Yahoo Artifacts Backup for Yahoo Mail Forensics

Olivia Dehaviland | September 26th, 2017 | Updates

With email in such wide use, millions of users rely on multiple web-based and desktop email clients. The three major web-based email platforms are Gmail, Hotmail and Yahoo Mail. Because Yahoo Mail is one of the popular email services, the possibility that a culprit uses Yahoo is very high. Once law enforcement investigators are authorized to investigate sealed computer systems, email IDs, etc., a thorough analysis has to be done using various strategies and methodologies. This blog discusses a few methods for performing Yahoo email forensics and for creating a Yahoo email backup so that the artifacts can be collected and analyzed in detail.

Strategy 1: Accumulate Data From Browser Artifacts

When Yahoo Mail is accessed on a system through a browser, many artifacts are stored in various browser components. Most importantly, the cache, cookies, and history are the best resources for finding evidence and collecting browser relics. Date and time stamps can be collected from the history and cookies, but the cache holds the most valuable data for an investigation. The cache saves web page elements to the local disk, so many emails read by the suspect can be found in the cache folders. The location, however, depends on the operating system and the browser. The locations for each browser and operating system, where you can perform Yahoo mail forensics and find crucial artifacts, are mentioned below.

Cache Locations

Other browser stores might only show the details of a site visit, but the cache folders in the above-mentioned locations show the actual content of the page or email message. One major disadvantage of these cached pages is that they might not show messages the suspect sent from the Sent folder. This is because the message is merely typed on the screen and then sent, without needing to be stored. Once the cache items are collected, they can be viewed and parsed with forensic tools.

Strategy 2: Reach and Analyse Yahoo Email Header

The Yahoo mail header is another resource from which to collect artifacts. An email header contains information related to the origin and the genuine contents of the email. A deep analysis of elements such as the Message ID and DKIM can help you carve out a good deal of evidence.

How to Reach the Headers of Yahoo Mail?

  • Log into Yahoo! Mail account with correct credentials.
  • Select the email whose header you want to view.
  • Expand “More” option available in the menu.
  • Click on “View Full Header”.
  • The header will be available for viewing.
  • Data from the header can be copied for further analysis.
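Once the header text has been copied, the fields named above can be pulled apart programmatically. The following is an added example, not part of the original post or of any Yahoo tool: it parses a constructed sample header with Python's standard `email` package and reports the Message-ID, the DKIM-Signature tags and the Received chain in chronological order. All addresses, host names and signature values in the sample are placeholders.

```python
from datetime import datetime, timezone
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample header for illustration; not taken from a real message.
SAMPLE_HEADER = """\
Received: from mta.example.net (mta.example.net [203.0.113.25])
\tby mx.example.org with ESMTPS id abc123;
\tTue, 26 Sep 2017 10:15:32 +0000
Received: from [198.51.100.7] by web.example.net via HTTP;
\tTue, 26 Sep 2017 10:15:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=s2048; t=1506420930;
\th=From:Subject:Date:Message-ID; bh=Y29uc3RydWN0ZWQ=; b=Y29uc3RydWN0ZWQ=
Message-ID: <1234567890.42.1506420930123@mail.example.net>
Date: Tue, 26 Sep 2017 10:15:30 +0000
From: sender@example.net
Subject: constructed sample

"""

def _flat(value):  # unfold a header value and collapse its whitespace
    return " ".join(str(value).split())

def dkim_tags(value):  # "d=example.net; s=s2048" -> {"d": ..., "s": ...}
    pairs = (p.split("=", 1) for p in _flat(value).split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def received_hops(msg):
    """Return (route, timestamp) per Received header, oldest hop first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        route, _, stamp = _flat(raw).rpartition(";")
        hops.append((route.strip(), parsedate_to_datetime(stamp.strip())))
    return hops

def summarize(raw_header):
    msg = message_from_string(raw_header, policy=policy.default)
    hops = received_hops(msg)
    dkim = dkim_tags(msg.get("DKIM-Signature", ""))
    signed = datetime.fromtimestamp(int(dkim["t"]), timezone.utc) if "t" in dkim else None
    return {
        "message_id": _flat(msg["Message-ID"]),
        "from_domain": parseaddr(str(msg["From"]))[1].rpartition("@")[2],
        "dkim_domain": dkim.get("d"),          # signing domain claimed in the header
        "dkim_signed_at": signed,              # t= tag, seconds since the epoch
        "hops": hops,
        "hops_in_order": [t for _, t in hops] == sorted(t for _, t in hops),
    }
```

A mismatch between `from_domain` and `dkim_domain`, or hop timestamps that run backwards, marks a header for closer manual review; it is not a verdict by itself, and the DKIM signature still has to be verified cryptographically with a dedicated tool.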

Strategy 3: Create Backup of Yahoo for Offline Analysis

To analyze Yahoo emails in bulk, it is better to create a backup of the Yahoo emails in a desktop email client file format so that the analysis can be run on all of them together. It also removes the need to log in repeatedly. The backup also eliminates any chance of changes being made to the emails, so the artifacts can be collected securely for investigation. But it is important to take the backup in the right way to avoid any manipulation of the emails. The Yahoo Backup tool can be used to back up Yahoo mail to various file formats such as PST, EML, MSG, or MBOX.

Yahoo Email Backup for Bulk Email Investigation:

Yahoo mail backup is a specialized mail backup solution designed for the forensic investigation of Yahoo mail. The application downloads all the emails in various email file formats and stores them locally. Another benefit of downloading the emails as desktop email files is that it makes the evidence portable. Investigators can easily share the downloaded emails with colleagues and carry out the investigation. The steps for downloading emails after a successful installation of the Yahoo mail backup solution are given below.

  • Launch the application and provide the credentials of the suspect whose emails are to be backed up.

  • In the next step, choose the file format in which the emails will be downloaded. The email file options are limited to PST, EML, MSG, and MBOX, but all of them are standard email files accessible in commonly used desktop email clients. Provide the preferred destination location for the downloaded emails.

  • Another useful option from an investigator's perspective is the email filters, available as Date-wise and Folder-wise filters.

Date Filters: If the investigation covers emails from a certain time span, or the investigator is sure that the emails related to the crime scene belong to a particular span of days, the investigator can use this email filter option to analyse Yahoo email headers. The To and From fields set the time range, and only the emails that fall within this range are downloaded.

Folder-wise Filter: By default all the email folders are selected, but if the investigation has to be done on specific folders only, the others can be unchecked. The software also creates a backup of messenger chats, denoted as Y! Conversations.

Once done, click on Start and the downloading of emails will proceed.
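To back up the claim that the exported emails stay unchanged, an investigator can hash the export as soon as it is written and re-check the hashes later. The following is an added example, not part of the backup tool described in this post: it builds a SHA-256 manifest for an MBOX export (the container file and each message) and applies a date range comparable to the Date Filter above. The MBOX content is constructed, `export.mbox` is a hypothetical file name, and every message is assumed to carry a parsable Date header.

```python
import hashlib
import mailbox
import os
import tempfile
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed two-message MBOX standing in for an exported backup file.
SAMPLE_MBOX = (
    "From MAILER-DAEMON Tue Sep 26 10:15:30 2017\n"
    "Message-ID: <a1@mail.example.net>\n"
    "Date: Tue, 26 Sep 2017 10:15:30 +0000\n"
    "Subject: constructed one\n\nfirst body\n\n"
    "From MAILER-DAEMON Sun Oct 01 08:00:00 2017\n"
    "Message-ID: <b2@mail.example.net>\n"
    "Date: Sun, 01 Oct 2017 08:00:00 +0000\n"
    "Subject: constructed two\n\nsecond body\n"
)

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(mbox_path, start=None, end=None):
    """Hash the container and each message; start/end are timezone-aware."""
    entries = []
    box = mailbox.mbox(mbox_path, create=False)  # run this on a working copy
    try:
        for key in box.keys():
            msg = box[key]
            sent = parsedate_to_datetime(msg["Date"])
            if (start and sent < start) or (end and sent > end):
                continue
            entries.append({"message_id": msg["Message-ID"], "date": sent.isoformat(),
                            "sha256": hashlib.sha256(box.get_bytes(key)).hexdigest()})
    finally:
        box.close()
    return {"file_sha256": sha256_file(mbox_path), "messages": entries}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "export.mbox")  # hypothetical export name
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        full = build_manifest(path)
        september = build_manifest(path, end=datetime(2017, 9, 30, tzinfo=timezone.utc))
        return full, september
```

Store the manifest separately from the export; recomputing it later and comparing `file_sha256` and the per-message digests shows whether the evidence copy has changed since collection.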

Conclusion: An email system involves multiple components associated with the sender's and receiver's client and server systems. These components, along with scrutiny of an email's origin, can help in analyzing cybercriminals' emails. Collecting the emails and storing them in a secure manner using email backup tools like Yahoo email Backup can be the most important and primary stage of Yahoo mail forensics. Once the emails are collected in bulk, their components can be explored in detail. Other artifacts can be accumulated through the browser cache, headers, etc. The strategies explained in the above sections can help to analyze the emails in bulk.