Hi,

Thanks for taking the time to read this message.


During a forensic investigation, I encountered the remnants of what I think is a Zimbra addressbook. I would appreciate it very much if someone could confirm my findings and educate me on some things I don't know.



There are several "records" separated by a <RS>, i.e. hex 0x1E

Within each "record" there are "fields" separated by a <GS>, i.e. hex 0x1D

This is what a "record" looks like:


<rs>id<gs>18020<gs>l<gs>13<gs>d<gs>1388745677000<gs>rev<gs>171589<gs>fileAsStr<gs>Doe, John<gs>lastName<gs>Doe<gs>email<gs>John.Doe@domain.com<gs>fullName<gs>Doe John<gs>firstName<gs>John<rs>


Could any of you verify my findings/enlighten me on the missing stuff?

id = unique ID per contact in the address book?

l = 13 for each and every record in the address book. What is this?

d = Unix time. Is this the date/time when the contact has been created?

rev = ?

How does this address book end up on the PC when (s)he is running a webmail service with https?


Thanks for your reply.

Best regards,
André
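
A parser for the layout described in the post above, added here as an example and not part of the original message: it splits on 0x1E and 0x1D, pairs the fields as alternating key/value the way the sample record shows, and flags remnants that were cut off after a key. The function names, the constructed sample bytes, and the reading of a 13-digit d value as milliseconds since the Unix epoch are assumptions.

```python
from datetime import datetime, timezone

RS, GS = b"\x1e", b"\x1d"  # record / field separators named in the post

def decode_d(value):
    """UTC datetime for field 'd', or None if the value is not a usable number."""
    try:
        n = int(value.strip())
        # Assumption: values this large are milliseconds, smaller ones seconds.
        return datetime.fromtimestamp(n / 1000 if n >= 10**11 else n, tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        return None

def parse_records(blob):
    """Split carved bytes into records of alternating key/value fields."""
    records = []
    for chunk in blob.split(RS):
        if not chunk:
            continue  # empty span between two separators
        parts = [p.decode("utf-8", errors="replace") for p in chunk.split(GS)]
        # An odd field count means the remnant was cut off after a key.
        dangling = parts.pop() if len(parts) % 2 else None
        fields = dict(zip(parts[0::2], parts[1::2]))
        records.append({"fields": fields, "dangling": dangling,
                        "d_utc": decode_d(fields.get("d", ""))})
    return records

# Constructed sample: the record from the post plus one truncated remnant.
SAMPLE = (RS + GS.join([b"id", b"18020", b"l", b"13", b"d", b"1388745677000",
                        b"rev", b"171589", b"fileAsStr", b"Doe, John",
                        b"lastName", b"Doe", b"email", b"John.Doe@domain.com",
                        b"fullName", b"Doe John", b"firstName", b"John"])
          + RS + GS.join([b"id", b"18021", b"l"]))

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec["fields"].get("id"), rec["d_utc"], "truncated:", rec["dangling"] is not None)
```

A remnant cut off in the middle of a value still yields an even field count, so its last value should be checked by hand against the raw bytes.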