Mail Account Information

Overview

Apple Mail account configuration is stored in Accounts4.sqlite, a shared system-level SQLite database that manages all internet accounts configured on the Mac (not just email). This database contains account identifiers, usernames, account types, authentication status, and the account descriptions visible in Mail.app preferences. The account identifiers in this database correspond to the UUID-based directory names in the Mail data directory, providing the link between account configuration and stored messages.

Mail account data is forensically valuable for identifying which email services a user has configured, whether accounts are active, and which email addresses are associated with the user.

File Locations

This database is shared across all macOS applications that use system-level internet accounts (Mail, Calendar, Contacts, etc.).

Database Schema

ZACCOUNT Table

CREATE TABLE ZACCOUNT (
    Z_PK INTEGER PRIMARY KEY,
    ZACTIVE INTEGER,                    -- 1 = active, 0 = disabled
    ZAUTHENTICATED INTEGER,             -- 1 = authenticated, 0 = not
    ZDATE TIMESTAMP,                    -- Account creation/modification date
    ZACCOUNTDESCRIPTION VARCHAR,        -- User-facing name (e.g., "Work Email")
    ZAUTHENTICATIONTYPE VARCHAR,        -- Authentication method
    ZIDENTIFIER VARCHAR,                -- UUID that maps to Mail directory name
    ZUSERNAME VARCHAR,                  -- Email address or username
    ZDATACLASSPROPERTIES BLOB,          -- Serialized account properties
    ZACCOUNTTYPE INTEGER                -- FK to ZACCOUNTTYPE.Z_PK
);

ZACCOUNTTYPE Table

CREATE TABLE ZACCOUNTTYPE (
    Z_PK INTEGER PRIMARY KEY,
    ZACCOUNTTYPEDESCRIPTION VARCHAR,    -- Account type identifier
    ZIDENTIFIER VARCHAR                 -- Type identifier string
);

Common account type descriptions:

Key Fields for Analysis

Linking Accounts to Mail Directories

The ZIDENTIFIER column contains the UUID that serves as the directory name for that account's mail data:

~/Library/Mail/V10/{ZIDENTIFIER}/
  INBOX.mbox/
  Sent Messages.mbox/
  ...

Forensic Query

-- List all email-related accounts
SELECT
    a.ZIDENTIFIER AS account_uuid,
    a.ZACCOUNTDESCRIPTION AS description,
    a.ZUSERNAME AS username,
    a.ZACTIVE AS active,
    a.ZAUTHENTICATED AS authenticated,
    t.ZACCOUNTTYPEDESCRIPTION AS account_type
FROM ZACCOUNT a
LEFT JOIN ZACCOUNTTYPE t ON a.ZACCOUNTTYPE = t.Z_PK
WHERE t.ZACCOUNTTYPEDESCRIPTION LIKE '%mail%'
   OR t.ZACCOUNTTYPEDESCRIPTION LIKE '%imap%'
   OR t.ZACCOUNTTYPEDESCRIPTION LIKE '%pop%'
   OR t.ZACCOUNTTYPEDESCRIPTION LIKE '%exchange%'
ORDER BY a.Z_PK;

Timestamps

The ZDATE column uses Core Data timestamps (seconds since 2001-01-01 00:00:00 UTC).

SELECT datetime(ZDATE + 978307200, 'unixepoch') AS date_utc FROM ZACCOUNT;

Analysis Notes

• Shared database: Accounts4.sqlite is not specific to Mail.app. It contains accounts for Calendar, Contacts, and other system services. Filter by account type to isolate email accounts.
• Disabled accounts: An account with ZACTIVE = 0 has been disabled but not removed. The associated mail data may still exist on disk.
• Authentication failures: ZAUTHENTICATED = 0 may indicate a recently changed password, expired credentials, or a deliberate attempt to disconnect the account without removing it.
• Never collect passwords: The ZDATACLASSPROPERTIES blob contains serialized properties but actual credentials are stored in the Keychain, not in this database. macfor never extracts passwords.
• Multiple accounts per provider: A user may have multiple accounts of the same type (e.g., two IMAP accounts). Each gets a unique ZIDENTIFIER.
• Account UUID correlation: Cross-reference the ZIDENTIFIER with directory names in ~/Library/Mail/V10/ to determine which EMLX files belong to which account.

Version Differences

Tool Support

References

• Mac OS X 10.9 Artifacts Location - Forensics Wiki
• Apple Mail Forensics - MailXaminer