In recent incident response investigations Northwave has encountered an increasing number of companies that use Office 365 as their e-mail environment. From a company’s point of view, Office 365 brings great improvements for end users, including ease of maintenance, high availability and collaboration. From the perspective of a forensic investigator, however, cloud services such as Office 365 have their challenges when it comes to acquiring contents.
An obvious place to look for e-mail contents is the Microsoft eDiscovery portal within Office 365. The eDiscovery portal offers an easy-to-use frontend for performing search queries within Office 365 environments. Although this suits most cases, there are some drawbacks, such as licensing requirements, limited search query adaptability and the lead time of some search queries.
As an alternative to Microsoft eDiscovery, Northwave has developed a simple, low-level toolset to acquire contents from Office 365 in a targeted way. By speaking directly to the Office365 API, the toolset is able to acquire specific e-mail contents using pre/post-filtering. The toolset allows Office365 contents to be collected in an efficient way and can be easily adapted to new use cases.
In this blog post we introduce the toolset by showing its building blocks and by explaining its use in Office 365 investigations. We start by showing how to prepare the toolset for acquisition by setting up an App Registration in Office 365. After that, we show how the toolset can be used by looking at different examples with varying options.
Office 365 API
The toolset developed by Northwave is programmed in Python and uses the Python Office 365 library python-o365, which provides communication with the Microsoft Graph API and the (now deprecated) Office 365 REST API. In order to use the APIs within Office 365 for content acquisition, a custom App Registration must first be set up within the Office 365 Azure Active Directory. These App Registrations allow a third-party application (in this case the acquisition toolset) to communicate with the Office 365 API.
Setting up an App Registration
First of all, we need to enter the Azure Active Directory portal in order to create our custom App Registration. The App Registration section can be found directly within the main menu.
New App Registrations can be given an arbitrary name and are identified by a Tenant ID and a Client ID (shown below). At creation, a Client Secret (not shown below) is generated for the App Registration and is used for authentication.
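As an added illustration (not the Northwave toolset's own code, and not python-o365's), the following shows how the Tenant ID, Client ID and Client Secret of the App Registration map onto the OAuth2 client-credentials token request that a Graph client performs, how a server-side pre-filter (`$filter`) for the Graph messages endpoint is built, and how a client-side post-filter is applied to the returned records. The mailbox, sender and message records are constructed sample values; no network call is made, the functions only build the requests and filter data.

```python
import re

GRAPH = "https://graph.microsoft.com/v1.0"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials token request against the Microsoft identity platform (v2.0).

    tenant_id, client_id and client_secret are the values from the App Registration."""
    return {
        "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        "data": {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            # .default requests the application permissions granted to the registration
            "scope": "https://graph.microsoft.com/.default",
        },
    }


def messages_request(mailbox: str, since: str, sender: str = "") -> dict:
    """Pre-filter: build the messages request for one mailbox with an OData $filter,
    so that only messages after `since` (ISO 8601 UTC) and, optionally, from `sender`
    are returned by the server. Single quotes inside OData string literals are doubled."""
    clauses = [f"receivedDateTime ge {since}"]
    if sender:
        clauses.append(f"from/emailAddress/address eq '{sender.replace(chr(39), chr(39) * 2)}'")
    return {
        "url": f"{GRAPH}/users/{mailbox}/messages",
        "params": {
            "$filter": " and ".join(clauses),
            "$select": "id,subject,from,receivedDateTime,hasAttachments",
            "$top": "50",
        },
    }


def post_filter(messages: list, pattern: str) -> list:
    """Post-filter: keep records whose subject or sender address matches `pattern`
    (case-insensitive regex). Records are in the JSON shape Graph returns for messages."""
    rx = re.compile(pattern, re.IGNORECASE)
    kept = []
    for m in messages:
        sender = m.get("from", {}).get("emailAddress", {}).get("address", "")
        if rx.search(m.get("subject", "")) or rx.search(sender):
            kept.append(m)
    return kept


# Constructed sample records (not real data) in the shape of the Graph messages endpoint.
SAMPLE = [
    {"id": "1", "subject": "Invoice 2231 overdue", "receivedDateTime": "2020-03-02T08:00:00Z",
     "from": {"emailAddress": {"address": "billing@example.com"}}},
    {"id": "2", "subject": "Lunch?", "receivedDateTime": "2020-03-02T09:00:00Z",
     "from": {"emailAddress": {"address": "colleague@example.com"}}},
]
```

The `url`/`data` pair of `token_request` is what is POSTed to obtain a bearer token, and `url`/`params` of `messages_request` is what is GETted with that token; python-o365 performs both steps for you once it is given the same three values.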