
Recovery of AOL PFC (Personal Filing Cabinet) Email Messages

Blade®, Data Recovery

Introduction

The use of electronic mail (email) as a mode of communication for both formal and informal purposes has increased considerably over the past decade. As such, the opportunities for the criminal element of society to make use of this facility have also widened, making it commonplace within a digital forensics examination to review email content. Not so long ago, one email client which increased in popularity (particularly amongst paedophiles) in the United Kingdom was that provided with America Online (AOL).

Email extraction and analysis causes significant problems for digital forensic examiners. Almost all of the forensic software designed for extracting email is tailored for dealing with mail-store files which are intact. This means that they have not been designed to extract email data from the other areas of a suspect hard drive, such as unallocated clusters, cluster slack, page files, hibernation files and other binary source files. They have also not been designed to extract data fragments when the mail-store index has been overwritten.

From an evidential point of view, it is likely that a large quantity of email evidence is not being extracted. In addition, as there is limited documentation available regarding the proprietary binary file structures, there is wide variance in the output from many of the commercial forensic tools currently available.

AOL Email Client

In complete contrast to the wealth of software resources available for Microsoft Outlook Express, there are limited resources available for the file format of the AOL Personal Filing Cabinet (mail-store file) and email client.

There are numerous commercial companies offering a service to convert AOL Personal Filing Cabinet files into other mail-store formats; however, this is not a forensic service. A recent search revealed one company offering to convert a single PFC mail-store file for $200 US.

The AOL Email client stores data from individual email messages in a binary file generally known as the PFC (Personal Filing Cabinet). This file has no extension. In a typical Microsoft Windows XP system, the folder structure and mail-store files are stored within the user profile as shown below. The organize folder holds the mail-store data and has a structure which is in a similar format through various versions of the client. In this example, you can see a single screen name (this is an AOL term for a user) in use.

 

Figure 1

The data for this version is stored within an organize folder within the “All Users” Windows profile. The organize folder can support and store multiple screen names. The individual files for a screen name are shown below:

 

Figure 2

With regards to email messages, the main file of interest is the Personal Filing Cabinet (PFC). This is a binary file which contains a number of different AOL objects such as Favourite Places, Away Messages, Stored Email Messages, Newsgroup Postings and Download Manager information.

With AOL version 7.00 and above, the body of the email is compressed using zlib. This causes a problem for the forensic examiner, as traditional keyword searching will not be successful without first decompressing the data.

Recovery of AOL (Personal Filing Cabinet) Email Messages

Digital Detective’s forensic data recovery software Blade® contains a Professional Recovery module which has been designed to recover AOL email messages from a number of sources.

The Professional Recovery Module can recover live and deleted email messages (including attachments), whether directly from a forensic image (such as an Encase® e01 compressed image) or a physical disk / volume. The output from the software allows the forensic investigator to identify the exact location the data was recovered from.

The carving engine for this Module is the result of numerous years of research and development. It was originally released in the Digital Detective product EMLXtract. When this software was released to law enforcement in 2004, it was the first software product to recover AOL email messages from an image or physical/logical device (as opposed to a single PFC file). When compared against other tools, this software recovered more email messages than any other. It works particularly well against corrupted data when many other tools fail to recover anything at all.

The research and development that went into recovering AOL email messages from a forensic image took a considerable amount of time. AOL email messages contain many different elements such as compressed and non-contiguous data blocks. Embedded attachments can be split and have to be stitched back together. When this module was originally designed, the goal was not to recover live and deleted email messages from a Personal Filing Cabinet, but to be able to recover emails from a disk image. This functionality was originally released to Police Forces all around the world as a tool called EMLXtract.

Through research and development, the recovery engine has been enhanced further and is now part of Blade®. The following video shows the extraction and examination of AOL email messages from a segmented disk image. Figure 3 shows a recovered email message from Blade® Professional.

 

Figure 3

As Blade® processes the source image, it recovers individual messages and converts them into an HTML representation of the original message. This includes decompressing the zlib content and rebuilding the original attachments. The physical location of the original email is identified by Physical Sector and Sector Offset. The easiest way to use Blade® in a forensic examination is to simply point it at a forensic image of the original device.
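
The keyword-search problem described for AOL 7.00 and above, and the reporting of a recovered item by physical sector and sector offset, can be illustrated with a generic zlib stream carver. This is an added example, not Digital Detective's code and not a description of how Blade® works: it assumes 512-byte sectors and contiguous RFC 1950 zlib streams, does not model the PFC record structure, and runs over a constructed sample image.

```python
import zlib

SECTOR_SIZE = 512  # assumption: 512-byte sectors for location reporting

def is_zlib_header(b0, b1):
    # RFC 1950: CM = 8 (deflate), window <= 32 KiB, 16-bit header divisible
    # by 31, and no preset dictionary (FDICT bit clear).
    return ((b0 & 0x0F) == 8 and (b0 >> 4) <= 7
            and ((b0 << 8) | b1) % 31 == 0 and not (b1 & 0x20))

def try_inflate(buf, max_out=1 << 20):
    """Return (plaintext, bytes_consumed), or (None, 0) unless the stream
    inflates completely and its Adler-32 trailer verifies."""
    d = zlib.decompressobj()
    try:
        out = d.decompress(buf, max_out)
    except zlib.error:
        return None, 0
    if not d.eof:  # truncated, fragmented, or larger than max_out
        return None, 0
    return out, len(buf) - len(d.unused_data)

def carve(image, window=1 << 16, min_len=16):
    """Scan raw bytes for complete zlib streams and record where each starts."""
    hits, pos = [], 0
    while pos + 2 <= len(image):
        if is_zlib_header(image[pos], image[pos + 1]):
            out, used = try_inflate(image[pos:pos + window])
            if out is not None and len(out) >= min_len:
                hits.append({"sector": pos // SECTOR_SIZE,
                             "offset": pos % SECTOR_SIZE,
                             "length": used, "data": out})
                pos += used  # skip past the recovered stream
                continue
        pos += 1
    return hits

def search(image, keyword):
    """Keyword search over decompressed content; returns (sector, offset) pairs."""
    return [(h["sector"], h["offset"]) for h in carve(image)
            if keyword.lower() in h["data"].lower()]

# Constructed sample: an HTML body compressed with zlib, surrounded by filler
# standing in for unallocated space. Not real PFC data.
BODY = (b"<html><body>" + b"Meet at the rendezvous point at nine. " * 4
        + b"</body></html>")
IMAGE = b"\x00" * 1300 + b"\xff" * 7 + zlib.compress(BODY) + b"\x00" * 700

if __name__ == "__main__":
    print("raw keyword hit:", b"rendezvous" in IMAGE)
    print("carved hits (sector, offset):", search(IMAGE, b"rendezvous"))
```

Because only streams that inflate completely are accepted, a body split across non-contiguous blocks will not be returned by this sketch.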

28th May 2010/by Craig Wilson
Tags: AOL, Email Recovery, Intelli-Carve, PFC