If you are involved in the production or review of electronic evidence, you might have seen e-mail addresses that look a bit different than usual. For example:
/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERNAME
Have you ever wondered what these values are? The two scenarios we run into most frequently are as follows:
1) LegacyExchangeDN & X.500 Addresses
In a Microsoft Exchange organization, internal e-mails are routed using X.500 addresses instead of SMTP addresses. The X.500 address of each mailbox is stored in the legacyExchangeDN attribute in Active Directory, which is set when the mailbox is created and includes the name of the Exchange Administrative Group to which the mailbox belongs. LegacyExchangeDN values typically look as follows:
/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USER
/O: Organization Name
/OU: Organizational Unit
/CN: Common Name
Starting with Exchange 2007, user-defined Exchange Administrative Groups were replaced by a single administrative group called “Exchange Administrative Group (FYDIBOHF23SPDLT)”. The value “FYDIBOHF23SPDLT” is an encoded form of the string “EXCHANGE12ROCKS” in which each letter is replaced by the letter that follows it in the alphabet and each digit by the next digit (E->F, X->Y, 1->2, etc.).
When an e-mail that was sent within the Exchange organization is taken outside it (e.g. for e-Discovery processing or digital forensic analysis), the SMTP e-mail address of the user (e.g. firstname.lastname@example.org) can no longer be resolved, and the only address available is the legacyExchangeDN value. In this scenario, the e-Discovery processing output may look similar to the example image in Figure 1.
Figure 1 – E-mail with X.500 Addresses
2) IMCEA Encapsulation
Another common scenario is IMCEA encapsulated addresses. The sender and recipient addresses for each message are looked up in the Global Address List (GAL) before the message is sent. If the SMTP addresses cannot be resolved (e.g. they are hidden from the GAL), the look-up fails and Exchange is forced to encapsulate the only address available (the X.500 directory name) using Internet Mail Connector Encapsulated Addressing (IMCEA). Addresses encapsulated in this manner would look as follows:
The string “EX” at the end of “IMCEAEX” indicates that the encapsulated non-SMTP address was an Exchange address. The encapsulation process replaces each forward slash “/” with an underscore “_” and each other symbol with a plus sign “+” followed by its two-digit hexadecimal ASCII code (e.g. +20 for the space character).
In this scenario, the e-Discovery processing output may look similar to the example image in Figure 2. Please note that “domain.com” represents the SMTP domain that is used to encapsulate the non-SMTP address, which may not be the same domain where the original address belonged.
Figure 2 – E-mail with IMCEA Encapsulated Addresses
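The two address forms described above (a raw legacyExchangeDN and its IMCEA encapsulation) are mechanical enough that a reviewer can normalize them in a processing pipeline rather than reading them by eye. The following is an added example, not code from the original article: it parses the page's legacyExchangeDN value into its O/OU/CN components, reverses the one-character shift behind “FYDIBOHF23SPDLT”, and encapsulates/decapsulates IMCEA addresses. The encapsulated address it works on is constructed here from the page's DN and the placeholder domain “domain.com”. The set of characters treated as passing through encapsulation unchanged (letters, digits and “=”) is an assumption made so that “/O=EXAMPLE” round-trips as “_O=EXAMPLE”; the article itself only states the “/” and “+HH” rules.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# legacyExchangeDN value quoted in section 1 of the article.
LEGACY_DN = "/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USER"

IMCEA_PREFIX = "IMCEAEX-"

# Assumption (not stated on the page): letters, digits and "=" pass through
# encapsulation unchanged; everything else except "/" becomes +HH.
SAFE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789=")

_HEX_ESCAPE = re.compile(r"\+([0-9A-Fa-f]{2})")


@dataclass
class X500Address:
    organization: str
    org_unit: str
    common_names: List[str]  # usually ["RECIPIENTS", "<mailbox alias>"]


def parse_legacy_dn(dn: str) -> X500Address:
    """Split /O=.../OU=.../CN=.../CN=... into its components.

    Values are assumed not to contain "/" themselves (true for the
    Exchange-generated DNs shown on the page); a malformed component
    without "=" is rejected rather than silently skipped.
    """
    if not dn.startswith("/"):
        raise ValueError("not an X.500 directory name: %r" % dn)
    parts: Dict[str, List[str]] = {}
    for component in dn[1:].split("/"):
        key, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed component %r in %r" % (component, dn))
        parts.setdefault(key.upper(), []).append(value)
    return X500Address(
        organization=parts.get("O", [""])[0],
        org_unit=parts.get("OU", [""])[0],
        common_names=parts.get("CN", []),
    )


def shift_alnum(text: str, offset: int) -> str:
    """Shift each letter and each digit by `offset` positions (wrapping).

    shift_alnum("EXCHANGE12ROCKS", 1) gives the administrative group
    suffix; shift_alnum(..., -1) reverses it. Other characters are kept.
    """
    out = []
    for ch in text:
        if "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + offset) % 26 + ord("A")))
        elif "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + offset) % 26 + ord("a")))
        elif "0" <= ch <= "9":
            out.append(chr((ord(ch) - ord("0") + offset) % 10 + ord("0")))
        else:
            out.append(ch)
    return "".join(out)


def imcea_encapsulate(x500_dn: str, smtp_domain: str) -> str:
    """Wrap an X.500 DN as IMCEAEX-<encoded>@<domain> per the page's rules."""
    out = []
    for ch in x500_dn:
        if ch == "/":
            out.append("_")
        elif ch in SAFE_CHARS:
            out.append(ch)
        elif ord(ch) < 128:
            out.append("+%02X" % ord(ch))  # two-digit hex ASCII code, e.g. +20
        else:
            raise ValueError("only ASCII directory names are handled here")
    return IMCEA_PREFIX + "".join(out) + "@" + smtp_domain


def imcea_decapsulate(address: str) -> str:
    """Recover the X.500 DN from an IMCEAEX-...@domain address."""
    if not address.upper().startswith(IMCEA_PREFIX):
        raise ValueError("not an IMCEA encapsulated Exchange address: %r" % address)
    local_part, at, _domain = address.rpartition("@")
    if not at:
        raise ValueError("missing @domain in %r" % address)
    body = local_part[len(IMCEA_PREFIX):]
    # Restore "/" before expanding +HH escapes, so an escaped "_" (+5F) or
    # "/" (+2F) in the original value is not mistaken for a separator.
    body = body.replace("_", "/")
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), body)


def normalize_address(addr: str) -> str:
    """Return the underlying X.500 DN for X.500 or IMCEA addresses; pass others through."""
    if addr.startswith("/"):
        return addr
    if addr.upper().startswith(IMCEA_PREFIX):
        return imcea_decapsulate(addr)
    return addr  # ordinary SMTP address, nothing to unwrap


if __name__ == "__main__":
    encapsulated = imcea_encapsulate(LEGACY_DN, "domain.com")  # constructed sample
    print(encapsulated)
    mailbox = parse_legacy_dn(normalize_address(encapsulated))
    print("mailbox alias:", mailbox.common_names[-1])
    print("group suffix decodes to:", shift_alnum("FYDIBOHF23SPDLT", -1))
```

In a review workflow, `normalize_address` is the function to run over every sender and recipient field of the exported messages: it leaves ordinary SMTP addresses alone and reduces both address forms on this page to the same legacyExchangeDN, after which the final CN can be matched against the custodian list. Note that the SMTP domain on an IMCEA address is discarded during decapsulation for the reason the article gives: it is the encapsulating domain, not necessarily the domain the original address belonged to.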