Live Exchange Forensics – Evidence Examination

Published By Anurag Sharma
Approved By Anuraag Singh
Published On October 27th, 2022
Reading Time 6 Minutes
Category Forensics

Before diving into live Exchange forensics, we should know a little about MS Exchange itself. Microsoft Exchange is a mail and calendaring server developed by Microsoft, and it runs exclusively on the Windows Server operating system. Exchange Server primarily uses a proprietary protocol, MAPI; support for IMAP, POP3 and EAS was added later. The standard SMTP protocol is used to communicate with other mail servers on the internet.

Email is one of the most heavily used services for exchanging information, both by individuals and by businesses. A great deal of effort goes into keeping email out of the wrong hands, yet these measures are not enough to prevent email breaches. Two inherent limitations of email make it possible for a spammer to use it for illegitimate activities:

  • By default, a message is not encrypted while it travels from the sender to the receiver, and there is no integrity check at the receiver's end.
  • Email is sent over SMTP, which performs no authentication of its own. Worse, it is easy to forge an email header and thereby misrepresent the source of the email.

If you are about to perform a live Exchange forensics analysis, this blog walks you through the examination of the Exchange Server database file.

How Does Exchange Server Store the User Database?

Exchange Server has two main components: storage groups and databases. A storage group is a "container" that holds mailbox stores and public folder stores. The system creates the default mailbox and public folder stores at the time of Exchange Server installation. The default mailbox store consists of two database files, Priv1.edb and Priv1.stm.

Priv1.edb is a rich-text database that holds message headers, message text and attachments, whereas Priv1.stm holds streaming internet content, i.e. multimedia such as audio and video files.

Collecting Emails from Live Exchange Server

During the collection and preservation phase of an email forensics investigation on a live Exchange Server, several approaches are available to gather the facts of the matter. For example:

  • Exporting the custodian's mailbox using MS Outlook. This involves exporting the local copy of the mailbox, i.e. the OST, into PST file format.
  • In Exchange Server editions such as 2019, 2016 and 2013, the Exchange Management Shell (PowerShell cmdlets) can be used to export multiple mailboxes at once.
  • Specialized third-party tools can extract Exchange mailboxes and save them as Outlook PST files regardless of mailbox size.
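As an added example that is not part of the original post, this is how the Exchange Management Shell export of several custodian mailboxes can be scripted; the custodian aliases and the UNC share path are assumed placeholders:

```powershell
# Added example: bulk export of custodian mailboxes to PST with the Exchange Management Shell.
# The account running this needs the "Mailbox Import Export" management role, and the
# Exchange Trusted Subsystem group needs write access to the share.
# Custodian aliases and the share path below are assumed placeholders.
$custodians = @("alice.smith", "bob.jones")
$share      = '\\EVIDENCE01\pst$'

foreach ($alias in $custodians) {
    # BadItemLimit is left at its default of 0, so a corrupt item fails the request
    # instead of being dropped silently, which matters when the PST is evidence.
    New-MailboxExportRequest -Mailbox $alias `
        -FilePath "$share\$alias.pst" `
        -Name "Forensic-$alias"
}

# Track progress; rerun until every request shows Status = Completed.
Get-MailboxExportRequest |
    Where-Object { $_.Name -like "Forensic-*" } |
    Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, PercentComplete, ItemsTransferred, EstimatedTransferItemCount
```

Record the hash of each PST once its request reports Completed, since the files are written by the Mailbox Replication service rather than by the session that issued the request.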

One shortcoming shared by all of these approaches is that they do not export deleted items from the mailbox. Items deleted from a mailbox are kept in a special retention area called the Dumpster: deleted messages are preserved for a configured period in unallocated space within the Exchange database. An Outlook export does not include these recoverable deleted messages.

How to Recover Deleted Items from a Mailbox

What earlier versions of Exchange called the "Dumpster" is now the "Recoverable Items Folder". Soft-deleted mailbox data can be recovered from the Dumpster or from the Recoverable Items Folder, depending on the version of Exchange Server in use. Its subfolders, Deletions, Versions, Purges, Discovery Hold, Audits and Calendar Logging, store the deleted contents of the mailbox.

In-Place Hold and Litigation Hold
In-Place Hold preserves the mailbox items that match the query parameters and protects them from deletion by users or by automated processes. To preserve all items in a user's mailbox, including items the user has deleted, use Litigation Hold.

Note: If a mailbox is placed under both In-Place Hold and Litigation Hold, Litigation Hold takes precedence, as it holds the complete mailbox.

Single Item Recovery
Even when deleted items have exceeded the retention period, it is possible to get them back without restoring from backup. Purged items go to the Single Item Recovery folder when the Managed Folder Assistant finishes processing the Recoverable Items Folder.
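As an added example (not part of the original post) covering the Recoverable Items Folder, the two holds and Single Item Recovery discussed above, this checks a custodian mailbox's preservation state and then locks it down for the investigation; the alias and the 90-day window are assumed placeholders:

```powershell
# Added example: inspect and then enforce preservation on a custodian mailbox.
# $alias and the retention window are assumed placeholders.
$alias = "alice.smith"

# Item counts and sizes of the Recoverable Items subfolders
# (Deletions, Versions, Purges, DiscoveryHolds, Audits, Calendar Logging).
Get-MailboxFolderStatistics -Identity $alias -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize

# Current hold and Single Item Recovery settings. InPlaceHolds lists the GUIDs of any
# In-Place Holds; Litigation Hold, when set, covers the complete mailbox regardless.
Get-Mailbox -Identity $alias |
    Select-Object LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds,
                  SingleItemRecoveryEnabled, RetainDeletedItemsFor

# Preserve everything from this point on: Litigation Hold stops purges from the
# Recoverable Items Folder, and Single Item Recovery with a longer deleted-item
# retention window keeps purged items recoverable without a backup restore.
Set-Mailbox -Identity $alias -LitigationHoldEnabled $true
Set-Mailbox -Identity $alias -SingleItemRecoveryEnabled $true `
    -RetainDeletedItemsFor 90.00:00:00
```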

Mailbox Audit Logging
In an enterprise, some mailboxes contain confidential data: the HR department's mailbox, the CEO's mailbox, or the ordinary mailboxes of employees that must be analyzed for regulatory compliance or legal proceedings. Although administrators generally have little interest in a user's mailbox, a dishonest one may try to access a mailbox to obtain sensitive information for their own advantage. It is therefore important to track access to mailboxes by users other than the mailbox owner.

The Mailbox Audit Logging feature records operations on a mailbox, such as copying or deletion, and saves the audit entries in the "Audits" sub-folder of the Recoverable Items Folder. However, this option is only useful when auditing has been enabled for the mailbox.
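As an added example that is not from the original post, this enables mailbox audit logging for a sensitive mailbox and then pulls the non-owner access entries for a period of interest; the alias, the 180-day log age limit and the date range are assumed placeholders:

```powershell
# Added example: enable mailbox audit logging and review non-owner access.
# $alias, the log age limit and the date range are assumed placeholders.
$alias = "ceo"

# Turn auditing on and log the admin and delegate operations that matter in an
# investigation (reads via MessageBind/FolderBind, moves, deletes and send-as).
Set-Mailbox -Identity $alias -AuditEnabled $true `
    -AuditAdmin    Copy, MessageBind, Move, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf `
    -AuditDelegate FolderBind, Move, MoveToDeletedItems, SoftDelete, HardDelete, SendAs, SendOnBehalf `
    -AuditLogAgeLimit 180

# Confirm the setting; entries exist only for activity after auditing was enabled.
Get-Mailbox -Identity $alias |
    Select-Object AuditEnabled, AuditLogAgeLimit, AuditAdmin, AuditDelegate

# Every access by someone other than the owner in the window, oldest first.
Search-MailboxAuditLog -Identity $alias -LogonTypes Admin, Delegate `
    -StartDate "2022-10-01" -EndDate "2022-10-27" -ShowDetails |
    Select-Object LastAccessed, LogonUserDisplayName, LogonType, Operation,
                  ClientIPAddress, ClientInfoString, FolderPathName, ItemSubject |
    Sort-Object LastAccessed
```

The entries live in the Audits sub-folder of the Recoverable Items Folder, so placing the mailbox on Litigation Hold also keeps them from being purged before the investigation ends.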

Hassle-free Solution to Perform Live Exchange Forensics

MailXaminer Email Examiner Software is a fully equipped tool for live Exchange forensics. It analyzes every detail of emails and other attributes in the Exchange database without technical glitches. Notably, it does not require the installation of any additional software, so one can immediately analyze data from the Exchange Server and investigate the case thoroughly.

Winding Things Up!

For forensic investigation of live Exchange emails, most investigators prefer third-party tools. The sections above present some basic methods for analyzing data from a live Exchange Server; these can be complemented by a full-fledged tool like MailXaminer, which helps perform an in-depth examination of emails without any hassle.

By Anurag Sharma

Tech enthusiast and cyber expert for the past 5 years. Loves to solve complicated scenarios to counter cyber crime with in-depth technical knowledge.