
Exchange Server - Deleting targeted emails only

4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

Hello all

I was posed this question a couple of days ago - have spent a lot of time trying to find a decent answer. So far no dice :(

Scenario
- Company uses MS Exchange 2003 with Outlook 2003 or 2007 clients.
- Company needs to identify emails that meet certain keywords given by their legal team. (this can be achieved with DTSearch).
- Once the emails have been identified, they want the IT guy to delete those emails from the corresponding user's Exchange database.

The IT guy is planning on accessing each user's email account and doing a search for those responsive emails and then doing a double-delete or a permanent delete on them.

I have a feeling that the number of emails I find is going to be HUGE.

Is there a way to do this without making that poor sap log into each user's email account to delete those emails? I know ExMerge has some capability of deleting certain emails - from what I read it is probably more time consuming than what the IT guy wants to do.

Thanx in advance for any and all suggestions.
Have a good weekend :)
-=Art=-


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

The only issue I have with complete automation on something like that is quality checks. Conversely you are then relying on a human not to mess up.

Plus any program I can think of is for forensics and specifically designed NOT to be able to do what you want!

You might have to find a coder that can write some sort of script to be able to parse the EDB file(s) and extract and remove those messages.

Also, what about the client OST and PST files?


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

Thanx Douglas. It's not so much of a "forensic" job as it is a "due diligence" thing. The legal team wants to make sure that there are no documents with certain terms from a previous project left over on anyone's emails.

You're right - absent a tried and true method, they will either be relying on the IT person or a new code.

-=A=-


   
(@forensicakb)
Reputable Member
Joined: 16 years ago
Posts: 316
 

I don't know that there would be a shortcut or easy way to do this. I sure wouldn't rely on any code, as previous jobs like this tend to be to the point of needing all remnants of a word or phrase gone and then an affidavit signed stating that they are gone and how they were removed.

Might just be a weekender and have to go box by box.

What about if someone exported an email out to another folder or did something like a print email with pdf995 or another program which prints to Adobe? That file will be floating around. I've had that happen. Ended up they just had the drives all imaged and then each instance found was noted and the root of that was found and deleted, then a wipe of file/slack space, and a re-image to look for the remnants.

Lots of work, but if the client wants it in a specific manner then fire away.


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

Forensicakb, Thanx. We have imaged the user computers and are looking through them too. The legal team is not so much concerned about UA space as they are of active files. We will be deleting files from those computers as well. As it stands, there is no legal request from any side - the company is just doing a good-faith procedure of tracking down the files.

I was hoping there was some method where the IT guy would not have to individually delete each email. It looks like that is going to be the case - c'est la vie.

Appreciate the input folks!

-=Art=-


   
(@patrick4n6)
Honorable Member
Joined: 16 years ago
Posts: 650
 

So what about the backups? Considering that email servers are often classified Tier 1 on the DR scale, it's extremely likely that there's backup for an Exchange server.


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

Exactly the kind of thing I do regularly using Sherpa Software's Discovery Attender for Exchange (DAE)
* Point DAE at the mailboxes
* Give it the search terms
* Run the search (not indexed, so not quick, best to have the machine running the search on the same LAN as the target) including Dumpster
* Check results for False Positives and mark as Ignore
* Delete all the True Positives in one fell swoop
* Document by exporting to CSV:
  - List of all searches carried out
  - List of Mailboxes searched and summary of results and errors per Mailbox
  - Full list of matches and status (Ignored, Deleted)
* Also capture the full Search Criteria screen - includes date/time created/started/finished, machine name carrying out the search, logged-on user

If you really want to you can point DAE at filestores (including servers and PCs/laptops) and run the same search but replace Mailboxes with Drives/Folders. You might want to restrict filetypes to msg/eml/rtf etc. And can find and search in PSTs as well.

The only places I can think you'll miss out are (a) non-text files (e.g. if someone's scanned or photo'd the original doc) and (b) unallocated space.

Solution to (a) is to do manual search for (e.g.) *.PDF and manually review, (b) I don't have a quick and easy solution. Software's not free - but not expensive in the grand scheme of things, and I use it for a bunch of other things e.g. search a mailbox or PST and extract all email addresses to give to the people who are asking, see if they recognise any names for re-use in targeted searches.

100% forensically sound? Prob not. But satisfied opposing counsel in multi-£M suit. If someone's determined to be evasive then they'll probably succeed. But the Company did due diligence i.e. showed good faith by developing processes and investing in software and people.

My 2p-worth, HTH


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

Thanx Tony. We've thought of that. They do not have a long retention period. The tapes they currently have will be given to Corporate Counsel. Once they get to the point where those tapes would go back into rotation, they will be destroyed instead of being reused.

Any requests for recovery from tape will be vetted on a case-by-case basis.

Appreciate the heads-up though.

-=Art=-

So what about the backups? Considering that email servers are often classified Tier 1 on the DR scale, it's extremely likely that there's backup for an Exchange server.


   
4n6art
(@4n6art)
Reputable Member
Joined: 18 years ago
Posts: 208
Topic starter  

@CULTS

Thanx for the info. This one is well on its way - luckily it was not as much work for the IT guy as everyone thought.

The DAE software sounds interesting. Went to their site but could not find any pricing information. Will scrounge around some more.

-=A=-


   
(@seanmcl)
Honorable Member
Joined: 19 years ago
Posts: 700
 

To Cults14's recommendations I would add compressing the database. Without that, deleting the messages on most versions of Exchange would simply remove the pointer to the message leaving it in the database. This is the basis for firms offering e-mail recovery services.

Same goes for archive files. After you delete them, compress them.

If you REALLY wanted to be thorough, delete the e-mails from Exchange, then export the mailboxes and import into a new instance of Exchange. Of course, that is bound to be a money maker for someone.

Of course, after three decades in the business, Microsoft is starting to get serious about privacy, so the newest versions of Exchange might actually overwrite the deleted messages, but I can't be sure and I wouldn't rely on it.


   
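The point in the last post (a delete only drops the pointer, and compaction is what removes the bytes) can be checked at the raw-file level. This is an added example, not part of any post in the thread: it uses SQLite as a stand-in store rather than Exchange's own database format, and the marker string, table and file names are constructed.

```python
import os
import sqlite3
import tempfile

MARKER = b"PROJECT-ORCHID term sheet"  # constructed keyword, not from the thread


def raw_hit(path, needle=MARKER):
    """True if the needle is still present anywhere in the raw file bytes."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def run_demo():
    """Return (after_insert, after_delete, after_compaction) raw-byte hits."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "store.db")
    con = sqlite3.connect(path)
    try:
        # Some builds overwrite freed cells by default; turn that off so the
        # store behaves like the "remove the pointer only" case in the post.
        con.execute("PRAGMA secure_delete = OFF")
        con.execute(
            "CREATE TABLE msg (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)"
        )
        rows = [(i, "status %d" % i, "routine update %d" % i) for i in range(1, 6)]
        rows.append((6, "fwd: draft", MARKER.decode()))
        con.executemany("INSERT INTO msg VALUES (?, ?, ?)", rows)
        con.commit()
        after_insert = raw_hit(path)

        con.execute("DELETE FROM msg WHERE id = 6")
        con.commit()
        # The application-level view no longer shows the message...
        visible = con.execute(
            "SELECT COUNT(*) FROM msg WHERE body LIKE '%ORCHID%'"
        ).fetchone()[0]
        assert visible == 0
        after_delete = raw_hit(path)  # ...but the bytes are still in the file

        con.execute("VACUUM")  # rebuild the file from live rows only
        after_compaction = raw_hit(path)
    finally:
        con.close()
    return after_insert, after_delete, after_compaction
```

The same raw-byte keyword check, run against the store before and after compaction, gives a documented result to attach to the deletion record.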