MS Exchange Server Forensics

Investigate Exchange Server Mailboxes with Exchange Forensic Tool

Introduction to Exchange Server

Microsoft developed Exchange Server as a mail server, contact manager and calendaring application that runs on Windows Server. It is a messaging platform that lets its users exchange data over a wide range of network transfer protocols using dedicated hardware and software configurations. It is a reliable and flexible platform that increases the productivity of business communication, since it can be accessed from anywhere, and it has the potential to manage risk and thus protect vital information from being lost.


Role of Exchange Server Database in Digital Forensics

Exchange mail plays a crucial role in forensics. Detailed information about an offense can be extracted by experts on careful examination. Different email fields hold distinct, discrete pieces of information that help investigators get to the root of an issue.

Overview of Microsoft Exchange Email Forensics

Storage in Exchange Server

Exchange Server uses a database driven by the Extensible Storage Engine (ESE) to save data. Some of the files that are useful from a forensic point of view include .stm, .edb, .tmp and .chk.

(Image: Exchange Server Storage)

The Information Store is the chief element for managing databases in Exchange Server. It comprises two different databases, namely the Public Information Store and the Private Information Store. The Private Information Store database manages the data in users' mailboxes, while the Public Information Store database handles the data in shared folders.

In MS Exchange 2003, a mailbox database is stored in two different files, priv.edb and priv.stm. The priv.edb file holds messages, text attachments and headers, while the priv.stm file holds MIME-encoded multimedia data. In the same way, an organization's shared data is stored in pub.edb and pub.stm files.

(Image: Folder in Exchange Server)

The storage layout changed in later versions of Exchange Server: only EDB files are now used to store mailboxes and shared folders. The entire mailbox data is stored in priv.edb and the shared folders are stored in pub.edb.

Forensic Analysis of Exchange Database

  • Transaction log files (.log) keep track of every change made to the Exchange Server database. Committed transactions are reflected in the log files.
  • Checkpoint (.chk) files record which logged transactions have already been written to the database. They also help to recover deleted data and to bring the database back to a consistent state.
  • Temporary files (.tmp) are created to prevent data loss while binary data is converted into readable text.
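The practical consequence of the .edb/.log/.chk relationship is that an EDB file copied from a running server is usually in a "Dirty Shutdown" state, meaning the transaction logs still have to be replayed before the database is consistent; an examiner therefore images the .log and .chk files together with the .edb and checks the header state before doing anything else. The following Python script is an added example (not code from the page or from Mailxaminer) that reads that state directly from the ESE file header without mounting the database. The field offsets (signature at 4, file type at 12, state at 52, consistent log position at 56, page size at 236) are taken from the publicly documented ESE file format and are an assumption to be verified against the output of Microsoft's own eseutil /mh on the same file; the sample header used for the demonstration is constructed in the script, not taken from a real server.

```python
import struct
from dataclasses import dataclass

# Header layout used here (byte offsets, little-endian). These follow the publicly
# documented ESE/EDB format; treat them as an assumption and cross-check with
# "eseutil /mh <file.edb>" before relying on them in a report.
ESE_SIGNATURE = 0x89ABCDEF
OFF_SIGNATURE, OFF_FILE_TYPE, OFF_STATE = 4, 12, 52
OFF_CONSISTENT_POS = 56   # log position (block, sector, generation) of last consistent checkpoint
OFF_PAGE_SIZE = 236

FILE_TYPES = {0: "database (.edb)", 1: "streaming file (.stm)"}
STATES = {
    1: "Just Created",
    2: "Dirty Shutdown",   # uncommitted logs must be replayed; keep .log/.chk with the image
    3: "Clean Shutdown",   # every committed transaction is already in the .edb
    4: "Being Converted",
    5: "Force Detach",
}


@dataclass
class EseHeader:
    file_type: str
    state: str
    page_size: int
    last_log_generation: int   # which transaction log generation the .edb is consistent with

    def needs_log_replay(self) -> bool:
        return self.state == "Dirty Shutdown"


def parse_ese_header(data: bytes) -> EseHeader:
    """Parse the first page of an ESE file; raises ValueError if it is not an ESE file."""
    if len(data) < OFF_PAGE_SIZE + 4:
        raise ValueError("buffer too short for an ESE header")
    (sig,) = struct.unpack_from("<I", data, OFF_SIGNATURE)
    if sig != ESE_SIGNATURE:
        raise ValueError(f"not an ESE file: signature 0x{sig:08X}")
    (file_type,) = struct.unpack_from("<I", data, OFF_FILE_TYPE)
    (state,) = struct.unpack_from("<I", data, OFF_STATE)
    # An ESE log position is block (2 bytes), sector (2 bytes), generation (4 bytes).
    _block, _sector, generation = struct.unpack_from("<HHI", data, OFF_CONSISTENT_POS)
    (page_size,) = struct.unpack_from("<I", data, OFF_PAGE_SIZE)
    return EseHeader(
        file_type=FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        state=STATES.get(state, f"unknown ({state})"),
        page_size=page_size,
        last_log_generation=generation,
    )


def build_sample_header(state: int, generation: int, page_size: int = 32768) -> bytes:
    """Constructed sample header for offline testing; not taken from a real server."""
    buf = bytearray(page_size)
    struct.pack_into("<I", buf, OFF_SIGNATURE, ESE_SIGNATURE)
    struct.pack_into("<I", buf, OFF_FILE_TYPE, 0)
    struct.pack_into("<I", buf, OFF_STATE, state)
    struct.pack_into("<HHI", buf, OFF_CONSISTENT_POS, 0, 0, generation)
    struct.pack_into("<I", buf, OFF_PAGE_SIZE, page_size)
    return bytes(buf)


def triage_edb(path: str) -> EseHeader:
    """Read only the header of a (forensic copy of a) .edb or .stm file from disk."""
    with open(path, "rb") as fh:
        return parse_ese_header(fh.read(4096))


if __name__ == "__main__":
    # Demonstration on the constructed header: a database copied mid-operation.
    hdr = parse_ese_header(build_sample_header(state=2, generation=0x1A2B))
    print(hdr)
    print("needs log replay:", hdr.needs_log_replay())
```

Run triage_edb() against a read-only copy of the evidence file, never against the live database path. A "Dirty Shutdown" result with a given log generation tells you which .log files must be present alongside the .edb for the copy to be brought to a consistent state, which is the check to make before any recovery or repair step is attempted.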

Need Of MS Exchange Server Forensics

Exchange Server has emerged as the communication hub of many organizations. It is widely used to transmit crucial emails, including negotiations, business agreements and conversations. Although Exchange Server is highly secured, there are still chances that offenders can bypass its security by malicious means. This is where Microsoft Exchange Server forensics comes into the picture.

Various factors are responsible for exposing email communication to illegitimate use. Some of the reasons are listed here:

Challenges Faced In Exchange Server Forensics

Exchange Server forensics is a wide arena that requires the collection and analysis of evidence from the Exchange Server environment. Experts face a lot of challenges during the investigation process. Some of them are mentioned below:

Analyzing Live Exchange Mailboxes

Exchange Server is used by a large number of organizations. If there is a leak of information or a scam in the organization, the Exchange users' mailboxes can provide crucial information about the issue. Experts face a lot of difficulty in collecting this information, since shutting down an active database, or even disrupting its operation, is not acceptable. Moreover, ESI collection is time consuming.

(Image: Exchange Server Forensics)

Hence, experts look for an efficient way to overcome the above-mentioned challenge and extract and view information from a live Exchange Server.

Examining Evidence Devoid Of Exchange Server

The evidence collected from the Exchange Server is either in the form of STM or EDB files. These files cannot simply be opened for examination, because it is not possible to mount them on a different Microsoft Exchange Server. Thus, some advanced technology is required to read these files.

For this purpose, experts look for tools that can open EDB or STM files and view their contents.

Recovering Deleted Data from Exchange Server

Before data is permanently deleted, it passes through multiple layers. Once data is deleted from its original location, it is sent to Deleted Items first.

(Image: Dumpster)

If the user deletes it from there too, it resides in the Dumpster for a definite duration. The time for which data resides in the Dumpster is called the retention period. The retention period depends on the version of Exchange Server in use. The following table lists the retention period for different versions of Exchange Server:

Version of Exchange Server    Retention Period
Exchange 5.5                  0 days
Exchange 2000                 7 days
Exchange 2003                 7 days
Exchange 2007                 14 days
Exchange 2010                 14 days

(Image: Retention Period)

When an item exceeds the retention period in the Dumpster, it is permanently deleted from the database.

Note: A Purges folder holds the messages that have crossed the retention period. However, it only comes into play when single item recovery is in use; moreover, litigation hold should be enabled.

Even after permanent deletion, there are chances to recover the data, which helps the investigation process. Restoration depends on the configuration managed by the administrator. For better results, experts prefer to use Exchange forensic software to restore permanently deleted mails.

Mailxaminer - Tool For MS Exchange Server Forensics

Several steps are taken to secure email systems, but they are still inadequate. Organizations generally have an excellent email policy, but that alone is not sufficient to prevent users from violating it, and in such cases monitoring is required. However, in some cases monitoring does not provide adequate results, which drives people towards forensic email analysis. To reach the root cause of an issue, forensic examiners need an effective tool to perform the analysis with high efficiency.

One such tool is Mailxaminer, which is equipped with advanced algorithms to deal with the issues of Exchange Server forensic investigation. Some of the features provided by the tool include:

  • Case management facility to make the investigation faster and efficient
  • Supports multiple file formats
  • Can examine Exchange Server mailboxes without dismounting them
  • Provides multiple views of mail so that investigation can be done with ease
  • Provides option to recover even permanently deleted items

Conclusion:

Some examples of illegitimate use include phishing, spamming, racial abuse, disclosure of confidential information, etc. Microsoft Exchange Server forensics plays an important role in dealing with such scenarios. It is a broad domain; therefore, using an insubstantial MS Exchange Server forensic tool may cost you dearly. Thus, it is always advisable to select a robust MS Exchange forensic software to proceed in this domain.