If you have Windows Mail installed on a PC being used to access and download 5 email accounts. 4 of the accounts are removed and deleted from the program. The computer and the program continues to be used normally for some time, before the drive is forensically examined.
How much of the data from the 4 email accounts that were on there could likely be recovered and where would be the best place to start looking?
If you have Windows Mail installed on a PC …
The lack of responses is probably an indication that Windows Mail is not as well researched as, say, Outlook.
Windows Mail is fairly straight forward.
Emails are stored as plain text files (.eml) at C\users\<user>\AppData\Local\Microsoft\Windows Mail\Local Folders, but this can be changed by the user.
As for deleting accounts - I haven't tested it. Even if the user deleted the account and that causes the emails to be deleted as well, a simple search for common email search terms ("Received from" for instance) may find them.
Terry
windows.edb is a good place to try, and then start doing some string searches across the drive to locate fragments of emails.
H
windows.edb is a good place to try, and then start doing some string searches across the drive to locate fragments of emails.
H
Windows.edb is definitely worth a try, but my understanding is that it's pretty proactive in cleaning up entries from deleted files. So, if the emails were deleted, there wouldn't be an entry in Windows.edb.
But, I haven't tried it, so I could be wrong.
Volume Shadow Copy may be your friend in this case as well. Or any backup service, really.