eM Client Forensics – Analyze Mailbox Data of eM Client

MailXaminer | April 29th, 2020 | Forensics

eM Client is an email client application which was developed in the year 2006. It rapidly captured a lot of user’s attention as compared to several other renowned desktop-based email applications. This Windows and macOS based specific application served a huge variety of configuration options and other features. This application is a powerful platform as it doesn’t just serve emailing, but also offers PIM (Personal Information Manager) services along with IM (Instant Messaging) feature. A quickly accessible sidebar is also available that brings together all the virtual assistants on one screen which makes it end-user friendly.

Along with the support of Windows configuration, the client also supports all major email services used heavily worldwide for communication. eM Client makes it easy to migrate user’s messages from Gmail, Outlook, Exchange, iCloud, etc. to eM Client.

And regardless of how fast-paced technology is, emails are still one of the most preferred mediums of electronic communication as well as the source and target of malicious cyber activities. In this article, we have discussed the construction and operations of eM Client forensics and how it can be studied from an analysis point of view to extract out crucial information for eDiscovery purposes.

The Email Database: Storage & Format

Path of the Data Storage:

eM Client mailbox has a default database storage for all of its components such as Attachments, Category, Contact_data, Contact_Index, Event_data, Event_Index, Folders, IM, Mail_data, Mail_fti, Mail_index, Mail, Privacy_list, Task_data, Task_index, Timezones.

The path for the storage of the component data and information are as follows:

eM Client Forensics Storage

Data File Type:

eM Client consists of three types of file formats used for storing the component data and information associated with the client. The three file types that are generated by default in the store folder that helps in eM Client forensics are as follows:

1. .DAT: This is the standard data file format consisting of data that is accessed or composed by eM Client. DAT files can be opened easily in case of some specific programs like eM Client. However, DAT files that are created as a text file can be opened and viewed without client availability. Therefore, it can be accessed by some manual means but eM Client analysis is the only application that can use and operate it. There are mainly three components for which a DAT file is created i.e. Certificate, Telemetry, and Security.

2. .DAT-SHM: An SHM or shared-memory DAT file consists of no persistent information. The sole purpose of an SHM file is to render a shared memory block that can be used by multiple numbers of processes to access a common database under WAL mode. Shared memory files only exist while running in a WAL mode. Both WAL and Shared-Memory files are interrelated, i.e. both share the same lifetime. An SHM is created when a WAL file is generated and if SHM is deleted then it’s corresponding WAL will be deleted too. When a WAL file is being recovered, the SHM file is also recreated but from scratch which depends on the recovered contents of the WAL file.

3. .DAT-WAL: SQLite started supporting a new type of control mechanism for transactions, i.e. WAL (Write-ahead log). .dat-wal file or a database suffixed with –wal denotes that file is in WAL mode. This means that connections made to the respective database are using WAL as well. A WAL file is located in the same folder as that of the database and has the same file name with a string appended to it – “-wal”. Forensically, to examine what is associated with a WAL file, the database is opened and its content is written or checkpointed to the main data. However, this may come with several problems:

  • a. Old information in the main data file could be overwritten by the information extracted from the WAL file. It may have lost the potentially valuable data that can be used as evidence.
  • b. The unused spaces within a WAL file could consist of deleted data.

ActiveSync & Unfiltered Spam: Configuration Tip

eM Client can import the user’s data directly from the previous email client program that was installed on the current device. Some of the supported applications are Microsoft Outlook, Windows Address Book, Microsoft Outlook Express, Windows Live Mail, Windows Mail (Vista), Thunderbird, and The Bat!

Users can also import data from separate files. Options are available to import messages from EML and MBOX files, contacts from CSV and VCF files, and items of the calendar from ICS files. If the user previously had installed eM Client and saved the settings, then the user can also import all eM Client settings from .xml files.

The configuration with other email applications also promotes the unfiltered download of spam messages and junk folders. Downloading the data along with images and attachments promotes the entry of malicious content. It may put the eM Client database under threat of vulnerability that leads to corruption.

NOTE: In case, if the database gets corrupted anyhow then, eM Client can solve the issue itself. eM Client comes with a DB Repair application which is located in its Program Files folder. Running the tool will execute a consistency check on the database to find the problematic issues and repair them.

