EnScript to convert individual OSX .emlx files into MBOX format so EnCase can parse it.

On a request from a person I consider a friend and whom I have learned a lot from, Pat Lim, I created this EnScript to help parse OSX email messages.

EnCase can parse many different types of emails, but unfortunately emails in the native "mail" application in OSX is not supported. Pat did some research and figured out the structure of the individual email files typically stored in the /[user]/Library/Mail/POP/Inbox folder. Each email is stored with a .emlx extension.

This EnScript will process selected (blue checked) .emlx files. The individual .emlx files will be reformatted and concatenated into one single file and placed in your default export folder for the case. This single file will be in the MBOX format and can then be added into EnCase and parsed. The emails will show up in the records tab if you select the email parse option from the search dialog, or you can simply right-click on the exported MBOX file and choose "view file structure".









Download Here

Count unique domains in email list

This EnScript was written by request for someone doing an email spam case and he needed to parse a large list of email addresses and then extract only the unique domain names.

So in this case, he had a very large ASCII file containing thousands and thousands of email addresses, some of which came from the same organization and had the same domain, but different email address. He needed a way to just create a list of just the unique domain names. This EnScript takes an ASCII file, with one email per line, line-delimited with a CRLF like this:

john@test.com
dave@test.com
steve@test.com
mike@mydomain.com
tom@mydomain.com
joe@mydomain.com
etc...etc...etc...



The output of the EnScript in the CONSOLE tab would be:

test.com (2)
mydomain.com (3)

This is a pretty specialized EnScript, but others may have a use for it as well.

Download Here