E-mail Forensics in a Corporate Exchange Environment (Part 4)

If you would like to read the other parts in this article series please go to:

Outlook Analysis

Although nowadays a great part of an investigation is done at the Exchange server level, there might be situations where a forensics investigator needs to analyze e-mail clients in order to collect evidence.

E-mail clients, such as Microsoft Outlook and Outlook Express, enable users to send and receive e-mails, manage newsgroups and organize helpful information in contacts and calendars. Outlook is probably the most common e-mail client in any organization. It is part of the Microsoft Office suite and provides a platform for e-mail management. The primary data file types associated with Outlook are personal data file (.PST) and offline data file (.OST) files. These PST and OST files contain a user’s e-mail, calendar, contacts and other data that allows Outlook to function effectively for the user. There is a wide variety of different ways for an investigator to get to the data within a PST or OST file. Perhaps the easiest is to add a PST file into Outlook on a forensic workstation. Once the PST file is opened, the investigator can access and view the user’s mail and other Outlook items as if he was the user himself. If the PST is password protected, this is obviously more of a challenge, but there are numerous tools available for cracking PST passwords. Other than Outlook itself, virtually any forensic suite processes Outlook data files for viewing and searching by the investigator.

Furthermore, the advantage of using a forensic suite to parse e-mail is that many of them can recover deleted items from the unallocated space within the PST or OST file. Outlook data files have their own structures, similar to their own file systems, complete with unallocated space in which investigators can find snippets of deleted conversations and even entire messages.

It is also very important to understand two different methods of operation in Outlook: online and cached mode. When Outlook is configured to use Cached Exchange Mode, Outlook works from a local copy of a user's Exchange mailbox that is stored in an OST file on the user's computer. The cached mailbox is updated periodically from Exchange. Cached Exchange Mode was introduced in Outlook 2003 to provide users a better online and offline experience as cached mode lets users move between connected and disconnected environments without interrupting their experience in Outlook. Also, it protects users from network latency and connectivity issues while they are using Outlook.

In contrast, Online Mode works by using information directly from the Exchange server. When new information is required in Outlook, a request is made to the server and the information is displayed. Mailbox data is only cached in memory and never written to disk. Therefore, if the user experiences any network issues that prevent the connection to Exchange, it becomes impossible to access any mailbox data.

It is not the purpose of this article to teach how to use expensive commercial forensic tools, but to explain how to perform a forensics investigation using Exchange itself and a tool called MFCMapi.
Scenario 1 – Drinks. In the following sections let us continue with this scenario where Offender sent an innocuous e-mail but Victim changed the body of that e-mail to a different message in order to frame Offender.


The Microsoft Exchange Server MAPI Editor Tool is basically a MAPI client which allows administrators or forensic investigators to view or set details about a user's message storage files. MAPI Editor is usually used for troubleshooting purposes as it provides a view of the low-level contents (raw data) of the Exchange storage databases. Although this tool is mainly used on live Exchange data, it can also be used to work on PST or OST files, making it very useful in any forensics investigation.

In order to use MFCMapi, Outlook also needs to be installed on the same machine as MFCMapi makes use of the Outlook API.

This is a powerful tool whereby users can change raw data. Changes to data may be difficult to reverse. This tool enables changing data to something that is not valid or to corrupted data. This can be difficult or impossible to recover from. This tool is reserved for professionals who understand how MAPI and Exchange work and should not be used carelessly.

Exporting Mailbox to PST

One of the first tasks when investigating a user’s mailbox is typically to perform a backup of the mailbox so that an intact copy of it can be kept safe and unaltered. A common approach is for administrators to export the entire mailbox to a PST file using the Exchange Management Shell and the New-MailboxExportRequest cmdlet:

Figure 4.1: Exporting Mailbox to PST

When exporting a mailbox to a PST file using this method, it is very important to not use the ExcludeDumpster parameter, which specifies whether to exclude the Recoverable Items folder. By not specifying it, the PST file will include the Recoverable Items folder with the Deletions, Versions and Purges   subfolders.

