Investigating Thunderbird Windows Application

21/09/2021 Tuesday

Mozilla Thunderbird was developed by the Mozilla Foundation as an open-source cross-platform email application that provides personal information management, news client, chat client and RSS feed. Thunderbird was designed to adopt the style of Mozilla's Firefox web browser.

Digital Forensics Value of Thunderbird Artifacts

Mailboxes are an essential part of our lives, since email is considered one of the most important methods of communication in the 21st century. Accordingly, mailbox forensics is a crucial part of digital forensics. Forensic searches are carried out to find leads on a felony or wrongful act, which helps in solving a case or problem.

Location of Thunderbird Artifacts

Thunderbird artifacts are stored in the following locations:


Structure of Thunderbird Artifacts

Thunderbird keeps its data in a series of files and folders under the profile directory. Its artifacts are stored in SQLite database files such as places.sqlite, which holds bookmarks, favicons, input history, keywords, browsing history, and the links clicked in mail messages. Thunderbird also stores cookies and global messages.

Analyzing Thunderbird Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast to extract Thunderbird artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Thunderbird Artifacts:

ArtiFast can analyze Thunderbird Addressbook, DB Email, MBOX Email, Places, Bookmarks, Cookies, and Favicons for new and older versions. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once the ArtiFast parser plugins finish processing the artifacts for analysis, the results can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Mozilla Thunderbird artifacts in ArtiFast software.

Thunderbird Addressbook Artifact

This artifact contains information from the history.mab file; MAB stands for Mozilla Address Book. The MAB file stores personal and business contact information such as:

Thunderbird DB Email Artifact

This artifact contains information from the global-messages-db.sqlite database. The Global Database, Gloda, is an indexing system that Thunderbird uses to search messages. The details you can view include:

Thunderbird MBOX Email Artifact

This artifact contains information about the stored emails such as:

Thunderbird Places Artifact

This artifact contains information about the history and maintains a record for the visited links such as:

Thunderbird Bookmarks Artifact

This artifact contains information about the bookmarked emails such as:

Thunderbird Cookies Artifact

The artifact contains information about all of the saved cookies such as:

Thunderbird Favicons Artifact

The artifact stores all the small icons associated with a particular email. The details you can view include:

Thunderbird Cache 2 Artifact

This artifact contains the cached entries in Thunderbird such as: