Frequently asked Questions and Answers on EMail Detective
| Frequently asked Questions and Answers on EMail Detective |
| 
|
1. Which MBox eMail clients does EMail Detective work with? EMD works with a whole host of MBox clients, ranging from “The Bat”, “Claws”, “Bacra”, “Mozilla Thunderbird”, “IncrediMail”, “Opera”, “Eureka”, “Pegasus”, “Windows Live”, “Entourage”, “Zimbra” and many other MBox based email applications. EMD will pull data, text, files, and graphics from all of these email clients and process them for the examiner to easily review. 2. What data does EMD pull from the pagefile.sys or binary fragments? EMD will go through a pagefile.sys or any binary data file passed to it looking for graphic signatures, video, music, document type file signatures (over 100 types), chat conversations, known database fragments, plain text and attempt extraction, decryption and/or decoding of the embedded information for the examiner. 3. How are sqlite files handled by EMD? EMD will parse through an sqlite database pulling data from all fields and presenting it to the examiner in a readable fashion. Several common sqlite applications have special handlers built into EMD for enhanced extraction of data and viewing. 4. Which versions of America Online and CompuServe does EMail Detective work with? EMD works with all versions of AOL from 1.0 - 9.8, including AOL 9.0 security edition, AOL 9.0vr (vista ready), OpenRide, AOL Desktop, and CompuServe versions 6.0 - 7.0. 5. Does the America Online db on a user's disk drive contain all of a user's email? Unless a user specifies the AOL mail options – "Retain all mail I read in my Saved Mail Folder" and "Retain all mail I send in my Mail I've Sent Folder", then their local AOL db's will not contain copies of emails sent or received by this user. Additionally, a user can delete their offline mail. The EMD application can recover these deleted messages if present. However, if the user chooses the AOL option, "Managed Saved Mail - Compact", (see picture below), then these records cannot be recovered. The exception to all of the previously stated conditions is the AOL Cache file. Located in the AOL mail directory, the cache files have the most recently sent/received email message headers for each user. The EMD application will show which cache file is currently associated with a user's email. To decode all associated and unassociated cache files, have the EMD application decode the files located in the user's “CACHE” directory. This is located below the AOL v9.0 mail directory. AOL version 9.0 - General tab
"Retain all mail I read in my Saved Mail Folder" and "Retain all mail I send in my Mail I've Sent Folder" needs to be checked to save all emails locally. If "Managed Saved Mail - Backup" has been selected, then a backup of the local email database may be found in the directory "..organize/backup" AOL version 9.0 Advanced - Tab
AOL version 9.0 - To save embedded images the item "Retain all embedded images in read mail" needs to be enabled on the Advanced Tab. AOL version 6.0 - 8.0
"Retain all mail I read in my Personal Filing Cabinet" and "Retain all mail I send in my Personal Filing Cabinet" need to be check to save email locally. If "Automatically backup my Filing cabinet every" is checked, then a backup of the local email database is in the directory "..organize/backup" AOL version 5.0
"Retain all mail I read in my Personal Filing Cabinet" and "Retain all mail I send in my Personal Filing Cabinet" need to be check to save email locally.
6. Can I search an entire hard drive for all AOL db's? Yes, this can easily be done by selecting the “Read mail folder…” menu option in the EMD application. Select the top level drive, i.e. C:\ or D:\ and then select the “Okay” button. Doing this will take the EMD application a considerable amount of time, based on the disk size, number of files and speed of the PC. All the AOL db's found will be cataloged and have a report produced in your specified output directory.
7. Why are the photos stored in a separate directory from the EMD report? This is just done as a convenience factor, based on user feedback. Additionally, If multiple or duplicate usernames are encountered on the local drive, then keeping track of the pictures associated with each username becomes much easier with separate directories.
8. Why are some photos renamed by the EMD application? See next question.
9. Why are there duplicate photos in the directory? Example: There are two different Email messages both with photos. The photos in each message have the same name and size, but are completely different pictures. If the EMD application were to save the extracted photos under the given name, then only one would be present in the output directory. The second one saved would overwrite the first one. In order to differentiate between the two photo's the EMD application will assign a unique name to each when they are saved. In this case, the report will reflect the name assigned to each photo in each Email message.
