
Processing Microsoft Exchange Database (EDB) Files


In version 1.9 we added the capability to index MS Exchange EDB files, either in their entirety or by mailbox. Since then we have extended support to Exchange versions 2003, 2007, 2010, 2013 and 2016. This post will step you through the process of extracting and indexing mailboxes from an EDB file.

Before we get into processing EDB files, we need to make a configuration change. Processing EDB files requires more dedicated memory: the Service memory allocation for the case should be set to at least 4GB.

Note: Since the lowest recommended setting for EDB files is 4GB, processing EDB files should be kept to systems running 64bit operating systems with sufficient RAM. 32bit operating systems are limited to using approximately 3GB RAM (even if more physical memory is installed), so the above settings will not work on 32bit systems. You must also be mindful not to set the memory settings higher than what your machine and OS support. The total amount of memory used for Service memory allocation is the number you set for Service memory allocation multiplied by the number of Crawlers. So, if you have, say, 6 crawlers and 4GB set for the Service memory allocation, then the total amount of memory used will be 24GB. The following is an example for a system with 32GB RAM:

The 'Service memory allocation' setting is available in the Case Manager. Click on the case, then click the Edit button. Now click on the Advanced button.



Now set the 'Service memory allocation' setting to 4GB, then click on OK to save the settings.
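Because the memory Intella actually uses is the per-crawler value multiplied by the number of crawlers, it is easy to overcommit a machine. The following Python helper is an added example, not part of the original post or of Intella itself: it applies the rule from the note above (total = allocation x crawlers, a 4GB minimum for EDB files that a 32bit OS cannot meet, and a total that must fit in installed RAM). The 4GB of RAM it reserves for the OS and other processes is my assumption, not a figure from the post.

```python
from dataclasses import dataclass, field

# Figures taken from the post above.
MIN_EDB_ALLOCATION_GB = 4   # lowest recommended Service memory allocation for EDB files
MAX_32BIT_USABLE_GB = 3     # a 32bit OS can only use roughly 3GB of RAM
# Assumption (not from the post): RAM to leave free for the OS and other processes.
OS_HEADROOM_GB = 4


@dataclass
class MemoryPlan:
    allocation_gb: float        # 'Service memory allocation' value, per crawler
    crawlers: int
    total_gb: float             # allocation_gb * crawlers, what Intella will actually use
    ok: bool
    problems: list = field(default_factory=list)


def plan_service_memory(allocation_gb, crawlers, installed_ram_gb, os_is_64bit,
                        headroom_gb=OS_HEADROOM_GB):
    """Check a Service memory allocation / crawler combination against the host.

    Mirrors the rule in the post: total memory = allocation x crawlers, the
    allocation must be at least 4GB for EDB processing, a 32bit system cannot
    satisfy that, and the total must not exceed what the machine can give.
    """
    problems = []
    total_gb = allocation_gb * crawlers

    if not os_is_64bit:
        problems.append(
            f"32bit OS is limited to about {MAX_32BIT_USABLE_GB}GB; "
            f"the {MIN_EDB_ALLOCATION_GB}GB minimum for EDB files cannot be met")
    if allocation_gb < MIN_EDB_ALLOCATION_GB:
        problems.append(
            f"allocation {allocation_gb}GB is below the {MIN_EDB_ALLOCATION_GB}GB "
            f"minimum recommended for EDB files")
    budget_gb = installed_ram_gb - headroom_gb
    if total_gb > budget_gb:
        problems.append(
            f"{crawlers} crawlers x {allocation_gb}GB = {total_gb}GB exceeds the "
            f"{budget_gb}GB available after {headroom_gb}GB headroom on a "
            f"{installed_ram_gb}GB machine")

    return MemoryPlan(allocation_gb, crawlers, total_gb, not problems, problems)


def max_crawlers(allocation_gb, installed_ram_gb, headroom_gb=OS_HEADROOM_GB):
    """Largest crawler count whose total allocation still fits on the host."""
    budget_gb = installed_ram_gb - headroom_gb
    if allocation_gb <= 0 or budget_gb <= 0:
        return 0
    return int(budget_gb // allocation_gb)


if __name__ == "__main__":
    # Constructed inputs: the post's own 6 crawlers x 4GB on a 32GB 64bit machine,
    # an overcommitted 8-crawler variant, and a 32bit host.
    for args in [(4, 6, 32, True), (4, 8, 32, True), (4, 1, 8, False)]:
        plan = plan_service_memory(*args)
        status = "OK" if plan.ok else "NOT OK"
        print(f"{plan.crawlers} crawlers x {plan.allocation_gb}GB = {plan.total_gb}GB: {status}")
        for p in plan.problems:
            print("  -", p)
    print("max crawlers at 4GB on a 32GB host:", max_crawlers(4, 32))
```

Run it before changing the case settings: the post's own 6 x 4GB on a 32GB machine passes, while 8 crawlers at 4GB on the same host would claim all 32GB and leave nothing for the operating system.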



Processing EDB Files
You will notice when adding a new source that there is an option for 'MS Exchange EDB Archive'. Select this option and navigate to the EDB file you wish to process.
Note: You could use the 'File or Folder' option to ingest EDB data sources; however, you will not get the mailbox chooser options with this method.




Once the EDB file has been opened, it will display all of the mailboxes contained in the EDB file. Select the individual mailboxes you want to index by checking the desired mailbox check boxes.



From here on, the processing steps are similar to the steps taken for adding any evidence type. On the next window you can edit the source name and time zone information.



You can set additional indexing settings as required.



The 'Cache original evidence files' setting is useful if the indexed case will be moved to another location for searching, review and export. It allows you to export the original evidence files from the case without having to have the source files available in a separate location. In the case of an EDB file, the extracted mail data is always cached into the case, so caching the EDB file itself will significantly increase the case size and indexing time for no benefit. Therefore you will typically want to turn this off for EDB files.



Post-processing tasks are a good way to run additional search criteria directly after the indexing phase has completed. In this example we will search for the term 'Fraud' and the results will be tagged in a tag named 01 - Hits for 'Fraud'.



Click Next to continue.



Lastly, complete the Add New Source wizard by checking the 'Yes, I want to index this source now' check box and clicking on Finish.


Note: It may take some time before Intella reports any indexed items. How soon indexed items are reported depends on the size of the file and the complexity of the data.




Once the processing is complete, under the Location facet you will see the EDB source and under that source you will see the mailboxes which were processed.



In my example you can see that items have also been tagged from the Post-processing tasks which were run.



Intella supports adding additional mailboxes from the original EDB file to the same EDB source shown under Location. Because the top level source (the EDB file) has already been added to the case as a data source, we can't use the 'Add New Source' wizard to add additional mailboxes. Instead we add mailboxes by selecting Sources, then Edit Sources from the menu. This will show the 'Edit Sources' window.



Select the 'Select Mailboxes...' button which will show a list of the mailboxes in the EDB file. Note that mailboxes which have already been processed are greyed out. Select the mailboxes you want to add to the case and click on Ok.


Note: It is not possible to remove already indexed mailboxes from the case.





Once back in the Edit Sources window you will notice that the Apply button is now active. Select the appropriate time zone, then click 'Apply' and then 'Close'.



A message will be displayed stating that sources have been modified and asking whether you want to index them. Click on Yes to start indexing the new mailboxes.


Note: In version 1.9, new sources or additional selected mailboxes can be indexed later without having to index the entire case by selecting “Index new data” in the Sources menu.




Again, once the processing is complete, under the Location facet you will see the original EDB source. Under the original source you will see the existing mailboxes along with the new mailboxes just indexed.
