If you would like to read the other parts in this article series please go to:
Although nowadays a great part of an investigation is done at the Exchange server level, there might be situations where a forensics investigator needs to analyze e-mail clients in order to collect evidence.
E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive e-mails, manage newsgroups and organize helpful information in contacts and calendars. Outlook is probably the most common e-mail client in any organization. It is part of the Microsoft Office suite and provides a platform for e-mail management. The primary data file types associated with Outlook are the personal data file (.PST) and the offline data file (.OST). These PST and OST files contain a user’s e-mail, calendar, contacts and other data that allow Outlook to function effectively for the user.
There are many ways for an investigator to get to the data within a PST or OST file. Perhaps the easiest is to add a PST file into Outlook on a forensic workstation. Once the PST file is opened, the investigator can access and view the user’s mail and other Outlook items as if they were the user. If the PST is password protected, this is obviously more of a challenge, but there are numerous tools available for cracking PST passwords. Other than Outlook itself, virtually any forensic suite processes Outlook data files for viewing and searching by the investigator.
Furthermore, the advantage of using a forensic suite to parse e-mail is that many of them can recover deleted items from the unallocated space within the PST or OST file. Outlook data files have their own structures, similar to their own file systems, complete with unallocated space in which investigators can find snippets of deleted conversations and even entire messages.
It is also very important to understand two different methods of operation in Outlook: online and cached mode. When Outlook is configured to use Cached Exchange Mode, Outlook works from a local copy of a user's Exchange mailbox that is stored in an OST file on the user's computer. The cached mailbox is updated periodically from Exchange. Cached Exchange Mode was introduced in Outlook 2003 to provide users a better online and offline experience as cached mode lets users move between connected and disconnected environments without interrupting their experience in Outlook. Also, it protects users from network latency and connectivity issues while they are using Outlook.
In contrast, Online Mode works by using information directly from the Exchange server. When new information is required in Outlook, a request is made to the server and the information is displayed. Mailbox data is only cached in memory and never written to disk. Therefore, if the user experiences any network issues that prevent the connection to Exchange, it becomes impossible to access any mailbox data.
It is not the purpose of this article to teach how to use expensive commercial forensic tools, but to explain how to perform a forensics investigation using Exchange itself and a tool called MFCMapi.
Scenario 1 – Drinks
In the following sections let us continue with this scenario where Offender sent an innocuous e-mail but Victim changed the body of that e-mail to a different message in order to frame Offender.
The Microsoft Exchange Server MAPI Editor Tool is basically a MAPI client which allows administrators or forensic investigators to view or set details about a user's message storage files. MAPI Editor is usually used for troubleshooting purposes as it provides a view of the low-level contents (raw data) of the Exchange storage databases. Although this tool is mainly used on live Exchange data, it can also be used to work on PST or OST files, making it very useful in any forensics investigation.
In order to use MFCMapi, Outlook also needs to be installed on the same machine, because MFCMapi makes use of the Outlook API.
This is a powerful tool whereby users can change raw data. Changes to data may be difficult to reverse. This tool enables changing data to something that is not valid or to corrupted data. This can be difficult or impossible to recover from. This tool is reserved for professionals who understand how MAPI and Exchange work and should not be used carelessly.
Exporting Mailbox to PST
One of the first tasks when investigating a user’s mailbox is typically to perform a backup of the mailbox so that an intact copy of it can be kept safe and unaltered. A common approach is for administrators to export the entire mailbox to a PST file using the Exchange Management Shell and the New-MailboxExportRequest cmdlet:
Figure 4.1: Exporting Mailbox to PST
When exporting a mailbox to a PST file using this method, it is very important to not use the ExcludeDumpster parameter, which specifies whether to exclude the Recoverable Items folder. By not specifying it, the PST file will include the Recoverable Items folder with the Deletions, Versions and Purges subfolders.
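The export procedure described above, written out as an added example; it is not code from the original article, whose Figure 4.1 screenshot is not reproduced here. The mailbox alias, UNC share and request name are constructed placeholders, and the target path must be a UNC share that the Exchange Trusted Subsystem group can write to.

```powershell
# Added example, not from the original article. Assumed (constructed) names:
# mailbox alias 'victim', evidence share \\FS01\Evidence, request name 'CASE-001-victim'.
# Run in the Exchange Management Shell by an account holding the
# "Mailbox Import Export" management role.
$Mailbox = 'victim'
$PstPath = '\\FS01\Evidence\CASE-001\victim.pst'
$ReqName = 'CASE-001-victim'

# 1. Record whether the mailbox was preserving original versions at all.
Get-Mailbox -Identity $Mailbox |
    Format-List DisplayName, SingleItemRecoveryEnabled, LitigationHoldEnabled

# 2. Record what Recoverable Items (Deletions, Versions, Purges) holds before the export.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Format-Table Name, ItemsInFolder, FolderSize -AutoSize

# 3. Export the whole mailbox. -ExcludeDumpster is deliberately NOT passed,
#    so the Recoverable Items folder is written to the PST as well.
New-MailboxExportRequest -Name $ReqName -Mailbox $Mailbox -FilePath $PstPath

# 4. Poll until the request leaves the queue and finishes (or fails).
do {
    Start-Sleep -Seconds 30
    $req = Get-MailboxExportRequest -Mailbox $Mailbox -Name $ReqName
} while ([string]$req.Status -in 'Queued', 'InProgress')

# 5. Keep the outcome for the case notes; stop here if the export did not complete.
$req | Get-MailboxExportRequestStatistics |
    Format-List Status, PercentComplete, ItemsTransferred, BadItemsEncountered
if ([string]$req.Status -ne 'Completed') {
    throw "Export request '$ReqName' ended with status $($req.Status)"
}

# 6. Fingerprint the evidence copy and mark it read-only. Analyse working
#    copies only, and compare their SHA-256 hash against this recorded value.
Get-FileHash -Path $PstPath -Algorithm SHA256 | Format-List Algorithm, Hash, Path
Set-ItemProperty -Path $PstPath -Name IsReadOnly -Value $true
```

Comparing the item counts from step 2 with what the Recoverable Items folder shows once the PST is opened confirms that Deletions, Versions and Purges made it into the export.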
Using Exchange together with the Litigation Hold and eDiscovery features, we have already proved that the original e-mail was tampered with in order to make it look like Offender was guilty of harassment. But what if the forensics investigator does not have access to Exchange to perform the eDiscovery search? As long as Litigation Hold or Single Item Recovery was enabled when the e-mail was changed, and the administrator exported the mailbox to a PST file without excluding the Recoverable Items folder, the PST file that the forensics investigator opens will contain this folder with the original version of every altered or deleted e-mail:
Figure 4.2: Recoverable Items Folder in PST with Original Unaltered E-mail
As can be seen from the screenshot above, the mailbox to PST export also included the Recoverable Items folder in the PST file, allowing easy access to it by the investigator. In this case, we can see the Deletions, Purges and Versions subfolders where, in the last one, the original unaltered e-mail is located.
Using MFCMapi, we can open the user’s mailbox directly from Exchange (which requires FullAccess permissions to the mailbox) or we can open the PST file itself. MFCMapi gives the investigator access to every single item in the mailbox/PST, including hundreds of item properties not visible through Outlook or other tools.
The above could also be checked using MFCMapi to access the Recoverable Items folder:
Figure 4.3: Versions Special Folder in MFCMapi
By navigating to Recoverable Items and then selecting the Versions subfolder (as we are looking for a modified e-mail), we can get access to the entire content of the folder. To do so, right-click on the Versions folder and select Open Contents Table. This will open a new MFCMapi window with all the existing items in this folder:
Figure 4.4: E-mails in Versions Special Folder
We can now right-click on the e-mail with the subject “Drinks” and select Open message to open the e-mail itself:
Figure 4.5: Opening E-mail in Versions Special Folder
Figure 4.6: Unaltered E-mail in Versions Special Folder
This way we have now recovered the original e-mail sent from Offender to Victim. By comparing it to the current e-mail in the Victim’s inbox (or just by the fact it is in this folder), we can prove that it was indeed altered.
The investigator can easily export this e-mail by selecting the Export message... option in the menu shown in Figure 4.5.
However, a problem might arise where either the administrator did not include the Recoverable Items folder in the mailbox export, or Litigation Hold or Single Item Recovery were not enabled for the mailbox when the e-mail was altered.
In this part of our article series we started to look at extracting data directly from Outlook or from a PST file. In the next and final part, we will continue with this approach.