Over the past years, digital communication has become the most common way for users to interact. E-mail has revolutionized both personal and professional communication by providing ease of use and faster delivery. Along with this, crimes committed within electronic or digital domains have risen drastically. This has increased the demand for email data investigation that can effectively search for, locate and preserve evidence in a presentable form. In this blog, we discuss one such email client, Mulberry Mail, and a possible approach to extracting evidence through Mulberry Mail forensics.
Mulberry Mail is an open-source, freely available desktop email client that was developed by Cyrusoft for Apple Macintosh. Later it supported both Windows and Linux. The client can be used with email servers supporting IMAP, POP3, SMTP and others, providing a platform for messaging, contact and calendar management. Because it is free of cost, there is a high chance of criminals using Mulberry Mail to distribute obscene images and hyperlinks to pornographic websites, spread critical information or plan a criminal act in the near future. Some criminals believe that once an email has been deleted from the email client, it cannot be restored. However, with advances in the field of digital investigation, it has become quite simple to restore emails and search for information that can be presented as effective evidence.
While studying Mulberry Mail, it was observed that the default storage location of email messages on a Windows system is the path below:
“C:\Documents and Settings\Administrator\Application Data\Cyrusoft\Mulberry\Mailboxes”
All email messages are stored in separate user mailboxes, with one file with the .mbx extension created for each folder. This data is similar to the MBOX file type. Hence, the MBX files associated with a Mulberry account can be renamed with the MBOX file extension before proceeding with further investigation.
Email forensic investigation involves stages such as email acquisition, which ensures that an exact copy of the data is created and not modified, in-depth analysis to extract evidence, and report presentation. However, issues arise when investigators need to work with the complicated search and email management of Mulberry Mail. Another challenge is non-effective spam filtering, where spam mails are not filtered from the user’s mailbox, and the client comes with a not-so-friendly user interface. For these reasons, investigation teams often find it difficult to extract information from emails exchanged using the Mulberry email client.
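The acquisition and rename steps described above, as an added example that is not from the original post or from MailXaminer: it hashes a .mbx file, makes a read-only working copy with the .mbox extension, verifies that neither file changed, and searches the copy with Python's standard mailbox module. The sample mailbox, the file name INBOX.mbx and the function names are constructed for illustration.

```python
import contextlib, hashlib, mailbox, shutil, tempfile
from pathlib import Path

SAMPLE_MBX = (  # constructed two-message sample standing in for one .mbx folder file
    b"From alice@example.com Mon Jan  1 10:00:00 2024\n"
    b"From: alice@example.com\nTo: bob@example.com\nSubject: Lunch\n"
    b"Date: Mon, 01 Jan 2024 10:00:00 +0000\n\nSee you at noon.\n\n"
    b"From bob@example.com Mon Jan  1 11:00:00 2024\n"
    b"From: bob@example.com\nTo: alice@example.com\nSubject: Invoice 42\n"
    b"Date: Mon, 01 Jan 2024 11:00:00 +0000\n\nPlease wire the payment today.\n"
)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):  # 1 MiB chunks
            h.update(chunk)
    return h.hexdigest()

def acquire(mbx_path, case_dir):
    """Copy a .mbx file into case_dir under a .mbox name; return (copy, sha256)."""
    src = Path(mbx_path)
    digest = sha256_file(src)                    # hash the original before touching it
    dst = Path(case_dir) / (src.stem + ".mbox")  # the rename applies to the copy only
    shutil.copyfile(src, dst)
    dst.chmod(0o444)                             # working copy is read-only
    if sha256_file(dst) != digest or sha256_file(src) != digest:
        raise RuntimeError(f"hash mismatch while acquiring {src}")
    return dst, digest

def search(mbox_path, keyword):
    """Return (index, From, Date, Subject) for messages whose text contains keyword."""
    hits = []
    with contextlib.closing(mailbox.mbox(str(mbox_path), create=False)) as box:
        for i, msg in enumerate(box):
            text = [str(msg["Subject"] or "")]
            for part in msg.walk():              # decode every text/* part
                if part.get_content_maintype() == "text":
                    raw = part.get_payload(decode=True) or b""
                    text.append(raw.decode("utf-8", "replace"))
            if keyword.lower() in "\n".join(text).lower():
                hits.append((i, msg["From"], msg["Date"], msg["Subject"]))
    return hits

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "INBOX.mbx"            # constructed file name
        src.write_bytes(SAMPLE_MBX)
        copy, digest = acquire(src, tmp)
        return copy.name, digest, search(copy, "payment")
```

Recording the returned digest alongside the case notes lets the working copy be re-verified against the original at any later stage.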
While carrying out any email forensics, it is necessary to be able to search for and locate information that is helpful from a forensic standpoint. After studying the Mulberry Mail client, it was observed that it does not provide an effective search mechanism. For this reason, email data present in the Mulberry Mail client cannot be analyzed properly. Investigators need a solution that provides a robust search option, which is why MailXaminer is the best way to carry out Mulberry Mail forensics. The advanced algorithms supported by the tool are commendable, as it incorporates a unique capability to analyze email artifacts. It further allows all search results to be saved for future reference. This not only saves investigators' time but also gives them more time to analyze data and get to the evidence as early as possible.
After examining the Mulberry Mail client, it was found that analyzing Mulberry email data on its own is not an easy task due to its poor search mechanism. To overcome the investigative challenges related to email clients like Mulberry Mail, forensic teams need to focus more on developing advanced techniques for effective extraction of evidence. MailXaminer is one example of a tool for efficacious forensic investigation of several email clients; it comes as a stand-alone application that does not require external support for parsing email data.