![](https://static.wixstatic.com/media/5fb032_10f8c01ab19f4daab3a1199281b4d5f5~mv2.jpg/v1/fill/w_980,h_980,al_c,q_85,usm_0.66_1.00_0.01,enc_auto/5fb032_10f8c01ab19f4daab3a1199281b4d5f5~mv2.jpg)
Every email you send passes through an email server at some point. The key question is whether the email still lives on the server or has been moved to local storage on a device like a workstation.
In many business environments, email systems use a mix of both—recent emails are usually accessible through the company’s email server, while older messages are often archived locally on workstations or synchronized for offline use.
---------------------------------------------------------------------------------------------------------
Cloud vs. On-Premises Mail Servers
In recent years, many organizations have shifted from traditional on-premises email servers to cloud-based solutions or Software as a Service (SaaS) platforms like Microsoft 365 and Google Workspace. This transition has brought both advantages and challenges for evidence collection. With less direct control over physical infrastructure, organizations must rely on the tools provided by these platforms to search, preserve, and extract email and related server logs.
Despite these changes, the goal remains the same: investigators need efficient ways to identify, extract, and analyze relevant emails and logs.
---------------------------------------------------------------------------------------------------------
Techniques for Evidence Acquisition from Email Servers
Export Individual Mailboxes
This involves directly exporting mailboxes for the accounts in question.
Vendor-Specific Tools
Email platforms like Microsoft 365 and Google Workspace often come with built-in tools to help search, filter, and extract emails.
Third-Party Tools and APIs
Specialized third-party tools often leverage APIs (Application Programming Interfaces) to access email systems and server logs.
Interestingly, APIs can sometimes yield more detailed or complete results compared to vendor-provided graphical tools.
---------------------------------------------------------------------------------------------------------
The Recoverable Items Folder: A Goldmine for Investigations
Modern email systems like Microsoft Exchange and Microsoft 365 include a feature called the Recoverable Items folder. This folder ensures that emails, even those deleted by users, aren’t immediately lost. Instead, emails go through several stages before being permanently purged:
Deletions: When users delete emails (even with <Shift> + <Delete>), the messages move to this subfolder.
Purges: Once the retention period (14 days by default) expires, emails are moved here temporarily before being permanently deleted.
DiscoveryHold: Emails under a legal or eDiscovery hold are preserved indefinitely.
Versions: If an email is modified while on hold, the system creates a snapshot of the original version using a “copy-on-write” method. This ensures the integrity of evidence.
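Before exporting, it helps to see what actually sits in a mailbox's Recoverable Items tree and which retention and hold settings govern it. The following is an added example, not code from the original post; it runs from the Exchange Management Shell on Exchange 2010 or later (InPlaceHolds is only populated on 2013 and newer), and the mailbox identity is an assumed placeholder.

```powershell
# Added example (not from the original post): inspect a mailbox's Recoverable
# Items subfolders and the settings that decide how long they are retained.
$Mailbox = "akash_patel"   # assumed identity; replace with the account in scope

# Retention window and hold flags. RetainDeletedItemsFor is the 14-day default
# the article refers to; a litigation or in-place hold keeps items past it.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, RetainDeletedItemsFor, SingleItemRecoveryEnabled,
                  LitigationHoldEnabled, LitigationHoldDate, InPlaceHolds |
    Format-List

# Item counts and sizes for the Deletions, Purges, Versions and hold
# subfolders. -FolderScope RecoverableItems restricts the listing to the
# hidden Recoverable Items subtree, which normal folder listings omit.
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, FolderPath, ItemsInFolder, FolderSize |
    Format-Table -AutoSize
```

Record this output in the case notes before the export: a non-zero count in Purges with no hold enabled tells you the evidence window is closing, and the hold flags explain why Versions may contain more than one copy of the same message.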
---------------------------------------------------------------------------------------------------------
Leveraging PowerShell for Exchange Server Investigations
If you’re working with an on-premises Exchange Server, PowerShell is your best friend. It offers powerful tools to search, filter, and export data directly from the server without disrupting operations.
Here are some common PowerShell commands for email investigations:
Commands for Exchange 2010 SP1 and Above:
New-MailboxImportRequest: Used to import mailbox data.
New-MailboxExportRequest: Used to export mailbox data.
Example Syntax:
New-MailboxExportRequest -Mailbox akash_patel -FilePath \\Server\Folder\akash_patel.pst
Export with Date Range and Advanced Filtering:
New-MailboxExportRequest -Mailbox akash_patel -ContentFilter {(body -like "*Welcome*") -and (Received -gt "01/01/2024" -and Received -lt "03/01/2024")} -FilePath \\Server\Folder\akash_AdvancedFiltered.pst
Export Multiple Mailboxes:
Get-Mailbox -ResultSize Unlimited | Where-Object {$_.RecipientTypeDetails -eq "UserMailbox"} | ForEach-Object { New-MailboxExportRequest -Mailbox $_.Alias -FilePath "\\Server\Folder\$($_.Alias).pst" }   # one PST per mailbox, so exports do not collide in a single file
Folder-Scoped Export (the Inbox of the user's archive mailbox; -IsArchive targets the archive rather than the primary mailbox):
New-MailboxExportRequest -Mailbox akash_patel -IncludeFolders "#Inbox#" -FilePath \\Server\Folder\Akash_Incremental.pst -IsArchive
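The commands above are the individual steps of one evidence-export procedure. The following is an added example that strings them together end to end, not code from the original post; it assumes Exchange 2010 SP1 or later, an examiner account named akash_admin, a UNC share that the Exchange Trusted Subsystem group can write to, and PowerShell 4.0 or later for Get-FileHash (use certutil -hashfile on older hosts).

```powershell
# Added example (not from the original post): end-to-end mailbox export with
# New-MailboxExportRequest, with role check, progress polling and hashing.
$Mailbox  = "akash_patel"                      # assumed identity
$Share    = "\\Server\Folder"                  # assumed UNC share; Exchange Trusted Subsystem needs write access
$Examiner = "akash_admin"                      # assumed examiner account
$PstPath  = "$Share\$Mailbox-$(Get-Date -Format yyyyMMdd).pst"

# The export cmdlets stay hidden until the account holds the
# Mailbox Import Export role, so grant it once if it is missing.
if (-not (Get-ManagementRoleAssignment -RoleAssignee $Examiner -Role "Mailbox Import Export")) {
    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User $Examiner
}

# Queue the export. The ContentFilter limits it to the period under
# investigation. -ExcludeDumpster is deliberately NOT used, so the
# Recoverable Items folder is included in the PST.
$Request = New-MailboxExportRequest -Mailbox $Mailbox `
    -ContentFilter {(Received -ge "01/01/2024") -and (Received -lt "03/01/2024")} `
    -FilePath $PstPath -Name "Case-0001-$Mailbox" -BadItemLimit 0

# Export requests run asynchronously on the Mailbox Replication Service;
# poll until the request reaches a terminal state.
$Terminal = @("Completed", "CompletedWithWarning", "Failed")
do {
    Start-Sleep -Seconds 30
    $Stats = Get-MailboxExportRequestStatistics -Identity $Request.Identity
    Write-Host ("{0}: {1} ({2}% complete)" -f $Mailbox, $Stats.Status, $Stats.PercentComplete)
} while ($Terminal -notcontains "$($Stats.Status)")

# Hash the PST immediately, before any tool opens it, and store the hash
# beside it for the chain-of-custody record.
if ("$($Stats.Status)" -ne "Failed") {
    Get-FileHash -Path $PstPath -Algorithm SHA256 |
        Select-Object Algorithm, Hash, Path |
        Export-Csv -Path "$Share\$Mailbox-hash.csv" -NoTypeInformation
}

# Keep the server's own report (item counts, bad items, timings) for the case
# file, then clear the finished request from the queue.
Get-MailboxExportRequestStatistics -Identity $Request.Identity -IncludeReport |
    Select-Object -ExpandProperty Report |
    Out-File -FilePath "$Share\$Mailbox-export-report.txt"
Remove-MailboxExportRequest -Identity $Request.Identity -Confirm:$false
```

-BadItemLimit 0 makes the request fail rather than silently skip corrupt items; raise it only after noting in the report which items were dropped, since a skipped message is a gap in the evidence.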
Exchange Server 2007
Exchange 2007 uses similar but slightly different PowerShell-based commands for mailbox exports. These commands require the Exchange Management Tools to be installed and loaded as a snap-in in PowerShell.
Example Commands:
Export-Mailbox -Identity akash@gmail.com -PSTFolderPath C:\akash.pst
Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath C:\PST
Export with Date Range:
Export-Mailbox -Identity akash@gmail.com -StartDate "01/01/2022" -EndDate "03/01/2022" -PSTFolderPath C:\akash_DateFiltered.pst
Export to Network Location:
Get-Mailbox -Database 'Corporate' | Export-Mailbox -PSTFolderPath \\Network\Share\Corporate.pst
Export Specific Folder:
Export-Mailbox -Identity akash@gmail.com -IncludeFolders "\Sent Items" -PSTFolderPath C:\akash_SentItems.pst
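On Exchange 2007 the same procedure looks different in two ways: the snap-in must be loaded by hand in a plain PowerShell console, and Export-Mailbox runs synchronously with keyword parameters in place of a content filter. The following is an added example, not code from the original post; it assumes Exchange 2007 SP1, a 32-bit workstation with the Exchange Management Tools and Outlook installed (a requirement for PST export on that version), PowerShell 2.0 (hence certutil rather than Get-FileHash), and placeholder paths and keywords.

```powershell
# Added example (not from the original post): Exchange 2007 SP1 filtered
# export with Export-Mailbox from a plain PowerShell console.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

$Mailbox = "akash@gmail.com"                     # identity from the article
$Out     = "C:\PST"                              # assumed output folder
New-Item -ItemType Directory -Path $Out -Force | Out-Null
$Pst     = "$Out\$($Mailbox.Split('@')[0])_Filtered.pst"

# Export-Mailbox blocks until the export finishes. Date and keyword
# parameters take the place of -ContentFilter on Exchange 2010 and later;
# the keywords below are constructed placeholders for the case.
Export-Mailbox -Identity $Mailbox `
    -StartDate "01/01/2022" -EndDate "03/01/2022" `
    -SubjectKeywords "invoice", "payment" `
    -PSTFolderPath $Pst `
    -BadItemLimit 0 -Confirm:$false

# PowerShell 2.0 has no Get-FileHash; certutil produces the SHA-256 for the
# chain-of-custody record instead.
certutil -hashfile $Pst SHA256 | Out-File -FilePath "$Out\hash.txt"
```

When piping several mailboxes from Get-Mailbox, pass a folder (not a file) to -PSTFolderPath; Export-Mailbox then writes one PST per mailbox into it, which keeps each account's evidence in its own file.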
Exchange Server 2003, 2000, and 5.5
For older versions of Exchange, the primary tool for exporting mailbox data is ExMerge. While it lacks some of the advanced features of newer tools, ExMerge is capable of exporting individual user mailboxes to .PST files.
Limitation of ExMerge:
2 GB PST Size Limit: This can be problematic for large mailboxes.
Example command:
ExMerge -B -F C:\userlist.txt -D C:\PST\ -S ExchangeServerName
Conclusion
PowerShell Cmdlets: Offer a flexible and powerful way to export mailbox data with advanced filtering options. Suitable for Exchange 2010 and above.
ExMerge: Useful for older versions of Exchange but has a 2 GB PST size limitation.
When choosing a method for extracting email data from Exchange servers, consider the version of Exchange, the size of mailboxes, required features, and compatibility with other tools or processes. Always ensure that the chosen method aligns with forensic best practices to maintain data integrity and admissibility in legal proceedings.
---------------------------------------------------------------------------------------------------------
Best Practices for Email Evidence Collection
Understand Your Tools
Collaborate with Administrators
Test Before You Rely
Plan for Legacy Systems
---------------------------------------------------------------------------------------------------------
Wrapping Up
Modern email forensics is all about flexibility. Whether you’re using built-in vendor tools, APIs, or third-party solutions, preparation is key. Knowing how to navigate recoverable items, export mailboxes, and use filtering tools can make or break an investigation.
By combining a clear understanding of email server technology with effective tools and techniques, you’ll be well-equipped to gather and analyze evidence in today’s complex email landscape.
------------------------------------------Dean------------------------------------------------------