Mozilla Thunderbird Email Forensics

Creative Team | January 9th, 2015 | Forensics

Mozilla Thunderbird having been launched as a charge-less application, the developer company Mozilla has come up with a novel idea of providing the desktop emailing facility to everyone without any kind of restriction or limitation. But with users of Thunderbird having been spread worldwide it becomes source as well as target for carrying out cyber crimes and becoming the affected-subject to commit crimes respectively. Therefore, the Mozilla Thunderbird mailbox forensics analysis becomes a matter of high concern to reach-out to the suspects, prove them criminals and render justice to the victimized persons. However, a complete know how of the email program is necessary to be acknowledged and gained by the forensic investigators of Thunderbird. Hence, a deep study must be done on this particular mail program to gain an insight into its underlying structure and thereby devise ways to collect data for forensic investigation.

A Detailed Analysis of Thunderbird Program

‘Thunderbird’, developed by the non-profit Mozilla Foundation, a global community, is a free of cost and open source desktop email application for public. It can be set up by any of the two available options, Standard & Custom, as displayed in the image below. The former alternative allows the program to be installed with the most common options, whereas the latter is for experienced users.


  • Main Functionalities:

“Thunderbird offers users to create accounts for various purposes like emailing, newsgroups, chat facilities like Facebook Chat, Google Talk, Internet Relay Chat (IRC), Twitter & XMPP and feeds as well. Together with these facilities the client offers Address Book to store contact information of multiple known one’s either from office or personal contacts. The Address Book stores contact details in two separate folders called Collected Addresses and Personal Address Book.”


Its File FormatsTo store all the data items falling into the email category it creates a file with .mbox extension. MBOX is known to be a Unix mailbox format, i.e. one file that holds a number of emails all together. Moreover, it uses Mork and MozStorage (based on SQLite) file formats for its internal database where the former has been used since version 3. Though Mork was due to be replaced with MozStorage file type in Thunderbird 3.0, it is still being used. Being a desktop based email application, these were the basic amenities of the application. However, to bestow upon these services with ease and to make emailing easier and available to all, it provides more enhanced features.

Offering multiple characteristics in addition to the foremost functionality of emailing and that too free of charge, Thunderbird has become one of the most widely used program all over the world. With users of the concerned email program has spread worldwide, cyber crimes with it have shown a steady rise in comparison to the crimes committed in the traditionally organized way.

Moreover, in spite of tight security also it is one of the highly demanded resorted ways to commit crimes. Therefore, the Mozilla Thunderbird forensics study (an attempt has been made above, here in this section) and methods to collect evidence from it in the correct manner (an attempt shall be made in further sections of the blog), is quite essential from the investigators point of view. This is because only if the proofs are accurate and reliable that they shall become admissible in the court of law.

Techniques to Analyze & Investigate Thunderbird Activities

Even though tight security features have been incorporated in the Thunderbird, investigation can be done on the illicit activities carried out by means of the concerned application. There exist numerous cyber offenses. Out of the many illegitimate actions the ones that are of peak jeopardy are tax-refund fraud, corporate account takeover, identity theft, theft of sensitive data, theft of intellectual property, etc. The malicious purposes of identity theft can be many such as opening a line of credit, purchasing services or goods, buying or renting a house or apartment(s), receiving medical care, obtaining employment, etc. However, regardless of the felonies conducted different techniques exist that can be adopted to collect evidences against the suspects.

  • Thunderbird ‘Email’ Investigation

The continued dependence on ‘communications with emails’ in Thunderbird makes certain that it remains a major source of evidence as compared to chats, feeds and newsgroups.  As of emails it contains both structured and unstructured data that need to be examined, where the former provides qualitative information to the forensics investigators and can be extracted by means of digital forensic investigation tools.

Also, these explored ways, mainly focus on triage and examination of unstructured email data to recognize the key aspects and relationships within an email network. This is because unstructured data is more complicated as it comprises info of networks such as power relations, relations of the inter-networking devices within the network and identification of the key factors. Such information’s are indeed very complex in nature and the main hazard associated with unstructured data is that there are currently no standardized tools in existence for its forensic analysis. Some of the methods are explored herein, in the below sections of the blog.

Method 1: – Email Forensic Investigation with ‘File Format’

As emails form the most important part of an email client, email examination becomes the basis of the cyber crimes rather than chat, newsgroups or feeds.  It has been stated in the above section that Thunderbird saves its emails and attachments as .mbox file. Hence, one professional utility that can be brought into use to view and examine Thunderbird emails & its attached attachments, stored as MBOX files is MBOX Viewer.

