Thunderbird forensic



global-messages-db.sqlite

contacts, identities

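-- Address-book view of the index: each contact's display name next to every
-- identity value recorded for that contact.
-- identities.contactID is the foreign key to contacts.id. identities.id is the
-- identity row's own primary key, so an id-to-id join pairs unrelated rows as
-- soon as one contact owns more than one identity.
-- Run these against a working copy of the database, not the original evidence.
SELECT
    contacts.name,
    identities.value
FROM contacts
INNER JOIN identities
    ON identities.contactID = contacts.id;

-- Same listing, limited to contacts whose name contains "bank".
-- SQLite's LIKE is case-insensitive for ASCII letters by default.
SELECT
    contacts.name,
    identities.value
FROM contacts
INNER JOIN identities
    ON identities.contactID = contacts.id
WHERE contacts.name LIKE '%bank%';

-- Same listing for one contact. With no wildcard in the pattern, LIKE acts as
-- a case-insensitive equality test on the whole name.
SELECT
    contacts.name,
    identities.value
FROM contacts
INNER JOIN identities
    ON identities.contactID = contacts.id
WHERE contacts.name LIKE 'BEA';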

messages, messagesText_content

-- Messages whose author field contains the search term ("amazon" is only an
-- example; substitute the sender under investigation).
-- messagesText_content holds the indexed text of each message; docid is the
-- key used further down to join back to messages.id.
SELECT DISTINCT
    mtc.docid,
    mtc.c1subject,
    mtc.c3author
FROM messagesText_content AS mtc
WHERE mtc.c3author LIKE '%amazon%';

-- Same search on the recipients field, i.e. mail sent to the address.
SELECT DISTINCT
    mtc.docid,
    mtc.c1subject,
    mtc.c4recipients
FROM messagesText_content AS mtc
WHERE mtc.c4recipients LIKE '%amazon%';

body of the message

-- Indexed body text (c0body) of one message from the author search above.
-- 2314 is a sample docid; take the real value from the previous result set.
-- The author filter is kept as a cross-check that the docid belongs to the
-- expected sender.
SELECT DISTINCT
    mtc.docid,
    mtc.c1subject,
    mtc.c2attachmentNames,
    mtc.c0body
FROM messagesText_content AS mtc
WHERE mtc.docid = 2314
  AND mtc.c3author LIKE '%amazon%';

attachments

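-- Messages from the searched author that carry at least one attachment name.
-- The published query ended in "<> ;" with the empty-string literal missing,
-- which is a syntax error; the comparison is restored as <> ''.
-- Rows where c2attachmentNames is NULL are excluded as well, because a
-- comparison with NULL is never true.
SELECT DISTINCT
    docid,
    c1subject,
    c2attachmentNames
FROM messagesText_content
WHERE c3author LIKE '%amazon%'
  AND c2attachmentNames <> '';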

date

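-- Attachment-bearing messages from the searched author, with the message date.
-- messages.date is divided by 1,000,000 to obtain the seconds that the
-- 'unixepoch' modifier expects, i.e. the column is treated as microseconds.
-- NOTE(review): 'localtime' renders the timestamp in the time zone of the
-- analysis workstation; drop that modifier to report in UTC and record which
-- one was used.
-- The published query ended its attachment test in "<> " with the empty-string
-- literal missing (a syntax error); it is restored as <> ''.
SELECT DISTINCT
    datetime(messages.date / 1000000, 'unixepoch', 'localtime') AS message_date,
    messagesText_content.docid,
    messagesText_content.c1subject,
    messagesText_content.c2attachmentNames
FROM messages
INNER JOIN messagesText_content
    ON messagesText_content.docid = messages.id
WHERE messagesText_content.c3author LIKE '%amazon%'
  AND messagesText_content.c2attachmentNames <> '';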

folderLocations

-- Step 1: list the mail folders known to the index, to find the folder name.
SELECT
    id,
    name
FROM folderLocations;

-- Step 2: subjects and docids of the messages filed in one folder.
-- 'Amazon' is a sample folder name taken from the listing in step 1.
SELECT DISTINCT
    folderLocations.id,
    name,
    c1subject,
    docid
FROM folderLocations
INNER JOIN messages
    ON messages.folderID = folderLocations.id
INNER JOIN messagesText_content
    ON messagesText_content.docid = messages.id
WHERE folderLocations.name = 'Amazon';

-- Step 3: full indexed text of one message picked from step 2.
-- 7505 is a sample docid.
SELECT DISTINCT
    mtc.docid,
    mtc.c1subject,
    mtc.c2attachmentNames,
    mtc.c0body
FROM messagesText_content AS mtc
WHERE mtc.docid = 7505;

logins.json

# Pretty-print the saved-logins store so that each entry can be read and diffed.
# Formatting changes layout only: the encrypted username and password values
# are written out exactly as stored.
# Work on a copy of logins.json and keep formatted.json out of the evidence
# tree, since it holds the same sensitive material as the source file.
python -m json.tool < logins.json > formatted.json

cert9.db

An NSS certificate database.

key4.db

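An NSS key database. It holds the key material that protects the encrypted entries in logins.json, so acquire and handle both files together.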
