Contact Us    Webinars   
Blog

SeaMonkey Email Forensics — Overview

MailXaminer | December 22nd, 2014 | Forensics

SeaMonkey, being an all-in-one Internet application suite containing web browser, email client, HTML editor and IRC client becomes an important target suite for forensic investigation. Moreover, because it is one of the most widely used application all across the globe, many cyber criminals routes to it for giving end results to their ill-fated intents. Hence, the SeaMonkey email forensics analysis is on the rise these days. However, to examine the wrongdoings committed by its use, it is essential to gain a complete know how of SeaMonkey. The entire information includes the technology utilized to build it, the internal working mechanism, the platforms it can function upon, its different releases and how they differ from each other and many more.

But the most important thing that is required to examine it accurately is the comprehension of the file formats that it utilizes. This is because of the fact that file types that store the data items are the key to eDiscovery & investigation and moreover it forms the basis of Intelligent Analysis. Also the file types hardly vary with newer releases and almost remain the same in each version. Only when such information are collected and scrutinized correctly it is likely that the investigators would be able to prove suspects actions against the standards of law. Thereby, finally confirming them guilty hence punished. This means that by the gathering the files of specific type i.e. belonging to SeaMonkey application from the user’s system, SeaMonkey forensics investigation can be carried out factually and conceded in the court of law and morally as well.

Brief Introduction of SeaMonkey

As said above, SeaMonkey as is an all-in-one Internet application suite available free of cost and as an open-source. Its all-in-one concept is an inherited property from the original NetScape Communicator and by this it means that it is a complete package containing web browser, email and news client, HTML editor & IRC Chat. In SeaMonkey, these components are known as SeaMonkey Navigator, SeaMonkey Mail & Newsgroups, SeaMonkey Composer and built-in chat called ChatZilla respectively. Though owned by SeaMonkey Council community now, it was originally developed by non-profit Mozilla Foundation and is a continuation of Mozilla application suite based on the same source code. It is compatible in all the three major operating systems that are Windows, Mac OS X and Linux and it has different system requirements for all the three. It is available in multiple foreign languages and the count is about 26. 2.32 Beta 1 is the latest version of the Internet suite, released on December 16, 2014 available for all three platforms and can be downloaded from the official website: http://www.seamonkey-project.org/. It offers two installation skins that are Standard & Custom wherein the former is suited for all users whereas the latter provides customization option and is best suits high-tech users only. This introduction of SeaMonkey is indeed necessary for Seamonkey mailbox analysis.

  • Operating System & Their Compatible Versions

 

In the table below are given the compatible OS and their versions that are supported by SeaMonkey.

compatible-releases

  • Sea Monkey Suite Components & Their Features

  1. Web Browser – SeaMonkey Browser offers several features such as Sync, Tabbed browsing, session restore, powerful add-ons management capability, unique Data Manager, Lightweight themes, Feed detection, Smart Location Bar, Popup blocker, Find as you type to navigate to different pages, Safe Mode. It also includes features such as advanced security settings, web form auto-completion, download management, themes, toolbar customization, and support for the latest web standards.
  2. Mail & Newsgroups – SeaMonkey Mail & Newsgroups component renders characteristics like Tabbed Mail functionality, Junk mail detection, Tags and Mail Views, support for multiple accounts, Blogs & News Feeds. It also includes characteristics such as S/MIME, Address Books, return receipts, digital signing, LDAP support, message filters, HTML message support, dictionary, IMAP and POP configuration support, customizable labels, add-ons as well as integration with the rest of the suite.
  3. Composer – It is another chief component of SeaMonkey in addition to browser and Mail & News client. It contains simple but powerful HTML editor that keeps on getting better with many more functionalities. It also proposes dynamic image and table resizing, superior CSS support, quick insert and delete of table cells and support for positioned layers. The functionalities built-in are appropriate and technologically advanced enough for website projects and all types of documents too.
  4. . IRC Chat (ChatZilla) – With simple yet powerful IRC client, SeaMonkey provides chat sessions on Internet Relay Chat networks. Many networks and channels are easy to keep track of in a well-familiar tab-type interface. The overall look and feel i.e. interface of the chat can be altered by choosing from several different in-built patterns out of which many be downloaded. Motif’s can even be created by user’s themselves with Cascading Style Sheet (CSS).
  5. Web Development Tools – DOM Inspector and JavaScript Debugger (‘Venkman’) are the two web development tools offered by SeaMonkey.  The former enables users to explore its underlying structure and inspect the document structure of web sites, add-ons and even the SeaMonkey Internet application suite ‘chrome’ itself. It also permits to inspect a large number of properties of any element in the concerned hierarchy, including JavaScript objects and CSS styles. Whereas the latter lets users debug the code of JavaScript on respective web pages, add-ons and in SeaMonkey too with assistance of a complete set of proficient debugging tools.

