Exchange - WikiLeaks

Exchange

Analysis of the Exchange Database

By Joachim Metz

Summary

Microsoft Exchange uses the Extensible Storage Engine (ESE) Database File (EDB) format to store its tables. This specification is based on reverse engineering. This document is intended as a working document for the Exchange database format specification, which should allow existing open source forensic tooling to process this file type.


Document information

Author(s): Joachim Metz

Abstract: This document contains information about the Extensible Storage Engine Database File format.

Classification: Public

Keywords: Exchange, Extensible Storage Engine, ESE, EDB

License

Copyright (c) 2009-2011 Joachim Metz.

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.3 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".

Version

Version  Author     Date           Comments
0.0.1    J.B. Metz  November 2009  Worked on initial version.
0.0.2    J.B. Metz  May 2010       Additional information about template tables.
0.0.3    J.B. Metz  January 2011   License version update.
0.0.4    J.B. Metz  January 2011   Additional information about attachment data in streaming file based on input of S. Joshi.


Table of Contents

1. Overview
  1.1. Test version
2. Column names
  2.1. Value type
3. Tables
  3.1. Folders
    3.1.1. Exchange 2003
    3.1.2. Exchange 2007
  3.2. DeletedFolders
    3.2.1. Exchange 2003
    3.2.2. Exchange 2007
  3.3. Msg
    3.3.1. Exchange 2003
    3.3.2. Exchange 2007
  3.4. MsgFolderTemplate
    3.4.1. Exchange 2003
    3.4.2. Exchange 2007
  3.5. Mailbox
    3.5.1. Exchange 2003
    3.5.2. Exchange 2007
  3.6. MailboxTombstone
    3.6.1. Exchange 2003 and 2007
  3.7. ReceiveFolder
    3.7.1. Exchange 2003 and 2007
  3.8. OofHistory
    3.8.1. Exchange 2003 and 2007
  3.9. NeedRN
    3.9.1. Exchange 2003 and 2007
  3.10. ReplState
    3.10.1. Exchange 2007
  3.11. ReplSchedule
    3.11.1. Exchange 2007
  3.12. OwningFolders
    3.12.1. Exchange 2007
  3.13. Sites Table
    3.13.1. Exchange 2007
  3.14. Secure Aging
    3.14.1. Exchange 2007
  3.15. Auto Moves
    3.15.1. Exchange 2007
  3.16. Search Pending
    3.16.1. Exchange 2007
  3.17. Cross reference table
    3.17.1. Exchange 2003
    3.17.2. Exchange 2007
  3.18. DeliveredTo
    3.18.1. Exchange 2003 and 2007
  3.19. PerUserRead
    3.19.1. Exchange 2003
    3.19.2. Exchange 2007


  3.20. Folder Tombstone
    3.20.1. Exchange 2003 and 2007
  3.21. Message Tombstone
    3.21.1. Exchange 2003 and 2007
  3.22. IndexAge
    3.22.1. Exchange 2003 and 2007
  3.23. Search Queue
    3.23.1. Exchange 2003 and 2007
  3.24. TimedEvents
    3.24.1. Exchange 2003 and 2007
  3.25. NamedProps
    3.25.1. Exchange 2003 and 2007
  3.26. Syncronization table
    3.26.1. Exchange 2003 and 2007
  3.27. Overflow List Table
    3.27.1. Exchange 2003 and 2007
  3.28. Async Event Queue Table
    3.28.1. Exchange 2003 and 2007
  3.29. IndexQ
    3.29.1. Exchange 2003 and 2007
  3.30. MDB Event History Table
    3.30.1. Exchange 2007
  3.31. MDB Event Watermark Table
    3.31.1. Exchange 2007
  3.32. Global
    3.32.1. Exchange 2003
    3.32.2. Exchange 2007
  3.33. ReplidMap
    3.33.1. Exchange 2003 and 2007
  3.34. LockLookup
    3.34.1. Exchange 2007
  3.35. PerfMonRowsInTables
    3.35.1. Exchange 2007
  3.36. #-X
    3.36.1. 1-23
      3.36.1.1. Exchange 2003
      3.36.1.2. F3701 data
      3.36.1.3. J3701 data
  3.37. S-1-X
  3.38. I-#-#
  3.39. SendQ
    3.39.1. Exchange 2003 and 2007
  3.40. Content Indexing Property Store Watermark
    3.40.1. Exchange 2007
Appendix A. References
Appendix B. GNU Free Documentation License

