Introduction to Kerio Mail client
Given the extensive use of email in business enterprises, it is fairly common to meet situations where a company suspects it has received illegal messages from hackers. In such cases the company turns to law enforcement agencies, who may come and ask for log details that will help them act against the criminal activity. There is no single way to accomplish this with a Kerio Connect server; system administrators have more pressing things to do, and digging through the log files manually would obviously take a long time.
To deal with such situations, law enforcement agencies take the assistance of forensic investigators, but when there is no defined way to bring forward the appropriate evidence, the investigators are left frustrated. Still, there are options for bringing the culpable evidence before the law so that the defendant can be punished. Here we will see how to extract and view evidence from Kerio Connect messages. First, let us get a deeper understanding of this email application before looking at its forensic aspects.
Kerio Connect is a commercial email application and groupware server produced by Kerio Technologies. It is a complete, robust platform that also claims to speed up work. One of its most noted aspects is the ability to connect and collaborate with any device while constantly synchronising data, thereby removing the barriers of office boundaries and allowing email to be accessed through an iPhone. Due to its capabilities, Kerio has officially been named the "Office Workhouse". Users can share calendars, contacts and messages irrespective of platform.
Now we can turn to the forensic aspects. To carve out evidence forensically, one must first know where Kerio stores its data and in what form.
Forensic investigation of Kerio
The mail folder storage path of Kerio Connect is as follows:
All the data is saved in the following location:
The store directory is located at the following path:
Forensic importance of STORE.FDB
Firebird (FDB) is an open-source SQL RDBMS used by professionals and supported on a number of platforms, including Windows, Linux and a variety of UNIX operating systems. All contacts, email messages and calendars are cached in a database file known as STORE.FDB, which is located in a folder within the user profile. Kerio uses this database for installations that do not contain much data. In a way, forensic investigators can treat these files like Exchange Server mailbox files.
Kerio Connect stores emails as separate files in system directories, where each directory corresponds to an email folder. All messages belonging to the INBOX can be found in the directory called "inbox", for example _STORE_/mail/DOMAIN/USER/INBOX/#msgs. Similarly, sent mail is kept in a system directory known as "Sent Items". It can also be seen that numerous indexes are built around those messages.
The directory store/mail/domain.ltd/#public/ presumably refers to the shared users' (public) folders.
Tracing messages by carefully reading email headers
The message ID, located in the message header, is a unique identifier assigned to each message by the email server. By correlating the message ID with the server logs, an investigator can easily work out which data applies to the messages sent from and received by a particular system. Email headers give investigators a wealth of data, such as a record of the path the message took on its journey from sender to receiver. One way to analyse email headers is to read them from bottom to top.
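As an added example (not from the article or from Kerio), the following Python script ties the store layout described above (_STORE_/mail/DOMAIN/USER/FOLDER/#msgs) to the header-reading approach just described: it indexes each message file by Message-ID, lists the Received hops from bottom to top, and pulls out the server log lines that quote a given Message-ID. The sample message and log lines are constructed, and the log line layout is an assumption rather than Kerio's actual log format.

```python
import email
import tempfile
from email import policy
from pathlib import Path
# Constructed sample message: hosts, addresses and IDs are made up.
SAMPLE_MSG = """Received: from mx.example.test (mx.example.test [203.0.113.7])
\tby mail.corp.example (Kerio Connect) with ESMTP id 4b3c; Mon, 1 Jan 2024 10:00:02 +0000
Received: from [198.51.100.9] (unknown [198.51.100.9])
\tby mx.example.test with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Message-ID: <abc123@mx.example.test>
From: sender@example.test
To: user@corp.example

body
"""
# Constructed log excerpt; its layout is an assumption, not Kerio's real format.
SAMPLE_LOG = """[01/Jan/2024 10:00:02] Recv: Queue-ID: 4b3c, From: <sender@example.test>, To: <user@corp.example>, Msg-ID: <abc123@mx.example.test>
[01/Jan/2024 10:00:03] Sent: Queue-ID: 4b3c, To: <user@corp.example>, Status: delivered
[01/Jan/2024 10:05:00] Recv: Queue-ID: 4b3d, From: <other@example.test>, Msg-ID: <zzz@other.test>
"""

def build_sample_store(root=None):
    """Lay out _STORE_/mail/DOMAIN/USER/FOLDER/#msgs (the structure the article
    describes) under root, or under a fresh temp dir, holding the sample message."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    msgs = root / "mail" / "corp.example" / "user" / "INBOX" / "#msgs"
    msgs.mkdir(parents=True, exist_ok=True)
    (msgs / "00000001.eml").write_text(SAMPLE_MSG)
    return root

def index_store(root):
    """Map Message-ID -> (domain, user, folder, path) for each file under
    mail/*/*/*/#msgs; nested sub-folders are not descended here."""
    index = {}
    for path in Path(root).glob("mail/*/*/*/#msgs/*"):
        if path.is_file():
            msg = email.message_from_bytes(path.read_bytes(), policy=policy.default)
            mid = msg.get("Message-ID")
            if mid:  # parts[-5:-2] are DOMAIN, USER, FOLDER
                index[mid.strip()] = (*path.parts[-5:-2], str(path))
    return index

def received_chain(raw):
    """Received headers oldest-first (bottom of the block first): the real travel order."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def log_lines_for(message_id, log_text):
    """Server log lines that quote the given Message-ID, in file order."""
    return [ln for ln in log_text.splitlines() if message_id in ln]
```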
Steps to open Kerio Webmail Files in different formats
In such situations, forensic utilities such as third-party viewer applications are available that give investigators great support in examining Kerio data carefully. The tool extracts the data by browsing to the location and allows Kerio mail data to be viewed in different email file formats. Perform three simple steps to accomplish the task:
In the above sections I have described the Kerio webmail application and how to open Kerio mail files in another email application's format. Follow the steps and you will achieve the task you were looking for.