312-49 Question #540: Real Exam Question with Answer & Explanation
The correct answer is A: PRIV.STM.
Question
Adam, a forensic investigator, is investigating an attack on Microsoft Exchange Server of a large organization. As the first step of the investigation, he examined the PRIV.EDB file and found the source from where the mail originated and the name of the file that disappeared upon execution. Now, he wants to examine the MIME stream content. Which of the following files is he going to examine?
Options
- A. PRIV.STM
- B. gwcheck.db
- C. PRIV.EDB
- D. PUB.EDB
Explanation
In Microsoft Exchange Server, the private mailbox store consists of two paired files: PRIV.EDB and PRIV.STM. PRIV.EDB is a JET database that stores MAPI-formatted message properties and metadata (headers, sender, subject, etc.). PRIV.STM (Streaming Media file) stores the raw MIME stream content — the actual internet-formatted message bodies and attachments. Since Adam already examined PRIV.EDB to identify the mail source and filename, examining PRIV.STM is the logical next step to analyze the MIME body content. PUB.EDB and gwcheck.db relate to public folders and GroupWise, respectively.