I am being tasked with acquiring a suspect's mailbox including deleted emails from the mailbox. The exchange server is 2007. Is there a way to acquire the deleted emails covertly without using the recover deleted items option in outlook? When using the recover deleted items option, the user will be alarmed that someone is in their mailbox.
I am being tasked with acquiring a suspect's mailbox including deleted emails from the mailbox. The exchange server is 2007. Is there a way to acquire the deleted emails covertly without using the recover deleted items option in outlook? When using the recover deleted items option, the user will be alarmed that someone is in their mailbox.
Use Exmerge at the server and export the guys mailbox to a PST file with deleted messages included.
(will require administrator access and rights to the guys mailbox)
Use F-Response in conjunction with Paraben's Network Email Examiner.
Restore from most recent back up and image/analyse at your leisure.
Paraben's P2 Shuttle Pro will also allow you to acquire a single mailbox, including deleted email, from an Exchange server without interruption of service to the Exchange server or the end user.
Sorry, know this is a bit late but I've been out of it for a couple of weeks.
Does ExMerge still work in Exchange 2007? You maybe have to use the Export-Mailbox commandlet from within Exchange PowerShell. There's a suggestion out there that the PS cmdlet doesn't support Dumpster, but someone somewhere must have protested from the roof-tops as I can verify that recent operations I’ve carried out did export Dumpster. I can't remember though whether it was clear in the target PST which items had come from Dumpster.
If you need to show that the items were in Dumpster AND when they were put there, I have a couple of suggestions. Firstly, add the target mailbox to an existing Outlook Profile, go through the Recover Deleted Items folder by folder and screen-shot the contents, ensuring that you have all columns showing all details. Is not pretty, but has worked for me in the past as it shows WHEN something was deleted. And then you run ExMerge or Export-Mailbox. User need never know
Second option, Discovery Attender for Exchange has the option to search in Dumpster and will export to all relevant {Recovered Items} (or similar, can't remember exactly wording). So search for all items between specific dates. Options for exporting CSV reports will list all locations so some simple Excel filtering and sorting can save a bunch of time depending on how complex the structure of the mailbox is. And the user need never know. Still doesn't give you WHEN the items were deleted though, which IMO can be pretty telling when added into a timeline of events
Do any of the other solutions suggested here (a) put deleted stuff into easily identifiable folders and/or (b) record when items were deleted?
HTH
Cheers
Does ExMerge still work in Exchange 2007?
It does but is restricted to 2GB per mailbox(PST).
Export-Mailbox seems to be the best solution these days.