Investigating Microsoft Exchange Mailstorage
Posted by Jack H. Ward, Last modified by Jack H. Ward on 05 February 2018 07:19 AM

Electronic Evidence Examiner allows you to investigate the following versions of Microsoft Exchange (EDB) information stores: 5.0, 5.5, 2000, 2003, 2007, 2010, and 2013.

Microsoft Exchange mailstorage is stored in an *.edb file.

Its default location in all versions of Windows is C:\Program Files\Exchsrvr\Mdbdata\*.edb.

Please note that bodies of some messages can be stored in the *.stm file. The path to this file can be defined separately in the EDB settings.

To investigate a Microsoft Exchange mailstorage, do the following:

1.  Have the Add New Evidence window open.
2. In the Category list, select E-mail Database. In the Source Type list, select EDB database, EDB 5.5 database, or EDB 2013 database. Click OK.

3. In the standard Open window, navigate to the desired *.edb Click OK.
4. Enter the Evidence name (by default, the name of the file to be added) and click OK.
5. Define the EDB Database Settings and click OK.

6. The Microsoft Exchange mailstorage is added to the case.
7. The mailstorage structure is displayed in the Case Content pane (to the left), messages stored in the mailbox are displayed in the Data View pane (to the right).

8. The deleted messages are displayed in the Data View pane in the folders they were deleted from. The deleted messages are marked with a red X.
9. Select the message in the Data View pane. Its contents are displayed in the E-mail Data pane (below the message list).

10. You can view the message contents in different formats and/or view the attachments.

 Microsoft Exchange Mailstorage.png (44.86 KB)
 Microsoft Exchange Mailstorage settings.png (14.07 KB)
 Microsoft Exchange Mailstorage 1.png (66.15 KB)
 Microsoft Exchange Mailstorage 2.png (20.92 KB)
(0 vote(s))
Not helpful

Comments (0)