Pegasus Mail Forensics to Carve Out Culpable Evidence

author
Published By Anurag Sharma
Anuraag Singh
Approved By Anuraag Singh
Published On May 28th, 2015
Reading Time 6 Minutes Reading
Category Forensics

The age of pervasive computing technology has expanded the doors for criminal activities. Now days, it has been observed that the most common type of litigation case in the court of law is theft of intellectual property. Generally such type of cases involves an employee who has passed on valuable company related information to the third-party through email messages. To deal with cases where the employee violates organizational norms, the law enforcement agencies take the help of forensic investigation team which can carve out suitable evidence so as to prove the accusatory guilty before law.

When forensic investigators deal with such type of cases, they need to perform thorough analysis of the email client and its messages. Now, how can the forensic examiners carve out evidence if the email client involved over here is Pegasus Mail? Before going into the forensic details, let’s first have an understanding into Pegasus email application.

Get an Insight to Start Pegasus mailbox analysis

Pegasus Mail is a free electronic emailing application which has been designed with myriad of excellent attributes to provide secured form of communication on Windows Operating system. It has been built around with impressive set of features to filter incoming messages and to control spamming with the use of Content control and Spamhalter filtering techniques. Further, the mail client supports multiple POP and IMAP accounts from one single account.

Getting Started With Process of Extracting Evidence

During the procedure of Pegasus mailbox analysis, we need to understand first its basic mechanism related to the storage of files and folders.

An email application such as in Pegasus, it is quite normal that there is interaction of two servers. One is for incoming and the other one is for outgoing. Whenever a user requires to read out a mail message, the Pegasus email client connects to the specific mail server by employing any of the protocols:

  • IMAP
  • POP (Post Office Protocol)
  • MAPI

Whenever forensic investigations are carried out by examiners, the protocol which is used for gathering incoming messages is not of that interest. Here, the most important thing is how the role of these protocols affects where the email messages are saved.

Taking a Deep Delve Into the Storage Location of Messages

Pegasus mailbox analysis shows that messages are saved in the PMAIL folder. Now we need to have a look into the details of PMAIL folder.

Pegasus Mail Forensics

 

Files Located In Pmail and WinPMail New-Mail Directory

CNM: When a new message arrives, it will have a file extension of .CNM .Thus, this type of file extension refers to the actual arrival of a message. The filename associated with the mail messages are unique, and so they are referred as message id. The actual name of such type of files normally begins P which refers to a POP3-delivered message.

The location of the CNM file extension messages is given as follows:

CMM

pop

Scooping Out Evidence via Pegasus Mail Forensics

The structure of the messages in the New Mail folder is somewhat different. Here, each messages stored as individual files whereas other folders like junk or main folder have all their messages stored in a .PMM file with a corresponding index file that has .PMI extension. So, for each folder, there is a file pair.

PMF: These files are considered to be attachment files. These are formed when local messages are sent with attachments. They are indicated with message that has a p

PMN: These are referred to as annotation files and are associated with their relevant messages through message id.

PML: These files are associated with a distribution list. Distribution list are text files with each line having one email address. Suppose, a message is sent to @<file>.PML. Here @ refers that a particular message is end to all the email address present in the distribution list. So, one can easily find it out that which all email address, the employer has sent messages.

CACHE.PM: This file can provide important information about the folders list which was used the last time P mail was started. So forensic examiners can get a look into the folders in which it can provide details to the activities of the employees.

During Pegasus mail forensics, deleted messages often provide lot of important clues which can bring about an up twist in litigation cases. If important messages about the company have been exchanged by the employee to some other parties or competitors then recovering deleted messages can cater culpable evidence. To find out whether there were any messages deleted from Pegasus mail, forensic investigators can simply perform re-indexing of that folder from Pegasus.

Restoring Deleted Folders

Generally the employees in such type of cases also deleted the messages folder. If there are any messages in the deleted messages folders then probably these message can be retrieved again by selecting the “Reindex folder” option during Pegasus mailbox analysis.

Pegasus Mail Forensics

Once this option has been selected it will display a message given as follows

rebuild

And the deleted messages will be shown once again the list of folders.

messages

Extraction of Password

Normally, it’s not possible for investigators to gain access to the configured POP client in Pegasus mail. However, a small kind of work over can make this really possible to forensically analyze Pegasus mail password.

In Pegasus Mail interface, under the “Tool” option, select Internet options and when a window appears, enable the option “Create internet session logs (advanced diagnostic use only).

Pegasus Mail Forensics

This will create a file TCP0001. WPM in the mailbox directory.

WPM-file

On opening this file with a text editor, one can find out the Pegasus mail password for the configured POP client.

password-detail

By logging in with the credentials in the text file we can carve out other evidence from the configured email client.

As such kind of crime proliferates on a wider scale, it is obvious that law enforcement agencies will neverhave the required time and effort to investigate on these case. For fairer prosecution of internet related criminal activity, they take the help of investigation agencies who have the potential to scoop out evidence. All those procedures mentioned above can help forensic investigators to carve out important clues from Pegasus Mailbox analysis. This evidence can act as inculpatory or exculpatory evidence and therefore if presented before law can prove the defendant guilty or free of crime. Further, there are much better forensic tools available in the market which can help forensic examiners to exhibit information related to the crime more precisely.