
Postbox Email Forensics

Creative Team | January 7th, 2015 | Forensics

Postbox is a paid, professional email client available for both Mac and Windows. The features it provides are unparalleled and worth the cost. It was not only the first email client to deliver Conversation views; it also introduced several other features, such as thread-powered tagging, Document & Image searching, and Quick Replies. Postbox has advanced the email field with its social networking integration, fast access to favorite accounts, Gmail label support, Dropbox support, and much more. Besides working offline as a desktop email client, it offers unique performance and service. The sections below cover the forensic aspects of the Postbox application: where and how to find email storage, the important files, and the security options provided.

Postbox – Storage & Portability

Postbox saves its data in a specific location that depends on the operating system and version. A “Postbox” folder is created, which contains other folders such as “Crash Reports” and “Profiles”. Email data is saved in the “ImapMail” folder under Profiles.

Location on Windows Versions:

Windows XP:

Documents and Settings\<Windows User Name>\Application Data\Postbox

Here, the Application Data folder is hidden on XP. To make it visible, go to the Windows Explorer window>>Tools>>Folder Options>>View>>Show hidden files and folders.

Windows 7/Vista:

Users\username\AppData\Roaming\Postbox

Here, the AppData folder is hidden. To make it visible, go to the Windows Explorer window>>Organize>>Folder and Search Options>>Folder Options>>View>>Show hidden files and folders.


Storage Files:

The folder you are looking for can belong to:

  • Local Folder
  • Global Inbox

Both of these can be found in the Mail/Local Folders directory in the profile. As mentioned before, email storage is done in the “imap.googlemail.com” folder under the Profiles folder. The folders are stored as MBOX files, which are text files: the Inbox folder is saved as “INBOX”, and other folders are likewise saved under their own names.

For each mail folder, two files can be seen. For example, for the Inbox folder, “INBOX” and “INBOX.msf” are created. The actual mail folder is the file without the .msf extension. The MSF (Mail Summary File) file is merely an index to the mail file. When performing an investigation or importing the file, it is the MBOX file without the .msf extension that matters, since it holds the email data.

The file can be read in a text editor; it contains the raw messages, including all the headers and strings of characters. “prefs.js” or the “Mail” subdirectory can be checked to confirm that the profile is the one you are looking for. The importance of the prefs.js file is illustrated in detail in the section below.

*.sbd subdirectories are used to create a folder hierarchy. Thus, a Local Folders\1\2\xyz folder would be stored as a “xyz.” mbox file at Mail\Local Folders\1.sbd\2.sbd\3.sbd. An empty xyz.sbd subdirectory will also be created so that a child folder can be added later.
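An added example (not from the original article) of the file pairing described above: it walks an account directory, pairs each .msf index with its extensionless MBOX file, resolves .sbd directories into folder paths, and hashes each mail file in a read-only pass. The folder names and sample tree are constructed, and the layout assumes a child folder's MBOX file sits inside its parent's .sbd directory, as in Thunderbird.

```python
import hashlib
import tempfile
from pathlib import Path

def logical_name(mbox, account_root):
    """Map the on-disk path 'A.sbd/B.sbd/C' to the client-side folder path 'A/B/C'."""
    parts = mbox.relative_to(account_root).parts
    return "/".join([p.removesuffix(".sbd") for p in parts[:-1]] + [parts[-1]])

def scan_mbox(mbox):
    """Return (SHA-256, message count) from a single read-only pass over the file."""
    digest, count = hashlib.sha256(), 0
    with mbox.open("rb") as fh:
        for line in fh:
            digest.update(line)
            count += line.startswith(b"From ")  # mbox message separator line
    return digest.hexdigest(), count

def inventory(account_root):
    """One row per .msf index; the mail itself is the sibling file without .msf."""
    rows = []
    for msf in sorted(account_root.rglob("*.msf")):
        mbox = msf.with_suffix("")
        row = {"folder": logical_name(mbox, account_root),
               "mbox_present": mbox.is_file(), "sha256": None, "messages": 0}
        if row["mbox_present"]:
            row["sha256"], row["messages"] = scan_mbox(mbox)
        rows.append(row)
    return rows

def build_sample(root):
    """Constructed sample tree (hypothetical folder names), not real evidence."""
    acct = root / "Mail" / "Local Folders"
    nested = acct / "Cases.sbd" / "2014.sbd"
    nested.mkdir(parents=True)
    msg = b"From - Wed Jan 07 10:00:00 2015\nSubject: test\n\nbody\n\n"
    (acct / "INBOX").write_bytes(msg * 2)
    (nested / "Invoices").write_bytes(msg)
    # Drafts has an index but no mail file, so its row reports mbox_present=False
    for index in (acct / "INBOX.msf", nested / "Invoices.msf", acct / "Drafts.msf"):
        index.write_bytes(b"")
    return acct

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in inventory(build_sample(Path(tmp))):
            print(row)
```

Run it against a copy of the profile rather than the original, and record the hashes before opening any MBOX file in another tool.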

Portability to Another Machine

All Postbox mail and settings are stored in the location mentioned above. The settings and setup can easily be duplicated on another machine for further investigation by copying the whole folder.


Importance of prefs.js File

The prefs.js file is also stored in the Profile folder. It is part of all Mozilla-based applications, such as Postbox, Thunderbird, Firefox, Mozilla Suite, and SeaMonkey, and is used to store settings. Information such as the account name for which the application has been configured, the server settings, and other details is saved in this file. Most importantly, prefs.js records the settings that have been changed from their default values. It must be remembered that prefs.js does not contain the original settings; it comprises only the changes made to them.


The prefs.js file is also a plain text file and can be opened in a text editor. It is recommended not to make any changes to this file, as doing so might corrupt the entire profile.
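An added example (not code from the original article or from Postbox) that reads prefs.js as plain text and lists each configured account with its server and connection-security setting. The pref names and socketType codes are Thunderbird's and are assumed to apply to Postbox; the sample content is constructed.

```python
import json
import re

# Constructed sample in the user_pref() line format; not taken from a real profile.
SAMPLE = r'''# Mozilla User Preferences
user_pref("mail.account.account1.identities", "id1");
user_pref("mail.account.account1.server", "server1");
user_pref("mail.account.account2.server", "server2");
user_pref("mail.identity.id1.useremail", "analyst@example.com");
user_pref("mail.server.server1.hostname", "imap.googlemail.com");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server2.type", "none");
'''
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)+)",\s*(.+?)\);\s*$')
# Thunderbird's socketType codes, assumed here to be unchanged in Postbox.
# prefs.js records only changed values, so a missing key (None) means the default.
SOCKET_TYPES = {None: "default (not in prefs.js)", 0: "None", 2: "STARTTLS", 3: "SSL/TLS"}

def parse_prefs(text):
    """Return {pref name: value} for every well-formed user_pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:  # comments, blank lines and damaged entries are skipped
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except json.JSONDecodeError:
                prefs[m.group(1)] = m.group(2)  # keep unparsable values as raw text
    return prefs

def accounts(prefs):
    """Join each mail.account.* entry to its server and first identity."""
    out = []
    for key, server in sorted(prefs.items()):
        m = re.fullmatch(r"mail\.account\.(account\d+)\.server", key)
        if m:
            base = f"mail.server.{server}."
            ids = str(prefs.get(f"mail.account.{m.group(1)}.identities", ""))
            sock = prefs.get(base + "socketType")
            out.append({
                "account": m.group(1), "type": prefs.get(base + "type"),
                "hostname": prefs.get(base + "hostname"),
                "email": prefs.get(f"mail.identity.{ids.split(',')[0]}.useremail"),
                "security": SOCKET_TYPES.get(sock, f"unknown ({sock})"),
            })
    return out

if __name__ == "__main__":
    print(accounts(parse_prefs(SAMPLE)))
```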


Profile Not Available: Corruption Issue

What if the machine is not showing the profile? Mozilla-based email applications have this issue: if a default name is used for the profile, the application starts a new wizard instead of opening the configured account. The same can happen with Postbox. It may happen simply because Postbox has lost track of your profile and hence shows a fresh wizard.

There is also the possibility that the prefs.js file is corrupted, or that changes have been made purposely to hide information or email data. Investigators must know that the email data and address books are still available, but the application refuses to index them and display them in the interface. To investigate such profiles, the accounts have to be recreated or the data has to be collected from a backup (if available). Also check whether there is another prefs.js file, such as prefs-1.js.

Postbox first checks the profiles.ini file to find the profiles on the system. If only one profile is configured and it is unrecoverable, the profiles.ini file can be deleted and a new profile re-created, following the instructions carefully. This automatically generates a new profiles.ini, and the profile will display data.


Postbox – Security & Encryption

Postbox provides three options for connection security:

  • None
  • SSL/TLS
  • STARTTLS

So the application is secured with prominent protocols. Banking sites and online stores that handle payments use SSL (Secure Sockets Layer). SSL and TLS are both used to encrypt the communication channel between systems (server and computer). STARTTLS is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS. Investigators need to understand these types of security and encryption in order to forensically analyze Postbox email headers and other related evidence artifacts.

Conclusion: Once the evidence has been collected using the approach described above, it is processed through third-party programs such as MailXaminer for closer examination. This is necessary to examine emails in bulk and to reach the parts that manual procedures cannot. Email applications like Postbox are less widely used, and hence very decisive tools are required for their investigation.