Mozilla Thunderbird Forensic Investigator

Investigate Every byte

Investigate the post-crime scene by analyzing every bit of the data available. Get to the bottom of the story and unveil the actual culprit with the Mozilla Thunderbird Forensic Investigator.

Version: 4.0, Size: 14.4 MB, Language: English, Compatibility: Windows 7 / 8 / 8.1 / 10


Get Introduced to Mozilla Thunderbird

Mozilla Thunderbird is an open source, cross-platform email application that also serves as a chat, newsgroup and news feed client. Its primary and most classic feature is that you can have a single account with multiple identities to manage multiple emails, newsfeeds and newsgroups. Apart from this, it has multiple search options, advanced filters and labels for messages, which help in managing things in a better way.

More about Thunderbird

Features that symbolize Mozilla Thunderbird

  • Message management: Single account, multiple IDs
  • Junk filtering: Includes a Bayesian filter
  • Extensions and themes: Set up themes as per your mood
  • Standards support: Supports both POP and IMAP protocols
  • File formats supported: Stores data in two types of file formats:
    • Mbox – Holds multiple emails in a single file
    • Maildir – Assigns a single file to each email (usually considered to be very buggy)

  • Cross-platform support: Thunderbird has released numerous versions for the following operating systems:
    • Windows
    • OS X
  • Security features of Thunderbird: It offers enterprise and government-grade security features, which are:
    • SSL/TLS connections to IMAP and SMTP servers
    • S/MIME emails, i.e. it has certified digital signatures and message encryption.

Mozilla thunderbird features

Why Perform Forensic Search on Thunderbird?

When we talk of digital forensics, forensics of local mailboxes is a major part of it. Forensic searches are performed on Thunderbird in order to investigate any offence conducted, and the experts make a close and thorough analysis of it. There are specific fields that enclose some distinct and discreet information that allows the experts to reach the root of the problem.

Overview of Mozilla Thunderbird Forensics

Storage in Mozilla Thunderbird

The data storage formats for Mozilla Thunderbird are Mbox and Maildir. Mbox is the Unix mailbox format, which stores many emails in a single file. Maildir (also known as maildir-lite), on the other hand, has a single file for each email. Although Thunderbird incorporates it as a storage format, it also describes it as very buggy for normal use.

Apart from this, Mozilla Thunderbird uses the MORK format to manage its internal database. Address book data is stored in MAB files and the mail folder summary is stored in MSF files; both of these use the MORK format. So what we can compile is:

Thunderbird data storage

As for Maildir, its internal structure usually contains the following 3 subdirectories: tmp, new, cur.

Internal structure of Maildir

These subdirectories are used to deal with the emails. The ‘tmp’ directory is used while the mail is being delivered, new mail arrives in the ‘new’ directory, and the ones that are read are moved to ‘cur’.

Need for Mozilla Thunderbird Forensics

Mozilla Thunderbird is an open source email client with all the features that are considered mandatory for every email client. Being a free application, it has spread worldwide, and hence it has also become an efficient tool in the world of cybercrime. As a result, the need for digital forensics has emerged as a matter of concern. A forensic search of Thunderbird email is helpful in gathering the evidence that is essential to finding the actual criminal and providing the sufferer justice.

But in order to do the forensic investigation in a proper manner, it is necessary that the forensic investigator has all the required information. Therefore, a deep-level study of the Thunderbird email data is required in order to collect all the information needed for the forensic investigation.


Challenges Faced while performing search on Mozilla Thunderbird

Digital Forensic Investigation involves these three steps:

Steps Involved in forensic investigation

Acquisition is the process in which an exact copy of the data is created. This process is also referred to as imaging. After acquiring the data, the next step is analysis, in which the content is examined for evidence that may support or contradict signs of tampering with the data.

Once the analysis is over, a report containing the complete audit information is produced for non-technical individuals.

During the whole process, forensic investigators generally face many challenges. A few of them are discussed below:

Email Inaccessibility

The main challenge faced by forensic investigators comes at step 2, while analyzing the data. It arises because the investigators do not have the complete information that is required for the investigation to proceed. The prime reason for this is the deletion of data.

If the emails are in the junk folder, they can be revived, but if they are deleted from there as well, it can cause a problematic situation. Hence it is necessary to revive the lost data in order to have precise results.
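The following is an added example, not part of the original page or of the product it describes. It reads a single-file Mbox store of the kind described under storage above, hashes the working copy before and after analysis, and lists every message it contains. It relies on Thunderbird's `X-Mozilla-Status` header, which this page does not cover: bit 0x0008 marks a message that was deleted in the client but is still present in the file until the folder is compacted. The sample mailbox is constructed.

```python
import hashlib
import mailbox
import pathlib
import tempfile

# Subset of the X-Mozilla-Status bits Thunderbird writes into each mbox message.
FLAGS = {0x0001: "read", 0x0002: "replied", 0x0004: "starred", 0x0008: "expunged"}

# Constructed sample: two messages; the second carries the expunged (deleted) bit.
SAMPLE_MBOX = (
    b"From - Mon Jan 01 10:00:00 2024\n"
    b"X-Mozilla-Status: 0001\nFrom: alice@example.com\n"
    b"Subject: Quarterly report\nMessage-ID: <1@example.com>\n\nSee figures.\n\n"
    b"From - Mon Jan 01 11:00:00 2024\n"
    b"X-Mozilla-Status: 0009\nFrom: carol@example.com\n"
    b"Subject: Delete after reading\nMessage-ID: <2@example.com>\n\nRemoved.\n"
)

def sha256_file(path):
    """Hash the acquired copy so findings can be tied to the exact bytes examined."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def triage_mbox(path):
    """Return one record per message, including those the client hides as deleted."""
    box = mailbox.mbox(path, create=False)
    records = []
    for msg in box:
        # The header value is four hex digits; a missing header counts as no flags.
        status = int(msg.get("X-Mozilla-Status", "0"), 16)
        records.append({
            "from": msg.get("From"), "subject": msg.get("Subject"),
            "message_id": msg.get("Message-ID"),
            "flags": sorted(name for bit, name in FLAGS.items() if status & bit),
            "deleted": bool(status & 0x0008),
        })
    box.close()
    return records

def demo():
    """Write the sample to a working copy, triage it, confirm the hash is unchanged."""
    with tempfile.TemporaryDirectory() as workdir:
        path = pathlib.Path(workdir) / "Inbox"
        path.write_bytes(SAMPLE_MBOX)
        before = sha256_file(path)
        return triage_mbox(str(path)), before == sha256_file(path)

if __name__ == "__main__": print(*demo()[0], sep="\n")
```

Run it against a copy of the acquired file rather than the original, since the `mailbox` module opens the file read-write when permissions allow.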

Forensic Investigation Tool

The next challenge for any forensic investigator is to carry out detailed and sound research on the Thunderbird email files. For this they need a reliable email viewer with which they can easily analyze every aspect of the email, for example the message header, its body and the attachments.

Hence, the experts seek an efficient resource that would help them overcome such challenges and that can extract and view the information in the Mbox.

Mozilla Thunderbird Forensics Investigator

The Thunderbird Mbox Viewer is a boon to forensic experts, as it allows investigators to analyze data in Mbox files even if the email client is not available. Its user-friendly GUI makes it easy to preview the data in all vectors.

Let us look at the key features of the tool:

  1. Provides various view modes, which act as a boon for digital forensics experts, as they allow them to investigate in all vectors.
  2. It is compatible with all versions of Windows OS.
  3. Offers the following view modes:
    • Normal Mail view
    • Hex View
    • Properties View
    • Message Header View
    • MIME View
    • HTML View
    • RTF View
    • Attachments
  4. The tool does not have any sort of file size limitation. It has been successfully tested on files up to 1TB.

Mozilla thunderbird forensics investigator specifications


PDF is the best format for the presentation of the evidence. The Pro version of the tool allows you to convert MBOX to PDF format. Furthermore, in order to perform a deep-level forensic search, a sophisticated but robust utility can be incorporated, that is, the Email Forensics Tool.