Yahoo Mail is among the most popular email services and has a very large user base. As internet usage has grown, so has the number of users involved in a wide range of illegal activities. Security loopholes in Yahoo Mail have made Yahoo email forensic investigation a necessity. Yahoo email header analysis and the wider email investigation process involve several stages: collection, analysis, preservation, and reporting. It should be noted that browser-based webmail such as Yahoo Mail is more difficult to trace; however, a detailed record exists for each email transaction, and that record can be analyzed. This blog explains the need for Yahoo email investigation, the methods and utilities used to carry it out, and the email spoofing methods an investigator may encounter. Before going further into Yahoo email forensics, let us first look at what an email consists of:
Email and Its Components: Email is globally standardized and is made up of the following main components: Mailbox, Domain Name, Message-ID, and ENVID. The Mailbox is a conceptual storage entity whose basic identity is the email address. An email address consists of a user name and a domain separated by “@”. A domain name is a global reference to an Internet resource such as a host, network or service. Turning to the header, Yahoo email header analysis is the most important step for investigators trying to reach the truth inside a message. The header records details in several sets of fields that help trace information.
Step 1: Save Header Data in Another File
Another window will open showing the header details for that particular email, through which you can manually perform Yahoo email analysis.
Step 2: Analyze the Header Information
Open the text file that was saved and go through its elements. The first few lines show the email servers through which the message travelled.
X-Apparently-To: Line no. 1 – This discloses the recipient’s email address. While performing a Yahoo email forensics investigation, one can validate this field with the email service provider; the address must match the one used by the victim. The recipient may have been addressed as “To”, “BCC” or “CC”, so the presence of this field does not confirm that the message was sent with the victim in the “To” field.
Return Path: Line no. 2 – This indicates the address used for replies, shown as “Reply to” in the front end. However, this field can be easily spoofed and should not be trusted unless it has been analyzed by professionals.
Received-SPF: Line no. 3 – This reveals the type of email service used to send the message. It also carries an ID number that can be used to examine the logs of the transmitting email server and determine whether the message is genuine, i.e., whether it was actually sent from that service. If this ID is unavailable, there is a chance the message was spoofed.
X-YmailISG: Line no. 4 – “X” denotes a custom header, “Ymail” stands for Yahoo Mail, and “ISG” stands for Inbound Spam Guard.
X-Originating-IP & Received: from – Line no. 5 & 7 – The sender’s IP address can be traced with these fields. The latter also reveals the name of the server that was used to send the email.
DKIM-Signature: Line no. 8 – The message’s signature is stored in this field. The signature and the key-fetching data are recorded here in a simple “tag=value” syntax. For investigators, DKIM provides a way to validate and confirm the domain name and identity associated with a message through cryptographic authentication.
Message ID: Line no. 10 – The Message ID is a unique identifier assigned to a specific email message by the email server. It can be used to track the message in the logs of the originating email server.
MIME Version: Line no. 11 – This shows the version of the MIME message format; in this case it is version 1.0. This helps in the further Yahoo email investigation.
Content-Length: Line no. 13 – This shows the number of characters present in the email message.
Subject: Line no. 11 – This shows the subject of the email, i.e., the stated reason for opening that particular message.
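To make the header walkthrough above concrete, here is an added Python example (it is not part of the original post and not code from any tool mentioned in it) that parses a constructed Yahoo-style header, pulls out each of the fields discussed above, and cross-checks them for the inconsistencies an analyst looks for when spoofing is suspected: a Return-Path domain that disagrees with the From domain, a DKIM d= domain that does not cover the sender, a non-passing SPF result, and an X-Originating-IP that differs from the sender-side Received hop. All addresses, hostnames, IP addresses and signature values in the sample header are placeholders.

```python
"""Parse a raw Yahoo-style email header, extract the fields covered in the
header walkthrough, and cross-check them for spoofing indicators.  Every
value in the sample header is constructed for illustration only."""
import email
import re
from email.utils import parseaddr

# Constructed sample header; placeholders, not taken from any real message.
SAMPLE_HEADER = """\
X-Apparently-To: victim@yahoo.com; Mon, 01 Jan 2018 10:00:00 +0000
Return-Path: <sender@example.com>
Received-SPF: pass (domain of example.com designates 203.0.113.10 as permitted sender)
X-YmailISG: PLACEHOLDER_ISG_VALUE
X-Originating-IP: [203.0.113.10]
Received: from mail.example.com (mail.example.com [203.0.113.10])
 by mta1.yahoo.example with SMTP; Mon, 01 Jan 2018 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;
 h=from:to:subject:date:message-id; bh=PLACEHOLDERBODYHASH=;
 b=PLACEHOLDERSIGNATURE=
From: Sender Name <sender@example.com>
Message-ID: <20180101100000.ABC123@mail.example.com>
MIME-Version: 1.0
Subject: Quarterly report
Content-Length: 1234

"""

# Same header with a mismatched bounce address and no SPF authorisation,
# the kind of inconsistency the manual analysis above looks for.
SPOOFED_HEADER = (SAMPLE_HEADER
                  .replace("Return-Path: <sender@example.com>", "Return-Path: <bounce@other.invalid>")
                  .replace("Received-SPF: pass", "Received-SPF: none"))

def unfold(value):
    """Join RFC 5322 folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()

def field(msg, name):
    """First instance of a header as an unfolded string ('' if absent)."""
    return unfold(msg.get(name))

def dkim_tags(sig):
    """Split a DKIM-Signature value into tag=value pairs; whitespace inside a
    value (e.g. a folded b= signature) is folding whitespace and is dropped."""
    tags = {}
    for part in sig.split(";"):
        tag, sep, value = part.partition("=")
        if sep:
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def received_hops(msg):
    """(server_name, ip) for each 'Received: from' line in header order: the
    first entry is the hop nearest the recipient, the last is nearest the sender."""
    hops = []
    for value in msg.get_all("Received", []):
        m = re.search(r"from\s+(\S+)\s+\(.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", unfold(value))
        if m:
            hops.append((m.group(1), m.group(2)))
    return hops

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def header_summary(raw):
    """Extract the fields from the header walkthrough into one dict."""
    msg = email.message_from_string(raw)
    dkim = dkim_tags(field(msg, "DKIM-Signature"))
    return {
        "recipient": field(msg, "X-Apparently-To").split(";")[0].strip(),
        "return_path": parseaddr(field(msg, "Return-Path"))[1],
        "from": parseaddr(field(msg, "From"))[1],
        "spf_result": (field(msg, "Received-SPF").split() or ["missing"])[0].lower(),
        "originating_ip": field(msg, "X-Originating-IP").strip("[] "),
        "hops": received_hops(msg),
        "dkim_domain": dkim.get("d", ""),
        "dkim_selector": dkim.get("s", ""),
        "message_id": field(msg, "Message-ID"),
        "mime_version": field(msg, "MIME-Version"),
        "subject": field(msg, "Subject"),
        "content_length": int(field(msg, "Content-Length") or 0),
    }

def spoofing_indicators(summary):
    """Cross-check the fields the way an analyst would.  Each failed check is
    reported as an indicator for follow-up with the provider's logs, not proof."""
    findings = []
    from_domain = domain_of(summary["from"])
    if domain_of(summary["return_path"]) != from_domain:
        findings.append("Return-Path domain differs from From domain")
    d = summary["dkim_domain"]
    if not d:
        findings.append("no DKIM-Signature present")
    elif from_domain != d and not from_domain.endswith("." + d):
        findings.append("DKIM d= domain does not cover From domain")
    if summary["spf_result"] != "pass":
        findings.append("SPF result is '%s'" % summary["spf_result"])
    if summary["hops"] and summary["hops"][-1][1] != summary["originating_ip"]:
        findings.append("X-Originating-IP differs from sender-side Received IP")
    return findings

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_HEADER), ("spoofed", SPOOFED_HEADER)):
        s = header_summary(raw)
        print("[%s] from=%s return_path=%s ip=%s dkim_d=%s" % (
            label, s["from"], s["return_path"], s["originating_ip"], s["dkim_domain"]))
        for finding in spoofing_indicators(s):
            print("  indicator:", finding)
```

Run against a real message, the same functions work on the header text saved in Step 1; the checks only flag inconsistencies between fields, so a clean result still needs to be confirmed with the service provider’s logs as the text above describes.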
Acquisition of web email data is one of the typical
To acquire the Yahoo email data, click the Add Evidence button at the top left of the forensic software, then select the Yahoo option from the Webmail section of the Add File tab. By entering the user name and password in the respective fields, the user can access the Yahoo email account directly. Multiple accounts can be added at once through a CSV file, and the Date Filter option can be used to access the email data by date.
Note: To access and perform Yahoo email analysis directly through the email analyzer tool, the following settings must be changed in the Yahoo account:
Turn off Two-Step Verification
Turn on “Allow apps that use less secure sign in”
The Email tab of the Yahoo email analyzer tool displays the list of Yahoo mails present in the mailbox.
Yahoo email forensics is a specialized branch of digital forensics dealing exclusively with the forensic investigation of Yahoo emails and their components. The manual methods described above might not work when the headers have been spoofed. Email deletion is another situation in which these techniques might fail. Investigators therefore adopt forensic tools such as FTK and MailXaminer to work on bulk data, which are capable of tracking and identifying the true identity of senders. Some tools can even export Yahoo mail to Outlook. A Yahoo mail account can contain a very large number of emails, so going through each one requires the help of such email forensic tools. Unethical email spoofing and related crimes may have emerged, but advances in technology are ready to fight back against such threats.