Blog >> Thunderbird

Investigating Thunderbird Windows Application

21/09/2021 Tuesday

Mozilla Thunderbird was developed by the Mozilla Foundation as an open-source cross-platform email application that provides personal information management, news client, chat client and RSS feed. Thunderbird was designed to adopt the style of Mozilla's Firefox web browser.

Digital Forensics Value of Thunderbird Artifacts

Mailboxes make an essential part of our lives since it is considered one of the most important methods of communication in the 21st century. In accordance, the forensics of mailboxes is a crucial part of digital forensics. Forensic searches are carried out to investigate and find any leads of a felony or wrong acts which helps in solving a case or problem.

Location of Thunderbird Artifacts

Thunderbird artifacts are stored in the following locations:

C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\places.sqlite
C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\cookies.sqlite
C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\favicons.sqlite
C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\ImapMail
C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\global-messages-db.sqlite
C:\Users\%username%\AppData\Roaming\Thunderbird\Profile\history.mab

Structure of Thunderbird Artifacts

Thunderbird is made of a series of files and folders that are under the profile directory. Its artifacts are stored in SQLite database files such as places.sqlite which holds information of bookmarks, favicons, input history, keywords, browsing history, and the clicked-on links in mail messages. Thunderbird also stores cookies and global messages.

Analyzing Thunderbird Artifacts with ArtiFast Windows

This section discusses how to use ArtiFast to extract Thunderbird artifacts from Windows machines and what kind of digital forensics insight we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Thunderbird Artifacts:

ArtiFast can analyze Thunderbird Addressbook, DB Email, MBOX Email, Places, Bookmarks, Cookies, and Favicons for new and older versions. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Mozilla Thunderbird artifacts in ArtiFast software.

Thunderbird Addressbook Artifact

This artifact contains information of history.mab file, which stands for Mozilla Address Book. MAB stores personal and business contact information such as:

• Last Modified Date - The date and time when the date entry was last modified.
• Contact First Name - Contact first name.
• Contact Last Name - Contact last name.
• Contact Display Name - Contact display name.
• Contact Is Display Name Preferred - Indicates whether the contact’s display name is preferred.
• Contact Nickname - The contact assigned name.
• Contact Additional Email - The contact additional email.
• Contact Prefers To Receive Mail Format As - Preferred mail format .
• Contact Work Phone - Contact work phone.
• Contact Home Phone - Contact home phone.
• Contact Fax Number - Contact fax number.
• Contact Pager Number - Contact pager number.
• Contact Mobile Number - Contact mobile number.
• Contact Primary Email - Contact primary email.
• NoGUI Database Row ID - NoGUI database row Id.
• NoGUI Lowercase Primary Email - NoGUI lowercase primary email.
• NoGUI Popularity Index - NoGUI popularity index.
• NoGUI Record Key - NoGUI record key.
• Other Custom Line 1 - Custom line 1.
• Other Custom Line 2 - Custom line 2.
• Other Custom Line 3 - Custom line 3.
• Other Custom Line 4 - Custom line 4.
• Other Notes Area - Other notes area.
• Photo Image Name - Photo image name.
• Photo Source Type - Photo source type.
• Photo URI - Photo URI.
• Private Address Line 1 - Private address line 1.
• Private Address Line 2 - Private address line 2.
• Private Birth Day - Private birth day.
• Private Birth Month - Private birth month.
• Private Birth Year - Private birth year.
• Private City - Private city.
• Private Country - Private country.
• Private State Or Province - Private state or province.
• Private Web Page - Private web page.
• Private ZIP Or Postal Code - Private zip or postal address.
• Work Address Line 1 - Work address line 1.
• Work Address Line 2 - Work address line 2.
• Work City - Work city.
• Work Country - Work country.
• Work Department - Work department.
• Work Job Title - Work job title.
• Work Organization - Work organization.
• Work State Or Province - Work state or province.
• Work Web Page - Work web page.
• Work ZIP Or Postal Code - Work zip or postal code.
• Chat AIM - Work AIM.
• Chat Google Talk - Chat Google Talk.
• Chat ICQ - Chat ICQ.
• Chat IRC Nick - Chat IRC Nick.
• Chat Jabber ID - Chat Jabber ID.
• Chat MSN - Chat MSN.
• Chat QO - Chat QO.
• Chat Skype - Chat Skype.
• Chat Yahoo - Chat Yahoo.
• Message Date - The date and time of the message.

