I have looked and tried to find a good tool that I can point at a live exchange server and collect by custodian by date/keyword to PST files. I read a couple threads here that says Paraben NEMX can do it, but I just heard directly from Paraben that they don't support live exchange collections. Their reply.
"NEMX will not be able to access a live Exchange server. The problem is the data will corrupt as it is processed and accessed live. Unfortunately you are limited to only be able to look at the Exchange files when the server is not being accessed."
What out there will support this type of targeted collection?
Thanks,
Please checkout
Aid4Mail (http//
Forensic version is US $299,00.
Also, you could use a fresh install of Thunderbird configured to download a copy (leaving the original email intact on the Exchange server).
Thunderbird downloads email as an MBOX file I believe.
One downloaded, you could work with a copy of the MBOX file or convert the MBOX file to PST format using Aid4Mail or Emailchemy Forensic (http//
Some options/thoughts
* Collect an OST file from custodial workstations.
* Identify and collect PST file archives created by the custodians (from workstations/personal Home directories/DVD archives).
Preaching to the choir I am sure, but one does not want to export large numbers of PST files from a live Exchange environment at one time, lest one bog down the whole system and incur the wrath of all the other employees.
So, perhaps your client has a recently created Exchange Database File (EDB) that can be restored from archive for you to collect using FTK Imager, for example.
Then you could use Nemex or other tools to convert the EDB file into custodial PST files.
Other considerations
People change names over time such as through marriage and divorce, so please make sure to confirm that you are identifiying and collecting all associated email boxes for a given custodian; for example, you may need to collect both jsmith@abccorp.com PLUS jsmith-johnson@abccorp.com (single email account and married email account).
Regards,
Larry
We have a copy of Aid4Mail eDiscovery edition, but it can't process EDB files. Can the forensic edition be pointed at EDB files?
I love Aid4Mail, and just wish I could point it at an EDB file instead of having to get PSTs. That's essentially what I'm looking for, an Aid4Mail type tool that can process EDB files.
The other solutions that you've presented is essentially what we're doing, but we have many clients who don't want us going from custodian computer to custodian computer, want us to leave the custodians and their workstations alone and just go for the exchange server. I had not thought to essentially create my own "custodial workstation" though with Thunderbird or Outlook though, that may be an option if there isn't a tool like Aid4Mail that can do the keyword and date filters directly on an EDB file.
You could always use the tools built into Exchange
or
Exchange Server 2016 -