Knowledgebase:
Investigating The Bat! Mailstorage
Posted by Jack H. Ward, Last modified by Jack H. Ward on 06 February 2018 03:27 AM

Electronic Evidence Examiner allows you to investigate mailstorages created by The Bat! of versions 3.x and higher.  

The Bat! mailstorage is stored in a *.tbb file or in the The Bat! folder.

Mailstorage default location:

Windows 7, 8, 8.1, 10

C:\Users\<<windows_username>\AppData\The Bat!


The Application Data folder (AppData in Windows 7, 8, 8.1, and 10) is hidden by default.

If you want to add the whole mailstorage with all accounts, navigate to the The Bat! folder and add it to Electronic Evidence Examiner.

If you want to add a specific mailbox, navigate to the subfolder with the name of the account in the The Bat! folder and add it to Electronic Evidence Examiner.

If you want to add a specific folder of a specific user from the mailstorage (i.e., Inbox folder, Outbox folder), do one of the following:

  • Navigate to the desired subfolder in the folder with Account name and add it to Electronic Evidence Examiner.
The folder must contain a MESSAGES.tbb file.
  • Navigate to the desired subfolder, select the MESSAGES.tbb file and add it to Electronic Evidence Examiner (e.g., MESSAGES.tbb file from the Inbox folder to add only the Inbox folder).

 To investigate the The Bat! mailstorage, do the following:

1. Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select The Bat! database. Click OK.



3. In the Select source for mounting window, select the Folder option to open the folder containing the mailstorage. Select the File option to open the *.tbb file.
4. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing The Bat! database and click Open. If you select the File option, in the standard Open window, navigate to the *.tbb file and click Open.

5. Enter the Evidence name (by default, the name of the file/folder to be added) and click OK.
6. The Bat! mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).
8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane.  Its contents are displayed in the E-mail Data pane (at the bottom).
10. You can view the message contents in different formats and/or view the attachments.



Attachments 
 
 The Bat step 1.png (44.23 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)