
Opera MBS Forensics

Published By Ashwani Tiwari
Approved By Aswin Vijayan
Published On April 14th, 2022

One of the biggest challenges investigators face during an email investigation is identifying and analysing the type and format of the culprit’s mailbox, which is a mine of vital information for forensic examiners. The Opera email client creates MBS files for POP3 and IMAP accounts. Opera MBS files are basic files that store the individual email messages of a profile.


Starting with the basics of Opera forensics: in Opera Mail (formerly known as M2), all the mailbox views, such as Unread, Outbox, Received, Sent and Spam, are available in the All Messages folder. All subscribed emails are saved in Mailing Lists. One of the most important features of Opera Mail is filtering, which automatically classifies attachments according to their file formats.

Now, let’s start the Opera MBS forensics:

The first artefact to check in Opera forensics is the basic email file format. Opera Mail saves all its email messages in the .MBS file format. In Windows 7, the Opera MBS files are available in: Drive C > User > UserName > AppData > Local > Opera Mail > Mail > Store > Account.


By following the path mentioned above, you will reach the configured account folder. This folder lists a number of sub-folders, all of which are vital from an investigative point of view. Let’s proceed with the Opera MBS mailbox analysis:

Cache Folder

Opera Mail saves its cache files in the Cache folder; their names start with “opr” and they have the extension “tmp”. Investigators can view these files by using the Opera MBS Viewer utility.


Account.ini File

The account.ini file (Opera mail > mail > account.ini) stores evidence about account settings and keeps the information about each account. During Opera MBS forensics, a user can easily find their account by its email address and make changes to it.


POP & IMAP Setting

The Opera mail > mail > POP & IMAP folder shows the type of email service used by the user. Do not use both accounts simultaneously because it may create issues for the user. After the account is configured, all the emails appear in a tree structure in the IMAP folder.


Indexer Folder

The Opera mail > mail > Indexer folder maintains log information such as Contact ID, Folder ID, Search ID, Thread ID, Indexer Version, etc. Investigators can carve the log evidence from this folder.


Index.ini File

Opera MBS mailbox analysis shows that all the configuration settings are stored in the index.ini file (Opera mail > mail > index.ini). To hide the information of email messages, the user has to set the value to ‘1’. If the user makes changes in this file then data may be lost from mail indexing.


Lexicon Folder

The lexicon folder saves the information of the mail database and keeps track of each email. The user can delete this folder but cannot recover it. It will only provide the search option to restore the database.


Omailbase.dat File

The Omailbase.dat file keeps track of the email messages available in the store folder of the Opera mail folder. The user cannot recover the Omailbase.dat file once it is deleted.


Signaturex.txt File

This file is created when a user adds a signature to email messages. The Signaturex.txt file is created in the mail directory, where X indicates the number of accounts configured; the user can view this file by using Opera MBS Viewer.


For forensic investigation of an Opera MBS mailbox, any freeware email examiner utility can be used, such as Opera MBS Viewer.


Using the software, investigators can easily scan and examine the email artefacts stored within an MBS file. The header of an email message stores the most crucial information associated with a suspect email message. The software helps in analyzing and carving evidence from the header, such as Message-ID, Received-SPF, Delivered To, Return-Path, etc. To begin Opera MBS forensics using Opera MBS Reader, simply add the file to the Opera Forensics tool and extract the evidence from the culprit’s mailbox.
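
As an added example (not part of the original article and not code from the Opera MBS Viewer tool), the Python script below inventories the artefacts described above in a working copy of the mail folder, hashing each file and pulling the header fields named in the previous paragraph from every .mbs file. It assumes each .mbs file holds one RFC 5322 message, optionally preceded by an mbox-style "From " line; the class labels, function names and sample message are constructed for illustration.

```python
import hashlib
import re
from email.parser import BytesHeaderParser
from pathlib import Path

# File-name patterns for the artefacts named in the article (case-insensitive).
ARTEFACTS = {
    "message_store": re.compile(r".+\.mbs", re.I),
    "account_settings": re.compile(r"accounts?\.ini", re.I),  # plural "s": assumption
    "index_settings": re.compile(r"index\.ini", re.I),
    "message_tracking": re.compile(r"omailbase\.dat", re.I),
    "signature": re.compile(r"signature\d+\.txt", re.I),
    "cache": re.compile(r"opr.*\.tmp", re.I),
}
# Header fields the article singles out for examination.
HEADERS = ("Message-ID", "Received-SPF", "Delivered-To", "Return-Path")
# Constructed sample message, not taken from a real mailbox.
SAMPLE_MBS = (b"From sender@example.test Thu Apr 14 10:00:00 2022\r\n"
              b"Return-Path: <sender@example.test>\r\n"
              b"Message-ID: <1@example.test>\r\n\r\nbody\r\n")

def classify(name):
    """Return the artefact class for a file name, or None if it is not listed."""
    for label, pattern in ARTEFACTS.items():
        if pattern.fullmatch(name):
            return label
    return None

def mbs_headers(raw):
    """Pull the headers of interest from one .mbs file (assumed RFC 5322 text)."""
    msg = BytesHeaderParser().parsebytes(raw)
    return {h: [str(v) for v in msg.get_all(h, [])] for h in HEADERS}

def inventory(mail_dir):
    """Walk a working copy of the mail folder; classify and hash each artefact."""
    records = []
    for path in sorted(Path(mail_dir).rglob("*")):
        label = classify(path.name) if path.is_file() else None
        if label is None:
            continue
        raw = path.read_bytes()
        rec = {"name": path.name, "type": label, "size": len(raw),
               "sha256": hashlib.sha256(raw).hexdigest()}
        if label == "message_store":
            rec["headers"] = mbs_headers(raw)
        records.append(rec)
    return records
```

Run `inventory()` against a copy of the mail folder rather than the original evidence, and record the SHA-256 values in the case notes so later examination can be checked against them.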