Aditya Mahajan*, Laxmikant Gudipaty and Mohinder S. Dahiya
Institute of Forensic Science, Gujarat Forensic Sciences University, Gujarat, India
Received Date: June 09, 2013; Accepted Date: August 17, 2013; Published Date: August 21, 2013
Citation: M Aditya, G Laxmikant, M.S. Dahiya (2013) Extracting Passwords and User- Related Data from Yahoo Messenger and Mail Client on Android Phones. J Inform Tech Softw Eng 3:120. doi:10.4172/2165-7866.1000120
Copyright: © 2013 M Aditya, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Visit for more related articles at Journal of Information Technology & Software Engineering
The purpose of this paper is to provide a simplified methodology to extract information stored in the internal memory of phone like chat logs, contact history, email history and user login password of a user using a Yahoo Messenger and Yahoo Mail application App on an Android Phone .This will help us classify the fore-mentioned artifacts as per their forensic importance to a forensic investigator depending upon the nature of the digital crime being analyzed. The introduction of smartphones into the market has opened up a whole new scope of possibilities on how a mobile phone can be used by a user. The modern day smartphones are capable of strongly competing with computers in terms of the functionality and features that they can provide. Some of these features include email support, instant messengers, interactive games, GPS navigation, music player, document viewers and readers. The feature which we intend to primarily focus on in this paper is Yahoo instant messenger applications and Yahoo mail client application that can be freely downloaded and installed on Android Smartphone. The recovery of digital evidence in the form of user names, Passwords, conversations and contacts details on Instant messengers and mail clients may yield valuable information regarding the suspect/victim’s chatting and email history or their contacts list details.
Android forensics; Yahoo Messenger forensics; Yahoo Mail Client Forensics; FileSystem extraction; SQLite database browser
Instant messenger applications are those applications that support instant messaging communication in a bidirectional manner at real time speeds between users who are logged in to the messenger. The more recent instant messengers not only provide text messaging but also audio and video communication at real-time. The modern day smartphones support instant messaging thereby increasing their functionality well beyond the basic call sending/receiving and SMS feature. Instant messengers on smartphones however require the user to be logged on using a unique username and a password. Once logged in to the messenger using a registered username and password, the user can then communicate via text, audio or video with anyone who is added to their contact list and is logged on to the messenger at that instant. Similar to messenger application, an email client allows a logged in user to send or receive emails on the smartphone.
During the research, experiments were conducted on Android phones for discovering the objects of potential evidentiary value such as chat history, contact lists, user login name, password, email history associated with the Yahoo instant messenger application  and email clients installed on the smart phone. This discovery may provide substantial information regarding the user and his/her contact details, chat log and most importantly the login password of the user who has signed in to the application. The Yahoo mail client application was downloaded from the Google Play Store and installed onto the phone with Android Version 2.2 (Froyo). However, we found the password stored in plain text form which was easily readable. This forensically relevant information may prove to be very vital in proving a crime or providing a lead to the investigators to further investigate a digital crime and successfully establish the occurrence of a crime. The basic methodology and the purpose behind the research is to try and discover the precise locations on the phone’s memory from where forensically relevant information fore mentioned can be retrieved.
Following the steps mentioned below, we were able to successfully extract the user password.
1. Using a forensically approved method to perform file system extraction of Android test devices.
2. Browsing through the filesystem to find the precise location where chat logs, contacts list and passwords related to Yahoo Messenger application are stored ( \data\data\com.yahoo. mobile.client.android.im ).These artifacts are usually stored in .db (SQLite ) database files
3. Analyzing the database files using a database browser such as SQLite Database browser.
Using a forensically approved method maintains the integrity of the data on the device and doesn’t alter or change any data on the cell phones .
The main motive behind this research is to ascertain whether the applications installed or run on the Smartphone leave any artifacts on the device’s internal memory or not. This evidentiary data may prove to be very crucial during investigations of any criminal case. The list of possible evidentiary artifacts associated with Yahoo messenger and Yahoo mail client that may be discovered on phone’s internal memory are as follows:
1. Contact list
2. Login Username
3. Login Password
4. Instant messaging conversations
5. Mailing history
The aforementioned objects may help us recreate a scenario that may have occurred at the crime. Further investigation of such objects may provide valuable leads that affect the verdict of a case.
However these evidentiary objects need to be extracted and analyzed in a forensically sound manner to be help admissible in court of law. The integrity of the data should not be compromised with under any circumstances. With this intention, the tests and experiments conducted in this paper have been performed following the guidelines established by NIST .