Nevertheless, eM Client is not responsible for the vulnerabilities of downloading spam along with internal media but ActiveSync is. However, the eM client analysis may download viruses and other malicious programs into the system. They unknowingly execute and may put the database under a more severe threat.

Promotes Spamming & Undisclosed Emailing

The application has a “Send As Mass Mail” option that promotes problematic activities like spamming, email bombing, etc. This makes it worst as:

  • Firstly, mass messaging can be done without disclosing the recipients about other recipients.
  • Secondly, these facilities are unrestrictedly served in the client’s 30 days freeware version.

Spamming Emails

Evidentially Crucial Data: Storage and Backup

Apart from DAT, DAT-SHM, & DAT-WAL file types, eM Client forensics is capable of storing its data in some other file types too:

1. EML: Within the export option of the application, eM client mailbox analysis gives a choice to store each email as a single text message in EML file format.

Traversing an EML Message: Reading the contents and structure of a file with .eml extension is more feasible. Internal information and structure of a single email file with EML file format can be examined using the Notepad or any available text editor. For example, an email received in the Inbox of eM Client mailbox can be easily traversed using Notepad. The data file have the following information that may be crucial from an investigative point of view:

  • a. SPF & DKIM: An SPF always has the purpose of describing the mail server that permits to transmit messages for a particular domain. It can be used to avoid “fail” mail ID. The SPF values are safe when “neutral” or “pass” but if it is “fail” then, the message shall not be received at the receiver’s end as it would have been rejected already by the exchanger. Whereas, a DKIM, i.e. the DomainKeys Identified Mail is a source of related domain with an email. It further allows the organization to be liable for an email in such a way that a recipient can validate it.

eM Client Forensics - SPF & DKIM

  • b. DKIM Signature: In eM client email forensics, the DKIM signature is used by the SMTP receiver of a message to verify that whether the one claiming to be the sender of the email is genuine or not. Any tampering done with the message can also be detected. The public key can also be retrieved to verify the sender and with the help of its ‘s’ & ‘d’ fields a manual query against DNS can be generated to get a TEXT resource record of the host.

DKIM Signature

  • c. Message-ID: Each email has a unique message ID that can be used to verify its authenticity. It is put into an email header either by the MUA or its first MTA.

Message ID

  • d. Received From: The server involved in sending or relaying the message at a given point is shown in this portion of the header.
  • e. Received By: This column of the header indicates the server name or the IP address to which the message was received.

Received

TIP: Investigators during eM client forensics tend to follow the strict methods to cut short the time duration of an investigation. Thus, third party email forensic tools have been on the rise as a result. MailXaminer is a dedicated, quick & convenient email forensic analysis platform with full support for EML files & many others which are also trusted by Law Enforcements.

2. vCard: Contacts of the selected category are exportable into vCard (VCF file). While choosing the file creation type, i.e. single VCF for all contacts or a vCard file, export location for the file can also be chosen.

3. ICS: Similar customization applies to ICS files however, they are generated while exporting both events and tasks. Message-ID of the current message and any previous message received from the same sender can be matched to verify whether the sender of the message is the one who it claims to be.

4. XML: Settings, Rules, Accounts, and Save Passwords are exportable into the XML file format at the preferred location. However, note that while saving the passwords, exportation may prompt for a Custom Password to add an additional layer of security.

Along with this, eM client forensics also permits the backup of DAT files for all the components in a zipped archive folder at a user-defined location. MailFTI to Mail data along with attachment, contacts, security, certificate, folders, IM Data, etc., included in the backup which can be restored from the client’s File menu even in case of any inconsistency.

eM Client Forensics

Final Observation

eM Client seems to be an extremely user-friendly email platform that comes along with PIM facilities. It provides an easy way to offenders for committing offenses like; email bombing, spamming, sharing of intellectual property with an intervening party without letting the recipient know the same. The manipulation of digital information has become unimaginably easier. But the detection of traces left during such activities has parallelly grown stronger & become more feasible. This application helps to trace the illegal activities with numerous methods and platforms available in eM Client forensics such as data files, storage database, and email headers, etc.