Thunderbird forensic

De Linuxmemo.

Version actuelle en date du 7 janvier 2021 à 12:53

[modifier] global-messages.db.sqlite

contacts, identities

SELECT contacts.name, identities.value FROM contacts, identities WHERE contacts.id=identities.id;
SELECT contacts.name, identities.value FROM contacts, identities WHERE contacts.id=identities.id AND contacts.name LIKE '%bank%';
SELECT contacts.name, identities.value FROM contacts, identities WHERE contacts.id=identities.id AND contacts.name LIKE 'BEA';

messages, messagesText_content

SELECT DISTINCT docid, c1subject, c3author FROM messagesText_content WHERE c3author LIKE '%amazon%';
SELECT DISTINCT docid, c1subject, c4recipients FROM messagesText_content WHERE c4recipients LIKE '%amazon%';

body of the message

SELECT DISTINCT docid, c1subject, c2attachmentNames, c0body FROM messagesText_content WHERE c3author LIKE '%amazon%' AND docid=2314;

attachments

SELECT DISTINCT docid, c1subject, c2attachmentNames FROM messagesText_content WHERE c3author LIKE '%amazon%' AND c2attachmentNames <> ;

date

SELECT DISTINCT datetime(messages.date/1000000, 'unixepoch', 'localtime'), docid, c1subject, c2attachmentNames
FROM messages, messagesText_content 
WHERE c3author LIKE '%amazon%'
AND c2attachmentNames <> 
AND messages.id=messagesText_content.docid;

folderLocations

SELECT id, name FROM folderLocations;

SELECT DISTINCT folderLocations.id, name, c1subject, docid
FROM folderLocations, messages, messagesText_content
WHERE folderLocations.id=messages.folderID
AND folderLocations.name='Amazon'
AND messages.id=messagesText_content.docid;

SELECT DISTINCT docid, c1subject, c2attachmentNames, c0body
FROM messagesText_content
WHERE docid=7505;

[modifier] logins.json

cat logins.json | python -m json.tool > formatted.json

[modifier] cert9.db

An NSS certificate database.

[modifier] key4.db

An NSS key database.