotPepper returned hundreds more results that are all legible and complete.
Thanks for your help on this matter,
Although I have never used it for AOL, Simple Carver (
Thanks Randy,
I have tools to carve header and footer data. I was looking more for confirmation that my header and footer information was correct and then separately, if anyone knew of any tools that worked well in parsing PFC files.
I'll look at that tool though. You never know when you'll need another carving tool. lol
There is a great tool in the UK for AOL artefacts from the creator of Netanalysis, it is called EMLXtract. It is at beta stage and as one of the beta testers I can say it is impressive. At the weekend we extracted 27,000 AOL emails many with attachments from unallocated in an urgent case. Unsure as to when it goes on general release. You can contact creator on;
http//
Cheers Dave Kennedy
Computer Crime Unit,
Durham Constabulary,
UK.
Thank you.
I've downloaded their beta code and will give them a try.
I tried to access the website but I did not find the EMLXTRACT.
(I bought NetAnalysis.)
Can anyone tell me where I can find it?
BR
It's in beta, contact the site admin and ask to be added to the beta program.
Try EMail Detective - at
They have an option to process data carved out of unallocated space and recover AOL email.
Hope that helps!
Art
The case that originally prompted this post has gone and passed but Hotpepperinc was the tool I used and it worked great. It was rare that I was able to carve out a full email from UC but the allocated stuff came out nicely. They have a great fully functioning demo that leaves out every 5th message if you want to test drive it.