Working with mounted EDB archives


Adam10541
Senior Member
 

Working with mounted EDB archives

Posted: Apr 04, 13 08:08

I'm just wondering if anyone here has recent experience working on a mounted EDB archive?

I have had a couple of jobs in the past working on Exchange servers but I've been able to unmount the EDB then use Systools exchange recovery to pull out the mail boxes I need, or use Exmerge in some cases.

I have a couple jobs that look likely in the not too distant future and I strongly suspect they will be on newer Exchange versions and unmounting the EDB may not be an option (although I will push for this as the fastest and best solution).

Any thoughts on ways to extract mailboxes from a mounted EDB archive?  
 
  

chrism
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 04, 13 17:22

I believe you have two options:

- Take an image of the exchange database live (not shut-down) and apply the transaction logs post-acquisition to bring the 'dirty' database back into a clean status - you can use the 'eseutil' command for this. Make sure you image both the database files (.edb) and the transaction logs; they are usually located on two different disks for performance reasons. You can then parse the database using X-Ways, FTK or my favourite "Kernel for Exchange Server". Kernel will even parse dirty .edb databases.

- Take the data live. I've used the "Export-Mailbox" cmdlet in the Exchange Management Shell before with good results. You can get more information in regards to this approach here:
technet.microsoft.com/...g.80).aspx

Watch out in regards to Exchange 2010, I believe they have significantly changed the file structure of the .edb database with this release so all of the forensics tools are now starting to catch up. I believe the latest Paraben's Network Email Examiner tool and the latest X-Ways support the new format.

Although there are other approaches these are the two I've done before in the past.  
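The first option above (image the .edb and its logs live, then replay the logs with eseutil afterwards), as an added example that is not chrism's own script or a Microsoft sample: a PowerShell wrapper around eseutil that records the database header state and a SHA-256 before and after the replay, so the change the replay makes to the working copy is documented. The case folder, file names and the presence of eseutil.exe on PATH are assumptions. It must only ever be run against a working copy taken from the image, never against the acquired evidence, because `/r` writes to the .edb and the log set.

```powershell
# Added example, not from the thread: replay transaction logs into a WORKING COPY of an
# imaged Exchange database until its header reports "Clean Shutdown", recording hashes
# and header state before and after. All paths are hypothetical. eseutil.exe ships in
# the Exchange bin folder and is assumed to be on PATH here.
# Never point this at the evidence image itself: /r writes to the .edb and the log set.

$Work   = 'D:\Case1234\Working'                       # copy of the .edb and logs from the image
$Db     = Join-Path $Work 'DB\Mailbox Database.edb'
$LogDir = Join-Path $Work 'Logs'
$Notes  = Join-Path $Work 'eseutil-notes.txt'         # contemporaneous record of what was done

function Get-Sha256 ([string] $Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

function Get-EdbHeader ([string] $Path) {
    # 'eseutil /mh' dumps the header without modifying the file. The two lines that
    # matter forensically are 'State:' (Dirty/Clean Shutdown) and 'Log Required:'.
    $hdr = & eseutil /mh $Path
    if ($LASTEXITCODE -ne 0) { throw "eseutil /mh failed with exit code $LASTEXITCODE" }
    $state = ($hdr | Select-String '^\s*State:\s*(.+)$').Matches[0].Groups[1].Value.Trim()
    $req   = $hdr | Select-String '^\s*Log Required:\s*(.+)$'
    New-Object PSObject -Property @{
        State       = $state
        LogRequired = $(if ($req) { $req.Matches[0].Groups[1].Value.Trim() } else { 'none' })
    }
}

function Write-Note ([string] $Text) {
    $line = "$(Get-Date -Format s)  $Text"
    Add-Content -Path $Notes -Value $line
    Write-Host $line
}

$before = Get-EdbHeader $Db
Write-Note "SHA256 before replay: $(Get-Sha256 $Db)"
Write-Note "Header before replay: State='$($before.State)' LogRequired='$($before.LogRequired)'"

if ($before.State -ne 'Clean Shutdown') {
    # Log files are named <prefix><hex sequence>.log, e.g. E0000000A1B.log. The three-character
    # prefix is the log base name /r expects; each storage group (2007) or database (2010)
    # has its own, so read it from the copied log set rather than assuming E00.
    $first = Get-ChildItem $LogDir -Filter '*.log' | Sort-Object Name | Select-Object -First 1
    if (-not $first) { throw "No transaction logs in $LogDir; the range in 'Log Required' is needed for replay" }
    $prefix = $first.BaseName.Substring(0, 3)
    Write-Note "Running soft recovery with log prefix $prefix"

    # /r  soft recovery (replay logs)   /l  log folder   /d  folder holding the .edb
    # /i  ignore mismatched database attachment info (the copy lives at a different path
    #     from the one recorded in the logs). No /s, so a stale checkpoint file is ignored
    #     and replay starts from the first log present.
    & eseutil /r $prefix /l $LogDir /d (Split-Path $Db -Parent) /i
    if ($LASTEXITCODE -ne 0) {
        throw "Soft recovery failed (exit code $LASTEXITCODE). Do not escalate to 'eseutil /p' without recording that a hard repair discards data."
    }
}

$after = Get-EdbHeader $Db
Write-Note "SHA256 after replay:  $(Get-Sha256 $Db)"
Write-Note "Header after replay:  State='$($after.State)' LogRequired='$($after.LogRequired)'"
if ($after.State -ne 'Clean Shutdown') { throw "Database still reports '$($after.State)'; check that the full 'Log Required' range was imaged" }
```

The hash of the working copy before replay should match the hash of the .edb inside the image; the hash after replay will differ, and the notes file is what ties the two together when the parsed output is later questioned.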
 
  

Adam10541
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 05, 13 05:28

Thanks chrism, just looking at the Technet article you linked to, but it seems to suggest that this command only exports from one mailbox to another rather than exporting the selected mailboxes directly to a .PST (although in the section referring to dumpster files it does allude to a .PST). Have you used this method to export mailboxes directly to .PST?

With regards to imaging the dirty EDB, I have Systools Exchange Recovery which I believe will parse the EDB in that state as well (not tested yet); I may see if my IT guy will let me test on our server first. There may also be privacy concerns with me imaging the entire EDB archive, but I can probably talk them around if I need to.
 
  

chrism
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 05, 13 16:16

Hi Adam,

I've used the cmdlet to export to a PST. You can see some examples here:
technet.microsoft.com/...35123.aspx

One of the examples is:

Code:
Export-Mailbox -Identity john@contoso.com -PSTFolderPath C:\PSTFiles\john.pst

You can also use it to filter on date ranges and to conduct keyword searches on-the-fly (have not tested this function yet) by using:

Code:
Export-Mailbox -Identity john@contoso.com -PSTFolderPath D:\PSTs -StartDate 1/1/07 -EndDate 12/1/07 -SubjectKeywords:'review' -ContentKeywords:'project','alpha'
 

Last edited by chrism on Apr 09, 13 15:09; edited 2 times in total
 
  

Adam10541
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 09, 13 05:37

Thanks chrism that's precisely what I needed.

I think I'd rather just export the mbox to PST, then let forensic tools do the keyword searches; I have more confidence in them than MS for that process.
 
  

chrism
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 09, 13 15:10

I would do the same thing! It would be quite interesting to do a like-for-like comparison to see what method is more effective.  
 
  

isth
Senior Member
 

Re: Working with mounted EDB archives

Posted: Apr 09, 13 21:20

Be sure that the account you're using to run the exchange cmdlet has administrative access to the share you are exporting the PSTs to, else it won't work.  
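The export route from chrism's second post, together with isth's note about access to the destination share, as an added example that is code from neither poster: a PowerShell script for the Exchange Management Shell that picks the cmdlet by server version, checks the permission prerequisite that applies to that version before touching any mailbox, exports a date-bounded PST per mailbox and hashes each result. Export-Mailbox is the Exchange 2007 SP1 cmdlet shown in the thread; Exchange 2010 SP1 removed it in favour of New-MailboxExportRequest, which hands the work to the Mailbox Replication Service, so the share must grant the Exchange Trusted Subsystem group rather than the investigator's own account. The mailbox list, date window, share path and case name are constructed.

```powershell
# Added example, not from the thread. Run inside the Exchange Management Shell. The
# mailbox list, date window, share and case name are constructed; the cmdlets and
# parameters are the real ones for the version each branch targets.
$Mailboxes = @('john@contoso.com', 'jane@contoso.com')
$Start     = Get-Date '2013-01-01'
$End       = Get-Date '2013-04-01'                    # exclusive upper bound
$ShareRoot = '\\FORENSICS01\Exports\Case1234'         # hypothetical; 2010+ requires a UNC path
$Case      = 'Case1234'

function Get-Sha256 ([string] $Path) {
    $fs = [IO.File]::OpenRead($Path)
    try { ([BitConverter]::ToString([Security.Cryptography.SHA256]::Create().ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# Pick the cmdlet by the version of the server holding the first target mailbox:
# Exchange 2007 reports major version 8, Exchange 2010 reports 14.
$server = (Get-Mailbox -Identity $Mailboxes[0]).ServerName
$major  = (Get-ExchangeServer -Identity $server).AdminDisplayVersion.Major

if ($major -ge 14) {
    # The export is performed by the Mailbox Replication Service, so (isth's point, 2010 style)
    # the share must grant 'Exchange Trusted Subsystem' read/write, not just the admin's account.
    $acl = Get-Acl -Path $ShareRoot
    if (-not ($acl.Access | Where-Object { $_.IdentityReference.Value -like '*\Exchange Trusted Subsystem' })) {
        throw "$ShareRoot does not grant Exchange Trusted Subsystem; fix the NTFS and share ACLs first"
    }
    # 'Mailbox Import Export' is assigned to nobody by default, not even Organization Management,
    # and a new assignment only takes effect in a fresh shell session.
    $me = "$env:USERDOMAIN\$env:USERNAME"
    if (-not (Get-ManagementRoleAssignment -Role 'Mailbox Import Export' -RoleAssignee $me -ErrorAction SilentlyContinue)) {
        throw "Run: New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $me ; then reopen the shell"
    }
    # OPATH filter on the received date; the server parses the date in the shell's culture.
    $filter = "(Received -ge '$($Start.ToString('MM/dd/yyyy'))') -and (Received -lt '$($End.ToString('MM/dd/yyyy'))')"

    foreach ($m in $Mailboxes) {
        $safe = $m -replace '[^\w.-]', '_'
        $pst  = Join-Path $ShareRoot "$safe.pst"
        $req  = New-MailboxExportRequest -Mailbox $m -FilePath $pst -ContentFilter $filter -Name "$Case-$safe" -BadItemLimit 50
        do {
            Start-Sleep -Seconds 30
            $status = (Get-MailboxExportRequest -Identity $req.Identity).Status.ToString()
        } while ($status -ne 'Completed' -and $status -ne 'Failed')
        $stats = Get-MailboxExportRequestStatistics -Identity $req.Identity
        "$m : $status, $($stats.ItemsTransferred) items, $($stats.BytesTransferred)"
        if ($status -eq 'Completed') { "$m : SHA256 $(Get-Sha256 $pst)" }
    }
} else {
    # Exchange 2007 SP1: Export-Mailbox writes the PST from the account running the shell, which
    # needs Exchange Server Administrator rights, local admin on the mailbox server, the 32-bit
    # management tools plus Outlook 2003 SP2 or later on this machine, and write access to $ShareRoot.
    foreach ($m in $Mailboxes) {
        $safe = $m -replace '[^\w.-]', '_'
        $pst  = Join-Path $ShareRoot "$safe.pst"
        Export-Mailbox -Identity $m -PSTFolderPath $pst -StartDate $Start -EndDate $End -Confirm:$false
        "$m : SHA256 $(Get-Sha256 $pst)"
    }
}
```

Keyword filtering is deliberately left out of both branches, in line with Adam's preference above: the export is bounded by date only, and the keyword searching is left to the forensic tool that later parses the PST, so the export itself stays reproducible.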
 
