Mail Envelope Index

macOS, Communication, Disk Image

Location

~/Library/Mail/V*/MailData/Envelope Index* and per-mailbox metadata under ~/Library/Mail/

Common Names

Envelope Index, MailData

Description

SQLite-based metadata index used by Apple Mail to catalog message headers, mailbox locations, account relationships, and search state across local and synced mailboxes in the user profile.

Forensic Value

Envelope Index provides a fast way to enumerate mail subjects, senders, recipients, message IDs, and mailbox placement even when individual .emlx files have been moved or partially pruned by the client. It helps reconstruct what mailboxes existed, which accounts were configured, and whether suspicious messages were present locally on the Mac around the incident window. Correlating the index with attachment and quarantine artifacts can reveal phishing delivery and message-based staging activity on the host.

Tools Required

sqlite3, DB Browser for SQLite, find, mac_apt

Collection Commands

find

find ~/Library/Mail -path "*MailData/Envelope Index*" -exec cp {} /forensics/mail_envelope_index/ \; 2>/dev/null

sqlite3

for db in ~/Library/Mail/V*/MailData/Envelope\ Index; do sqlite3 -readonly "$db" ".tables"; done > /forensics/mail_envelope_tables.txt 2>/dev/null

find

find ~/Library/Mail -maxdepth 4 -type f | head -1000 > /forensics/mail_file_inventory.txt

Collection Constraints

  • Paths, schemas, and permission boundaries vary by macOS release, Full Disk Access state, and whether data came from a live collection, mounted image, or backup source.
  • Mailbox layout and schema vary by Apple Mail version and account type. Some content may reside only in server-synced stores or encrypted cloud mailboxes rather than locally cached files.
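An added example, not part of this entry and not code from Apple Mail or mac_apt: a Python helper that opens a copied Envelope Index read-only and lists sender, subject and mailbox for each message, which is the enumeration the Forensic Value section describes. The table and column names it joins on (messages, subjects, addresses, mailboxes) are assumptions based on recent Mail versions; because the schema varies by release, the code checks for them first and returns a plain table inventory instead of guessing when they are absent.

```python
import sqlite3, tempfile
from pathlib import Path

# Tables/columns the join below needs. Assumed from the layout seen in recent Envelope
# Index versions; the schema varies by Mail release, so it is verified before querying.
REQUIRED = {"messages": {"message_id", "sender", "subject", "mailbox", "date_received"},
            "subjects": {"subject"}, "addresses": {"address"}, "mailboxes": {"url"}}

def table_columns(conn):  # {table: set(declared column names)}
    names = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    return {n: {c[1] for c in conn.execute(f'PRAGMA table_info("{n}")')} for n in names}

def enumerate_messages(db_path):
    """Open a COPY of Envelope Index read-only (never the live file) and list messages."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"  # as_uri() escapes the space
    conn = sqlite3.connect(uri, uri=True)
    try:
        cols = table_columns(conn)
        missing = [t for t, need in REQUIRED.items() if not need <= cols.get(t, set())]
        if missing:  # unknown schema: report what exists so the analyst can adapt the query
            return {"schema_ok": False, "tables": sorted(cols), "missing": missing}
        rows = conn.execute(
            "SELECT m.ROWID, m.message_id, a.address, s.subject, b.url, m.date_received "
            "FROM messages m LEFT JOIN addresses a ON a.ROWID = m.sender "
            "LEFT JOIN subjects s ON s.ROWID = m.subject "
            "LEFT JOIN mailboxes b ON b.ROWID = m.mailbox ORDER BY m.date_received").fetchall()
        return {"schema_ok": True, "messages": rows}
    finally:
        conn.close()

def build_sample_index(path, known_schema=True):
    """Constructed sample, not real Mail data; known_schema=False mimics an unknown layout."""
    conn = sqlite3.connect(path)
    if known_schema:
        conn.executescript("""
            CREATE TABLE subjects(ROWID INTEGER PRIMARY KEY, subject TEXT);
            CREATE TABLE addresses(ROWID INTEGER PRIMARY KEY, address TEXT, comment TEXT);
            CREATE TABLE mailboxes(ROWID INTEGER PRIMARY KEY, url TEXT);
            CREATE TABLE messages(ROWID INTEGER PRIMARY KEY, message_id TEXT, sender INTEGER,
                                  subject INTEGER, mailbox INTEGER, date_received INTEGER);
            INSERT INTO subjects VALUES (1,'Invoice overdue'),(2,'Team lunch');
            INSERT INTO addresses VALUES (1,'billing@example.invalid',''),(2,'alice@example.invalid','');
            INSERT INTO mailboxes VALUES (1,'imap://alice@example.invalid/INBOX');
            INSERT INTO messages VALUES (1,'<a1@example.invalid>',1,1,1,1700000000),
                                        (2,'<b2@example.invalid>',2,2,1,1699990000);""")
    else:
        conn.execute("CREATE TABLE info(key TEXT, value TEXT)")
    conn.commit(); conn.close()
    return str(path)

def demo():  # build both constructed samples in a temp dir and run the enumerator over each
    d = Path(tempfile.mkdtemp())
    return (enumerate_messages(build_sample_index(d / "Envelope Index")),
            enumerate_messages(build_sample_index(d / "Envelope Index-unknown", known_schema=False)))
```

Run enumerate_messages against the copy made by the find/cp command above, together with any Envelope Index-wal and Envelope Index-shm sidecars copied beside it, never against the live file under ~/Library/Mail.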

MITRE ATT&CK Techniques

T1566.001, T1539, T1114