E-mail Forensics in a Corporate Exchange Environment (Part 2)

If you would like to read the other parts in this article series please go to:

Message Tracking Logs

Message Tracking is an Exchange feature that records log files of e-mail traffic as messages travel between mailboxes within the organization. These logs help track message flow as they provide information about the path the message has taken as it makes its way through Exchange as well as information regarding the sender, recipient, message subject, and date and time. They can also be used to troubleshoot issues related to mail flow, produce reports, or to even analyze e-mail traffic patterns.

Although only available in Exchange on-premises, Exchange Online has a similar feature called Message Trace which provides similar information.

While with Exchange 2000 and 2003 message tracking had to be manually enabled, since the 2007 version it is enabled by default to record the last 30 days of e-mail activity. This is a feature of the Transport Service and since every single message has to go through this service even if the sender and recipient are on the same mailbox server, it becomes easy for Exchange to record information regarding e-mail flow.

First we need to check the current status of message tracking on all transport servers so we can verify if information regarding the e-mail(s) being investigated was logged. By using the Exchange Management Shell, we run the following cmdlet:

Figure 2.1: Checking Message Tracking Log Settings

As we can see, MessageTrackingLogEnabled is set to True and MessageTrackingLogMaxAge is set to 30 days, meaning that information regarding every e-mail flowing through the Exchange organization is being logged and kept for 30 days.

An important property to note here is MessageTrackingLogMaxDirectorySize, which is set to approximately 1GB by default. If there is a huge amount of e-mail traffic in the organization, it is possible that these logs will take more than 1GB of space, in which case Exchange starts deleting older logs in order to keep the folder maximum size to 1GB. This means that there might be less than 30 days’ worth of data kept in these logs.

Scenario 1 – Drinks. Let us assume that, in this case, Offender sent the following innocuous e-mail but Victim changed the body of that e-mail to a different message in order to frame Offender.

Figure 2.2: Original Innocent E-mail

If message tracking is enabled and keeping logs that cover the time period we are interested in for the investigation, then we can start looking for our message using the Get-MessageTrackingLog cmdlet:

Figure 2.3: Gathering Data using Message Tracking Logs

As we can see from the screenshot above, Offender sent an e-mail at “27/04/2013 15:36:11” to the user Victim with the subject Drinks. This e-mail is first identified by the EventId of RECEIVE, meaning Exchange received the e-mail from the user. The Mail Submission service then successfully notified a Hub Transport server that the message is awaiting submission in the mailbox store (EventId SUBMIT), and finally the message was delivered to the recipients’ mailbox (EventId DELIVER).

The problem here is that these logs do not contain the body of the e-mail itself. As such, at this stage we can only prove that an e-mail was sent and delivered by the two parties involved.


eDiscovery helps organizations perform discovery searches for relevant content within users’ mailboxes. This may be a requirement by an organizational policy, compliance or even a lawsuit for example.

To perform an eDiscovery search in Exchange, administrators use a feature called Multi Mailbox Search in Exchange 2010 or In-Place eDiscovery in Exchange 2013. These features are able to search one or more mailboxes for items (e-mails, calendar appointments, tasks, etc.) that match keywords specified. It is also possible to narrow the search to a specific period of time, allowing the search to perform much quicker and to reduce the number of false-positive matches.

In order for eDiscovery to be useful for an investigation, one of the follow requisites needs to be meet:

  • Single Item Recovery is enabled for the mailboxes being investigated and the retention period (14 days by default) has not yet passed;
  • Mailboxes being investigated were placed on Litigation Hold or in-Place Hold before the e-mail was sent/received and are still on Litigation Hold at the time of the investigation.

If one of these conditions is met, then an administrator can recover any deleted e-mail from users’ mailboxes (discounting the fact that they can possibly be on backup). Possibly more important in some scenarios, is using these features on the victim’s mailbox. Because a copy of every item modified is also kept when these are manually edited, this allows the investigator to determine if the victim tampered with the received e-mail in order to frame someone or gain advantage of a situation.

Litigation Hold, the hold feature introduced in Exchange 2010 to preserve data for eDiscovery, is still available in Exchange 2013 and on the new version of Exchange Online (based on Exchange 2013). Whereas In-Place Hold provides granular hold capability based on query parameters, hold period and the ability to place a mailbox on multiple holds, litigation hold only allows changing to place all items on hold indefinitely or until hold is removed.

All these features have already been discussed in previous MSExchange.org articles, so I will not cover them here and will assume the reader is familiar with how they work. For more details, please refer to:

If hold or single item recovery is enabled on mailboxes being investigated, they can prove invaluable for the investigation as they can retain any deleted or tampered e-mails until the investigation is complete or the administrator decides otherwise. Assuming this is the case, let us see how to take advantage of these features.

Scenario 1 – Drinks. Let us continue with this scenario where Offender sent an innocuous e-mail but Victim changed the body of that e-mail to a different message in order to frame him.

Assuming Hold was enabled when the e-mail was received and that it is still enabled, we can perform an eDiscovery search on the victim’s mailbox to gather all items relevant to the investigation.

When we open the results of our search of the Victim’s mailbox, we see the search found two items: the altered e-mail in the user’s Inbox folder and a saved copy in the Versions special folder (because Hold was enabled when the user modified the e-mail). We can see that the From, Subject and Received fields are identical. However, the Size and, more importantly, the Body are not:

Figure 2.4: Tampered E-mail

Figure 2.5: Original Innocent E-mail

Hold and Single Item Recovery are two features crucial for any investigation. They allow not only the recovery of any deleted item, but also to easily check if items have been tampered with. If we were looking for a deleted e-mail, the procedure would have been identical but the original e-mail(s) would be located in the Purges special folder instead.


In this second part of our article, we started to look at extracting data using Exchange features, namely using Message Tracking Logs and eDiscovery. In the next article, we will use Mailbox and Administrator Auditing.

If you would like to read the other parts in this article series please go to:

Nuno Mota

Nuno Mota is an Exchange MVP working as a Microsoft Messaging Specialist for a financial institution. He is passionate about Exchange, Lync, Active Directory, PowerShell, and Security. Besides writing his personal Exchange blog, LetsExchange.blogspot.com, he regularly participates in the Exchange TechNet forums and is the author of the book “Microsoft Exchange Server 2013 High Availability.”

Published by
Nuno Mota

Recent Posts

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

2 days ago

Why SMBs need a standalone solution for Windows 10 patch management

Is patch management for the Windows PCs at your business driving you crazy? Maybe there's…

2 days ago

Microsoft Teams guest access: How to enable and manage it

Two of the main factors that affect the total cost of an organization’s Microsoft 365…

2 days ago

Samsung Galaxy Unpacked 2020: Everything you need to know

Samsung rolled out the all-new Galaxy Z Fold 2, Note 20, Note 20 Ultra handsets…

3 days ago

SAN vs. NAS: Detailed comparison of these two storage technologies

SAN and NAS provide dedicated storage for a group of users using completely different approaches…

3 days ago

Generation 1 virtual machines: Modernize them and bring them up to date

In many companies, Generation 1 virtual machines have been superseded by Gen 2 VMs. But…

3 days ago