Dealing with corporate databases involved in a case is probably one of the most crucial, and equally difficult, tasks for investigators. It also involves obtaining access to the corporate environment in order to acquire the databases. Microsoft Exchange being the most entrenched server program in corporations around the globe, investigators have to deal with Exchange server databases in their examinations. This can involve steps such as shutting down the servers in order to fetch the Exchange databases for further analysis. To meet this requirement, users resort to various methods of bringing the databases from active servers to other platforms, so that they can be analyzed without needing the server. This can be easily done by using a Microsoft Exchange eDiscovery export tool. Such software can export email data from Exchange databases to PST files, which can be transferred to the investigation workstation. Let us see how this software is a progressive product for Exchange server email forensic analysis.
The need for an advanced eDiscovery export tool arises because the various servers are not available at the investigation workstation. It is practically impossible to bring all the servers to one place for investigators. Moreover, in order to analyze any database it would be necessary to shut down all Exchange servers in the organization, which in turn hurts productivity. A Microsoft Exchange e-discovery export tool is essential for email investigation, especially when it involves server-based email. This software allows users to move emails from Exchange databases stored on servers to locally accessible PST files. These PST files can then be easily accessed using the Outlook application. Some manual procedures can be used for EDB to PST conversion, but they work only in certain situations and thus cannot always be trusted. In such situations investigators need an export tool which can perform an organized migration of Exchange email data to PST files.
Along with exporting Exchange EDB databases to PST files, an e-discovery tool for Exchange like MailXaminer has Advance Search facilities. Advance Search has many filters embedded, based on which searching can be done inside the Exchange databases using specific keywords and algorithms. Search functions like General, PreDefined, Advance and Proximity allow searching through the EDB files once the files are loaded into the application.
General: This is a basic search facility which looks for specific keywords in the subject, recipients, sender, and body of all the emails. It also allows modifying the search by adding an operator to the keywords, like AND/OR/etc. This kind of modification can surface the dubious emails in the search results instead of requiring a thorough read of all the emails.
PreDefined: This is a kind of regular-expression search, in which a particular pattern of evidence is targeted in the emails. It offers various categories and subcategories on which the searches can be based, including phone numbers, date and time, product keys, URLs, etc.
Advance: This is a more advanced version of the General search mechanism. It has a broad search facility: a specific keyword can be searched for in a specific category, with operators applied as well.
Proximity: This is quite a “hit or miss” method in which one provides two input characters and allows a maximum of up to 4 words in between the two input characters.
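The Proximity mode described above can be sketched in a few lines. This is an added example, not MailXaminer's code; it assumes the two inputs are whole words matched case-insensitively in either order, and the function names and sample messages are constructed for illustration.

```python
import re

MAX_GAP = 4  # the limit described above: at most 4 words between the two inputs

# Constructed sample messages (not real evidence).
MESSAGES = [
    {"id": 1, "subject": "Q3 numbers",
     "body": "Please transfer the remaining funds to the offshore account today."},
    {"id": 2, "subject": "Ticket update",
     "body": "The transfer request was logged by IT on Monday and nobody mentioned funds."},
    {"id": 3, "subject": "Re: timing",
     "body": "Funds are ready; start the transfer before the audit."},
    {"id": 4, "subject": "Re: timing",
     "body": "Funds are ready, so start the transfer before the audit."},
]

def tokenize(text):
    """Split text into (lowercased word, start offset, end offset) tuples."""
    return [(m.group().lower(), m.start(), m.end())
            for m in re.finditer(r"[A-Za-z0-9']+", text)]

def proximity_hits(text, term_a, term_b, max_gap=MAX_GAP):
    """Return snippets where the two terms occur with <= max_gap words between them."""
    a, b = term_a.lower(), term_b.lower()
    tokens = tokenize(text)
    hits = []
    for i, (word, start, _) in enumerate(tokens):
        if word not in (a, b):
            continue
        other = b if word == a else a
        # Token j has (j - i - 1) words between it and token i.
        for j in range(i + 1, min(i + max_gap + 2, len(tokens))):
            if tokens[j][0] == other:
                hits.append(text[start:tokens[j][2]])
                break
    return hits

def search_messages(messages, term_a, term_b, max_gap=MAX_GAP):
    """Run the proximity search per field so a match never spans subject and body."""
    results = []
    for msg in messages:
        for field in ("subject", "body"):
            for snippet in proximity_hits(msg[field], term_a, term_b, max_gap):
                results.append((msg["id"], field, snippet))
    return results

if __name__ == "__main__":
    for hit in search_messages(MESSAGES, "transfer", "funds"):
        print(hit)
```

Messages 2 and 4 contain both words but fall outside the four-word window, which is the "hit or miss" behaviour: a single extra word between the terms drops the message from the results.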
Selected emails which are suspicious or contain some form of evidence can be exported from the Exchange databases to PST files. Both Exchange mailboxes and public folders can be exported easily to PST files. Once the emails are exported to PST files, they can be accessed and analyzed further using the MS Outlook application. One of the dominant e-discovery tools, MailXaminer allows this EDB to PST conversion for all emails or for selected emails which have evidentiary elements in them. Its extended support for all versions of Exchange server, especially the advanced versions, allows users to carry out e-discovery Exchange 2010 export to PST as well.
In order to perform a thorough analysis of the Exchange databases, one has to extract the emails to a better platform so as to have full access to them without being bound to the server or its environment. EDB to PST conversion is the most suitable way to perform Exchange forensics, and this can be done in a systematic way using advanced utilities like MailXaminer.