Not so long ago, one email client that grew in popularity in the United Kingdom (particularly amongst paedophiles) was the one provided with America Online (AOL).
Email extraction and analysis causes significant problems for digital forensic examiners. Almost all of the forensic software designed for extracting email is tailored to mail-store files which are intact. This means it has not been designed to extract email data from the other areas of a suspect hard drive, such as unallocated clusters, cluster slack, page files, hibernation files and other binary source files. Nor has it been designed to extract data fragments when the mail-store index has been overwritten.
From an evidential point of view, it is likely that a large quantity of email evidence is not being extracted. In addition, as there is limited documentation available regarding the proprietary binary file structures, there is wide variance in the output from many of the commercial forensic tools currently available.
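As an added illustration of the point above (this is not code from Digital Detective or from Blade), the carver below scans a raw byte image rather than a parsed mail store, so messages sitting in unallocated or slack space are found and each one is reported with the byte offset it was carved from. It looks for generic RFC 5322 header blocks, because the proprietary AOL PFC layout is not documented on this page; the sample image, addresses and subjects are constructed. It also shows the partial-recovery case the text describes: a message whose header survives but whose body was overwritten is still reported, with an empty body and a note of why the carve stopped.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Generic RFC 5322-style header carver (an assumption for illustration; NOT the
# AOL PFC format, which is not documented here). A header line is "Name: value"
# ended by CRLF or LF; a block is two or more such lines ended by an empty line
# (or end of image). Bytes regex because the input is a raw disk image.
HEADER_BLOCK_RE = re.compile(
    rb"(?:[A-Za-z][A-Za-z0-9-]*:[ \t][^\r\n]*\r?\n){2,}(?:\r?\n|$)"
)
# A header-shaped block is accepted as mail only if it carries at least two of these.
MAIL_HEADERS = ("from", "to", "subject", "date")
MAX_BODY = 64 * 1024   # size cap so a false positive cannot swallow the image
NUL_RUN = b"\x00" * 4  # unallocated and slack space is typically zero-filled


@dataclass
class CarvedMessage:
    offset: int              # byte offset of the first header line in the image
    headers: Dict[str, str]  # lowercased name -> first value seen
    body: bytes              # carved body; empty when it was overwritten
    terminator: str          # why the body carve stopped: nul / next-header / cap / eof


def parse_headers(block: bytes) -> Dict[str, str]:
    """Split a header block into a dict; first occurrence of a name wins."""
    headers: Dict[str, str] = {}
    for line in block.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line:
            break
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode("ascii", "replace"),
                           value.strip().decode("latin-1"))
    return headers


def carve_body(image: bytes, start: int) -> Tuple[bytes, str]:
    """Body runs until a NUL run, the next header block, the size cap or end of image."""
    cap = min(len(image), start + MAX_BODY)
    end, why = cap, ("cap" if cap < len(image) else "eof")
    nul = image.find(NUL_RUN, start, cap)
    if nul != -1:
        end, why = nul, "nul"
    nxt = HEADER_BLOCK_RE.search(image, start, end)
    if nxt:
        end, why = nxt.start(), "next-header"
    return image[start:end], why


def carve_messages(image: bytes) -> List[CarvedMessage]:
    """Walk the whole image, file system or not, and return every mail-shaped hit."""
    found: List[CarvedMessage] = []
    pos = 0
    while True:
        m = HEADER_BLOCK_RE.search(image, pos)
        if not m:
            return found
        headers = parse_headers(m.group(0))
        if sum(h in MAIL_HEADERS for h in headers) < 2:
            pos = m.end()  # header-shaped but not mail (e.g. HTTP); keep scanning
            continue
        body, why = carve_body(image, m.end())
        found.append(CarvedMessage(m.start(), headers, body, why))
        pos = m.end() + len(body)


def build_sample_image() -> bytes:
    """Constructed raw image: two messages in zero-filled space, one header-only
    fragment whose body was overwritten, and one non-mail header block."""
    filler = b"\x00" * 512
    msg1 = (b"From: alice@example.org\r\nTo: bob@example.org\r\n"
            b"Subject: Q3 invoice\r\nDate: Mon, 01 Jan 2024 10:00:00 +0000\r\n\r\n"
            b"Bob, the invoice is attached.\r\n")
    msg2 = (b"From: carol@example.org\nTo: dave@example.org\n"
            b"Subject: Re: meeting\n\nSee you at 3.\n")
    fragment = b"From: eve@example.org\r\nSubject: overwritten\r\n\r\n"  # body lost
    junk = b"Content-Type: text/plain\r\nX-Stuff: 1\r\n\r\nnot mail\r\n"
    # msg2 abuts the fragment with no gap, as messages do inside a mail store.
    return filler + msg1 + filler + msg2 + fragment + filler + junk + filler


if __name__ == "__main__":
    for msg in carve_messages(build_sample_image()):
        print(f"offset {msg.offset:#010x}  subject={msg.headers.get('subject')!r}  "
              f"body={len(msg.body)} bytes  stopped at {msg.terminator}")
```

The offset is the piece of output an examiner needs in order to tie a recovered message back to a sector, a cluster or a page-file region in the image, which is what makes a carved result defensible in evidence. The body terminator tells the examiner whether the message ended cleanly at the next record, ran into zero-filled space (a likely sign of deletion or a reused cluster) or hit the size cap.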
Recovery of AOL (Personal Filing Cabinet) Email Messages
The AOL Professional Recovery Module is able to recover live and deleted email messages (including attachments) directly from a forensic image (such as an EnCase® E01 compressed image) or from a physical disk or volume. The output from the software allows the forensic investigator to identify the exact location the data was recovered from.
The carving engine for this Module is the result of numerous years of research and development. It was originally released in the Digital Detective product EMLXtract. When this software was released to law enforcement in 2004, it was the first software product to recover AOL email messages from an image or a physical/logical device (as opposed to a single PFC file). When compared against other tools, this software recovered more email messages than any other. It works particularly well against corrupted data, where many other tools fail to recover anything at all.
The research and development that went into recovering AOL email messages from a forensic image took a considerable amount of time. AOL email messages contain many different elements such as compressed and non-contiguous data blocks. Embedded attachments can be split and have to be stitched back together. When this module was originally designed, the goal was not to recover live and deleted email messages from a Personal Filing Cabinet, but to be able to recover emails from a disk image. This functionality was originally released to Police Forces all around the world as a tool called EMLXtract.
Through research and development, the recovery engine has been enhanced further and is now part of Blade. The following video shows the extraction and examination of AOL email messages from a segmented disk image.