
Any Way To Open EDB Files Outside Exchange For Forensic Search?

Carl Wilson | May 20th, 2015 | Email Forensics

With the growing number of cyber crimes in the recent past, the IT staff of enterprises deploying Exchange servers are highly concerned about the security of their servers. But once a crime is committed, the only option to get hold of the culprit is to seek help from forensic investigators. One of the crucial and primary steps in the whole process is getting access to the Exchange Server through which the crime has been committed. The best way to extract the maximum evidence is to examine the mounted EDB mailboxes in the live Exchange Server environment. But getting access to and opening EDB files in Exchange Server at times proves more challenging than the whole investigation process itself. Owing to the reluctance of organizations to let forensic investigators peek into the Exchange environment, examiners choose to open EDB files outside Exchange Server.

Barriers In Analyzing Mounted EDB Files

The disinclination of Exchange server administrators (if on the suspect's end) is the biggest barrier to effective analysis of mounted EDB files. Other issues that an Exchange forensic investigator may face while investigating mounted EDB files are:

  • Email Evidence Spoliation

In cases where a particular crime has been instigated via Exchange server, the foremost necessity is to get the exact state of the server database. Conducting forensic analysis on a live Exchange server increases the risk of tampering with crime evidence. Any tampering with the database by current Exchange server users may lead to email evidence spoliation. This fiddling with the database is, in most cases, done deliberately to wipe out crucial artifacts. Therefore, forensic investigators prefer searching for artifacts in EDB files that are in a dismounted state.

  • No Facility To Search Inside EDB Files

Additionally, accessing mounted EDB files does not enable users to search for particular evidence in the mailboxes. Forensic investigation requires evidence to be collected in the least possible time, so search options help narrow the investigation down to the required data. Unfortunately, this facility is not available while analyzing EDB files in a mounted state.

Advantages Of Accessing EDB Files In Dismounted State

The foremost advantage of opening EDB files outside Exchange is the elimination of the email evidence spoliation factor. Once an investigator gets hold of the EDB file, there is no room for any tampering with the evidence. This holds if and only if the EDB files are dismounted as soon as the crime has been reported. A complete analysis of the file can be carried out without worrying about the changes that could otherwise have been made in the mounted state. Therefore, accessing EDB files in a dismounted state ensures that the evidence collected is true to the best knowledge of the investigators and has not been tampered with.

To enable forensic investigators to obtain the most evidence in the least time, we have developed a solution that assists in doing so. Exchange EDB Viewer is the result of our consideration of the above issues and has been designed on the basis of our experts' experience. The tool is the most optimized solution to carry out Exchange Database Forensics.

Search Within Dismounted EDB Files With Exchange EDB Viewer

Exchange EDB Viewer is one of the most prominent and exemplary tools developed to enhance the complete investigation process of dismounted EDB files. With its search option, the tool narrows the database down to the specific area of interest to forensic examiners. It is a perfect solution to open EDB files outside the Exchange server environment.


NOTE: The search feature is available with the full version of the tool.

The Search option makes it possible to search for emails containing a particular keyword. This not only helps focus on the relevant mails, but also saves time that would otherwise have been wasted.


The software also offers several different Views in which the mails of EDB files can be viewed. The different views enable forensic experts to carefully examine each and every artifact from the emails of dismounted EDB files.

Exchange EDB Viewer helps examiners recover the mailboxes of EDB files that have been corrupted deliberately or by accident. The advance scan makes it possible to access data from an EDB file even if the level of corruption is very high.

Conclusion

With its plethora of features, Exchange EDB Viewer is one of the best tools that can be deployed for efficient examination and forensic investigation of EDB files in a dismounted state. The search option is one of the best options that the application offers to access EDB files that are dismounted from Exchange Server.