Yahoo Mailbox Forensics

Creative Team | December 8th, 2014 | Forensics

Yahoo Mail is among the most popular email services, with a vast number of users. As net surfing and internet usage have grown, so has the number of users involved in a wide array of illegal activities. Security loopholes in Yahoo emailing have ultimately raised the need for Yahoo email forensics. E-mail forensics on a Yahoo mailbox, including Yahoo mail header analysis, involves several stages: collection, analysis, preservation, and reporting. It should be noted that web-browser based emails like Yahoo emails are more difficult to trace. Still, a detailed record is available for each e-mail transaction on which analysis can be done. This blog will elaborate the need for Yahoo email investigation and the various methods and utilities used to carry it out. It also discusses various email spoofing methods. Before going further into Yahoo email forensics, let us first see what exactly an email consists of.

Email and Its Components: E-mail is globally standardized and comprises these main components: Mailbox, Domain Name, Message-ID and ENVID. A mailbox is a conceptual storage entity whose basic identity is the email address. An email address comprises a username and a domain separated by “@”. A domain name is a global reference to an Internet resource such as a host, network or service. As for the header, Yahoo mail header analysis is the most important factor for investigators in uncovering the truth. The header records details in various sets of fields that help trace information.

How to Analyze Yahoo Email Headers?

Yahoo email headers can be analyzed by extracting the header information of a suspicious email and going through its details. This can be done by following the steps below, one by one.

Step 1: Save Header Data in Another File

  • Sign in to the Yahoo! Mail account whose emails have to be analyzed.
  • Go to the Inbox and view the list of email messages.
  • Open the email message to be analyzed.
  • Click on More options to open the drop-down menu.
  • Select the “View Full Header” option from this menu.
  • Another window will open with the header details for that particular email.
  • Copy them to a text file and save it safely.
  • Close the header window and the Yahoo application.

Step 2: Analyze the Header Information

Open the saved text file and go through its elements. The first few lines show the e-mail servers through which the email message travelled.

X-Apparently-To: Line no. 1 – This discloses the recipient’s email address. During an investigation, this field can be validated with the e-mail service provider; the address must match the one used by the victim. The message may have reached this mailbox as “To, BCC or CC”, so the presence of this field does not confirm that it was sent as “To”.

Return Path: Line no. 2 – This indicates the address for replying, which is termed “Reply to” in the front end. However, this field is easily spoofed and should not be trusted unless analyzed by professionals.

Received-SPF: Line no. 3 – This reveals the type of email service used to send the email. It also carries an ID number that can be used to examine the logs of the transmitting e-mail server and determine whether the email is genuine, i.e. whether it was really sent from that service. If this ID is unavailable, the message may have been spoofed.

X-Originating-IP & Received: from: Line no. 5 & 7 – The IP address can be traced with these fields. The latter also reveals the name of the server that was used to send the email.

DKIM-Signature: Line no. 8 – The signature of the email is stored in this field. All signature and key-fetching data are held here in a simple “tag=value” syntax. For investigators, DKIM provides a way to validate and confirm the domain name and identity associated with a message through cryptographic authentication.

Message ID: Line no. 10 – The Message ID is a unique identifier assigned to a specific email message by the email server. It can be used to track the message in the logs of the originating email server.

MIME Version: Line no. 11 – This field gives the version of the MIME message format; in this case it is version 1.0. This helps in further investigation.
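As an added example (not code from the original post), the following Python script reads a header block saved as in Step 1 and extracts the fields walked through in Step 2, flagging the mismatches an investigator would otherwise check by hand. The sample header, hosts and domains are constructed, not taken from a real message.

```python
import email, re
from email import policy

# Constructed sample (not a real message), shaped like a saved "View Full Header" block.
SAMPLE_HEADER = """\
X-Apparently-To: victim@yahoo.com; Mon, 08 Dec 2014 10:00:00 +0000
Return-Path: <bounce@example-sender.test>
Received-SPF: pass (domain of example-sender.test designates 203.0.113.5 as permitted sender)
X-Originating-IP: [203.0.113.5]
Received: from mail.example-sender.test (203.0.113.5) by mta.yahoo.test with SMTP; Mon, 08 Dec 2014 10:00:00 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example-sender.test; s=sel1; h=from:to:subject; bh=ABC=; b=XYZ=
From: Alice <alice@example-sender.test>
Message-ID: <20141208100000.1234@mail.example-sender.test>
MIME-Version: 1.0

"""
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def first_address(value):
    """First mailbox in a header value, '' if none (X-Apparently-To carries a trailing date)."""
    m = ADDR_RE.search(value)
    return m.group(0) if m else ""

def dkim_tags(sig):
    """Split a DKIM-Signature value into its tag=value pairs."""
    pairs = (p.split("=", 1) for p in sig.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def review_header(raw):
    """Extract the fields walked through above and flag inconsistencies."""
    msg = email.message_from_string(raw, policy=policy.default)
    hdr = lambda name: str(msg.get(name, ""))  # unfolded header value or ''
    from_dom = first_address(hdr("From")).rpartition("@")[2]
    ret_dom = first_address(hdr("Return-Path")).rpartition("@")[2]
    dkim = dkim_tags(hdr("DKIM-Signature"))
    spf = hdr("Received-SPF").split(" ", 1)[0].lower()
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", hdr("X-Originating-IP"))
    hop = re.match(r"\s*from\s+(\S+)", hdr("Received"))  # newest Received line
    flags = []
    if ret_dom != from_dom:
        flags.append("Return-Path domain differs from From domain")
    if spf != "pass":
        flags.append("Received-SPF is not 'pass'")
    if dkim.get("d") != from_dom:
        flags.append("DKIM d= domain differs from From domain")
    return {"recipient": first_address(hdr("X-Apparently-To")),
            "originating_ip": ip.group(0) if ip else "",
            "sending_server": hop.group(1) if hop else "",
            "spf": spf, "dkim_domain": dkim.get("d", ""),
            "message_id": hdr("Message-ID"), "flags": flags}
```

Run `review_header(open("header.txt").read())` on a saved header; an empty `flags` list does not prove authenticity, since a spoofer controls several of these fields, but each flag marks a field worth verifying with the provider's logs.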

E-mail forensics is a specialized branch of digital forensics, here dealing exclusively with the forensic investigation of Yahoo emails and their components. The methods described above might not work when the email is spoofed. Email deletion is another case where these techniques might not work. Investigators adopt forensic tools like FTK and MailXaminer to work on bulk data at once; these tools are capable of tracking and identifying the true identity of senders. Some tools can even export Yahoo mail to Outlook. Yahoo mail accounts can hold bulk emails, so to go through each and every email one has to take the help of such email forensic tools. Unethical email spoofing and related crimes may have grown, but advances in technology are ready to fight back against such threats.