Kerio Email Forensic Analysis : Uncover What’s Inside Kerio User Profiles

Email is now used in every business enterprise, so it is fairly common for companies to receive suspicious messages from attackers. In such a scenario the company turns to law enforcement agencies, which may ask it to provide complete log details in order to pursue the criminal activity.
Kerio Connect Server, however, provides no assistance in such cases. System administrators therefore have to dig the relevant log files out manually, which obviously takes a long time.
To handle such situations, law enforcement agencies turn to forensic examiners, who in turn are faced with the problem of producing suitable evidence. Nevertheless, there are ways of obtaining and presenting admissible evidence in court so that the offender can be punished.
In this blog we will explore the possibilities for extracting evidence from Kerio Connect email messages. Let's first look at the Kerio Connect email client before turning to its forensic aspects.
The Essential Guide to Understanding Your “Kerio Connect” Email App
Kerio Connect is a groupware collaboration server and business email application offered by Kerio Technologies. It is popular among users for its prompt task handling. Connecting and teaming up with any device, with continuous synchronization of data between devices, is one of Kerio's most prominent features; it lets users access their email messages even from mobile devices. Thanks to this capability, Kerio has officially been termed the “Office Workhouse”. The app also helps users organize and manage their messages, calendars and contacts efficiently, regardless of the device or platform they are using.
Now let's move on to the forensic aspects of the Kerio email client. To extract forensic evidence, we need to understand in what form Kerio stores its data and where it is located.
A Closer Look at Kerio Connect Forensic Analysis
Kerio Connect Mail folder storage location path
- The Kerio configuration data is stored at the following location:
C:\Program Files\Kerio\MailServer

- The Store directory is found at the following path:
C:\Program Files\Kerio\MailServer\Store

Why Store.FDB File is Important – Understand from Forensic Viewpoint
FDB files are created when Kerio mailboxes are synchronized with Outlook via the Kerio Connector for Outlook. They are essentially cache files that contain a copy of the Kerio Connect data, much like the OST files that cache Exchange Server user mailboxes.
Kerio Connect 7.1.x uses a single store.fdb database file. This file, located in a folder in the user profile, contains a cache of emails, mail folders, contacts, calendars etc.
Kerio Outlook Connector 7.2.x and later use multiple FDB database files, named after their respective folder IDs. Kerio uses these files for installation purposes.

Where are Kerio Store.FDB files located?
The exact location of the Kerio FDB files is:
For Windows Vista, 7, 8
C:\Users\<username>\AppData\Local\Kerio\Outlook Connector\<OutlookProfileName>
For Windows XP
C:\Documents and Settings\<username>\Application Data\Kerio\Outlook Connector\<OutlookProfileName>
(If you cannot see some of these folders, they are probably hidden. Turn on the “Show Hidden Files and Folders” option first to make them visible and navigate further.)
How Does Kerio Save Email Messages and Other Data?
Kerio saves each email message as an individual file in a system directory, where each directory corresponds to an email folder. For example, all email messages belonging to the INBOX are found in the folder/directory named “Inbox”, at
store/mail/DOMAIN/USER/INBOX/#msgs
Similarly, sent messages, deleted emails, drafts etc. are found in the “Sent Items”, “Deleted Items” and “Drafts” system directories. Emails saved in custom folders are likewise available in their respective “Custom Folders” directory.

For contacts, calendars, notes etc., there are separate system directories named Contacts, Calendars and Notes respectively, which hold their items as follows:
For contacts:
store/mail/DOMAIN/USER/Contacts/#msgs
For calendars:
store/mail/DOMAIN/USER/Calendars/#msgs
For notes:
store/mail/DOMAIN/USER/Notes/#msgs
Kerio saves all shared user data in #public folders at the following location:
store/mail/domain/#public/

The log files, consisting of an ASCII text document along with an index for each item, are stored at:
store/logs

Each mail folder (e.g. Inbox, Outbox, Sent Items etc.) contains the actual mail messages in its #msgs folder. The folders also contain metadata files such as index.fld, properties.fld, search.fld and status.fld.

The messages in the Inbox #msgs folder are stored in EML format.

Similarly, all other Kerio item folders such as Sent Items, Outbox, Contacts, Calendars, Notes etc. store their data in EML format under their #msgs folder.
Examining EML Files
The email messages (in .eml format) can be examined further for forensic analysis. Since each email message is saved as an individual EML file, each of them can be analysed individually in a text editor. Examiners can verify the message creation date and time from the timestamp in the Date line of the message header. To check whether the message was modified, they can read the last modified date and time from the timestamp in the Delivery date line of the email message header.

Analyse Email Headers Meticulously for Email Message Tracking
The message ID displayed in the email message header is a unique ID that the email server assigns to each message. By comparing the message ID with the server logs, one can easily establish whether a message was transferred from a particular system. The email message header can also give investigators useful information such as the path the message travelled from its starting point to its final destination. One method of examining the message headers is to read them from bottom to top, since each server along the way prepends its own Received line. Forensic examination utilities that decode the data in EML files can also be of great help.
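As an added example (not code from the original post or from Kerio), the following Python script walks a store/mail/DOMAIN/USER/FOLDER/#msgs tree laid out as described above, parses each EML file and reports the Date, Delivery-date and Message-ID header values plus the Received chain read bottom to top. The domain, user, hosts, addresses and timestamps in the embedded sample message are constructed, and the header name "Delivery-date" is an assumption.

```python
import email
import os
import tempfile
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (domain, user, hosts and IDs are made up); it is
# written into the layout the post describes: store/mail/DOMAIN/USER/INBOX/#msgs
SAMPLE_EML = (
    "Received: from mx.example.com ([203.0.113.7])\r\n"
    "\tby mail.corp.example (Kerio Connect); Tue, 03 Mar 2020 10:15:02 +0100\r\n"
    "Received: from [198.51.100.9] (helo=sender.example.net)\r\n"
    "\tby mx.example.com; Tue, 03 Mar 2020 10:14:58 +0100\r\n"
    "Message-ID: <abc123@sender.example.net>\r\n"
    "Date: Tue, 03 Mar 2020 10:14:55 +0100\r\n"
    "Delivery-date: Tue, 03 Mar 2020 10:15:02 +0100\r\n"
    "From: alice@sender.example.net\r\nTo: bob@corp.example\r\n"
    "Subject: Invoice\r\n\r\nBody text.\r\n"
)

def iter_store_messages(root):
    """Yield (domain, user, folder, path) for each file in any #msgs directory."""
    for dirpath, _dirs, files in os.walk(os.path.join(root, "store", "mail")):
        if os.path.basename(dirpath) != "#msgs":
            continue
        parts = dirpath.split(os.sep)  # ..., DOMAIN, USER, FOLDER, #msgs
        for name in sorted(files):
            yield parts[-4], parts[-3], parts[-2], os.path.join(dirpath, name)

def summarise_message(path):
    """Pull creation, delivery, Message-ID and hop evidence out of one EML file."""
    with open(path, "rb") as fh:
        msg = email.message_from_binary_file(fh, policy=policy.default)
    created = parsedate_to_datetime(str(msg["Date"]))
    delivered = parsedate_to_datetime(str(msg["Delivery-date"])) if msg["Delivery-date"] else None
    # Each hop prepends its own Received header, so reading them bottom-up
    # follows the message from its origin to the final destination.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    return {"message_id": str(msg["Message-ID"]), "created": created, "delivered": delivered,
            "transit_seconds": (delivered - created).total_seconds() if delivered else None,
            "path": hops}

def demo():
    """Write the constructed message into a temporary store tree and analyse it."""
    with tempfile.TemporaryDirectory() as tmp:
        msgs = os.path.join(tmp, "store", "mail", "corp.example", "bob", "INBOX", "#msgs")
        os.makedirs(msgs)
        with open(os.path.join(msgs, "00000001.eml"), "w", newline="") as fh:
            fh.write(SAMPLE_EML)
        return [dict(domain=d, user=u, folder=f, **summarise_message(p))
                for d, u, f, p in iter_store_messages(tmp)]
```

Point iter_store_messages at a real store root instead of the temporary tree to run the same summary over an actual mailbox export.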
Is Your Kerio Connect Account Compromised?
Is there any way to know whether your Kerio Connect account has been hacked? If investigators suspect that Kerio Connect user accounts may have been tampered with, they can check the following indications:
- Slow performance of Kerio Connect Server
- Bouncing back of email messages that you never sent
- Blacklisting of external IP address
- A long mail queue listing multiple email messages to be sent to addresses without your knowledge
If investigators observe these sudden changes, they can conclude that an account has been compromised. They then need to determine which specific user account, among the several on the server, has been hacked. For this, they need to enable a column in the message queue screen of the Kerio Connect interface, which shows which account was authorized to send the email messages.
- Open the Kerio Connect Web Administration Interface
- Click the Status tab >> Message Queue (to enable this option)

Once the message queue view is enabled, examiners can quickly determine the exact source of a particular email message being sent. The sender's IP address will further help determine whether the message was submitted internally or externally, and the authorized sender will reveal whether the passwords of other accounts have been compromised.

Hacked email accounts can severely compromise the privacy of a business organization and thus pose a serious threat to the company's proprietary information and data. Using the methods described above, forensic investigators can extract crucial evidence from the Kerio Connect application and assist law enforcement agencies in preparing and presenting their case in court.
Alternative Solution to Export Kerio Connect Files to Other Important File Formats
Alternatively, you can use a professional Kerio Converter to export Kerio Connect files easily and accurately to 15+ output formats. You can convert Kerio user mailboxes to PST, PDF, EML, MSG, MBOX, HTML, DOC, RTF, Office 365, Exchange, Gmail, IMAP Server and many more. The app is simple to use and provides complete Kerio data migration, including emails, contacts, calendars, notes, tasks etc., without losing data integrity. It runs on any Windows (32-bit and 64-bit) OS edition and saves Kerio files with exact results.
Conclusion
Considering the current rise in cyber-criminal activity, it is imperative for every business user to secure their crucial data against theft and hacking. Although most cloud-based services provide robust security features that are hard to break, incidents can happen at any time; if one has struck you, you can follow this blog, where we have tried to provide as much information as possible to help you with Kerio email forensic analysis. Alternatively, a professional solution is also suggested that you may download and try free of cost.