Method 2: – Email Investigation by ‘Header Analysis’

Header analysis is also one of the keys to valid and authentic investigation of emails of all mail programs be it web or desktop-based. And so is the case with emails of Thunderbird desktop based email program. A screenshot of how the header of an email received in Thunderbird appears is shown by means of the screenshot pasted below.


Note – Extensions such as enigmail may add extra headers.

The Message-ID field has three parts: Message-ID: [time].[salt]@[domain-name]. They are explained as follows:

  • First Part – It shows the time (in seconds) the message was sent past the epoch in hexadecimal.
  • Second Part – It shows a random value called salt. The salt is of the format #0#0#0# where ‘#’ is any random digit. As Thunderbird utilizes the salt like a number, it may be shorter if 0s are the leading digits. For instance, a salt of ‘0030608’ shall get displayed as ‘30608’.
  • Third Part – It contains the fully qualified sender’s domain name.

As a whole, the header gives information about the metadata like message id, date, receiver id, user agent, X-Accept-Language, MIME version, sender id, subject, content type, content transfer, the path traversed by the emails, IP address, etc. However, some of the details can be spoofed by the sender’s to conceal their identity. Lastly, a detailed examination of all the header data can be correlated to draw evidences.

Steps to extract header of an email in Thunderbird

Step 1: Select the email and open it in a new tab or window, as shown in the below given image.


Step 2: Click on the View tab and then select the option Message Source. Once the button Message Source is clicked upon the header of the email gets displayed.


Step 3: Finally, the message header appears on the screen.

Method 3: – Email Investigation by ‘Bait Tactics’ 

In a bait tactic exploration of Thunderbird email, a mail with http: “<img src>” tag having the source of image at some system is sent to the sender of email under examination, which stores-in the real email address. Here, it must be acknowledged that the computer system remains in the custody of the investigators and they only monitor them. When the email is opened, a log report having the IP address of the recipient, i.e. sender of the mail-under-investigation is recorded on the http server hosting the image. Finally, in this way the sender of illegitimate mail prohibited by the court of law, is tracked down.

However, if the recipient is using a proxy server then Internet Protocol (IP) address of the proxy server is noted down. The log details on proxy server are then utilized to trace the sender of the email-under-investigation. If the proxy server’s record details are unavailable due to one or more causes, then investigators may send the tactic email containing either Embedded Java Applet that runs on receiver’s PC or HTML page with Active X Object. Both these things endeavor to dig out the IP address of the receiver’s machine and inform it to the investigators.

Method 4: – Email Forensic Scrutiny by ‘Server Investigation’

In Thunderbird email investigation by the server, copies of the delivered emails as well as server logs are inspected to identify the exact source of the message. The mails eliminated from the sender or receiver client, whose retrieval seems impossible, may be requested from servers, i.e. either Proxy or Internet Service Provider (ISP). This is because most of them preserve a copy of all emails after they get sent or say delivered. Further on, the stored logs maintained by the servers can be investigated to trace the address of the machine responsible for making the send/ receive operation of the particular email.

Further, SMTP servers that store info such as credit card no. and other data belonging to the owner of a mailbox can be used to identify and seek out the person. However, it should be noted that the servers keep the replicas of the transacted mails and server logs for a limited time period only. Moreover, many servers do not co-operate with the investigators in the investigating operation. These are the two major drawbacks in forensic analysis of Thunderbird emails by investigating the server.

Method 5: – ‘Network Device Investigation’ for Analyzing Mails

In this form of Thunderbird mail investigation, logs recorded by the inter-networking devices like modems, routers, switches, firewalls are used to investigate the source of an email message. This form of investigation is rather complex and is used only when the logs of servers, either proxy or ISP, are unavailable due to one or more reason. For example, when the ISP or proxy servers do not form and maintain the log report. Or can be used when they do not assist investigators in investigating the emails for catching hold of the offenders.

Conclusion Drawn

Finally, in any of the ways described above, Mozilla Thunderbird forensics analysis of emails can be accomplished. Even other well proven methods can be discovered and researched for forensic investigation. However, the email messages can be studied either manually or by a combination of a few professional e-discovery and digital forensic investigation tools. One external tool for digging up the artifacts from suspect driven emails is MailXaminer. Several other third party software applications can be brought into suse as well for examining the emails of Thunderbird. However, reliability and authenticity of the outputs of the tools must be acknowledged and tested before bringing in use.