
Uncovering Hidden Email Attachments in Outlook’s Secure Temp Folder

Updated: Jan 29


Key Points:

Did you know that when you open an email attachment in Outlook, it doesn’t just disappear after you close it?

Outlook temporarily saves it in a hidden folder on your computer. This “Secure Temp Folder” is an important artifact in forensic investigations, as it can reveal previously opened attachments—even if they were deleted from emails.


Where Are These Attachments Stored?

Outlook stores opened attachments in a special folder under the Internet Explorer cache:


  • For IE10 and earlier → Temporary Internet Files

  • For IE11 and later → INetCache


Within these locations, you'll find a Content.Outlook folder, which contains a randomly named subfolder where attachments are stored. This is different from older Outlook versions (like Outlook 2003), which used an "OLK<random>" folder.


If you're trying to locate this folder manually, you can check the registry key:
📌 NTUSER\Software\Microsoft\Office\<version>\Outlook\Security

(Value: OutlookSecureTempFolder)


Default Location:

C:\Users\[username]\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\

(Replace [username] with the actual username of the user profile.)
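
The lookup described above can be scripted for live triage. The following PowerShell is an added example, not code from the original post: it covers only the currently logged-on user (HKCU is that user's NTUSER hive), reads the OutlookSecureTempFolder value for every Office version present, falls back to the default cache paths, and lists any files Outlook left behind. The CreatedBeforeFolder column is a heuristic introduced here, not an Outlook feature.

```powershell
# Added example (not from the original post): read-only live triage of the
# Outlook Secure Temp Folder for the currently logged-on user.

# 1. Registry: one OutlookSecureTempFolder value per Office version under HKCU.
$folders = @(
    Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\*\Outlook\Security' `
                     -Name OutlookSecureTempFolder -ErrorAction SilentlyContinue |
        ForEach-Object { $_.OutlookSecureTempFolder }
)

# 2. Default cache locations from the article, in case the value is missing.
foreach ($cache in 'INetCache', 'Temporary Internet Files') {
    $root = Join-Path $env:LOCALAPPDATA "Microsoft\Windows\$cache\Content.Outlook"
    if (Test-Path -LiteralPath $root) {
        $folders += Get-ChildItem -LiteralPath $root -Directory -Force |
            ForEach-Object { $_.FullName }
    }
}

# 3. List whatever Outlook left behind, with timestamps and a hash.
$unique = $folders | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique
$report = foreach ($path in $unique) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $dir = Get-Item -LiteralPath $path -Force
    $files = Get-ChildItem -LiteralPath $path -File -Force -Recurse -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # Hashing can fail if the attachment is still open and locked; SHA256 is then empty.
        $hash = Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path                = $f.FullName
            SizeBytes           = $f.Length
            CreatedUtc          = $f.CreationTimeUtc
            ModifiedUtc         = $f.LastWriteTimeUtc
            # Heuristic (assumption): a creation time older than the containing
            # folder's suggests the timestamp was set rather than recorded on write.
            CreatedBeforeFolder = $f.CreationTimeUtc -lt $dir.CreationTimeUtc
            SHA256              = $hash.Hash
        }
    }
}

$report | Sort-Object CreatedUtc | Format-Table -AutoSize -Wrap
```

For a disk image rather than a live system, the same value has to be read from the user's NTUSER.DAT with a registry viewer instead of HKCU.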

----------------------------------------------------------------------------------------------------


Why Does This Matter for Forensics?

Before Outlook 2007, forensic investigators could often recover multiple versions of the same file if it had been opened multiple times.

Nowadays, Outlook automatically deletes files from this folder when it closes. However, there are exceptions:


  • If Outlook crashes, the file might stay.

  • If the file is still open when the email is closed, Outlook won’t delete it.


This means investigators can still find valuable evidence in this folder, even though it’s less common than before.


----------------------------------------------------------------------------------------------------


Recovering Deleted Attachments

Even if Outlook has deleted an attachment from this folder, traces of it may still exist in forensic artifacts like:


  • $LogFile

  • USN Journal

  • Volume Shadow Copies


Using forensic tools, investigators can often reconstruct deleted attachments and track when they were accessed.


----------------------------------------------------------------------------------------------------

Timestamp Oddities: When Was the File Opened?

Attachments inside an email don’t have their own timestamps, so how does Outlook handle them?


  • Sometimes, Outlook backdates the file’s creation date to match the email’s timestamp.

  • Other times, it uses the modification time of the original file.


----------------------------------------------------------------------------------------------------

Key Takeaways

🔹 Opened email attachments are temporarily stored on disk.

🔹 Outlook tries to delete them but doesn’t always succeed.

🔹 Timestamps on attachments can be misleading.

🔹 Deleted attachments may still be recoverable from forensic artifacts.


For forensic analysts, this folder remains a hidden goldmine of information that can provide crucial insights into user activity—long after an email has been deleted.


----------------------------------------Dean--------------------------------------------------------
