Zoho Mail Forensics

Creative Team | April 8th, 2015 | Forensics

Before October 2008, Zoho offered applications intended to make business easier. That month it launched its webmail service, Zoho Mail: a clutter-free, familiarly designed webmail service that works on end-user privacy like no other provider does. The service started out for businesses and organizations, alongside Zoho Lite, a free counterpart. Even though Zoho Lite is free and can be connected to a number of existing webmail or Outlook accounts, the office apps are not compromised on and are offered for creating and accessing documents from the account.

For instant communication with contacts, Zoho also features a chat application in its Apps section. The app can work with contacts from Yahoo Mail, Facebook, QQ Mail, MSN, Google Mail, MySpace, etc., with just a simple sign-in. Earlier, the service did not include the sender IP in the internet header of an email sent from the web. It now does, and it also has an extremely powerful and rigorously tested security policy.

Zoho Mail Suite

Because Zoho Mail is a webmail service with cloud-based storage, this paper discusses probable ways of detecting and examining activities carried out on Zoho Mail through mediums such as browser forensics and the local storage of Zoho Mail, if any.

Why NOT Network Forensics?

Zoho Mail at A Glance

  • No Advertisements
  • No Aliases
  • Signup through Tor Browser not allowed
  • 20 MB is the limit for attachment
  • HSTS applied (HTTP Strict Transport Security)
  • Spam and Virus Filter
  • 5 GB of Inbox size provided
  • Account left inactive for 120 days straight is liable to termination
  • Works on JavaScript
  • Imports EML and PST file types
  • Exports emails in EML File Type
  • Address Book Import/Export supported in CSV, vCard, & LDIF
  • Mail header includes User IP

In addition to these, Zoho Mail secures the connection by applying AES-256 bit encryption to data while it is sent over the internet, and the connection itself is made over SSL. Thus, even applications such as packet sniffers may fail to retrieve information.

Vulnerabilities Zoho Mail Is Unaffected By

The service has been tested by developers against vulnerabilities such as SQL injection and XSS (cross-site scripting).

Zoho Mail is chiefly known for its strongly encrypted network. In the past, this has even put notable cryptologists, who tried to decrypt messages exchanged over some of the renowned webmail services as part of their study, in trouble with law enforcement agencies. Thus, a network that can’t be intruded upon cannot be examined with network forensic techniques either. However, there are alternatives that can be adopted for digging into Zoho Mail activity through the traces it leaves behind on the PC.

Traces For Investigation In Web Browsers: Potential Evidence Storage

Zoho Mail is accessed through a web browser, both on mobile and on desktop computers/laptops. Thus, the only local record of the activities carried out in an account accessed from a machine is found either in system files or, most importantly, in the web browser(s).

The local file storage of a web browser used for logging in and out of a Zoho account can be examined for traces of evidence leading to:

  • The activities that may have been carried out in the account
  • Timestamp of login/logout
  • Redirection to links
  • History of the links visited
  • Downloads performed on it/from the account
  • Search words list
  • Images
  • Account credentials

Analyzing web browser activity can thus prove to be an important step in the forensics of Zoho Mail. Cache files of a web browser may contain images from visited web pages, as well as JS-based malware responsible for activities that may seem suspicious.

Cache files, for example, store a valuable set of information regarding the browsing history, timestamps and websites visited. The Login Data/Web Data file (Google Chrome) is a SQLite file capable of storing account credentials; the password value remains encrypted, but it is listed along with the respective email address.
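The Chrome artifacts described above can be read as follows. This is an added example, not code from the original article; it assumes Chrome's `logins` table in Login Data and the `urls`/`visits` tables in History, and the hostnames, account name and timestamps in `build_sample()` are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chrome timestamps count microseconds since 1601-01-01 UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).isoformat()

def on_domain(url, domain):
    """Match on the parsed host so look-alike hosts are not swept in."""
    host = urlsplit(url).hostname or ""
    return host == domain or host.endswith("." + domain)

def saved_logins(conn, domain="zoho.com"):
    """From a 'Login Data' copy: origin, username, creation time, blob size.
    The password blob is left encrypted; only its size is reported."""
    rows = conn.execute("SELECT origin_url, username_value, date_created, "
                        "length(password_value) FROM logins ORDER BY date_created")
    return [(o, u, webkit_to_utc(t), n) for o, u, t, n in rows if on_domain(o, domain)]

def visit_timeline(conn, domain="zoho.com"):
    """From a 'History' copy: one (time, url, title) entry per visit."""
    rows = conn.execute("SELECT v.visit_time, u.url, u.title FROM visits v "
                        "JOIN urls u ON u.id = v.url ORDER BY v.visit_time")
    return [(webkit_to_utc(t), url, title) for t, url, title in rows
            if on_domain(url, domain)]

def build_sample():
    """Constructed in-memory stand-in holding only the columns queried above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE logins (origin_url TEXT, username_value TEXT,
                             password_value BLOB, date_created INTEGER);
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    t0 = 13072924800000000  # 2015-04-08 00:00:00 UTC in WebKit time
    conn.execute("INSERT INTO logins VALUES (?, ?, ?, ?)",
                 ("https://accounts.zoho.com/signin", "user@example.com", b"\x00" * 48, t0))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", [
        (1, "https://mail.zoho.com/", "Inbox"),
        (2, "https://zoho.com.lookalike.example/", "Unrelated")])
    conn.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                     [(1, t0 + 90_000_000), (2, t0 + 120_000_000), (1, t0 + 3_600_000_000)])
    return conn
```

On a real case, run the two query functions against working copies of the profile's Login Data and History files, opened read-only, rather than against the live profile.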


  • History
  • Search Words
  • Cache
  • Download
  • Cookies
  • Last Session
  • Login Data/Web Data
  • Visited Links

Folder Structure

TIP: Mozilla Firefox comes with an add-on for viewing the browser cache right in the browser, with ample information along with images.

NOTE: The random alphabet combination prefixed to ‘.default’ is the profile name.

A Different Angle At Zoho Mail Forensics: EML File Analysis

As stated above, Zoho Mail can both import and export emails in the .eml file type. Thus, EML file forensics is also applicable to Zoho Mail forensics (if such files have been created).


EML Export: The traces of downloaded emails remain in the Inbox folder of the respective mail account. Zoho Mail doesn’t start the export of emails directly. Instead, a mail with the download link of a RAR file containing the emails as EML files is sent to the account holder.


Parse EML File: The file is constructed to comply with the standard RFC 5322 format; thus, EML files can be used with a number of email servers, applications, and clients. As the file is structured in a simple text format, it can be opened and traversed in Notepad or any other text editor freely available online.

Role of Third Party: The standard header parsing techniques can be applied to the examination of EML files. However, investigators can and should involve third-party applications for precision and a quick pace of analysis. MailXaminer is a dedicated email analysis platform for cloud and desktop based email clients. With 7+ email header preview and analysis options, it is surely the quickest, and an accurate, method to investigate EML files. Further, the IP investigation can be carried out with the help of the respective ISP, to track down the involvement and other particulars of the activities that took place.
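The standard header parsing mentioned above, as an added example that is not part of the original article: it walks the Received chain of an EML file oldest-first and checks it against a client-IP header. The header name `X-Originating-IP` and the sample message are assumptions; the article only states that the mail header includes the user IP.

```python
import ipaddress
import re
from email import message_from_string, policy
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts and addresses are documentation values.
SAMPLE_EML = """\
Received: from sender.mail.example (sender.mail.example [203.0.113.10])
    by mx.recipient.example with ESMTPS; Wed, 8 Apr 2015 10:15:32 +0000
Received: from [198.51.100.23] by sender.mail.example with HTTP;
    Wed, 8 Apr 2015 10:15:30 +0000
X-Originating-IP: [198.51.100.23]
From: Alice <alice@example.com>
Date: Wed, 8 Apr 2015 10:15:29 +0000

Body text.
"""

IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")

def bracketed_ips(text):  # syntactically valid IP literals found in [brackets]
    found = []
    for candidate in IP_RE.findall(text):
        try:
            found.append(str(ipaddress.ip_address(candidate)))
        except ValueError:
            continue  # bracketed text that is not an address
    return found

def received_hops(msg):  # Received headers oldest-first: (datetime or None, [ips])
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        text = " ".join(str(raw).split())  # unfold continuation lines
        try:
            when = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        except (TypeError, ValueError):
            when = None  # missing or malformed timestamp on this hop
        hops.append((when, bracketed_ips(text)))
    return hops

def analyze(eml_text):
    msg = message_from_string(eml_text, policy=policy.default)
    hops = received_hops(msg)
    times = [when for when, _ in hops if when]
    claimed = bracketed_ips(str(msg.get("X-Originating-IP", "")))
    origin = hops[0][1] if hops else []
    return {"hop_count": len(hops), "origin_candidates": origin,
            "claimed_origin": claimed[0] if claimed else None,
            "origin_consistent": bool(claimed) and claimed[0] in origin,
            "hops_in_order": times == sorted(times)}
```

A mismatch between the claimed origin and the oldest hop, or hop timestamps that run backwards, marks a header worth closer examination before any address is taken to an ISP.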

Conclusion: Zoho Mail clearly is one of the most secure communication networks, and it has maintained its standard with up-to-date security protocols and encryption during data transfer over the network. Thus, network forensics plays no role in this scenario, as the security cannot be broken unless the account has been hacked. The forensic methodologies stated above can be used to study the patterns, traces and evidence associated with the email service when conducting Zoho Mail forensics.