Efforts have been taken to ensure that a realistic crime scenario is replicated and the investigation is performed in a reliable manner. Similar to a real time crime scenario, a suspect or victim may have installed Android applications namely Yahoo Messenger version 1.8.3  and Yahoo Mail Client Version 1.8.1  on their Smartphone. The mobiles used may be rooted or unrooted. Considering all these circumstances, we designed our tests accordingly. A mobile phone was specially rooted  for these experiments while keeping others unrooted.
A secure workstation devoid of any form of malware was configured and setup. Details of the workstation are as follows:
• Windows7 Professional - SP1
• RAM - 8 GB
• System Type- 64 bit Operating System
• Processor - Intel Core i7- 3770 CPU @3.40 Ghz
This setup was disconnected from any form of network to ensure utmost security from vulnerabilities caused by networks. The experiments were conducted keeping the predefined settings of the devices intact. The internal memory configurations such as cache size were left unaltered. Hash values were also generated prior to experiments. Hash values  play very important role in order to submit evidence in court of law. Hash Values calculated for all the phones are given in Table 1. Figure 1 shows the Mobile phones and equipment used for testing and experiments. Following is the list of Hardware’s and software’s used for testing and conducting experiments:
|Android Device||Hash Value (SHA 256)|
|Sony Xperia Neo V (MT11i)||6A3F63E4EVEB0D036CB9AE25A2183B761C3B79128A59DE92481B68AF4CD2B24|
|HTC A8181 Desire||23BD7BC18C36A20BC3F07501570A9EF5C787A6701C49E4E4A4EE80D6EFB761A6|
Table 1: Hash Values calculated for phones.
• 3 Android phones
• Sony Xperia Mt11i – Neo V (version: 4.0.4 – ICS)
• LG P698 F Optimus Dual( version: 2.3.4 – Ginger Bread )
• HTC A8181 Desire (version: 2.2.1 – Froyo)
• Cellebrite UFED Classic Ultimate (version: 126.96.36.199)
• Yahoo Messenger and Yahoo Mail Client
• SQLite Database Browser (version: 2.0)
• USB data cables
• SuperOne Click (Version: 2.3.3)
• Android Commander (version: 0.7.9.11)
However, Cellebrite UFED is not the only tool which extracts this data, Micro Systemation’s XRY tool can also recover this data and can be used for analysis.
The following scenarios were incorporated as a part of test procedure
1. Rooted Android smartphones
2. Unrooted Android smartphones.
Scenario of rooted smart phones: The following phone was rooted in order to perform the experiments:
• LG P698F Optimus Dual (Android 2.3.4 Gingerbread)
Rooting an Android device is a methodology by which we gain root privileges of a device. Acquiring root access of a device allows the user to gain elevated privileges thereby allowing the user to access permissions and rights that are by default not available to the user of unrooted mobile. The main purpose of rooting in our test scenario is to secure access to root folder i.e. internal memory of the smartphone. This will eliminate the need to perform filesystem extraction of the smartphone as the folders & files of the root directory (internal memory) are directly accessible after gaining root privileges. The directories can then be directly copied using freely available tools namely Root Explorer for the device and Android Commander for desktop PC. Acquisition process through Android Commander is later described in this paper.
The Yahoo Messenger and Yahoo Mail client applications were then installed on the device from Android’s official application source Google Play Store [3,4]. The evidentiary objects related to these applications that left a trace on the device’s internal memory were then located and analyzed without having to use expensive imaging and extraction tools.
Scenario of un-rooted smart phones: Following Unrooted phones were taken in-order to perform tests and experiments:
1. Sony Xperia MT11i – Neo V (version: 4.0.4 – ICS)
2. HTC Desire A8181 (version: 2.2.1 – ICS)
Unrooted Android phones restrict the access to root files and folders residing in the internal memory of the phone. To extract the data from those folders without rooting the phone, mobile data extraction device UFED from Cellebrite was used. Physical, FileSystem and Logical extractions are supported by UFED (Universal Forensic Extraction Device) [7,8] which covers extensive range of phones. However, FileSystem extractions were carried out here for manual analysis of data extracted from both phones. Filesystem extraction extracts all the files and folders which contain database files, log files, login-Id’s information, chat logs and other important data.
The major difference of an unrooted Android phones compared to rooted phones is the unavailability of root access. This disallows accessibility to the root folder present on the internal memory of the device. Therefore such devices compulsorily require complete filesystem extractions in order to acquire folders that are otherwise unavailable without root access. The potential evidence related to yahoo can then be accessed by analyzing the output of filesystem extraction tool used via UFED Classic Ultimate. Thereafter we can investigate the potential evidence left behind by the Yahoo Messenger and Yahoo Mail application.
