Digital Evidence Ventures Recovers Mails from Decommissioned Servers for Forensic Analysis and Fight Corporate Litigation
Digital Evidence Ventures (DEV) is a digital forensics and eDiscovery firm based in Sacramento, California. It provides digital forensics services and litigation support to law firms and businesses in the areas of computer and cell phone forensics. DEV is led by ex-FBI agents and non-practicing attorneys who help attorneys and businesses gather and analyze the data to obtain evidence to resolve litigations or help businesses to make informed decisions.
One of the clients of Digital Evidence Ventures needed help with a corporate litigation where they had an order to preserve all emails from the mailboxes of a decommissioned server. The client organization needed to extract the mailboxes from the archived EDB files of the decommissioned server to allow forensic analysis.
The key 'technical' challenge was faced with extracting and exporting the mailboxes from the decommissioned server without the original server setup and AD configuration. Also, the client organization was in urgent need to extract emails from multiple EDB files to PSTs for responding to the order on time.
The following sections summarize the key challenges faced by DEV forensic experts:
- Export Mailboxes from Decommissioned Server
As the server was decommissioned, it would require the team to rebuild the domain with Exchange and domain controller for mounting the database and exporting the mailboxes by using PowerShell cmdlets. However, exporting mailboxes to PSTs via Exchange Management Shell by using PowerShell cmdlets or Exchange Admin Center (EAC) requires a functional Exchange server.
Restoring a decommissioned server is a time-taking process. It could take several hours to weeks to restore the decommissioned server and extract mail data for analysis. However, the client needed to preserve the information and evidence at the earliest possible to proceed and fight the litigation.
Following were the key business needs:
- Multiple EDB file to PST file conversion from a decommissioned Exchange server
- Gather the required information and evidence within the shortest time span
Multiple EDB to PST File Conversion
As the EDB files were offline and couldn't be mounted, the only solution left was to extract the mailboxes from the EDB files in a way that could serve as a forensic evidence.
DEV team tried to extract the mailboxes by using forensic toolkit from Parabens® and Access Data®. Paraben Forensic Toolkit supports the Exchange database (EDB) file and export emails to PST. However, it could not extract the required information and was unable to display the required emails, email content, and custodians of the emails stored in the EDB files. The team experienced similar issues with Access Data Forensics Toolkit.
After assessing a few forensic toolkits, DEV team came across Stellar Toolkit for Exchange; a software suite that "exports" EDB files to PSTs from decommissioned servers without setting up the complete Exchange Server & AD. The tool also extracts mailboxes including deleted emails from the EDB files of a decommissioned or inactive server.
The team downloaded the free trial version of Exchange toolkit from Stellar and used it to scan the offline EDB files, copied from the decommissioned Exchange server. The tool was able to scan all the mailboxes and preview the mailbox contents, including email body text, attachments, contacts, calendar, etc. It could also find and preview the deleted emails.
After verifying the mailbox data, the team decided to activate the software and successfully converted Multiple EDB files to PSTs.
The toolkit allowed extraction of the required mailbox data and provided custodian information needed for the lawsuit. It helped in preserving the emails and other mailbox data required by the client organization for further investigation.
Stellar Toolkit for Exchange helped Digital Evidence Ventures to find and preserve the mailboxes for its client organization. The toolkit saved the required mailboxes to PST files with original integrity, as verified using the Preview feature. The software served as an efficient solution to extract the mailboxes in the given time span.