May 08, 2008

"F" Is for Forensic: Exchange Server Investigations


Forensics have come a long way. Formerly the domain of medical examiners and police crime labs, we now have all sorts of forensic occupations. Forensic accountants analyze financial records of companies to gather evidence of crime; forensic engineers recreate situations such as bridge collapses to figure out what happened. Forensics have become a mainstay of popular culture, leading to widespread public familiarity with some aspects of forensic science. Law enforcement professionals have a phrase for this phenomenon, "the CSI effect," referring to the tendency of amateurs to have inappropriately high expectations for crime solving because of what they see on TV shows such as the popular CSI: Crime Scene Investigation.

Sadly, the CSI effect is alive and well when it comes to Exchange Server organizations. There are several common circumstances where Exchange data collection might be required, such as recovering mailbox data of users who have left a company, performing internal investigations, and capturing data pursuant to subpoenas or other legal demands. These circumstances each have somewhat different characteristics:

  • If you're recovering a former employee's mailbox, your interest is typically just in getting the mail data; metadata such as read/unread status isn't as important, and there's usually no legal requirement to preserve a chain of custody.
  • For internal company investigations, the goal is usually to copy some data from a target mailbox without the target becoming aware of it. Sometimes you need a way to search multiple mailboxes and export the results, again without tipping off the targets or changing any data.
  • For responding to subpoenas or other legal or regulatory demands, you typically need a way to gather all the requested data without altering anything, as well as proving that you retrieved all the data you were asked for. These requests frequently require cross-mailbox searching.

Interestingly, the most commonly used Exchange forensic tool is (drum roll, please) the venerable Exchange Server Mailbox Merge Wizard, commonly known as ExMerge. This utility has the virtue of being very well understood in the Exchange community, and it provides a fairly robust way to move mailbox data and metadata into a PST file. Its logging options are adequate, provided you increase logging above the default level. It doesn't offer any way to search mailboxes, though, which makes it hard to be sure you’ve captured all the content required for your collection.

The Exchange Server 2007 Move-Mailbox cmdlet, run from the Exchange Management Shell, solves the search problem by offering a way to search multiple mailboxes for content and then extract the matching messages to a PST file. This method addresses the most common needs of all three cases listed above. As a bonus, Move-Mailbox is both faster and more robust than the ExMerge engine, and you can use it even if you don't have any Exchange 2007 servers deployed. To do so, install the Exchange 2007 management tools on a workstation (not on your Exchange 2003 servers!) along with the Exchange 2007 prerequisites, including Windows PowerShell 1.0 and the .NET Framework 2.0.

The larger question is what best practices are appropriate for performing forensic collections on Exchange servers. There are lots of best practices for conventional forensic data recoveries using tools such as Guidance Software's EnCase eDiscovery. However, many Exchange administrators don't know the common rules of computer forensics, and many of the people who do know those rules don't know much about Exchange. I'm interested in hearing what has, and hasn't, worked well for you during forensic collections—drop me a note at probichaux@windowsITpro.com to let me know, and I'll summarize the results in a future column.
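As an added example (not code from the column), the script below carries out the cross-mailbox keyword collection described above and then records a SHA-256 manifest of what was produced, which is the piece most needed when you must later prove what was collected and that it has not changed. It assumes the Exchange 2007 SP1 management tools on a 32-bit workstation with Outlook installed (PST export requires this) and the Export-Mailbox cmdlet with its -ContentKeywords and -PSTFolderPath parameters, which is the PST-export counterpart of the Move-Mailbox cmdlet the column names; the keywords, OU and output folder are constructed placeholders.

```powershell
# Added example: keyword collection across mailboxes into per-mailbox PSTs,
# followed by a SHA-256 manifest so the collection can be verified later.
# Assumes Exchange 2007 SP1 tools and Export-Mailbox with -ContentKeywords
# and -PSTFolderPath (check parameter names against your installed version).
param(
    [string[]]$Keywords = @("project-x"),              # constructed sample criteria
    [string]  $OU       = "contoso.com/Finance",       # hypothetical scope
    [string]  $OutDir   = "E:\Collections\Case-0001",  # hypothetical evidence folder
    [string]  $Operator = $env:USERNAME
)

$manifest = Join-Path $OutDir "manifest.txt"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-Sha256Hex([string]$path) {
    # .NET hashing works on PowerShell 1.0; Get-FileHash did not exist yet,
    # and try/finally is avoided because 1.0 lacks it.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    $hex = [BitConverter]::ToString($sha.ComputeHash($fs)) -replace "-", ""
    $fs.Close()
    return $hex
}

Add-Content $manifest ("# collection started {0} by {1}; keywords: {2}" -f `
    (Get-Date -Format u), $Operator, ($Keywords -join ", "))

foreach ($mbx in (Get-Mailbox -OrganizationalUnit $OU -ResultSize Unlimited)) {
    $alias = $mbx.Alias
    # One PST per mailbox; Export-Mailbox is assumed to name the file <alias>.pst.
    Export-Mailbox -Identity $mbx.Identity -PSTFolderPath $OutDir `
        -ContentKeywords $Keywords -Confirm:$false

    $pst = Join-Path $OutDir ($alias + ".pst")
    if (Test-Path $pst) {
        $line = "{0}`t{1}`t{2}`t{3}" -f (Get-Date -Format u), $alias, `
            (Get-Item $pst).Length, (Get-Sha256Hex $pst)
    } else {
        # No output file is still a result worth recording: it shows the
        # mailbox was searched.
        $line = "{0}`t{1}`tNO-OUTPUT" -f (Get-Date -Format u), $alias
    }
    Add-Content $manifest $line
}

# Hash the manifest itself last and store that value separately; written on the
# chain-of-custody form, it anchors every PST hash above.
Add-Content (Join-Path $OutDir "manifest.sha256") (Get-Sha256Hex $manifest)
```

Run it under the account that holds the Exchange permissions for the target mailboxes, and keep the manifest and its hash with the evidence rather than on the workstation that produced them.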




Reader Comments
This article is useless for "real world" email recovery and discovery in an enterprise setting for forensic purposes.
In the real world you would need to recover individual mailboxes in .PST format from numerous backups of the Exchange Database going back many years and then use discovery tools to search on specific criteria, for example "Enron", "Jeffrey Skilling", "Arthur Anderson", "etc...".
There are numerous tools on the market that are used for this specific purpose and, believe me, I was hoping to see the "Pros" and "Cons" specific to these tools at least mentioned in your article.
Good article for the novice who wants to recover an email from last week, but won't help anyone who is serious about retrieving sensitive email for any real investigation.

calbert_1999 May 10, 2008


In cases that require "enterprise setting" forensic recoveries, 99% of the customers I've encountered go to an outside firm with specialized expertise and tools. My goal wasn't to teach anyone how to conduct these very complex, and legally fraught, operations ab initio. Sorry you took it that way.

The last paragraph is really the most important one in the column because there are so few standards on what constitutes a forensically acceptable collection. For example, compare what your average forensic investigator knows about, looks at, and expects from logs from a disk copy vs. e-mail collection logs.

paulrobichaux May 12, 2008


A new way to promote a good digital chain of custody is to authenticate records with a voice signature (http://hack-igations.blogspot.com/2008/04/text-message-investigations.html). A voice signature can help show who collected the evidence, when it was collected, and that it has not changed since collection. --Ben

benjaminwright May 12, 2008

