Eudora is an email application that was acquired by Qualcomm in 1991. It was initially available for free and was later commercialized. Eudora comes in three modes: Sponsored, Paid, and Light. The availability of facilities, added benefits, security, authentication, add-ins, etc. depends entirely on the mode of the application. Paid mode comprises the full feature set without advertisements; Sponsored mode offers the full feature set with sponsors’ advertising; and Light mode is an upgrade to the free version with minimal facilities available.
Despite the integration of spam filters and link-tracing features, Eudora is no exception when it comes to being part of numerous litigation cases. Its security layers are targeted at every level, and investigators face new challenges. A Eudora installation under investigation conceals a great deal of evidence, so investigators must have detailed knowledge of the application. The section below takes a forensic look at the Eudora mailbox application, digging into its architecture for further analysis.
Eudora supports both IMAP and POP mail accounts, and in both cases the messages are stored on the local drive of the system. For IMAP accounts, Eudora downloads a copy of the emails and saves it locally. Until the user views them, the messages are stored on the server. Generally, the “Dominant” directory, which is available as a top-level directory, stores the mailboxes and directories defined for an IMAP account.
POP Mailboxes Path:
IMAP Mailboxes Path:
Windows Registry Location:
Quick Tip: The storage location may have been customized during configuration. If you are unable to find the Eudora data files, search for the “eudora.ini” file. The directory that contains this file must be the Eudora data directory.
Eudora stores emails in MBOX (.mbx) files. A separate file is created for each mailbox. For example, an In.mbx file is created for the Inbox and a Junk.mbx file is created for Junk. Note that Eudora saves attachments in a separate “attach” directory. The same is done for embedded images (images that appear within the messages), which are stored in a separate “embedded” directory. Investigators should also examine the other files available, such as mailbox directories and additional file types.
Mailbox: The most important source of evidence is the emails, which are stored as mailboxes in the form of .MBX files. A mailbox is a string of emails, so all the emails belonging to the same folder are stored in the same file. Associated files with the same name but different extensions, such as .toc, .inf, etc., will also be present. For POP accounts, the In and Out mailboxes are stored in the top-level Eudora directory; for IMAP accounts, they sit a few levels down, in the Eudora>>IMAP>>Dominant directory.
Directories: Eudora creates nested mail directories to organize mailboxes. For POP accounts, the directories are saved with the .fol extension, and one or more mailboxes may be nested in such a directory. There is no such extension (.fol) for IMAP accounts.
Nicknames: Email addresses and their related nicknames are stored in a file named “nndbase”. As part of the Eudora address book, it is available in the top-level Eudora directory and can also be found in a “Nickname” subdirectory. Outbox messages might show nicknames without the email address in the “To” field.
Attachments: Email attachments are stored in a separate “attach” directory. POP accounts have one “attach” directory at the top level. IMAP accounts also have an “attach” directory, nested in the associated mailbox directory. Eudora marks the related messages with the path to the attachment file’s location. This point must be kept in mind while examining the contents.
Embedded Files: These are files, such as images, that are part of a message and are displayed within it. All of them are stored in the “embedded” directory, which sits under the top-level Eudora directory.
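The attachment marking described above can be checked mechanically. The following is an added example, not code from the original article: it splits a mailbox into messages and lists every recorded attachment path, flagging files that are no longer present in the “attach” directory. It assumes the commonly documented Eudora markers, which the page itself does not give: a `From ???@???` separator line and an `Attachment Converted:` stub line. The sample mailbox and its paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Assumed markers (not given on the page): the message separator line and
# the stub line Eudora leaves in the body where an attachment was detached.
SEPARATOR = re.compile(rb"^From \?\?\?@\?\?\? ", re.M)
ATTACHED = re.compile(rb'^Attachment Converted: "?([^"\n]+?)"?[ \t]*$', re.M)

# Constructed sample: two messages as they might appear inside In.mbx.
SAMPLE_MBX = (
    b"From ???@??? Mon Mar 03 10:15:00 2003\r\n"
    b"From: alice@example.com\r\nSubject: Invoice\r\n\r\n"
    b"See attached.\r\n"
    b'Attachment Converted: "C:\\EudoraData\\attach\\invoice.pdf"\r\n'
    b"From ???@??? Mon Mar 03 11:40:00 2003\r\n"
    b"From: bob@example.com\r\nSubject: Photos\r\n\r\n"
    b'Attachment Converted: "C:\\EudoraData\\attach\\trip.jpg"\r\n'
)

def split_messages(raw):
    """Split raw .mbx bytes into one bytes object per message."""
    raw = raw.replace(b"\r\n", b"\n")
    starts = [m.start() for m in SEPARATOR.finditer(raw)]
    return [raw[a:b] for a, b in zip(starts, starts[1:] + [len(raw)])]

def subject_of(message):
    head = message.split(b"\n\n", 1)[0]          # header block only
    m = re.search(rb"^Subject:[ \t]*(.*)$", head, re.M | re.I)
    return m.group(1).decode("latin-1") if m else ""

def attachment_report(raw, attach_dir_names):
    """One row per recorded attachment; 'present' is False if the file is gone."""
    present = {name.lower() for name in attach_dir_names}
    rows = []
    for index, message in enumerate(split_messages(raw)):
        for m in ATTACHED.finditer(message):
            # PureWindowsPath parses the recorded path on any examiner OS.
            path = PureWindowsPath(m.group(1).decode("latin-1"))
            rows.append({"message": index,
                         "subject": subject_of(message),
                         "recorded_path": str(path),
                         "present": path.name.lower() in present})
    return rows

if __name__ == "__main__":
    for row in attachment_report(SAMPLE_MBX, {"invoice.pdf"}):
        print(row)
```

A row with `present` set to False points to an attachment that was deleted or moved after the message was received, which is a lead for recovery from the disk image.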
Note: During an investigation, the storage files are not the only important items; it is also important to analyze the other directories and settings files to determine what settings the user applied in Eudora. This also helps to trace deleted data or re-create the files for examination with various other tools.
Investigators will not always have time to re-create the Eudora environment by copying the storage and settings files to another machine. In such urgent cases it is better to examine the available settings and storage files directly. The section below explains the forensic significance of other Eudora settings files.
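As an added example (not part of the original article), the script below applies the Quick Tip and the artefact list above to a mounted evidence copy: it locates the data directory by searching for “eudora.ini”, then inventories mailboxes, .fol directories, the nickname file, and the “attach” and “embedded” directories, hashing each mailbox so later analysis can be tied to the acquired file. The function names and the result layout are assumptions made for illustration.

```python
import hashlib
import sys
from pathlib import Path

def find_data_dirs(root):
    """Directories under root that hold eudora.ini (case-insensitive match)."""
    return sorted({p.parent for p in Path(root).rglob("*")
                   if p.is_file() and p.name.lower() == "eudora.ini"})

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:                 # read-only, in 1 MiB chunks
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(data_dir):
    """Group the artefacts named on this page, with paths relative to data_dir."""
    data_dir = Path(data_dir)
    found = {"mailboxes": [], "folders": [], "nicknames": [],
             "attach": [], "embedded": []}
    for p in sorted(data_dir.rglob("*")):
        rel, name = p.relative_to(data_dir).as_posix(), p.name.lower()
        if p.is_file() and name.endswith(".mbx"):
            found["mailboxes"].append({
                "path": rel,
                "sha256": sha256_of(p),
                # Companion table-of-contents file with the same base name.
                "has_toc": p.with_suffix(".toc").exists()})
        elif p.is_dir() and name.endswith(".fol"):
            found["folders"].append(rel)         # POP mail directories
        elif p.is_file() and p.stem.lower() == "nndbase":
            found["nicknames"].append(rel)       # address book entries
        elif p.is_dir() and name in ("attach", "embedded"):
            found[name].append(rel)              # top-level and nested IMAP copies
    return found

if __name__ == "__main__":
    # Usage: python inventory.py <mounted evidence root>
    for data_dir in find_data_dirs(sys.argv[1]):
        print(data_dir, inventory(data_dir))
```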
Eudora supports the Secure Sockets Layer (SSL) security protocol for transferring information; it is available in the Paid and Sponsored modes only.
Secure Sockets While Sending/Receiving: Required STARTTLS – (Windows), Required (TLS) – Mac. Eudora has improved handling of SSL (Secure Sockets Layer), and it allows authenticating the server used to send/receive emails.
Note: SSL settings can vary between the Dominant personality and other personalities, depending on how each was configured.
Authentication: S/MIME Authentication with Style for Incoming Mails: Passwords, APOP, RPA, Kerberos, etc. Signing or encryption is also allowed for emails.
Protocols Supported: POP3, SMTP and IMAP protocols are supported by Eudora.
To initiate a detailed analysis of the Eudora application, it is necessary to know where to start. The availability of storage and settings files can resolve many tasks in a Eudora investigation. To perform thorough Eudora email forensics in bulk, professional applications such as data recovery software, MailXaminer, etc. are authentic options. Such tools present the emails in an organized manner, which makes it easy for investigators to carve the necessary artifacts out of the collected evidence.