process for acquiring single mailboxes from exchange server

(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

What would constitute a forensically sound acquisition of a single user’s mailbox within an Exchange Server mailbox database? Taking the server offline and imaging it is not an option for a number of reasons, so I need to come up with a reasonable compromise for acquiring single user mailboxes, that we could demonstrate hasn’t updated anything in the user’s mailbox as part of the process. Bear in mind these are only ever for internal investigations of employee misuse, typically excessive personal usage of the corporate mail service between staff.

There are numerous features in Exchange such as the New-MailboxExportRequest cmdlet which will create a PST snapshot copy of the mailbox at a point in time, and is absolutely ideal for what we need – but it’s how sound that process is and could it be challenged in terms of updates it may make to the mailbox (pretty confident next to nothing). Just trying to come up with a suitable efficient process without having to image an entire mailbox database server which, as soon as it’s rebooted, will be receiving new mail and sending new mail instantly, so we could never cross-reference the two either. More often than not these reviews take place while the user is still actively employed and still has access to their Exchange mailbox via Outlook or OWA. I’m sure I am not unique in this type of request and would be amazed if people image the whole server hosting the MB database every time, so what have you come up with as a sound alternative process?

 
Posted : 05/10/2017 1:10 pm
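The export route the question describes, written out as a documented, repeatable step. This is an added example and not code posted in the thread: it runs New-MailboxExportRequest for one mailbox, but wraps it with a pre- and post-export snapshot of the mailbox statistics (item counts, per-folder counts, last logon) and a SHA-256 of the resulting PST, so the examiner has something to put in the chain-of-custody log other than "I ran the cmdlet". It assumes the Exchange Management Shell on Exchange 2010 SP1 or later, an account holding the Mailbox Import Export role, and a UNC share the Exchange Trusted Subsystem can write to; the mailbox, share and case identifiers are placeholders.

```powershell
# Added example (not from the thread): export one mailbox to PST with a before/after
# statistics snapshot and a content hash. Run from the Exchange Management Shell.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,      # e.g. user@corp.example (placeholder)
    [string]$ExportShare = '\\evidence01\exports',      # placeholder UNC share
    [string]$CaseId      = 'CASE-0000'                   # placeholder case label
)

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$pstPath = Join-Path $ExportShare ("{0}-{1}-{2}.pst" -f $CaseId, $Mailbox.Split('@')[0], $stamp)
$logPath = "$pstPath.log.txt"

function Write-Log([string]$Message) {
    # Everything the examiner did, with a timestamp, in one file next to the evidence.
    $line = "[{0:u}] {1}" -f (Get-Date), $Message
    Add-Content -Path $logPath -Value $line
    Write-Host $line
}

function Get-MailboxSnapshot([string]$Identity) {
    # Store-level statistics plus per-folder counts. These cmdlets only read the store.
    $stats   = Get-MailboxStatistics -Identity $Identity
    $folders = Get-MailboxFolderStatistics -Identity $Identity |
               Select-Object FolderPath, ItemsInFolder, FolderSize
    New-Object PSObject -Property @{
        TakenAt          = Get-Date
        ItemCount        = $stats.ItemCount
        DeletedItemCount = $stats.DeletedItemCount
        TotalItemSize    = $stats.TotalItemSize
        LastLogonTime    = $stats.LastLogonTime
        Folders          = $folders
    }
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash so it also works on older shells.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ([BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

$before = Get-MailboxSnapshot $Mailbox
Write-Log ("{0} pre-export: {1} items, {2} deleted, size {3}, last logon {4}" -f `
    $Mailbox, $before.ItemCount, $before.DeletedItemCount, $before.TotalItemSize, $before.LastLogonTime)

# Recoverable Items is included unless -ExcludeDumpster is given, so the default keeps it.
$req = New-MailboxExportRequest -Mailbox $Mailbox -FilePath $pstPath -Name "$CaseId-$stamp"
Write-Log "export request created: $($req.Identity)"

# Poll until the Mailbox Replication Service reports a terminal state.
$terminal = @('Completed', 'CompletedWithWarning', 'Failed')
do {
    Start-Sleep -Seconds 30
    $stat = Get-MailboxExportRequestStatistics -Identity $req.Identity
    Write-Log ("status={0} {1}%" -f $stat.Status, $stat.PercentComplete)
} while ($terminal -notcontains $stat.Status)

if ($stat.Status -eq 'Failed') { throw "Export failed: $($stat.Message)" }

$after = Get-MailboxSnapshot $Mailbox
Write-Log ("{0} post-export: {1} items, {2} deleted, size {3}, last logon {4}" -f `
    $Mailbox, $after.ItemCount, $after.DeletedItemCount, $after.TotalItemSize, $after.LastLogonTime)

# Any per-folder difference is either mail flow / user activity during the export window
# or something the process did; either way it is recorded, not assumed away.
$diff = Compare-Object $before.Folders $after.Folders -Property FolderPath, ItemsInFolder
if ($diff) { $diff | ForEach-Object { Write-Log ("folder delta: {0} {1} {2}" -f $_.SideIndicator, $_.FolderPath, $_.ItemsInFolder) } }
else       { Write-Log 'per-folder item counts unchanged across the export window' }

Write-Log ("PST SHA-256: {0}  ({1})" -f (Get-Sha256Hex $pstPath), $pstPath)
```

The log and the two snapshots are the point: the export itself is a single cmdlet, but the question is whether you can later show what state the mailbox was in when you took the copy and that the copy you hand over is the one you took. The completed request object stays on the server until someone runs Remove-MailboxExportRequest, which is itself worth recording in the same log.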
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

I used to pull the PST from Exchange directly but depended on the version of the EXCH server. They have built-in ways like you mentioned and all that is fine if you document the process you took for chain of custody. 3rd party tools also work fine, but document, etc….

Additionally, check to see if any preservation or retention policies affect your acquisition to make sure you are getting everything within scope.

Finally, if there is access to the EDB backups, local PST or OSTs, then you may want to acquire them as well for additional evidence and validation, too.

 
Posted : 05/10/2017 1:21 pm
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

I used to pull the PST from Exchange directly but depended on the version of the EXCH server. They have built-in ways like you mentioned and all that is fine if you document the process you took for chain of custody. 3rd party tools also work fine, but document, etc….

Additionally, check to see if any preservation or retention policies affect your acquisition to make sure you are getting everything within scope.

Finally, if there is access to the EDB backups, local PST or OSTs, then you may want to acquire them as well for additional evidence and validation, too.

Appreciate the response and pointers. The EDB backups are gigantic unfortunately, but it’s a fair point.

 
Posted : 05/10/2017 1:23 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

Appreciate the response and pointers. the EDB backups are gigantic unfortunately but its a fair point.

One alternative to exporting the mailbox via PowerShell or imaging the server would be to connect to the Exchange Server via Exchange Web Services (EWS) as a client and download the messages. Exporting via PowerShell should generally be faster; but downloading via EWS can be easier to explain in terms of the footprint you leave on the server.

 
Posted : 05/10/2017 9:59 pm
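The client-side alternative described in the post above, as an added example rather than anything gungora posted: a PowerShell script that uses the EWS Managed API to walk every folder under the mailbox root, fetch each item's raw MIME, write it out as a .eml file and record a SHA-256 manifest. The footprint argument rests on the fact that the script only ever issues FindFolders, FindItems and GetItem requests and never calls Update or Delete on anything. It assumes the EWS Managed API 2.2 DLL at its default install path, an account that holds ApplicationImpersonation for the target mailbox, and the placeholder URL, addresses and output directory shown.

```powershell
# Added example (not from the thread): read-only EWS collection of a mailbox as raw MIME
# plus a hash manifest. Only read operations are issued; nothing is updated or deleted.
Add-Type -Path 'C:\Program Files\Microsoft\Exchange\Web Services\2.2\Microsoft.Exchange.WebServices.dll'

$TargetMailbox = 'user@corp.example'                                   # placeholder
$EwsUrl        = 'https://mail.corp.example/EWS/Exchange.asmx'         # placeholder
$OutDir        = 'D:\evidence\CASE-0000\ews'                           # placeholder
$Manifest      = Join-Path $OutDir 'manifest.csv'
$cred          = Get-Credential -Message 'Account holding ApplicationImpersonation'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
Set-Content -Path $Manifest -Value 'sha256,folder,ews_item_id,file'

$service = New-Object Microsoft.Exchange.WebServices.Data.ExchangeService(
    [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$service.Credentials = New-Object Microsoft.Exchange.WebServices.Data.WebCredentials(
    $cred.UserName, $cred.GetNetworkCredential().Password)
$service.Url = New-Object System.Uri($EwsUrl)
# Impersonation lets the collector read the target mailbox without knowing the user's password.
$service.ImpersonatedUserId = New-Object Microsoft.Exchange.WebServices.Data.ImpersonatedUserId(
    [Microsoft.Exchange.WebServices.Data.ConnectingIdType]::SmtpAddress, $TargetMailbox)

$sha = [System.Security.Cryptography.SHA256]::Create()
function Get-Sha256Hex([byte[]]$Bytes) { ([BitConverter]::ToString($sha.ComputeHash($Bytes))).Replace('-', '') }

# Properties requested per item: just the id from FindItems, then MimeContent via GetItem.
$idOnly    = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$mimeProps = New-Object Microsoft.Exchange.WebServices.Data.PropertySet([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
$mimeProps.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::MimeContent)

# Deep traversal from MsgFolderRoot covers the user-visible folder tree.
# Recoverable Items lives under WellKnownFolderName.RecoverableItemsRoot and is not covered here.
$folderView = New-Object Microsoft.Exchange.WebServices.Data.FolderView(1000)
$folderView.Traversal = [Microsoft.Exchange.WebServices.Data.FolderTraversal]::Deep
$folders = $service.FindFolders([Microsoft.Exchange.WebServices.Data.WellKnownFolderName]::MsgFolderRoot, $folderView).Folders

$counter = 0
foreach ($folder in $folders) {
    $view = New-Object Microsoft.Exchange.WebServices.Data.ItemView(200)
    $view.PropertySet = $idOnly
    do {
        $page = $service.FindItems($folder.Id, $view)
        if ($page.Items.Count -gt 0) {
            # One batched GetItem per page instead of one round trip per message.
            $service.LoadPropertiesForItems($page.Items, $mimeProps) | Out-Null
        }
        foreach ($item in $page.Items) {
            if ($item.MimeContent -eq $null) { continue }   # item type with no MIME form
            $counter++
            $bytes = $item.MimeContent.Content
            $file  = Join-Path $OutDir ("{0:D7}.eml" -f $counter)
            [System.IO.File]::WriteAllBytes($file, $bytes)
            Add-Content -Path $Manifest -Value ('{0},"{1}",{2},{3}' -f (Get-Sha256Hex $bytes), $folder.DisplayName, $item.Id.UniqueId, $file)
        }
        $view.Offset += $page.Items.Count
    } while ($page.MoreAvailable)
    Write-Host ("{0}: {1} items reported by server" -f $folder.DisplayName, $folder.TotalCount)
}
Write-Host "collected $counter items; manifest at $Manifest"
```

Two things make this easier to defend than a PowerShell export when the server footprint is the concern: the request types are visible in the EWS logs on the Client Access server, so a reviewer can confirm that only read operations were issued under the impersonating account, and every item is hashed at the moment it leaves the server. The trade-off is exactly the one gungora names: it is slower than a server-side export, and the mailbox is live, so FolderTotalCount versus collected count per folder should be recorded rather than expected to match.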
benfindlay
(@benfindlay)
Posts: 142
Estimable Member
 

There was an excellent presentation at F3 at their 2015 conference about investigating Exchange, by a chap called Owen O'Connor. Tools like MrMAPI and MFCMAPI were demonstrated/discussed.

The short version of the talk was that if you're just getting the OST/PST file then you are missing a huge amount of potentially useful & relevant stuff.

I've just done a quick Google search and found this, which may be of interest

https://www.sans.org/summit-archives/file/summit-archive-1492187159.pdf

Hope this helps,

Ben

 
Posted : 06/10/2017 7:33 am
(@paulo111)
Posts: 36
Eminent Member
Topic starter
 

Thanks everyone for the pointers.

 
Posted : 06/10/2017 8:21 am
gungora
(@gungora)
Posts: 33
Eminent Member
 

There was an excellent presentation at F3 at their 2015 conference about investigating Exchange, by a chap called Owen O'Connor. Tools like MrMAPI and MFCMAPI were demonstrated/discussed.

The short version of the talk was that if you're just getting the OST/PST file then you are missing a huge amount of potentially useful & relevant stuff.

I've just done a quick Google search and found this, which may be of interest

https://www.sans.org/summit-archives/file/summit-archive-1492187159.pdf

Hope this helps,

Ben

That is a great point. If a mailbox is being preserved for the purposes of review and production of the contents of the emails, a PowerShell export or EWS download might suffice. On the other hand, investigation of the Exchange Server for incident response warrants a deeper dive.

As the author of the presentation also states, while Griffin's MFCMAPI is a great tool (I would also recommend "Inside MAPI" by De La Cruz & Thaler as a great reference if you can find it) it is not designed as a forensics tool. I would tread carefully as a user error can result in significant changes to the target mailbox.

 
Posted : 06/10/2017 6:37 pm