Microsoft Mail

Overview

Evidence: Microsoft Mail
Description: Collect Microsoft Mail Emails
Category: Applications
Platform: windows
Short Name: mml
Is Parsed: No
Sent to Investigation Hub: No
Collect File(s): Yes

Background

Microsoft Mail (Windows Live Mail and Windows 10/11 Mail app) stores email messages in EML format and ESE databases. These applications are built-in Windows email clients that sync with various email accounts including Outlook.com, Gmail, and Exchange.

Data Collected

This collector gathers structured data about Microsoft Mail.

Collection Method

This collector gathers EML email files from Windows Live Mail directories, Unistore email databases, and HXD files from the modern Windows Mail app.

Forensic Value

Email data is critical for investigations involving communication evidence, phishing attacks, business email compromise, data exfiltration, and establishing timelines. Emails reveal correspondence, attachments, contacts, and can provide evidence of intent or planning.
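Because this evidence type is collected as files and not parsed, timeline and attachment details have to be extracted from the collected EML files afterwards. The following is an added example, not part of the product or of the original page, showing one way to do that with Python's standard library; the function name `triage_eml` and the sample message are constructed for illustration.

```python
import hashlib
from datetime import timezone
from email import policy
from email.parser import BytesParser

# Constructed sample message for illustration (not real evidence).
SAMPLE_EML = b"""\
Received: from mail.example.net by mx.example.org; Tue, 05 Mar 2024 08:15:02 +0000
From: Alice <alice@example.net>
To: bob@example.org
Subject: Invoice
Date: Tue, 05 Mar 2024 09:15:00 +0100
Message-ID: <constructed-1@example.net>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def triage_eml(raw: bytes) -> dict:
    """Return timeline fields and attachment hashes for one collected EML file."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hdr = lambda name: str(msg[name]) if msg[name] is not None else None
    # Date is set by the sender and can be forged; Received lines are added by servers.
    dt = getattr(msg["Date"], "datetime", None)
    if dt is not None and dt.tzinfo is None:  # "-0000" zone: value is UTC
        dt = dt.replace(tzinfo=timezone.utc)
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename(), "size": len(data),
                            "sha256": hashlib.sha256(data).hexdigest()})
    return {
        "message_id": hdr("Message-ID"), "from": hdr("From"), "to": hdr("To"),
        "subject": hdr("Subject"),
        "sent_utc": dt.astimezone(timezone.utc).isoformat() if dt else None,
        "received": [str(h) for h in msg.get_all("Received", [])],
        "attachments": attachments,
    }
```

Run it against a working copy of each collected file (for example `triage_eml(open(path, "rb").read())`) so the original evidence stays unmodified.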
