Analyze Thunderbird MBOX Artifacts with Thunderbird Email Viewer

MailXaminer | May 16th, 2020 | Forensics

Mozilla Thunderbird is a desktop-based email client that was released in 2004 and has since seen vast growth in its user count. With this rapid increase in users, the number of illicit activities initiated by Thunderbird users has also increased. Therefore, to find suspects and prove them guilty in a court of law, forensic analysis of Thunderbird emails came into use. Digital forensics examiners need to carry out an in-depth analysis of Thunderbird emails with the assistance of a proficient tool such as a Thunderbird email viewer.

MailXaminer: An Ultimate Thunderbird Email Viewer or Examiner

MailXaminer is an efficient Thunderbird email examination tool used to extract evidence from Thunderbird emails. The Email Examiner Software primarily analyzes the data stored in Thunderbird's MBOX file, which is where Thunderbird stores emails locally. The robust and powerful mechanism of MailXaminer makes it possible to extract evidence from a corrupted or deliberately damaged MBOX file. It gives a detailed preview of the email data stored in the MBOX file, and it helps forensic investigators carry out a deep analysis of the source of the emails via email header analysis, attachment analysis, and email body analysis.

Some of the exemplary features of Thunderbird email viewer software are as follows:

  • Scan & recover deleted or corrupt emails of the MBOX file. Extract evidence from the header of emails even if it is forged.
  • Bookmark crucial emails & attachments to create a quick list of evidence.
  • Advanced search mechanism to find specific emails using keywords, subject, sender, etc.
  • Advanced case management options ensure an effective investigation of Thunderbird emails with a large team.
  • Preview emails in different modes which ensures in-depth analysis of email headers, email and attachment properties, etc.
  • Link Analysis intelligence helps find the connections in emails exchanged between the culprit and the associated suspects of a crime.
  • Skin Tone Analysis feature reveals the presence of any obscene images in Thunderbird data files including all the images and other attachments classified under low, high, and moderate sections.
  • The option of Tagging Thunderbird emails to categorize them for effectual and time-saving investigation.
  • Team collaboration feature allows multiple forensic examiners to work on Thunderbird emails on different machines to generate maximum output.

Manual Extraction of Evidence from Thunderbird MBOX Files

Thunderbird data files are stored locally on the user's machine with the .mbox extension. These MBOX files are crucial for extracting evidential information about the offense under investigation. Thunderbird stores its email data in MBOXRD files, a kind of MBOX file. Emails in an MBOXRD file are stored in a simple MIME format. For each default mail folder, Thunderbird creates a corresponding MBOXRD file locally with the same name as the folder.

For instance, the Inbox folder of Thunderbird is created as an MBOXRD format file named INBOX. Note that MBOXRD files do not have any extension.
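The following is an added example, not MailXaminer's code and not part of the original article: a minimal reader for an MBOXRD folder file that splits messages on their `From ` separator lines, undoes the `>From ` body quoting, and records each message's file offset and SHA-256. The sample bytes are constructed, and the `X-Mozilla-Status` bit `0x0008` used to flag deleted mail is Thunderbird behaviour that this page does not describe.

```python
import hashlib
import re
from email import policy
from email.parser import BytesParser

QUOTED_FROM = re.compile(rb"^>+From ")  # body line quoted by the mboxrd writer
EXPUNGED = 0x0008  # X-Mozilla-Status bit Thunderbird sets on deleted mail

# Constructed sample folder file: two messages, the second flagged deleted.
SAMPLE = (
    b"From - Sat May 16 10:00:00 2020\n"
    b"X-Mozilla-Status: 0001\n"
    b"From: alice@example.com\n"
    b"Subject: Invoice\n"
    b"\n"
    b">From the desk of Alice\n"
    b"\n"
    b"From - Sat May 16 10:05:00 2020\n"
    b"X-Mozilla-Status: 0009\n"
    b"From: bob@example.com\n"
    b"Subject: Re: Invoice\n"
    b"\n"
)

def split_mboxrd(raw: bytes):
    """Yield (file_offset, message_bytes) per message, unquoting '>From '."""
    offset, start, body, prev_blank = 0, None, [], True
    for line in raw.splitlines(keepends=True):
        if prev_blank and line.startswith(b"From "):  # separator line
            if start is not None:
                yield start, b"".join(body)
            start, body = offset, []
        elif start is not None:
            # Remove exactly one '>' from quoted lines; keep the rest verbatim.
            body.append(line[1:] if QUOTED_FROM.match(line) else line)
        prev_blank = not line.strip()
        offset += len(line)
    if start is not None:
        yield start, b"".join(body)

def examine(raw: bytes):
    """Return one record per message: offset, headers, deleted flag, hash."""
    records = []
    for offset, data in split_mboxrd(raw):
        msg = BytesParser(policy=policy.default).parsebytes(data)
        status = int(str(msg.get("X-Mozilla-Status", "0")).strip(), 16)
        records.append({
            "offset": offset, "deleted": bool(status & EXPUNGED),
            "from": str(msg.get("From", "")), "subject": str(msg.get("Subject", "")),
            "sha256": hashlib.sha256(data).hexdigest()})
    return records
```

On a real case, run it against a working copy of the folder file opened read-only, and record the hash of the whole file before parsing.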


Looking deeper, some user-defined email folders, such as the Sent Mail folder, can be found under the .sbd folder.


Thunderbird IMAP mail data and profile can also be found in the folder named ImapMail.


On the other hand, the POP mail profile folder and local folders are stored in the Mail folder.


Other important data files that store information about Thunderbird emails include the global-messages-sqlite.db file. It can be found at the location shown in the screenshot. Thunderbird uses this file for indexing and searching emails.


MSF File (Mail Summary File)

For each MBOXRD file, there exist some corresponding .msf files, which store the indexes of Thunderbird folders in Mork format. Thunderbird also uses the Mork format for storing data such as an address book.


Manually extracting evidence from Thunderbird emails is a time-consuming and inefficient task. Manual procedures do not guarantee complete recovery of artifacts and carry a risk of missing crucial evidential information. Therefore, a Thunderbird Email Viewer like MailXaminer is the first choice of forensic experts to yield maximum output in the investigation.

Search using Thunderbird Email Viewer with Powerful Filter & Search Options

Explore the required email data with the software's powerful search mechanism, which helps to find data based on keywords, logical operators, categories, criteria, etc. Different search options provide multiple ways to search for clues and evidence in the forged data. Through the following steps, you can perform the search operation on the MBOX file.

STEP 1: Add MBOX file

Add the suspected file to the software through the “Add Evidence” option. From there, select Mozilla Thunderbird (*.*) to add the MBOX file.


STEP 2: Search Option

After scanning the MBOX file, you can view the specific email data through the search option. There you can select General Search, Proximity Search, Regular Expression, Stem Search, Fuzzy Search, and Wildcard Search according to the requirement. All of these searches are based on different searching algorithms.


STEP 3: Search Using Logical Operators

Users can search the data using the logical operators AND, OR, and NOT. These can be used to perform an advanced search on the MBOX file type.


STEP 4: Export option

The tool allows you to selectively export the resultant emails into various file formats like PDF, EML, MSG, HTML, etc.


Analyze MBOX Emails & Attachments with Different View Options

MailXaminer provides the option to preview emails in different views such as Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments, and Word Cloud. Each view helps to get different information from the email. With a range of MBOX forensic preview options, it becomes easy to find evidence spoliation in the email content. Users can also analyze the head section to put together all the collected evidence for judicial or legal proceedings.


Conclusion

An in-depth investigation of the Mozilla Thunderbird MBOX file using MailXaminer is the easiest way to obtain evidence in a digital forensics email investigation. MailXaminer is a reliable Email Investigation Tool that provides the option to search and analyze the MBOX file in a very accurate manner.