E-mail Forensics in a Corporate Exchange Environment (Part 1)

If you would like to read the other parts in this article series please go to:


E-mail is the most utilized form of communication for businesses and individuals nowadays, and a critical system for any organization. From meeting requests to the distribution of documents and general conversation, it is very hard, if not impossible, to find an organization of any size that does not rely on e-mail. A report from the market research firm Radicati Group, states that in 2011 there were 3.1 billion active e-mail accounts in the world (an increase of 5% over 2010). The report also noted that corporate employees sent and received 105 e-mails a day on average. Royal Pingdom, which monitors the Internet usage, stated that in 2010, 107 trillion e-mails were sent. That is 294 billion e-mails sent per day! With a quarter of the average worker’s day spent in reading and replying to e-mails, it is easy to see the importance of e-mail in today’s world.

Unfortunately, e-mail communication is often exposed to illegitimate uses due to mainly two inherent limitations:

  1. There is rarely no encryption at the sender end and/or integrity checks at the recipient end;
  2. The widely used e-mail protocol Simple Mail Transfer Protocol [SMTP] lacks a source authentication mechanism. Worse, the metadata in the header of an e-mail which contains information about the sender and the path which the message travelled can easily be forged.

Some common examples of these illegitimate uses are spam, phishing, cyber bullying, racial abuse, disclosure of confidential information, child pornography and sexual harassment. In the vast majority of these e-mail cybercrimes the tactics used vary from simple anonymity to impersonation and identity theft.

Although there have been many attempts into securing e-mail systems, most are still inadequately secured. Installing antiviruses, filters, firewalls and scanners is simply not enough to secure e-mail communications. Most companies have a good e-mail policy in place, but it is not enough to prevent users from breaching it and, as such, monitoring is put in place in case the need for investigation arises. However, in some cases all of this does not provide the information needed… This is why Forensic Analysis plays a major role by examining suspected e-mail accounts in an attempt to gather evidence to prosecute criminals in the court of law. To achieve this, a forensic investigator needs efficient tools and techniques to perform the analysis with a high degree of accuracy and in a timely fashion.

Businesses often depend on forensics analysis to prove their innocence in a lawsuit or to establish if a particular user disclosed private information for example. When someone or even the whole company is being investigated, it is imperative that all information is thoroughly analyzed as offenders will always use dubious methods in order to not get caught.

Scenario Information

To help exploring situations where users misuse an e-mail system and a forensics investigator is performing analysis on the system to determine what exactly happened, three fictional scenarios were created and used throughout this article:

Scenario E-mail   Subject Offender   Innocent? Notes
1 – Drinks Drinks Yes Victim changed e-mail body in order to frame offender.
2 – Lunch Lunch? No Offender sends inappropriate e-mail to victim.
3 – Dinner Dinner Tonight Yes E-mail with inappropriate content sent to victim by hacker using SendAs permissions to impersonate Offender.

Table 1

Involved in these scenarios are three fictional characters whose names also categorize their role:

  • Offender – a user who sent an inappropriate e-mail to a work colleague (Victim);
  • Victim – in scenarios 2 and 3, this user received inappropriate e-mails. In scenario 1 she is actually the criminal pretending to be a victim;
  • Hacker – a user who managed to gain access to Offender’s mailbox and sent an inappropriate e-mail to Victim (could simply be co-worker).

Identification and Extraction of Data

The first steps in any e-mail investigation are to identify all the potential sources of information and how e-mail servers and clients are used in the organization. These servers are no longer just to send and receive simple messages. They have expanded into full databases, document repositories, contact and calendar managers with many other uses. Organizations use these powerful messaging servers to manage workflow, communicate with employees and customers, and to share data. A skilled e-mail forensic investigator will identify how the messaging system is being used far beyond e-mail, as an investigation often involves other items such as calendar appointments, for example.

Forensic analysis of a messaging system often produces significant information about users and the organization itself. Nowadays this is much more than simply looking at e-mail messages.

Exchange Analysis

Every Exchange forensic analysis should start on the Exchange system itself. If the required information is not available on Exchange, then a deeper analysis at the client side is typically performed.

Laptop, desktop and servers once played a supporting role in the corporate environment: shutting them down for traditional forensic imaging tended to have only a minor impact on the company. However, in today’s business environment, shutting down servers can have tremendously negative impacts on the company. In many instances, the company’s servers are not just supporting the business – they are the business. The availability of software tools and methodologies capable of preserving data from live, running servers means that it is no longer absolutely necessary to shut down a production e-mail server in order to preserve data from it. A good set of tools and a sound methodology allow investigators to strike a balance between the requirements for a forensically sound preservation process and the business imperative of minimizing impact on normal operations during the preservation process.

To preserve e-mail from a live Microsoft Exchange server, forensic investigators typically take one of several different approaches, depending on the characteristics of the misuse being investigated. Those approaches might include:

  • Exporting a copy of a mailbox from the server using the Microsoft Outlook e-mail client, the Exchange Management Shell or a specialized 3rd-party tool;
  • Obtaining a backup copy of the entire Exchange Server database from a properly created full backup of the server;
  • Temporarily bringing the Exchange database(s) offline to create a copy;
  • Using specialised software such as F-Response or EnCase Enterprise to access a live Exchange server over the network and copying either individual mailboxes or an entire Exchange database file.

Each approach has its advantages and disadvantages. When exporting a mailbox, some e-mail properties get updated with the date and time of the export, which in certain cases means the loss of important information as we shall see.

One of the most complete collections from an Exchange server is to collect a copy of the mailbox database files. The main advantage in this case is that the process preserves and collects all e-mail in the store for all users with accounts on the server. If during the course of the investigation it becomes apparent that new users should be added to the investigation, then those users’ mailboxes have already been preserved and collected.

Traditionally, the collection of these files from live servers would require shutting down e-mail server services for a period of time because files that are open for access by Exchange cannot typically be copied from the server. This temporary shutdown can have a negative impact on the company and the productivity of its employees. In some cases, a process like this is scheduled to be done out of hours or over a weekend to further minimize impact on the company.

Some 3rd-party software utilities can also be used to access the live Exchange server over the network and to preserve copies of the files comprising the information store.

Another approach to collecting mailbox database files is to collect a recent full backup of Exchange, if there is one. Once these files are preserved and collected, there are a number of 3rd-party utilities on the market today that can extract mailboxes from them, such as Kernel Exchange EDB Viewer or Kernel EDB to PST.

A different approach that is becoming more and more important, is to use features of Exchange to perform the investigation. Exchange has a number of features such as audit logs or In-Place Hold that help, amongst other purposes, the investigation of misuse by keeping a data intact and a detailed log of actions performed in the messaging system.


In the first part of this article series, we looked at the importance of e-mail and forensics investigation, the scenarios we will be using, and how data is often collected and preserved from an Exchange environment. In the next article we will start looking at extracting data using Exchange features.

If you would like to read the other parts in this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top