The following operations and activities were performed using both sets of mobiles phones i.e. rooted as well as unrooted:
➣ Common activities performed:
• Installing Yahoo messenger and Yahoo mail client applications from Google Play Store.
• Logging into Yahoo Messenger using test username and password.
• Instant Messaging using Yahoo Messenger application
• Logging into Yahoo Mail Client application using test username and password.
• Sending emails via Yahoo Mail Client application
• Receiving emails on device via Yahoo Mail Client application.
File system acquisition
This stage involves acquisition of filesystem located on the internal memory of each smartphone. The unrooted smartphones used in the testing procedure require acquisition  using hardware based devices such as UFED Classic Ultimate. This acquisition is performed in a forensically approved manner to ensure that evidences discovered can be admitted in the court. This approach also compulsorily requires enabling USB Debugging  from settings menu on each device.
The acquisition of the rooted devices requires no physical hardware device for extraction and could be performed using freely available tools like Oxygen Forensics and MobilEdit. Acquisition can also be done using simple “dd” command in computer after connecting the cellphone to the computer. However, the drawback of such an approach is admissibility in court  as it involves rooting an Android phone. The procedure of rooting a device involves certain write operations on the internal memory of the device thereby affecting its integrity.
After acquisition of filesystem dumps of each of the test devices, a thorough forensic examination of the files and folders extracted was performed. The location of databases associated with Yahoo Messenger and Yahoo Mail apps was determined and evidentiary data was extracted and analyzed using forensically admissible techniques. The manual examination and analysis of databases so found, helped us acquire potential evidences i.e. Instant messaging chat logs, user login names, passwords ,mails sent and received related to Yahoo messenger and Yahoo mail Android applications installed on the test phones.
Implementation and analysis phase
First stage of this experiment involved installation of Yahoo Messenger and Yahoo Mail Client applications on all the test devices. A common set of activities to be performed were decided upon and conducted on each device. The criteria behind deciding these activities was to ensure that the activities could replicate a real time scenario and help provide data that might prove to be crucial as per a digital forensic experts perspective.
The activities performed on the Yahoo Messenger application and Yahoo mail application on each of the test devices are:
• Creation of test user account.
• Logging into the application using test user name and password
• Sending mails
• Sending mails
Table 2 describes the activities briefly. After thoroughly performing the above mentioned activities, a file system acquisition of each device was acquired using different approaches. The approaches implemented to obtain the required data have been described later in the paper.
|Yahoo Messenger||1) Logging in with username [email protected]|
|2) Send instant messages to [email protected]|
|3) Receive instant messages from [email protected]|
|Yahoo Mail Client||1) Logging in with username [email protected]|
|2) Send email to [email protected]|
|3) Receive email from [email protected]|
Table 2: Activities performed using Applications for testing.
Approach for rooted phones
Prerequisites: This approach requires acquiring superuser/root privileges of the following Android Smartphone by rooting the device.
Device: LG P698F Optimus dual (Android 2.3.4 Ginger Bread): A third party tool called SuperOneClick  was installed on the forensic workstation.
Under the Settings menu in the Android device >Applications>Deve lopment>Enable USB Debugging option is enabled. After downloading and installing the LG USB drivers and other required drivers, the device is connected to the workstation and the “SuperOneClick” application is executed. The Root Device button is clicked upon to begin the rooting of the device. This takes approximately ten minutes to complete followed by a device reboot. After rebooting the device, a SuperUser application is automatically installed on the device which means root privileges for the device have been acquired and the user is now a root user.
Acquisition of rooted phone: As mentioned earlier, file system acquisition on a rooted phone requires no additional hardware based extraction devices. A third party free application like Android commander will allow the user to view the root directory on a rooted device and support pulling and pushing of directories within the internal memory of the mobile device. The folders that are of importance to us from an examiner’s perspective are:
1) \data\data\com.yahoo.mobile.client.android.im\databases\ (Yahoo Messenger related artifacts)
2) \data\data\com.yahoo.mobile.client.android.yahoo\ databases\ (Yahoo mail application related artifacts)
Since our primary focus is on extraction potential evidentiary data related to Yahoo messenger and Yahoo mail application from Android Devices, we can merely pull or fetch the above mentioned directories leaving rest of the directories intact. An application called Android Commanders that is free for download is downloaded from “www. Androidcommander.com” and installed on forensic workstation being used. This application will provide an elaborate view of all the available folders on the internal memory of the device.
The methodology employed to extract the desired folders is as follows:
1) Enable USB debugging on the device and connect the device to the preconfigured workstation.
