Mailbird Forensics for Finding Evidences in Email

Creative Team | May 12th, 2016 | Forensics

Mailbird is a desktop-based email client that lets users access their email and also connect it with social networks such as Facebook, Google Plus, and WhatsApp. The first version of Mailbird was released to the public on January 27, 2014. It was named best free email client for Windows in 2014 and 2015 by IT World. It offers features such as Email Snooze, Video Meetings, Speed Reader, and connectivity with social networks.


Figure 1: Mailbird Email Client Version 2.0

Users can use their social network contacts to communicate instantly with anyone they want to reach. Mailbird is an easy-to-use email client with a rich user interface and the freedom to work with any email server. The Mailbird interface is shown in Figure 1.

Mailbird Forensics Examination

Mailbird has been gaining popularity in the market, having received awards for three consecutive years since 2013, a period that includes the beta version released before the public launch. For this reason, many users are migrating to Mailbird from other email clients such as Outlook and Mozilla Thunderbird. However, alongside its new features and functionality, this email client has some disadvantages; for example, it has no export feature.

As the number of Mailbird users grows, so does the likelihood of targeted cyber-crimes. It is the job of investigation teams to examine any email client involved in a cyber-crime offence, which is why Mailbird must be investigated for artifacts. The question that arises is how to gain access to the Mailbird emails stored on the local computer. Finding the stored mail and mail folders is the most important step in producing evidence against a suspect, and this is only useful when every piece of evidence is correct and in an orderly format. The next section discusses how to analyze evidence in the Mailbird email client.

How to Analyze Mailbird Email Client

Finding evidence in an email client is important, interesting, and difficult, because clients store data in a variety of file formats. There are many ways to locate information on a local computer and present it as evidence. Every tool applies its own search techniques, but no single tool supports searching for every kind of information. Each tool has its own limits: some can search only text, some text and images, and some text, images, and video. The search therefore depends on the type of evidence sought.

To search for evidence in Mailbird, it is necessary to know where mail is stored on the local computer. Mailbird supports many email services (Gmail, Hotmail, Outlook, Yahoo, and any other provider offering IMAP or POP3), so the examination of Mailbird can be carried out with regard to the email service in use. The investigator needs to know the location of the Mailbird user data. Mailbird stores emails and other items in a user data location inside the User folder on Windows, and it creates a separate storage folder for each user who accesses Mailbird on the same machine.

To proceed with the investigation, it is necessary to know the user data location. Mailbird stores all user data locally on the client's computer; Figure 2 shows this location. Inside the Mailbird folder there are three different folders and three files. When searching for information in the Mailbird user data, the forensics team needs to look inside the Store folder, which is where the actual data is kept.

User Data Location

For Windows 7/8/8.1/10
C:\Users\admin\AppData\Local\Mailbird


Figure 2: User Data Location


Figure 3: Mailbird Store

As Figure 3 shows, there are two different folders, A and MessageIndex, and three different files, but for forensic purposes the main focus is the Store.db file. All attachments are stored in the A folder, all email headers are stored in the MessageIndex folder, and the Store.db file holds all message text. If a forensic investigator wants to take the data from one machine and open it in Mailbird on their own machine, they have to copy the Mailbird folder in its entirety and paste it at the same location on the machine where they want to search the data for evidence.

Problem While Copying Mailbird User Account Data

As discussed above, all user data is present inside the Mailbird folder, but within that folder each part is separated into its own subfolder. Simply copying the Mailbird folder and opening the data on another machine is therefore not a good idea for Mailbird forensics, because user data may be corrupted when copied that way. It is recommended instead to save the Mailbird folder in Tgz format (also called Tar Zipped format) and then copy that .tgz file before starting the investigation.
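The following script is an added example, not code from Mailbird or any forensic product, showing one way to preserve a Mailbird folder as the recommended .tgz while recording a SHA-256 manifest so the investigator can later show the copy was not altered. It assumes the folder layout described above (Store\A, Store\MessageIndex, Store\Store.db) and builds a constructed sample tree in a temporary directory so it runs offline.

```python
# Added example (not Mailbird's or MailXaminer's code): preserve a Mailbird
# user-data folder as a .tgz and keep a SHA-256 manifest to show it was not
# altered. Assumes the layout described above (Store/A, Store/MessageIndex,
# Store/Store.db); a constructed sample tree stands in for a real folder.
import hashlib
import tarfile
import tempfile
from pathlib import Path

def hash_tree(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in Path(root).rglob("*") if p.is_file()}

def archive_mailbird(src_dir, out_tgz):
    """Hash every file first, then tar+gzip the folder whole (the .tgz step)."""
    manifest = hash_tree(src_dir)
    with tarfile.open(out_tgz, "w:gz") as tar:
        tar.add(str(src_dir), arcname="Mailbird")
    return manifest

def verify_archive(tgz_path, manifest):
    """Re-hash each member straight from the archive; True only if all match."""
    seen = {}
    with tarfile.open(tgz_path, "r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile():  # skip directory entries; drop the 'Mailbird/' prefix
                seen[m.name.split("/", 1)[1]] = hashlib.sha256(
                    tar.extractfile(m).read()).hexdigest()
    return seen == manifest

def build_sample_store(root):
    """Constructed stand-in for a live Mailbird folder (sample bytes, not mail)."""
    for rel, data in {"Store/A/sample.txt": b"attachment bytes",
                      "Store/MessageIndex/1.idx": b"header index",
                      "Store/Store.db": b"message text"}.items():
        path = Path(root, *rel.split("/"))
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)

def demo():
    """Build the sample folder, archive it, verify; returns (paths, verified)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work, "Mailbird")
        build_sample_store(src)
        tgz = str(Path(work, "evidence.tgz"))
        manifest = archive_mailbird(src, tgz)
        return sorted(manifest), verify_archive(tgz, manifest)
```

On a real case, point archive_mailbird at the Mailbird folder under the user's AppData\Local path and store the returned manifest with the .tgz; verify_archive then confirms every file in the archive still matches before analysis begins.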

Conclusion

Mailbird is a new and rising email client, and in the event of a cyber security incident a forensic team can investigate its user data for evidence. The user data should be saved in .tgz format to avoid corruption, and the investigation can then be carried out with a third-party tool such as MailXaminer, which provides multiple facilities to help with email-related forensic investigation of Mailbird.