Zoho Mail Forensics for Mailbox Analysis

Creative Team | April 8th, 2015 | Forensics

Before October 2008, Zoho served applications to make business easier. In that particular month emerged its webmail service, Zoho Mail. The clutter-free and familiarly designed webmail service that works on its end user privacy as no other providers do. The service started out for businesses and organizations along with Zoho Lite, a free counterpart. With the increase of Zoho email usage, the criminal activities through it also increased respectively which leads to the need of Zoho mail forensics for the Zoho mailbox analysis and header forensics.

Even though Zoho Lite is available for free and can be connected with a number of existing webmail or Outlook accounts, office apps aren’t compromised with it and are offered for creating & accessing documents on the account. For instant communication with contacts, Zoho also features a chat application in its Apps section. The app can collaborate with contacts of Yahoo Mail, Facebook, QQ Mail, MSN, Google Mail, MySpace, etc., with just a simple sign in. Earlier the service did not consider including sender IP in the internet header of an email when sending it from the web. However, now it does support that as well as extremely powerful and rigorously tested security policy.

Zoho Mail Suite

Being a webmail service with cloud based storage; the paper discusses probable ways of detecting and examining activities carried out on Zoho mail via mediums like; browser forensics and Zoho mail forensics on local storage, if any.

Why NOT Network Forensics?

Zoho Mail at A Glance

  • No Advertisements
  • No Aliases
  • Signup through Tor Browser not allowed
  • 20 MB is the limit for attachment
  • HSTS applied (Strict Transport Security on HTTP)
  • Spam and Virus Filter
  • 5 GB of Inbox size provided
  • Account left inactive for 120 days straight, liable to termination
  • Works on JavaScript
  • Imports EML and PST file types
  • Exports emails in EML File Type
  • Address Book Import/Export supported in CSV, vCard, & LDIF
  • Mail header includes User IP

In addition to these, Zoho Mail ensures a secure connection by implementing AES-256 Bit of encryption on data while it is being sent over through internet; also the connection is made through SSL. Thus, even applications like packet sniffers may also fail to retrieve information.

Vulnerabilities Zoho Mail Is Unaffected By

The service has been tested by developers against vulnerabilities such as SQL injection, XSS (cross-site scripting).

Zoho Mail  is chiefly known for its strongly encrypted network. This, in the past has even put notable cryptologists in trouble from law enforcement agencies across trying to decrypt messages exchanged over some of the renowned web mail services as part of their study. Thus, a network that can’t be intruded cannot be examined with network forensic techniques too. However, there are alternatives that can be adopted for digging into the activities of Zoho Mail through traces of it left behind on the PC.

Traces for Zoho Mailbox Investigation in Web Browsers

Zoho Mail is accessible over web browser of mobile as well as desktop computer/laptops. During the Zoho email analysis the potential evidence storage/ local storage of activities carried out in the account accessed from a machine, that can be either found in system files or in web browser(s).

The local file storage of a web browser used for logging in and out of the account and Zoho mailbox analysis for traces of evidence leading to:

  • The activities that may have been carried out in the account
  • Timestamp of login/logout
  • Redirection to links
  • History of the links visited
  • Downloads performed on it/from the account
  • Search words list
  • Images
  • Account credentials

Analyzing web browser activity can thus prove to be an important step during the Zoho mail forensics. Cache files of a web browser may consist of images from visited web pages, JS based malware conscientious for activities that may seem suspicious.

Cache files for example store a valuable set of information regarding the browsing history, timestamp and websites visited. While Login Data/Web Data file (Google Chrome) is an SQLite file capable of storing account credentials however the password value remains encrypted but indicated along with the respective email address.


  • History
  • Search Words
  • Cache
  • Download
  • Cookies
  • Last Session
  • Login Data/Web Data
  • Visited Links
Folder Structure

TIP: Mozilla Firefox comes with an Add-On to view the browser cache right on the browser with ample of information along with images.

NOTE: The random alphabet combination prefixed to ‘.default’ is the profile name.

A Different Angle At Zoho Mail Forensics: EML File Analysis

As stated above Zoho Mail can both import as well as export emails in the .eml file type. Thus, EML file forensics is applicable too in the case of Zoho email analysis (if created).


EML Export: The traces of downloaded emails remain on the respective mail account in its Inbox folder. Zoho Mail doesn’t directly start the import of emails. Instead, a mail with the download link of a RAR file consisting of the emails as EML format file is sent to the account holder.


Parse EML File: The file is constructed to comply with a standard RFC5322 format thus; they are free to be used on a number of email server, applications, and clients. As the file is structured in a simple text format, it can be opened and traversed on Notepad and any other form of text editor freely available online.