2) Launch the Android commander application on the workstation and select the device from the list of devices available list. This will allow us access into the root directories of the internal memory
3) Thereafter we can simply pull the folders of interest and save them on the desired location on the workstation.
File system acquisition of unrooted devices: Steps for Filesystem Extraction from UFED :
1. Under settings menu, go to development and Enable USB debugging option.
2. Connect mobile phone to source port via USB cable.
3. In UFED, Under Filesystem option, select mobile phone model.
4. Press continue for extraction
The files and folders will be extracted into a “.zip” file to the USB drive attached at the destination port of UFED.
This section focuses on representation of the outcome of the experiments conducted. The results of analysis of each of the applications “Yahoo Mail and Yahoo Messenger”, related data has been enlisted below for simplified  understanding and concise representation of the study.
Yahoo Chat/IM application examination and results
Following the golden rule of forensics, the acquisition of desired folders from phone’s internal memory was performed ensuring complete integrity of data.
The examination of “\data\data\com.yahoo.mobile.client.android. im\databases\” revealed several forensically vital artifacts stores in SQLITE databases (.db files)
These SQLite databases are lightweight databases for mobiles for stories important entries and tuples in tabular form.
The messenger.db found in “\data\data\com.yahoo.mobile. client.android.im\databases\” revealed a lot of forensically important information. The list of “.db” files found present on the internal memory are:
Table 3 shows the different artifacts found in different database files mentioning particular table.
|Database File Name||Table Name||Artifacts Found|
|Messenger.db||Users||Usernames of Yahoo application users|
|Message_1||Instant Messaging/Chat conversations along with TIMESTAMPS|
|Buddies_2||Messenger Contact List|
|Share.db||Accounts||All Login user names used for application|
Table 3: Artifacts found in Yahoo Chat/IM.
The instant messaging conversations/chats displayed both sender and recipient name along with Timestamps of the conversation. Timestamps are forensically very important as they help in establishing the timeline of when the conversation happened. This may provide valuable leads regarding the time at which the conversation occurred.
Apart from the two databases discussed above, the other three databases did not provide any data that could be important from a forensic investigation perspective.
Yahoo mail client application examination and analysis
Similar approach was followed to analyze the “data/data/com. yahoo.mobileclient.androidyahoo” folder which yielded far more interesting results related to the mail client used on the devices. We could recover snippets of emails sent or received along with their source and destination email addresses. Such information could come in handy when a case requires proof of the mail being sent or received. The user name or email id used to login to the messenger client and the password associated with that user id could also be recovered on specific devices i.e. Devices running Android version 2.2. The recovery of password on devices running Android versions beyond version 2.2 was not possible. This clearly implies that the Application developers came up with better security mechanism to ensure privacy of user data is not compromised.
The lists of databases found on the Yahoo Mail client application folder are
The most important database from a forensic perspective is webview.db. This database file revealed valuable artifacts given in Table 4.
|Database File Name||Table Name||Artifacts Found|
|Webview.db||Formdata||1. Sent Email History
2. Received Email History
|Password||1. Email Address of the User
2. Password of the user (in Plain Text)
Table 4: Artifacts found in Yahoo Mail Client.
Screenshots of artifacts found on Android devices during experiments and analysis
Figure 2 and 3 shows the list of contacts and friends added in the yahoo account profile of the userfound in the table named as ‘Buddies_2’.
Figure 4 shows the list of login-id’s used by the cellphone user found in table ‘Users’.
Figure 5 is the most important data which is found in table ‘password’ which stores and shows the password of the respective login-id.
In Figure 6, following is the significance of Values in the “iAmSender” Parameter:
If value=‘0’, Message is Sent by the User
If value=‘1’, Message is received by the User
Also, for every chat message sent by the user, a unique hash value is generated by the application.
The Forensic examination of Yahoo Mail and Yahoo Messenger were aimed at determining whether the operations performed by these applications leave any traces on the internal phone memory. The tests conducted provided valuable results that helped us to retrieve forensically vital artifacts such as Chat Logs, Contact list, login name, passwords (password only in Android 2.2). The tests results have been represented in a simplified manner for better understanding of the reader. The password retrieval was the most turning point of this paper as most Android phones store password in encrypted form or in token and not in simple text whereas in this, the password was retrieved in simple text. The artifacts discussed in the paper have tremendous potential to act as a source of evidence and provide valuable leads in a digital crime case. We hope that the paper provides a valuable insight to forensic examiners who deal with cases where Yahoo Mail and Yahoo Messenger are objects of interest.