Yahoo Artifacts Backup for Yahoo Mail Forensics

With the extended usage of the emailing, millions of users are part of multiple Web-based and desktop email clients. The three major web-based emailing platforms are; Gmail, Hotmail and Yahoo Mail. Being one of the popular emailing services, the possibility of culprit to be part of Yahoo is very high. Once the law enforcement investigators gets the authorization to make the investigation on sealed computer systems, email ids, etc. a thorough analysis has to be done using various strategies and methodologies. The blog will discuss about few methods to perform the Yahoo email forensics and creates the Yahoo email backup to collect the artifacts in order to analyze them in detail.

Strategy 1: Accumulate Data From Browser Artifacts

While accessing Yahoo Mail on the system using browsers, many artifacts are stored in various elements of browsers. Most importantly, cache, cookies, and history are best resources to find the evidences to collect browser relics. Date and time stamps can be collected from the history and cookies but the cache memory holds the most precious data components for investigation. Cache memory preserves web page elements to local disk and many emails read by suspect can be found in the cache folders. The location however depends on the Operating System and Browser. Location depending on the Browser and Operating Systems are mentioned below where you can perform Yahoo mail forensics and find crucial artifacts.

Cache Locations

Other browser stores might only show details of visiting site but cache folders located in the above mentioned locations will show the actual matter available in the page or email message. One major disadvantage of these cached pages is it might not show messages from Sent folder by suspect. This is because the message is mere typed on the screen without needing storing it and then it is sent. Once the cache items are collected it can be viewed and parsed through forensics tools.

Strategy 2: Reach and Analyse Yahoo Email Header

Yahoo mail header is another resource to collect the artifacts from. Email header comprises of the information related to origins and genuine contents of the emails. A deep analysis made on the elements like Message ID and DKIM can help you carve out many evidences.
How to Reach to The Headers of Yahoo Mail?

• Log into Yahoo! Mail account with correct credentials.
• Select the email whose header you want to view.
• Expand “More” option available in the menu.
• Click on “View Full Header”.
• The header will be available for viewing.
• Data from the header can be copied for further analysis.

Strategy 3: Create a Backup of Yahoo for Offline Analysis

In order to perform analysis on Yahoo emails in bulk, it is better to create a backup of Yahoo emails in desktop email client file format so that the analysis is done to the bulk emails. It will also end the requirement of logging in repetitively. The backup also terminates any chances of making changes in the emails and the artefacts can be collected securely for investigation. But it is important to take the backup right away to avoid any manipulation done with the emails. Yahoo Backup tool can be utilized to backup Yahoo mails to various file formats like; PST, EML, MSG, or MBOX.

Yahoo Email Backup for Bulk Email Investigation:

Yahoo mail backup is an expertise mail backup solution specially designed for the forensic investigation of Yahoo mails. The application downloads all the emails in various email file formats and allows storing the emails locally. Another benefit of downloading the emails in a desktop email file is it makes the evidence portable. Investigators can share the download emails easily with colleagues and perform investigations. Below mentioned are the steps involved for downloading emails after successful installation of the Yahoo mail backup solution.

• Launch the application and provide the credentials of the suspect whose emails are supposed to be backed up.

• In the next step, you can choose the file format to which the downloading will be done. There are limited email file options; PST, EML, MSG, & MBOX but all of them are standard email files accessible in commonly used desktop email clients. Provide the preferred destination location to save downloaded emails.

• One more anticipated and useful option from an investigator’s perspective is Email filters in the form of Date-wise and Folder-wise filters.

Date Filters: If the investigation has to be done on emails belonging to a certain time span or the investigator is sure that the emails allied to the crime scene belong to a particular span of days, an investigator can use this email filter option to analyse the Yahoo email header. To & From fields is to provide the range of time and emails associated with this range will get downloaded only.

Folder-wise Filter: By default, all the email folders are selected, but if the investigation has to be done on specific folders only, it can be un-checked. The software also creates a backup of messenger chats denoted as Y! Conversations.

Once done, click on Start and the downloading of emails will proceed.

Conclusion

The E-mailing system involves multiple components associated with sender and receiver client & server systems. These components along with scrutiny of emails origin can help to analyze cybercriminals’ emails. Collection of the emails and storing them in a secured manner using email backup tools like Yahoo email Backup can be the most important and primary stage of Yahoo mail forensics. Once the emails in bulk are collected, their components can be explored in detail. Other artefacts can be accumulated through browser cache, headers, etc. The strategies enlightened in the above section can help to analyze the emails in bulk.