Sunday, 8 March 2009

Yahoo mailbox

An MLAT request brought a CD-R to my door recently. The OIC informed me that the CD contained a Yahoo mailbox but wanted my help because he could not read it. I found that the CD contained a tar.gz file.

Once this archive was unpacked I saw it contained two very large text files. These files were generic mbox files. The next problem was how to view the contents. I found that Apple Mail would happily import mbox files (File/Import Mailboxes); however, I live in a mainly Windows world, so I needed a Windows method for the OIC to preview the emails.

Thunderbird came to mind; however, although this program uses the mbox format for its mailboxes, it does not offer an easy way to import them. I did track down an extension to Thunderbird that provided this functionality, but it only worked on one of my two mbox files. I also found that Opera 9 would import my mbox files.

The problem with both Thunderbird and Opera is that the boxes available to the OIC in this case, and our customers in general, mostly do not have these programs installed. Ideally, a way of getting the email messages into Outlook Express would be the best bet. The solution to this is provided by the Mid Michigan Computer Forensics Group's M2CFG Yahoo! Email/Text Parser. This program parses out the email messages into .eml files, which can be dragged into Outlook Express (and a number of other email clients).

As it turned out, the two mboxes I had extracted for the OIC were so full of emails with attachments that it was too complicated for him to process efficiently. So they came back to me to investigate. I added the mbox text files into EnCase v6.12.1 and searched for email with the mbox option selected, which resulted in EnCase parsing out the emails and attachments very well. Reporting them was another matter!
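
For readers without those tools, the same mbox-to-.eml split plus a simple report index can be sketched with Python's standard library. This is an added example, not the M2CFG parser or anything used in the case above; the sample mailbox, the output file names and the CSV columns are assumptions made for illustration, and it should be run against a working copy of the mbox rather than the original exhibit.

```python
import csv, hashlib, mailbox, tempfile
from email import policy
from email.parser import BytesParser
from pathlib import Path
# Constructed two-message sample, not data from the case described above.
SAMPLE_MBOX = (
    b"From alice@example.com Sun Mar  8 10:00:00 2009\n"
    b"From: alice@example.com\nTo: bob@example.com\nSubject: First\n"
    b"Date: Sun, 8 Mar 2009 10:00:00 +0000\n\nPlain body.\n\n"
    b"From bob@example.com Sun Mar  8 11:00:00 2009\n"
    b"From: bob@example.com\nTo: alice@example.com\nSubject: With file\n"
    b'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="XX"\n\n'
    b"--XX\nContent-Type: text/plain\n\nSee attached.\n"
    b"--XX\nContent-Type: application/octet-stream\n"
    b'Content-Disposition: attachment; filename="notes.bin"\n'
    b"Content-Transfer-Encoding: base64\n\naGVsbG8=\n--XX--\n"
)
FIELDS = ["file", "sha256", "from", "date", "subject", "attachments"]

def mbox_to_eml(mbox_path, out_dir):
    """Write each message to NNNNNN.eml plus index.csv; return the index rows."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    rows = []
    # create=False: raise if the path is missing rather than creating an empty mbox.
    box = mailbox.mbox(str(mbox_path), create=False)
    try:
        for n, key in enumerate(box.iterkeys(), 1):
            raw = box.get_bytes(key)  # message without its "From " separator line
            msg = BytesParser(policy=policy.default).parsebytes(raw)
            names = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
            name = f"{n:06d}.eml"
            (out / name).write_bytes(raw)
            rows.append(dict(zip(FIELDS, [
                name, hashlib.sha256(raw).hexdigest(), str(msg["From"] or ""),
                str(msg["Date"] or ""), str(msg["Subject"] or ""), "; ".join(names)])))
    finally:
        box.close()
    with open(out / "index.csv", "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows

def demo():
    """Run the splitter over the constructed sample in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample.mbox").write_bytes(SAMPLE_MBOX)
        return mbox_to_eml(Path(tmp) / "sample.mbox", Path(tmp) / "eml")
```

The per-message SHA-256 in index.csv lets each exported .eml be tied back to the bytes taken from the mbox, and the attachments column gives a quick view of which messages carry files.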


Mitch Impey said...

I can recommend Intella for viewing and reporting on these mailboxes.

geegaw said...

If you've got a Linux box, you could run the "dovecot" imap server. Then just configure it so that it knows that mail files are stored in mbox format. Something like this in /etc/dovecot.conf will do:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Then, make sure that the dovecot service is enabled, and the firewall will allow access to the imap port (143) and restart the service.

After that, copy your mbox files into the ~user/mail directory.

Once all that is in place, you can start up any email client that has imap capabilities, such as MS Outlook and read the mail boxes.

For Outlook 2003, you'll need to mark all the messages for download, then send/receive, to make sure that the full messages end up in your local PST file.

You can also export a folder to a PST file, thus converting from mbox format to PST.

