Opera MBS Forensics
The biggest challenge investigators face during an email investigation is identifying and analyzing the type and format of the culprit’s mailbox. The mailbox proves to be a mine of vital information for forensicators. The Opera email client creates an MBS file for POP3 and IMAP accounts. Opera MBS files are basic files that store the individual email messages of a profile.
Starting with the basics of Opera forensics: in Opera Mail (formerly known as M2), all the mailbox files are available in the All Messages folder of Opera Mail, such as Unread, Outbox, Received, Sent, Spam, etc. All subscribed emails are saved in Mailing Lists. One of the most crucial features of Opera Mail is filtering, in which it automatically classifies attachments according to their file formats.
Now, let’s start the Opera MBS forensics:
The most crucial artifact to check in Opera forensics is the basic email file format. The file format used by Opera Mail to save all its email messages is .MBS. In Windows 7, the Opera MBS file is available in: Drive C > User > UserName > AppData > Local > Opera Mail > Mail > Store > Account.
By following the path mentioned above, you will reach the configured account folder. This folder lists a number of sub-folders, all of which are vital from an investigative point of view. Let’s proceed with the Opera MBS mailbox analysis:
Cache files of Opera Mail are saved in the Cache folder; their names start with “opr” and they are saved with the extension “tmp”. Investigators can view these files by using the Opera MBS Viewer utility.
The Opera mail > mail > account.ini file stores evidence about account settings. It keeps information for each account. During Opera MBS forensics a user can easily find their account by using the email address and make changes in it.
POP & IMAP Setting
The Opera mail > mail > POP & IMAP folder shows the type of email service used by the user. Do not use both accounts simultaneously because it may create issues for the user. After the account is configured, all the mails are shown in the IMAP folder in a tree structure.
The Opera mail > mail > Indexer folder maintains log information about the files, such as Contact ID, Folder ID, Search ID, Thread ID, Indexer Version, etc. Investigators can carve the log evidence from this folder.
Opera MBS mailbox analysis shows that all the configuration settings are stored in the index.ini file (Opera mail > mail > index.ini). To hide the information of email messages, it should be set to the value ‘1’. If the user makes changes in this file, data may be lost from the mail indexing.
The Lexicon folder saves the information of the mail database and keeps track of each email. The user can delete this folder but cannot recover it. It will only provide the search option to restore the database.
Opera MBS forensics also covers the tracking of email messages available in the Store folder of the Opera Mail folder. The user cannot recover the Omnibase.dat file once it is deleted.
This file is created when the user adds a signature to email messages. The Signaturex.txt file is created in the mail directory, where X indicates the number of the configured account; the user can view this file by using Opera MBS Viewer.
For forensic Opera MBS mailbox analysis, any freeware email examiner utility can be used, such as Opera MBS Viewer.
Using the software, investigators can easily scan and examine the email artifacts stored within an MBS file. The email header, whatever the email client, stores the most crucial information associated with a suspect email message. The software helps in analyzing and carving evidence from the header, such as Message ID, Received-SPF, Delivered To, Return-Path, etc. To begin Opera MBS forensics using Opera MBS Reader, simply add the file to the Opera forensics tool and extract the evidence from the culprit’s mailbox.
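The header review described above can also be scripted against a working copy of the Store folder. The following is an added example, not code from the original article or from any Opera MBS tool. It assumes each .mbs file holds a standard RFC 5322 message, optionally preceded by an mbox-style "From " line; the function names and the sample message are constructed for illustration.

```python
import hashlib
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Header fields the article names as evidence sources.
FIELDS = ("Message-ID", "Received-SPF", "Delivered-To", "Return-Path")

def _clean(value):
    """Collapse folded header whitespace; keep None for absent headers."""
    return None if value is None else " ".join(str(value).split())

def parse_mbs(raw: bytes) -> dict:
    """Extract evidential headers from the raw bytes of one .mbs file."""
    # Assumption: an mbox-style "From " separator line may precede the message.
    if raw.startswith(b"From "):
        raw = raw.split(b"\n", 1)[1] if b"\n" in raw else b""
    msg = BytesParser(policy=policy.compat32).parsebytes(raw, headersonly=True)
    record = {name: _clean(msg.get(name)) for name in FIELDS}
    # Each relay prepends its Received header, so reverse to get oldest hop first.
    record["Received"] = [_clean(h) for h in reversed(msg.get_all("Received", []))]
    return record

def triage_store(store_dir) -> list:
    """Hash and parse every .mbs file under store_dir without modifying it."""
    results = []
    for path in sorted(Path(store_dir).rglob("*.mbs")):
        raw = path.read_bytes()  # read-only access to the evidence copy
        entry = {"file": path.name, "sha256": hashlib.sha256(raw).hexdigest()}
        entry.update(parse_mbs(raw))
        results.append(entry)
    return results

# Constructed sample message (not real evidence) so the block runs offline.
SAMPLE = (
    b"From - Mon Jan 01 00:00:00 2024\r\n"
    b"Return-Path: <sender@example.org>\r\n"
    b"Delivered-To: analyst@example.com\r\n"
    b"Received: from mx.example.com (mx.example.com [192.0.2.10])\r\n"
    b"\tby mail.example.com with ESMTP; Mon, 01 Jan 2024 00:00:05 +0000\r\n"
    b"Received: from client.example.org (client.example.org [198.51.100.7])\r\n"
    b"\tby mx.example.com with ESMTP; Mon, 01 Jan 2024 00:00:02 +0000\r\n"
    b"Received-SPF: pass (example.com: domain of sender@example.org)\r\n"
    b"Message-ID: <constructed-0001@example.org>\r\n"
    b"Subject: constructed sample\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    print(parse_mbs(SAMPLE))
```

Recording the SHA-256 of each file alongside its headers lets the extracted values be tied back to the exact evidence file later.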