Thunderbird DB Email Artifact

This artifact contains information of the global-messages-db.sqlite database. The Global Database, Gloda, is an indexing system that Thunderbird use to search messages. The details you can view include:

• Attachments - Attachments.
• BCC - BCC email.
• CC - CC email.
• DB Message Id - DB message Id.
• Folder Name - Folder name.
• Folder URI - Folder URI.
• From - From.
• Header Message Id - Header message Id.
• Is Encrypted - Indicates whether the email is encrypted.
• Is Forwarded - Indicates whether the email is Forwarded.
• Is Read - Indicates whether the email is read.
• Is Replied - Indicates whether the email is replied.
• Is Starred - Indicates whether the email is starred.
• Message Body - Message body.
• Row Id - Row Id.
• Subject - Email subject.
• To - Email to.

Thunderbird MBOX Email Artifact

This artifact contains information about the stored emails such as:

• Attachments - Attachments.
• BCC - BCC email.
• CC - CC email.
• Body - Body.
• Folder Name - Folder name.
• Headers - Headers.
• Importance - Importance.
• Located At - Located at.
• Message ID - Message Id.
• Sender - Email sender.
• Subject - Email subject.
• To - Email to.
• Message Date - The date and time of the message.

Thunderbird Places Artifact

This artifact contains information about the history and maintains a record for the visited links such as:

• Favicon ID - Favicon Id.
• Foreign Count - Foreign count.
• Frecency - Frecency score given to each URI.
• GUID - GUID.
• Hidden - Indicates whether the webpage is hidden.
• ID - ID.
• Reverse Host - Reverse host.
• Row ID - Row Id.
• Title - The title of the visited webpage.
• Typed - The number of times that the user has manually typed the web webpage URL.
• URL - The URL of the visited webpage.
• Visit Count - The number of times that the user has visited a webpage.
• Last Visit Date - The date and time when a webpage was last visited.
• Added Date - The date and time when the webpage was added.

Thunderbird Bookmarks Artifact

This artifact contains the information of the bookmarked emails such as:

• Bookmark URL - The URL of the bookmarked webpage.
• Bookmark Title - The title of the bookmark.
• Parent Title - Bookmark parent title.
• Last Modified Date - The date and time the bookmark was last modified.
• Bookmark Position - Bookmark position.
• Bookmark Guid - Bookmark GUID.

Thunderbird Cookies Artifact

The artifact contains information about all of the saved cookies such as:

• Host - Host domain name.
• Name - Cookies' name.
• Value - The value of the cookie.
• Path - The path to the cookie.
• Last Access Date - The date and time when the cookie was last accessed.
• Creation Date - The date and time when the cookie was created.
• Expiration Date - The date and time when the extension cookie will expire if it was set to expire.
• Base Domain Name - Base domain name.
• Is Secure Connection - Indicates whether the connection is secure or not.
• Is Http Only - Indicates whether the browser supports HTTP Only or not.

Thunderbird Favicons Artifact

The artifact stores all the small icons associated with a particular email. The details you can view include:

• Expiration Date - The date and time when the favicon will expire.
• Icon URL - The Icon file URL.
• Mime Type - Mime type.

Thunderbird Cache 2 Artifact

This artifact contains the cached entries in Thunderbird such as:

• Cache Location - Path of this cache file on the disk.
• Fetch Count - The Number of times this cache file was fetched.
• HTTP Content - HTTP header contents.
• Key - The key or URL of this cache file.
• Cache File Creation Date - The date and time when the cached entry was created.
• Expiry Date - The expiry date of this cache file.
• Last Fetched Date - The date and time when the cache file was last fetched.
• Last Modified Date - The date and time when the cached entry was last modified.