Several forensic tools will be able to extract data from the Mail app. In this example, we are going to talk about FTK Imager, but the process of extracting data and especially elements such as file paths and folder locations, will be the same regardless of which tool you prefer to use.

First of all, open up FTK Imager and add a new evidence item. The data you are looking for will be in the UsersUsernameAppDataLocalComms folder.

Opening this folder, you will see five subfolders: Temp, Unistore, UnistoreDB, UserDataTempFiles, and Volatile. These are the locations we will be looking at in this chapter.