idx outlook express (ie4) index file format

by jeff evans

idx file format
----------------------

index     size      description
--------  --------  ----------------
1-4       4 bytes   file id (the ascii string "jmf9")
5-8       4 bytes   sub-id (the hex value 0x04000100)
9-12      4 bytes   number of items in the index file (number of e-mail
                    messages)
13-16     4 bytes   file size in bytes
17-20     4 bytes   ? (seems to contain the hex value 0x01000000)
21-24     4 bytes   ? (seems to contain the hex value 0x10000100)
25-64     40 bytes  string composed of 0x00's


index items immediately follow this header. each item has the following
format:

index     size       description
--------  ---------  ----------------
1-4       4 bytes    flags (see below)
5-8       4 bytes    ?
9-12      4 bytes    entry number (unique for each index item)
13-16     4 bytes    ?
17-20     4 bytes    remaining size in this index item, including the size
                     of this value and the size of the end buffer
21-24     4 bytes    ?
25-28     4 bytes    size of the message, in bytes
29-194    166 bytes  seems to be mostly empty, usage was unclear
195-202   8 bytes    date message received (a win32 filetime structure)
203-210   8 bytes    date message sent (a win32 filetime structure)
211-212   2 bytes    ?
213-216   4 bytes    size of the subject field in bytes
217-x     x bytes    subject field (an ascii string - length is
                     specified by the preceding value)
x-x       4 bytes    size of sender's e-mail address in bytes
x-x       x bytes    sender's e-mail address (an ascii string - length
                     specified by preceding value)
x-x       4 bytes    size of sender's name in bytes
x-x       x bytes    sender's name (an ascii string - length specified
                     by preceding value)
x-x       4 bytes    size of pop server in bytes
x-x       x bytes    pop server message was retrieved from
x-x       5 bytes    ?
x-x       4 bytes    size of username used to log into pop server
x-x       x bytes    username used to log into pop server (an ascii
                     string)
x-x       4 bytes    size of the name of the mail account
x-x       x bytes    name of the outlook express account that
                     corresponds to the pop server
x-x       8 bytes    ?
x-x       0-3 bytes  variable length buffer which is used to make the
                     length of the entry an even multiple of 4


notes:

the size of the index entries is measured from the "remaining size" value.
this value is calculated such that it is equal to the number of bytes
between the start of this variable and the end of the variable length
buffer.

each index entry has a set of flags which describe its properties. a normal
message appears to have a value of 10h. messages that are marked as read by
the mail client have a value of 12h, so you can perform a bitwise and on the
flags using 2h to determine if the message has been read. ex:

    if (dwflags & 2)
        (message is read)
    else
        (message is not read)

there are probably other values to indicate attachments and priorities, but
i did not attempt to work these out.
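
a bounds-checked parser for the layout above, as an added example (not part of the original notes or any outlook express code). it assumes little-endian integers, compares the file id case-insensitively, expects the header's file size to equal the real file length, and strips trailing 0x00 bytes from strings; the function and field names are hypothetical.

```python
# added example; assumes little-endian integers (the notes do not state byte order)
import struct
from datetime import datetime, timedelta, timezone
HEADER_SIZE = 64   # fixed file header
FIXED_PART = 216   # item bytes before the subject text (offsets 1-216)
def filetime(raw):
    """win32 filetime (100 ns ticks since 1601-01-01 utc); None if out of range."""
    ticks = struct.unpack("<Q", raw)[0]
    try:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)
    except OverflowError:
        return None

def parse_idx(data):
    """return one dict per index item; raise ValueError on any inconsistent size."""
    if len(data) < HEADER_SIZE or data[:4].upper() != b"JMF9":
        raise ValueError("not an idx file")
    count, file_size = struct.unpack_from("<II", data, 8)
    if file_size != len(data):
        raise ValueError("header file size does not match actual size")
    items, pos = [], HEADER_SIZE
    for _ in range(count):
        if pos + FIXED_PART > len(data):
            raise ValueError("item runs past end of file")
        flags, _, entry, _, remaining, _, msg_size = struct.unpack_from("<7I", data, pos)
        end = pos + 16 + remaining   # "remaining size" is counted from item offset 17
        if end > len(data) or end < pos + FIXED_PART:
            raise ValueError(f"entry {entry}: bad remaining size {remaining}")
        cur = pos + 212              # first length-prefixed field (subject size)
        def field():
            nonlocal cur
            if cur + 4 > end:
                raise ValueError(f"entry {entry}: length field past end of item")
            (n,) = struct.unpack_from("<I", data, cur)
            if n > end - cur - 4:    # never trust a stored length beyond the item
                raise ValueError(f"entry {entry}: string length {n} past end of item")
            text = data[cur + 4:cur + 4 + n].rstrip(b"\0").decode("ascii", "replace")
            cur += 4 + n
            return text
        item = {"entry": entry, "read": bool(flags & 2), "message_size": msg_size,
                "received": filetime(data[pos + 194:pos + 202]),
                "sent": filetime(data[pos + 202:pos + 210])}
        for name in ("subject", "sender_address", "sender_name", "pop_server"):
            item[name] = field()
        cur += 5                     # five bytes of unknown purpose
        item["username"], item["account"] = field(), field()
        items.append(item)
        pos = end                    # next item starts right after the padding
    return items
```
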


i can be reached via e-mail at: [email protected] or [email protected]


jeff evans.
