I feel a little foolish to ask this, but here it goes.
What's a good way to locate evidence of webmail on a computer? I can find email addresses easily enough, and internet history to show evidence supporting that webmail URLs are being accessed, but the actual emails seem to be difficult to find (using EnCase).
Now, having said that, IEF finds quite a bit of webmail, and in this particular case all of them are spam-type messages from stores and notifications from social media, but no personal emails from or to friends, family, etc.
I don't mind using multiple tools like EnCase and IEF; I think we all know the benefit of that. But is there something I am overlooking when it comes to finding webmail content in EnCase?
What's a good way to locate evidence of webmail on a computer?
It depends.
I can find email addresses easily enough, and internet history to show evidence supporting that webmail URLs are being accessed, but the actual emails seem to be difficult to find (using EnCase).
Since it's web mail, you have to deal with a number of mechanisms: web caching rules (stated by the web mail server), and web browser security policy and configuration, as well as its infrastructure.
If the web server states that 'this web page – i.e. mail – must not be cached, or stored, on disk' … what does the actual web browser do? Does it follow instructions? If it does, you won't find mails stored. If the web browser has its own policies, what are they? (Some browsers don't cache https traffic on disk, only in memory. In which case the page file is where you may find the stuff.) And if anything is cached locally on disk, for how long will it be around, and how is it disposed of after that (just a simple delete, or is it erased securely)?
Now, having said that, IEF finds quite a bit of webmail, and in this particular case all of them are spam-type messages from stores and notifications from social media, but no personal emails from or to friends, family, etc.
So are you looking in the right place? Or are you looking at a throw-away mail account intended for unimportant mail and possibly spam bait?
If you look for mail-related applications, what do you find? No Thunderbird? No … eM? Mailbird? Claws? … or perhaps older stuff? Eudora? Embla? Is web mail the only possibility?
No VM with unix using 'mailx' on encrypted virtual drive? (Just to be perverse…)
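The caching rules described in the reply above, as an added example that is not part of the original thread: a small triage helper that reads a webmail response's headers and reports what a standards-following browser is being told to do with the page. The sample header blocks and the result labels are constructed for illustration, and the browser's own policy can still override what the server asks for.

```python
# Added example: what do the server's caching headers ask the browser to do?
# Result labels are hypothetical names chosen for this example.

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw response header block."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            key, val = name.strip().lower(), value.strip()
            # Repeated headers are combined into one comma-separated value.
            headers[key] = headers[key] + ", " + val if key in headers else val
    return headers

def cache_directives(headers):
    """Return Cache-Control directives as a dict; fall back to Pragma."""
    directives = {}
    for part in headers.get("cache-control", "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip('"')
    # Pragma: no-cache only counts when Cache-Control is absent.
    if not directives and "no-cache" in headers.get("pragma", "").lower():
        directives["no-cache"] = ""
    return directives

def disk_expectation(raw):
    """Classify where a compliant browser would leave this response."""
    d = cache_directives(parse_headers(raw))
    if "no-store" in d:
        return "NOT_ON_DISK"          # look at memory / page file instead
    if "no-cache" in d or d.get("max-age") == "0":
        return "ON_DISK_REVALIDATED"  # may be stored, re-checked before reuse
    return "ON_DISK"                  # ordinary cacheable response

# Constructed sample responses (not taken from any real webmail service).
SAMPLE_MESSAGE_VIEW = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
                       "Cache-Control: private, no-store, max-age=0\n")
SAMPLE_INBOX_LIST = "HTTP/1.1 200 OK\nCache-Control: no-cache\n"
SAMPLE_STATIC_ASSET = "HTTP/1.1 200 OK\nCache-Control: public, max-age=86400\n"
SAMPLE_LEGACY = "HTTP/1.1 200 OK\nPragma: no-cache\n"

if __name__ == "__main__":
    for label, raw in [("message view", SAMPLE_MESSAGE_VIEW),
                       ("inbox list", SAMPLE_INBOX_LIST),
                       ("static asset", SAMPLE_STATIC_ASSET),
                       ("legacy server", SAMPLE_LEGACY)]:
        print(f"{label:14} -> {disk_expectation(raw)}")
```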