Live Exchange Forensics: Evidence Examination

Creative Team | December 29th, 2014 | Forensics

Exchange Server provides the fundamental infrastructure for a messaging system: a database in which email data is stored, a transport layer that defines how messaging data is moved, and an access point that receives email from different mail clients.

Email is one of the most widely used services for exchanging information between individuals and businesses. Although many attempts are made to prevent email from being used for unauthorized activities, they are not enough to prevent email abuse. Two inherent limitations of email make it possible for a spammer to use it for illegitimate activities:

  1. By default, no encryption is used while a message passes from sender to receiver, and no integrity check is performed at the receiver’s end.
  2. Email is sent with the SMTP protocol, which does not use any authentication mechanism. Worse, an email header can easily be forged to misrepresent the source of the email.


How Does Exchange Server Store the User Database?

There can be one or more storage groups, each maintaining its own set of databases. Collectively, these databases are termed the Information Store.

In MS Exchange 2003, the mailbox database of Exchange Server is saved in the priv.edb and priv.stm files. The private folder of the Information Store, priv.edb, stores messages, headers, and text attachments, while priv.stm contains MIME-encoded multimedia data. Data shared within the organization is saved in the public folder store, i.e. the pub.edb and pub.stm files.

This storage layout changed in Exchange 2007, 2010, and 2013, where only EDB files are used: mailboxes are stored in priv.edb and public folders in pub.edb.

Collecting Emails from Live Exchange Server

During collection and preservation of email data, i.e. during an email forensics investigation of a live Exchange Server, several approaches are possible depending on the facts of the matter. For example:

  1. Export the custodian’s mailbox using MS Outlook. This is done by exporting the local copy of the mailbox, i.e. the OST file, into PST file format.
  2. In Exchange 2007, 2010, and 2013, export through the Exchange Management Shell (PowerShell cmdlets). This can export multiple mailboxes at once.
  3. Use specialized third-party tools that extract and save Exchange mailboxes to Outlook PST files regardless of mailbox size.

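The Exchange Management Shell approach from step 2, as an added example that is not part of the original article: a batch export of several custodian mailboxes to PST on Exchange 2010 SP1 / 2013, followed by hashing of the resulting files for the collection record. The custodian names, UNC share and batch name are assumptions.

```powershell
# Added example: batch PST export with Exchange Management Shell cmdlets.
# Prerequisite (real role name): the collecting account needs the
# "Mailbox Import Export" management role, e.g.
#   New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "forensic.admin"

$Custodians = @("alice", "bob")             # assumed mailbox identities
$Share      = "\\EVIDENCE01\Collections"    # assumed share; FilePath must be a UNC path
$Batch      = "Case-0001"                   # assumed batch name used to group requests

# Queue one export request per custodian. As the article notes, this covers the
# visible mailbox folders; deleted items in the Dumpster are not part of the export.
foreach ($user in $Custodians) {
    New-MailboxExportRequest -Mailbox $user `
        -FilePath "$Share\$user.pst" `
        -BatchName $Batch `
        -Name "$Batch-$user"
}

# Poll until no request in the batch is still queued or in progress
do {
    Start-Sleep -Seconds 30
    $pending = Get-MailboxExportRequest -BatchName $Batch | Where-Object {
        @("Completed", "CompletedWithWarning", "Failed") -notcontains $_.Status
    }
} while ($pending)

# Outcome per request: failures must be noted in the collection log
Get-MailboxExportRequest -BatchName $Batch |
    Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, PercentComplete, EstimatedTransferItemCount, FailureType |
    Format-Table -AutoSize

# SHA-256 of every PST, written next to the files for later verification
# (Get-FileHash requires PowerShell 4.0 or later)
Get-ChildItem -Path "$Share\*.pst" |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Path, Hash |
    Export-Csv -Path "$Share\$Batch-hashes.csv" -NoTypeInformation
```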

One disadvantage of all of these approaches is that they do not export deleted items from the mailbox. Items deleted from a mailbox are saved in a special retention area called the Dumpster. The deleted messages are preserved for a configured period in unallocated space in the MS Exchange database. Using Outlook will not export recoverable deleted messages.

Recover Deleted Items from Mailbox

The “Dumpster” concept of Exchange 2007 was introduced as the “Recoverable Items Folder” (RIF) in Exchange 2010 and 2013. Soft-deleted mailbox data can be recovered from the Dumpster or the RIF (depending on the version of Exchange Server in use). Deletions, Versions, Purges, DiscoveryHold, Audits, and Calendar Logging are the subfolders of the Recoverable Items Folder that store the deleted contents of the mailbox.

In-Place Hold and Litigation Hold: In Exchange 2013, In-Place Hold protects mailbox items from automated deletion. In Exchange 2010 this facility is available as Litigation Hold. When this option is enabled, it prevents the Managed Folder Assistant from removing messages from the DiscoveryHold and Purges subfolders of the Recoverable Items Folder.

Single Item Recovery: Even if deleted items have exceeded the retention period, they can be recovered without restoring a backup. Purged items are moved to the Single Item Recovery folder when the Managed Folder Assistant processes the Recoverable Items Folder. In addition, if any changes are made to a mailbox item, the different copies are saved in the Versions folder of the RIF.
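An added example, not from the original article, that ties the folders and settings above together on Exchange 2010/2013: it lists the Recoverable Items subfolders with their item counts, shows the retention, single item recovery and litigation hold state of a mailbox, and then enables those protections before collection. The mailbox name and the 30-day window are assumptions.

```powershell
# Added example: inspect and preserve a custodian's Recoverable Items Folder.
$Mailbox = "alice"   # assumed mailbox identity

# Item counts per RIF subfolder (Deletions, Versions, Purges, DiscoveryHolds,
# Audits, Calendar Logging). A non-empty Purges folder means items have gone past
# the Deletions stage and are held only by single item recovery or a hold.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize

# The settings that decide whether soft-deleted items survive:
#   RetainDeletedItemsFor      how long Deletions keeps an item before it is purged
#   SingleItemRecoveryEnabled  keep purged items in Purges until retention expires
#   LitigationHoldEnabled      stop the Managed Folder Assistant from purging at all
Get-Mailbox -Identity $Mailbox |
    Select-Object Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled,
                  LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner |
    Format-List

# Preserve first, collect second: extend retention to 30 days (assumed window),
# keep purged items recoverable, and place the mailbox on litigation hold so
# nothing in DiscoveryHolds or Purges is removed while the case is open.
Set-Mailbox -Identity $Mailbox -SingleItemRecoveryEnabled $true `
    -RetainDeletedItemsFor "30.00:00:00"
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true

# Verify the change took effect before starting any export
Get-Mailbox -Identity $Mailbox |
    Select-Object Name, SingleItemRecoveryEnabled, LitigationHoldEnabled, RetainDeletedItemsFor
```

On Exchange 2013 the same protection can alternatively be applied as an In-Place Hold through an In-Place eDiscovery search; the litigation hold shown here works on both versions.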

Mailbox Audit Logging

In an enterprise there are mailboxes that contain confidential data: the mailbox of the HR department, the company’s CEO, or ordinary employee mailboxes that have to be analyzed for regulatory compliance or legal proceedings. Although administrators generally have little interest in a user’s mailbox, a dishonest one may try to access a mailbox to obtain sensitive information for their own advantage.

Exchange 2010 introduced a new feature called Auditing Mailbox Access, which records the operations performed on a mailbox, such as copying or deletion. The audit entries are saved in the “Audits” subfolder of the Recoverable Items Folder. However, this information is available only when auditing has been enabled for the mailbox.
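An added example, not from the original article, showing the two halves of mailbox audit logging on Exchange 2010/2013: enabling it for a sensitive mailbox, then reviewing the non-owner (administrator and delegate) access that was recorded in the Audits subfolder. The mailbox name and date range are assumptions.

```powershell
# Added example: enable mailbox audit logging and review non-owner access.
$Mailbox = "ceo"   # assumed mailbox identity

# Record the admin and delegate operations that matter for an access investigation.
# Owner actions are not audited by default and would generate a large volume of
# entries, so they are left off here. Entries are kept for 180 days (assumed).
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditAdmin Copy,Create,FolderBind,HardDelete,MessageBind,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditDelegate Create,FolderBind,HardDelete,Move,MoveToDeletedItems,SendAs,SendOnBehalf,SoftDelete,Update `
    -AuditLogAgeLimit "180.00:00:00"

# Confirm the configuration that was applied
Get-Mailbox -Identity $Mailbox |
    Select-Object Name, AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate |
    Format-List

# Review: who other than the owner touched the mailbox in the window, what they
# did, from which client and address. FolderBind entries show folders opened;
# MessageBind, Copy and HardDelete are the ones to look at first.
$Start = "2014-12-01"   # assumed window
$End   = "2014-12-29"
Search-MailboxAuditLog -Identity $Mailbox -LogonTypes Admin,Delegate `
    -StartDate $Start -EndDate $End -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  FolderPathName, ItemSubject, ClientInfoString, ClientIPAddress |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

Audit entries only exist from the moment auditing was enabled; access that happened before that point is not recoverable from the Audits folder.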

Conclusion: For forensic investigation of live Exchange emails, most investigators prefer third-party tools for analyzing Outlook emails. The sections above discussed some basic methods for analyzing data from a live Exchange Server; these can be complemented by tools such as MailXaminer for email tampering investigation or evidence collection.