Opera MBS Forensics
One of the biggest challenges investigators face during an email investigation is identifying and analysing the type and format of the culprit's mailbox, which proves to be a mine of vital information for forensic examiners. The Opera email client creates an MBS file for POP3 and IMAP accounts. Opera MBS files are basic files that store the individual email messages of a profile.
Starting with the basics of Opera forensics: in Opera mail (formerly known as M2), all the mailbox views, such as Unread, Outbox, Received, Sent and Spam, are available in the All Messages folder. All the subscribed emails are saved in Mailing Lists. One of the most crucial features of Opera mail is filtering, in which it automatically classifies attachments according to their file formats.
Now, let's start the Opera MBS forensics:
Initially, the most crucial artefact that needs to be checked in Opera forensics is the basic email file format. The file format used by Opera mail to save all its email messages is .MBS. In Windows 7, the Opera MBS file is available in: Drive C > User > UserName > AppData > Local > Opera Mail > Mail > Store > Account.
By following the path mentioned above, you will reach the configured account folder. In this folder, a number of sub-folders are listed, all of which are vital from an investigative point of view. Let's proceed with the Opera MBS mailbox analysis:
Cache files of Opera mail are saved in the Cache folder; their names start with "opr" and they are saved with the extension "tmp". Investigators can view these files by using the Opera MBS Viewer utility.
The Opera mail > mail > account.ini file stores evidence about account settings. It keeps the information about each account. During Opera MBS forensics, a user can easily find their account by using the email address and make changes to it.
POP & IMAP Setting
The Opera mail > mail > POP & IMAP folder shows the type of email service used by the user. Do not use both accounts simultaneously because it may create issues for the user. After the account is configured, all the emails appear as a tree structure in the IMAP folder.
The Opera mail > mail > Indexer Folder maintains the log information of the file such as Contact ID, Folder ID, Search ID, Thread ID, Indexer Version etc. Investigators can carve the log evidence from this folder.
Opera MBS mailbox analysis shows that all the configuration settings are stored in the index.ini file (Opera mail > mail > index.ini). To hide the information of email messages, the user has to set the value to ‘1’. If the user makes changes in this file then data may be lost from mail indexing.
The lexicon folder saves the information of the mail database and keeps track of each email. The user can delete this folder but cannot recover it. It will only provide the search option to restore the database.
Opera mail also keeps track of the email messages available in the store folder of the Opera mail folder. The user cannot recover the Omnibase.dat file once deleted.
Opera mail creates a file when a user adds a signature to email messages. A Signaturex.txt file is created in the mail directory, where x indicates the number of accounts configured; the user can view this file by using Opera MBS Viewer.
For Opera MBS mailbox analysis, any freeware email examiner utility, such as Opera MBS Viewer, can be used.
Using the software, investigators can easily scan and examine the email artefacts stored within an MBS file. Whatever the email client, the message header stores the most crucial information associated with a suspect email message. The software helps in analysing and carving evidence from the header, such as Message-ID, Received-SPF, Delivered-To, Return-Path, etc. To begin Opera MBS forensics using Opera MBS Reader, simply add the file to the Opera forensics tool and extract the evidence from the culprit's mailbox.
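The header fields named above can also be pulled out with a short script, shown here as an added example that is not the code of Opera MBS Viewer or of Opera mail. It assumes the raw bytes of one message have already been carved from the MBS file, that headers follow standard Internet message syntax, and that an mbox-style "From " separator line may precede the message; the sample message and the function names are constructed for illustration.

```python
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Header fields the article lists as evidence sources.
HEADERS = ("Message-ID", "Received-SPF", "Delivered-To", "Return-Path")

# Constructed sample message, not real evidence. The first line is an
# mbox-style "From " separator, assumed here to precede each stored message.
SAMPLE = (
    b"From MAILER-DAEMON Mon Jan  1 00:00:00 2024\n"
    b"Return-Path: <bounce@mailer.example.net>\n"
    b"Delivered-To: analyst@example.org\n"
    b"Received-SPF: softfail (example.org: domain of transitioning\n"
    b" bounce@mailer.example.net does not designate 203.0.113.7)\n"
    b"Received: from relay.example.net (relay.example.net [203.0.113.7])\n"
    b"\tby mx.example.org; Mon, 1 Jan 2024 00:00:00 +0000\n"
    b"Message-ID: <constructed-0001@mailer.example.net>\n"
    b"From: Accounts <accounts@example.com>\n"
    b"To: analyst@example.org\n"
    b"Subject: constructed sample\n"
    b"\n"
    b"Body text.\n"
)

def _flat(value) -> str:
    """Collapse folded header whitespace into single spaces."""
    return " ".join(str(value).split())

def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def header_evidence(raw: bytes) -> dict:
    """Summarise the header fields of one carved message for an examiner."""
    text = raw.partition(b"\n")[2] if raw.startswith(b"From ") else raw
    msg = BytesParser(policy=policy.default).parsebytes(text, headersonly=True)
    report = {"sha256": hashlib.sha256(raw).hexdigest()}  # integrity of input
    for name in HEADERS:
        report[name] = [_flat(v) for v in msg.get_all(name, [])]
    report["received_hops"] = [_flat(v) for v in msg.get_all("Received", [])]
    spf = report["Received-SPF"]
    report["spf_result"] = spf[0].split()[0].lower() if spf else None
    # A bounce domain that differs from the visible sender deserves a closer look.
    rp, sender = report["Return-Path"], msg["From"]
    report["return_path_matches_from"] = (
        _domain(rp[0]) == _domain(str(sender)) if rp and sender else None)
    return report
```

Calling `header_evidence(SAMPLE)` returns a dictionary with the four header fields, the unfolded Received chain, the SPF verdict and a SHA-256 of the input, so the extracted values can be tied back to the exact bytes that were examined.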