Thursday, 28 April 2016

ESEDB & ESE Transaction Log Files - A Prominent Strand

Introduction

ESEDB stands for “Extensible Storage Engine (ESE) Database”, or EDB. It is a database file created by Exchange Server to store complete information such as mail messages, attachments, etc. The database has a single client-server architecture and makes use of ESE. All communication handled by Exchange Server in an organization is stored in the Exchange Database File (EDB). The data in these files is accessed by the Extensible Storage Engine (ESE), which in turn provides the data to Exchange Server. The ESE and the database file combine to form a client-server application.

The MIME type of an EDB file is unspecified, and the file signature is the hexadecimal value ef cd ab 89 (at offset 4).
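A header triage check built on that signature, as an added example that is not part of the original post. It goes beyond the signature: the field offsets for format version, file type and database state, and their value tables, are assumptions taken from the public ESE format documentation (libesedb project), and the sample header is constructed.

```python
import struct

ESE_SIGNATURE = bytes.fromhex("efcdab89")  # signature from this page, at offset 4

# Assumption: layout and value tables below follow the public ESE format
# documentation (libesedb project); they are not stated on this page.
FILE_TYPES = {0: "database", 1: "streaming file"}
DB_STATES = {1: "just created", 2: "dirty shutdown", 3: "clean shutdown",
             4: "being converted", 5: "force detach"}


def triage_ese_header(data: bytes) -> dict:
    """Return basic facts about an ESE file from its first 56 bytes."""
    if len(data) < 56:
        raise ValueError("too short to hold an ESE header")
    if data[4:8] != ESE_SIGNATURE:
        raise ValueError("ESE signature ef cd ab 89 not found at offset 4")
    (checksum,) = struct.unpack_from("<I", data, 0)
    version, file_type = struct.unpack_from("<II", data, 8)
    (state,) = struct.unpack_from("<I", data, 52)
    return {
        "stored_checksum": checksum,  # read only, not verified here
        "format_version": hex(version),
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "state": DB_STATES.get(state, f"unknown ({state})"),
        # A dirty shutdown means committed changes may still sit in the logs.
        "needs_log_replay": state == 2,
    }


def build_sample_header(state: int) -> bytes:
    """Constructed 56-byte header for the demo; not taken from a real EDB."""
    hdr = bytearray(56)
    hdr[4:8] = ESE_SIGNATURE
    struct.pack_into("<II", hdr, 8, 0x620, 0)  # format version, type = database
    struct.pack_into("<I", hdr, 52, state)
    return bytes(hdr)


if __name__ == "__main__":
    for label, state in (("clean", 3), ("dirty", 2)):
        print(label, triage_ese_header(build_sample_header(state)))
```

On a real evidence file, pass the first 56 bytes read from a read-only copy of the EDB.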

Structurally, an ESEDB file is organized as a B-tree, a data structure that is further divided into pages. It allows sorting of data, sequential access, and deletion, and eases the data searching procedure.

Exchange Server 2010 Default ESEDB Location

1.) C:\Program Files\Microsoft\Exchange Server\V14\Mailbox Database\Mailbox Database.edb
2.) C:\Program Files\Microsoft\Exchange Server\V14\Public Folder Database\Public Folder Database.edb

    EDB JET Technology

    Microsoft uses JET (Joint Engine Technology). There are two types of JET available:

    1.) JET Red: It supports a single-user database and is not suitable for multi-purpose access. This technology is generally used in Microsoft Access.
    2.) JET Blue: It supports multiple users and is thus commonly used in Exchange Server.

    ESE is also termed JET Blue and is usually used to store and retrieve data in a database through sequential and indexed access, also known as the Indexed Sequential Access Method (ISAM).

    ESEDB Data Store and Files

    Microsoft in Server 2000 version and was used to store streaming files (STM) like videos, audio, images, and other multimedia messages. These are generally used in databases.

    The EDB files are written as the following different files:

    1.) Priv.edb: These files are generally used to store the personal information of the user.
    2.) Pub.edb: These files are used to store shared information in the user’s mailbox.
    3.) STM (Exchange Streaming Media files): These are generally used to store attachments, videos, audio, images, and other multimedia messages.

    When you install the server, two data stores exist: a Mailbox Store and a Public Data Store. The former consists of the private files priv.edb and priv.stm, while the latter consists of the public files, which are stored in pub.edb and pub.stm. This file was excluded from the 2003 version onwards, and the following files were used as a replacement:

    1.) .edb - These are used to access the data of the mailbox.
    2.) .log - These store details of the modifications and operations performed on the database. When the transactions are committed, they are stored into the .edb. They are useful during interruptions.
    3.) .chk - These check whether data has been saved to the database on the hard disk or not.

    ESE Transaction Log Files

    ESE transactions are one of the important features of Exchange Server. They are records of the background operations performed on a database. Since the client cannot query the database directly, transactions such as manipulating, reading, or writing data are performed by the server.

    Every ESE transaction must end with a COMMIT operation. If a transaction is interrupted, the commit does not take place and the modifications are not made to the database. No changes are made directly to the database; instead, Exchange Server writes changes to the transaction logs, and they are later applied to the database.

    The ESE transaction log is highly useful during disaster recovery or after a database crash: when the database stops, Exchange scans the log files to reconstruct the database. This process is known as replaying log files. When an ESE transaction log file fills completely and reaches a limit of 5 MB, a new transaction log file is created automatically with a sequential number used as a prefix (like E00, E01, E02...).
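The commit and replay behaviour described above, as an added example that is not part of the original post. It is a simplified model, not ESE's on-disk record format: the record tuples, the integer log generations, the `checkpoint` parameter standing in for the .chk file, and all names are hypothetical, and the sample data is constructed.

```python
def replay_logs(database, logs, checkpoint):
    """Replay log generations from `checkpoint` onward into a copy of `database`.

    logs maps generation -> list of (txn_id, op, key, value), op being
    "write" or "commit". Returns (state, uncommitted_txns, missing_generation).
    """
    state = dict(database)
    pending = {}                       # txn id -> writes buffered until COMMIT
    gen = checkpoint
    while gen in logs:                 # generations must be contiguous
        for txn, op, key, value in logs[gen]:
            if op == "write":
                pending.setdefault(txn, []).append((key, value))
            elif op == "commit":
                state.update(pending.pop(txn, []))
        gen += 1
    # A later generation on disk with an earlier one absent is a gap:
    # replay stops there and nothing after the gap is applied.
    gap = gen if any(g > gen for g in logs) else None
    return state, sorted(pending), gap


# Constructed sample: generation 1 is already in the database (checkpoint = 2).
SAMPLE_DB = {"msg:1": "hello"}
SAMPLE_LOGS = {
    1: [("t1", "write", "msg:1", "hello"), ("t1", "commit", None, None)],
    2: [("t2", "write", "msg:2", "report"), ("t3", "write", "msg:3", "draft")],
    3: [("t2", "commit", None, None)],      # t3 was interrupted, never commits
}

if __name__ == "__main__":
    print(replay_logs(SAMPLE_DB, SAMPLE_LOGS, checkpoint=2))
    # Same logs with generation 3 missing and a later generation 4 present.
    broken = {2: SAMPLE_LOGS[2], 4: [("t3", "commit", None, None)]}
    print(replay_logs(SAMPLE_DB, broken, checkpoint=2))
```

For an examiner, the second case is the one to watch for: a missing log in the middle of the sequence means later committed changes never reach the database.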

    Reasons Behind Corruption of ESEDB Files

    1) If you do not shut down your system properly, you can indirectly cause corruption of the EDB file.
    2) Improper termination of these files can also cause corruption in them, and you may never be able to open the file.
    3) Failure of the hard drive may also cause the EDB file to crash.
    4) Virus attacks can cause corruption of your files.
    5) If database objects are missing, or if storage is low, the chances of failure become high.

    Software to View ESEDB Files

    You can turn to third-party software available on the market that can solve your problem by providing access to your database despite corruption. One such software is Exchange Mailbox Reader, which has simplified user needs as well as the challenges faced in the field of forensics. It is highly beneficial to scan the Exchange database instead of mailboxes. It may help with recovery in case any part of the file is found to be corrupted.
    One approach to finding forensically significant data is to collect all the EDB files and make use of the following features:

    1) Scan, recover & view corrupt EDB
    2) Open and View EDB Files
    3) Scan Corrupt file and recover EDB
    4) Dual File Recovery Modes
    5) Preview Items with preview pane
    6) Search items within EDB files
    7) Options to apply Mail Filter
    8) Export Selective Items as PDF
    9) Multiple File Naming Options
