Sunday 8 March 2009

Yahoo mailbox

An MLAT request brought CD-R to my door recently. The OIC informed me that the CD contained a Yahoo mailbox but wanted my help because he could not read them. I found that the CD contained a tar.gz file.

Once this archive was unpacked I saw it contained two very large text files. These files were generic Mbox files. The next problem was how to view the contents. I found that Apple Mail would happily import Mbox files (File/Import Mailboxes) however I live in a mainly windows world so needed a Windows method for the OIC to preview the emails.

Thunderbird came to mind, however although this program uses the mbox format for its mailboxes it does not offer an easy way to import them. I did track down an extension to Thunderbird that provided this functionality but it only worked on one of my two mbox files. I also found that Opera 9 would also import my mbox files.


The problem with both Thunderbird and Opera is that the boxes available to the OIC in this case, and our customers in general, mostly do not have these programs installed. Ideally a way of getting the email messages into Outlook Express would be the best bet. The solution to this is provided by using the Mid Michigan Computer Forensics Group's M2CFG Yahoo! Email/Text Parser. This program parses out the email messages into .eml files which can be dragged into Outlook Express (and a number of other Email clients).

As it turned out the two mboxes I had extracted for the OIC were so full of emails with attachments that it was too complicated for him to process efficiently. So they came back to me to investigate. I added the mbox text files into Encase v6.12.1 and searched for email with the mbox option selected which resulted in Encase parsing out the emails and attachments very well. Reporting them was another matter!


5 comments:

Anonymous said...

I can recommend Intella for viewing and reporting on these mailboxes.

geegaw said...

If you've got a Linux box, you could run the "dovecot" imap server. Then just configure it so that it knows that mail files are stored in mbox format. Something like this in /etc/dovecot.conf will do:

mail_location = mbox:~/mail:INBOX=/var/mail/%u

Then, make sure that the dovecot service is eanbled, and the firewall will allow access the imap port (143) and restart the service.

After that, copy your mbox files into the ~user/mail directory.

Once all that is in place, you can start up any email client that has imap capabilities, such as MS Outlook and read the mail boxes.

For Outlook 2003, you'll need to mark all the messages for download, then send/receive, to make sure that the full messages end up in your local PST file.

You can also export a folder to a PST file, thus converting from mbox format to PST.

Alex said...

If so,I recommend to use unbeaten tool in my view,because program is reliable and has many facilitites-recover pst outlook file,also software can fix problems with your mailbox and restore its normal operation,restore your mailbox and extract all critical information from these files,will work under all versions of Windows operating system, from Windows 98 to Windows Vista,ecovering pst files from Microsoft Outlook does not modify the source file during recovery process, you may try any other recovery service,yet recovering .pst files and Outlook pst file recover for the first time.

Mike said...

I want a tool which can convert ost to pst, i have a tool for pst repair
Repair outlook pst file tool
to repair pst file. I have deleted my email, but still i recover all my emails, www.repair-outlook-pst-file.com. Now i have problem with ost, please tell a tool to convert ost to pst.

Alex said...

Today I saw on good software which works with mails-convert ost.I tried it and I was surprised,because tool helped to recover some of my old,but important mails.Moreover utility showed how it repair your data and convert it to *.pst format, that can be easily opened by any email client.