
How To Initiate Incredimail Mailbox Forensics?

MailXaminer | February 11th, 2015 | Forensics

Incredimail is widely regarded as the perfect choice for people who like animations, 3-D effects, background pictures, special fonts and similar extras in their email client. With so many special effects it may not be an ideal business emailing tool, but it is certainly a creative application loved for the liveliness it brings.

How Does Incredimail Save Email Data?

The very first question that arises during Incredimail mailbox forensic analysis is where the default database is stored. When Incredimail is configured with a mail account, its database is saved by default in the “C:\Users\%username%\Appdata\Local\IM\Identities” folder.

The emails of every folder are saved under the “Identities\{longstring}\Message Store” folder. Here the messagestore.db file will be found, which stores the application metadata (messages) in a relational data model. Incredimail uses SQLite3 to save and manage this database.

When the SQLite database is examined, it can be observed that, apart from the messagestore.db file, other directories have been created. While these folders store the actual data, the .db file stores pointers to the data folders for quick access.

[Screenshot: message store location]

For Windows XP:

In Windows XP, the email information of IncrediMail is saved in IMM files. To check the location of the message folder, click on “Tools” and go down to “Options”.

In the “General” tab, click on the “Data Folder Settings” button. Copy the location and paste it into the address bar of Windows Explorer. Open the “Identities” folder >> “String of Numbers” >> “Message Store Folder”, and there you will find the IMM files. An IMM file is created for every mail folder.

[Screenshot: folder settings]

[Screenshot: Application Data\IM folder]

However, it should be noted that the IMM file stores only the raw mails and not the attachments. The index information of the IMM files is saved in an IMH file, also known as the header file, which includes details such as sender, receiver, etc. Then there is the Attachments directory, which holds all the email attachments, be they pictures, programs or documents.

Later Windows Editions:

Individual emails of the mail client are saved in IML files, which are similar to EML files.

[Screenshot: messages folder]

[Screenshot: message properties]

Backup Options in Incredimail

If the premium version of Incredimail (i.e. Incredimail Plus) is used, there is an option to back up the account data into a format that can be easily accessed on any computer with Incredimail installed. Using the “Data and Settings Export Wizard”, it is possible to collect the email database from the application and use it to find evidence on the machine for forensics. The complete story of Incredimail mailbox forensic analysis revolves around extracting the emails as well as the email headers in a readable form. Once this is achieved, the forensic analysis becomes as easy as cutting a piece of cake.

SQLite DB Viewers to Restore Incredimail Messages

When DB File is Corrupt:

The free SQLite DB Browser offers a convenient way to read and analyze DB files on both Windows and Mac operating systems. It exposes the physical database structure, which shows how the DB is laid out on disk. The sqlite_master view provides details about the objects that are saved in the database.

If the .db file is corrupt or inconsistent, there are SQLite viewers available that can help read the DB file and save the database into another database format, such as MS Access, for further investigation.

What Data is Deleted from DB:

Data deleted from a SQLite database holds the possibility of partial (if not complete) recovery by analyzing the binary dump of the raw database file. Doing this manually is not practical, as the SQLite records are gone from the table once they are deleted. The hard fact is also that when data is deleted from SQLite, its metadata is overwritten, so some of the information cannot be restored:

- SQLite uses B-trees to store the database and traverse through it. Restoring data from the binary file means the pointers are lost and the respective regions are marked as free space. If use of SQLite continues, that free space may be overwritten and contain garbage data instead.

Note:

  1. If the VACUUM command is run against the database, recovery of deleted data is impossible. The reason is that this command rebuilds the database. When data is deleted, it leaves behind free space or pages, which are reclaimed by the OS only when the database is rebuilt.

  2. If SQLite is compiled with the SQLITE_SECURE_DELETE option, deletion directly replaces the content with zeros. In this case too, it is impossible to get back deleted SQLite data.
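The following script is an added illustration of the points above and of the sqlite_master check; it is not code from the original post or from MailXaminer. It builds a constructed stand-in for messagestore.db, deletes rows, and then shows what a raw-bytes scan still finds before VACUUM, after VACUUM, and when secure_delete is on (the run-time PRAGMA behind the SQLITE_SECURE_DELETE compile option). The table name and marker string are assumptions made for the demo.

```python
import contextlib
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed marker used as the subject of the row we delete (not from any real mailbox).
MARKER = "DELETED-ROW-MARKER-7f3a9c"

def build_sample_db(path, secure_delete=False):
    """Stand-in for messagestore.db: 100 rows inserted, then rows 10..90 deleted."""
    with contextlib.closing(sqlite3.connect(path)) as con:
        # Must be set before any write; emulates a build with SQLITE_SECURE_DELETE.
        con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
        rows = [(i, MARKER if i == 50 else "subject %d" % i, "x" * 900) for i in range(1, 101)]
        con.executemany("INSERT INTO messages VALUES (?, ?, ?)", rows)
        con.commit()
        con.execute("DELETE FROM messages WHERE id BETWEEN 10 AND 90")
        con.commit()

def open_readonly(path):
    # Read-only URI open, so examining the evidence file cannot modify it.
    return contextlib.closing(sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True))

def list_objects(path):
    """What sqlite_master reports: each table/index with its CREATE statement."""
    with open_readonly(path) as con:
        return con.execute("SELECT type, name, sql FROM sqlite_master").fetchall()

def freelist_pages(path):
    """Pages released by DELETE but not yet reclaimed: the region a carver can still read."""
    with open_readonly(path) as con:
        return con.execute("PRAGMA freelist_count").fetchone()[0]

def marker_in_raw_file(path):
    """The 'binary dump' check: is the deleted subject still present in the file bytes?"""
    with open(path, "rb") as f:
        return MARKER.encode() in f.read()

def run_demo():
    """Runs the three scenarios from the post and returns the observations."""
    workdir = tempfile.mkdtemp()
    plain = os.path.join(workdir, "messagestore.db")
    build_sample_db(plain)
    result = {"has_messages_table": any(t == "table" and n == "messages" for t, n, _ in list_objects(plain)),
              "free_pages_after_delete": freelist_pages(plain),
              "marker_after_delete": marker_in_raw_file(plain)}
    with contextlib.closing(sqlite3.connect(plain)) as con:
        con.execute("VACUUM")  # rebuilds the file; free pages and their stale content are gone
    result["free_pages_after_vacuum"] = freelist_pages(plain)
    result["marker_after_vacuum"] = marker_in_raw_file(plain)
    secure = os.path.join(workdir, "secure.db")
    build_sample_db(secure, secure_delete=True)
    result["marker_with_secure_delete"] = marker_in_raw_file(secure)
    return result
```

Running `run_demo()` shows free pages and the deleted subject surviving after a plain DELETE, both vanishing after VACUUM, and the subject never surviving when secure_delete is on, which is why an examiner should copy the .db file before any tool opens it for writing.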

Where is Incredimail Email Header?

To view the header of an email, double-click on it. A window will open; click on “File” and choose “Properties”.

Click on the “Details” tab and the entire header of the email will be shown.

[Screenshot: message header in the Details tab]

Conclusion: Email file analysis is one of the finest techniques for Incredimail forensics. It can be supported by tools like MailXaminer, which assist Incredimail mailbox forensics through investigation of IMM files. Using this, the complete set of emails available within the IMM files can be investigated and examined.