Exchange Database Forensics Evidence Collection
Exchange Server is a messaging platform developed by Microsoft. It is database packed and gives the facility to transfer data on a variety of network transport protocols. It works on Windows Server Operating System with special hardware/software configuration.
Although Exchange Server offers immense help in generating a private communication network but still through malicious means, it is possible to bypass the security shield. This gives rise to an urgent necessity of Exchange database forensics.
Exchange Server Forensic Analysis – Investigate Storage Archives
Microsoft Exchange is an email server, which uses a database and the Extensible Store Engine (ESE) to store data. The files that are useful in forensics investigation are .edb, .stm, .log, .chk, and .temp. Up to Exchange 2003, it uses to store the email database in two types of files:
EDB: This saves the rich text data of the emailing system. Also known as the MAPI store, it saves messages that have been received from MAPI clients.
STM: It contains MIME formatted data which includes email attachments, images, audio, document files, etc. This includes messages sent from the SMTP client.
Note: If there is no SMTP connectivity of the network to the outside world, then the STM files will hardly grow. However, if the POP3, IMAP, or Outlook Web Access clients are used, the STM files will grow enormously.
Exchange Server Forensic Analysis revolves around these two files that make up an Information Store which is further divided into storage sections: Private Store and Public Store. In these stores, the personal user accounts and shared data with permissions get stored respectively. On the machine, this data is stored as priv.edb and priv.stm (Private Folder) and pub.edb/pub.stm (Public Store).
Also, any changes or updations done to the database are logged into a transaction log file (.log). These transactions on completion are committed to the database to update it. To keep a record of which transaction is written to the database, checkpoint files (.chk) are created. These files help in recovering deleted data and bringing back the database into a consistent state. Also, to prevent any data loss while the binary data is converted into readable text, the temporary file (.temp) is created by Exchange Server.
Restoring Permanently Deleted Data
Before an Exchange item is permanently lost, it passes multiple security layers. This includes Dumpster and its components like Deletion, Versions, Purges, and Discovery Hold. These sub-folders of dumpsters are not visible to end-user, but they play a major role in the compilation and investigation practices.
Deletions: After being removed from the “Deleted Items Folder”, the items are moved to this folder of the dumpster. Here, the deleted item stays for a specified time interval which is called the Retention Period.
Purges: This folder saves the messages that have passed the retention period. It will work only if the Single Item Recovery and Litigation hold are enabled.
Even if the messages are deleted from the mailbox or the database, they hold a fair chance of recovery which definitely helps in the forensics investigation process. However, a lot is dependent upon how the configuration is managed by the administrator.
Analyzing Evidences without Exchange Server
Exchange evidence collected in the standard file formats, i.e. EDB or STM can cause issues in reading the data. This is because the database cannot be mounted on a different Exchange Server which makes a call for a technology that allows reading the database along with metadata to carve relevant artefacts.
In this concern, the investigators equip their machines with viewers that allow opening an EDB or STM file and viewing its contents with a single interface. EDB Viewer Freeware is an example of advanced technology using which a user can easily view Exchange EDB files. This tool is nowadays used in the forensics of Exchange databases without the availability of an ideal platform.
Extracting Data from Offline Database For Forensic Analysis
For some businesses, the Server is used for communication but for some Server is the business. For this reason, bringing the Server down for forensics investigation is not possible.
In general cases, the database of Exchange Server is collected in the offline state which is generally unreadable. The adopted mantra by investigators is to move the Exchange mailbox into the Outlook PST file. To convert offline EDB mailboxes into PST, there are third-party tools that are available in the market. Data from both public and private stores can be exported to PST so that it can be read in Outlook.
If the database is online, the built-in tools by Microsoft like ExMerge, PowerShell Commands, Exchange Admin Center etc. can be used. These tools help in migrating the mailboxes into PST and at the same time allow accessing them. The mailboxes are blocked only at the final stage of migration. But this is time-consuming and generally not preferred for seizing evidence.
Testing Mailbox Audit Log
The name “Private Store” itself suggests that the data saved in it is restricted for sharing. To ensure that no delegate user accesses the mailbox or performs any undesired activity on it, mailbox owners prefer to enable the mailbox auditing option. However, this facility is controlled by the administrator.
While this option will keep a track of who accessed the mailbox with details like IP address, hostname, and which client used to access the mailbox, it allows restricting delegate users to access, move or delete an item.
This built-in facility in Exchange Server can be of great help but only when mailbox auditing is enabled. This log will be available in the “Audits Subfolder” of the Recoverable Items Folder (Dumpster). By default, the entries in the log are preserved only for 90 days which can be increased by the administrator as per the requirement.
Exchange in Virtual Environment
From Exchange Server 2007, immense support for virtualization is provided to organizations. Some of the popular applications that help in creating a virtual environment for Exchange Server are VMware, Hyper-V etc. In that scenario, the database gets saved on Virtual Hard Disks in different file formats.
Although, the database gets saved in EDB file format only but is packed in files like VHD, VMDK etc. To overcome the challenge of dismounting the virtual hard disk files and mounting them to a different environment with the same configuration, the idea adopted is to extract the EDB file data into PST from VHD/VMDK files. This can be done through applications like Virtual Machine Email Recovery software.
These are some of the tricks that can prove beneficial in collecting the Exchange databases for eDiscovery. The evidence thus collected can be further investigated to bring the criminals to justice.