Outlook Express DBX Forensics

Complete Forensic Examination of Multiple Outlook Express DBX Files

Basics of DBX File Format - DBX Forensics

DBX is the file extension Microsoft Outlook Express uses to store the contents of a single email folder. Each DBX file in the user profile holds the emails of one folder, including any custom folders, so a profile contains files such as inbox.dbx, sent items.dbx, and so on.

Use of DBX extends beyond Outlook Express to Windows Mail on Windows Vista and Windows Live Mail on Windows 7. However, these clients only support importing messages from a DBX file; Outlook Express remains the original source of DBX files.

Role of DBX Files In Outlook Express DBX Forensic

Like other desktop email applications, Outlook Express has frequently been observed in malicious web-based activity, so Outlook Express DBX file forensics is an essential part of email client data forensics. Because Microsoft has ended support for Outlook Express, investigators usually face challenges, especially in opening and accessing DBX files. When there are multiple files the process becomes far more tiresome, if not next to impossible, because each folder has a DBX file of its own and Outlook Express only runs on Windows XP.

DBX File Information - A Detailed Overview

Files with the DBX extension are collections of emails; they are more email folders than files. Outlook Express uses this common extension to save the emails of all its folders. All the folders of a user account created in the client are saved at its default store folder location with the .dbx extension, so each folder is represented as inbox.dbx, deleted items.dbx, drafts.dbx, sent items.dbx, and the same applies to custom folders, if any.

Location of DBX File

In raw form, the DBX file structure shows a basic hexadecimal arrangement. The header portion, also known as the file signature, begins with a hex value: the CLSID (Content Class ID), an identifier that distinguishes the DBX file type. It is a string at the start of the file that identifies the file to the OS.

Outlook Express DBX File Format Forensics

Close observation of the DBX structure shows that deleting a message leaves a trace behind. When a message is deleted, the header block fields at 0x0200/0x01fc and the DBL (Data Block Length) are updated to reflect the deletion, and the first 4 bytes of the message's data block are overwritten. During Outlook Express DBX forensics, evidence tampering can therefore be detected by studying the file structure closely.
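To show how the deletion trace described above can be checked in practice, here is an added Python example that is not part of the original article: it validates the DBX folder signature, records the header fields at 0x01fc and 0x0200, and reports the differences between two acquisitions of the same file. The header length 0x24BC and the before/after sample images are assumptions constructed for the demonstration.

```python
import hashlib
import struct

# Outlook Express folder files open with this 8-byte signature (the CLSID the
# article refers to); the value comes from published file-signature tables.
DBX_FOLDER_SIGNATURE = bytes.fromhex("CFAD12FEC5FD746F")
HEADER_LEN = 0x24BC  # assumed header size, used only to delimit the hashed region
# Header positions the article says are rewritten when a message is deleted.
DELETION_FIELDS = {"hdr_0x01fc": 0x01FC, "hdr_0x0200": 0x0200}

def read_dword(buf: bytes, off: int) -> int:
    """DBX header fields are little-endian 32-bit values."""
    return struct.unpack_from("<I", buf, off)[0]

def header_snapshot(dbx: bytes) -> dict:
    """Check the signature and record the deletion-sensitive header fields."""
    if dbx[:8] != DBX_FOLDER_SIGNATURE:
        raise ValueError("signature mismatch: not an Outlook Express folder DBX")
    snap = {name: read_dword(dbx, off) for name, off in DELETION_FIELDS.items()}
    snap["header_sha256"] = hashlib.sha256(dbx[:HEADER_LEN]).hexdigest()
    return snap

def deletion_indicators(before: bytes, after: bytes) -> list:
    """Compare two acquisitions of one DBX file and list signs of a deletion."""
    b, a = header_snapshot(before), header_snapshot(after)
    findings = [f"{n} changed {b[n]:#x} -> {a[n]:#x}"
                for n in DELETION_FIELDS if b[n] != a[n]]
    # The article states the first 4 bytes of a deleted message's data block are
    # overwritten, so report every DWORD in the data region that differs.
    for off in range(HEADER_LEN, min(len(before), len(after)), 4):
        if before[off:off + 4] != after[off:off + 4]:
            findings.append(f"data dword at {off:#x} overwritten")
    return findings

def build_samples():
    """Constructed before/after images (not real DBX files) for demonstration."""
    img = bytearray(DBX_FOLDER_SIGNATURE + b"\0" * (0x2800 - 8))
    struct.pack_into("<I", img, 0x0200, 3)                 # pretend header field
    img[HEADER_LEN:HEADER_LEN + 4] = b"\xbc\x24\x00\x00"    # data block starts here
    before = bytes(img)
    struct.pack_into("<I", img, 0x0200, 2)                 # field updated on delete
    img[HEADER_LEN:HEADER_LEN + 4] = b"\0\0\0\0"            # first 4 bytes wiped
    return before, bytes(img)

if __name__ == "__main__":
    for line in deletion_indicators(*build_samples()):
        print(line)
```

On real evidence, replace build_samples() with the bytes of two acquired copies of the same folder file; the header hash in the snapshot lets you confirm whether the header changed at all before looking at individual fields.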

Present Time DBX Forensic Challenges

The major challenge commonly faced in DBX forensics is that Outlook Express is now outdated. Only a small number of users still run Windows XP, the only version of the platform that supports Outlook Express and that, in fact, comes with it preinstalled. Since the end of support for both the OS version and the OE client, the primary challenge in investigating DBX files has been their orphaned state.

Moreover, detailed header analysis during Outlook Express DBX forensics became more of a challenge, since the complete internet header information could not be viewed without the application.

How To Read DBX Files Outlook Express Without The Client?

Outlook Express, although a client of a past era, was one of the most widely adopted email applications, especially in organizations, thanks to its plain and simple interface. Many users therefore still have archives stored in DBX files. There is no proper procedure for manually examining a DBX file and its email headers without altering the information in the process. An external forensic application built specifically for analyzing DBX files and their emails can, however, be of great assistance. Another option for reading and analyzing a DBX file is converting it to a PST file and performing the forensics without the MS Outlook application. DBX Forensics is one such application, purpose-built to open and view orphaned DBX files as well as configured accounts from their default storage path for further analysis. The highlighting options that make this tool worthwhile include:

  • It offers the option to forensically analyze DBX files even when they are orphaned.
  • Multiple DBX files, even in bulk, can be loaded at once from a folder containing an assortment of file types.
  • Most importantly, the application can recover emails that were hard deleted from a DBX folder.
  • The header analysis views offer detailed information on the complete email and its internet header through hex, MIME, message header, and other views.
  • The application imposes no limitation on the number or size of files.