MS Exchange Server Forensics
Investigate Exchange Server Mailboxes with Exchange Forensic Tool
Introduction to Exchange Server
Microsoft developed Exchange Server as a mail server, contact manager and calendaring application that runs on Windows Server. It is a messaging platform that lets its users exchange data over a wide range of network protocols, given a suitable hardware and software configuration. It is a reliable and flexible platform that increases the productivity of business communication, since it can be accessed from anywhere, and it has the potential to manage risk and so protect vital information from being lost.
Role of Exchange Server Database in Digital Forensics
Exchange mail plays a crucial role in forensics. On careful examination, experts can extract detailed information about an offense. Each email field holds distinct, discrete information that helps investigators get to the root of an issue.
Overview of Microsoft Exchange Email Forensics
Exchange Server uses a database built on the Extensible Storage Engine (ESE) to save data. The files that are useful from a forensic point of view include .edb, .stm, .log, .chk and .tmp files.
The Information Store is the main component for managing the database in Exchange Server. It comprises two databases: the Public Information Store and the Private Information Store. The Private Information Store database manages the data in users' mailboxes, while the Public Information Store database handles the data in shared folders.
The way the database is stored changed in later versions of Exchange Server: now only EDB files are used to store mailboxes and shared folders. All mailbox data is stored in priv.edb, and the shared folders are stored in pub.edb.
Transaction log files (.log) keep track of every change made to the Exchange Server database. Committed transactions are recorded in the log files.
Checkpoint (.chk) files record which logged transactions have already been written to the database. They also help to recover deleted data and to bring the database back to a consistent state.
Temporary files (.tmp) are created to prevent data loss while binary data is being converted into readable text.
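The following script, added here as an illustration and not taken from the original article or from any vendor tool, inventories the .edb, .log and .chk files of every mailbox database and, for databases that are not mounted, reads the EDB header with eseutil /mh to check whether the file is in a Clean Shutdown state before it is copied for offline examination. It assumes the Exchange Management Shell on an Exchange 2010 or later mailbox server, with eseutil.exe on the PATH.

```powershell
# Added example, not from the original article: list the on-disk files of each mailbox
# database and check the EDB header state of dismounted databases with eseutil /mh.
# Assumes the Exchange Management Shell (Exchange 2010 or later) on the mailbox server.

foreach ($db in Get-MailboxDatabase -Status) {
    $edbFile  = $db.EdbFilePath.PathName
    $logDir   = $db.LogFolderPath.PathName
    $prefix   = $db.LogFilePrefix                         # log stream prefix, e.g. E00
    $chkFile  = Join-Path $logDir "$prefix.chk"           # checkpoint file of that log stream
    $logFiles = @(Get-ChildItem -Path $logDir -Filter "$prefix*.log" -ErrorAction SilentlyContinue)

    if ($db.Mounted) {
        # eseutil cannot open a mounted database. Leave the live store running and read the
        # header from a backup or a dismounted copy instead of dismounting the production DB.
        $state = 'n/a (database is mounted)'
    }
    else {
        # The header dump contains a line such as "State: Clean Shutdown" or "State: Dirty Shutdown".
        # A dirty-shutdown EDB still needs its transaction logs to be brought to a consistent state.
        $header = & eseutil.exe /mh $edbFile 2>&1
        $line   = $header | Select-String -Pattern 'State:' | Select-Object -First 1
        $state  = if ($line) { $line.Line.Trim() } else { 'unknown (State line not found in eseutil output)' }
    }

    # One record per database: where the evidence files are and whether the EDB is consistent
    [pscustomobject]@{
        Database    = $db.Name
        Mounted     = $db.Mounted
        EdbFile     = $edbFile
        Checkpoint  = $chkFile
        LogCount    = $logFiles.Count
        HeaderState = $state
    }
}
```

Hash the .edb, .chk and .log files (for example with Get-FileHash) immediately after copying them, so the offline analysis can be tied back to the originals.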
Exchange Server has emerged as a communication hub for organizations. It is widely used to transmit crucial emails, including negotiations, business agreements and conversations. Although Exchange Server is highly secured, there is still a chance that offenders can bypass its security shield by malicious means. Hence Microsoft Exchange Server forensics comes into the picture.
Various factors are responsible for exposing email communication to illegitimate use. Some of the reasons are listed here:
Exchange Server forensics is a wide arena that requires the collection and analysis of evidence from the Exchange Server environment. During the investigation the experts face many challenges; some of them are described below:
Analyzing Live Exchange Mailboxes
Exchange Server is used by a large number of organizations. If information leaks or a scam occurs in an organization, the Exchange users' mailboxes can provide crucial information about the issue. Collecting that information is difficult, because shutting down an active database, or even disrupting its operation, is not acceptable. Moreover, collecting ESI (electronically stored information) is time consuming.
Examining Evidence Without an Exchange Server
The evidence collected from the Exchange Server is in the form of STM or EDB files. These files cannot simply be opened for examination, as it is not possible to mount them on a different Microsoft Exchange Server. Thus some advanced technology is required with which these files can be read.
For this purpose, experts look for tools that can open EDB or STM files and view their contents.
Recovering Deleted Items
Before any data is permanently deleted, it passes through several layers. When an item is deleted from its original location, it goes to Deleted Items first.
If the user deletes it from there too, it remains in the Dumpster for a defined duration. The time for which an item stays in the Dumpster is called the retention period. The retention period depends on the version of Exchange Server in use; the following table lists the retention period for different versions:
| Version of Exchange Server | Retention Period |
|---|---|
| Exchange 5.5 | 0 days |
| Exchange 2000 | 7 days |
| Exchange 2003 | 7 days |
| Exchange 2007 | 14 days |
| Exchange 2010 | 14 days |
Once an item exceeds the retention period in the Dumpster, it is permanently deleted from the database.
Even after permanent deletion there is a chance to recover the data, which helps the investigation process. Whether restoration is possible depends on the configuration set by the administrator. For better results, experts prefer to use an Exchange forensic tool to restore permanently deleted mail.
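Because recoverability depends on the administrator's retention configuration, an examiner should record that configuration before attempting any restoration. The script below is an added example, not code from the original article or from any forensic product; it reports the database and mailbox retention settings and lists what the mailbox's Recoverable Items (Dumpster) folders currently hold. It assumes the Exchange Management Shell on Exchange 2010 or later, and $Mailbox is a placeholder for the mailbox under investigation.

```powershell
# Added example, not from the original article: show the settings that decide whether an
# item deleted from the Dumpster is still recoverable, then list the Dumpster contents.
# Assumes the Exchange Management Shell on Exchange 2010 or later.

$Mailbox = 'investigated.user@example.invalid'   # placeholder, replace with the real identity

# 1. Database-level defaults. DeletedItemRetention is the Dumpster retention period from the
#    table above; RetainDeletedItemsUntilBackup keeps expired items until the DB is backed up.
Get-MailboxDatabase |
    Select-Object Name, DeletedItemRetention, MailboxRetention, RetainDeletedItemsUntilBackup |
    Format-Table -AutoSize

# 2. Per-mailbox overrides. When UseDatabaseRetentionDefaults is $false, RetainDeletedItemsFor
#    applies instead. Single Item Recovery keeps items the user purged until the retention
#    period ends; Litigation Hold keeps them indefinitely. Either one makes later recovery possible.
Get-Mailbox -Identity $Mailbox |
    Select-Object Name, UseDatabaseRetentionDefaults, RetainDeletedItemsFor,
                  RetainDeletedItemsUntilBackup, SingleItemRecoveryEnabled, LitigationHoldEnabled |
    Format-List

# 3. Contents of the Recoverable Items subtree. "Deletions" holds items removed from Deleted
#    Items (still recoverable by the user); "Purges" holds hard-deleted items awaiting expiry.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize
```

Capture this output with Start-Transcript so the retention state at collection time becomes part of the case record.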
– Tool For MS Exchange Server Forensics
Several steps are taken to secure email systems, but they are still inadequate. Organizations generally have an excellent email policy, but that alone does not stop users from violating it, so monitoring is required. In some cases even monitoring does not give adequate results, which pushes people towards forensic email analysis. To reach the root cause of an issue, forensic examiners need an effective tool that performs the analysis with high efficiency.
One such tool is equipped with advanced algorithms to deal with the issues of Exchange Server forensic investigation. Some of the features provided by the tool include:
- Case management facility to make the investigation faster and more efficient
- Supports multiple file formats
- Can examine Exchange Server mailboxes without dismounting them
- Provides multiple views of each mail so that the investigation can be done with ease
- Provides an option to recover even permanently deleted items