Spicebird Email Forensics – Search for Evidence

Creative Team | July 9th, 2016 | Forensics
In today’s world, the computer technology is playing an important role in everyone’s life. Since its usage is increasing therefore, the computer crimes are also increasing day-by-day like unauthorized intrusion, intellectual theft, financial fraud, etc. To stabilize all these computer-based crimes, Computer Forensics plays a major role. It involves the analysis of digital information for the usage of resolving criminal or administrative cases.
Most of the proofs are gathered from the emails, which are stored on the user’s hard drive. In the field of computer forensics, mainly email services are used as the source of evidence that is mainly in MBOX file format. MBOX supports various email applications such as Thunderbird, Opera Mail, Entourage, etc. One such desktop-based email application is Spicebird. In this article, we will illustrate the possible solution and way to analyze the Spicebird Emails for finding Evidences. The goal of an email investigator is to find the crime that was committed. There exists various evidence, which helps investigators to acquire the dot and nail the criminal.

Analysis of Spicebird

The Forensics of local mailbox plays a major role in investigation. Many forensic searches are performed in a way to examine the crime execution, the specialist make analysis of it. Spicebird was a freeware email application that manages all the information.

Data storage in Spicebird

The storage of data in Spicebird are namely as MBOX. The MBOX includes UNIX mailbox format, which stores various mails in one file. The default location for the storage of Spicebird data in the system:


As all the messages are saved in ImapMail folder, then all the subfolders like trash, spam, drafts, all mails and their .msf files of Gmail account, exist inside the Gmail.sbd. The files with no file extension are the MBOX files however; MSF files represent the inbox of MBOX file. It is also known as Mail summary file. Even one can also store the Inbox and Inbox.msf file in ImapMail folder. However, if emails are imported from any other email application, then it gets store in local folder as mentioned:

Here the email messages are saved in MBOX file format along with its respective indexes saved in MSF.

Requirement for Spicebird Investigation

Spicebird is an open source email application with all the necessary features. As it is free to utilize so, it is used worldwide. Therefore, the requirement for forensics has come forward as an issue of concern. Forensic investigation for Spicebird email application is useful getting the necessary proofs, which are important in finding the real criminals.
However, in a manner of doing investigation it is important for a researcher to have all the mandatory information. For this, a deep level of knowledge about Spicebird is required for an investigator. However, an investigator faces various challenges such as:
  • Email Deletion: Many times, after committing a crime, user generally deletes an email data. However, emails are kept in junk folder can be easily revived but serval times; it is also deleted from junk folder. It creates problem as well as challenge for an investigator to get back the lost data to have accurate results.
  • Detailed Research: The investigators need to have a detailed research on Spicebird email application. For this, they need a reliable email viewer to view the data to analyze each aspect of data such as attachments, body, header, etc.
To overcome with all the challenges which are faced by an investigator there is an application namely, MailXaminer. It allows the investigator to analyze the Spicebird data even without email client installation. It has user-friendly graphical interface that makes easy for users to preview the data in all vectors.


Spicebird Email Forensics is a way to investigate the any illegal activity carried out involving the application as the object or subject of the act. One can utilize MailXaminer for the purpose of email investigation in a scenario like this, as the tool is a standalone and enables examination of email data of Spicebird without the need of having the client configured on the respective machine.