IncrediMail Forensics

Key to Perusing the IncrediMail IMM Mailbox

The Need for IMM Mailbox Forensics

IncrediMail, the first email client of its kind, has taken things up a notch. The reason is that it is free and has a fascinating, eye-catching gallery containing hundreds of animations, background images, 3-D effects, skins, sounds and e-cards. Nonetheless, to activate some of its premium options (such as Backup, VIP support, Amazing Skins and No advertisements), one has to pay.

Since it is an email client used for email communication over a network like any other email application, the same suspicion of vulnerability applies to it, and so the need for IncrediMail forensics arises. This article covers various topics related to the IncrediMail email client, from its data storage particulars to database vulnerabilities and the ins and outs of confronting such subtle issues.


IncrediMail Database & File Location

Like every email client, IncrediMail stores its data (fundamentally emails, contacts, attachments and so on) in files or a database, but it does so quite differently. The IncrediMail email client creates several distinct database files and links them together in a coherent manner.

Let's have a deeper look:

When you configure an email account in the IncrediMail application, it creates its own database and saves emails on the drive. To reach that location, enter the path shown below (it can be pasted into the Explorer address bar) or browse to it manually.

C:\Users\%username%\Appdata\Local\IM\Identities


At this location, the "Identities" folder contains various sub-folders that store the application data, each named with a unique string value. Because our aim in this article is to examine the root email data file only (IMM mailbox forensics), we will not discuss the other data files further.

IMM Forensics

So, to dig out the core data repository where all the emails are saved, we move directly to the "Message Store" folder. This email client works cleverly and creates a separate folder for each attribute. The image below narrows this down further: here you can see the different folders for the diverse email attributes (Attachments, IndexB, IndexH, Messages, Pictures) and, alongside them, a "MessageStore.db" file.

[Image: contents of the Message Store folder]

Noteworthy Fact: MessageStore.db is an SQLite file.

"MessageStore.db" is the most crucial database file: it contains all the header properties of the emails, and through it all the other email attributes are linked to each other.
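Two checks a practitioner wants before touching MessageStore.db are (a) confirming the file really carries the SQLite 3 header and (b) opening it strictly read-only so that no journal or WAL file is ever written next to the evidence. The following script is an added example, not code from the article or from IncrediMail; it assumes nothing about IncrediMail's table layout and instead reads the schema from sqlite_master. The table and column names it creates for the demonstration (sample_messages, subject, sender) are constructed and are not the real MessageStore.db schema.

```python
import os
import pathlib
import sqlite3
import tempfile

# Every SQLite 3 database starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"


def is_sqlite_file(path):
    """Return True if the first 16 bytes of the file carry the SQLite 3 magic header."""
    with open(path, "rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def open_read_only(db_path):
    """Open the database through a file: URI with mode=ro, so the evidence file
    is never written to (no -journal / -wal files are created beside it)."""
    uri = pathlib.Path(db_path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def describe_schema(db_path):
    """Return {table_name: [column_name, ...]} discovered from sqlite_master.
    The layout is read from the file itself; nothing about IncrediMail is assumed."""
    schema = {}
    con = open_read_only(db_path)
    try:
        tables = [row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        for name in tables:
            # PRAGMA table_info rows are (cid, name, type, notnull, dflt_value, pk)
            cols = [row[1] for row in con.execute(f'PRAGMA table_info("{name}")')]
            schema[name] = cols
    finally:
        con.close()
    return schema


def write_attempt_rejected(db_path):
    """Defensive check: a read-only handle must refuse any write."""
    con = open_read_only(db_path)
    try:
        con.execute("CREATE TABLE probe (x INTEGER)")
        return False  # should never get here with mode=ro
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def build_sample_db(path):
    """Create a small stand-in database. Table and column names are CONSTRUCTED
    for this demonstration and are NOT IncrediMail's real schema."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE sample_messages "
                    "(id INTEGER PRIMARY KEY, subject TEXT, sender TEXT)")
        con.execute("INSERT INTO sample_messages (subject, sender) VALUES (?, ?)",
                    ("Constructed test message", "sender@example.invalid"))
    con.close()
    return path


def demo():
    """Build the constructed database in a temp dir, inspect it, return its path."""
    db = build_sample_db(os.path.join(tempfile.mkdtemp(), "MessageStore.db"))
    print("SQLite magic present:", is_sqlite_file(db))
    print("read-only handle rejects writes:", write_attempt_rejected(db))
    for table, cols in describe_schema(db).items():
        print(f"{table}: {', '.join(cols)}")
    return db


if __name__ == "__main__":
    demo()
```

Against a real MessageStore.db you would skip build_sample_db, point describe_schema at a forensic copy of the file, and record the schema output alongside the file's hash before any further analysis.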

Let's move further and look up where the emails actually exist. To do so, open the "Messages" folder and then open any one of the folders with numeric names (1, 2, 3 and so on). Now you will see many folders with untidy-looking string names, and each of these folders holds an IML file, meaning an email.

Noteworthy Fact: In short, IncrediMail saves each email as a file in the IML format.

IML Forensics

We now know that this email client keeps each email separately, with the .iml file extension, in a folder that is usually named with a complicated-looking string value.

Now the question is: what file format is it actually, and how can it be accessed? What if there is a need to delve into these files after a crime scene?

These are common questions that are put fairly often to an email forensic expert. So, before moving ahead, it is important to understand the data file and its structure so that the necessary data can be read and extracted.

Can I Read IML/IMM Mailbox Files with a Forensic Viewer?

Yes. After testing some tools on this file and digging deeper, it has been noted that the data structure of .iml is almost the same as EML. However, users who used IncrediMail (2.0) in the past will also be familiar with the term IMM. The older version of this email client creates an IMM file instead of IML, and that single file contains the entire mailbox. IMM files can be accessed using the SysTools IMM File Viewer.
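Because the article reports that .iml is structurally almost the same as EML, the standard library's RFC 822 parser is enough to pull headers out of each message, and the folder walk it needs is the Messages/<number>/<string>/ layout described under IMM Forensics above. The script below is an added example (not the article's or IncrediMail's code) that builds a constructed Message Store tree, hashes every .iml file before parsing it so the integrity record is taken from the untouched bytes, and then extracts the common headers. The folder names, the message contents and the file name message.iml are all constructed placeholders; real IncrediMail files may carry extra vendor headers that this EML-style parse simply passes through.

```python
import hashlib
import os
import tempfile
from email import policy
from email.parser import BytesParser

# CONSTRUCTED sample message in RFC 822 / EML form (the shape .iml is reported to share).
SAMPLE_IML = (
    b"From: Alice Example <alice@example.invalid>\r\n"
    b"To: Bob Example <bob@example.invalid>\r\n"
    b"Subject: Constructed test message\r\n"
    b"Date: Mon, 01 Jan 2018 10:00:00 +0000\r\n"
    b"Message-ID: <constructed-0001@example.invalid>\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Hello Bob, this body is constructed for the example.\r\n"
)

HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def sha256_bytes(data):
    """Hex SHA-256 of raw bytes; used as the integrity record for each file."""
    return hashlib.sha256(data).hexdigest()


def build_sample_store(root):
    """Lay out a CONSTRUCTED Message Store tree mirroring the folder shape the
    article describes: Messages/<numeric>/<string>/<file>.iml. The folder and
    file names are placeholders, not values from a real installation."""
    msg_dir = os.path.join(root, "Message Store", "Messages", "1", "a1b2c3d4e5")
    os.makedirs(msg_dir)
    with open(os.path.join(msg_dir, "message.iml"), "wb") as fh:
        fh.write(SAMPLE_IML)
    # A stray non-IML file that the walker must ignore.
    with open(os.path.join(msg_dir, "notes.txt"), "wb") as fh:
        fh.write(b"not an email")
    return os.path.join(root, "Message Store")


def parse_iml(path):
    """Hash the raw bytes first, then parse them as an EML message and pull
    the headers of interest (None when a header is absent)."""
    with open(path, "rb") as fh:
        raw = fh.read()
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    record = {"path": path, "size": len(raw), "sha256": sha256_bytes(raw)}
    for name in HEADERS:
        value = msg.get(name)
        record[name.lower()] = str(value).strip() if value is not None else None
    return record


def collect_iml_messages(message_store_root):
    """Walk Messages/ recursively and return one record per .iml file, sorted by path."""
    messages_dir = os.path.join(message_store_root, "Messages")
    records = []
    for dirpath, _dirs, files in os.walk(messages_dir):
        for name in files:
            if name.lower().endswith(".iml"):
                records.append(parse_iml(os.path.join(dirpath, name)))
    return sorted(records, key=lambda r: r["path"])


def demo():
    """Build the constructed store in a temp dir, list its messages, return the records."""
    store = build_sample_store(tempfile.mkdtemp())
    records = collect_iml_messages(store)
    for r in records:
        print(r["sha256"][:16], r["from"], "->", r["to"], "|", r["subject"])
    return records


if __name__ == "__main__":
    demo()
```

On a real case, collect_iml_messages would be pointed at a working copy of the Message Store folder; the sha256 values it records let you show later that the parsed copy still matches the original evidence.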

Conclusion: Remember, though, that as a forensic evangelist you are expected to keep a fresh, untouched copy of the IncrediMail data, so that both copies can be used for follow-up. Subscribe to the upgrade facility of IncrediMail, through which a user can create a backup of his or her database.