
remove certain emails from PST files

(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

Hi Guys,

I am currently researching solutions that will allow my client to search PST files on remote computers and remove certain emails from the PST files (I do not want to delete the whole PST file).

I am open to your suggestions

I have looked at Paraben Network Email Examiner so far, but I do not think it allows you to remove emails in a PST file.

Please advise


   
Passmark
(@passmark)
Reputable Member
Joined: 14 years ago
Posts: 376
 

By 'remove' do you mean extract,
or do you mean delete from the index (e.g. hide it),
or delete beyond recovery (e.g. delete and re-compact the entire PST file, or overwrite it).


   
(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

> By 'remove' do you mean extract,
> or do you mean delete from the index (e.g. hide it),
> or delete beyond recovery (e.g. delete and re-compact the entire PST file, or overwrite it).

Delete beyond recovery but have the PST remain intact.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

I couldn't see any forensic tool having that sort of functionality as they are generally read only to stop just that type of thing from being done.

Personally I'd be highly suspicious of anyone who wanted to selectively delete emails from within an archive, screams of doing something very dishonest and I wouldn't touch it with a 10 foot pole.

Of course that is just my opinion but if a client asked me to do this regardless of whether I could or not my answer would be that I couldn't, thank you for contacting me and have a nice day. I would then make sure never to do any work for that client again. Protect myself and my business' reputation and integrity.


   
(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

The user is aware of the activity, no issues doing this. The process is to get rid of data that is highly sensitive.


   
Adam10541
(@adam10541)
Honorable Member
Joined: 13 years ago
Posts: 550
 

As I said, just my opinion, and who knows what may happen in the future; some regulatory body may come looking and you have to explain how you helped delete these "sensitive emails"… but I know I wouldn't be involved. I was a police officer too long and my suspicions are just too deeply ingrained to ignore now.

But back on topic, I'm not aware of any software that can do what you want. The only method I can think of would be to copy the PST archives out, open them with NUIX or Intella or select the emails you want to keep, then use NUIX or Intella to create a new PST archive. Delete the originals and replace them with the newly sanitized archive.

I'm not even sure that would work as my experience with creating PST archives with these tools has not always been successful and they have a nasty habit of splitting the PST archives. Plus that would leave a nice big obvious trail that the archives had been tampered with.

Good luck.


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

This can be a legitimate requirement. We have had to remove items from file systems, mailboxes and PSTs for valid reasons; either we didn't want certain information in our systems (3rd party intellectual property), or we were removing OUR intellectual property from a company we were selling off but who were retaining hardware.

We use Discovery Attender for Exchange, which is relatively cheap and allows you to move/copy/delete any messages/files which meet your search criteria.

Of course (a) the target PST has to be not in use, (b) you have to be able to either map to the remote drive or specify it as part of a path e.g. \\192.168.1.1\C$, and (c) you have to have the required level of access to the drive and the file. All of which assumes that the user(s) have an appropriate version of Windows to connect to.

If you're trying to do this covertly, you likely need some story-telling to get the user to get out of his email.

HTH


   
(@eyez0n)
Eminent Member
Joined: 18 years ago
Posts: 29
 

As Cults14 stated, this can be a legitimate requirement in both the civil and criminal arena (at least here in the US). When serving subpoenas (or even executing search warrants) on firms, there are often claims of attorney-client privilege, attorney work product, or data outside of the scope of the warrant commingled with the data to be seized. This is especially common with email and shared network resources in the corporate environment.

In the case of email, there is often a need to review the contents of .pst's for taint or privilege prior to producing it to the investigating officer/agent. Anything that is identified as privileged then may need to be redacted or removed.

There are several e-Discovery tools in the market that facilitate this process but they are pretty pricey. The suggestion of mounting the .pst, removing the "offending" emails, and then rebuilding a new .pst is an inexpensive method of meeting the requirements.


   
(@taurean25)
Trusted Member
Joined: 15 years ago
Posts: 62
Topic starter  

> As Cults14 stated, this can be a legitimate requirement in both the civil and criminal arena (at least here in the US). When serving subpoenas (or even executing search warrants) on firms, there are often claims of attorney-client privilege, attorney work product, or data outside of the scope of the warrant commingled with the data to be seized. This is especially common with email and shared network resources in the corporate environment.
>
> In the case of email, there is often a need to review the contents of .pst's for taint or privilege prior to producing it to the investigating officer/agent. Anything that is identified as privileged then may need to be redacted or removed.
>
> There are several e-Discovery tools in the market that facilitate this process but they are pretty pricey. The suggestion of mounting the .pst, removing the "offending" emails, and then rebuilding a new .pst is an inexpensive method of meeting the requirements.

Hi Guys,

I appreciate all the responses. I am aware of the methods described by Cults, I think you guys are missing what I mentioned. The users are aware of the technicians going in and deleting highly sensitive emails from the Exchange and PST files, they have no issue with this. This process is part of the procedure set out by the client.

My only concern is that we have a method to mount PSTs remotely and delete particular emails without disturbing the user from his or her duties.

We currently use the method Cults described but it does not work too well due to the distance of the user, size of PST, password protection, or possible corruption.


   
(@cults14)
Reputable Member
Joined: 17 years ago
Posts: 367
 

OK, sorry to have missed out what should have been part of my response. On our initial exercise some 6 years ago we suffered the same problems with users with PSTs pushing 8GB in remote offices in USA (we're in UK). We ended up installing our software (Discovery Attender for Exchange, aka DAE) on a PC in the same office and running it via RDP. So the limiting speed factor for search was LAN and not WAN.

In terms of the other problems you mention
* Size of pst - is this a concern because it takes so long to search/load? Or because of possible corruption?
* Password protection - if the users are aware, they're going to help out with this aren't they?
* Possible corruption - not sure there's much you can do short of using something like scanpst.exe

Are the PSTs in use? If so, IMO PSTs themselves appear to be the limiting factor. Size possibly (depending on Unicode or otherwise) and definitely the fact that if a PST is in use no other applications are going to be able to access it concurrently. If the users are aware of the exercise, surely they can co-operate by Closing the PST then Closing Outlook and going back in to Outlook again?

We still go through this exercise every year, meaning (a) we search computers for PSTs (b) document the location of all PSTs (helps users and us locate and add them back in later) (c) liaise with the users to either find a time when they can be completely out of Outlook or at least not have the PST(s) open (d) do the search (e) MOVE any matches to a quarantine area (f) notify any affected user of what's been moved (g) help them add the PSTs back in to Outlook (h) after (usually) 4 weeks we delete anything which hasn't been "reclaimed" by the users.

VERY occasionally we've copied a PST, deleted stuff, then copied it back over the original.

I suspect though that you're looking for a miracle cure where none exists, I especially get the feeling that the PSTs in question are the main/sole repository for remote email users who are not on a network. In which case Remote Control (Webex or similar) is another option we took, even installing and uninstalling DAE on an ad hoc basis on the remote PCs.

Any help?


   
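Steps (a) and (b) of the yearly exercise described in the last post, with a before/after hash so that any change to a PST is on record, as an added example that is not part of the thread or of any tool named in it. It assumes the PSTs are reachable as ordinary files under one root directory; the function names and the sample files are constructed for illustration, and the ANSI/Unicode split is read from the `wVer` header field defined in Microsoft's [MS-PST] specification.

```python
import hashlib, os, struct, tempfile

PST_MAGIC = b"!BDN"  # dwMagic: first four bytes of a PST header ([MS-PST])

def pst_format(path):
    """Classify by header: 'ANSI', 'Unicode', 'unknown', or None (not a PST)."""
    with open(path, "rb") as f:
        hdr = f.read(12)
    if len(hdr) < 12 or hdr[:4] != PST_MAGIC:
        return None  # renamed, truncated or corrupt file: flag for manual review
    (w_ver,) = struct.unpack_from("<H", hdr, 10)  # wVer, little-endian, offset 10
    return "ANSI" if w_ver in (14, 15) else "Unicode" if w_ver >= 23 else "unknown"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):  # stream: PSTs can be GBs
            h.update(block)
    return h.hexdigest()

def inventory(root):
    """One record per *.pst under root: relative path, size, format, hash."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".pst"):
                p = os.path.join(dirpath, name)
                rows.append({"path": os.path.relpath(p, root), "size": os.path.getsize(p),
                             "format": pst_format(p), "sha256": sha256_file(p)})
    return sorted(rows, key=lambda r: r["path"])

def changed(before, after):
    """Paths whose hash differs from (or is absent in) the earlier inventory."""
    old = {r["path"]: r["sha256"] for r in before}
    return [r["path"] for r in after if old.get(r["path"]) != r["sha256"]]

def make_sample(root):
    """Constructed test data: minimal fake headers, not real mail stores."""
    hdr = lambda ver: PST_MAGIC + b"\0" * 4 + b"SM" + struct.pack("<H", ver) + b"\0" * 500
    os.makedirs(os.path.join(root, "alice"))
    for name, data in [("alice/old.pst", hdr(14)), ("new.pst", hdr(23)),
                       ("broken.pst", b"not a pst")]:
        with open(os.path.join(root, *name.split("/")), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        make_sample(d)
        print(*inventory(d), sep="\n")
```

Run `inventory` before the search and again afterwards; `changed` then lists exactly which archives were modified, which is the record to keep alongside the quarantine and user notifications.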