Forensic for Exchange (aka FFE) and Email Analysis Software PRO User Manual

Copyright© 2007 Innovative Technology Concepts, Inc.

Abstract

Forensic for Exchange is a tool that allows the user to search an Exchange database for deleted email content that may reside in an inaccessible area, such as the white space area. FFE has the ability to perform keyword searching, which allows the user to look for mail data that matches a certain criterion or pattern. FFE does not rely on database indexes, mailbox IDs or any database-related function, but rather scans at the byte level. It does not matter if the database is corrupted, is missing data, users have been migrated to another server, or the whole database has been migrated to another server: FFE will still find deleted mail data. Please keep in mind that FFE is a discovery tool, not a recovery tool.

The main screen, or initial startup screen (seen below), allows a pre-programmed algorithm to run on a database to find messages that reside in Exchange format. This portion will scan up to 2.1 GB of white space in Exchange.

The problem is that because the white space area can be overwritten, there is no set way this data can be scanned. Therefore the advanced scanning, or “Email Analysis”, portion is needed, which can support files over 60 GB (seen below).

The first thing the user must do is open an .edb file or .stm file for review. This is accomplished by clicking on “File Options”, then clicking on “Open Edb File”, or by pressing the F2 key.

Once the .edb file or .stm file has been opened, the following information will be displayed if available: the real organization name, server name, database state, repair count, DB signature date and last access time.

FFE has many different options, which give you complete control over the database. You can start the scan at any beginning point in the file and stop at any end point in the file. You can change the primary search header boundary to anything you want. You can change the copy and scan format to UTF7, UTF8, UTF32, Unicode or Regular Decoding.

The user also has control over message types, which can be changed from the standard format to three different types of HTML formatted messages.

With FFE, you can change the read buffer size from the default of 6 KB to any size needed. This allows the sizes of the .eml and .html output files to be increased or decreased as needed, on the fly, which makes it possible to discover email content that otherwise might be missed.

FFE can scan and extract email content from the .stm file in Exchange with excellent results. You have the ability to do an initial scan for a particular keyword without having to copy off data. A log file is generated which provides the user with the following information: the offset in the file where the keyword was found, and which message the keyword seems to be in (for example, the From: and perhaps the To: header).

FFE does have the ability to find metadata such as the original sender, message format, IP address, and whether there was an attachment and what its name was. Note: this information may not always be available.

Once a keyword has been entered, it will show up in the “Searching For Keyword” box.

At this point you can, if desired, change the decoder, format setting, start position, stop position and file size. You can also enable discovery mode with file copy, or discovery mode only. Discovery mode only does not copy off files, but simply generates a log file letting you know whether the keyword was found (if it is found, the log file will have the offset where the keyword was found and which message it seems to be in).

Next, you would begin the scan by clicking on start, then clicking the start analysis button.

Once the scan has started, data will start populating the “write buffer” area. You can use the scroll bar to review the data as it is scanned and copied off to files. If you have entered a keyword, only messages that contain the keyword will be shown in the “write buffer” area and copied to a file. As seen below, this message has information relating to the keyword “contract”.

Note:  (Email addresses have been blotted out for privacy reasons)

Typically, information such as Received from:, Date:, Message-ID:, Subject: and other header fields will be displayed in the “write buffer” area.

As stated before, a user can also change the boundary header information. This means that FFE will use the text entered in the “Change Boundary Header” box as the starting point from which data is copied into the read/write buffer area.

For instance, let's say the user changes the boundary header to “To: Aaron” and changes the file size to 7 KB. FFE will then scan the database areas for the phrase “To: Aaron”. If FFE finds this phrase, it will start copying data from that point for 7 KB.

(If a keyword has been entered, FFE will scan the 7kb of data in the read buffer for that keyword).
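The boundary-header, file-size, keyword and discovery-mode behaviour described above, together with the decoder options listed earlier, amounts to a byte-level carving loop. The Python below is an added illustration of that loop and is not FFE's code; it runs over a constructed byte blob that stands in for .edb/.stm white space, treats the manual's “Unicode” decoder as UTF-16LE (an assumption), and reports, like FFE's log, the offset of each hit and which message it seems to belong to.

```python
import re

# Decoder names as the manual lists them, mapped to Python codecs. Treating the
# manual's "Unicode" as UTF-16LE (the Windows wide-char encoding) is an assumption.
DECODERS = {
    "regular": "latin-1",
    "utf7": "utf-7",
    "utf8": "utf-8",
    "unicode": "utf-16-le",
    "utf32": "utf-32-le",
}

# Constructed stand-in for an .edb/.stm region: message fragments separated by
# zeroed "white space". Not data from a real Exchange database.
FILLER = b"\x00" * 64
SAMPLE_BLOB = (
    FILLER
    + b"From: alice@example.test\r\nTo: Aaron <aaron@example.test>\r\n"
    + b"Subject: Q3 contract review\r\n\r\nPlease sign the contract by Friday.\r\n"
    + FILLER
    + b"From: bob@example.test\r\nTo: Carol <carol@example.test>\r\n"
    + b"Subject: lunch\r\n\r\nNoodles?\r\n"
    + FILLER
    + ("To: Aaron <aaron@example.test>\r\nSubject: budget\r\n\r\n"
       "The contract total is attached.").encode("utf-16-le")
    + FILLER
)


def find_boundary(blob, boundary, decoder, start=0, stop=None):
    """Yield every byte offset in blob[start:stop] where the boundary header
    appears, encoded the way the chosen decoder expects."""
    needle = boundary.encode(DECODERS[decoder])
    stop = len(blob) if stop is None else stop
    pos = blob.find(needle, start, stop)
    while pos != -1:
        yield pos
        pos = blob.find(needle, pos + 1, stop)


def header_fields(chunk, decoder):
    """Best-effort From:/To:/Subject: lines from a carved chunk, so the log can
    say which message a hit 'seems to be in'."""
    text = chunk.decode(DECODERS[decoder], errors="replace")
    fields = {}
    for name in ("From", "To", "Subject"):
        m = re.search(r"^" + name + r":[ \t]*(.*?)\r?$", text, re.MULTILINE)
        if m:
            fields[name] = m.group(1)
    return fields


def scan(blob, boundary="From: ", keyword=None, read_buffer=6 * 1024,
         decoder="regular", start=0, stop=None, discovery_only=False):
    """Carve read_buffer bytes from each boundary hit and keep only chunks that
    contain the keyword (if one was given). Returns (log entries, carved chunks);
    with discovery_only=True nothing is carved, only logged, as in FFE's
    'discovery mode only'."""
    needle_kw = keyword.encode(DECODERS[decoder]) if keyword else None
    log, carved = [], []
    for off in find_boundary(blob, boundary, decoder, start, stop):
        chunk = blob[off:off + read_buffer]
        if needle_kw is not None and needle_kw not in chunk:
            continue
        log.append({"offset": off, "keyword": keyword,
                    "headers": header_fields(chunk, decoder)})
        if not discovery_only:
            carved.append(chunk)
    return log, carved


if __name__ == "__main__":
    log, carved = scan(SAMPLE_BLOB, boundary="From: ", keyword="contract",
                       read_buffer=128)
    for entry in log:
        print(entry)
    print(f"{len(carved)} chunk(s) would be written out as .eml files")
```

Because the read buffer is a fixed window measured from the boundary hit, a keyword found inside it may actually belong to the next fragment that happens to fall within the window; that is why the log can only say which message the hit seems to be in. A smaller buffer narrows attribution, a larger one recovers longer bodies, which is the trade-off behind changing the file size on the fly.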

In addition, the number of files being copied will populate the “Files Written” area, and the file path will populate the “Output File Path” area.

Under the “Find Exchange Information” portion, there are two options, “Retrieve Org Info” and “Find Recipient List”.

If a user clicks on the “Retrieve Org Info” button, FFE will populate the “write buffer” area with information relating to the environment the Exchange database resided on.

If the “Find Recipient List” button is clicked, FFE will attempt to locate recipients throughout the database.  Note: (There may be duplicate entries as FFE tries to retrieve information from several different areas in the database.)

FFE scans the database then copies the information found to an .xls file.
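As an added illustration of this recipient-list step (not FFE's own code), the Python below harvests email addresses from a constructed byte blob in several decodings, lower-cases and de-duplicates them so the same address seen in different areas or encodings appears once, and renders the result as CSV (FFE writes an .xls; CSV is a substitution for the example). The blob, the decoder table and the address pattern are all assumptions of the example.

```python
import csv
import io
import re

# Constructed stand-in for database regions holding recipient data in mixed
# encodings. Not data from a real Exchange database.
SAMPLE_BLOB = (
    b"\x00" * 32
    + b"From: alice@example.test\r\nTo: Aaron <aaron@example.test>\r\nCc: bob@example.test\r\n"
    + b"\x00" * 32
    + "To: Aaron <aaron@example.test>\r\nFrom: carol@example.test\r\n".encode("utf-16-le")
    + b"\x00" * 32
    + b"Recipient: BOB@example.test\r\n"
)

# Manual's decoder names mapped to Python codecs ("Unicode" as UTF-16LE is an assumption).
ENCODINGS = {"regular": "latin-1", "utf8": "utf-8", "unicode": "utf-16-le"}

# Simple RFC-5322-style address shape; deliberately permissive for carving.
ADDRESS_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def harvest_recipients(blob, encodings=ENCODINGS):
    """Decode the whole blob under each encoding and collect every address that
    matches. Returns {address_lowercase: set of encoding names it was seen in};
    lower-casing is what collapses duplicates such as bob@ and BOB@."""
    seen = {}
    for name, codec in encodings.items():
        text = blob.decode(codec, errors="replace")
        for m in ADDRESS_RE.finditer(text):
            seen.setdefault(m.group(0).lower(), set()).add(name)
    return seen


def recipients_csv(seen):
    """Render the harvested addresses as CSV text, one row per unique address,
    with the encodings it was found in so an analyst can judge the provenance."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["address", "encodings"])
    for addr in sorted(seen):
        writer.writerow([addr, ";".join(sorted(seen[addr]))])
    return buf.getvalue()


if __name__ == "__main__":
    print(recipients_csv(harvest_recipients(SAMPLE_BLOB)))
```

Addresses stored as UTF-16 are invisible to a byte-for-byte ASCII search, which is why each encoding is tried in turn; the encodings column keeps that distinction visible after de-duplication.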

The data for the recipient list will be held in an Excel spreadsheet named for the server the database is from. Typically, the data looks as it does in the screenshot below.

FFE will also be able to ingest the data found into a SQL database, so that the data can be reviewed by more than one person at a time, and will be able to print out reports.

Copyright© Notice: These images may not be reproduced in any way. The interface of Forensics for Exchange is protected under the copyright laws of the State of Florida as well as the United States. In addition, Forensics for Exchange has a patent pending and Forensics for Exchange code may not be altered or reproduced in any way.