Knowledgebase:
Adding Mailstorage Evidence
Posted by Jack H. Ward, Last modified by Jack H. Ward on 29 January 2018 03:20 AM

A Mailstorage or Email Evidence is a link to a mailstorage (email database) that allows the user to view and examine its structure and content. Generally, a mailstorage consists of folders, each of which can include messages, which, in their turn, can have attachments (files of different formats attached to them).

To add evidence to a new or existing case, do the following:

1. Create a new case or open an existing one.

2. On the Evidence tab, in the Evidence group, click Add Evidence; or right-click the case node and select Add New Evidence; or click Add Evidence on the Welcome screen (if you add an evidence before creating or opening a new case, the case will be created automatically and saved to C:\Users\<User>\My Documents\Paraben Corporation\Paraben’s Electronic Evidence Examiner by default. The name of the case file will be e3).
3.The Add New Evidence window opens.



4. Select the Email database evidence category and its Source type. Use the Autodetect option to browse to a file or folder and have Electronic Evidence Examiner auto detect evidence for the selected category.
5. In the Select source for mounting window, select whether the evidence is found in a File or Folder and click OK.     
                                                                                                                                                                                                                          


The following mailstorages are stored in files:

AOL database

File *.pfc

EDB database

File *.edb

EDB 5.5 database

File *.edb

EDB 2013 database

File *.edb

PST database

File *.pst

OST database

File *.ost

The Bat! database

File *.tbb

Outlook Express database

File *.dbx

NSF database

File *.nsf

Eudora database

File *.mbx

Google Takeout Storage

File *.mbox

E-mail File database

File *.eml

E-mail Examiner archive

File *.pmx


The following mailstorages are stored in folders:

GroupWise database

Folder containing a mailstorage

The Bat! database

Folder containing a mailstorage

Thunderbird database

Folder containing a mailstorage

Outlook Express database

Folder containing a mailstorage

Eudora database

Folder containing a mailstorage

E-mail File database

Folder containing a mailstorage

Windows mail database

Folder containing a mailstorage

Maildir database

Folder containing a mailstorage

6. If you select the Folder option, in the Browse For Folder window, navigate to the folder containing the mailstorage and click Open. If you select the File option, in the standard Open window, navigate to the file and click Open.
      
The investigation of mailstorage evidence is possible with the following packages:

Mailstorage Type

E3: Universal/P2C

E3: EMX

E3: NEMX

America On-line (AOL)

+

+

-

Eudora

+

+

-

E-mail Files

+

+

-

E-mail Examiner Archive

+

+

-

Google Takeout

+

+

-

Maildir Database

+

+

-

Microsoft Outlook

+

+

-

Outlook Express

+

+

-

The Bat!

+

+

-

Thunderbird

+

+

-

Windows Mail

+

+

-

Microsoft Exchange

+

-

+

GroupWise

+

-

+

Lotus Notes

+

-

+



Attachments 
 
 Adding Mailstorage Evidence.png (29.69 KB)
 Adding Mailstorage Evidence 2.png (40.97 KB)
(0 vote(s))
Helpful
Not helpful

Comments (0)