Yahoo Email Forensics

Creative Team | December 8th, 2014 | Forensics

Yahoo Mail is amongst popular email services associated with the myriad of users. With the increase in net surfing and internet usage, users associated with a wide array of illegal activities have also enlarged. Security loopholes in Yahoo emailing have ultimately raised the need for Yahoo email forensics investigation. Yahoo email header analysis and email investigation process are associated with various stages like; collection, analysis, preservation, and reporting. It must be brought into notice that web-browser based emails like Yahoo emails are more difficult to trace. But, a detailed record is available for each e-mail transaction on which analysis can be done. This blog will elaborate the need for Yahoo email investigation and various methods and utilities to undergo investigation. It also discusses various email spoofing methods. To go further into Yahoo email forensics, let us see first what exactly email consists of:

Email and Its Components: E-mail is globally standardized and comprises of three main components; Mailbox, Domain Name, Message-ID, and ENVID. Mailbox is a conceptual storage entity with the basic identity of the email address. Email address comprises of user name and domain separated by “@”. Domain names can be defined as a global reference to an Internet resource like the host, network or service. Coming to the header part, Yahoo email header analysis is the most important factor for investigators in reaching the truths inside. It confides details through various sets of fields which help to trace information.

How to perform Yahoo Email Header Analysis?

In Yahoo email forensics email headers can manually analyzed by extracting header information of suspicious email and going through its details. This can be done through below mentioned steps one by one.

Step 1: Save Header Data in Another File

  • Sign in the Yahoo! Mail account and go to the Inbox to view the email messages
  • Open the email message to be analyzed. Click on More options and go to drop-down Menu.
Yahoo mail
  • Select “View raw message” option from the more options menu.
View raw message

Another Windows will open with header details for that particular email through which you can manually perform Yahoo email analysis on header.

message header
  • Copy it to another text file and save it safely to perform Yahoo email header analysis.

Step 2: Analyze the Header Information

Open the Text file which was saved and go through the elements.First few lines show the E-mail Servers through which email message travelled.

Open the Text file which was saved and go through the elements. First few lines show the E-mail Servers through which email message travelled.

message header analysis

X-Apparently-To: Line no.1 – This discloses the recipient’s email address. While performing an investigation. In Yahoo email forensics one can validate this field with an e-mail service provider. This email id must match the id used by the victim. This field can be referred to as “To, BCC or CC” and the presence of To does not confirm that it was sent as “To”.

Return Path: Line no. 2 – This indicates the address for replying which is termed as “Reply to” in the front end. However, this field can be easily spoofed and hence not be trusted unless analyzed by professionals.

Return Path: Line no. 2 – This indicates the address for replying which is termed as “Reply to” in the front end. However, this field can be easily spoofed and hence not be trusted unless analyzed by professionals.

Received-SPF: Line no. 3 – Type of email service used for sending email will be exposed here. An ID number is also involved here, which can be used to examine logs form, transmitting e-mail server determining the genuineness of an email if it was sent from the same service. If this ID is unavailable, a message has chances of being spoofed.

X-YmailISG: Line no. 4 – X represents “Custom Header”, Ymail means “Yahoo Mail”, and ISG means “Inbound Spam Guard”

X-Originating-IP & Received: from Line no. 5 & 7 – IP Address can be traced with these fields. The later one is also capable to reveal the name of the server, which was used to send an email.

DKIM-Signature: Line no. 8 – Signature of the email is stored in this field. All the signatures and key-fetching data will be saved here with a simple “tag=value” syntax. For investigators, this DKIM provides a technique to validate and confirm a domain name, identity associated with a message through cryptographic authentication.

Message ID: Line no. 10 – Message ID is a unique ID authorized to a specific email message by an email server. This Message ID can be used to track the message on the originating email server in email logs.

MIME Version: Line no. 11- This option will provide the version of the MIME message format. Like, in this case it is 1.0 version. This helps in the further Yahoo email investigation.

Content-Length: Line no. 13 – It will show the number of characters present within that email message.

Subject: Line no. 11 – It shows the subject of the email or the reason to open that particular email message.

Yahoo Email Forensics with Email Analysis Tool

Acquisition of web email data is one of the typical task during the Email Forensic Investigation. Nowadays a lot of forensics analyzer tools are available to simplify the process of email evidence extraction and analysis. Even though most of the tools are not supporting the extraction of email data directly from the webmails. MailXaminer is the most recommended and versatile email digital forensics software which helps the investigators to perform Yahoo email forensics. To perform a Yahoo email analysis with the help email analyzer tool follow the process given below.

Click on the Add Evidence button from the left top section of forensic software to acquire the Yahoo email data. Then select the Yahoo option from the Webmail section of the add file tab. By providing the User Name & Password in the respective section user can access the yahoo email account directly. The user can easily add multiple accounts through CSV file and can use the Date Filter option to access the email data in date order.

adding Yahoo mail

Note: To access & perform Yahoo email analysis directly through the email analyzer tool

Turn Off Two-Step Verification

Turn On Allow Apps that use less secure sign in

In the email tab of the Yahoo email analyzer tool displays the list of Yahoo mails present in the mailbox. User can access the data either folder wise or altogether through recursive listing of items. During the Yahoo email forensics the tool provide different views like “Mail, Hex, Message Header, MIME, Email Hop, HTML, RTF, Attachments” to analyse the email data forensically. Each view help to acquire different information related to the Yahoo mail.

preview email
  • Mail view allows the investigator to examine analyse email message in user perspective. Which provide the common information like Subject, From & To address, Tags, email message etc.
  • Hex view allow to examine the entire email data in Hex value. Which provide the Offset, Hex code and textual value of the email message
  • Properties view provides the short view of the mail attributes which help the investigator to analyse and understand the Yahoo mail data in briefly.
  • Message Header helps the investigator to perform Yahoo email header analysis in simple and proper way. This Yahoo email header analyzer property of the tool provides the complete header information of Yahoo mail.
  • Email Hop helps to obtain the actual path through which the email message travelled. Which provide the path in means of geological graph and Hop server address. It will show the gateway, router and switches through which the email passed.
  • HTML view represents the email data in the form of HTML scripts. This view help the investigator to easily compare find the changes done on the data.
  • RTF are helpful to maintain the originality of themail. This view help the examiner to analyse the font and formatting of the email message.
  • Attachment view help to preview and analyse the attachment present within the email data.


Yahoo email forensics being a specialized part of digital forensics exclusively dealing with the forensic investigation of yahoo emails and its components. The manual methods furnished to investigate the emails mentioned above might not work in spoofed conditions. Email deletion is another aspect where these techniques might not work. Investigators adopt some Forensics Tools like FTK and MailXaminer to work on bulk data altogether, which are capable to track and identify the true identity of senders. Some tools even have the caliber to export yahoo mail to outlook. Yahoo mail accounts can comprise of bulk emails and thus to go through each and every email one has to take the help of such email forensic tools. Unethical means of email spoofing and crimes might have evoked, but advancement in technology is ready to fight back against such threats.