Get Introduced to Mozilla Thunderbird
Mozilla Thunderbird is an open-source, cross-platform email application that also serves as a chat, newsgroup and news feed client. Its primary and most classic feature is that a single account can have multiple identities to manage multiple emails, news feeds and newsgroups. Apart from this, it has multiple search options, advanced filters and labels for messages, which help in managing things better.
Features that symbolize Mozilla Thunderbird
Why Perform Forensic Search on Thunderbird?
In digital forensics, the forensics of local mailboxes is a major part. Forensic searches are performed on Thunderbird in order to investigate any offence conducted, and the experts make a close and thorough analysis of it. There are specific fields that enclose distinct and discreet information that allows the experts to reach the root of the problem.
Overview of Mozilla Thunderbird Forensics
Mozilla Thunderbird stores its data in two file formats, Mbox and Maildir. Mbox is the Unix mailbox format, which stores many emails in a single file. Maildir (also known as maildir-lite), on the other hand, has a single file for each email. Although Thunderbird supports this as a storage format, it also describes it as very buggy for normal use.
Apart from this, Mozilla Thunderbird uses the MORK format to manage its internal database. Address book data is stored in MAB files and the mail folder summary is stored in MSF files; both of these use the MORK format. So what we can compile is:
As for Maildir, the internal structure of this format usually contains the following three subdirectories: tmp, new and cur.
These subdirectories are used to handle the emails. The ‘tmp’ directory is used while a mail is being delivered, a newly arrived mail goes to the ‘new’ directory, and the ones that have been read are moved to ‘cur’.
Mozilla Thunderbird is an open-source email client with all the other features that are considered mandatory for every email client. Being a free application, it has spread worldwide, and hence it has become an efficient tool in the world of cybercrime. As a result, the need for digital forensics has emerged as a matter of concern. A forensic search of Thunderbird email is helpful in gathering the evidence that is essential to finding the actual criminal and providing the sufferer justice.
But in order to do the forensic investigation properly, it is necessary that the forensic investigator has all the required information. Therefore, a deep study of the Thunderbird email data is required in order to collect all the information needed for the forensic investigation.
Digital Forensic Investigation involves these three steps:
Acquisition is the process in which an exact copy of the data is created. This process is also referred to as imaging. After acquiring the data, the next step is analysis, in which the content is examined for evidence that may support or contradict signs of tampering with the data.
Once the analysis is over, a report containing the complete audit information is produced for non-technical individuals.
During the whole process, forensic investigators generally face many challenges. A few of them are discussed below:
The main challenge faced by forensic investigators is at step 2, that is, while analyzing the data. It arises because the investigators do not have the complete information that is required for the investigation to proceed. The prime reason for this is the deletion of data.
If the emails are in the junk folder, they can be revived, but if they are deleted from there as well, it can cause a problematic situation. Hence it is necessary to revive the lost data in order to have precise results.
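The Mbox storage and the deleted-mail problem described above can be examined with a short script. This is an added example, not taken from the article or from any tool it mentions, and it goes beyond the text by assuming Thunderbird's `X-Mozilla-Status` header, whose 0x0008 bit marks a message that was deleted in the client but not yet compacted out of the Mbox file. The sample mailbox and all function names are constructed for illustration.

```python
import hashlib
import mailbox
import pathlib
import tempfile

EXPUNGED = 0x0008  # assumed X-Mozilla-Status bit: deleted, not yet compacted
# Constructed sample: two messages in one Mbox file, the second flagged deleted.
SAMPLE_MBOX = (
    b"From - Mon Jan 01 10:00:00 2024\nX-Mozilla-Status: 0001\n"
    b"From: alice@example.com\nSubject: Quarterly report\n\nReport attached.\n\n"
    b"From - Mon Jan 01 11:00:00 2024\nX-Mozilla-Status: 0009\n"
    b"From: bob@example.com\nSubject: Lunch on Friday\n\nSee you at noon.\n"
)

def sha256_file(path):
    """Hash the whole Mbox in chunks so large working copies can be verified."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(path):
    """List every message in an Mbox copy, including ones flagged as deleted."""
    box = mailbox.mbox(path, create=False)
    rows = []
    try:
        for key, msg in box.iteritems():
            try:
                status = int(msg.get("X-Mozilla-Status", "0"), 16)
            except ValueError:
                status = 0  # malformed header: treat as no flags set
            rows.append({"from": msg["From"], "subject": msg["Subject"],
                         "deleted": bool(status & EXPUNGED),
                         "sha256": hashlib.sha256(box.get_bytes(key)).hexdigest()})
    finally:
        box.close()
    return rows

def demo():
    """Write the sample to a temp file, inventory it, confirm it is unchanged."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "Inbox")
        path.write_bytes(SAMPLE_MBOX)
        before = sha256_file(path)
        rows = inventory(str(path))
        return rows, before == sha256_file(path)

if __name__ == "__main__":
    print(demo())
```

Run it only against a working copy of the acquired image; comparing the file hash before and after the read confirms that the analysis left the copy unaltered.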
Forensic Investigation Tool
The next challenge for any forensic investigator is to carry out detailed and sound research on the Thunderbird email files. For this they need a reliable email viewer with which they can easily analyze every aspect of an email, for example the message header, its body and the attachments.
Mozilla Thunderbird Forensics Investigator
The Thunderbird Mbox Viewer is a boon to forensic experts, as it allows investigators to analyze data in Mbox files even if the email client is not available. Its user-friendly GUI makes it easy to preview the data in all vectors.
Let us look at the key features of the tool:
- Provides various view modes, which act as a boon for digital forensics experts, as they allow them to investigate in all vectors.
- It is compatible with all versions of Windows OS.
- Offers the following view modes:
- The tool does not have any sort of file size limitation. It has been successfully tested on files up to 1TB.
PDF is the best format for the presentation of evidence. The Pro version allows you to convert MBOX to PDF format. Furthermore, in order to perform a deep-level forensic search, a sophisticated but robust utility can be incorporated, namely the Email Forensics Tool.