E-mail Tampering

Using Exchange together with the Litigation Hold and eDiscovery feature we have already proved that the original e-mail was tampered with in order to make it look like Offender was guilty of harassment. But what if the forensics investigator does not have access to Exchange to perform the eDiscovery search? As long as Litigation Hold or Single Item Recovery were enabled when the e-mail was changed, and the administrator exported the mailbox to a PST file without excluding the Recoverable Items folder, when the forensics investigator accesses the PST file, it will contain this folder with the original versions of every altered or deleted e-mails:

Figure 4.2: Recoverable Items Folder in PST with Original Unaltered E-mail

As it can be seen from the screenshot above, the mailbox to PST export also included the Recoverable Items folder in the PST file, allowing easy access to it by the investigator. In this case, we can see the Deletions, Purges and Versions subfolders where, in the last one, the original unaltered e-mail is located.

Using MFCMapi, we can open the user’s mailbox directly from Exchange (which requires FullAccess permissions to the mailbox) or we can open the PST file itself. MFCMapi gives the investigator access to every single file in the mailbox/PST including hundreds of item properties not visible through Outlook or other tools.

The above could also be checked using MFCMapi to access the Recoverable Items folder:

Figure 4.3: Versions Special Folder in MFCMapi

By navigating to Recoverable Items and then selecting the Versions subfolder (as we are looking for a modified e-mail), we can get access to the entire content of the folder. To do so, right-click on the Versions folder and select Open Contents Table. This will open a new MFCMapi with all the existing items in this folder:

Figure 4.4: E-mails in Versions Special Folder

We can now right-click on the e-mail with the subject “Drinks” and select Open message to open the e-mail itself:

Figure 4.5: Opening E-mail in Versions Special Folder

Figure 4.6: Unaltered E-mail in Versions Special Folder

This way we have now recovered the original e-mail sent from Offender to Victim. By comparing it to the current e-mail in the Victim’s inbox (or just by the fact it is in this folder), we can prove that it was indeed altered.

The investigator can easily export this e-mail by selecting the Export message... option in the menu shown in Figure 4.5.

However, a problem might arise where either the administrator did not include the Recoverable Items folder in the mailbox export, or Litigation Hold or Single Item Recovery were not enabled for the mailbox when the e-mail was altered.


In this part of our article series we started to look at extracting data directly from Outlook or from a PST file. In the next and final part, we will continue with this approach.

If you would like to read the other parts in this article series please go to:

Nuno Mota

Nuno Mota is an Exchange MVP working as a Microsoft Messaging Specialist for a financial institution. He is passionate about Exchange, Lync, Active Directory, PowerShell, and Security. Besides writing his personal Exchange blog, LetsExchange.blogspot.com, he regularly participates in the Exchange TechNet forums and is the author of the book “Microsoft Exchange Server 2013 High Availability.”

Published by
Nuno Mota

Recent Posts

Qumulo raises $125M for cloud data management across a hybrid setup

Qumulo is an up-and-coming data management solution focusing on managing files in a hybrid setup.…

2 days ago

Why SMBs need a standalone solution for Windows 10 patch management

Is patch management for the Windows PCs at your business driving you crazy? Maybe there's…

2 days ago

Microsoft Teams guest access: How to enable and manage it

Two of the main factors that affect the total cost of an organization’s Microsoft 365…

2 days ago

Samsung Galaxy Unpacked 2020: Everything you need to know

Samsung rolled out the all-new Galaxy Z Fold 2, Note 20, Note 20 Ultra handsets…

3 days ago

SAN vs. NAS: Detailed comparison of these two storage technologies

SAN and NAS provide dedicated storage for a group of users using completely different approaches…

3 days ago

Generation 1 virtual machines: Modernize them and bring them up to date

In many companies, Generation 1 virtual machines have been superseded by Gen 2 VMs. But…

3 days ago