Thunderbird forensics: profiles, passwords and mail
2026-06-21 · 4 min
Thunderbird is built on the same Mozilla platform as Firefox, and that shows up directly in forensics: it stores saved account passwords with the exact NSS scheme Firefox uses. If you can decrypt Firefox logins, you can decrypt Thunderbird's IMAP and SMTP passwords with the same two files and the same workflow. The mail itself is a separate problem — this post is honest about where the tool helps and where it only orients you.
Profile location
Thunderbird keeps each profile in a randomly-named directory, and a
profiles.ini at the parent level maps profile names to folders — the same
convention as Firefox profiles.
Windows
%APPDATA%\Thunderbird\Profiles\<profile>
macOS
~/Library/Thunderbird/Profiles/<profile>
Linux
~/.thunderbird/<profile>
Read profiles.ini first to identify the default profile and avoid
analysing a stale one.
Saved passwords: the same NSS as Firefox
This is the part that matters most. Thunderbird stores IMAP, SMTP, POP and other account passwords using the identical NSS credential store as Firefox:
| File | Holds |
|---|---|
logins.json | the encrypted account passwords |
key4.db | the key that decrypts them (legacy: key3.db) |
Both sit in the profile root, both are protected by a primary password
(empty by default), and the derivation — global salt + primary password,
then 3DES or PBES2/AES-256 — is exactly what we documented for Firefox. See
decrypting Firefox passwords for
the full key-derivation chain and the password-check self-verification.
Because the scheme is identical, the tool's Firefox NSS decryptor recovers Thunderbird credentials with no changes. The workflow is the same as the in-browser Firefox decryptor:
- Load
key4.dbandlogins.jsonfrom the Thunderbird profile. - Enter the primary password, or leave it blank.
- Decrypt — the hostnames will read
imap://…,smtp://…andmailbox://…instead ofhttps://…, but everything else is the same.
For background on where these files live across applications, see where browser passwords are stored.
Mail artifacts (orientation only)
Beyond credentials, a Thunderbird profile holds the mail data itself. The tool can open the SQLite files, but it has no Thunderbird-specific mail or Gloda parser — treat this section as a map, and reach for a dedicated mail tool for message content.
| Artifact | Format | What's inside |
|---|---|---|
global-messages-db.sqlite | SQLite | The Gloda global message index: senders, recipients, subjects, and indexed body text |
abook.sqlite, *.mab | SQLite / Mork | Address books (contacts) |
| Message stores | mbox or maildir | The actual messages, per folder |
prefs.js | Text | Account and server configuration |
A few notes on each:
global-messages-db.sqliteis the richest single artifact for triage — Gloda indexes message metadata and body text, so it can surface content even when you haven't parsed the raw stores. It is an index, though, not the source of truth; the message stores are authoritative.- Message stores are classic mbox files (one file per folder) or a maildir layout, depending on the account's storage setting. Parse these with a mail tool, not a browser-artifact tool.
prefs.jscarries the account topology — server names, ports, usernames and which security each account uses. It pairs naturally with the decryptedlogins.json:prefs.jstells you which account a recovered password belongs to.
What the tool does and doesn't do
To be clear about scope:
- Supported — credentials. Decrypting
logins.jsonwithkey4.dbvia the NSS decryptor. Same engine, same primary-password handling as Firefox. - Orientation — mail stores. It can open the SQLite containers, but reconstructing threads, attachments and folder structure is a job for a mail/Gloda parser. Use this post to know what to collect and where it lives.
If your goal is account passwords, Thunderbird is effectively a Firefox
profile. If your goal is the mail, collect global-messages-db.sqlite, the
message stores and prefs.js, then move to a mail-aware tool.