MS Exchange Forensics: Investigating Email Retention and Discovery 

May 27

With over a trillion messages sent per year, it’s fair to say that email is big business. It’s the crutch companies use to hold up communications between clients, partners, employees, and others in the network. In today’s digital world, those emails are more than marketing messages and offers – their contents may very well be considered evidence in a court of law.

Email servers and clients are often chock full of databases that contain messages, contacts, calendars, and metadata in various forms. Just about every organization has standards or rules to abide by, so there may come a day when your pool of Exchange mailboxes needs to be combed in order to satisfy a legal request. In this case, your company must channel its inner CSI Miami and adopt a forensics mindset to drive the discovery efforts.

Whereas Horatio and the CSI gang surfed the streets of Miami in an attempt to solve complex crimes, Exchange forensics revolves around exploring everyone’s favorite enterprise email server for digital evidence. It’s often an extremely detailed process that entails searching through countless messages and converting them into PST files that can be examined by the appropriate parties. eDiscovery specialists and IT security experts in fields from law enforcement to the financial sector are tasked with this tedious process, which routinely involves sifting through hundreds of gigabytes of data.

Forensic-friendliness in Exchange

Microsoft catches a lot of flak for a lot of things, but a track record of developing useful and user-friendly software speaks for itself. Exchange boasts quite a few features designed to assist companies in playing the role of digital detectives. There are retention tags that preserve mailbox items for a certain period of time, in addition to discovery capabilities that let you pry deep into the server to retrieve specific items. Features such as these are a huge part of what makes Exchange so awesome, but even this baked-in goodness can come up short during the investigative process.
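The retention and discovery features mentioned above are driven from the Exchange Management Shell. The following is an added example, not code from the original post or from StorageCraft, showing how an administrator would pin down a retention policy, place a mailbox on litigation hold so items survive user deletion, run an in-place discovery search, and export the results to a PST for the legal team. The mailbox name, tag and policy names, search query, case name, and UNC export path are placeholders; the cmdlets themselves are standard Exchange 2013 (and later) cmdlets, and the export step requires the Mailbox Import Export management role.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# with an account holding the Discovery Management and Mailbox Import Export roles.

# --- 1. Retention: keep everything for seven years before anything is removed ---
# Placeholder names: "Keep-7-Years" (tag) and "Litigation-Ready" (policy).
New-RetentionPolicyTag -Name "Keep-7-Years" `
    -Type All `
    -AgeLimitForRetention 2555 `
    -RetentionAction DeleteAndAllowRecovery

New-RetentionPolicy -Name "Litigation-Ready" `
    -RetentionPolicyTagLinks "Keep-7-Years"

# Placeholder mailbox: custodian@example.com
Set-Mailbox -Identity "custodian@example.com" -RetentionPolicy "Litigation-Ready"

# --- 2. Hold: a retention tag alone does not stop a user (or an admin mistake)
#        from emptying Deleted Items; litigation hold keeps purged items recoverable.
Set-Mailbox -Identity "custodian@example.com" `
    -LitigationHoldEnabled $true `
    -LitigationHoldDuration 2555

# --- 3. Discovery: an in-place search scoped to the custodian and a keyword query ---
# Placeholder case name "Case-0001"; results are copied to the built-in
# Discovery Search Mailbox so the custodian's mailbox is never modified.
New-MailboxSearch -Name "Case-0001" `
    -SourceMailboxes "custodian@example.com" `
    -SearchQuery 'subject:"contract" AND sent>=2013-01-01' `
    -TargetMailbox "Discovery Search Mailbox" `
    -LogLevel Full

Start-MailboxSearch -Identity "Case-0001"

# Poll until the copy finishes; Status reports InProgress, then Succeeded or Failed.
Get-MailboxSearch -Identity "Case-0001" | Format-List Name, Status, ResultNumber, ResultSize

# --- 4. Hand-off: export the discovery mailbox to a PST for the legal team ---
# Placeholder UNC path; the Exchange Trusted Subsystem group needs write access to it.
New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" `
    -FilePath "\\fileserver\ediscovery\Case-0001.pst" `
    -Name "Case-0001-Export"

Get-MailboxExportRequest -Name "Case-0001-Export" | Get-MailboxExportRequestStatistics
```

The order matters: the hold goes on before the search runs, so nothing the search later turns up can be purged while the case is open. Exporting from the Discovery Search Mailbox rather than from the custodian's own mailbox also preserves the original data, which is the state a reviewer will want to see on the PST.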

In the case of Exchange forensics, human intervention and bad luck can make discovering evidence extremely difficult. Examples: A user’s inbox and deleted messages suddenly vanish because an administrator failed to retain them for the appropriate length of time. A wicked storm sweeps through, knocking your server offline and corrupting multiple databases in the process. These are two realistic scenarios that can circumvent Exchange’s useful features and put you in a bind when it comes time to produce for litigation purposes.

A Sound Backup Plan

Whether you operate in the medical field or the retail business, and whether you have hundreds or thousands of mailboxes, how well your plan is executed will determine how smoothly your Exchange forensic efforts go. In addition to creating policies that dictate how mailbox items will be stored and discovered, it’s critical to devise a backup and disaster recovery strategy that goes beyond the safeguards baked into the mail server. You could say it’s a twofold problem that, fortunately, has a twofold solution in a pair of proven tools.

ShadowProtect Server has the first part covered with bulletproof data protection for your Exchange system. The software makes backup copies of your entire messaging server, files, services, and configuration settings included, which you can keep locally, online in the cloud, or in both spots. Storage location aside, the goal is making sure you have those emails, contacts, appointments, and other data when regulatory compliance comes calling. ShadowProtect Server also covers the recovery of your Exchange servers. As you may have guessed, this product takes those backups, which have been neatly packaged in a lean image file, and quickly restores them to get your operation back up and running.

Next is the recovery element, a task that is perfectly suited for a tool like ShadowProtect Granular Recovery for Exchange (GRE). When you face the task of locating small items in large Exchange databases (which are not as straightforward as one would hope), GRE offers granular goodness, so you can search and recover entire mailboxes, folders, or the individual email messages you’re looking for in your forensic search. Recover individual or bulk items to a live Exchange server, or export to a separate PST file, the latter of which may be ideal in the evaluation process you’re trying to accommodate.

Exchange interfaces with a broad range of media, meaning your forensic activities could have you scanning a wide variety of nooks and crannies. You might have to probe desktops, servers, smartphones, tablets, tapes, and other storage containers in search of potential evidence. Prepare, strap up with the right tools, and these investigative efforts can help track down deleted emails, contacts, notes, and other vital information needed to satisfy whatever legal situations come your way.

Photo Credit: Seth Anderson via Flickr