Digital Evidence Ventures Recovers Mail from Decommissioned Servers for Forensic Analysis to Fight Corporate Litigation
Digital Evidence Ventures (DEV) is a digital forensics and eDiscovery firm based in Sacramento, California. It provides digital forensics services and litigation support to law firms and businesses in the areas of computer and cell phone forensics. DEV is led by ex-FBI agents and non-practicing attorneys who help attorneys and businesses gather and analyze the data to obtain evidence to resolve litigations or help businesses to make informed decisions.
One of the clients of Digital Evidence Ventures needed help with a corporate litigation where they had an order to preserve all emails from the mailboxes of a decommissioned server. The client organization needed to extract the mailboxes from the archived EDB files of the decommissioned server to allow forensic analysis.
The key technical challenge was restoring the mailboxes of the decommissioned server without the original server setup and AD configuration. The client organization also urgently needed the emails restored in order to respond to the order on time.
The following sections summarize the key challenges faced by DEV forensic experts:
- Restoring the Decommissioned Server
As the server was decommissioned, the team would have to rebuild the domain with Exchange and a domain controller in order to mount the database and restore the mailboxes. However, this standard restoration procedure didn't guarantee success, as the transaction log files were missing and the AD was not available. Further, force mounting the database could potentially affect the mailbox data and render it invalid as evidence.
- Time Scarcity
Restoring a decommissioned server is a time-consuming process. It could take anywhere from several hours to weeks to restore the decommissioned server and extract mail data for analysis. However, the client needed to preserve the information and evidence as early as possible to proceed and fight the litigation.
The key business needs were:
- Recover and preserve mailboxes from a decommissioned Exchange server
- Gather the required information and evidence within the shortest time span
Mailbox Recovery Attempts
As the EDB files couldn't be mounted, the only solution left was to extract the mailboxes from the EDB files in a way that could serve as forensic evidence.
The DEV team tried to extract the mailboxes by using forensic toolkits from Paraben® and Access Data®. Paraben Forensic Toolkit supports Exchange database (EDB) files and exports emails to PST. However, it could not extract the required information and was unable to display the required emails, email content, and custodians of the mails stored in the EDB files. Also, the deleted mail items were not tagged separately when exported to PST, making it difficult to distinguish between the exported emails. The team experienced similar issues with Access Data Forensics Toolkit.
After assessing a few forensic toolkits, the DEV team came across Stellar Toolkit for Exchange, a software suite that "converts" offline and hosted EDB files and extracts mailboxes without dismounting the database. The tool can extract mailboxes, including deleted emails, from the EDB files of a decommissioned or inactive server.
The team downloaded the free trial version of Exchange toolkit from Stellar and used it to scan the archived EDB files, copied from the decommissioned Exchange server. The tool was able to scan all the mailboxes and preview the mailbox contents, including email body text, attachments, contacts, calendar, etc. It could also find and preview the deleted emails.
After verifying the mailbox data, the team decided to activate the software and extract the required emails to PST files.
The toolkit allowed extraction of the required mailbox data and provided custodian information needed for the lawsuit. It helped in preserving the emails and other mailbox data required by the client organization for further investigation.
Stellar Toolkit for Exchange helped Digital Evidence Ventures to find and preserve the mailboxes for its client organization. The toolkit saved the required mailboxes to PST files with original integrity, as verified using the Preview feature. The software served as an efficient solution to extract the mailboxes in the given time span.