Live Exchange Forensics: Evidence Examination

MailXaminer | November 16th, 2020 | Forensics

MS Exchange is an email and calendaring server developed by Microsoft, and it runs exclusively on the Windows Server operating system. Exchange Server primarily uses a proprietary protocol, MAPI; support for IMAP, POP3, and EAS was added later. The standard SMTP protocol is used to exchange mail with other internet mail servers.

Email is one of the most heavily used services for exchanging information among individuals and businesses. Many measures have been taken to keep email from being used for unauthorized activities, but they are not enough to prevent email breaches. Two inherent limitations of email make it possible for a spammer to use it for illegitimate activities:

  • By default, no encryption is applied while a message travels from the sender to the receiver, and no integrity check is performed at the receiver’s end.
  • Emails are sent using the SMTP protocol, which does not use any authentication mechanism. Worse, an email header can easily be forged, so the apparent source of the email can be manipulated.

If you are about to perform a live Exchange forensics analysis, read on to see how the Exchange Server database can be examined.

How Does Exchange Server Store the User Database?

Exchange Server has two main components: storage groups and databases. A storage group is a container that holds mailbox stores and public folder stores. When Exchange Server is installed, a mailbox store and a public folder store are created by default. The default mailbox store consists of two database files, Priv1.edb and Priv1.stm.

Priv1.edb is a rich-text database file that holds message headers, message text, and attachments, whereas Priv1.stm holds streaming internet content such as multimedia files (audio, video, etc.).

Collecting Emails from Live Exchange Server

During the collection and preservation phase of an email forensics investigation on a live Exchange Server, several approaches can be used depending on the facts of the matter. For example:

  • Exporting the custodian’s mailbox using MS Outlook. This is done by exporting the local copy of the mailbox (the OST file) to PST file format.
  • In Exchange Server editions such as 2019, 2016 and 2013, the export can be done through the Exchange Management Shell (PowerShell cmdlets), which can export multiple mailboxes at once.
  • Specialized third-party tools can extract Exchange mailboxes and save them as Outlook PST files regardless of mailbox size.

One shortcoming of these approaches is that they do not export the deleted items from the mailbox. Items deleted from a mailbox are kept in a special retention area called the Dumpster, and deleted messages are preserved for a configured period in unallocated space in the Exchange database. An Outlook export will not include these recoverable deleted messages.
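The Exchange Management Shell route from the list above, written out as an added example (this is not code from the original post or from MailXaminer). It collects a custodian mailbox to PST and separately copies the Dumpster so deleted items are not lost. Assumptions: the account holds the Mailbox Import Export and Discovery Management roles; `\\EXCH01\ForensicExports`, `jdoe`, `DiscoverySearchMailbox` and `CASE-0001` are placeholders; Exchange 2013 or later.

```powershell
# Added example (not from the original post): collect a custodian mailbox from a live
# Exchange Server with the Exchange Management Shell, including the Dumpster /
# Recoverable Items content that an Outlook OST-to-PST export leaves behind.
# Placeholders: $Custodian, $ExportShare, $CaseTag, 'DiscoverySearchMailbox'.

$Custodian   = 'jdoe'
$ExportShare = '\\EXCH01\ForensicExports'   # share the Exchange Trusted Subsystem can write to
$CaseTag     = 'CASE-0001'

# 1. Record which database holds the mailbox and where its EDB file lives,
#    for the chain-of-custody notes.
$mbx = Get-Mailbox -Identity $Custodian
$db  = Get-MailboxDatabase -Identity $mbx.Database
"{0} is in database {1} ({2})" -f $mbx.PrimarySmtpAddress, $db.Name, $db.EdbFilePath

# 2. Size the Recoverable Items subfolders (Deletions, Versions, Purges, DiscoveryHolds,
#    Audits) before collecting, so completeness can be checked afterwards.
Get-MailboxFolderStatistics -Identity $Custodian -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# 3. Export the mailbox to PST. -ExcludeDumpster is deliberately NOT used, so the
#    request is not told to strip the Recoverable Items subtree.
$req = New-MailboxExportRequest -Mailbox $Custodian `
    -FilePath "$ExportShare\$CaseTag-$Custodian-primary.pst" `
    -Name "$CaseTag-$Custodian-primary"

# 4. Copy the Dumpster on its own: -SearchDumpsterOnly restricts the search to the
#    Recoverable Items folder, and -LogLevel Full writes a per-item CSV log into the
#    target mailbox, which is the examiner's record of what was copied.
Search-Mailbox -Identity $Custodian -SearchDumpsterOnly `
    -TargetMailbox 'DiscoverySearchMailbox' `
    -TargetFolder "$CaseTag-$Custodian-Dumpster" `
    -LogLevel Full

# 5. Wait for the PST export to finish and keep the completion statistics.
do {
    Start-Sleep -Seconds 30
    $stats = Get-MailboxExportRequestStatistics -Identity $req.Identity
} while ($stats.Status -notin 'Completed', 'CompletedWithWarning', 'Failed')
$stats | Select-Object Status, ItemsTransferred, BytesTransferred, PercentComplete

# 6. Hash the PST immediately so later modification of the evidence file is detectable.
Get-FileHash -Algorithm SHA256 -Path "$ExportShare\$CaseTag-$Custodian-primary.pst"
```

The folder created in step 4 can itself be exported with a second New-MailboxExportRequest against `DiscoverySearchMailbox`, giving a PST that contains only the Dumpster contents plus the search log.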

How to Recover Deleted Items from a Mailbox

What earlier versions of Exchange called the “Dumpster” is known in later versions as the Recoverable Items Folder (RIF). Soft-deleted mailbox data can be recovered from the Dumpster or the RIF, depending on the version of Exchange Server in use. The Recoverable Items Folder has the subfolders Deletions, Versions, Purges, Discovery Hold, Audits, and Calendar Logging, which store the deleted contents of the mailbox.

In-Place Hold and Litigation Hold
In-Place Hold preserves the mailbox items that match the hold’s query parameters and protects them from deletion, whether by the user or by automated processes. To preserve an entire mailbox and protect every item the user deletes, use Litigation Hold.

Note: If a mailbox is placed under both In-Place Hold and Litigation Hold, Litigation Hold takes precedence, because it holds the complete mailbox.

Single Item Recovery
Even when deleted items have passed the retention period, they can be recovered without restoring a backup. When the Managed Folder Assistant processes the Recoverable Items Folder, purged items are moved to the Single Item Recovery folder.
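The preservation settings described in the two sections above (In-Place Hold, Litigation Hold, and Single Item Recovery), as an added example in the Exchange Management Shell; this is not code from the original post or from MailXaminer. `jdoe`, `CASE-0001` and the search query are placeholders; the account is assumed to hold the Discovery Management role (which includes the Legal Hold role).

```powershell
# Added example (not from the original post): place a custodian mailbox under
# preservation and verify the resulting state before collection starts.
# Placeholders: $Custodian, $CaseTag, the KQL query.

$Custodian = 'jdoe'
$CaseTag   = 'CASE-0001'

# Litigation Hold: the whole mailbox is preserved, including items the user purges,
# until the hold is removed (Unlimited) or for a fixed number of days.
Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $true `
    -LitigationHoldDuration Unlimited `
    -RetentionComment "$CaseTag preservation"

# In-Place Hold: only items matching the query are preserved. When the user deletes
# a matching item it is retained in the DiscoveryHolds subfolder of Recoverable Items.
New-MailboxSearch -Name "$CaseTag-InPlaceHold" `
    -SourceMailboxes $Custodian `
    -SearchQuery 'invoice OR "wire transfer"' `
    -InPlaceHoldEnabled $true

# Single Item Recovery: purged items stay in the Purges subfolder for the deleted-item
# retention window even without a hold; here the window is raised from the 14-day default.
Set-Mailbox -Identity $Custodian -SingleItemRecoveryEnabled $true -RetainDeletedItemsFor 30

# Verification: record the hold and recovery state from the mailbox object itself.
# With both holds applied, Litigation Hold is the one that governs the whole mailbox.
Get-Mailbox -Identity $Custodian |
    Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner,
                InPlaceHolds, SingleItemRecoveryEnabled, RetainDeletedItemsFor

Get-MailboxSearch -Identity "$CaseTag-InPlaceHold" |
    Format-List Name, InPlaceHoldEnabled, Status

# After the Managed Folder Assistant has run, the DiscoveryHolds and Purges subfolders
# should retain items rather than empty out as retention expires.
Get-MailboxFolderStatistics -Identity $Custodian -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize
```

Recording the output of the verification step in the case notes documents that preservation was in force before any export was taken.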

Mailbox Audit Logging
In an enterprise, some mailboxes contain confidential data: the HR department’s mailbox, the CEO’s mailbox, or ordinary employee mailboxes that must be analyzed for regulatory compliance or legal proceedings. Administrators are normally not interested in a user’s mailbox, but a dishonest one may try to access a mailbox to obtain sensitive information for personal advantage. It is therefore important to track access to mailboxes by anyone other than the mailbox owner.

The Auditing Mailbox Access feature records the operations performed on a mailbox, such as copying or deletion. The audit entries are saved in the “Audits” subfolder of the Recoverable Items Folder. This option is only available when auditing has been enabled for the mailbox.
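Enabling mailbox audit logging and reading the Audits subfolder back, as an added Exchange Management Shell example (not code from the original post or from MailXaminer). `ceo`, the case path and the 30-day window are placeholders; the account is assumed to hold the Audit Logs role or Organization Management.

```powershell
# Added example (not from the original post): turn on mailbox audit logging for a
# sensitive mailbox and pull non-owner access from the Audits subfolder.
# Placeholders: $Mailbox, $CasePath, the date range.

$Mailbox  = 'ceo'
$CasePath = 'C:\Cases\CASE-0001'

# Enable auditing and widen the logged operations for delegates and admins. Owner
# actions are left at their defaults: they are high-volume and the owner is not the
# concern here. Copy and MessageBind are only available for the admin list.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true -AuditLogAgeLimit 180 `
    -AuditDelegate Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, MoveToDeletedItems, FolderBind `
    -AuditAdmin    Update, SoftDelete, HardDelete, SendAs, SendOnBehalf, MoveToDeletedItems, Copy, MessageBind

# Confirm the configuration that will be cited in the report.
Get-Mailbox -Identity $Mailbox |
    Format-List AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate, AuditOwner

# Synchronous search of the Audits subfolder for delegate and admin logons in the
# last 30 days; -ShowDetails returns one object per logged operation.
$entries = Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Delegate, Admin -ShowDetails `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date)

# Triage view: who did what, from which client and address, to which item.
$entries |
    Select-Object LastAccessed, LogonType, LogonUserDisplayName, Operation, OperationResult,
                  ClientIPAddress, ClientInfoString, FolderPathName, ItemSubject |
    Sort-Object LastAccessed -Descending |
    Format-Table -AutoSize

# Detection pivot: hard deletes or SendAs performed by anyone other than the owner,
# summarised per actor and operation.
$entries |
    Where-Object { $_.Operation -in 'HardDelete', 'SendAs' } |
    Group-Object LogonUserDisplayName, Operation |
    Select-Object Count, Name

# Preserve the raw entries with the case file.
$entries | Export-Csv -NoTypeInformation -Path "$CasePath\$Mailbox-mailbox-audit.csv"
```

Because the entries live in the mailbox’s own Recoverable Items folder, they are subject to AuditLogAgeLimit; exporting them to CSV at collection time keeps a copy that does not age out.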

Hassle-free Solution to Perform Live Exchange Forensics

MailXaminer Email Examiner Software is a fully equipped tool for live Exchange forensics. It analyzes every detail of the emails and the other attributes in the Exchange database without technical difficulties, and it does not require the installation of any additional software. As a result, data from the Exchange Server can be analyzed immediately to investigate the case thoroughly.

Winding Things Up!

For forensic investigation of live Exchange emails, most investigators prefer third-party tools. The sections above discussed some basic methods for analyzing data from a live Exchange Server; these can be complemented by a full-fledged tool like MailXaminer, which supports an in-depth examination of emails without hassle.