In this article we look at the key concepts of MS Exchange forensic analysis and at how it is performed on in-house mail servers and related infrastructure.
With the increasing importance of email as the primary medium of official communication, the threats to email security have also increased. All companies take steps to ensure the safety of their email accounts and mailboxes, yet some of them still fall short. This is probably because the techniques used by hackers keep advancing, and Exchange Forensic Analysis is used to find out whether the culprit was someone within the organization.
Exchange Forensic Analysis
Exchange Forensic Analysis is done by forensic experts, not by laymen. In case of a leak or any other damage, the analysis is first performed on the Exchange system within the organization, and moves on to the clients only if nothing useful comes out of that analysis. The main purpose of a forensic analysis is to find the culprit and have them punished in a court of law. Often an Exchange Forensic Analysis is used to prove the innocence of business owners and the guilt of the culprits, so one should be very careful with the investigation and its results, as they can easily be manipulated by the culprits.
Key Concepts of Exchange Forensic Analysis
It can simply be described as an investigative process, but it entails several other crucial operations and functions which form its key components and are described below.
Extracting and Identifying Data: If a crime has been committed, the accounts were used for purposes beyond exchanging emails. You will therefore first have to identify everything the server is used for in the organization, which involves investigating the databases, calendars and other items in the mailboxes. Once the malicious data has been identified, it has to be extracted and reported for further action.
Analyzing the Exchange System: This is precisely what we have been talking about so far, but here we go into the details of how it is actually done. You no longer have to shut servers down to subject your Exchange system to analysis and avoid data loss: today we have access to advanced tools that can perform the analysis on active servers and minimize data loss.
To preserve your emails, Exchange Forensic Analysis makes use of different approaches:
- The first approach involves exporting duplicate mailboxes from the server with the help of MS Outlook, the Exchange Management Shell or a third-party tool.
- Obtaining a copy of the entire database from a properly made full backup of the Exchange Server database. If a recovery action needs to be performed, forensic experts would call in an OST recovery tool.
- Taking the Exchange databases offline temporarily for the purpose of creating a copy.
- Using specialized software to access the Exchange Server live over the network and create copies of individual mailboxes or the entire database file.
None of these approaches is foolproof; each has its share of advantages and disadvantages.
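As an added example (not code from the original article), the first approach above carried out from the Exchange Management Shell: the mailbox is exported to a PST with New-MailboxExportRequest, the request is polled until it finishes, and a SHA-256 hash of the resulting PST is written to a manifest so the copy can later be shown to be unchanged. The mailbox identity, the share path and the manifest location are placeholders, and the account running the script is assumed to hold the Mailbox Import Export management role.

```powershell
# Added example, not from the original article. Runs in the Exchange Management
# Shell (Exchange 2010 SP1 or later). All values below are placeholders.
$Mailbox   = "jane.doe@example.com"          # placeholder: mailbox to preserve
$ExportDir = "\\FILESERVER\Forensics$"       # placeholder: UNC share the Exchange server can write to
$Manifest  = Join-Path $ExportDir "manifest.txt"

$Stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$Name    = "forensic-$Stamp"
$PstPath = Join-Path $ExportDir ("{0}-{1}.pst" -f ($Mailbox -replace '[@.]', '_'), $Stamp)

# Queue the export. Exchange copies the mailbox contents into the PST;
# the live mailbox itself is not modified. A -ContentFilter could narrow the
# date range, but a full copy is preferable for evidence preservation.
New-MailboxExportRequest -Name $Name -Mailbox $Mailbox -FilePath $PstPath | Out-Null

# Poll until the request reaches a terminal state instead of assuming success.
$Terminal = @('Completed', 'CompletedWithWarning', 'Failed')
do {
    Start-Sleep -Seconds 30
    $req = Get-MailboxExportRequest -Name $Name | Get-MailboxExportRequestStatistics
    Write-Host ("{0}: {1} ({2}% complete)" -f $Name, $req.Status, $req.PercentComplete)
} while ($Terminal -notcontains [string]$req.Status)

if ([string]$req.Status -eq 'Failed') {
    throw "Export $Name failed: $($req.Message)"
}

# Hash the PST with .NET directly so this also works on the PowerShell 2.0
# shell that ships with Exchange 2010 (Get-FileHash needs PowerShell 4+).
$sha    = [System.Security.Cryptography.SHA256]::Create()
$stream = [System.IO.File]::OpenRead($PstPath)
try {
    $hash = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
} finally {
    $stream.Close()
}

# Append one manifest line: who was exported, when, where, by whom, and the hash.
$line = "{0}`t{1}`t{2}`t{3}`tSHA256={4}" -f (Get-Date -Format o), $Mailbox, $PstPath, `
        "$env:USERDOMAIN\$env:USERNAME", $hash
Add-Content -Path $Manifest -Value $line
Write-Host "Exported $Mailbox to $PstPath`nSHA256: $hash"
```

The manifest entry is what lets a later reviewer recompute the hash of the PST and confirm the copy examined is the one that was exported; keep the manifest on storage the export account cannot rewrite afterwards.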
Van Sutton is a data recovery expert at DataNumen, Inc., which is the world leader in data recovery technologies, including Outlook PST repair and BKF recovery software products. For more information visit www.datanumen.com