What if you're asked for a list of the e-mails that appear to have been read, or indeed only those that are unread? How can you do that with X-Ways Forensics?
Easy. Add your image(s) or devices to a case and refine the volume snapshot (F10) for your case. Tick the box for 'Extract email messages and attachments from...' and choose whether to run that over all your evidence, some of it, or just one item, and let it finish.
Upon completion, all the DBX, PST, EDB cabinet files and so on will have been parsed and their content will be listable within XWF using the eml\emlx 'Type' filter, or using the 'Extracted e-mail' attribute filter (which I think is a safer bet to catch all extracted e-mails regardless of obscure types that might exist beyond eml\emlx, but I could be wrong; generally, though, eml\emlx will suffice, as XWF renders all extracted e-mails as that type AFAIK).
When you select the 'Extracted e-mail' attribute filter, you will notice a 'read' tick box appears to allow you to list only e-mails with a 'read' flag. Conversely, if you tick that AND the NOT box, it will list e-mails that are not read, instead.
You can then create report table associations for each of your lists accordingly. Or, of course, you could skip the filter altogether and simply sort by the attribute column instead. That way all the ones that have '(extracted e-mail)' will be listed together, as will all the ones that have '(extracted e-mail, unread)' (at least in theory it should).
CAUTION: Obviously, this can only act as an indicator. It is possible for somebody to read an e-mail then set it back to 'unread'. And a variety of other caveats. So it is a general indicator only and should be used with the appropriate understanding that such caveats exist.
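For the same triage outside XWF, here is an added example (not from the original post and not X-Ways code) that sorts messages in an mbox-style store into read, unread and unknown buckets from the client's own flag headers: a 'Status:' header containing 'R', or bit 0x0001 of 'X-Mozilla-Status'. The sample mbox, its addresses and subjects are constructed for the demo. The same caveat as above applies: these flags are set by the mail client and can be reset, so they are an indicator, not proof of reading.

```python
import mailbox
import tempfile
from typing import Dict, List, Optional

# Constructed sample mbox (three messages, two read-flag conventions).
SAMPLE_MBOX = """From alice@example.test Mon Jan  1 09:00:00 2024
From: alice@example.test
To: bob@example.test
Subject: Read one
Status: RO

Body of a message the client marked as read.

From carol@example.test Mon Jan  1 09:05:00 2024
From: carol@example.test
To: bob@example.test
Subject: Unread one
Status: O

Body of a message that was downloaded but never opened.

From dave@example.test Mon Jan  1 09:10:00 2024
From: dave@example.test
To: bob@example.test
Subject: Mozilla read one
X-Mozilla-Status: 0001

Body of a message flagged read by a Mozilla-family client.

"""


def read_flag(status: Optional[str], mozilla_status: Optional[str]) -> Optional[bool]:
    """Interpret the two common mbox read-flag headers.

    Returns True for read, False for explicitly unread, None when neither
    header is present or the value cannot be parsed.
    'Status: R' = read (classic mbox convention); X-Mozilla-Status bit 0x0001 = read.
    """
    if status is not None:
        return "R" in status.upper()
    if mozilla_status is not None:
        try:
            return bool(int(mozilla_status.strip(), 16) & 0x0001)
        except ValueError:
            return None
    return None


def triage_mbox(path: str) -> Dict[str, List[str]]:
    """Walk an mbox file and bucket subjects by their read flag."""
    buckets: Dict[str, List[str]] = {"read": [], "unread": [], "unknown": []}
    box = mailbox.mbox(path)
    try:
        for msg in box:  # file order, same as the store lists them
            subject = msg.get("Subject", "(no subject)")
            flag = read_flag(msg.get("Status"), msg.get("X-Mozilla-Status"))
            key = "unknown" if flag is None else ("read" if flag else "unread")
            buckets[key].append(subject)
    finally:
        box.close()
    return buckets


def write_sample_mbox() -> str:
    """Write the constructed sample to a temp file and return its path."""
    tmp = tempfile.NamedTemporaryFile(
        "w", suffix=".mbox", delete=False, encoding="ascii", newline="\n"
    )
    tmp.write(SAMPLE_MBOX)
    tmp.close()
    return tmp.name


if __name__ == "__main__":
    for bucket, subjects in triage_mbox(write_sample_mbox()).items():
        print(f"{bucket}: {subjects}")
```

Point it at a real mbox export and the 'unknown' bucket tells you how many messages carry no flag header at all, which is worth reporting alongside the read/unread split rather than silently folding them into either list.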