Mailbox Collection from Office 365

 jm25
(@jm25)
Posts: 29
Eminent Member
Topic starter
 

Does anyone have a recommended strategy for conducting a forensic copy of data maintained in an Office 365 Exchange environment? We have the admin user name and password but, ideally, would not like to have to get each individual user's account details.

The company does not have the In-place eDiscovery & hold module activated with their current license.

Any recommendations would be welcome.

 
Posted : 22/09/2014 7:20 pm
(@kbertens)
Posts: 88
Trusted Member
 

I know F-Response has Office 365 support, but to be honest I have never tried it. Maybe have a look at it and let us know how it worked.

 
Posted : 23/09/2014 1:19 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

Uncanny timing as I'm just attempting one now.

Intella has the ability to directly import via IMAP from Office365 (and others); however, there are timeout issues that are not resolved yet, as the online hosts appear not to like these lengthy connection times to download the mail. In addition, some hosts have daily size limits on what can be collected.

The simplest way appears to be via Outlook, using this to sync with Office365; you can then export to PST from Outlook and index in your tool of choice.

I did have some issues getting Outlook to work with Office365 but there are instructions via the Office365 Options section on how to get it working with Outlook.

At the moment Outlook doesn't appear to completely export all the emails so I'm on my second try to see if I can get a complete export this time.

There is also an app from Message Ops that claims to do the job. I haven't used it before but will consider buying it if I have no joy with my current method.

Edit: Just remembered I have an F-Response license… will try that now.

 
Posted : 23/09/2014 1:23 pm
(@redfish76)
Posts: 1
New Member
 

I would try Aid4Mail: http://www.aid4mail.com
I have used it before to pull down Office365 accounts. You can pull into multiple formats (PST, MBOX, etc). It is very easy to use and works quite well.

 
Posted : 23/09/2014 9:08 pm
KungFuAction
(@kungfuaction)
Posts: 109
Estimable Member
 

There is a 'Litigation Hold' option in the Office365 Exchange settings under Administration. Hit that first.

 
Posted : 03/10/2014 9:31 pm
(@cults14)
Posts: 367
Reputable Member
 

I have a feeling that Discovery Attender for Exchange (DAE), from Sherpa Software, may be able to retrieve emails in a defensible manner i.e. audit trail - if that serves as forensic collection?

I use DAE often - but we have no Office 365 ergo can't directly answer the question

HTH

Cheers

 
Posted : 07/10/2014 7:09 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

Let's not confuse forensics and e-Discovery.

It's like apples and salmonella poisoning.

 
Posted : 07/10/2014 10:44 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

> Let's not confuse forensics and e-Discovery.
>
> It's like apples and salmonella poisoning.

You talk of it like it was an airborne disease 😯.

jaclaz

 
Posted : 08/10/2014 12:36 am
(@cults14)
Posts: 367
Reputable Member
 

Isn't there an element of forensics in eDiscovery? i.e. preservation of material in a manner that's defensible in court?

Sure, sometimes in preservation or examination we might not be able to preserve absolutely everything in its original state, but if we document what we've done and can accurately describe any changes that may have been made - or anything that may have been missed - then we're in reasonable shape?

Cheers

 
Posted : 08/10/2014 1:06 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

The main difference is that eDiscovery is really document (including email) based whereas Forensics includes operating system artifacts, file system artifacts, etc.

Data for eDiscovery should be collected in a forensically defensible way. You collect all metadata with the document. What may not happen in eDiscovery is data carving, or examination of non-documentary evidence. You generally don't have to do full hard drive imaging unless you think your custodian was hiding the ball.

Frankly, there's no difference to the requirements to collect cloud email between forensics and eDiscovery. In both cases, you're not getting access to the raw source data since you're not walking into their data center, so you're relying on a solution like MAPI or some vendor-exposed interface instead.

 
Posted : 08/10/2014 7:03 pm
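
An added example, not part of any post in this thread and not taken from any of the tools named: one way to document a mailbox export so that what was collected, and what may have been missed, can be described afterwards. The sample messages, the per-folder source counts and the function name `build_manifest` are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import Counter
from email import message_from_bytes

# Constructed sample export: (folder, raw RFC 5322 bytes). Not real data.
SAMPLE_EXPORT = [
    ("Inbox", b"Message-ID: <a1@example.test>\r\nDate: Mon, 22 Sep 2014 19:20:00 +0000\r\n"
              b"From: alice@example.test\r\nSubject: Q3 figures\r\n\r\nSee attached.\r\n"),
    ("Inbox", b"Message-ID: <a2@example.test>\r\nDate: Tue, 23 Sep 2014 13:19:00 +0000\r\n"
              b"From: bob@example.test\r\nSubject: Re: Q3 figures\r\n\r\nThanks.\r\n"),
    ("Sent Items", b"Message-ID: <a3@example.test>\r\nDate: Tue, 23 Sep 2014 13:23:00 +0000\r\n"
                   b"From: alice@example.test\r\nSubject: Draft\r\n\r\nv2\r\n"),
]
# Constructed per-folder item counts, assumed to have been noted from the
# source mailbox by the examiner before the export started.
SAMPLE_SOURCE_COUNTS = {"Inbox": 3, "Sent Items": 1, "Deleted Items": 2}


def build_manifest(export, source_counts):
    """Hash every exported message and reconcile folder counts with the source."""
    items = []
    for folder, raw in export:
        msg = message_from_bytes(raw)  # headers only read, bytes never rewritten
        items.append({
            "folder": folder,
            "message_id": msg["Message-ID"],
            "date": msg["Date"],
            "size": len(raw),
            "sha256": hashlib.sha256(raw).hexdigest(),  # hash of bytes as exported
        })
    exported = Counter(item["folder"] for item in items)
    mismatches = {
        folder: {"source": expected, "exported": exported.get(folder, 0)}
        for folder, expected in source_counts.items()
        if exported.get(folder, 0) != expected
    }
    unexpected = sorted(set(exported) - set(source_counts))
    return {"items": items, "count_mismatches": mismatches, "unexpected_folders": unexpected}


if __name__ == "__main__":
    print(json.dumps(build_manifest(SAMPLE_EXPORT, SAMPLE_SOURCE_COUNTS), indent=2))
```

With the constructed data, the manifest flags Inbox (3 at source, 2 exported) and Deleted Items (2 at source, 0 exported), which is the kind of incomplete export described earlier in the thread.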