 

  • SeaMonkey Profile Folder

SeaMonkey stores all the personal information as well as other data. It includes info like passwords, emails, news messages, bookmarks, address books, cookies, installed add-ons and user preferences in a set of folder called profile. The profile folder also holds all information about the alterations made to the home page, changes made to the toolbar, while using the application. This is a useful feature for using the program the next time. Another type of info that the profile stores are contents like history, visited sites and web pages, read/ unread email messages, word(s) entered into search fields, etc.

Note – The storage location of profile folder is separate from the Program Files of SeaMonkey on the machine.

Operations on Profile Folders – A variety of operations can be performed on profiles such as they can be created, managed and deleted. They can even be migrated from Mozilla mail clients like NetScape, SeaMonkey and Thunderbird email program. And they can be relocated as well anywhere on the hard disk of the machine.

Directories in SeaMonkey

In total there exists five different directories in SeaMonkey and they are mentioned in the table below, with short briefing of what type of data or information they contain.

directories

Methods to Analyze SeaMonkey Application

The different way-outs in which SeaMonkey email forensics analysis can be carried out and validated are described here in this section, although the file formats examination remains the chief-most and more significant.

  1. Profile Folder Investigation

Even if SeaMonkey is removed on Windows by Control Panel in the Start Menu, on Linux by removing the SeaMonkey folder or on Mac OS X its data items including emails can be studied and facts retrieved by examining the Profile folder. This is because SeaMonkey 2.0 or any other higher edition that users install, after un-installing SeaMonkey, continues using the data from the profile folder formed originally. Therefore, info like: bookmarks, browsing history, add-ons, email messages, news messages, extensions or other can be gathered from the profile folder and thereby studied in detail to extract important artifacts. The profile folder is located at some default locations depending upon the operating system.

Default ‘Profile’ Location – Each profile in SeaMonkey is saved on system’s hard disk drive in the profile folder which in turn is stored at separate locations depending on the kind of OS.

os-&-its-versions

 

Note – These are the default locations of profile folder by SeaMonkey version 2.0 and newer releases. Edition 1.x does not allocate these locations and utilizes data from an independent location. However, profile folder locations can be altered and managed manually.

  1. Study of SeaMonkey File Formats

SeaMonkey works with the file extensions mentioned below. Moreover, as SeaMonkey is built on Mozilla’s source code many of the file extensions are common with Thunderbird,

  • Default File Extensions – .jsm, .mab, .mar, .moz-backup, .na2, .sbd
  • Common File Formats Used – .do, .download, .htm, .jar, .json, .xhtml, .xpi
  • Other Associated File Types – .ap, .apautoreg, .cache, .cer, .cms, .htm~,  .jspa, .jspx, .maff, .moz, .pht, .rc, .s, .sbstore, .sht, .xht, .zul

 

Some File Formats Explained

  1. MAR file – The .mar file includes Mozilla archive file. It is created by SeaMonkey but cannot be opened directly by it. It can neither be converted into any other file type. This file type is associated with internal data files, temporary files, caches, etc.
  2. Moz-Backup File – It is the Mozilla backup file. SeaMonkey is the default software related to moz-backup file type.
  3. NA2 File – It is the Seamonkey Address Book file. .na2 file contains saved address book with contacts. It was used in the old Netscape Communicator also and for the same purpose.
  4. MAB file .mab is the Mozilla address book file format and is located in profile directory in the .slt folder. SeaMonkey can create this file type, open and edit it as well. However, it cannot be converted into any other format.
  5. SBD File – It is the Mozilla mail subdirectory file and can be also used by SeaMonkey. However, it cannot be opened directly by it or any other software.
  6. JSM File – It is Mozilla Firefox module file and is also used by SeaMonkey application. But it cannot be opened directly by any software not even by SeaMonkey.
  7. Do file – It is Java Servlet file and is basically used for used for creating Web pages dynamic in nature. It is associated with many browsers including that of SeaMonkey. Moreover, the content of the file can edit a JSP web developer whose results can be seen in any common browser.
  8. Download File – It is Mozilla partial download file and is generally associated with web browsers based on Mozilla Gecko web layout. It can neither be opened nor converted directly by any software. Moreover, Mozilla download manager gives .download extension to incomplete download files.
  9. HTM File – It is Hyper Text Markup Language (HTML) web page file. The HTML language render a means to form structured documents by following structural rules for text such as headings, lists, paragraphs, quotes, links and other items. It is the main language for writing web pages. abook.mab – Personal address book.

 

  • Some More File Formats Briefed

Some important SeaMonkey file formats are mentioned in the table below. These files can be extracted and their stored data can be examined by forensic investigators. The below given file types, serve as important means for SeaMonkey forensics and collection of evidences to be proved in the court of law.

file-types

Conclusion – 

In this way, by studying the files, SeaMonkey forensics analysis can be done by forensic investigators. They can be studied either manually or by using any external and professional e-discovery and email header analysis tool. One utility for extracting artifacts from suspected emails is MailXaminer – trusted email forensics software. Even other third party software utilities can be brought in use as well.