Analyze Thunderbird MBOX Artifacts with Thunderbird Email Viewer

Published By Jaspreet Singh
Approved By Anuraag Singh
Published On May 31st, 2023
Category Forensics

Mozilla Thunderbird is a desktop email client that was released in 2004 and has seen vast growth in its user count. Because it is a free and open-source platform, hackers use this email client to carry out various fraudulent activities. It may sound odd, but it's true. Therefore, to find the culprits who use Thunderbird as their online weapon to carry out fraud, investigators have to perform a proper email analysis. To make that analysis smoother, they use a Thunderbird email viewer to find relevant evidence that can be presented in a court of law.

Let’s learn about such an email viewer tool that can easily view and analyze Thunderbird emails.

An Ultimate Thunderbird Email Viewer or Examiner

MailXaminer is an efficient Thunderbird email analysis tool used to fetch evidence from Thunderbird emails. It primarily analyzes the data in Thunderbird's MBOX files, which store the Thunderbird emails locally. The tool's robust mechanism makes it possible to extract evidence from corrupted or deliberately damaged MBOX files. It gives a detailed preview of the email data stored in the MBOX file and helps forensic investigators carry out a deep analysis of the source of the emails through email header analysis, attachment analysis, and email body analysis.

Some of the notable features of the Thunderbird email viewer software are as follows:

  • Scan and recover deleted or corrupt emails from the MBOX file. Extract evidence from email headers even if they are forged.
  • Bookmark crucial emails and attachments to create a quick list of evidence.
  • Advanced search mechanism to find specific emails using keywords, subject, sender, etc.
  • Advanced case management options that support an effective investigation of Thunderbird emails with a large team.
  • Preview emails in different modes for in-depth analysis of email headers, email properties, attachment properties, etc.
  • Link Analysis intelligence helps find the connections in emails exchanged between the culprit and the associated suspects of a crime.
  • Skin Tone Analysis reveals the presence of any obscene images in Thunderbird data files, with all the images and other attachments classified under low, high, and moderate sections.
  • Tagging of Thunderbird emails to categorize them for an effective and time-saving investigation.
  • Team collaboration allows multiple forensic examiners to work on Thunderbird emails on different machines to generate maximum output.

Manual Extraction of Evidence from Thunderbird MBOX Files

Thunderbird data files are stored locally on the user's machine with the .mbox extension. These MBOX files are crucial for extracting evidential information about the offense. Thunderbird stores its email data in MBOXRD files, a variant of the MBOX format. The emails in an MBOXRD file are stored in simple MIME format. For each default mail folder, Thunderbird creates a corresponding MBOXRD file locally with the same name as the folder.

For instance, the Inbox folder of Thunderbird is created as an MBOXRD file named INBOX. Note that MBOXRD files do not have any extension.

Thunderbird Inbox Email Viewer
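
The MBOXRD layout described above can also be read directly. The Python below is an added example, not MailXaminer code or part of the original article: it splits a mailbox on its "From " separator lines, undoes the ">From " quoting that defines MBOXRD, hashes each message as stored, and reads Thunderbird's X-Mozilla-Status header. That header is not covered in the article; its 0x0008 bit marks a message as deleted but not yet compacted out of the file. The sample mailbox is constructed.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample: two messages as Thunderbird would store them. The body
# line ">From here on" is the quoted form of an original "From here on".
SAMPLE = (
    b"From - Mon May 01 10:00:00 2023\n"
    b"X-Mozilla-Status: 0001\n"
    b"From: alice@example.com\n"
    b"Subject: invoice\n"
    b"Message-ID: <1@example.com>\n"
    b"\n"
    b"See attached.\n"
    b">From here on, use the new account.\n"
    b"\n"
    b"From - Mon May 01 11:00:00 2023\n"
    b"X-Mozilla-Status: 0009\n"
    b"From: bob@example.com\n"
    b"Subject: re: invoice\n"
    b"Message-ID: <2@example.com>\n"
    b"\n"
    b"Delete this after reading.\n"
)

SEPARATOR = re.compile(rb"^From [^\n]*\n", re.M)   # message boundary line
QUOTED_FROM = re.compile(rb"^>(>*From )", re.M)    # mboxrd quoting to undo

def parse_mboxrd(data):
    """Return one record per stored message, including deleted ones."""
    records = []
    marks = list(SEPARATOR.finditer(data))
    for i, mark in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(data)
        raw = data[mark.end():end]                 # bytes exactly as stored
        msg = message_from_bytes(QUOTED_FROM.sub(rb"\1", raw), policy=policy.default)
        try:
            status = int(str(msg.get("X-Mozilla-Status", "0")), 16)
        except ValueError:                         # damaged header: no flags
            status = 0
        part = msg.get_body(preferencelist=("plain",))
        records.append({
            "offset": mark.start(),                # byte offset of separator
            "sha256": hashlib.sha256(raw).hexdigest(),
            "from": msg["From"], "subject": msg["Subject"],
            "message_id": msg["Message-ID"],
            "deleted": bool(status & 0x0008),
            "body": part.get_content() if part else "",
        })
    return records
```

Run it against a working copy of the mailbox, never the original evidence file; the offset and hash let each record be tied back to the exact bytes in that copy.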

Looking deeper, some user-defined email folders, such as the Sent Mail folder, can be found under the .sbd folder.

Thunderbird Sent Mail Viewer

Thunderbird IMAP mail data and profile can also be found in the folder named ImapMail.

Thunderbird ImapMail Viewer

On the other hand, the POP mail profile folder and local folders are stored in the Mail folder.

Thunderbird POP Mail Viewer

Other important data files that store information about Thunderbird emails include the global-messages-db.sqlite file. This can be found at the location shown in the screenshot. Thunderbird uses this file for indexing and searching emails.

Thunderbird Database Viewer

MSF File (Mail Summary File)

For each MBOXRD file, there exist corresponding .msf files, which store the indexed folders of Thunderbird in Mork format. Thunderbird also uses the Mork format for storing data such as an address book.

MSF File
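
The artifact locations listed above (ImapMail, Mail, .sbd subfolders, extensionless mailbox files, .msf summaries and the SQLite index) can be inventoried and hashed before deeper analysis. The Python below is an added example, not part of the original article or of MailXaminer. It assumes a working copy of the profile directory; the store labels and kind names are hypothetical, chosen for this example.

```python
import hashlib
import os

def classify(path):
    """Label one file by extension and leading bytes, not by name alone."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    name = os.path.basename(path)
    if name.endswith(".msf"):
        return "msf-index"                 # Mork mail summary file
    if head == b"SQLite format 3\x00":
        return "sqlite-db"                 # e.g. the global message index
    if "." not in name and head.startswith(b"From "):
        return "mbox"                      # extensionless mailbox file
    return "other"

def sha256_file(path):
    """Hash a file in chunks so large mailboxes do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(profile_dir):
    """Return sorted rows of (relative path, store, kind, sha256)."""
    rows = []
    for root, _dirs, files in os.walk(profile_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, profile_dir).replace(os.sep, "/")
            # The top-level folder tells IMAP data from POP and local folders.
            store = {"ImapMail": "imap", "Mail": "pop/local"}.get(
                rel.split("/")[0], "profile")
            rows.append((rel, store, classify(full), sha256_file(full)))
    return sorted(rows)
```

An empty mailbox file has no "From " line yet and is reported as "other", so extensionless files under Mail and ImapMail still deserve a manual look.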

Manually extracting evidence from Thunderbird emails is a time-consuming and completely inefficient task. Manual procedures do not guarantee complete recovery of artifacts and have a risk of missing crucial evidential information. Therefore, Thunderbird Email Viewer is the first choice of forensic experts to yield maximum output in the investigation.

Search Emails using Thunderbird Email Viewer with Powerful Filter & Search Options

Explore the required email data with the software's powerful search mechanism, which helps find data based on keywords, logical operators, categories, criteria, etc. The different search options provide multiple ways to search for clues and evidence in the forged data. The following steps show how to perform a search operation on the MBOX file.

STEP 1: Add the MBOX file

Add the suspected file to the software through the Add New Evidence option. From there, select Mozilla Thunderbird(*.*) to add the MBOX file.


STEP 2: Search Option

After scanning the MBOX file, you can view the specific email data through the search option. There you can select General Search, Proximity Search, Regular Expression, Stem Search, Fuzzy Search, and Wildcard Search according to the requirement. All of these searches are based on different search algorithms.


STEP 3: Search Using Logical Operators

Users can search the data using the logical operators AND, OR, and NOT. They can be used to perform an advanced search on the MBOX file type.


STEP 4: Export option

The tool allows you to selectively export the resultant emails into various file formats like PDF, EML, MSG, HTML, etc.

Analyze MBOX Emails & Attachments with Different View Options

This software provides the option to preview emails in different views such as Message, Hex, Properties, Message Header, MIME, HTML, RTF, Attachments, etc. Each view helps to get some different information from the email. With a range of MBOX forensic preview options, it becomes easy to find evidence of spoliation in the email content. Users can also analyze the head section to put together all the collected evidence for judicial or legal proceedings.



An in-depth investigation of the MBOX file can be done with the above-mentioned Thunderbird Email Viewer tool. It is the easiest way to obtain evidence in a digital forensics email investigation. Thus, it is a reliable tool that provides the option to search and analyze the MBOX file in a very accurate manner.