Guidelines to Perform Exchange Forensics Through Log File

Alessia Manon | Modified: January 23rd, 2017 | Email Forensics

Transaction log files maintain a record of all changes or activities performed in the Microsoft Exchange server. Information to be updated in a mailbox database is firstly written to an Exchange transaction log. Basically, it is a database file, which is automatically created by the server and considered as a time-stamped event document for a specific system. Later on, the content of this transaction log file is written to the server database file, which is in Exchange EDB format. Therefore in the next section read how to perform Exchange Forensics Through Log File

Technical Description of Log File

  • The server log files are a collection of operations performed in a database like modification, receiving emails, and creation of a mail. It also stores the record of activities, which are performed in Exchange calendars, tasks, notes, contacts, etc. Each of the server databases is having its own set of transaction log with a .log extension. Each log file is having either 1 MB or 1024 KB size, therefore when file size completion takes place, the Exchange server closes the file and renames it with a sequential number. For example, first log file name with full size will be Enn00000001.log where nn is base or prefix name in two digits.
  • There is one another file created in the Exchange server i.e., Checkpoint. This file tracks the current status of the process to write log information in an EDB database file.

Terminologies Related to Exchange Log File Analysis

Before proceeding further with Exchange Forensics through log file procedure, one need to have complete knowledge about following terms:

Mailbox: A user who is working on the Exchange server

Exchange Database: The major file on which forensics is to be performed because it stores entire operations performed by a user. Remember that one is assigned to a Mailbox database when Mailbox creation takes place.

Mailbox Storage Group: The combination of entire Exchange database that is assigned to each mailbox or user. By default, one can create 5 mailbox storage group

Depth Analysis of Exchange Log Files

In order to perform an investigation on an Exchange log file, users can go through following concepts for collecting evidence from it:

#1: Analyze Common Database Storage Group

It might be possible that an investigator is provided with more than one mailboxes, which are using only one mailbox database storage group. Therefore, all log files generated by a user from such storage group will be having the same manner of log file name. One just has to open these log files in a Hex Editor for understanding its structuring. In addition, the location of its concern database file i.e., EDB is 0x2DF.

#2: Examine Log Files of Message Sender

Whenever a user will send a mail, it will be first recorded in the log file and then written to the server mailbox database. Therefore, for analyzing such transaction log files, one will have to go through following a set of instructions:

Learn whether the message is sent from Microsoft OWA or from MS Outlook
Now look for O.W.A text or 4F 00 57 00 41 hexadecimal value in present log file to determine that sending action is performed by Microsoft Outlook Web Access. If such text/value is not found in log file then it means that activity is performed by Outlook

exchange forensics

If the mail is sent from Microsoft OWA then follows below-mentioned steps:

a) Search for HTML text or 3C 68 74 6D 6C hexadecimal value from the current log file

b) Now look for 2B 2F E1 82 value and then ignore 8-bytes after that. Here you will find details of receiver’s id along with name

c) In a backward manner, search for D0 01 hexadecimal value and then count 8-bytes in such a way that this text comes from 7th and 8th position. This procedure will help you in determining Data and time of the mail

d) To retrieve header part of message and other information, find out M.I.M.E – V.e.r.s.i.o.n or 4D 00 49 00 4D 00 45 00 2D 56 00 65 00 72 00 73 00 69 00 6F 00 6E hexadecimal value in a backward manner

If the mail is sent from Microsoft Outlook then, follow below mentioned steps:
1) The message body is in simple HTML format therefore, first search for HTML text or 3C 68 74 6D 6C hexadecimal value and then, look ‘Body’ Tag

2) Just after a tag from the provided code, look for D0 01 and choose 8-byte in such a way that D0 D1 bytes appear at the 7th and 8th position. This scenario will enable you to determine to send time duration of the mail

3) It’s time to learn the name of the person who had sent the message. To do the same, search for ED text in a forward manner and then count next 17-Bytes. After counting these 17-bytes, leave all of them and then next to them see the sender’s name

4) Find out 03 00 DE 5F 03 00 DF 5F 1F 00 F6 5F 02 01 F7 5F 03 00 FD 5F 03 00 FF 5F 01 E4 04 hexadecimal value and then investigate the receiver’s name.

5) After the recipient’s name, look for 56 50 52 4F and then for D0. When you encounter D0, count and leave next 22-bytes to view Subject of the message

#3: Examine Exchange Forensics through Log Files of Receiver Message

In order to acquire information of received message from the log file, you have to go through following instructions:

Look for HTML or 3C 68 74 6D 6C hexadecimal value to determine body of the message

  • As in Examine Log Files of Message Sender section, you will find body of message with its text format using ‘Body’ tag with same guidelines

Note: There will be only a single difference between Microsoft OWA and Outlook that if next searching is after tag then, it is Outlook and if it is before then, it is MS Outlook for Web Access Entire email details will be gathered from email header. This header can be determined by searching for 52 00 65 00 63 00 65 00 69 00 76 00 65 00 64 hexadecimal value or R.e.c.e.i.v.e.d text

#4: Examine Rich Text Formatted Email

  • Since we know that Microsoft Outlook provides facility to send mail in a Rich text format, therefore, in such case there are some changes that occur in the log file. Hence, it is mandatory to know those changes in order to perform complete Exchange forensics through the log file.
  • The mail body presentation is only the change that we are talking about and with reference to the size issue, the body gets compressed. Due to this reason, the body is represented in LZF format.
  • Other guidelines or trips remains are same. Just searching for body is altered in which you have to search for 00 00 4C 5A 46, which is a pure LZF file header and will be ending with 70 7D

Conclusion

Forensic investigation has now become an essential part of any cybercrime investigation because evidence gathered are considered as truthful and a valid proof of the Law. With the increase in the invention of new technologies and applications, a careful study is required to gather information from system data files. One such file is transaction log file of the Exchange server. In this blog, one can find all the criteria through which they can perform an investigation on Exchange forensics through log files.