Microsoft Exchange Server provides a messaging environment backed by its own database, which is where the communication data lives. In older versions (Exchange 2000/2003) that data was split into two files: priv.edb for user mailboxes and pub.edb for public folders. Later versions keep each mailbox database in a single .edb file, and from Exchange 2013 public folders are themselves stored in mailboxes. In every case the evidence an investigator needs sits inside these database files, which is why Exchange email analysis has techniques of its own.
For Exchange email forensics, most investigators prefer third-party tools that analyze Outlook data, but Microsoft has also built eDiscovery and compliance features into the server application itself.
Some challenges involved in email forensics of Exchange Server
Access to the live Exchange Server and its mailboxes: Either the business runs on the server, or the server is the business. In both cases the server cannot simply be shut down so that eDiscovery proceedings can take place.
Exporting the mailbox to a PST while the server stays online is the usual way around this. Every version of Exchange has shipped a tool for it that works against a live server: ExMerge for Exchange 2000/2003, the Export-Mailbox cmdlet in Exchange 2007 and 2010 RTM, and New-MailboxExportRequest from Exchange 2010 SP1 onward.
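As an added example (not part of the original post), the following Exchange Management Shell commands export a scoped copy of a mailbox to a PST while the server is running, using New-MailboxExportRequest (Exchange 2010 SP1 and later). The mailbox j.doe, the analyst account forensics.analyst, the share \\EVIDENCE01\Exports and the date range are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on Exchange 2010 SP1 or later. Names, paths and dates below are assumed.

# 1. The export cmdlets are invisible until the account holds the
#    "Mailbox Import Export" role; assign it once from an Organization Management
#    account, then restart the shell.
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "forensics.analyst"

# 2. The target must be a UNC path on which the "Exchange Trusted Subsystem"
#    group has read/write access; a local drive letter is rejected.
$share   = "\\EVIDENCE01\Exports"
$mailbox = "j.doe"
$start   = "01/01/2015"     # dates are parsed in the server's locale
$end     = "03/31/2015"
$pst     = "$share\$mailbox-$(Get-Date -Format yyyyMMdd).pst"

# 3. Queue the export. The ContentFilter (OPATH syntax) limits it to the window
#    under investigation. Recoverable Items (the dumpster) is included by default;
#    never add -ExcludeDumpster on a forensic export, that is where soft-deleted
#    mail lives.
New-MailboxExportRequest -Mailbox $mailbox -FilePath $pst -Name "Case-$mailbox" `
    -ContentFilter "(Received -ge '$start') -and (Received -le '$end')"

# 4. The copy runs in the Mailbox Replication Service, so the user keeps working.
#    Poll until Status is Completed.
Get-MailboxExportRequest -Name "Case-$mailbox" | Get-MailboxExportRequestStatistics |
    Format-Table Name, Status, PercentComplete, ItemsTransferred

# 5. Record a hash as soon as the file is complete so later tampering is
#    detectable (Get-FileHash needs PowerShell 4.0 or later on the machine).
Get-FileHash -Path $pst -Algorithm SHA256 | Format-List Path, Hash

# 6. Remove the finished request so the job record does not linger; the PST stays.
Get-MailboxExportRequest -Name "Case-$mailbox" | Remove-MailboxExportRequest -Confirm:$false
```

Scoping the export by date keeps the PST small and defensible, and hashing it immediately gives the chain of custody a fixed reference before the file is handed to any analysis tool.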
Restoring deleted data and mailboxes from the database: Deletion is categorized as soft or hard, and the distinction applies both to individual items and to whole mailboxes.
Items: An item that has been deleted from the mailbox but can still be restored from the dumpster (the Recoverable Items folder) through the "Recover Deleted Items" option in Outlook or OWA is soft deleted. Once it is purged from Recoverable Items, or the deleted item retention period expires, it is hard deleted.
Mailbox: A mailbox that has been disconnected from the database (disabled, or soft deleted after a move) but still sits in the database is soft deleted, because it can be reconnected or restored for as long as the mailbox retention period lasts (30 days by default). Once that period has passed and the mailbox is purged from the database, it is hard deleted.
Holds do not bring back data that is already hard deleted; they stop it from being hard deleted in the first place. The In-Place Hold and Litigation Hold options that come with Exchange eDiscovery keep deleted items (and the mailbox itself) in the Recoverable Items folder past the normal retention period, even if the user purges them, so they remain searchable. A hold therefore has to be in place before the retention period runs out; data purged earlier can only be recovered from a database backup.
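As an added example (not part of the original post), the following Exchange Management Shell commands enumerate disconnected mailboxes that are still within the retention window, restore one into a separate evidence mailbox instead of reconnecting it to the user, and then place holds so nothing further is purged. The database MBXDB01, the mailboxes j.doe and forensics.evidence, the display name "Jane Doe", the case names, the discovery mailbox name and the hold periods are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010 SP1 or later; step 5 needs Exchange 2013 or later). Names and
# periods below are assumed.

# 1. Disconnected mailboxes are still in the database: DisconnectReason is
#    "Disabled" (after Disable-Mailbox/Remove-Mailbox) or "SoftDeleted" (after a
#    move). Anything listed here can still be recovered.
Get-MailboxDatabase | ForEach-Object {
    Get-MailboxStatistics -Database $_.Name |
        Where-Object { $_.DisconnectReason -ne $null } |
        Select-Object DisplayName, MailboxGuid, DisconnectReason, DisconnectDate, DatabaseName
}

# 2. How long they survive: MailboxRetention (default 30 days) for the mailbox,
#    DeletedItemRetention (default 14 days) for items in Recoverable Items.
#    After these windows the data is purged (hard deleted) and only a database
#    backup brings it back.
Get-MailboxDatabase -Identity "MBXDB01" | Format-List Name, MailboxRetention, DeletedItemRetention

# 3. Copy the disconnected mailbox into a dedicated evidence mailbox rather than
#    reconnecting it (Connect-Mailbox) to the user, so the source stays as found.
#    SourceStoreMailbox accepts the MailboxGuid, LegacyDN or DisplayName from step 1.
New-MailboxRestoreRequest -Name "Case-JaneDoe" `
    -SourceDatabase "MBXDB01" -SourceStoreMailbox "Jane Doe" `
    -TargetMailbox "forensics.evidence" -TargetRootFolder "Case-JaneDoe" `
    -AllowLegacyDNMismatch
Get-MailboxRestoreRequest -Name "Case-JaneDoe" | Get-MailboxRestoreRequestStatistics |
    Format-Table Name, Status, PercentComplete, ItemsTransferred

# 4. For mailboxes that are still live, stop further loss before it happens.
#    Single item recovery keeps items the user purges from Recoverable Items;
#    Litigation Hold keeps everything for the given number of days (or
#    Unlimited), regardless of retention policy or user action.
Set-Mailbox -Identity "j.doe" -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30
Set-Mailbox -Identity "j.doe" -LitigationHoldEnabled $true -LitigationHoldDuration 365

# 5. In-Place Hold (Exchange 2013+) scopes the hold to a query; the same object
#    runs the eDiscovery search and copies hits to the discovery mailbox
#    ("Discovery Search Mailbox" is the default name, assumed here).
New-MailboxSearch -Name "Case-2015-07" -SourceMailboxes "j.doe" `
    -SearchQuery 'subject:"invoice"' -TargetMailbox "Discovery Search Mailbox" `
    -InPlaceHoldEnabled $true -ItemHoldPeriod 365
Start-MailboxSearch -Identity "Case-2015-07"

# 6. Confirm the holds actually applied before relying on them.
Get-Mailbox -Identity "j.doe" | Format-List LitigationHoldEnabled, LitigationHoldDate, `
    LitigationHoldOwner, InPlaceHolds, SingleItemRecoveryEnabled
```

Restoring into a separate evidence mailbox, rather than reconnecting the disconnected mailbox to the original account, keeps the original data untouched and lets the user's current mailbox continue in use.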
Verifying the trustworthiness of the Exchange database administrator: How trustworthy is the database administrator, and who has access to the mailbox with which permissions? The answers to these questions guide the investigation.
The mailbox audit logging feature in Exchange records who accessed a mailbox, when, under which logon type (owner, delegate or administrator), and what changes were made. It is only useful if it was enabled before the events in question: on-premises it is off by default, and nothing that happened earlier is recorded.
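As an added example (not part of the original post), these Exchange Management Shell commands enable mailbox audit logging, list who currently holds rights over a mailbox, pull the audit trail for non-owner access, and query the admin audit log for the commands that granted those rights or exported the mailbox. The mailbox j.doe, the date range and the share \\EVIDENCE01\Exports are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on Exchange 2010 SP1 or later. Names, dates and the share are assumed.

# 1. Mailbox audit logging is off by default on-premises and only records events
#    after it is switched on, so turn it on for every user mailbox now, not just
#    the one under investigation. Owner actions are the noisiest; log at least
#    deletions and edits for the owner and everything for delegates and admins.
Get-Mailbox -ResultSize Unlimited -Filter { RecipientTypeDetails -eq 'UserMailbox' } |
    Set-Mailbox -AuditEnabled $true -AuditLogAgeLimit 365 `
        -AuditOwner HardDelete,SoftDelete,MoveToDeletedItems,Update `
        -AuditDelegate FolderBind,SendAs,SendOnBehalf,Create,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete `
        -AuditAdmin FolderBind,MessageBind,Copy,SendAs,SendOnBehalf,Create,Update,Move,MoveToDeletedItems,SoftDelete,HardDelete

# 2. Who can open the mailbox right now. Explicit (non-inherited) FullAccess,
#    Send-As, Send on Behalf and per-folder permissions are the usual routes in.
Get-MailboxPermission -Identity "j.doe" |
    Where-Object { -not $_.IsInherited -and $_.User -notlike "NT AUTHORITY\SELF" } |
    Format-Table User, AccessRights, Deny
Get-Mailbox -Identity "j.doe" | Get-ADPermission |
    Where-Object { -not $_.IsInherited -and $_.ExtendedRights -like "*Send-As*" } |
    Format-Table User, ExtendedRights, Deny
Get-Mailbox -Identity "j.doe" | Format-List GrantSendOnBehalfTo
Get-MailboxFolderPermission -Identity "j.doe:\Inbox"

# 3. The audit trail for the period: every delegate and admin logon, what was
#    done, from which client and IP address, and on which item.
Search-MailboxAuditLog -Identity "j.doe" -LogonTypes Admin,Delegate -ShowDetails `
    -StartDate "01/01/2015" -EndDate "03/31/2015" -ResultSize 250000 |
    Select-Object LastAccessed, Operation, OperationResult, LogonType, LogonUserDisplayName,
        ClientInfoString, ClientIPAddress, FolderPathName, ItemSubject |
    Export-Csv -Path "\\EVIDENCE01\Exports\j.doe-mailboxaudit.csv" -NoTypeInformation

# 4. The admin audit log answers the "how trustworthy is the administrator"
#    question: it records who granted access or exported the mailbox, and when.
#    Check first that it is on (Get-AdminAuditLogConfig).
Search-AdminAuditLog -StartDate "01/01/2015" -EndDate "03/31/2015" `
    -Cmdlets Add-MailboxPermission,Add-ADPermission,Set-Mailbox,New-MailboxExportRequest,Set-MailboxDatabase |
    Select-Object RunDate, Caller, CmdletName, ObjectModified,
        @{ n = "Parameters"; e = { ($_.CmdletParameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join "; " } } |
    Export-Csv -Path "\\EVIDENCE01\Exports\adminaudit.csv" -NoTypeInformation
```

Combining the two logs matters: the mailbox audit log shows an administrator reading or deleting mail, and the admin audit log shows the same account granting itself FullAccess a few minutes earlier, which is what turns a suspicion into a timeline.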
Beyond these built-in options for Exchange email forensics, third-party tools help with evidence collection and email analysis. Purpose-built email investigation tools such as MailXaminer can download mailboxes from a live Exchange environment and analyze them for signs of tampering.