Hello
Has anyone had to deal with preserving webmail (Yahoo, Gmail, Hotmail/Windows Live) accounts in a non-LE scenario?
Counsel wants all emails in these accounts to be put into a PST file. Owner has given Counsel username and password information.
I read that Gmail has an IMAP function that will let you create an Outlook account and bring down the emails, contacts etc without deleting them from the server. Is that the best way?
For Hotmail you can use the Outlook Connector
Has anyone done similar preservation for Yahoo - or all three for that matter and is willing to share info?
Thanx in advance.
-=Art=-
Found this link on the FF Forum
http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4532
last message on it is from 2009. Any changes?
Yes. VM is your friend here.
Here is what I have done in the past.
Fresh VM. Log into the webmail account and record everything. Don't click on messages but memorialize the state things are in - number of messages, etc. Change the settings necessary for IMAP (use IMAP not POP3 unless you choose in Outlook/client to save messages on server - too much risk of mischecking a box so use IMAP in my opinion) and whatever else you might need if it is supported.
* Gmail - POP/IMAP available but needs to be turned "on"
* Yahoo - you have to pay for the Mail Plus $19.99 for the year
* Hotmail/Live - There is actually an Outlook plug-in connector you will want to use
I then set up a fresh install of Outlook and a new profile in the VM. I use secure ports to download that the service will allow and do not set up SMTP. Download messages to profile PST. Confirm message counts without clicking on any messages.
Save your VM. Extract from the VMDK.
The whole time I am snapshotting, recording and screen capping along the way.
I have found this to be the most thorough in cases where I need to do this. Certainly customize to your needs and environment. If there are any questions a lot is memorialized and you have a created data set and environment that a 3rd party can review.
Worked very well for me when I was engaged as a neutral to remove emails and data from a complying user's email account. I was able to create a PST data set, then search within forensic programs for responsive messages. In a new instance of the VM I was able to search in Outlook to verify, then remove messages from the server through Outlook that matched the requirements for deletion, leaving behind non-matter-related messages. After that I could go back into webmail view to verify and memorialize. Also, I was able to extract all the attachments, create a hash set and search suspect devices to see if the data proliferated to other areas.
Douglas
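Added example, not part of the original thread or any poster's tooling: a Python sketch of the attachment hash-set step described in the post above, run over messages exported as raw RFC 822 bytes. The function names, the sample message and the device file paths are all constructed for illustration.

```python
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

def attachment_hashes(raw_message: bytes) -> dict:
    """Map SHA-256 hex digest -> filename for each attachment in one message."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        data = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        if data is None:  # multipart container such as an attached message
            continue
        found[hashlib.sha256(data).hexdigest()] = part.get_filename() or "(unnamed)"
    return found

def build_hash_set(raw_messages) -> dict:
    """Merge attachment hashes from every preserved message."""
    hash_set = {}
    for raw in raw_messages:
        hash_set.update(attachment_hashes(raw))
    return hash_set

def find_matches(hash_set: dict, device_files: dict) -> list:
    """Return (device path, attachment name) for files whose content matches."""
    hits = []
    for path, content in sorted(device_files.items()):
        name = hash_set.get(hashlib.sha256(content).hexdigest())
        if name is not None:
            hits.append((path, name))
    return hits

def sample_message() -> bytes:
    """Constructed message with two attachments (not real case data)."""
    m = EmailMessage()
    m["From"], m["To"] = "custodian@example.com", "recipient@example.com"
    m["Subject"] = "Q3 pricing"
    m.set_content("See attached.")
    m.add_attachment(b"price list v3\n", maintype="application",
                     subtype="octet-stream", filename="pricing.xlsx")
    m.add_attachment(b"%PDF-constructed\n", maintype="application",
                     subtype="pdf", filename="terms.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    device = {"E:/copy of pricing.xlsx": b"price list v3\n",  # constructed files
              "E:/notes.txt": b"unrelated\n"}
    print(find_matches(build_hash_set([sample_message()]), device))
```

Hashing the decoded payload rather than the encoded MIME part is what lets a renamed copy on another device still match.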
Thanx. Great info.
It looks like Gmail will allow IMAP but Yahoo Plus does not. It has to be POP. The Connector for Hotmail seems to work fine - have used it once before I think.
Taking care to CHECK "Leave messages on Server" a POP account will only bring down new emails - CORRECT?
- What about old ones and ones in other folders - user created and Sent/Trash etc.
Would Yahoo Plus allow IMAP so that all folders come down with the proper messages?
-=Art=-
Heh. Yahoo does not BUT, gmail allows importing ALL of yahoo messages. :D
So set up a dummy Gmail account, and link to the Y! account. It will suck down every single message into the Gmail account, irrelevant of the Y! type.
Douglas
Thanx. Great info.
+1 Thanks for sharing that approach Douglas
You can do some Yahoo IMAP and there is a connector
http//
Yahoo wiki - obviously verify any info first - scroll down to IMAP info
http//
POP will pull everything from the server. You can play around and do other boxes if you know the ways and the server can support it.
* Made an edit above about doing everything over secure ports and not enabling SMTP/sending.
Ah hah! I like the IMAP connector idea.
Will try it out.
Thank you, again Douglas!
-=Art=-
Jhup
Nicely done! Had not thought of that one - definitely worth the test to go from Yahoo to Gmail to PST.
There's never just one way to skin a cat….. :)
Heh. Yahoo does not BUT, gmail allows importing ALL of yahoo messages. :D
So set up a dummy Gmail account, and link to the Y! account. It will suck down every single message into the Gmail account, irrelevant of the Y! type.
For Yahoo, we typically use the free Zimbra Desktop
http//
The export splits large folders into subfolders of 1000 messages so there's potentially a little bit of work to do after you get it into a PST, but it should still be faster than going via Gmail.