As per our previous Vietnam cloud email study, 3.1% of all domains in the Vietnam DNS top level domain (.vn) use Zoho mail (now renamed as Workplace). This article describes the forensics information available to organisations using any of the multiple variants of Zoho email hosting plans.
For custom domains, Zoho offers a free “web-mail only” plan for up to 25 users, which makes quite a big difference to Google, where their basic package for 25 users would cost US$125 per month. The free plan is very limited (5GB per user no possibility of an email client), but would be suitable for smaller organisations.
Beyond the free plan, Zoho has three different offerings with full email functionality (POP/IMAP and Active Sync). They are called Standard, Pro and Enterprise, and are currently (May 2018) priced at $3, $6 and $10 per user/month respectively, with discounts if payed for annually.
Most features do gradually increase on each level. Items like:
- Mailbox size grows up to 1TB on Enterprise,
- Attachment sizes grow from 25MB on the free plan all the way to 40MB on Enterprise
The only Digital Forensic features on the Pro and Enterprise plans description are focused on Zoho docs (document management).
- Audit trail, alongside advanced analytics and report available from Pro level.
- eDiscovery features available on Enterprise.
Zoho Mail Free Plan
The entry plan for Zoho Workplace is the Free plan – which allows up to 25 users for a single domain through webmail only (no desktop or mobile clients can connection).
The forensic information is available in two areas: the per-user accounts management screen (https://accounts.zoho.com/u/h#home) and the Administrative Control panel (https://mailadmin.zoho.com/cpanel)
The account management screen has 8 tools available on a 3 by 3 grid.
The interesting part for forensics purposes is the bottom row:
- Active authtokens will manage any Oauth permissions for applications (mobile or desktop), browser extensions and so on. Empty on the free plan (service is webmail only).
- Active sessions will give a list of current session open with Zoho servers (those that have not been logged out). This allows for sessions to be closed.
Note that by default, the Zoho sessions expire in 30 days. If the browser is closed without a clean log out, the browser will remain authenticated with the platform for a month.
- Activity history, gives a list of past browser sessions – including user-agent, referrers, sign in date and IP addresses. The activity history is only available for the current month.
On the administrative side of things, Zoho account administrators can also see quite a few things in the Zoho Control Panel.
The first point of call is the Login History on the User Details list. Displays the same information as the user-based Activity History, with slightly more detailed time granularity.
Audit logs for administrative actions are available on Mail Administration -> Troubleshoot -> Audit logs. Administrative events like creating a mailbox, changing a mailbox configuration…etc. will be logged here. This is only useful if the problem under investigation involved the compromise of admin credentials and intruders have been tampering with service configuration.
The mail logs (email headers for emails sent and received) can also be seen on Mail Administration -> Troubleshoot -> Mail Logs. On all plans the search capabilities are limited to a 4 day search, but this can be used as a sliding window to cover larger periods of time. Email logs are only available for 30 days.
Even on the free plan, the Zoho email forensics capability is adequate, however the retention logs limited to 30 days across all plans (similar to the session maximum duration) is a hard cut-off on investigations.
Zoho Mail Standard Plan
Our next step on this digital forensics evaluation was to upgrade to the Standard plan. This is pretty seamless in the Zoho control panel, all it took was a $6 debit card payment. Our two users were immediately updated with new features.
Email-wise, the ability to connect via both the Zoho app or an email client was the most visible change. This means that the Active Authtokens screen will contain finally token information. This example is of a Zoho Mail Android app.
The accounts can also use standard email apps by generating an app password to allow the use of POP/IMAP clients (after allowing IMAP access).
However IMAP/SMTP access is not being logged anywhere, only browsers and Zoho mail app logins are logged. Not even on the administrative interface login history.
This a blind spot for digital forensics on the Zoho platform.
Our main advice is not to enable IMAP or POP3 access at all on the accounts, and force users to use webmail and the official Oauth based mobile apps.
- The Free plan has good information available for digital forensics, although the webmail-only function limits its use.
- The Standard plan also contains good digital forensics information, but has a significant blind spot on IMAP/POP3 access, which should be disabled to preserve log integrity.
- The Pro and Enterprise plans contain information only needed for those organisations that use Zoho docs for their document storage (audit trail, analytics and e-Discovery).
- All plans have a 30 day retention limit for email related logs, which will be a problem for dormant breaches that may go undetected longer.