Strange Exchange E-mail Addresses in e-Discovery

By Arman Gungor, May 18, 2012

If you are involved in the production or review of electronic evidence, you might have seen e-mail addresses that look a bit different than usual. For example:

/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USERNAME

Have you ever wondered what these values are? The two scenarios we run into most frequently are as follows:

1) LegacyExchangeDN & X.500 Addresses

In a Microsoft Exchange organization, internal e-mails are routed using X.500 addresses instead of SMTP addresses. The X.500 address of each mailbox is stored in the legacyExchangeDN attribute in Active Directory, which is set when the mailbox is created and includes the name of the Exchange Administrative Group to which the mailbox belongs. LegacyExchangeDN values typically look as follows:

/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=USER

/O: Organization Name
/OU: Organizational Unit
/CN: Common Name

Starting with Exchange 2007, user-defined Exchange Administrative Groups were replaced by a single administrative group called “Exchange Administrative Group (FYDIBOHF23SPDLT)”. The value “FYDIBOHF23SPDLT” is actually an encoded version of the string “EXCHANGE12ROCKS” with each character replaced with the letter that follows it in the alphabet (E->F, X->Y etc.).

When an e-mail that was sent within the Exchange organization is taken outside (e.g. for e-Discovery processing or digital forensic analysis), the SMTP e-mail address of the user (e.g. abc@cde.com) can no longer be resolved, and the only available address is the legacyExchangeDN value. In this scenario, the e-Discovery processing output may look similar to the example image in Figure 1.


Figure 1 – E-mail with X.500 Addresses

2) IMCEA Encapsulation and Exchange E-mail Addresses

Another common scenario is IMCEA encapsulated addresses. The sender and recipient addresses for each message are looked up in the Global Address List (GAL) before the message is sent. If the SMTP addresses cannot be resolved (e.g. they are hidden from the GAL), the look-up fails and Exchange is forced to encapsulate the only address available (the X.500 directory name) using Internet Mail Connector Encapsulated Addressing (IMCEA). Addresses encapsulated in this manner would look as follows:

IMCEAEX-_O=EXAMPLE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP_CN=RECIPIENTS_CN=CUASUENA@domain.com

The string “EX” at the end of “IMCEAEX” indicates that the encapsulated non-SMTP address was an Exchange address. The encapsulation process replaces each forward slash “/” with an underscore “_” and each other character that is not permitted in an SMTP address with a plus sign “+” followed by its two-digit hexadecimal ASCII code (e.g. +20 for the space character).

In this scenario, the e-Discovery processing output may look similar to the example image in Figure 2. Please note that “domain.com” represents the SMTP domain that is used to encapsulate the non-SMTP address, which may not be the same domain where the original address belonged.
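The following Python script is an added worked example covering both scenarios above; it is not code from the original article. It splits a legacyExchangeDN into its /O, /OU and /CN components, reverses the one-letter shift that hides “EXCHANGE12ROCKS” inside “FYDIBOHF23SPDLT”, and converts between an X.500 directory name and its IMCEA-encapsulated form. The sample addresses are constructed for illustration. The set of characters passed through unescaped during encapsulation (letters, digits, “=”, “-” and “.”) is an assumption consistent with the examples on this page, not a rule taken from Exchange documentation; a reviewer validating real data should compare the decoded and re-encoded values rather than trust the encoder alone.

```python
import re
import string

# Constructed sample values (the administrative group name is the fixed one
# that Exchange 2007 and later use; the rest is made up for this example).
SAMPLE_DN = ("/O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)"
             "/CN=RECIPIENTS/CN=USER")
SAMPLE_IMCEA = ("IMCEAEX-_O=EXAMPLE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20"
                "+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=USER@domain.com")

# Assumption: these characters survive encapsulation unescaped; everything
# else except "/" becomes "+XX" (two-digit hex ASCII code).
_PASSTHROUGH = set(string.ascii_letters + string.digits + "=-.")
_IMCEA_LOCAL = re.compile(r"^IMCEA([A-Za-z0-9]+)-(.*)$")


def parse_legacy_dn(dn):
    """Split an X.500 legacyExchangeDN into ordered (type, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("legacyExchangeDN must start with '/'")
    pairs = []
    for rdn in dn[1:].split("/"):
        key, sep, value = rdn.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed component: {rdn!r}")
        pairs.append((key.upper(), value))
    return pairs


def decode_admin_group_token(token):
    """Shift each letter and digit back one place (F->E, Y->X, 3->2)."""
    out = []
    for ch in token:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base - 1) % 26))
        elif ch.isdigit():
            out.append(str((int(ch) - 1) % 10))
        else:
            out.append(ch)
    return "".join(out)


def imcea_encode(x500_dn, smtp_domain, addr_type="EX"):
    """Encapsulate a non-SMTP address as IMCEA<type>-<encoded>@<domain>."""
    out = []
    for ch in x500_dn:
        if ch == "/":
            out.append("_")
        elif ch in _PASSTHROUGH:
            out.append(ch)
        elif ord(ch) < 0x80:
            out.append(f"+{ord(ch):02X}")
        else:
            raise ValueError(f"non-ASCII character cannot be IMCEA-encoded: {ch!r}")
    return f"IMCEA{addr_type}-{''.join(out)}@{smtp_domain}"


def imcea_decode(address):
    """Recover (address_type, x500_dn, smtp_domain) from an IMCEA address."""
    local, sep, domain = address.rpartition("@")
    if not sep:
        raise ValueError("IMCEA address has no @domain part")
    match = _IMCEA_LOCAL.match(local)
    if not match:
        raise ValueError("not an IMCEA-encapsulated address")
    addr_type, body = match.group(1).upper(), match.group(2)
    # Restore slashes first, then expand +XX escapes, so an escaped "+5F"
    # (a literal underscore in the original name) is not turned into "/".
    restored = body.replace("_", "/")
    restored = re.sub(r"\+([0-9A-Fa-f]{2})",
                      lambda m: chr(int(m.group(1), 16)), restored)
    return addr_type, restored, domain


def classify_address(address):
    """Label an address as it would appear in processed e-mail metadata."""
    if address.startswith("/"):
        return "x500"
    if _IMCEA_LOCAL.match(address.rpartition("@")[0]):
        return "imcea"
    return "smtp"


if __name__ == "__main__":
    for key, value in parse_legacy_dn(SAMPLE_DN):
        print(f"{key:>3} = {value}")
    print(decode_admin_group_token("FYDIBOHF23SPDLT"))
    print(imcea_encode(SAMPLE_DN, "domain.com"))
    print(imcea_decode(SAMPLE_IMCEA))
```

Running the script prints the four DN components, the decoded group name, the encapsulated form of the sample DN and the round-tripped tuple. When reconciling custodians across a production, decoding IMCEA addresses back to the DN and matching the final /CN value against the legacyExchangeDN attribute exported from Active Directory is usually more reliable than matching on the encapsulating “domain.com”, which, as noted above, need not be the user's real domain.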


Figure 2 – E-mail with IMCEA Encapsulated Addresses

Arman Gungor

About Arman Gungor

Arman Gungor is a certified computer forensic examiner (CCE) and an adept e-Discovery expert with over 21 years of computer and technology experience. Arman has been appointed by courts as a neutral computer forensics expert as well as a neutral e-Discovery consultant. His electrical engineering background gives him a deep understanding of how computer systems are designed and how they work.