WinMailMRU Explained: Recovering Sender and Attachment History

What WinMailMRU is

WinMailMRU is a Most-Recently-Used (MRU) list created by Microsoft Outlook/Exchange when it generates TNEF (Transport Neutral Encapsulation Format) data stored in winmail.dat. The MRU records track recent recipients and attachments referenced by the TNEF process (for example, when Outlook converts rich-text messages to winmail.dat for non-MAPI clients). Forensic analysts use WinMailMRU to reconstruct recent sender/recipient activity and attached filenames or identifiers.

Where it’s found

  • Inside TNEF winmail.dat blobs attached to messages or saved from mail stores.
  • In some Outlook/Exchange caches and registry artifacts related to TNEF handling.
  • Exported by forensic tools that parse TNEF structures.

Key data elements in WinMailMRU entries

  • Recipient name and/or email address (sometimes only a GUID or display name).
  • Attachment filename or an attachment identifier.
  • Timestamps (when present) indicating the MRU entry update time.
  • Entry order/position reflecting recency.
  • Related message or message-ID references in complex cases.

What it can reveal

  • Recent recipients the sender used when generating winmail.dat attachments.
  • Filenames of attachments that were converted into TNEF parts (may reveal document names).
  • Sequence of recent send actions (via MRU ordering).
  • Corroborating evidence linking a user to sending specific documents or communicating with specific recipients.

Limitations and caveats

  • Not every winmail.dat contains full email addresses; some entries use display names or internal IDs.
  • MRU lists reflect client-side recent use, not necessarily successful deliveries.
  • Timestamps may be absent, imprecise, or represent local client time.
  • WinMailMRU entries can be overwritten as the MRU updates; older history may be lost.
  • Parsing requires correct handling of TNEF encoding and character sets; corrupted blobs can hide data.

Tools and techniques for recovery

  • Use TNEF parsers (open-source and commercial) to extract winmail.dat and display internal attributes.
  • Extract and inspect the TNEF attribute blocks that correspond to MRU lists.
  • Correlate MRU data with mail server logs, mailbox stores (PST/OST), and MAPI attributes for verification.
  • When only GUIDs or internal IDs appear, cross-reference MAPI recipient tables or Active Directory where available.
  • Preserve original artifacts and work on copies; document parsing steps and tools used.

Example workflow (concise)

  1. Acquire mailbox or saved message containing winmail.dat.
  2. Use a TNEF parser to extract attributes and list MRU entries.
  3. Normalize any character encodings and map internal IDs to addresses via mailbox/AD.
  4. Correlate MRU findings with server logs, message headers, and timestamps.
  5. Report findings with assumptions, confidence, and supporting artifacts.
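As an added example (not code from this page or from any TNEF parser it mentions), the Python below does what steps 2 and 3 of the workflow ask of a parser: it checks the winmail.dat signature, each record's checksum and length (the corrupted-blob caveat above), honours the attOemCodepage attribute when decoding strings, and collects the sender, subject, sent time and attachment titles in record order so recency ordering is preserved. The record layout and attribute ids (attFrom, attSubject, attDateSent, attAttachTitle, attAttachModifyDate, attOemCodepage) come from the public TNEF specification (MS-OXTNEF); the MRU-specific attribute blocks this page describes are not defined there, so this shows the generic attribute walk that any such extraction builds on. The sample blob is constructed inline and is not a real capture.

```python
"""Walk the attribute records of a TNEF (winmail.dat) blob, verify the structure,
and pull out sender, subject, sent time and attachment names in record order."""
import codecs
import struct
from datetime import datetime

TNEF_SIGNATURE = 0x223E9F78          # DWORD at offset 0, followed by a WORD key
LVL_MESSAGE, LVL_ATTACHMENT = 1, 2
# Attribute ids are (type << 16) | id, as defined in the TNEF spec.
ATT_FROM = 0x00008000                # atpTriples: sender name + address
ATT_SUBJECT = 0x00018004             # atpString (NUL-terminated)
ATT_DATE_SENT = 0x00038005           # atpDate: 7 WORDs y, m, d, h, min, s, dow
ATT_ATTACH_TITLE = 0x00018010        # atpString: attachment filename
ATT_ATTACH_MODIFY_DATE = 0x00038013  # atpDate
ATT_OEM_CODEPAGE = 0x00069007        # atpByte: DWORD primary, DWORD secondary

class TnefError(ValueError): pass    # the blob is not a well-formed TNEF stream

def _checksum(data):
    return sum(data) & 0xFFFF        # spec: sum of data bytes modulo 65536

def _string(data, codepage):
    return data.split(b"\x00", 1)[0].decode(codepage, errors="replace")

def _date(data):
    y, mo, d, h, mi, s, _dow = struct.unpack_from("<7H", data, 0)
    return datetime(y, mo, d, h, mi, s)

def _triples(data, codepage):
    # TRP: WORD trpid, WORD cbgrtrp, WORD cch (name len), WORD cb (address len)
    _trpid, _cbgrtrp, cch, cb = struct.unpack_from("<4H", data, 0)
    return {"name": _string(data[8:8 + cch], codepage),
            "address": _string(data[8 + cch:8 + cch + cb], codepage)}

def parse_attributes(blob):
    """Yield (level, attr_id, data) per record; raise TnefError on any defect."""
    if len(blob) < 6 or struct.unpack_from("<I", blob, 0)[0] != TNEF_SIGNATURE:
        raise TnefError("bad or missing TNEF signature")
    pos = 6
    while pos < len(blob):
        if len(blob) - pos < 9:
            raise TnefError("truncated record header at offset %d" % pos)
        level, attr_id, length = struct.unpack_from("<BII", blob, pos)
        if level not in (LVL_MESSAGE, LVL_ATTACHMENT):
            raise TnefError("unknown level %d at offset %d" % (level, pos))
        pos += 9
        if len(blob) - pos < length + 2:            # data + WORD checksum
            raise TnefError("truncated data for attribute 0x%08X" % attr_id)
        data, pos = blob[pos:pos + length], pos + length
        stored = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if stored != _checksum(data):
            raise TnefError("checksum mismatch for attribute 0x%08X" % attr_id)
        yield level, attr_id, data

def summarize(blob):
    """Sender, subject, sent time and attachments (list order = record order)."""
    out = {"from": None, "subject": None, "date_sent": None, "attachments": []}
    codepage = "cp1252"                  # default until attOemCodepage is seen
    for _level, attr_id, data in parse_attributes(blob):
        if attr_id == ATT_OEM_CODEPAGE:
            try:
                codepage = codecs.lookup("cp%d" % struct.unpack_from("<I", data, 0)[0]).name
            except LookupError:
                pass                     # unknown code page: keep the default
        elif attr_id == ATT_FROM:
            out["from"] = _triples(data, codepage)
        elif attr_id == ATT_SUBJECT:
            out["subject"] = _string(data, codepage)
        elif attr_id == ATT_DATE_SENT:
            out["date_sent"] = _date(data)
        elif attr_id == ATT_ATTACH_TITLE:  # each title starts the next attachment
            out["attachments"].append({"title": _string(data, codepage), "modified": None})
        elif attr_id == ATT_ATTACH_MODIFY_DATE and out["attachments"]:
            out["attachments"][-1]["modified"] = _date(data)
    return out

def validate(blob):
    """None if the blob parses cleanly, else the first error message."""
    try:
        list(parse_attributes(blob))
    except TnefError as exc:
        return str(exc)

# Constructed sample winmail.dat (not a real capture) so the example runs offline.
def _record(level, attr_id, data):
    return struct.pack("<BII", level, attr_id, len(data)) + data + struct.pack("<H", _checksum(data))

def _dtr(dt):
    return struct.pack("<7H", dt.year, dt.month, dt.day, dt.hour, dt.minute, dt.second, (dt.weekday() + 1) % 7)

def build_sample_blob():
    name, addr = b"Alice Example\x00", b"SMTP:alice@example.invalid\x00"
    triples = struct.pack("<4H", 4, 8 + len(name) + len(addr), len(name), len(addr)) + name + addr
    return (struct.pack("<IH", TNEF_SIGNATURE, 0x1234)
            + _record(LVL_MESSAGE, ATT_OEM_CODEPAGE, struct.pack("<II", 1252, 0))
            + _record(LVL_MESSAGE, ATT_FROM, triples)
            + _record(LVL_MESSAGE, ATT_SUBJECT, b"Q3 budget\x00")
            + _record(LVL_MESSAGE, ATT_DATE_SENT, _dtr(datetime(2024, 3, 5, 9, 30, 0)))
            + _record(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"budget.xlsx\x00")
            + _record(LVL_ATTACHMENT, ATT_ATTACH_MODIFY_DATE, _dtr(datetime(2024, 3, 4, 17, 15, 0)))
            + _record(LVL_ATTACHMENT, ATT_ATTACH_TITLE, b"notes.docx\x00"))
```

Running `summarize(build_sample_blob())` yields the sender triple, the subject, the sent time and two attachments in record order; `validate()` on the same blob returns None, while a single flipped byte inside the subject produces a checksum error and a blob cut short produces a truncation error. Every finding a parser like this reports should still be tied back to the original file hash and the tool version, as the reporting tips below ask.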

Reporting tips

  • State what fields were recovered (names, emails, filenames, timestamps).
  • Note gaps (e.g., display names only, no timestamps).
  • Include hashes and copies of extracted winmail.dat for reproduc
