Incredimail Forensics: The Need Of The Hour
Incredimail has gained popularity as one of the most sort after email clients. The features which make this email client as one of its kind are its eye-catching Animations, Background Themes, Skins, Emoticons and a large number of Ecards.
Since Incredimail is an email client, therefor similar to other email clients, it also becomes the source and the target for carrying out unlawful or criminal offenses. And this is at such times Incredimail Forensics becomes a necessary undertaking.
How Does Incredimail Store Its Data?
The very first step towards a complete forensic analysis of Incredimail is to find out the default location where Incredimail stores its complete data. Similar to other email clients, Incredimail stores its data locally on the user machine in which it’s configured.
The emails or text messages exchanged via Incredimail are stored in the default file named as IMM file. Denoted with the extension .imm the file stands for Incredimail Mail file. Since the IMM file only stores mails, it can be opened and viewed in a text editor. During Incredimail forensics, techies can extract the evidence from IMM file. The default location is:
In Windows 7:
In Windows XP:
C:\Documents and Settings\[Profile Name]\Local Settings\Application Data\IM\Identities\[GUID]\Message Store\Messages
The identities folder consists of various folders like Address-Book, Message Store, Logs, Signature, etc. With a forensic perspective, the folders Address Book and the Message Store hold greatest importance. Therefore, we will focus mainly on these folders.
The Address book as the name clearly suggests enlists the contacts stored in Incredimail. These contacts are stored in a SQLite DB file named as AddrBook.db3 and also a backup of the address book namely AddrBook.db3.bak is also created by default.
Incredimail stores information about its message store in different folders. For each attribute there exists a different folder like Attachments, Messages, Pictures, etc. you will also notice that accompanying the different folders, there also exists a SQLite file named as Messagestore.db. This SQLite file is mainly comprised of the header properties of all the emails.
In order to perform Incredimail forensics and carve out the messages store in Incredimail email client, Messages folder is selected. This folder contains different mails and the mails are stored in the IMM format with .imm extension.
How To View Incredimail IMM Files?
Incredimail, as discussed above stores its mails in IMM format. These IMM files can only be accessible via Incredimail and no other application can be used for the same purpose. Therefore, the question which arises is how the forensic experts can access these mails in case Incredimail is not available. Or in other case what if the file has been hampered deliberately and is in a corrupted state?
All these queries have only one answer – deployment of Incredimail IMM Viewer. IMM Viewer is a third party application and as the name suggest is deployed for viewing Incredimail IMM files. The software is email client independent and hence can be used even if Incredimail is not installed in the user machine. What’s more, the software also supports assessment of corrupted IMM files (which is the thing, even Incredimail cannot support!!). This enables the forensicators to recover emails from a damaged IMM file and facilitates in an efficient Incredimail forensic investigation.