
Exchange Header Analysis

Today email is the most common means of communication for businesses and individuals alike. With about a quarter of an average worker's day spent reading and replying to mail, its importance is easy to see. Unfortunately, email communication is often exposed to illegitimate use because of two fundamental limitations: there is no encryption at the sender's end, and there is no real authentication mechanism. The following sections discuss Exchange header analysis in depth.

Introduction – Exchange Header Analysis

Every Exchange forensic analysis starts on the Exchange system itself. If the required information does not exist on Exchange, a deeper analysis on the client side is usually performed. To preserve email from a live Exchange server, forensic investigators take different approaches depending on the nature of the misuse being investigated. A proper investigation requires proper data extraction using Exchange's own features.

How to Analyze an Exchange Header

Message Tracking is an Exchange feature that records, in log files, the mail traffic between all mailboxes in an organization as messages travel between them. These logs help track the flow of a message: they record the path the message took through Exchange, together with the sender, recipients, subject, time and date. They can be used to troubleshoot mail-flow issues, produce reports, or analyze overall mail traffic patterns.

First, check the message tracking status on all servers so that we can verify whether the mail under investigation was logged at all. Using the Exchange Management Shell, we run the cmdlet shown in the screenshot.

The output shows that MessageTrackingLogEnabled is set to True and MessageTrackingLogMaxAge is set to 30 days, which means that information about every email flowing through the Exchange organization is logged and kept for 30 days.

View Exchange Message Header

If message tracking is enabled, we can start looking for our message with the Get-MessageTrackingLog cmdlet:


The limitation here is that these logs do not contain the body of the email itself. At this point, therefore, we can only prove that the mail was sent and delivered.

Mailbox Auditing lets administrators record operations performed on a mailbox, such as deleting or copying mails. After enabling auditing for one or more mailboxes and configuring the level of detail to capture, audit entries are stored in the Audits subfolder of the Recoverable Items folder and can be queried using the Exchange Management Shell.

Even when looking at the message headers, there is no indication of who exactly the hacker who sent the e-mail was.

To start, we need to confirm that auditing is enabled for the Offender's mailbox and that the Send As action is being audited. An investigator might have to go through the whole log, as this may not be clear at first.


Now that we have determined that logging is enabled, we use the Search-MailboxAuditLog cmdlet to find out whether any emails were sent from the Offender's mailbox using SendAs permissions. Since these logs contain a lot of information, we filter them to return only operations of the type SendAs.


The log entries shown in the screenshots also tell us that the email client used to send the email was Outlook.
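The whole sequence described above, from checking that tracking is on to filtering the audit log down to SendAs operations, as an added Exchange Management Shell example that is not part of the original article. It assumes Exchange 2013 or later (Get-TransportService; Exchange 2010 uses Get-TransportServer), a mailbox named Offender as in the article, an assumed example.com address, and a 30-day window matching the MaxAge shown above; every cmdlet used is read-only.

```powershell
# Added example, not from the original article. Assumed values: the mailbox
# identity, the example.com domain and the 30-day window.
$mailbox = "Offender"                 # assumed: mailbox whose address appeared as sender
$sender  = "$mailbox@example.com"     # assumed SMTP address of that mailbox
$start   = (Get-Date).AddDays(-30)
$end     = Get-Date

# 1. Is message tracking enabled, and how long are the logs kept? A server with
#    MessageTrackingLogEnabled = False, or an incident older than MaxAge, means
#    the tracking log cannot prove anything for that server or period.
Get-TransportService |
    Select-Object Name, MessageTrackingLogEnabled, MessageTrackingLogMaxAge, MessageTrackingLogPath

# 2. Locate the message in the tracking log. Only envelope data is recorded
#    (sender, recipients, subject, timestamps, client address), never the body,
#    so this step can show that the mail was sent and delivered, not who typed it.
$tracked = Get-MessageTrackingLog -Start $start -End $end -Sender $sender -ResultSize Unlimited |
    Select-Object Timestamp, EventId, Source, Sender, Recipients, MessageSubject, ClientIp, ClientHostname
$tracked | Sort-Object Timestamp | Format-Table -AutoSize

# 3. Confirm that mailbox auditing is on and that SendAs is audited for delegates
#    before drawing conclusions: an empty audit result proves nothing otherwise.
$audit = Get-Mailbox -Identity $mailbox |
    Select-Object AuditEnabled, AuditDelegate, AuditAdmin, AuditLogAgeLimit
$delegateOps = @($audit.AuditDelegate | ForEach-Object { "$_" })
if (-not $audit.AuditEnabled -or $delegateOps -notcontains "SendAs") {
    Write-Warning "SendAs auditing is not enabled for $mailbox; the audit log is not conclusive"
}

# 4. Return only SendAs operations. LogonUserDisplayName is the account that
#    actually sent the message, ClientInfoString identifies the client (for
#    example Outlook) and ClientIPAddress gives the source address.
Search-MailboxAuditLog -Identity $mailbox -LogonTypes Admin, Delegate -ShowDetails `
        -StartDate $start -EndDate $end |
    Where-Object { $_.Operation -eq "SendAs" } |
    Select-Object LastAccessed, Operation, LogonType, LogonUserDisplayName,
                  ClientInfoString, ClientIPAddress, ItemSubject |
    Sort-Object LastAccessed |
    Format-Table -AutoSize
```

Correlate the ItemSubject and LastAccessed of step 4 with the MessageSubject and Timestamp of step 2 to tie the audited SendAs action to the tracked message.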

Scenarios in which users abuse the SendAs functionality to send emails pretending to be other users are typically easy to identify and investigate, for two main reasons: SendAs permissions have to be assigned by administrators, and the information about who actually sent the mail is logged in the message tracking logs.


Mailbox access auditing becomes even more valuable when there is a need to prove that someone logged into another user's mailbox and did something there without permission, such as deleting an email.


Finding evidence is essential, and Exchange header analysis is an important part of doing so. The discussion above covers how to perform that analysis once the user's needs and requirements are understood. Evidence within the emails themselves can also be located with advanced email search software.