Zimbra Server Forensics

MailXaminer | December 9th, 2015 | Forensics

To examine the stored messages in MSG File format of Zimbra Server, first, we have to understand the Zimbra Server throughly. Zimbra Server manages complete data like mailbox contents, messages, contacts, calendars, etc. It is supported on Linux operating system only. The MTA Server receives the messages and passes them through a set of created filters. The messages are then finally deposited to the correct mailbox. It is available in both open-source and commercial versions. In the commercial versions, closed-source components like MAPI connector are made available. The MAPI connector enables the user to synchronize Outlook contact and calendar with Zimbra Server.

Zimbra Server can be installed in both single-Server as well as multi-Server environments. When installed in single-user environment, all the services associated with the Server are stored on different disk partitions. However, in multi-Server installation, the LDAP and MTA services are installed on separate Servers.

Mailbox Server Volumes

There are multiple volumes for mailbox Server:

  • Message Store

The mailbox messages are stored at the location opt/zimbra/store.

  • Data Store

The data store is in the form of SQL database and gets stored in MySQL database files. The storage location of the data store is opt/zimbra/db.

  • Index Store

The index files belonging to it are stored at the location opt/zimbra/index.

  • Backup Store

The Zimbra Server stores its full and incremental backup at the location opt/zimbra/log.

  • Log Files

All the components of Zimbra Server have a log file associated with it. They are stored at the location opt/zimbra/log.

It is advised to store the log files and the backup files on different locations of the disk in order to minimize the possibility of data loss due to disk failure.

Default Database Format of Zimbra Server

The database of Zimbra Server mailbox is stored in MSG file. As shown in the above section, the default location of the files is opt/zimbra/store. For each mailbox message, a MSG file is created in Zimbra Server. This is similar to Outlook, where for every single message an EML file is created.

Zimbra Server Email Forensic Analysis via MailXaminer

Mailxaminer is a professional forensics utility and enables to perform a complete analysis of Zimbra Server MSG files . In order to perform a complete and effectual Zimbra Server forensics, deploying professional application is more beneficial as compared to the manual analysis. One such efficacious tool for performing the analysis on Zimbra Server is MailXaminer.

The users can perform the Zimbra Server database analysis with the help of below mentioned procedure:

  • Install and run MailXaminer.
  • Click on File option and create a New Case
  • Click on Scan File option to scan Zimbra database.

Zimbra Server Forensics

  • From the list of files, select Zimbra Server (*.msg)

file

  • Select Browse option for selecting file.

Zimbra Server Database Analysis

  • During Zimbra Server forensics, select the Custodian name by selecting Add New option.

add-file

  • Enter the name and select Add option.

click-add

  • Once the custodian name is changed, select Add option.

select-custodian

  • The software will show the scanning status of Zimbra Server database analysis.

Zimbra Server Forensics

  • Click on View option to view the complete MSG file forensics.
  • The complete root structure of the case will be shown in the left pane.

mail

  • All the emails residing in the file will be visible on the left pane.

view

Note: While conducting Zimbra Server forensics the software offers multiple options for scrutinizing Zimbra Server database in an elaborate manner. The user can make use of Bookmark option to mark the last analyzed mail. in addition to this the user can also tag the mails with different names and can also mark the messages as privilege.

  • Click on Export option to export the data.

export

  • Select PDF option for exporting the emails in PDF format.

Zimbra Server Database Analysis

  • The software offers many features while exporting like Naming Conventions for naming the output PDF files. Other options are also available for customizing the output PDF files. Select the Folder that you want to export.

Click on OK to proceed.

naming-convention

  • The export process status will be visible.

Zimbra Server Forensics

  • Once the export process is finished, a complete report will be generated.

report

Once the above process is finished, the Zimbra Server files will be exported successfully.

 Forensics Analysisof Zimbra Server MSG files can be done efficiently with the assistance of MailXaminer. The different features embedded in the software facilitate perfect analysis of the Zimbra Server file.