MBOX File Forensics – Carving The Evidences
Let me blog something about – How to do MBOX file forensics and carve out information from .mbox files collected during data collection as a part of performing email investigations.
MBOX File Forensics Scenario – Carving The Evidences
Today, electronic media is a mine of evidence, which is used by all the Law Enforcement Agencies in the world to extract evidence. Most of the Evidence is gathered from emails that are cached and saved on the user’s hard drive. In the field of Data forensics, mostly emails are taken as evidence which is usually in MBOX format. There are many email clients having emails in the MBOX formats, which usually act as important evidence in case investigation. Some of the email clients are Thunderbird, Apple Mail, Entourage, Evolution, Opera mail, Powermail and more. It is important to know the location of the MBOX file to perform MBOX email forensics and carve evidence from files. Different email client uses different locations for MBOX files. During, the investigation evidence is found as emails which are needed to be analyzed carefully to solve the case. While performing MBOX forensic, firstly we need to find the MBOX file from the culprit’s system. But sometimes these MBOX files are hidden and we need to discover the file.
To make the hidden MBOX file visible you need to follow some steps listed below :
- Go to Control Panel
- Click on the Appearance and Personalization.
- Then select the Folder Option, a window will popup.
- Select View Tab and uncheck the “Hide empty drives in the computer folder” option.
After the forensics investigator got all the MBOX file from the system, now a email viewer needs to be there in the system to view and analyze MBOX file. In MBOX file, there are mainly three components of a MBOX file-
- Header
- Body
- Attachments
But If you don’t have an email viewer for MBOX files in your system, there are numerous tools available in the market that allows you to view and analyze the MBOX file. But, the software suggested and trusted by most of the technocrats is MBOX Viewer Pro.
The tool has various distinct features to provide flexibility in MBOX forensics, these are listed below:-
- Add MBOX file: The Software allows you to browse a MBOX file from any location. The file can be imported from any location on the system.
- Auto Scan: The Software has a unique feature, which automatically scans all the file to load MBOX file. It also indexes all the items in the MBOX file to facilitate the search feature.
- Preview MBOX file: After the files have been scanned the MBOX file can be previewed with their respective attachments.
- Supported Operating system: The Software supports Windows 10, 8 and all other versions. By providing the support for all the versions of Windows operating system facilitates the user.
- Advanced Search feature: The advanced search feature is the most interesting feature as it allows you to search according to the evidences gathered. Emails and attachment are searched using specific email ID, or any number.
- Naming Option: The software provides the users to create names according to their convenience. The names can be subject, subject+date, etc.
- Save and Export: The Software after processing successfully saves the file and has the provision to export the MBOX file into Portable Document Format (PDF).
- Normal view: In normal view, the software shows the sender’s and receiver’s address, subject, body, and attachments of the email etc.
- Hex view: The software shows MBOX files in Hexadecimal view.
- Message header view: The message header includes the details about receiving IP, MD5 value, date of sending and receiving of the file, message id, message size and other body details.
- Attachments: This view shows the attachments like images, word file, pdf file etc. of the emails.
- MIME view: The mime view shows the details related to the servers IP of the sender and receiver.
This is the tool with all such features that allow the investigators to perform MBOX File Forensics. This helps in the easy investigation of digital forensics case, that generally depends on emails.
Exporting in a Valid Format
To present the evidences before the court of Law, it should be in a form of record, so we generally prefer to use software that converts the MBOX files into a readable form. Most of the software only allows you to view the MBOX files not to convert. But it is necessary to convert that file into a presentable format like PDF because the court needs a valid evidence against the guilty. The PDF format is preferred because it is the safest format protected by the password and modification is quite difficult. I know most of the users are facing problem in a thorough investigation of MBOX files. The problem will be resolved by searching for an email examination tool which is not only capable of inspecting files in MBOX format but the other formats. There is very few software available that import and export multiple formats for carving evidence. You need a software which allows you to import the files as MBOX formats to perform an advanced search according to the specific keywords and phrases. The availability of search feature facilitates work of interrogator and reduces the hectic manual searching.
For more convenience, there must be an option to export that MBOX files to another format like Concordance, HTML, EML, PDF, Print, MSG, PST, CSV and TIFF to be produced as a valid report. As some of the formats like Concordance are taken as ideal in Digital Forensic Arena. For detail investigation, we must opt for the software that allows you to work in 360. The report of evidence must be documented for future use. The court only believes documented evidence so, it is mandatory to produce evidence in supported formats.