10. What are the photos with the ART extension and how come I cannot view them. Many years ago there existed a company Johnson–Grace which created a compression format with the “.art” extension. AOL acquired this company and now uses this proprietary format for many of its embedded graphics. There are a few viewer's that can be used with these files: Smart_Pix_Manager is one such utility. Or if you have access to AOL's v9.0 or later software, then these files can be viewed by selecting the "File" then "Open My Picture Finder..." menus. A good general free graphic viewer is IrfanView, however it does not support ".art" files.
11. I cannot find AOL's dB's on a users system. In version 9.0, AOL moved its default mail directory from below its application path to the following “C:\Documents and Settings\All Users\Application Data\AOL” . This directory is normally hidden under the Windows XP OS. To unhide this directory, using Windows Explorer – select “Tools”, “Folder Options...”, “View” tab, select “Show hidden files and folders”. You should now be able to navigate to this AOL directory using Windows Explorer or any file open dialogue. Note : If searching for AOL’s filing cabinet under Windows Vista, then look in the following path for AOL 9.0vr – “C:\ProgramData\AOL\C_America Online”. When searching for AOL’s OpenRide filing cabinet’s look in the following path: “\Documents and Settings\User\Local Settings\Application Data\AOL\UserProfiles” Where “User” is the name of each user account name under Windows.
12. Will EMD work with CompuServe? Yes, Versions 6.0 and 7.0 of CompuServe use the same PFC format as the America Online client. EMD will extract the email from the CompuServe client and produce reports.
13. I know of some one interested in the software, is there a demo version available. Yes, there is a demo version of the software posted on our web site that you may download. Only the demo version can be given out to an associate for review. This demo version has a limit on the number of messages it will decode along with several other feature limitations. One of the best ways for some one to review the software is to look through the EMD user's manual. This is included on our web site for download in the tech support area as well as in the demo package and all released versions.
14. I am trying to recover deleted email but the EMD application does not find the mail item. AOL has a very efficient email database. It is very compact and extremely fast for the client application (AOL) to access and and manipulate. When a user deletes an email that has been stored offline. The AOL software will mark this record in its database as deleted. If the user reads additional mail after this item is deleted, then AOL may reuse this space and place the new mail item here. Unless EMD is run soon after an item has been deleted. It is unlikely many deleted records remain in AOL's database or will they be found intact. See note #1 above. The EMD application does not recover or search unallocated disk space or the Windows swap file. Deleted message fragments can possibly be recovered if they are present on a hard drive in an existing or restored AOL mail db sometimes referred to as a PFC file. 15. What's the difference between the Text and HTML reports generated by the EMD software . The EMD program generates two types of reports: The HTML report is geared towards an attorney's viewing. This report will show the viewer how the email message looked (includes color, graphics and font information) when presented to the reader. The Text report is geared towards the examiner. It is easily manipulated, contains no live links and can be readily searched and viewed. All graphics, fonts and HTML commands have been removed. Graphics have been replaced with links to the files extracted on disk. When using the EMD program and choosing to generate an HTML report, the following items should be considered: 1) The report may contain live Internet links. 2) When viewing the report with Internet Explorer (IE), or any other browser, the browser will attempt to connect to the Internet and resolve all the links contained in the email messages. 3) The size of this report can get very large: 15 MG or greater if the number of emails processed > 2000. 4) IE and other browsers may be slow in processing a file of this size. Browsers were not designed to handle HTML files with massive links or large file sizes. 5) Lab systems tend to be higher end (more RAM and faster processor) than an attorney's. 6) If you are passing this HTML report on to the attorney or another person, either by saving it onto a CD or by email, then the makeup of the attorney's system may be of concern. 7) Does the viewer's system have a high speed Internet connection? Does it have a lot of RAM? 8) Is this report being printed right away or will it be several months before it's reviewed and printed? 9) Live links can expire or the material may no longer be present after some time passes. 10) On low end systems, viewing a report of this size may not be possible or all images may not come up. Suggested method for handling HTML reports: Open the HTML report and select "Save As" - Web page complete, in IE. This will cause all the links to be resolved and saved to your local disk drive in the specified folder. All of the files saved along with the web page should be transferred to a CD or zipped up and then transferred to the attorney. This allows for offline viewing of a static HTML. This method may be a procedure your lab wishes to follow regardless of the program that generates any HTML report. ### Unable to find your answer here? Please contact technical support for further assistance. To order a copy of EMail Detective see pricing information |
|
Web pages and content Copyright © 2003- by Hot Pepper Technology, Inc. |
