Working with mounted EDB archives

Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

I'm just wondering if anyone here has recent experience working on a mounted EDB archive?

I have had a couple of jobs in the past working on Exchange servers but I've been able to unmount the EDB then use Systools exchange recovery to pull out the mail boxes I need, or use Exmerge in some cases.

I have a couple jobs that look likely in the not too distant future and I strongly suspect they will be on newer Exchange versions and unmounting the EDB may not be an option (although I will push for this as the fastest and best solution).

Any thoughts on ways to extract mailboxes from a mounted EDB archive?

 
Posted : 04/04/2013 8:08 am
(@chrism)
Posts: 97
Trusted Member
 

I believe you have two options

- Take an image of the exchange database live (not shut-down) and apply the transaction logs post-acquisition to bring the 'dirty' database back into a clean status - you can use the 'eseutil' command for this. Make sure you image both the database files (.edb) and the transaction logs; they are usually located on two different disks for performance reasons. You can then parse the database using X-Ways, FTK or my favourite "Kernel for Exchange Server". Kernel will even parse dirty .edb databases :)

- Take the data live. I've used the "Export-Mailbox" cmdlet in the Exchange Management Shell before with good results. You can get more information in regards to this approach here:
http://technet.microsoft.com/en-gb/library/bb266964(v=exchg.80).aspx

Watch out in regards to Exchange 2010, I believe they have significantly changed the file structure of the .edb database with this release so all of the forensics tools are now starting to catch up. I believe the latest Paraben's Network Email Examiner tool and the latest X-Ways support the new format.

Although there are other approaches these are the two I've done before in the past.

 
Posted : 04/04/2013 5:22 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Thanks Chrism, just looking at the Technet article you linked to but it seems to suggest that this command only exports from one mail box to another rather than exporting the selected mailboxes direct to a .PST (although in the section referring to dumpster files it does allude to a .PST). Have you used this method to export mail boxes direct to .PST?

With regards to imaging the dirty EDB I have Systools Exchange Recovery which I believe will parse the EDB in that state as well (not tested yet), I may see if my IT guy will let me test on our server first. There may also be privacy concerns with me imaging the entire EDB archive, but I can probably talk them around if I need to.

 
Posted : 05/04/2013 5:28 am
(@chrism)
Posts: 97
Trusted Member
 

Hi Adam,

I've used the cmdlet to export to a PST. You can see some examples here:
http://technet.microsoft.com/en-us/library/cc535123.aspx

One of the examples is:

Export-Mailbox -Identity john@contoso.com -PSTFolderPath C:\PSTFiles\john.pst

You can also use it to filter on date ranges and to conduct keyword searches on-the-fly (have not tested this function yet) by using:

Export-Mailbox -Identity john@contoso.com -PSTFolderPath D:\PSTs -StartDate 1/1/07 -EndDate 12/1/07 -SubjectKeywords 'review' -ContentKeywords 'project','alpha'

 
Posted : 05/04/2013 4:16 pm
Adam10541
(@adam10541)
Posts: 550
Honorable Member
Topic starter
 

Thanks chrism that's precisely what I needed.

I think I'd rather just export the mbox to PST then let forensic tools do the keyword searches, I have more confidence in them than MS for that process :)

 
Posted : 09/04/2013 5:37 am
(@chrism)
Posts: 97
Trusted Member
 

I would do the same thing! It would be quite interesting to do a like-for-like comparison to see what method is more effective.

 
Posted : 09/04/2013 3:10 pm
isth
(@isth)
Posts: 65
Trusted Member
 

Be sure that the account you're using to run the exchange cmdlet has administrative access to the share you are exporting the PSTs to, else it won't work.

 
Posted : 09/04/2013 9:20 pm
(@cults14)
Posts: 367
Reputable Member
 

I use export-mailbox all the time to do just what you describe e.g. export all mail from specific accounts within specific dates and then do searches thereafter.

Export-mailbox grabs anything in Dumpster by default (which I love), although it doesn't give you the low-down on WHEN items were Emptied from Deleted Items (or hard deleted from the original folder).
I usually try and have a look at the suspect mailbox in Outlook (documented of course) and have a look at what's sitting in Recover Deleted Items for each folder; if there's mass deleting around what may be significant dates I take screen-shots of the whole lot (time-consuming, but useful).

One thing to be aware of, make sure that the account you use to run Exchange Powershell has sufficient access to the target Exchange account(s) - Domain Admin by default DOESN'T have sufficient access.

One other thing, if you have to export from multiple accounts, you can run Powershell scripts which refer to a CSV file which contains the names of all the accounts you need, saves hanging around to wait till one export is finished before you start the next one.

HTH

 
Posted : 15/04/2013 8:14 pm
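The CSV-driven batch export cults14 describes, written out as an added example (this is not code from the thread or from Microsoft). It assumes the Exchange 2007 Management Shell running on PowerShell 2.0 (on a 32-bit box with Outlook installed, per the thread), a CSV with a column named "Identity", and the placeholder paths in the script; it also writes its own run log so each export is recorded for the case notes.

```powershell
# Added example: batch Export-Mailbox from a CSV of accounts (Exchange 2007).
# Placeholder paths below; adjust for your case.
$csvPath = 'C:\Cases\mailboxes.csv'            # column "Identity"
$pstRoot = '\\forensics01\exports\case-0001'   # export share
$logPath = 'C:\Cases\case-0001-export-log.csv' # our own run log

# Build the date bounds with an explicit format so the range does not
# depend on the locale of the workstation running the shell.
$culture   = [System.Globalization.CultureInfo]::InvariantCulture
$startDate = [datetime]::ParseExact('2013-01-01', 'yyyy-MM-dd', $culture)
$endDate   = [datetime]::ParseExact('2013-03-31', 'yyyy-MM-dd', $culture)

$results = Import-Csv -Path $csvPath | ForEach-Object {
    $identity = $_.Identity.Trim()
    # One PST per mailbox, named after the identity and date range so the
    # output is self-describing when it reaches the examiner.
    $safeName = $identity -replace '[^A-Za-z0-9@._-]', '_'
    $pstFile  = Join-Path $pstRoot ('{0}_{1:yyyyMMdd}-{2:yyyyMMdd}.pst' -f $safeName, $startDate, $endDate)
    $started  = Get-Date
    try {
        # Export-Mailbox runs synchronously; -Confirm:$false suppresses the
        # per-mailbox prompt. Dumpster items are included by default.
        Export-Mailbox -Identity $identity -PSTFolderPath $pstFile `
            -StartDate $startDate -EndDate $endDate `
            -BadItemLimit 0 -Confirm:$false -ErrorAction Stop | Out-Null
        $status = 'OK'
    } catch {
        $status = 'FAILED: ' + $_.Exception.Message
    }
    # Record who exported what, and when, for the case notes.
    New-Object PSObject -Property @{
        Identity = $identity; PstFile = $pstFile; Started = $started
        Finished = Get-Date; RunAs = "$env:USERDOMAIN\$env:USERNAME"; Status = $status
    }
}
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Format-Table Identity, Status, PstFile -AutoSize
```

A failed export is logged rather than aborting the batch, so one locked or missing mailbox does not stop the remaining accounts.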
(@jonathan)
Posts: 878
Prominent Member
 

Agree with above re Export-Mailbox command for the Exchange Shell; it's very handy. With regard to sufficient admin rights this TechNet entry http://technet.microsoft.com/en-us/library/dd285510(v=exchg.80).aspx states that your user account must have the following:

- Exchange Server Administrator role for the source server and the target server
- Local Administrators group for the source server and the target server
- Full access to the source mailbox and the target mailbox

Plus… if you're extracting from Exchange 2007 the Exchange Shell must be run from a computer/virtual machine with Outlook 2003 SP1 or above, plus, and get this, the computer/VM must be running 32-bit Windows. No 32-bit limitation with Exchange 2010 or 2013 though.

 
Posted : 05/08/2013 4:31 pm
(@cults14)
Posts: 367
Reputable Member
 

Thought I'd report some initial feedback having played with Exchange Management Shell for Exchange 2010 in the last week or so.

1. Commands are different - so Export-Mailbox becomes New-MailboxExportRequest, the -identity parameter becomes -Mailbox, and -pstfolderpath becomes -Filepath (and you specify the filename for the PST whereas you didn't before).
2. You MUST give the account "Exchange Trusted Subsystem" full access to the network share where you want to save your PSTs. Otherwise it won't work.
3. In our corporate environment, log files don't seem to be saved anywhere obvious. They should be somewhere in C:\Program Files\Microsoft\Exchange Server\V14\Logging - but there's no sign of them either on the local workstation where EMS is installed, or on the server.
4. You can get stats and progress on your request using Get-MailboxExportRequest and Get-MailboxExportRequestStatistics respectively. BUT in all tests so far, the request persists for a random period of time before falling off a cliff somewhere. e.g. run an export request overnight, and the request doesn't exist when you try to Get it. Which, in the absence of logs, is a nightmare for compliance and auditing.
5. End-dates and start-dates are causing me all kinds of problems. We're global, so date formats naturally are an issue. However it seems on all tests, and I'm not alone.

I have a meeting with our Exchange Architect later this week, will try to get back with some good news.

Meantime, these links may help:
http://technet.microsoft.com/en-us/library/bb124413(v=exchg.141).aspx
http://social.technet.microsoft.com/wiki/contents/articles/1823.exchange-2010-powershell-scripting-resources.aspx

And of course there's the new Litigation Hold feature which SHOULD be useful, see here:
http://www.msexchange.org/articles-tutorials/exchange-server-2010/compliance-policies-archiving/exchange-2010-litigation-hold-part1.html

Happy exporting!!

 
Posted : 07/08/2013 7:57 pm
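The Exchange 2010 equivalent of the batch export, as an added example (not from the thread or from Microsoft): it queues one named New-MailboxExportRequest per mailbox from a CSV, polls Get-MailboxExportRequestStatistics until every request has finished, and writes the statistics and report to its own audit file, which addresses the poster's points 3 and 4 about missing logs and requests that disappear. It assumes the Exchange 2010 SP1 (or later) Management Shell, that the running account holds the "Mailbox Import Export" management role, that "Exchange Trusted Subsystem" has full access to the share, and the placeholder paths and names in the script.

```powershell
# Added example: CSV-driven New-MailboxExportRequest batch with its own audit log.
$csvPath = 'C:\Cases\mailboxes.csv'                # column "Identity"
$share   = '\\forensics01\exports\case-0001'       # must be a UNC path
$logPath = 'C:\Cases\case-0001-export-audit.csv'   # our own record of each request
$caseTag = 'CASE0001'

# Date bounds for the ContentFilter. Confirm on a test mailbox that the server
# reads this format as intended before relying on it; date parsing is locale-sensitive.
$from   = (Get-Date -Year 2013 -Month 1 -Day 1).ToString('MM/dd/yyyy')
$to     = (Get-Date -Year 2013 -Month 3 -Day 31).ToString('MM/dd/yyyy')
$filter = "(Received -ge '$from') -and (Received -le '$to')"

# Queue one named request per mailbox; the name lets us find it again later.
$requests = Import-Csv -Path $csvPath | ForEach-Object {
    $id   = $_.Identity.Trim()
    $name = "$caseTag-" + ($id -replace '[^A-Za-z0-9]', '_')
    New-MailboxExportRequest -Mailbox $id -Name $name `
        -FilePath (Join-Path $share "$name.pst") `
        -ContentFilter $filter -BadItemLimit 0
}

# Poll until nothing is still queued or running, then snapshot statistics and
# the per-request report before Exchange removes the finished requests.
$terminal = '^(Completed|CompletedWithWarning|Failed|Suspended)$'
do {
    Start-Sleep -Seconds 60
    $stats   = $requests | Get-MailboxExportRequestStatistics -IncludeReport
    $pending = $stats | Where-Object { $_.Status -notmatch $terminal }
} while ($pending)

$stats |
    Select-Object Name, Status, ItemsTransferred, BytesTransferred,
        QueuedTimestamp, CompletionTimestamp,
        @{ n = 'Report'; e = { "$($_.Report)" } },
        @{ n = 'RunAs';  e = { "$env:USERDOMAIN\$env:USERNAME" } } |
    Export-Csv -Path $logPath -NoTypeInformation
$stats | Format-Table Name, Status, ItemsTransferred, PercentComplete -AutoSize
```

Suspended is treated as a terminal state here so the loop cannot wait forever on a request that needs attention; review any such row in the audit file before treating the export as complete.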