OLK14MsgAttach File – Retrieve Attachments from Mac OLK File
A few days ago, I worked on a case where I noticed that many Outlook attachment files were not processed properly. The attachment files are named olk14MsgAttach in Microsoft Outlook 2011 for Mac and olk15MsgAttach in Microsoft Outlook 2016 for Mac.
Before Outlook for Mac existed, the Microsoft email client on the Mac was Entourage. It is easy to work with because it has no PST or OST file. It uses a single Main.db file to store all its mailbox data, and users can also extract emails and attachments in the form of EMLX files.
Overview of OLK Files
With the Office suite for Mac, Microsoft finally released Outlook for Mac in 2011. It does not create OST or PST files to store its mailbox data. Instead, it uses separate directories for emails, attachments, contacts and other mailbox items, with a dedicated file type for each kind of item:
- .olk14folder – stores email folders.
- .olk14contact – stores contacts.
- .olk14search – stores saved searches.
- .olk14pref – stores software preferences.
- .olk14category – stores the categories used for tagging emails, calendar, contacts, etc.
- .olk14UID – a file associated with Outlook only.
- .olk14signature – stores saved signatures.
- .olk14msgsource – stores the content of email messages.
- .olk14schedule – contains saved schedules.
- .olk14recent – contains the recent email addresses.
- .olk14mailaccount – contains the login information of the email account.
- olk14MsgAttach – stores the attachments of Outlook for Mac.
Different directories for different items are shown in the following segment:
\user_name\Documents\Microsoft User Data\Office 2011 Identities\Main Identity\Data Records\Messages\
&
\user_name\Documents\Microsoft User Data\Office 2011 Identities\Main Identity\Data Records\Message Attachments\
Most forensic investigators can handle the email files easily, but the olk14MsgAttach files are a little different and more difficult to handle. The hex view of the file is shown in the following section and the structure is also described:
Structure of olk14MsgAttach File
The different attributes of the olk14MsgAttach Outlook for Mac attachment file are as follows:
- Attc – This is the signature of the file and the hex value of it is 41 74 74 63.
- Content-type – It defines the file category and applicable application.
- Name – Here, the name of the file is mentioned.
- Content-disposition – It specifies whether the attachment is inline or attached for subsequent access.
Note – If this attribute contains “inline”, the attachment is displayed when the message is opened. These attachments are displayed in the same order as they occur in the message. On the other hand, if the content-disposition contains “attachment”, the attachments require an action to be displayed and are placed outside the message part. They are stored to be accessed later.
- Filename – This entity is the same as the one mentioned in “name”.
- Content-transfer-encoding – Always shown as “base64” because the binary file is encoded with it.
The encoded data of the binary file begins after “base64” (hex value – 62 61 73 65 36 34). It is followed by 0D, which probably signifies a buffer and can occur several times.
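The structure described above can be parsed directly. The following Python sketch is an added example, not code from the original article or from any vendor tool. It assumes the attributes are spelled as MIME-style headers and that the base64 data runs to the end of the record; parse_msgattach and build_sample are hypothetical names, and the sample record is constructed.

```python
import base64
import hashlib
import re

SIGNATURE = b"Attc"   # 41 74 74 63, the file signature given in the article
MARKER = b"base64"    # 62 61 73 65 36 34, the marker that precedes the data

# Assumed MIME-style spellings of the attributes the article lists.
FIELDS = {
    "content_type": rb"content-type:\s*([^;\r\n]+)",
    "name": rb'[;\s]name="?([^"\r\n;]+)',
    "disposition": rb"content-disposition:\s*([^;\r\n]+)",
    "filename": rb'filename="?([^"\r\n;]+)',
}

def parse_msgattach(blob: bytes) -> dict:
    """Return the header attributes and decoded attachment from one record."""
    if not blob.startswith(SIGNATURE):
        raise ValueError("not an olk14MsgAttach record: 'Attc' signature missing")
    enc = re.search(rb"content-transfer-encoding:\s*" + MARKER, blob, re.I)
    if enc is None:
        raise ValueError("base64 marker not found")
    head, body = blob[:enc.end()], blob[enc.end():]
    info = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, head, re.I)
        info[key] = m.group(1).decode("utf-8", "replace").strip() if m else None
    # Drop the 0D bytes (and any other whitespace) that follow the marker and
    # may recur inside the data, then decode strictly so corruption is reported.
    encoded = re.sub(rb"\s+", b"", body)
    payload = base64.b64decode(encoded, validate=True)
    info["payload"] = payload
    info["sha256"] = hashlib.sha256(payload).hexdigest()
    return info

def build_sample() -> bytes:
    """Constructed sample record (not taken from a real mailbox)."""
    data = base64.b64encode(b"%PDF-1.4 constructed test attachment")
    wrapped = b"\r".join(data[i:i + 16] for i in range(0, len(data), 16))
    return (SIGNATURE + b"\x00\x00"
            + b'Content-type: application/pdf; name="report.pdf"\r'
            + b'Content-disposition: attachment; filename="report.pdf"\r'
            + b"Content-transfer-encoding: base64\r\r" + wrapped + b"\r")

if __name__ == "__main__":
    rec = parse_msgattach(build_sample())
    print(rec["filename"], rec["disposition"], len(rec["payload"]), rec["sha256"])
```

Run it against a working copy of the evidence, never the original, and record the SHA-256 of each recovered attachment alongside the source record's path.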
To process olk14MsgAttach files, users can also use a third-party application, OLK Converter for Mac, which transfers emails along with their attachments. The software provides an option to move emails into multiple file formats along with attachments. It supports both olk14 and olk15 message files, which makes it easier for users to perform the conversion with a single tool.
Working of Software to Extract olk14MsgAttach File
- Launch the software and click on the Add Folder(s) button.
- Browse to the OLK files and then press the Next button.
- Choose the output file format from the available options.
- Apply filters if you want and then choose the destination location.
- Now, click on the Export button.
- When the export process completes, go to the storage location where the olk15MsgAttach and other files are saved.
- Here, you can open and access the attachments stored in the OLK file easily.
Conclusion
As discussed in the above section, the hex view of the olk14MsgAttach file is quite different from that of any other email attachment, which makes it somewhat difficult for forensic investigators to read properly. To overcome this, the olk14MsgAttach file can be converted to another file format and read from there. The third-party tool mentioned above can convert all data items stored in OLK files, including attachments, to multiple formats. Using this tool, it becomes easier for investigators to examine olk14MsgAttach or olk15MsgAttach files properly.