Just wanting to get some thoughts on this and I know there is no definite answer until I actually do it, but I've been asked to image off an Exchange server and recover some deleted emails. This usually shouldn't be a problem until the client told me that the emails were deleted over 2 years ago by a then employee. I've yet to get more details about it but I'm thinking about the number of emails that would've come and gone since then and if there's anything left of it.
Thoughts??
Bluepep,
It doesn't sound too promising. 2 years ago is a long time and a corporate server isn't likely to be blessed with masses of spare hard disk space, so the chances of something else having overwritten the data are high.
A couple of things you might consider are whether there is any chance the firm retains long term tape backups. Also, is there any chance the workstation(s) used by the suspect could have contained an archive of his mail account?
Steve
Steve,
I was thinking exactly the same thing.
I've prepared a list of questions to send to the client which includes those that you have mentioned as well as questions to do with their current network setup.
I've been informed that the PC is no longer available so I'm hoping they may have had roaming profiles enabled (if on AD) so a copy of the PST may be on their domain server.
I guess ultimately, I may have to tell the client the bad news before I've even begun.
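The roaming-profile idea above comes down to a search of whatever profile or file-server share still exists for a copy of the user's PST. As an added example (not from the thread or any poster), the script below walks a directory tree and identifies Outlook data files by their header rather than by extension, since a renamed or extension-less PST is easy to miss. It relies on the documented PST header layout from the MS-PST specification: the file begins with the 4-byte magic `!BDN`, and the 16-bit `wVer` field at offset 10 distinguishes ANSI (14/15) from Unicode (23) and 4K-page Unicode (36) files. The sample directory it builds is constructed for the demonstration; the path names, the `find_mailbox_files` function and the `demo` helper are mine.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Header constants from the MS-PST specification (assumption: values as documented there).
PST_MAGIC = b"!BDN"                       # dwMagic, first 4 bytes of every PST/OST
PST_VERSIONS = {14: "ANSI", 15: "ANSI", 23: "Unicode", 36: "Unicode (4K pages)"}
WVER_OFFSET = 10                          # wVer sits after dwMagic, dwCRCPartial, wMagicClient


def read_pst_header(path):
    """Return the PST format name if the file carries a PST header, else None."""
    with open(path, "rb") as f:
        head = f.read(WVER_OFFSET + 2)
    if len(head) < WVER_OFFSET + 2 or head[:4] != PST_MAGIC:
        return None
    (wver,) = struct.unpack_from("<H", head, WVER_OFFSET)
    return PST_VERSIONS.get(wver, f"unknown wVer {wver}")


def find_mailbox_files(root):
    """Walk `root` and list every file whose header identifies it as a PST/OST.

    Each hit records the path, declared format, size and last-modified time (UTC),
    so the examiner can see at a glance whether a copy predates the deletion window.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                fmt = read_pst_header(p)
            except OSError:
                continue                  # unreadable file: skip rather than abort the sweep
            if fmt is None:
                continue
            st = p.stat()
            hits.append({
                "path": str(p),
                "format": fmt,
                "size": st.st_size,
                "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
            })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(root):
    """Create a constructed profile share with one genuine-looking PST and two decoys."""
    root = Path(root)
    # A minimal Unicode PST header: magic, zeroed CRC, client magic "SM", wVer = 23.
    real_header = PST_MAGIC + b"\x00\x00\x00\x00" + b"SM" + struct.pack("<H", 23)
    (root / "jsmith.V2" / "Local Settings" / "Application Data").mkdir(parents=True)
    (root / "jsmith.V2" / "Local Settings" / "Application Data" / "archive.bak").write_bytes(
        real_header + b"\x00" * 256)      # renamed PST: extension hides it, header does not
    (root / "jsmith.V2" / "notes.pst").write_bytes(b"this is not a pst")   # decoy by extension
    (root / "jsmith.V2" / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 32)
    return root


def demo():
    """Build the constructed tree in a temp directory and return what the sweep finds."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_mailbox_files(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['format']:<20} {hit['size']:>8} {hit['mtime']}  {hit['path']}")
```

Matching on the header also catches OST files, which share the `!BDN` magic; on a real share the modification time is the first thing to compare against the alleged deletion date, since a copy touched only before it is the one worth preserving and hashing.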
Just an observation: it is rather strange that you're being asked to look at this some 2 years after the event. Regarding the emails - how does the company know that they existed & were deleted? If they know the emails existed - then is it not possible that someone else may still have a copy of these emails in their own personal archives? Do they have any proof that the emails in question actually did exist?
Something not quite right about this, perhaps someone is trying to show 'due diligence' by calling in an investigator long after the fact? Maybe I've just had too much coffee already 😉
Good Luck.
Your most viable option may be from backup tapes. I would ask for all the information about the backups/archives.
Inquire about software upgrades as well. SAs often perform Level 0 dumps prior to any major application fixes.
Also, check for the possibility of backup hard drive [hot swap] configurations. SAs are known to hide things like this for CYA events. Especially Exchange administrators. Nothing can be as devastating as losing a corporate Exchange server data store. I've known SAs to create monthly hot swap drives of mailbox stores.