Apple Mail MBOX Format – Forensic Requirements Explored

Mariah | October 12th, 2015 | Forensics

Apple Mail, also known as Mail.app, is the default email reader provided with Mac OS X. It is called an email reader because it technically lets you read emails that exist on a cloud/web server. It is a desktop-based application that lets you read those emails locally on your Mac. Apple Mail is a fully capable application for exchanging email, with support for both the POP3 and IMAP protocols, and its advanced filter lets the end user receive the desired copy of emails. Being a local email client, the application has a default repository, located in a directory named 'Mail' under the Library folder of the active user account on the machine.

Email Repository: Apple Mail MBOX Format

MBOX format files, also popularly known as mailbox files, were the default email repository of Apple Mail (Mail.app). They were stored at the location described above. An MBOX file is a simple (flat) text-based file that stores the collection of emails belonging to one email folder in the application. All emails of a folder were stored together in a single mailbox file, divided by separators, with each new message appended to the end.

However, since the release of Mac OS 10.4 and above versions, Apple Mail changed the way it stores emails as part of its upgrade. The practice of appending messages to an MBOX file ended, and individual email storage began.

EMLX files were introduced as a replacement for MBOX files in order to store an individual copy of every message within an email folder. This changed the storage structure to Library>Mail>MBOX>EMLX.

Reading Between The Lines: Apple Mail MBOX Format Forensics

Because Apple Mail is a desktop application for reading emails locally, it leaves footprints on the system hard drive of any and all activities carried out by the user, especially those related to the exchange of emails. These footprints were previously left in the form of an MBOX file.

Digital attacks have risen for both Windows and Mac users. However, MBOX format files come with the following conditions for processing:

  • An MBOX file is flexible enough to be read by a number of local mail programs, such as Mozilla Thunderbird (a cross-platform application) or Mac Mail (a Mac-based application). However, the file is still dependent on such an application, which must be installed and configured first, eliminating the scope for instant access.
  • On the other hand, text editors end this dependency for mailbox files by offering a view of the messages appended within. However, the corresponding attachments still cannot be viewed or accessed.

Therefore, using an external program becomes even more essential for the examination of an Apple Mail MBOX format file. Some of the benefits that a dedicated forensics application offers include:

  1. Offers Standalone Data Processing: MBOX files require either an email platform or a text editor to be viewed. Therefore, using a standalone application helps streamline the investigation.
  2. Dedicated Email Examination: An email consists of multiple parts, including both the header and the message body. Text editors do not make attachments readable, so with them investigators can perform only a partial email examination.
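The point about headers, body and attachments can be seen with Python's standard `mailbox` module, which reads an MBOX file without a configured mail client and decodes the attachments a text editor shows only as encoded text. This is an added example, not part of the original article or of any tool it mentions; the sample message, addresses and file names are constructed, and the function names are hypothetical.

```python
import hashlib
import mailbox
import os
import tempfile
from email.message import EmailMessage

SAMPLE_ATTACHMENT = b"constructed attachment bytes"  # constructed sample data

def build_sample_mbox(path):
    """Write a constructed one-message mbox with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "Quarterly report"
    msg["Date"] = "Mon, 12 Oct 2015 09:30:00 +0000"
    msg.set_content("Report attached.")
    msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    box = mailbox.mbox(path)
    box.add(msg)
    box.close()  # close() flushes the appended message to disk

def inventory(path):
    """Return one record per message: key headers plus each attachment's
    filename, decoded size and SHA-256. Run it on a working copy of the evidence."""
    records = []
    box = mailbox.mbox(path, create=False)  # never create a missing file
    try:
        for msg in box:
            attachments = []
            for part in msg.walk():
                name = part.get_filename()
                if name is None:
                    continue  # body part or multipart container, not an attachment
                data = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
                attachments.append({"filename": name, "size": len(data),
                                    "sha256": hashlib.sha256(data).hexdigest()})
            records.append({"from": msg["From"], "subject": msg["Subject"],
                            "date": msg["Date"], "attachments": attachments})
    finally:
        box.close()
    return records

def demo():
    """Build the sample mailbox in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.mbox")
        build_sample_mbox(path)
        return inventory(path)

if __name__ == "__main__":
    for record in demo():
        print(record)
```

Hashing each decoded attachment gives a value that can be recorded in case notes and compared against other evidence sources.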

MBOX Viewer is a standalone application built to read the emails and attachments appended within a mailbox file. The tool is designed to make mails readable along with their attachments, attributes, and associated information, all kept as they are in the messages. As freeware, the tool is a useful forensic aid to keep handy for investigation purposes.