browserforensics
Back to all articles

Thunderbird forensics: profiles, passwords and mail

2026-06-21 · 4 min

Thunderbird is built on the same Mozilla platform as Firefox, and that shows up directly in forensics: it stores saved account passwords with the exact NSS scheme Firefox uses. If you can decrypt Firefox logins, you can decrypt Thunderbird's IMAP and SMTP passwords with the same two files and the same workflow. The mail itself is a separate problem — this post is honest about where the tool helps and where it only orients you.

Profile location

Thunderbird keeps each profile in a randomly-named directory, and a profiles.ini at the parent level maps profile names to folders — the same convention as Firefox profiles.

Windows

%APPDATA%\Thunderbird\Profiles\<profile>

macOS

~/Library/Thunderbird/Profiles/<profile>

Linux

~/.thunderbird/<profile>

Read profiles.ini first to identify the default profile and avoid analysing a stale one.

Saved passwords: the same NSS as Firefox

This is the part that matters most. Thunderbird stores IMAP, SMTP, POP and other account passwords using the identical NSS credential store as Firefox:

FileHolds
logins.jsonthe encrypted account passwords
key4.dbthe key that decrypts them (legacy: key3.db)

Both sit in the profile root, both are protected by a primary password (empty by default), and the derivation — global salt + primary password, then 3DES or PBES2/AES-256 — is exactly what we documented for Firefox. See decrypting Firefox passwords for the full key-derivation chain and the password-check self-verification.

Because the scheme is identical, the tool's Firefox NSS decryptor recovers Thunderbird credentials with no changes. The workflow is the same as the in-browser Firefox decryptor:

  1. Load key4.db and logins.json from the Thunderbird profile.
  2. Enter the primary password, or leave it blank.
  3. Decrypt — the hostnames will read imap://…, smtp://… and mailbox://… instead of https://…, but everything else is the same.

For background on where these files live across applications, see where browser passwords are stored.

Mail artifacts (orientation only)

Beyond credentials, a Thunderbird profile holds the mail data itself. The tool can open the SQLite files, but it has no Thunderbird-specific mail or Gloda parser — treat this section as a map, and reach for a dedicated mail tool for message content.

ArtifactFormatWhat's inside
global-messages-db.sqliteSQLiteThe Gloda global message index: senders, recipients, subjects, and indexed body text
abook.sqlite, *.mabSQLite / MorkAddress books (contacts)
Message storesmbox or maildirThe actual messages, per folder
prefs.jsTextAccount and server configuration

A few notes on each:

  • global-messages-db.sqlite is the richest single artifact for triage — Gloda indexes message metadata and body text, so it can surface content even when you haven't parsed the raw stores. It is an index, though, not the source of truth; the message stores are authoritative.
  • Message stores are classic mbox files (one file per folder) or a maildir layout, depending on the account's storage setting. Parse these with a mail tool, not a browser-artifact tool.
  • prefs.js carries the account topology — server names, ports, usernames and which security each account uses. It pairs naturally with the decrypted logins.json: prefs.js tells you which account a recovered password belongs to.

What the tool does and doesn't do

To be clear about scope:

  • Supported — credentials. Decrypting logins.json with key4.db via the NSS decryptor. Same engine, same primary-password handling as Firefox.
  • Orientation — mail stores. It can open the SQLite containers, but reconstructing threads, attachments and folder structure is a job for a mail/Gloda parser. Use this post to know what to collect and where it lives.

If your goal is account passwords, Thunderbird is effectively a Firefox profile. If your goal is the mail, collect global-messages-db.sqlite, the message stores and prefs.js, then move to a mail-aware tool.

Further reading