Extract Forensic Evidences From Live@EDU Account

Creative Team | August 1st, 2016 | Forensics

In this Article you will read about the topic “Extract Forensic Evidences from Live@EDU Account”.

As we know that with the development of advanced technologies, the crime rates have also increased tremendously. Every individual uses one web-based service or another for multiple purposes like emailing, exchanging documents, retrieving information, educational services, etc. One such area that requires forensic investigation is Microsoft Live@EDU, which is now known as Office 365 for Education. It is a free suite of hosted Microsoft Services & applications, which has been developed mainly for educational needs.

What exactly is Microsoft Live@EDU?

Microsoft provides various convenient services for each individual whether he/she is an employee, student or teacher. Microsoft Live@EDU is a cloud-based platform that is meant for the interaction of students and educators. It provides educational institutions with a Microsoft platform for delivering email, calendaring, communication, collaboration services and storage capabilities without any fee involved. It is the combination of Microsoft Outlook Live feature with 10 GB Exchange Experience and Windows Live benefits such as 25 GB SkyDrive online storage, Windows Live Messenger and Office Web Apps with SkyDrive.

Need For Forensic Investigation

As we knows that Live@Edu is a subset of Exchange Online and Office Web Apps for academic institutions, students and teachers use it for storing or sharing information online. The main arena that needs to be focused while talking in terms of investigation purpose is the storage locations. Two main storage locations that we need to look for evidences in Office 365 for Education are:

  • Exchange storage for emails, calendars, contacts, etc.
  • SkyDrive Storage for information and Office online documents

The users of Office 365 for education has the most confidential & sensitive data in these storage area where mail contents, group feeds, activities or assignments updates by teacher for their students are stored. Need for investigation arises when the data stored are leaked or if it has been modified/accessed by un-authorized users for illegal purpose.

Challenges Involved in Investigation of Office 365 Data

  • Storage Location
    Like any other web-based Office 365 platform, Live@Edu does not employ any of the file formats for storing the data. It becomes quite difficult for forensic team to get physical acquisition of the data, which is the foremost phase in carrying out any investigation. To download any Office 365 data, the users are required to have a valid and registered Microsoft account.
  • Large Amount of Account Data
    Another challenge is each Live@Edu account will contain large number of emails and searching for a particular email becomes tiring and hectic. In the next section, we will learn about some of the ways to carry out the investigation.

How to carry out the Investigation on Office 365 for Education?

  • Audit Trails
    The most important thing to investigate Office 365 data is to use Audit Trails, which is a useful means for ensuring security & gathering information for investigation purpose. It is necessary to ensure that the audit trails is enabled and properly configured. Audit is a record with all the details of anyone accessing the account along with timestamp & any actions performed on it. However, the problem is Auditing is not enabled for all the Office 365 mailboxes by default. If the user mailbox has disabled Audits, we cannot trace information present in it such as Authentication logs, client connection details, message tracking data, etc. Event details have to be collected with the help of Microsoft support or using Web Console/PowerShell commands. The audit information will be available in target mailbox if it has been enabled.
  • eDiscovery Feature
    Office 365 for Education has an inbuilt eDiscovery feature that facilitates the investigators with a search option. It helps in searching the mailboxes in the organization for emails and other message types containing specific keywords. There are two types of eDiscovery feature:

    1. Exchange In-Place eDiscovery
      It provides an Exchange administrator the ability to conduct searches on inbox, archived mailbox, calendar, tasks, etc. using Exchange Administration Console. It is included with A2 license for Admin as well as for the searches. It has limit of 5000 mailboxes for search size using EAC interface.
    2. SharePoint eDiscovery
      It is available in eDiscovery center that comes as a part of SharePoint Online requiring A3 license for both admin queries and for the users that are searched. It has search limit of 100 SharePoint sources, 500 keywords and 1500 exchange sources.

The most important part of this investigation is the ability to extract forensic evidences From Live@EDU Account. The procedure of carrying out investigation on a cloud-based service such as Office 365 for Education is a cumbersome task, as there is no control over the data. Imaging is an important part of the investigation procedure, which can be accomplished only by downloading the data to a local platform. A third party tool can best serve this purpose by downloading the cloud storage to the investigation machine, making sure that it remains safe throughout and results can be generated in the form of presentable evidence. In order to overcome this issue and carry out the investigation efficiently a tool like MailXaminer can be taken into usage. It can be defined as a reliable solution that helps in examining multiple email clients to fulfill the need of email forensic analysis. Moreover, its provision of support for creating a clone of the cloud data on the software itself makes it an appropriate choice.


The blog has been focused to study the need of carrying out to Extract Evidence from Live@EDU account. Since it is cloud-based platform for enhancing interaction between students and teachers, the information exchanged related to school activities can be misused or modified. It has further discussed the challenges and possible ways to carry out the investigation. However, due to inability to extract presentable evidences using manual approach, a third party email investigation tool has been suggested in the end of the blog.