Yahoo Mail is considered one of the most secure email clients. Yahoo started as an idea, became a hobby and then a full-time passion for its developers Jerry Yang and David Filo. Yahoo ("Yet Another Hierarchical Officious Oracle") started in 1995 at Stanford University and is known as a successful global internet media company serving millions of clients. Looked at closely, Yahoo is not a complete search engine; it is a subject directory.
Yahoo itself is an internet portal providing a structured view of millions of websites and web pages. A percentage analysis of email use shows that 70% of the world's population uses an email service daily, and among them 50% are Yahoo Mail users.
Need to Perform Yahoo Mail Forensics
As stated above, a large part of the world's population uses Yahoo Mail. It is among the top email applications on the web, smartphones and other devices, and promises features such as unlimited storage to its users.
Recently, however, a number of business groups have faced problems linked to junk email and unsolicited bulk messages, which eventually leads to litigation. These legal cases usually involve one party accusing another of unlawfully destroying vital information by sending spam messages.
In such cases a proper forensic investigation must be carried out to determine the origin of the spam mails so that they can be produced as concrete evidence in a court of law. The spam-message case is only one example; many other cases have led government authorities to include Yahoo Mail in their cybercrime investigations. These are some of the main reasons that create the need for Yahoo Mail forensics.
A forensic investigation revolves around three basic steps: acquisition, analysis and reporting.
Acquisition, also referred to as imaging, is the task of making an exact copy of the data to be used in the investigation. In the analysis step, experts examine every section of the imaged data to generate artifacts that can be presented in court.
In the final step, a report is prepared presenting all the artifacts carved from the data.
In the case of Yahoo, the forensics revolve around mails, so the same three steps are followed:
Acquisition in Yahoo Forensics
In the acquisition step of any forensic investigation, the data is copied from the digital media device. The digital media found at the crime scene is seized by authorized law enforcement agencies; this whole process is known as seizure.
After the device is seized, acquisition is performed on it using a hard drive duplicator in write-block mode. Forensic duplicators are the devices used for this purpose; examples include EnCase, TrueBack and Tableau. To prevent tampering, the original device is then sent to secure storage. The image created from the digital media is later verified using hashing.
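An added example, not part of the original post, of the hashing verification mentioned in the last sentence: it hashes an image in chunks, compares the result with the hash recorded at acquisition, and shows that a single changed byte fails the check. The image is a constructed temporary file standing in for the duplicator's output.

```python
import hashlib
import os
import tempfile

def hash_image(path: str, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Hash a forensic image in chunks so multi-GB files never sit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_image(path: str, acquisition_hash: str, algorithm: str = "sha256") -> bool:
    """Compare the image's current hash with the one recorded at acquisition."""
    return hash_image(path, algorithm).lower() == acquisition_hash.strip().lower()

def demo() -> tuple:
    # Constructed stand-in for a disk image; a real one comes from the duplicator.
    fd, path = tempfile.mkstemp(suffix=".dd")
    with os.fdopen(fd, "wb") as f:
        f.write(b"constructed sample image bytes\n" * 1000)
    recorded = hash_image(path)          # value written on the acquisition form
    intact = verify_image(path, recorded)
    with open(path, "r+b") as f:         # simulate a single altered byte
        f.seek(10)
        f.write(b"X")
    tampered = verify_image(path, recorded)
    os.remove(path)
    return intact, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```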
Analysis in Yahoo Forensics
After acquisition, the image file produced by the duplicator is analyzed. Artifact sources are located and evidence carving is performed to generate the artifacts used to solve the case. The analysis can be performed in two systematic steps.
In this part we locate all the sources from which artifacts can be drawn. For this we need to know where Yahoo data is saved.
Whenever Yahoo Mail is accessed in a browser, a lot of information is stored in various browser locations on the machine which can later be used in the investigation. The cache, history and cookies are the best locations to obtain evidence. The history gives the date and time stamp of each access. The cache contains the details of the mail pages the suspect visited. The cache location changes with the operating system.
The image above shows the cache location on various operating systems when Internet Explorer is the browser.
This image shows the cache location on various operating systems when Google Chrome is the browser.
The image above shows the cache location on various operating systems when Mozilla Firefox is the browser.
By visiting the location corresponding to the operating system and browser used by the suspect, the expert can carve out artifacts for solving the case.
The most important part, around which Yahoo forensics revolves, is the Yahoo email itself, and the main part of any email to be analyzed from a forensic point of view is its header, which contains all the required information. To view the full header of a mail in Yahoo, perform the following steps.
The option is shown below in the screenshot.
In this way the complete header can be seen. To analyze the headers of mails in bulk, it is better to take a backup using a utility and view them offline; a Yahoo backup tool can be used for this header-viewing task.
The email header is of two types: the brief header and the full header. Suspects can forge the brief header, but the exact sender information can be viewed in the full header. The action performed above shows the full header of the mail.
Yahoo Mail header structure: The format of the Yahoo Mail header changes from time to time. The header plays a very significant role in the artifact carving process. The DomainKeys signature, sender IP address and other relevant information can be viewed in this header.
The DomainKeys signature, also referred to as DomainKeys Identified Mail (DKIM), is the field that shows the organization that takes responsibility for the message sent. The image below shows what the DomainKeys signature looks like.
The Yahoo mail header gives all of the information shown below, which can be a good source of artifacts for Yahoo forensics.
Each field in the header shown above gives some relevant information about the Yahoo mail.
X-Apparently-To: This field shows the email addresses of the recipients. It corresponds to the To, CC or BCC fields in the brief header.
Return-Path: This field shows the address that appears as "Reply To" in the mail interface. It can be spoofed easily and so cannot be relied upon.
Received-SPF: This field shows the email service used to send the message. In cases involving spam messages it will not show the ID shown above, which indicates that the message was spoofed.
X-Originating-IP and Received: from: These fields show the IP address, which is later used to reveal the server name.
DKIM-Signature: This is the DomainKeys signature discussed in the section above; it carries the mail signature.
Message-ID: This field shows the unique ID assigned to every message, which authenticates it.
MIME-Version: This field shows the MIME version of the Yahoo mail.
The Message-ID field in the mail header structure shown above can be a very good source of information about the device that sent the message.
This is how the Message-ID looks when the message is sent from an Android application.
Similarly, the Message-ID changes according to the sending device, so carving out information about the sending device can be a great success in the case.
The processes discussed above make up the analysis step of Yahoo forensics. We now move to the final step.
Report preparation is the final and an important aspect of the Yahoo forensics process. The final report contains all the artifacts carved out during analysis, in a form that can be understood by non-technical individuals. The other documentation and all the meta information are also part of this final report.
The final report is presented to the legal authority commissioning the case, which decides whether or not to present the evidence in court. The report is the final output, a representation of the whole analysis performed, so a well-made report lets the expert communicate the analysis better to its audience. The outline and organization of the report are important factors to keep in mind while preparing it. PDF is the ideal format for submitting the report.
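As an added example (not from the original post), the following Python script pulls the header fields listed above out of a constructed Yahoo-style full header: the recipients, Return-Path, the SPF result, both IP sources, the DKIM signing domain, the Message-ID domain and the MIME version. Every address, IP, domain and ID in the sample is a placeholder I made up; in particular the Message-ID's local part is invented and does not reproduce the real Android format shown in the post's screenshot.

```python
import email
import re

# Constructed sample of a Yahoo-style full header for this example; every
# address, IP, domain and ID is a placeholder, not data from a real message.
SAMPLE_HEADER = """\
X-Apparently-To: recipient@example.com; Mon, 07 Mar 2016 10:15:22 +0000
Return-Path: <sender@example.org>
Received-SPF: pass (domain of example.org designates 203.0.113.7 as permitted sender)
X-Originating-IP: [203.0.113.7]
Received: from mta.example.org (mta.example.org [203.0.113.7])
  by mta.example.com with SMTP; Mon, 07 Mar 2016 10:15:21 +0000
Received: from [198.51.100.23] (client.example.org [198.51.100.23])
  by mta.example.org with ESMTPA; Mon, 07 Mar 2016 10:15:20 +0000
DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=s2048;
  h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER
Message-ID: <1457345720.12345.androidapp@mail.example.org>
MIME-Version: 1.0
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def summarize_header(raw: str) -> dict:
    # Default (compat32) policy keeps header values as raw, folded strings.
    msg = email.message_from_string(raw)
    # Relays prepend Received lines, so the LAST one is the earliest hop (origin).
    received = msg.get_all("Received") or []
    hop_ips = [IP_RE.findall(hop) for hop in received]
    origin_ip = hop_ips[-1][0] if hop_ips and hop_ips[-1] else None
    # Received-SPF begins with the result token (pass, fail, softfail, none...).
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split(None, 1)[0].lower() if spf else "absent"
    # DKIM-Signature is tag=value pairs separated by ';'; d= is the signing domain.
    dkim = msg.get("DKIM-Signature", "")
    tags = dict(t.strip().split("=", 1) for t in dkim.split(";") if "=" in t)
    msgid = msg.get("Message-ID", "").strip("<> ")
    return {
        "recipients": msg.get("X-Apparently-To", "").split(";")[0].strip(),
        "return_path": msg.get("Return-Path", "").strip("<> "),
        "spf_result": spf_result,
        "x_originating_ip": (IP_RE.findall(msg.get("X-Originating-IP", "")) or [None])[0],
        "received_origin_ip": origin_ip,
        "dkim_domain": tags.get("d"),
        "message_id_domain": msgid.rsplit("@", 1)[-1] if "@" in msgid else None,
        "mime_version": msg.get("MIME-Version"),
    }

if __name__ == "__main__":
    for field, value in summarize_header(SAMPLE_HEADER).items():
        print(f"{field:>20}: {value}")
```

Note that in the sample X-Originating-IP (the relay Yahoo saw) and the earliest Received hop (the client behind that relay) differ, which is why both are worth recording.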
Yahoo forensics can thus play a major role in the forensic investigation of any digital crime case involving Yahoo Mail. The content above can be very helpful in any forensic email investigation where the suspect used Yahoo Mail. The simple three-step process followed above makes the investigation simple yet very effective for carving out evidence and solving the case.