KMail Forensics – Linux Email Client Insights

Creative Team | October 20th, 2014 | Forensics

Learn how to recover evidence from the KMail email client on Linux and Ubuntu distributions.

Kmail is the default email client of the KDE desktop environment for Linux, BSD, and other Unix-like systems, and it provides a full-featured GUI for composing, sending, and receiving email messages. Kmail is part of the KDE “Personal Information Management” suite called Kontact. Kontact bundles many components, including Kmail, an address book (KAddressBook), a calendar, task organizer and scheduler (KOrganizer), and a note writer (KNotes). Kmail offers built-in support for GPG keys, so users can sign and encrypt their email securely and easily.

Kmail: Its Concept and Storage Type

Kmail was developed to work in the KDE desktop environment. However, it can also be installed individually from the Ubuntu Software Center so that it runs on the GNOME environment as well. Kmail supports the Internet Message Access Protocol (IMAP), the Post Office Protocol (POP3), and the Simple Mail Transfer Protocol (SMTP), and users can create as many accounts as they need for any of these protocols. It has an anti-spam system and supports HTML email, OpenPGP, MIME, and S/MIME email formats.

Kmail can save messages in two formats:

Kmail stores messages in either Mbox or MailDir format. Mbox saves all messages of a folder in a single file, and sub-folders are simulated by means of separate files.

Whereas in the MailDir format every message is stored in its own uniquely named file inside the respective folder directory, so individual messages can be easily identified and processed further. Kmail uses the MailDir format by default, but this format is not supported by many other email programs.

Investigating Kmail Emails

From an investigative standpoint, email has emerged as the most important application on the Internet for communicating messages, delivering documents, and carrying out transactions, but cyber criminals continue to misuse it for illegitimate purposes. As discussed above, Kmail can save all its messages in either Mbox or MailDir format. If an investigator receives a Kmail message store, e.g., an Mbox file, they can analyze the suspect email artifacts with an email forensic tool instead of configuring the mail client.
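To illustrate the two storage layouts described above and how a store can be read without configuring Kmail, the following Python script is an added example (not code from the original article or from the KMail project). It uses only the standard-library `mailbox` module to build a small Mbox file and a MailDir tree from constructed sample messages (the addresses and contents are hypothetical), detects which layout a given path uses, and produces a per-message record with key headers and a SHA-256 of the raw message bytes so the output can be tied back to the source store.

```python
"""Read Kmail-style mail stores in both Mbox and MailDir layout without the
mail client, using only the Python standard library."""
import hashlib
import mailbox
import os
import tempfile
from email.utils import parsedate_to_datetime

# Constructed sample messages (hypothetical addresses; not real evidence).
SAMPLE_MESSAGES = [
    "From: alice@example.test\nTo: bob@example.test\n"
    "Subject: Invoice 42\nDate: Mon, 20 Oct 2014 09:15:00 +0000\n"
    "Message-ID: <m1@example.test>\n\nPlease find the invoice attached.\n",
    "From: bob@example.test\nTo: alice@example.test\n"
    "Subject: Re: Invoice 42\nDate: Mon, 20 Oct 2014 10:02:00 +0000\n"
    "Message-ID: <m2@example.test>\n\nReceived, thanks.\n",
    "From: carol@example.test\nTo: bob@example.test\n"
    "Subject: Meeting\nDate: Sun, 19 Oct 2014 18:30:00 +0000\n"
    "Message-ID: <m3@example.test>\n\nSee you tomorrow.\n",
]


def build_sample_stores(root):
    """Write the sample messages into one Mbox file and one MailDir tree
    under root. Returns (mbox_path, maildir_path)."""
    mbox_path = os.path.join(root, "inbox.mbox")
    maildir_path = os.path.join(root, "inbox.maildir")
    mb = mailbox.mbox(mbox_path)
    md = mailbox.Maildir(maildir_path, create=True)
    for raw in SAMPLE_MESSAGES:
        mb.add(raw)  # Mbox: appended to the single file behind a "From " line
        md.add(raw)  # MailDir: one uniquely named file per message under new/
    mb.close()
    md.close()
    return mbox_path, maildir_path


def detect_format(path):
    """MailDir is a directory holding cur/, new/ and tmp/; Mbox is one file."""
    if os.path.isdir(path) and all(
        os.path.isdir(os.path.join(path, sub)) for sub in ("cur", "new", "tmp")
    ):
        return "maildir"
    if os.path.isfile(path):
        return "mbox"
    raise ValueError(f"unrecognised mail store: {path}")


def summarize_store(path):
    """Return one record per message (selected headers plus SHA-256 of the
    raw bytes). Records are sorted by Date so that Mbox and MailDir yield
    the same timeline: MailDir has no inherent message ordering."""
    fmt = detect_format(path)
    box = (mailbox.Maildir(path, create=False) if fmt == "maildir"
           else mailbox.mbox(path))
    records = []
    try:
        for key in box.keys():
            msg = box[key]
            raw = box.get_bytes(key)
            records.append({
                "format": fmt,
                "message_id": msg.get("Message-ID"),
                "from": msg.get("From"),
                "to": msg.get("To"),
                "subject": msg.get("Subject"),
                "date": parsedate_to_datetime(msg.get("Date")),
                "sha256": hashlib.sha256(raw).hexdigest(),
            })
    finally:
        box.close()
    records.sort(key=lambda r: r["date"])
    return records


def demo():
    """Build both stores in a scratch directory and summarize each.
    Returns (mbox_records, maildir_records)."""
    with tempfile.TemporaryDirectory() as root:
        mbox_path, maildir_path = build_sample_stores(root)
        return summarize_store(mbox_path), summarize_store(maildir_path)


if __name__ == "__main__":
    for records in demo():
        for rec in records:
            print(rec["format"], rec["date"].isoformat(), rec["from"], "->",
                  rec["to"], repr(rec["subject"]), rec["sha256"][:12])
```

Run the script directly to print the same three-message timeline from each store. In a real examination the functions would be pointed at a copied Kmail folder (for example an exported Mbox file or a MailDir directory) rather than at the constructed sample, and the stored hashes would be recorded alongside the extracted headers.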

Conclusion: In order to view a Kmail mailbox and read its contents, investigators can use the freeware MBOX viewer tool. However, MailXaminer can take the investigation further by allowing investigators to examine the file and its emails forensically and carve out evidence.