Extracting email from Zimbra is not all that challenging. These simple steps show you how.
Zimbra is one of the most popular enterprise-class email, calendar, and collaboration solution. It is cloud-based but can also be treated as a standard POP3 mail server. Zimbra offers a web-based interface for users and can be held in a personal or corporate cloud.
Zimbra can be supported with the following specifications.
Cloud Platforms
The following Cloud Platforms are supported:
- Oracle Cloud Infrastructure as a Service New
- VMware vCloud Director
- VMware vCloud Air
- Image editing can be undone (cropping, rotation, etc.)
Virtualization Platforms
The following hypervisors are supported:
- VMware vSphere 4.x
- VMware vSphere 5.x
- XenServer 6.2
- XenServer 6.5
- KVM
Operating Systems
The following Operating Systems are supported:
- Red Hat® Enterprise Linux® 7 (64-bit)
- Red Hat Enterprise Linux 6 (64-bit), patch level 4 or later is required
- Oracle Linux 7.2
- Oracle Linux 6.6
- CentOS Linux® 7 (64-bit)
- CentOS Linux 6 (64-bit), patch level 4 or later is required
- Ubuntu 14.04 LTS Server Edition (64-bit)
- Ubuntu 12.04.4 LTS Server Edition (64-bit) running the saucy (3.11) or later kernel is required
With Zimbra being cloud-based, you do not tackle it for forensics at the server itself. Instead, you can deal with each mail archive separately. This is a great option when the discovery of email processing might be limited to a single custodian.
If you go into Zimbra and select the following options you will be provided with an offline backup of the mail archive associated with that account:
Exporting all account data:
– Go to Preferences>Import/Export
– In Export, select the Type as Account
– Make sure Source displays All folders.
– Click Export.
– In the dialog that opens, select Save File and select where to save the file.
The account data is saved as a tgz file.
The .tgz file is an archive which you can extract and add folders with emails as Email file evidence (E3/Add Evidence/E-mail database/Email file).
There is also an option to convert Zimbra mail files into PST files using 3rd party tools. You can see more details on this option here:
We made the support of Zimbra mail even easier in the 1.7 version of the E3 Platform with a quick parsing of the mail archives.
Related Articles
Investigating Fileless Malware Through Volatile Memory Forensics: Building an Open-Source DFIR Workflow
Guest Blogger: Anas Zahid Fileless malware has become one of the most challenging threats facing modern defenders. Unlike traditional malware, fileless attacks often operate entirely within memory, leveraging trusted operating system components such as PowerShell,...
Decoding Financial Fraud: Tools and Methodology
Guest Blogger: Vladislav Hamppu Many people think that online investigation is just a Google search. In reality, it’s about working with digital footprints and automation. Using my recent case as an example, here is how it works in practice: First Environment Setup I...
Behind the Scenes of ClickFix: Blockchain-Based Dead Drop C2 Resolver
Guest Blogger: Manasi Joshi What if a malware’s C2 infrastructure wasn’t hardcoded—but resolved dynamically from a blockchain? I was recently analysing a ClickFix campaign. While analysing, I expected the usual—hardcoded domains, maybe some layered obfuscation. That’s...









