Opera MBS Forensics

Olivia Dehaviland | May 4th, 2015 | Updates

The greatest challenge investigators face during an email investigation is identifying and analyzing the type and format of the culprit’s mailbox, which proves to be a mine of vital information for forensicators. The Opera email client creates an MBS file for POP3 and IMAP accounts. Opera MBS files are basic files that store the individual email messages of a profile.

Starting with the basics of Opera forensics: in Opera Mail (formerly known as M2), all the mailbox files are available in the All Messages folder, such as Unread, Outbox, Received, Sent, Spam, etc. All subscribed emails are saved in Mailing Lists. One of the most crucial features of Opera Mail is filtering, in which it automatically classifies attachments according to their file formats.

Now, let’s start the Opera MBS forensics:

The most crucial artifact to check in Opera forensics is the basic email file format. Opera Mail saves all its email messages in the .MBS file format. In Windows 7, the Opera MBS file is available in: Drive C > User > UserName > AppData > Local > Opera Mail > Mail > Store > Account.

Following the path mentioned above leads to the configured account folder. This folder lists a number of sub-folders, all of which are vital from an investigative point of view. Let’s proceed with the Opera MBS mailbox analysis:

Cache Folder

Cache files of Opera Mail are saved in the Cache folder; their names start with “opr” and they are saved with the extension “tmp”. Investigators can view these files by using the Opera MBS Viewer utility.

Account.ini File

The Opera mail > mail > account.ini file stores evidence about account settings. It keeps information on each account. During Opera MBS forensics, a user can easily find their account by using the email address and make changes in it.

POP & IMAP Setting

The Opera mail > mail > POP & IMAP folder shows the type of email service used by the user. Do not use both accounts simultaneously, because it may create issues for the user. After the account is configured, all the mails are shown in the IMAP folder in a tree structure.

Indexer Folder

The Opera mail > mail > Indexer folder maintains the log information of files, such as Contact ID, Folder ID, Search ID, Thread ID, Indexer Version, etc. Investigators can carve log evidence from this folder.

Index.ini File

Opera MBS mailbox analysis shows that all the configuration settings are stored in the index.ini file (Opera mail > mail > index.ini). To hide the information of email messages, it should be set to the value ‘1’. If a user makes changes in this file, data may be lost from mail indexing.

Lexicon Folder

The Lexicon folder saves the information of the mail database and keeps track of each email. A user can delete this folder but cannot recover it. It will only provide the search option to restore the database.

Omailbase.dat File

Opera MBS forensics also covers the Omailbase.dat file, which keeps track of the email messages available in the store folder of the Opera mail folder. A user cannot recover the Omailbase.dat file once it is deleted.

Signaturex.txt File

This file is created when a user adds a signature to email messages. The Signaturex.txt file is created in the mail directory, where X indicates the number of the account configured; a user can view this file by using Opera MBS Viewer.

For forensic investigation and analysis of an Opera MBS mailbox, any freeware email examiner utility can be used, such as Opera MBS Viewer.

Using the software, investigators can easily scan and examine the email artifacts stored within an MBS file. The header in any email client stores the most crucial information associated with a suspect email message. The software helps in analyzing and carving evidence from the header, such as Message ID, Received-SPF, Delivered To, Return-Path, etc. To begin Opera MBS forensics using Opera MBS Reader, simply add the file to the Opera forensics tool and extract the evidence from the culprit’s mailbox.
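The header fields listed above can also be pulled from a working copy of an MBS file with a short script. This is an added example, not code from Opera MBS Viewer or Reader; it assumes the MBS file is mbox-style plain text in which each message starts with a "From " separator line, and the function names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
from email import policy
from email.parser import BytesHeaderParser
from pathlib import Path

# Header fields the article names as key evidence.
HEADERS = ("Message-ID", "Received-SPF", "Delivered-To", "Return-Path")

# Constructed sample data, not taken from a real mailbox.
SAMPLE_MBS = (
    b"From alice@example.test Mon May  4 10:00:00 2015\n"
    b"Return-Path: <alice@example.test>\n"
    b"Delivered-To: bob@example.test\n"
    b"Received-SPF: pass (constructed sample) client-ip=192.0.2.10\n"
    b"Message-ID: <msg-001@example.test>\n\nbody one\n\n"
    b"From carol@example.test Mon May  4 11:00:00 2015\n"
    b"Message-ID: <msg-002@example.test>\n\nbody two\n"
)

def sha256_of(path):
    """Hash the evidence file so later copies can be verified against it."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def split_messages(raw):
    """Split on 'From ' separator lines (assumption: MBS is mbox-style)."""
    chunks = []
    for line in raw.splitlines(keepends=True):
        if line.startswith(b"From "):
            chunks.append([])            # separator line opens a new message
        elif chunks:
            chunks[-1].append(line)
    return [b"".join(c) for c in chunks]

def extract_headers(mbs_path):
    """Return one dict per message; a header that is absent maps to None."""
    parser = BytesHeaderParser(policy=policy.default)
    rows = []
    for chunk in split_messages(Path(mbs_path).read_bytes()):  # read-only access
        msg = parser.parsebytes(chunk)
        rows.append({h: (str(msg[h]) if h in msg else None) for h in HEADERS})
    return rows

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "sample.mbs"
        sample.write_bytes(SAMPLE_MBS)
        print(sha256_of(sample), extract_headers(sample))
```

Run it against a copy of the evidence file rather than the original, and record the hash before and after analysis.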