
Eudora Mailbox Forensic Analysis

Creative Team | January 15th, 2015 | Forensics

Eudora is an email application that was acquired by Qualcomm in 1991. It was initially available for free and was later commercialized. Eudora comes in three modes: Sponsored, Paid, and Light. The facilities, added benefits, security, authentication, add-ins, etc. available in the application depend entirely on the mode. Paid mode offers the full feature set without advertisements; Sponsored mode offers the full feature set with sponsors’ advertising; and Light mode is an upgraded version of the free version with minimal features.

Despite the integration of spam filters and link-tracing features, the Eudora application is no exception when it comes to being part of numerous litigation cases. Its security layers are targeted at every level, and investigators face new challenges. A Eudora email application under investigation conceals much evidence, so investigators must have detailed knowledge of the application. The sections below examine the forensic outlook on the Eudora mailbox application by digging into its architecture for further analysis.

Eudora Mailbox Forensic Analysis: Finding the Emails of the Eudora Application

Eudora supports both IMAP and POP mail accounts, and in both cases messages are stored on the local drive of the system. For IMAP accounts, Eudora downloads a copy of the emails and saves it locally; messages remain on the server until the user views them. Generally, the “Dominant” directory, available as the top-level directory, stores the mailboxes and directories defined for an IMAP account.

POP Mailboxes Path: [screenshot not reproduced]

IMAP Mailboxes Path: [screenshot not reproduced]

Windows Registry Location: [screenshot not reproduced]

Quick Tip: The storage location may have been customized when the settings were configured. If you cannot find the Eudora data files, search for the “eudora.ini” file; the directory containing this file must be the Eudora data directory.


Eudora Email Application Data Storage

Eudora stores emails in MBOX (.mbx) files. A separate file is created for each mailbox: for example, In.mbx is created for the Inbox and Junk.mbx for Junk. Note that Eudora saves attachments in a separate “attach” directory. The same is done for embedded images (images that appear within messages), which are stored in a separate “embedded” directory. Investigators should also examine the other files present, such as mailbox directories and additional file types.

Mailbox: The most important source of evidence is the emails, which are stored as mailboxes in the form of .MBX files. A mailbox is a sequence of emails, so all emails belonging to the same folder are stored in the same file. Associated files with similar names but different extensions will also be present, such as .toc and .inf. For POP accounts, the In and Out mailboxes are stored in the top-level Eudora directory; for IMAP accounts, they sit a few levels down, in the Eudora>>IMAP>>Dominant directory.

    • MBX (.mbx): Eudora’s mailbox files are saved with the .mbx extension. These mailboxes are not necessarily displayed with that extension; it depends on the system’s Folder Options settings. In.mbx, Trash.mbx, Out.mbx, etc. are created.
    • TOC (.toc): A Table of Contents (TOC) file is created for every MBX file. There is also an nndbase.toc, which holds the contents of the Address Book (such as nicknames).


Directories: Eudora creates nested mail directories to organize mailboxes. For POP accounts, directories are saved with the .fol extension, and one or more mailboxes may be nested within such a directory. IMAP accounts do not use the .fol extension.

Nicknames: Email addresses and their associated nicknames are stored in a file named “nndbase”. As part of the Eudora address book, it is located in the top-level Eudora directory and may also be found in a “Nickname” subdirectory. Outbox messages may show only the nickname, without the email address, in the “To” field.

Attachments: Email attachments are stored in a separate “attach” directory. POP accounts have one “attach” directory at the top level. IMAP accounts also have an “attach” directory, nested in the associated mailbox directory. Eudora marks each related message with the path to the attachment file’s location, which examiners should note when reviewing message contents.
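As an added example (not code from the original post), the following Python script splits a Eudora .mbx file on the “From ???@???” separator line that Eudora writes before each message, parses each message’s headers, and collects the attachment paths Eudora leaves in the message body for files it has moved to the “attach” directory. The mailbox content is constructed, and the “Attachment Converted:” marker is assumed to be the form Eudora for Windows writes into the body.

```python
import re
import email
from email import policy

# Constructed sample of an In.mbx file (not a real capture). Eudora starts each
# message with a "From ???@??? <date>" line and, when it has moved an attachment
# to the "attach" directory, leaves a line in the body pointing at that file.
SAMPLE_MBX = (
    "From ???@??? Mon Jan 12 09:14:02 2015\n"
    "From: alice@example.test\n"
    "Subject: quarterly numbers\n"
    "Date: Mon, 12 Jan 2015 09:13:50 +0000\n"
    "\n"
    "Numbers follow next week.\n"
    "\n"
    "From ???@??? Tue Jan 13 11:02:45 2015\n"
    "From: carol@example.test\n"
    "Subject: invoice\n"
    "Date: Tue, 13 Jan 2015 11:02:30 +0000\n"
    "\n"
    "See attached.\n"
    "\n"
    'Attachment Converted: "C:\\Eudora\\attach\\invoice.pdf"\n'
)

SEPARATOR = re.compile(r"^From \?\?\?@\?\?\? .*$", re.MULTILINE)
ATTACH_LINE = re.compile(r'^Attachment Converted: "(.+)"\s*$', re.MULTILINE)

def read_mbx(path):
    """Read an .mbx file; Eudora mailboxes are not guaranteed to be UTF-8."""
    with open(path, encoding="latin-1", errors="replace") as fh:
        return fh.read()

def split_messages(mbx_text):
    """Return the raw text of every message in the mailbox, in file order."""
    parts = SEPARATOR.split(mbx_text)
    return [p.lstrip("\n") for p in parts[1:]]  # parts[0] precedes the first separator

def summarize_mailbox(mbx_text):
    """Parse each message and record sender, subject, date and attachment paths."""
    records = []
    for raw in split_messages(mbx_text):
        msg = email.message_from_string(raw, policy=policy.default)
        records.append({
            "from": str(msg["From"]),
            "subject": str(msg["Subject"]),
            "date": str(msg["Date"]),
            "attachments": ATTACH_LINE.findall(raw),  # paths Eudora wrote into the body
        })
    return records
```

Run `summarize_mailbox(read_mbx("In.mbx"))` against a copied mailbox to list each message with the attachment paths an examiner should then locate in the “attach” directory.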

Embedded Files: These are images that form part of a message and are displayed within it. All such files are stored in the “embedded” directory under the top-level Eudora directory.

Note: During an investigation, the storage files are not the only items of interest; the other directories and settings files should also be analyzed to establish what settings the user applied in Eudora. This also helps trace deleted data or re-create the files for examination with other tools.

Eudora Email Application Settings Files

Investigators will not always have time to recreate the Eudora environment by copying the storage and settings files to another machine. In such cases it is better to examine the available settings and storage files directly. The following section explains the forensic significance of Eudora’s other settings files.

  • eudora.ini: This file holds almost all of the Eudora settings made by the user. It can be read by opening it in Notepad, and the settings can also be changed there. Deleting the file resets all settings.
  • deudora.ini: Online mail settings are stored in deudora.ini, along with the Registration Information that keeps Eudora in Paid mode.
  • filters.pce: The names and extensions of Eudora filters are stored in the Filters folder, where the full information for each filter is available.


Security Layers & Authentication For Emails


Eudora supports the Secure Sockets Layer (SSL) security protocol for transferring information; it is available in the Paid and Sponsored modes only.

Secure Sockets While Sending/Receiving: Required, STARTTLS (Windows); Required, TLS (Mac). Eudora has improved handling of SSL and allows the server to be authenticated when sending and receiving email.

Note: SSL settings can differ between the Dominant personality and other personalities, depending on how each is configured.


Authentication: S/MIME is supported. Authentication styles for incoming mail include Passwords, APOP, RPA, Kerberos, etc. Signing or encryption of emails is also allowed.

Other Security Options

  • Bayesian spam filtering was added with SpamWatch in Eudora 6.0.1.
  • A ScamWatch feature was added in Eudora 6.2; it flags suspicious or malicious links within emails to improve URL protection and help prevent email phishing. It is available in Paid mode only.
  • Ultra-fast search, which traces any email by one or more criteria, was integrated in Eudora 7.0.

Protocols Supported: Eudora supports the POP3, SMTP and IMAP protocols.

Conclusion:

To begin a detailed analysis of the Eudora application, it is necessary to know where to start. Knowing the locations of the storage and settings files resolves many tasks in a Eudora investigation. To perform thorough Eudora email forensics in bulk, professional applications such as data recovery software, MailXaminer, etc. are dependable options. Such tools present the emails in an organized form, which makes it easy for investigators to carve the necessary artifacts from the collected data.