Postbox Email Forensics: Investigate Postbox Email Mailbox Effectively
The Postbox email client is a paid, professional client available for both Mac and Windows. It was the first email client to deliver conversation views, and it introduced other features such as thread-powered tagging, document and image search, and Quick Replies.
Postbox also added social networking integration, fast access to favourite accounts, Gmail label support, Dropbox support, and more. It is a desktop client, so it works offline. The sections below cover the forensic aspects of the Postbox application: where and how to find the email storage, which files matter, and what connection security it provides.
Postbox – Storage & Portability
Postbox stores its data in a location that depends on the operating system and version. A “Postbox” folder is created that holds subfolders such as “Crash Reports” and “Profiles”. Within a profile, mail for IMAP accounts is saved under the “ImapMail” folder, while POP and local mail are saved under “Mail”.
Location on Windows Versions:
Windows XP:
Documents and Settings\<Windows User Name>\Application Data\Postbox
Here the Application Data folder is hidden on XP; to make it visible go to the Windows Explorer window>>Tools>>Folder Options>>View>>Show hidden files and folders.
Windows 7/Vista:
Users\username\AppData\Roaming\Postbox
Here the AppData folder is hidden; to make it visible go to the Windows Explorer window>>Organize>>Folder and Search Options>>View>>Show hidden files and folders.
Storage Files:
The folder you are looking for can be one of:
- Local Folder
- Global Inbox
Both are found in the Mail/Local Folders directory of the profile. IMAP mail, as mentioned above, is stored under ImapMail in a folder named after the server, for example “imap.googlemail.com” for a Gmail account. Each mail folder is stored as an MBOX file, which is plain text; as the image shows, the Inbox folder is saved as “INBOX”, and the other folders are saved under their own names in the same way.
For each mail folder two files can be seen. For the inbox, for example, “INBOX” and “INBOX.msf” are created. The actual mail folder is the file without the .msf extension. The .msf (Mail Summary File) is merely an index of the mail file: it holds cached header summaries and flags, no message bodies, and the client regenerates it when it is missing. When investigating or importing, the MBOX file without the .msf extension is the one that holds the email data.
The file can be read with a text editor and contains the raw messages, including all headers and bodies. “prefs.js” or the “Mail” subdirectory can be checked to confirm that the profile is the one you were looking for. The importance of the prefs.js file is explained in detail in the section below.
*.sbd subdirectories are used to create the folder hierarchy. Thus a Local Folders\1\2\xyz folder is stored as the mbox file “xyz” at Mail\Local Folders\1.sbd\2.sbd\xyz, and an empty xyz.sbd subdirectory is created alongside it so that child folders can be added later.
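The following script is an added example, not code from the original page or from Postbox: it walks a profile laid out as described above, skips the .msf indexes, reconstructs the logical folder names from the .sbd hierarchy, hashes each mbox file before touching it, and counts the messages in each with Python's standard mailbox module. The profile tree, the host name imap.googlemail.com and the message contents are constructed inline for the demonstration.

```python
import hashlib
import mailbox
import tempfile
from pathlib import Path

# Constructed sample mbox content for demonstration; not real evidence.
# Mozilla-family clients separate messages with "From - <date>" lines, and
# mailbox.mbox splits on any line beginning with "From ".
SAMPLE_MBOX = (
    "From - Mon Jan 01 09:00:00 2018\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: quarterly numbers\n"
    "Message-ID: <a1@example.com>\n"
    "Date: Mon, 01 Jan 2018 09:00:00 +0000\n"
    "\n"
    "Attached are the numbers.\n"
    "\n"
    "From - Tue Jan 02 10:00:00 2018\n"
    "From: carol@example.com\n"
    "To: bob@example.com\n"
    "Subject: re: quarterly numbers\n"
    "Message-ID: <b2@example.com>\n"
    "Date: Tue, 02 Jan 2018 10:00:00 +0000\n"
    "\n"
    "Looks fine.\n"
)


def build_sample_profile(root: Path) -> Path:
    """Lay out a constructed profile tree mirroring the Postbox layout described above."""
    local = root / "Mail" / "Local Folders"
    (local / "Projects.sbd").mkdir(parents=True)
    (local / "INBOX").write_text(SAMPLE_MBOX)
    (local / "INBOX.msf").write_text("// summary index, carries no mail\n")
    (local / "Projects").write_text("")                   # parent folder, no messages
    (local / "Projects.sbd" / "Alpha").write_text(SAMPLE_MBOX.split("From - Tue")[0])
    imap = root / "ImapMail" / "imap.googlemail.com"      # one IMAP account (assumed host)
    imap.mkdir(parents=True)
    (imap / "INBOX").write_text(SAMPLE_MBOX)
    (imap / "INBOX.msf").write_text("// summary index, carries no mail\n")
    return root


def folder_name(profile: Path, mbox_path: Path) -> str:
    """Map ImapMail/host/A.sbd/B (or Mail/Local Folders/A.sbd/B) to host/A/B."""
    rel = mbox_path.relative_to(profile)
    parts = [p[:-4] if p.endswith(".sbd") else p for p in rel.parts[1:]]
    return "/".join(parts)


def find_mboxes(profile: Path):
    """Yield candidate mbox files under Mail/ and ImapMail/, skipping .msf indexes
    and the few non-mail files (.dat/.json) these directories also carry."""
    for top in ("Mail", "ImapMail"):
        base = profile / top
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if path.is_file() and path.suffix not in (".msf", ".dat", ".json"):
                yield path


def inventory(profile: Path):
    """Return one (folder, sha256, message_count, subjects) row per mbox file.
    Hash first so the file's state is recorded before anything parses it."""
    rows = []
    for path in find_mboxes(profile):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        # mailbox.mbox opens the file read-write; run this on a working copy,
        # never on the original evidence.
        box = mailbox.mbox(str(path), create=False)
        subjects = [msg["Subject"] for msg in box]
        box.close()
        rows.append((folder_name(profile, path), digest, len(subjects), subjects))
    return rows


def demo():
    """Build the constructed profile in a scratch directory and inventory it."""
    root = build_sample_profile(Path(tempfile.mkdtemp(prefix="postbox-")))
    return inventory(root)


if __name__ == "__main__":
    for folder, digest, count, subjects in demo():
        print(f"{folder:35} {count:2d} msg(s) sha256={digest[:16]}...  {subjects}")
```

Point the functions at a copied profile directory instead of the constructed one to inventory real data; the empty “Projects” mbox beside its Projects.sbd directory is the parent-folder case described above, and the .msf files are never opened.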
Portability to Another Machine
All Postbox mail and settings are stored in the location mentioned above, so the whole folder can be copied to another machine for further investigation and the setup replicated there. Take hashes of the files before and after copying so the working copy can be shown to match the original.
Importance of prefs.js File
The prefs.js file is also stored in the profile folder. It is part of all Mozilla-based applications, such as Postbox, Thunderbird, Firefox, the Mozilla Suite and SeaMonkey, and is used to store settings. Information such as the account names the application has been configured with, the server settings and related details is saved in this file. The key point is that prefs.js stores only the settings that were changed from their defaults; it does not contain the original default settings.
prefs.js is a plain text file and can be opened in a text editor. Do not make changes to it, as that can corrupt the entire profile; note also that the application rewrites prefs.js when it exits, so a profile should only ever be opened in Postbox itself from a working copy.
Profile Not Available: Corruption Issue
What if the machine does not show the profile? Mozilla-based email applications can start a new setup wizard instead of opening the configured account when they lose track of the profile, and the same can happen with Postbox.
There is also the possibility that the prefs.js file is corrupted, or that changes have been made deliberately to hide information or email data. Investigators should know that the email data and address books are still on disk in that case; the application simply refuses to index and display them. To investigate such profiles, the accounts have to be recreated or the data collected from a backup (if available). Also check whether another copy of the file, such as prefs-1.js, exists beside prefs.js.
Postbox first reads the profiles.ini file to locate the profiles on the system. If only one profile is configured and it cannot be recovered, profiles.ini can be deleted and a new profile recreated by following the setup instructions carefully. This generates a new profiles.ini, and the profile will display its data. Do this only on a working copy of the Postbox folder, never on the original evidence.
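As an added example (not code from the original page or from Postbox), the script below does the profile-location checks described in this section: it parses profiles.ini to resolve each registered profile directory, reports whether that directory actually exists, looks for directories under Profiles/ that hold a prefs.js but are no longer referenced (the “lost track of the profile” case), and lists any prefs-N.js copies beside prefs.js. The profiles.ini content, profile names and paths are constructed for the demonstration; the key names Path, IsRelative and Default and the rule that IsRelative=1 is relative to the directory holding profiles.ini are the ones the Mozilla profile format uses.

```python
import configparser
import tempfile
from pathlib import Path

# Constructed profiles.ini for demonstration; profile names and paths are invented.
SAMPLE_PROFILES_INI = """[General]
StartWithLastProfile=1

[Profile0]
Name=default
IsRelative=1
Path=Profiles/k3x9q2wz.default
Default=1

[Profile1]
Name=archive
IsRelative=0
Path=/mnt/evidence/old-postbox-profile
"""


def registered_profiles(postbox_dir: Path):
    """Resolve every profile listed in profiles.ini.
    Returns (name, directory, is_default, directory_exists) tuples; an empty
    list means profiles.ini is missing, which is the 'fresh wizard' symptom."""
    ini = postbox_dir / "profiles.ini"
    if not ini.is_file():
        return []
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep key case: Path, IsRelative, Default
    cp.read_string(ini.read_text())
    found = []
    for section in cp.sections():
        raw_path = cp.get(section, "Path", fallback="")
        if not section.startswith("Profile") or not raw_path:
            continue
        # IsRelative=1 means relative to the directory holding profiles.ini
        relative = cp.get(section, "IsRelative", fallback="1") == "1"
        directory = (postbox_dir / raw_path) if relative else Path(raw_path)
        found.append((
            cp.get(section, "Name", fallback=section),
            directory,
            cp.get(section, "Default", fallback="0") == "1",
            directory.is_dir(),
        ))
    return found


def orphaned_profiles(postbox_dir: Path, registered):
    """Directories under Profiles/ that hold a prefs.js but are not referenced by
    profiles.ini: the data a client that has lost track of its profile leaves behind."""
    known = {directory.resolve() for _, directory, _, _ in registered}
    root = postbox_dir / "Profiles"
    if not root.is_dir():
        return []
    return sorted(d for d in root.iterdir()
                  if d.is_dir() and (d / "prefs.js").is_file() and d.resolve() not in known)


def prefs_files(profile_dir: Path):
    """prefs.js plus any prefs-N.js copies lying beside it (names only)."""
    return sorted(p.name for p in profile_dir.glob("prefs*.js"))


def build_sample_tree(postbox_dir: Path) -> Path:
    """Constructed Postbox directory: one registered profile, one orphan with a prefs-1.js."""
    (postbox_dir / "profiles.ini").write_text(SAMPLE_PROFILES_INI)
    registered = postbox_dir / "Profiles" / "k3x9q2wz.default"
    orphan = postbox_dir / "Profiles" / "zz77aa00.lost"
    for d in (registered, orphan):
        d.mkdir(parents=True)
        (d / "prefs.js").write_text('user_pref("mail.accountmanager.accounts", "account1");\n')
    (orphan / "prefs-1.js").write_text("// earlier copy of prefs.js\n")
    return postbox_dir


def demo():
    """Run the checks against the constructed tree and return the findings."""
    postbox_dir = build_sample_tree(Path(tempfile.mkdtemp(prefix="postbox-")))
    registered = registered_profiles(postbox_dir)
    orphans = orphaned_profiles(postbox_dir, registered)
    return {
        "registered": registered,
        "orphaned": orphans,
        "backups": {d.name: prefs_files(d) for d in orphans},
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

An orphaned directory is the place to look before recreating anything: its mbox files and address books are intact even though the client no longer lists the profile, and a prefs-N.js beside prefs.js may preserve the account settings that the current prefs.js has lost.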
Postbox – Security & Encryption
The Postbox email application provides three options for connection security:
- None
- SSL/TLS
- STARTTLS
So the application is secured with well-established protocols. Banking sites and online stores handling payments use TLS (historically SSL) for the same purpose: SSL and TLS encrypt the communication channel between the client and the server. The SSL/TLS option connects over TLS from the start on a dedicated port (for example 993 for IMAP), while STARTTLS begins as a plaintext connection on the standard port and upgrades it to TLS; with the None option, credentials and mail travel in clear text.
Investigators need to understand these settings to forensically analyze Postbox email headers and the related evidence artifacts. MailXaminer is an email forensic tool that can examine this evidence, and Postbox is one of the wide range of email clients it supports.
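The script below is an added example (not code from the original page or from Postbox) that ties the prefs.js section to the security options above: it parses the user_pref("key", value); lines of a prefs.js file, groups the mail.server.serverN.* settings per account, and reports each server's host, user, port and connection security. The prefs.js excerpt, account names and hosts are constructed for the demonstration. The mapping of the socketType value to None / STARTTLS / SSL/TLS is the one Thunderbird uses; applying it to Postbox is an assumption, as is treating a missing socketType as the plaintext default.

```python
import ast
import re
from collections import defaultdict

# Constructed prefs.js excerpt for demonstration; accounts, hosts and values are invented.
# Real files carry one user_pref(...) line per setting changed from its default.
SAMPLE_PREFS_JS = r"""// Mozilla User Preferences
user_pref("mail.accountmanager.accounts", "account1,account2");
user_pref("mail.account.account1.server", "server1");
user_pref("mail.account.account1.identities", "id1");
user_pref("mail.account.account2.server", "server2");
user_pref("mail.identity.id1.useremail", "bob@example.com");
user_pref("mail.server.server1.hostname", "imap.googlemail.com");
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.userName", "bob@example.com");
user_pref("mail.server.server1.port", 993);
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.hostname", "pop.example.net");
user_pref("mail.server.server2.name", "Old \"POP\" box");
user_pref("mail.server.server2.type", "pop3");
user_pref("mail.server.server2.userName", "bob");
user_pref("mail.server.server2.port", 110);
user_pref("mail.server.server2.socketType", 0);
user_pref("mail.server.server2.login_at_startup", true);
"""

USER_PREF = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')
SERVER_KEY = re.compile(r"^mail\.server\.(server\d+)\.(.+)$")

# Assumed mapping of socketType to the None / STARTTLS / SSL/TLS options above;
# these are the values Thunderbird uses (1 is a legacy "STARTTLS if available").
SOCKET_TYPES = {0: "None", 1: "STARTTLS (opportunistic)", 2: "STARTTLS", 3: "SSL/TLS"}


def parse_prefs(text: str) -> dict:
    """Parse user_pref("key", value); lines into a dict. Comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF.match(line)
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw.startswith('"'):
            value = ast.literal_eval(raw)     # JS string literal; its escapes are Python-compatible
        elif raw in ("true", "false"):
            value = raw == "true"
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw                   # leave anything unexpected as text
        prefs[key] = value
    return prefs


def account_summary(prefs: dict) -> list:
    """Group mail.server.serverN.* keys per server and decode the connection security."""
    servers = defaultdict(dict)
    for key, value in prefs.items():
        m = SERVER_KEY.match(key)
        if m:
            servers[m.group(1)][m.group(2)] = value
    rows = []
    for sid in sorted(servers):
        s = servers[sid]
        sock = s.get("socketType", 0)         # absent key: default applies (assumed plaintext)
        rows.append({
            "server": sid,
            "type": s.get("type"),
            "host": s.get("hostname"),
            "user": s.get("userName"),
            "port": s.get("port"),
            "security": SOCKET_TYPES.get(sock, f"unknown({sock})"),
        })
    return rows


def plaintext_servers(rows: list) -> list:
    """Servers configured with no transport security: credentials and mail crossed the wire in clear."""
    return [r for r in rows if r["security"] == "None"]


if __name__ == "__main__":
    summary = account_summary(parse_prefs(SAMPLE_PREFS_JS))
    for r in summary:
        print(f'{r["server"]}: {r["type"]} {r["user"]}@{r["host"]}:{r["port"]} [{r["security"]}]')
    print("plaintext:", [r["server"] for r in plaintext_servers(summary)])
```

Read a real prefs.js into parse_prefs to get the same summary; a server flagged by plaintext_servers is one whose credentials and messages could have been captured in transit, which matters when weighing network evidence against the mailbox contents.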
Conclusion: Once the evidence has been collected following the steps above, it is processed with third-party programs like MailXaminer to examine it in depth. This is necessary to interrogate emails in bulk and reach the parts that manual procedures cannot. Email applications like Postbox are less widely used, and hence capable tools are required for their investigation.