Possible additional Windows Live Mail message location?
Up until Windows 10, you could find email-related files with the extension “.EML”. These files presented the opportunity for email forensics. Once the new iteration of the Windows OS came about, it started storing files in alternative ways. It was found that a user’s Windows Live Mail (I’ll refer to this as WLM) related data could be found within the path “\Users\<Username>\Appdata\Local\Comms”. The collection of files here includes valuable information about the user’s emails within WLM.
Recently, a new file was found that my Professor and I did not recognize. This file, HxStore.hxd, appears to resemble the known Store.vol WLM file. My first guess is that it is just a hex version of the same file, but the alternate file location and structure had me curious. After not finding any analysis of this new file online, I figured I should take a look at it. This blog post just reviews my initial findings and interpretations so far.
The file in question is named “HxStore.hxd” and can be found at path:
- This file begins with the header “Nostromoh” and then contains an abundance of unused bytes (figure 1). As the file progresses, random clusters of unintelligible text are revealed. At the time of this post I have not deciphered these data blocks.
- A simple ASCII ‘Find all’ search on the file for “@body” will bring you straight to the message instances (figure 3). There will be a reference to the subject of the message thread, followed by the message itself. Some portions of the messages appear to have their ASCII interpretation corrupted, but these are typically minor instances. This allows the emails to be almost fully recovered.
- Much like a typical email visualization, it appears that some of the newer email messages are combined with the previous email messages within the same conversation thread. In this case, the newest message is on top and the bottom message is the one being responded to. In figure 4 below, you will see that the red message is the most recent response in the conversation thread.
- Valuable timestamps can be found along with a select number of message bodies that are stored within this file (figure 5).
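To make the two observations above reproducible without a hex editor, here is a small carving script I am adding as an example (it is not part of the original post, and nothing about the file beyond the “Nostromoh” header and the “@body” marker is assumed to be known). It checks the header at offset 0, then returns the text that follows each “@body” marker, decoding leniently so the minor corrupted bytes do not abort recovery. The sample bytes in the script are constructed for illustration, not taken from a real HxStore.hxd.

```python
"""Carve "@body" message instances from an HxStore.hxd-style file.

Assumptions (from the post's observations only): the file starts with the
ASCII header "Nostromoh", and each stored message is preceded by the
marker "@body". Everything else is treated as opaque bytes.
"""
import re
from dataclasses import dataclass

HEADER = b"Nostromoh"
MARKER = b"@body"


@dataclass
class Hit:
    offset: int   # byte offset of the "@body" marker within the file
    text: str     # recovered printable text that follows the marker


def has_header(data: bytes) -> bool:
    """True if the buffer begins with the "Nostromoh" header."""
    return data.startswith(HEADER)


def carve_bodies(data: bytes, max_len: int = 4096) -> list[Hit]:
    """Return one Hit per "@body" marker, in file order.

    The text for a hit runs from the end of its marker to the next marker,
    or at most max_len bytes. Bytes that do not decode are replaced rather
    than raising, and the NUL/control noise seen around the blocks is
    stripped so the message reads as it would in the mail client.
    """
    hits: list[Hit] = []
    for m in re.finditer(re.escape(MARKER), data):
        start = m.end()
        nxt = data.find(MARKER, start)
        end = nxt if nxt != -1 else min(len(data), start + max_len)
        chunk = data[start:end]
        text = chunk.decode("utf-8", errors="replace")
        # keep printable ASCII plus CR/LF/TAB; drop NULs, other control
        # bytes and the U+FFFD replacement characters from corrupt bytes
        text = re.sub(r"[^\x20-\x7e\r\n\t]", "", text).strip()
        hits.append(Hit(m.start(), text))
    return hits


# Constructed sample: header, a run of NUL padding, two "@body" instances,
# with two corrupt bytes (\xff\xfe) after the first message.
SAMPLE = (
    HEADER + b"\x00" * 64
    + MARKER
    + b"Subject: Re: meeting\r\nThanks, see you at 10.\r\n\r\n"
    + b"> Original: can we meet at 10?" + b"\xff\xfe"
    + b"\x00" * 16
    + MARKER + b"Subject: lunch\r\nSandwiches today?"
)


def carve_file(path: str) -> list[Hit]:
    """Read a real file and carve it; prints a warning if the header differs."""
    with open(path, "rb") as fh:
        data = fh.read()
    if not has_header(data):
        print(f"warning: {path} does not start with {HEADER!r}")
    return carve_bodies(data)


if __name__ == "__main__":
    print("header ok:", has_header(SAMPLE))
    for h in carve_bodies(SAMPLE):
        print(f"offset {h.offset}:")
        print(h.text)
        print("-" * 40)
```

Run it on an exported copy of the file with `carve_file("HxStore.hxd")` (a copy, so the original evidence is untouched); the offsets it reports are the same ones a hex editor’s ‘Find all’ on “@body” would show, which makes it easy to cross-check the carved text against figures 3 and 4.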
Over the next few weeks I will look more into this file and further compare it to the known “store.vol”. Further findings will be added to this post. Meanwhile, if anyone has any advice/knowledge to offer, I would be most appreciative.