When investigating Microsoft Exchange Server, which files should an incident handler primarily focus on?


An incident handler investigating Microsoft Exchange Server should focus primarily on the .edb and .stm database files, because these files hold the primary databases that store email messages, calendar entries, contacts, and other vital user data.

The .edb file serves as the primary database file for the Exchange Server, which includes all the mailbox information and is essential for understanding the contents and the state of user mailboxes. The .stm file is used in conjunction with the .edb file to store streaming content, such as attachments and larger items, which are not suitable for direct storage in the .edb file due to size constraints.

Analyzing these files provides insights into user activities, email transactions, and any anomalies that may indicate malicious activity or incidents. This focus allows incident handlers to effectively reconstruct events leading up to and following an incident, making these files integral to the investigation process.
