top of page
Apr 291 min read

Outlook Attachment Recovery


Key Points:

  1. Temporary Storage: When attachments are previewed or opened in Outlook, they are saved temporarily in this folder on the local drive.

  2. Folder Structure: The folder structure will be Content.Outlook followed by a randomly named subfolder.

  3. Default Cleanup: Starting from Outlook 2007, attachments in this folder are deleted when Outlook is closed, but there are exceptions like Outlook crashes or open files.

  4. Timestamps: Outlook often backdates the creation date of attachments to the date of the email they were attached to. However, variations can occur based on Outlook version and attachment type.


Forensic Techniques:


  • Timestamp Analysis: Utilize the MFT $Filename attribute to determine the exact time an attachment was opened.

  • Artifact Examination: Investigate artifacts like $Logfile, USNJoumal, and copies of $MFT in Volume Shadow Copies for traces of attachments, even after Outlook has removed them.

  • File Recovery: Tools like Disk Cleanup can be used to remove temporary files, but they might still be recoverable using forensic software.

Location:


  • Default Location: C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ (Replace [username] with the actual username of the user profile.)


Registry Key for Folder Location:


  • HKCU\Software\Microsoft\Office\<version>\Outlook\Security\OutlookSecureTempFolder

  • Replace <version> with your Outlook version (e.g., 16.0 for Outlook 2016/2019, 15.0 for Outlook 2013).


Implications for Forensic Investigations:

  • Evidence Preservation: Ensure timely acquisition of this folder to preserve potential evidence before it's automatically deleted by Outlook or cleaned up by other processes.

  • Timestamp Analysis: Accurate timestamp analysis can be crucial for timeline reconstruction and verifying the sequence of events.

  • Artifact Analysis: Leveraging forensic artifacts can provide insights into file activity, user actions, and potential data leakage.

  • Testing: Given the variability in timestamp handling across Outlook versions and attachment types, testing is essential to understand the behavior of a specific configuration

Akash Patel

30 views0 comments

Comments

bottom of page