In this article we look at the key advantages of using message tracking logs while performing forensics analysis on Ms Exchange mailboxes
Forensic Analysis in MS Exchange is used for investigating mailboxes; this investigation makes use of certain features which keep the record of all conversations and their logs. Message Tracking Log is one such feature, this keeps a record of the log files of all emails that are exchanged between mailboxes belonging to a single organization. During investigation, messages are tracked using the path stored by this feature. One can not only make out the path used by the message to travel across Exchange, but also get details about the sender and the recipient of the message, along with the subject, date and time of the message. This feature also helps users figure out problems in mail flow, producing reports and analyzing the pattern of email traffic.
Availability of Message Tracking Logs in MS Exchange
You will not find this feature in Exchange online, but there is an alternative to it that has been provided, it’s called the Message Trace feature. Message Tracking is readily available in Exchange on-premises. In the 2000 and 2003 edition of MS Exchange, the user had to manually enable the feature. It was activated by default only from the 2007 edition and onwards, and records activity from the past 30 days. This feature is a part of the Transport service of the mailbox, therefore all mails that pass through the mailbox, have to go through this feature. Therefore, Exchange can easily record information of the mail flow
Using Message Tracking Logs in MS Exchange
Message Tracking Log in MS Exchange greatly helps with Forensic Analysis. Through Message Tracking Logs, Forensic Investigation can be done quickly and efficiently. The path of a mail can be easily traced through the recorded logs of the conversation, followed by necessary action.
The steps for using the feature with MS Exchange for Forensic Analysis are as follows:
- You need to begin by checking the current status of message tracking present on all Transport Servers; this will help in the process of verification of log recording for the emails being investigated. You can then make use of Exchange Management Shell for running the cmdlet.
- In the cmdlet make sure the Message Tacking Log is activated, and the age for the same is set to 30 days. This will mean all the information, about each email, passing through Exchange is being recorded and logged.
How does it help to use Message Tracking Logs
To use Message Tracking Logs, you do not necessarily have to implement investigation. It often happens that sometimes, a simple email exchange takes a bad turn. Where the recipient changes the content of the mail and becomes a victim, thus making the sender an offender. Message Tracking Logs do not reveal the original content of the message, but the original date, time and subject can be verified. Thus the feature not only helps in identifying the culprit, but also helps in protecting those who have been falsely accused. So while you can always run a recover Exchange program to bring back any lost data, it is equally important to fix accountability which message tracking logs facilitate.
Van Sutton is a data recovery expert in DataNumen, Inc., which is the world leader in data recovery technologies, including repair Outlook pst error and bkf recovery software products. For more information visit www.datanumen.com