Email Keyword Searches

Hi all!

Hope this post finds you well.

I’m having a few issues when running keyword searches over an MBOX email account in Autopsy.

The email parser works just fine and I have a bunch of email extracted from the MBOX files. The problem I’m having is that when I run a keyword search all of the hits returned are from the raw MBOX files rather than the separate emails. Is this normal?

What I’d like to do is return the emails that have keyword hits, run a further date filter and export the individual emails. Is this possible?

Thank you for any help you can give.
Chris

No, I don’t think it’s possible to do exactly what you want. Interestingly, it seems like there’s a difference in how results are displayed depending on whether you do an ad-hoc search or view the results from the tree.

I did an ad-hoc keyword search for “fish”. The results that say “E-Mail Messages Artifact” are the individual messages. But they’re not separate files - as you can see by the Size column they all just reference the original “Inbox” file. And if you try to export them you’ll just get a copy of the original file. If I click on these search results from the tree I no longer see that “E-Mail Messages Artifact” name - everything just says “Inbox”.

Closest I can think of would be the following - go to Generate Report->Excel Report. Either leave it as-is or select only email using the “Result Types” button. This will give you an Excel spreadsheet with a row for each email. There’s a date column so you should be able to get rid of anything outside your range. But you’ll still need to do the actual keyword search.

Thank you very much for your quick reply! I think on this occasion I will need to find an alternative method as I do need to export the individual emails themselves, but the Excel report option will definitely come in handy in the future!

Thanks for your time,

Chris
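
One alternative outside Autopsy, as an added example that is not part of the thread and not Autopsy code: since exporting a hit yields a copy of the original MBOX file, Python's standard `mailbox` module can run the keyword and date filter over that working copy and write each matching message to its own `.eml` file with a SHA-256 for the export record. The function names, the sample messages and the `msg_NNNNN.eml` naming are assumptions made for illustration, and the keyword match is a plain case-insensitive substring test, not Autopsy's indexed search.

```python
import hashlib
import mailbox
from contextlib import closing
from datetime import timezone
from email.utils import parsedate_to_datetime
from pathlib import Path

def build_sample(path):
    """Write a constructed four-message mbox (not case data) for a dry run."""
    rows = [("Fish order", "Mon, 04 Mar 2024 10:00:00 +0000", "Confirm the fish delivery."),
            ("Lunch", "Tue, 02 Jan 2024 09:00:00 +0000", "Fish and chips on Friday?"),
            ("Budget", "Wed, 06 Mar 2024 08:00:00 +0000", "Numbers attached."),
            ("Re: fish", "", "This reply has an empty Date header.")]
    with closing(mailbox.mbox(path)) as box:
        for subj, date, body in rows:
            box.add(f"From: a@example.com\nSubject: {subj}\nDate: {date}\n\n{body}\n")

def message_text(msg):
    """Subject plus every decoded text/* part (RFC 2047 subjects stay raw)."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            try:
                chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
            except LookupError:  # unknown charset label in the message
                chunks.append(data.decode("latin-1"))
    return "\n".join(chunks)

def export_hits(mbox_path, keyword, start, end, out_dir):
    """Export hits dated start..end (aware datetimes); return (hits, undated)."""
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    hits, undated = [], []
    with closing(mailbox.mbox(mbox_path, create=False)) as box:  # a working copy
        for key in box.keys():
            msg = box.get_message(key)
            if keyword.lower() not in message_text(msg).lower():
                continue
            try:
                sent = parsedate_to_datetime(str(msg.get("Date", "")))
            except (TypeError, ValueError):
                undated.append(key)  # hit without a usable Date: review by hand
                continue
            # A parsed date without a zone ("-0000" or none given) is treated as UTC.
            sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
            if start <= sent <= end:
                raw = box.get_bytes(key)  # stored bytes, not a re-serialisation
                name = f"msg_{key:05d}.eml"
                Path(out_dir, name).write_bytes(raw)
                hits.append((name, hashlib.sha256(raw).hexdigest()))
    return hits, undated
```

Keyword hits with a missing or unparseable Date header are returned in `undated` rather than dropped, so they can be reviewed by hand instead of silently falling outside the date filter.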