Hi, I'm trying to find webmail on a suspect drive. I know they have a Yahoo email address as well as their Outlook address. I also know what this Yahoo address is and ran a search in FTK using this as the term. I now have many hits in .tmp files and disk free space.
I have been clicking on each disk free space hit and then searching again through the HTML with the email address; the email address occurs many times in each, however I am yet to locate actual email content.
I therefore started searching through the free space using the term "original message". From this I am pulling back emails from HTML which are related to his Outlook address, but no Yahoo emails.
Any thoughts as to why I can only locate the address and not actual emails?
Any ideas for search terms that are more or less unique to a Yahoo email or occur in HTML around Yahoo email messages?
And lastly, why am I finding Outlook emails embedded in HTML? I know the company uses Exchange Server; could this be related?
Thanks for any advice.
In EnCase, for a quick look through the webmail (I usually do this in addition to the webmail parser as it seems to miss stuff, I think) I filter with
if filename contains showfolder or getmsg or compose or showletter (there are probably others I can't remember)
to filter all the filenames with those common terms for webmail pages and have a flick through them. (Yes, this may add in a few irrelevant pages, but not enough to worry about generally, and it covers more than I would by being more specific with extensions or characters that come after/around, which are often missing for some reason.)
Re the other question, are you searching for the address rather than the username, i.e. 'joebloggs69@yahoo.com' rather than 'joebloggs69'? You may have more luck with the latter.
Re your Outlook emails, not entirely sure what you have, but I have a web-based Exchange option at work, so could this be similar?
Rich
Thanks rich2005. EnCase webmail parser? Does FTK have an equivalent?
Finding webmail on a suspect drive has been a real pain for me recently…
It just doesn't seem as straightforward as it should be; it's more of a long, drawn-out, boring process from which I reap no rewards atm…
strobak
Fully intact webmail pages should end up in some browser cache or other.
Webmail traces in slack/free space, if carved out on header info, may be partial files and significantly broken, so you only get maybe the term you were looking for and a few lines more. This is usually down to a heavily fragmented drive.
WRT Yahoo, why not join up and use the service on a clean user ID on your PC? Then go check the web cache for HTML files and relevant names. Then you can deconstruct them into component parts. Some browsers/OSes may have different cache styles, so it would be better to match what you're looking for yourself.
WRT Outlook and HTML, can't an Outlook pane be used to open browser material via a link, and vice versa? If someone has sent an email in HTML format, won't Outlook present it as such?
kern
Three things I can think of.
1. Carve out all the HTML in FTK.
2. Under Internet options, search all the right-hand column searches, i.e. .com, .net, .org (you should potentially search all the ones in the left as well: http, https, www etc.).
3. Be sure you have reindexed the case; no need to do previously indexed files.
FTK has a problem opening Yahoo mails, so you find yourself sometimes doing an export to desktop and viewing them on there.
Sometimes you have to just go one by one all the way down the HTML files until you hit the gem you need.
One thing I have found with Yahoo webmail in the temporary internet cache is the presence of gzip files that show no file extension. You will normally find these with the same date and time stamps as the viewable .html extension files that contain the emails or whatever. When the HTML files are deleted, it appears the gzip ones are left. If you search the temporary internet cache for these gzip files, you may find that they contain Yahoo messages or other interesting pages.
EnCase can view these gzip files, but if you have trouble I found the following works.
Copy them out and, in the process, give them a gzip extension. Open them in WinZip and save them out, in the process giving them an html extension. If, when you open them in IE, you get the "cannot connect to server" page and they are unreadable, open them instead in Navroad32 and you will see the content.
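As an added example (not code posted by anyone in this thread), a small Python script that combines two of the tips above: rich2005's filename filter for common webmail page names, and the last post's observation that Yahoo cache files are often gzip-compressed with no extension. It identifies gzip by the magic bytes rather than the extension, decompresses, and searches the content for the bare username rather than the full address. The sample cache directory, its file names and the 'joebloggs69' address are constructed for the demo.

```python
import gzip
import os
import re
import tempfile
import zlib

GZIP_MAGIC = b"\x1f\x8b"
# Filename fragments rich2005 filters on for common webmail pages
WEBMAIL_NAME_HINTS = ("showfolder", "getmsg", "compose", "showletter")

def read_cache_file(path):
    """Return (bytes, was_gzip). Gunzips when the content starts with the gzip
    magic; the extension is ignored since cache files often lack one."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(GZIP_MAGIC):
        try:
            return gzip.decompress(raw), True
        except (OSError, EOFError, zlib.error):
            return raw, True  # truncated/partial member: keep the raw bytes
    return raw, False

def scan_cache(cache_dir, username):
    """Walk cache_dir; report files whose name carries a webmail hint or whose
    (decompressed) content mentions the bare username, not only the full address."""
    pattern = re.compile(re.escape(username).encode(), re.IGNORECASE)
    hits = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            data, was_gzip = read_cache_file(os.path.join(root, name))
            name_hit = any(h in name.lower() for h in WEBMAIL_NAME_HINTS)
            mentions = len(pattern.findall(data))
            if name_hit or mentions:
                hits.append({"file": name, "gzip": was_gzip,
                             "name_hit": name_hit, "mentions": mentions})
    return sorted(hits, key=lambda h: h["file"])

def build_sample_cache():
    """Constructed sample cache (not real evidence): an extensionless gzip page,
    a plain webmail page named like a Yahoo message view, and an unrelated file."""
    d = tempfile.mkdtemp(prefix="cache_")
    msg = b"<html>From: joebloggs69@yahoo.com<br>--- Original Message ---</html>"
    with open(os.path.join(d, "A1B2C3D4"), "wb") as fh:
        fh.write(gzip.compress(msg))
    with open(os.path.join(d, "getmsg[1].htm"), "wb") as fh:
        fh.write(b"<html>Yahoo! Mail folder view</html>")
    with open(os.path.join(d, "logo[1].gif"), "wb") as fh:
        fh.write(b"GIF89a\x00\x00")
    return d
```

Run `scan_cache(build_sample_cache(), "joebloggs69")` to see the two matching files reported with their gzip status and mention counts; point it at an exported cache folder to apply the same checks to real data.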