AOL Forensics

AOL Forensics – Digging In & Parsing Through the AOL Email Local Storage

AOL Email Service

AOL Desktop is an application for reading, on the local machine, messages exchanged through the popular webmail service AOL. It lets the user communicate through the webmail profile without a web browser. The application stores the data it generates in a PFC (Personal Filing Cabinet) file. Besides being a reader for AOL messages, it serves as a medium for communicating directly from the desktop. Messages are synchronized in both directions: those sent via webmail are replicated on the desktop and vice versa, so every activity on the web or desktop interface of the AOL mail service is reflected on the other. This is why AOL Desktop comes with an integrated backup option. The backup also stores email data in PFC format and keeps it independently, i.e. PFC storage is separate from the server storage within the mailbox.


Forensically Examining AOL Email Storage

With the rapid rise in cybercrime, the cyberspace that users share has become a less secure place for storing or exchanging confidential information. Email has become a soft target because it is the most common medium of communication, both professionally and personally. The heavy use of the AOL service has made it not only a target but also a means of perpetrating e-crime. AOL Desktop benefits the investigation of such activities by giving examiners control over user data in the form of locally stored PFC files.

Investigating AOL Desktop Storage: Personal Filing Cabinet

PFC Storage in AOL Desktop

AOL Desktop version 9.7 introduced local mail storage in two distinct forms: an 'On AOL' folder and an 'On My PC' folder. Each folder holds the messages generated by the account holder's email exchange. However, the rules governing storage in the two folders are entirely different.


  1. 'On AOL' is the server-based folder that stays connected to the AOL server and reflects every user activity through continuous synchronization. Every activity that takes place on the AOL web interface is therefore reflected in the 'On AOL' folder of the desktop application.
  2. The 'On My PC' folder, meanwhile, acts as local storage for the mail service and remains unaffected by activity on the account, so it preserves email that may have been wiped from the account at an earlier point in time. On My PC is better known as a backup of the email storage within an AOL account. The desktop application for reading an AOL account's emails has backup generation and restoration built in, and the backup is generated as a PFC format file.

The important point here is that the retention of a message, i.e. the longest an email will stay in your mailbox, depends on the storage in which it is located.

For instance, the availability of messages stored in the server-based mailbox is not under the control of the end user, while that of messages residing in the On My PC folder is. The difference arises because the 'On AOL' folder is continuously synchronized with the server, which reflects any and all changes to the account's messages.

Forensic Examination of AOL Desktop Storage

AOL is a web-based email service, which makes the platform prone to felonious activities like hacking. However, the desktop application dedicated to reading and managing the account's messages plays a key role in investigating the message exchange of an AOL account.

AOL uses the PFC file to store the account's emails locally. Even if a message is wiped by the culprit through the web service, a copy of it will still be maintained in the 'On My PC' storage (if created by the user).


However, the proprietary nature of the PFC format makes it inaccessible on any platform other than the AOL Desktop reader application. The only major challenge investigators face when examining AOL Desktop storage is therefore an orphaned PFC file, which prevents them from reading, and thus investigating, the messages stored in it.

Role of AOL Forensics Tool – PFC Storage in AOL

Standard forensic examination of electronic email data requires the investigator first to image the evidence and then to study the image instead of the original. However, a PFC file can only be read within the AOL Desktop application environment, so a commercial AOL forensic utility is needed for the task, one that does not mishandle the evidence, i.e. does not modify or change it in any way, from the order in which emails are arranged to the attributes associated with them.
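The copy-then-verify step described above, as an added example that is not part of the original article or of any AOL tool: it finds candidate PFC files under a read-only mounted image, makes read-only working copies and records SHA-256 hashes so that any later modification of a copy is detectable. The `*.pfc` pattern, the function names and the directory arguments are assumptions.

```python
import hashlib
import os
import shutil
import stat
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large PFC files are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire_working_copies(evidence_root, work_dir, pattern="*.pfc"):
    """Copy matching files from a mounted image into work_dir and verify them.

    pattern is an assumption (the article names no extension); adjust per case.
    Returns a manifest: one dict per file with source path, copy path, size,
    source mtime and the SHA-256 shared by source and copy.
    """
    work_dir = Path(work_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    candidates = sorted(p for p in Path(evidence_root).rglob(pattern) if p.is_file())
    for index, src in enumerate(candidates):
        info = src.stat()
        before = sha256_file(src)
        dst = work_dir / f"{index:04d}_{src.name}"  # prefix avoids name clashes
        shutil.copy2(src, dst)                      # copy2 keeps the timestamps
        if not (before == sha256_file(dst) == sha256_file(src)):
            raise RuntimeError(f"hash mismatch while copying {src}")
        os.chmod(dst, stat.S_IREAD)                 # working copy is read-only
        manifest.append({"source": str(src), "copy": str(dst), "size": info.st_size,
                         "mtime": info.st_mtime, "sha256": before})
    return manifest


def changed_copies(manifest):
    """Re-hash the working copies after examination; return those that differ."""
    return [m["copy"] for m in manifest if sha256_file(m["copy"]) != m["sha256"]]


if __name__ == "__main__":
    import sys
    for entry in acquire_working_copies(sys.argv[1], sys.argv[2]):
        print(entry["sha256"], entry["source"])
```

Running `changed_copies` on the manifest after a reader tool has opened the working copies shows whether the tool altered them.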

AOL PFC Reader serves as a basic means of performing PFC file forensics, allowing investigators to use it for the following purposes:

  1. Independent / standalone reading of PFC file storage
  2. Automatic location of PFC files on the machine to accelerate the investigation procedure
  3. Preview of the complete message along with accurate details (attributes), header contents, body contents, and corresponding attachments

Conclusion

Activities such as spamming and phishing have become common practice among internet offenders. A trace is always left behind in the form of the respective message on the account, which is generally deleted as part of evidence spoliation. However, where a desktop reader for the email service is used, potential evidence that has been wiped may still be obtained through the PFC storage generated in the form of the On My PC folder. AOL Forensic helps investigate the communication carried out using the account without compromising the evidence.