Microsoft HxStore.hxd (email) Research

Possible additional Windows Live Mail message location?

Up until Windows 10, you could find email-related files with the extension “.EML”. These files presented the opportunity for email forensics. Once the new iteration of the Windows OS came about, it started storing files in alternative ways. It was found that a user’s Windows Live Mail (I’ll refer to this as WLM) related data could be found within the path “\Users\<Username>\Appdata\Local\Comms”. The collection of files here includes valuable information about the user’s emails within WLM.

Recently, a new file was found that my Professor and I did not recognize. This file, HxStore.hxd, appears to resemble the known Store.vol WLM file. My first guess is that it is just a hex version of the same file, but the alternate file location and structure had me curious. After not finding any analysis of this new file online, I figured I should take a look at it. This blog post just reviews my initial findings and interpretations so far.

The file in question is named “HxStore.hxd” and can be found at path:

Users\<user>\Appdata\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\

Findings:

  • This file begins with the header “Nostromoh” and then contains an abundance of unused bytes (figure 1). As the file progresses, random clusters of unintelligible text are revealed. At the time of this post I have not deciphered these data blocks.
    Figure 1: The header of the file.

    Figure 2: Unintelligible data
  • A simple ASCII ‘Find all’ search on the file for “@body” will bring you straight to the message instances (figure 3). There will be a reference to the subject of the message thread, followed by the message itself. Some portions of the messages appear to have their ASCII interpretation corrupted, but these are typically minor instances. This allows the emails to be almost fully recovered.
    Figure 3: A search for “@body” finds the email message body within the file.

  • Much like a typical email visualization, it appears that some of the newer email messages are combined with the previous email messages that are within the same conversation thread. In this case, the newest message is on top and the bottom message is the one that is being responded to. In figure 4 below, you will see that the red message is the most recent response in the conversation thread.
    Figure 4: The conversation thread with stacking
  • Valuable timestamps can be found along with a select number of message bodies that are stored within this file (figure 5).

    Figure 5: Timestamps of email message
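As an added example (not the author's code, and not a tool from the post), the following Python script applies the two observations above, the “Nostromoh” signature and the “@body” marker, to carve message text out of an HxStore.hxd file while tolerating the corrupted bytes the post mentions. The sample bytes are constructed to mimic the described layout, and the 512-byte window, 64-byte look-back and 3-byte minimum run length are assumptions, not values from the post.

```python
import re
import sys

HEADER = b"Nostromoh"   # file signature observed at offset 0
MARKER = b"@body"       # string that precedes each message body

# Constructed sample that mimics the described layout (signature, unused
# bytes, a subject reference, then "@body" followed by text with a few
# corrupted bytes). It is not taken from a real HxStore.hxd file.
SAMPLE = (
    HEADER + b"\x00" * 64
    + b"\x07\x00Re: budget\x00\x00"
    + MARKER + b"\x00Hi Sam,\r\nApproved.\x00\xff\x00Thanks\x00"
    + b"\x00" * 32
    + MARKER + b"\x00Please see the\x00\xfe attached draft.\x00"
)

def has_hxstore_header(data: bytes) -> bool:
    """Sanity check before carving: the file should start with 'Nostromoh'."""
    return data.startswith(HEADER)

def printable_runs(chunk: bytes, min_len: int = 3) -> list:
    """Return ASCII runs (tab, CR and LF allowed) of at least min_len bytes.
    Any other byte acts as a separator, so a corrupted byte in the middle of
    a message splits it into fragments instead of hiding the whole message."""
    pattern = rb"[\x20-\x7e\t\r\n]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, chunk)]

def carve_bodies(data: bytes, window: int = 512, lookback: int = 64) -> list:
    """Locate each '@body' marker and collect (a) printable text just before
    it, where the subject reference tends to sit, and (b) printable text after
    it, up to `window` bytes or the next marker, whichever comes first."""
    offsets = [m.start() for m in re.finditer(re.escape(MARKER), data)]
    records = []
    for i, off in enumerate(offsets):
        prev_end = offsets[i - 1] + len(MARKER) if i else 0
        next_off = offsets[i + 1] if i + 1 < len(offsets) else len(data)
        before = data[max(off - lookback, prev_end):off]
        after = data[off + len(MARKER):min(off + window, next_off)]
        records.append({
            "offset": off,
            "context_before": printable_runs(before),
            "fragments": printable_runs(after),
        })
    return records

if __name__ == "__main__":
    # Pass a path to carve a real file; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("header ok:", has_hxstore_header(blob))
    for rec in carve_bodies(blob):
        print(f"0x{rec['offset']:08x} {rec['context_before']} -> {rec['fragments']}")
```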

Over the next few weeks I will look more into this file and further compare it to the known “store.vol”. Further findings will be added to this post. Meanwhile, if anyone has any advice/knowledge to offer, I would be most appreciative.
