Getting Started with Opera Mailbox Forensics For Windows

Creative Team | April 27th, 2015 | Forensics

Opera Software, the successful provider of Opera Web Browser extends its efficient services through an email and news client which is known as Opera Mail. From its version 1 to 12, this mail client was an integrated part of the browser but from the year 2013, this mail client was separately made available for Windows and OS X. Simplified interface, emailing facility, spam filtering, contacts management, and support to mail protocol standards, i.e. POP3 and IMAP is what makes it a choice of users.


Starting with Opera mailbox forensics, the mailbox database of Opera Mail is indexed in a file and the messages are automatically sorted in the default views (Unread, Received, Pinned, Outbox, Sent, Drafts, Spam, and Individual Labels).


The subscribed emails of the application gets saved into the “Mailing Lists” view. The emails will be directly saved into this view when the subject header will have following specifications:

  • X-Mailing-List
  • List-ID
  • List-Post
  • Mailing-List

Opera MBS File Forensics

Attachments filtering is another unique feature of Opera Mail that is hard to find in other mail applications. The message attachments are automatically categorized by the application as:

·         Documents

·         Images

·         Music

·         Video

·         Archives



The option to follow a particular contact defined priority of the account holder. If a contact is followed, all the emails received from him will get saved into the “Followed Contacts” view of the application. img6

How Does Opera Mail Saves the Mailbox? | Opera Mailbox Forensics

The email data of Opera Mail gets saved into .mbs file which saves single message along with its attachment. The folder saving the MBS files get stored at Drive>> Users>> Username>> AppData>> Local>> Opera Mail>> Mail>> Store>> Account


The MBS is the mailbox file which is similar to the MBOX file. However, there is a difference in the fact that MBOX file stores messages of a folder while the MBS file saves individual mails. For the forensic analysis of the Opera mail one has to dig into these MBS files. Such files can be opened and viewed with freeware applications like MBOX Viewer that shows message with its properties and attachments.

Spam Filtering in Opera Mail:

Opera Mail uses Bayesian statistics to detect if an email is spam or not. In this case, the spam filter verifies the emails that is received day by day. This might include the domain in email address, website link, the name of company etc. These phrases help the spam filter to know which mail to trust or which to distrust. The Bayesian filter keeps a track of unread or deleted mails and use this analysis to filter spam in future. The frequency of deleted mails helps to define a rule for incoming mail filtering.

If the received email is marked as spam, the application will block the images and attachments. Only when the user permits the application to load the images, it can be opened and viewed.

Opera MBS File Forensics

Although this proves helpful in Opera MBS file forensics, but it is not an effective way to filter spam as it works on trial and hit method.

How to Investigate an MBS Email – Opera MBS File Forensics?

Analyzing the Header: The header of an MBS file store routing information of the message. Along with this, fields of email header like SPF, Domain-Key Signature, Return-path, Message ID etc. gives hint about authenticity of the email.

Checking the Hop: Hop of an email gives an estimation about number of servers that the message have crossed while it’s traversal to the receiver. The IP address of a domain can help to analyze if a proxy server has been used in between to forge the email header.

Verifying the HTML Source: The HTML source of the email gives a clue about what tactics have been used by the suspect to get information from the victim. This generally helps in identity theft cases.

The Opera mailbox forensics investigation process if accompanied by email analysis tool, it can lead to quick collection of litigation friendly evidences. Within a single interface, the preservation and analysis phase of ediscovery can be executed with accomplished results.