±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 36006
New Yesterday: 0 Visitors: 110

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Large-Scale Exchange Mailbox Collections

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Page 1, 2  Next 
  

fasita
Newbie
 

Large-Scale Exchange Mailbox Collections

Post Posted: Apr 14, 15 20:00

Hello,

Looking for some thoughts from anyone who may have addressed this before. I'm working on a POC for a large corporation that uses Exchange and has about 70,000 mailboxes, probably across multiple Exchange servers.

We would be requested to export various mailboxes on a per-matter basis for preservation and possible production. What is the most efficient way to do this? I read elsewhere that mounting the .edb files locally using F-Response and then parsing/exporting with NEMX has worked in the past. Anyone have success going this route? Or have other suggestions as to how to accomplish this? Thanks!  
 
  

nightworker
Senior Member
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 14, 15 20:03

i used paraben network email examiner to do this before it is so good
or you can use mairix to index and export in linux  
 
  

dacorr
Newbie
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 14, 15 20:24

This depends on money available and how mailboxes are set up including the wider exchange estate, for example what is the retention and does it archive to a third party solution.

If this is part of a disclosure (ediscovery) exercise and the request is targeting specific mailboxes I have encountered multiple issues in the past with this in that Exchange is not the best solution for indexing mailbox data and was prone to missing things. Exchange had an ediscovery module attachment that allowed a clone of the mailbox to be utilised but was still poor at indexing.

Also if a solution was present to archive specific mailboxes this would generate duplicates or STUBS pointing to the archived location which made review problematic as they all had to be connected togeather again.

You would also need to identify what the dumpster retention is also and the tool will need to pull dumpter data for each mailbox.

I have also found that if active directory was in use and an account deleted it may not have actually deleted the mailbox object so mail was present for deleted AD accounts.

You can use mailmerge to export mailboxes but depending on the organisation if the user has moved countries supported by different exchange servers there maybe multiple mailboxes in existance and you would need to check each one which can be problematic if permisisons are different on each server. Also while using mailmerge to export to PST can cause the file to become corrupt or not every item could be exported due to forms or the source email was encrypted.

Unless you utilised somthing like Accessdata end to end and had agents you may need to use powershell and a service account that had exchange admin rights. I should point out that the above may not be suitable for court and it would take a script or the use of the ediscovery module to allow these type of requests to be completed more efficiently. I should also highlight that as many users operate a mailbox as a document store some of these exports may be huge and there may not be enough free space on the server to export them.

Dac  
 
  

paraben
Member
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 14, 15 21:29

Since you already have NEMX, you may want to look into CyFIR. This is Paraben's former network forensic tool so it's fully compatible with NEMX and you can perform live examinations, exporting, etc. of Exchange files.
_________________
Paraben Corporation 
 
  

eyez0n
Member
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 15, 15 00:53

DISCLAIMER: I work for Nuix.

Nuix easily handles .edb's and allows an examiner to "pre-filter" .edb's and only select those mailboxes, folders, and/or email messages he/she wishes to ingest and process.

In the video below, the pre-filter pane is shown but all mailboxes were selected for that demo. The user has the opportunity to change that default behavior with a simple click of the mouse and only select those items of interest. This is a great way to conduct targeted ingestion of data.

[video width=250 height=200]https://www.youtube.com/watch?v=5dQVtzgSrpM[/video]  
 
  

shep47
Senior Member
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 17, 15 00:09

Disclaimer: I work for Kroll Ontrack

Kroll Ontrack Power Controls handles EDBs and you can export to PST.

As well as having a GUI, Power Controls has full scripting capability so multiple tasks can be set up and run. For instance, with a little scripting knowledge (included in the manual) you can trawl multiple EDBs and recover single/multiple custodians PSTs to a location of your choice.

I have used this to search over 20TB of backup EDB's with over 1.5m mailboxes and extract the selected custodians to individual PSTs.

www.krollontrack.co.uk...rcontrols/

Some of the capabilities are detailed in these videos:

www.krollontrack.co.uk...index.html

If you would like to know more about the scripting please PM me.

Regards  
 
  

Adam10541
Senior Member
 

Re: Large-Scale Exchange Mailbox Collections

Post Posted: Apr 17, 15 05:46

If you are going to work with the EDB directly then you need to figure out if you are going to do it live or static.

Depending on how the network is setup you may be able to work with archive/backup versions of the EDB (nightly, hourly backups depending on their setup) then you don't have to worry about working with a dirty EDB. My experience is that plenty of tools claim they can work with an active EDB, but the reality is most can't despite their claims.

If you have a static EDB then any of the aforementioned tools will work, my preference is Systools Exchange Recovery, not because it's the best but because it's simple and it works, allowing me to extract out PST archives for each individual user then I can work with them in my email tool of choice.  
 

Page 1 of 2
Page 1, 2  Next