Whether you’re a fan of the new Outlook app or not, Microsoft are keen to push it on users, so as digital forensics practitioners we should expect to see it more and more often. From a DFIR perspective it represents a big change in how the data is stored, so in this blog Principal Analyst Oliver Hartshorn breaks down what can be found, where to find it, and why, even when an app might not look like a browser, it might still be one.
Outlook for Windows is Microsoft’s latest free email client. The app, available from the Microsoft Store (as well as now coming by default on Windows 11), effectively replaces the built-in Mail app from Windows 10 and 11. It does not (currently) appear to be a replacement for the Outlook desktop application that is part of Office.

Outlook for Windows is a Windows Desktop application that utilises Microsoft Edge WebView2 (WebView2). WebView2 uses Microsoft Edge (based on Chromium) as the rendering engine to display web content. Because of this, the artefacts produced by Outlook for Windows share many similarities with artefacts produced by other Chromium-based browsers/applications.
As this is a Windows Store app, we would be used to its artefacts being stored within C:\Users\\AppData\Local\Packages\, and although a set of folders does get created there, the artefacts we’re interested in for this Outlook app can be found in the following location:
C:\Users\\AppData\Local\Microsoft\Olk\
Within the Olk folder, you may find a file called “UserSettings.json”.
This JSON file contains a key named “Identities” in which the email addresses (two email accounts in this case) in use by the Outlook for Windows client can be found, along with a string of hexadecimal characters sometimes referred to as an InternetUID. Furthermore, another key called “AccountLocalBackup” exists associating a UUID with the email address:

Within this location, a folder called “EBWebView” exists. A folder called “EBWebView” or “EBWebView2” is a good marker to be looking out for to identify applications using Edge WebView. Inside here we’ll find the customary “Default” profile folder containing the usual Chromium/Electron folder/file names:
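As an added example (not code from the original article or from Microsoft), the script below applies the marker described above: it walks an extracted file tree for “EBWebView”/“EBWebView2” folders, lists any IndexedDB LevelDB folders under the “Default” profile, and collects the “Identities” and “AccountLocalBackup” values from a neighbouring “UserSettings.json” wherever they are nested. The function names, the sample tree and the sample JSON values are constructed for illustration, and the `.leveldb` suffix is the usual Chromium naming for IndexedDB store folders rather than something stated on this page.

```python
import json
import os
import tempfile
from pathlib import Path

MARKERS = {"ebwebview", "ebwebview2"}  # folder names the article gives as WebView2 markers
SETTINGS_KEYS = {"Identities", "AccountLocalBackup"}  # key names the article reports

def collect_keys(node, wanted, found):
    """Collect values of the wanted keys at any depth; the file's layout is not assumed."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key in wanted:
                found.setdefault(key, []).append(value)
            collect_keys(value, wanted, found)
    elif isinstance(node, list):
        for item in node:
            collect_keys(item, wanted, found)
    return found

def triage_webview(root):
    """Report each WebView2 user-data folder found under an extracted file tree."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in [d for d in dirnames if d.lower() in MARKERS]:
            dirnames.remove(name)  # do not walk inside the profile itself
            idb = Path(dirpath, name, "Default", "IndexedDB")
            settings = {}
            if "UserSettings.json" in filenames:  # sits beside EBWebView in the Olk folder
                try:
                    raw = Path(dirpath, "UserSettings.json").read_text(encoding="utf-8-sig")
                    settings = collect_keys(json.loads(raw), SETTINGS_KEYS, {})
                except (OSError, ValueError):  # unreadable, badly encoded or malformed JSON
                    settings = {"error": "unreadable UserSettings.json"}
            stores = sorted(p.name for p in idb.glob("*.leveldb")) if idb.is_dir() else []
            hits.append({"app_folder": Path(dirpath).name, "user_data_dir": os.path.join(dirpath, name),
                         "leveldb_stores": stores, "settings": settings})
    return hits

def build_sample(root):  # constructed sample tree; every name and value here is hypothetical
    olk = Path(root, "AppData", "Local", "Microsoft", "Olk")
    (olk / "EBWebView" / "Default" / "IndexedDB" / "https_example.invalid_0.indexeddb.leveldb").mkdir(parents=True)
    sample = {"Identities": {"user@example.invalid": "0123abcd"}, "AccountLocalBackup": {}}
    (olk / "UserSettings.json").write_text(json.dumps(sample), encoding="utf-8")
    Path(root, "AppData", "Local", "OtherApp", "EBWebView2", "Default").mkdir(parents=True)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(json.dumps(triage_webview(tmp), indent=2))
```

Point `triage_webview` at the root of a mounted or extracted user profile; a hit whose `settings` is empty is simply another WebView2 application with no “UserSettings.json” beside it.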

As with an increasing number of websites/web apps, a lot of useful data can be found stored in an IndexedDB. As this app is based on Edge WebView2 (Chromium), the IndexedDB data is stored within a LevelDB data store. We’ve already covered these data structures in detail in a previous blog:
https://www.cclsolutionsgroup.com/post/indexeddb-on-chromium. In short, IndexedDB databases are a key-value store of JavaScript objects, and values could themselves consist of further key-value objects.
One of the most powerful tools we have for understanding how web apps store data is the developer tools built into browsers; luckily we can still make use of these tools in this WebView application by running it with the following command:

By clicking on “Application” from the menu in the DevTools window, we can see the different data storage objects, including IndexedDB:

Although it isn’t quite the same as a relational database such as SQLite, we can draw some analogies to make things feel a little familiar: IndexedDB can contain a number of databases, each of which contains a number of object stores. You can think of object stores like tables, which, as in relational databases, can also have indices to speed up data access. Object stores contain records, which are like rows in a table (but structured as a hierarchy rather than a row).
Figure 5 shows a screenshot of the databases in the IndexedDB during testing. Two email accounts were added to this instance of Outlook. The two sets of databases ending in two different UUIDs relate to these two different email accounts. These are the same UUIDs identified in the “UserSettings.json” file.
IndexedDB databases contain data structures called Object Stores. Some of these can be seen in figure 6:

In figure 6, the Object Stores can be seen with the icon:
The other items that can be seen are indices. The “owa-offline-data-<uuid>” database contains many of the object stores that are of interest to us. Figure 7 shows some of the databases and object stores that could be of interest.