Role of Third Party: The standard header parsing techniques can be applied for the examination of EML files. However, the involvement of third party applications is and should be done by investigators for precision and quick pace of Zoho email analysis. MailXaminer is a dedicated email analysis platform for cloud and desktop based email clients. With the provision of 7+ email header preview and analysis options, it sure is the quickest and accurate method to investigate EML files. Further, the investigation IP can be done with respective ISP for tracking and down the involvements and other particulars of the activities taken place.

Zoho Mail Forensics with Email Analysis Software

After Understanding the Zoho mail database analysis now you think about how to perform Zoho header forensics email analysis on single emails. During the forensic investigation the most difficult task is accessing the email data from the webmails. With the increase in illegal activity through the email exchange the necessity of email forensics also increasing. With the help of the most recommended email forensics tool, the process of analysing the Zoho mail can easily perform. By the help of MailXaminer the investigator can easily perform Zoho mail forensics. Another specialty of this forensic tool is it allows the investigator to easily access both the business and private email data through simple steps. To perform Zoho email analysis with the help of Zoho email forensics tool follow the process given below.

Add the Zoho Mail account to the software through the add evidence option. Select the Zoho Mail option from the Webmail list and provide the User Name & Password to access the email data. The user can easily add multiple accounts through the bulk option and also the date filter is available to reduce the accessing time.

The Software allow to examine the email data with different views such as “Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments”. This property makes the tool differ from the other forensics software. It helps the investigators to examine and analyse the email data in different view from the same platform during Zoho mail forensics.

Mail view: This view helps the investigator to examine the email messages through user perspective and perform Zoho email analysis directly on the message data. That is it will shows the basic header details like From, To, subject etc. and the email message body.

Property view: This help the investigator to get the brief summery of the email data without examine the entire data. It contains common fields such as: “Body details, Dates, Internet Header Details, Message flags, Recipients, Represent sender, Sender details, Subject”

Header view: It provide the detailed view of the email header. This informations help the investigator to track the email during the Zoho email header forensics.

The common attribute of Zoho Mail that are used to analyze during Zoho email forencs are described bellow:

  • Delivered-To:This will show the email address of the receiver.
  • Recieved-SPF: SPF means “Sender Policy Framework” It is mainly used for prevent the forgery of the sender. It shows either Pass or Fail. When the MTA discard the established connection it will give “Fail” as the value otherwise “Pass”.
  • Authentication-Results: It illustrate the authentication report of the receiver after the complete delivery of message.
  • Return-Path: It will be the address to which the notices need to be send. Normally it would be the address of the sender.
  • DKIM-Signature: It is the Domainkeys Identified Mxail. During Zoho email header forensics it help to guarantee the domain authenticity by allowing the sender to link a domain name with each mail message.
  • Reply-To: This field will be same as that of From. It will shows the mail address through which you can replay to the sender.
  • MIME-Version: It shows the MIME version used in the email.
  • X-mailer: This header field shows the details of the software used to send the email.
  • Message-ID:It represents the unique Id which used to identify each emails.
  • List-Unsubscribe:It is the option field which is used by publishers or marketers in the header of the mail.
  • X-CSA-Complaints:CSA means Certifies sender alliance. This field contains the full headers to a whitelist complaints.

Email Hop: It is an another special view provided by tool to simplifies the process of Zoho mail forensics. Which help the investigator to track the path of the email message. It will represent the path in between the sender and receiver in means of graph and Hop server. It shows all the routers, gates and switches through which the email is passed.

MIME: It represents the inner detail of the SMTP mail. Which will include the MIME version, Textual or non textual attachment and header informations.

RTF: It will show the result only if the Rich Text Formatting of the email is available. This helps to maintain the originality of email message. The formatting and font of email can be analyzed through this view.

HTML: It provides the HTML representation of the email data. During the zoho email forensics this view helps the investigators to easily examine data to check if any changes were done on the message to remove its originality.

Hex: During the Zoho mail forensics hex view of the tool help the examiners to analyse the evidence in hexadecimal format. Email data manipulation can easily find through this view. This view contains three values such as “Offset, Hex code, Textual value”.

Conclusion: Zoho Mail clearly is one of the most secure communication networks which have maintained its standard with up to date security protocols and encryptions during data transfer over the network. Thus, network forensics plays no role in the scenario as the security cannot be broken unless the account has been hacked. Above stated forensic methodologies can be implemented to study the patterns, traces, evidence associated with the email service to conduct Zoho Mail Forensics with the help of forensic investigation tool.