Owen O'Connor

Abstract

In most organisations Microsoft Exchange is far more than a mail system: it is the organisational memory, storing huge volumes of email as well as calendars, contacts, notes, task lists etc. While the data stored in Exchange is of great evidential value, investigations involving Exchange can be complex due to limited audit trails and poor forensic preparedness.

Fortunately, the number of forensically-valuable artefacts inside Exchange mailboxes is increasing. For example, recent versions of Exchange and Outlook now store key configuration and usage data within user mailboxes rather than on end-user devices. When dealing with a modern Exchange environment, or with Exchange Online in Office 365, these artefacts can be rich enough to reconstruct user activity at a very granular level, including details of content accessed and client devices used.

This interactive workshop will examine the structure and contents of modern Exchange mailboxes, including system folders, hidden user folders and hidden system data. An investigative approach will be demonstrated which is based on “in-mailbox” forensic artefacts rather than on analysis of client systems, and a sample of in-mailbox artefacts will be presented.