MBOX analysis to examine emails and attachments from a diverse number of applications. Diagnose any changes done in the header to get exact routing information of a mail message with various forensic views. Follow thorough MBOX file analysis process with a collection of evidence & exporting results in different file formats. Digital forensic tool MailXaminer provides the option to MBOX analysis with Thunderbird email viewer. It performs accurate forensic analysis of MBOX email.
Mozilla Thunderbird with its launch in the year 2003 has experienced a vast growth in the count of its users. With such an increment in the consumers, the number of illicit activities initiated by Thunderbird users has also increased. Therefore, in order to reach out the suspects and prove them guilty in the lawsuit, the forensic analysis of Thunderbird emails is mandatory. For doing the same, it is necessary for the forensicators to execute an in-depth analysis of the Thunderbird emails. This can be done with the assistance of a proficient tool like Thunderbird email viewer.
MailXaminer is one of the most far-famed Thunderbird Email Viewer, deployed by forensicators to carve out the evidence from Thunderbird emails. The software primarily focuses on the extraction of data from MBOX file of Thunderbird, which stores Thunderbird emails locally. The robust and powerful mechanism of MailXaminer makes it possible to extract evidence from even corrupted or deliberately damaged MBOX file. It gives a detailed preview of each strand of data residing in the MBOX file. It facilitates the forensicators in carrying out a deep analysis of the source of the emails via email header analysis, attachments, and email body analysis. Some of the exemplary features of Thunderbird Email Viewer which makes it a class apart are:
Thunderbird data is stored locally in the user machine in the form of MBOX files. These MBOX files are of crucial importance in order to extract the information regarding the conducted felonies. Basically the Thunderbird stores emails in MBOXRD file, a kind of MBOX file. The emails in an MBOXRD file are stored in a simple MIME format. For each default mail folder in Thunderbird, a corresponding MBOXRD file is created locally. They have the same name as of the default mail folders. For instance, Inbox folder of Thunderbird client has the MBOXRD file named as INBOX. It is to be noted that these files do not possess any extension.
If we search more deeply, the user defined email folders and Sent Mail folder can be found under [Gmail].sbd folder.
The IMAP mail profile of Thunderbird gets stored in the folder named ImapMail.
On the other hand, POP mail profile folder and local folders are stored in the Mail folder.
Other files which store the information regarding Thunderbird emails include global-messages-sqlite.db file. This can be found at the location as shown in the screenshot. Thunderbird uses this file to index and to search mails.
For each MBOXRD file, there exists a corresponding. MSF file used for storing folder indexes of Thunderbird in Mork format. This Mork format is used by Thunderbird for storing data like an address book.
Extracting evidence from Thunderbird emails manually is a time consuming and a complete inefficient task. Manual procedures do not guarantee complete recovery of artifacts and pose the danger of missing crucial evidence. Therefore Thunderbird Email Viewer like MailXaminer is the first choice of forensic experts in order to yield maximum output from the investigation.
MailXaminer provides the option to preview the emails in different views such as Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments. Each view provides different information about the email. With a range of MBOX forensic view options, it becomes easy to find evidence spoliation in email content or head section to put together all the collected evidence for the judicial or legal proceeding.
Explore specific email with different search options, which include search on the basis of keywords, logical operators, categories, criteria etc. Different search options provide multiple ways to search for the evidence from the forged data. Through the following steps, you can perform the search operation on the MBOX file.
Add the file to be added through the Add Evidence option. From that select Mozilla Thunderbird(*.*) to add the MBOX file.
After MBOX file is scanned, you can preview the emails through search option. There you can select either General or Proximity search according to the purposes.
Use Logical Operators AND, OR, NOT and Search Algorithms such as Wildcard Search, Stem Search, Fuzzy Search, Regular Expression search to perform an advanced search on MBOX File type.
The tool allows you to selectively export the resultant emails into various file format like PDF, EML, MSG, HTML etc.
The in-depth investigation on MBOX file of Mozilla Thunderbird is the easiest way to obtain the evidence in Digital Forensics Email Investigation. MailXaminer is a reliable Email Investigation tool which provides the option to search and analysis the MBOX file in a very accurate manner.