Are Mailboxes Enough?



Similar documents
E-Discovery for Backup Tapes. How Technology Is Easing the Burden

Recovering Microsoft Office SharePoint Server Data. Granular search and recovery means time and cost savings.

NightOwlDiscovery. EnCase Enterprise/ ediscovery Strategic Consulting Services

The Microsoft Large Mailbox Vision

Recovering Microsoft Office SharePoint Server Data

How To Restore From A Backup In Sharepoint

Solving.PST Management Problems in Microsoft Exchange Environments

Recovering Microsoft Exchange Server Data

ARCHIVING. What it is, what it isn t, and how it can improve your business operations

A Guide to PST Files How Managing PSTs Will Benefit Your Business

The Disconnect Between Legal and IT Teams

Exchange Mailbox Protection Whitepaper

WHITE PAPER ONTRACK POWERCONTROLS. Recovering Microsoft Exchange Server Data

Understanding Archiving and ediscovery in Exchange 2013

The evolution of data archiving

A White Paper. Archiving Implementation. Five Costly Mistakes to Avoid. By Bob Spurzem. May Mimosa Systems, Inc.

Document Storage Tips: Inside the Vault

Data Sheet: Archiving Symantec Enterprise Vault for Microsoft Exchange Store, Manage, and Discover Critical Business Information

ILM et Archivage Les solutions IBM

ARCHIVING FOR EXCHANGE 2013

Management in Today s Regulatory Environment

Archiving: Common Myths and Misconceptions

Enhancing Microsoft Exchange & Office 365 Archiving, Retention, and Discovery with Netmail

Planning a Backup Strategy

Eradicating PST Files from Your Network

10 Steps to Establishing an Effective Retention Policy

Waiting to Upgrade: Understanding Archiving and ediscovery Limitations in Exchange by Michael Noel and Rick Wilson

10 Reasons Why Enterprises Select Symantec.cloud for Archiving

Symantec Enterprise Vault and Symantec Enterprise Vault.cloud

State of Michigan Records Management Services. Frequently Asked Questions About E mail Retention

10 Point Plan to Eliminate PST Files

EXCHANGE TO OFFICE 365

Version: Page 1 of 5

Archiving and The Federal Rules of Civil Procedure: Understanding the Issues

Symantec Enterprise Vault for Microsoft Exchange Server

Sean Byrne Head of ediscovery Solutions Michael Lappin Director of Archiving Technology

Archiving, Retrieval and Analysis The Key Issues

Veritas Enterprise Vault for Microsoft Exchange Server

Exchange Brick-level Backup and Restore

Director, Value Engineering

Symantec Enterprise Vault for Microsoft Exchange

Symantec Enterprise Vault for Microsoft Exchange

What Am I Looking At? Andy Kass

Mosaic Technology s IT Director s Series: Exchange Data Management: Why Tape, Disk, and Archiving Fall Short

Intelligent Information Management: Archive & ediscovery

Addressing Archiving and Discovery with Microsoft Exchange Server 2010

Data Sheet: Archiving Symantec Enterprise Vault Store, Manage, and Discover Critical Business Information

Solve your PST headaches with or without Archiving

How To Preserve Records In Mississippi

EnCase ediscovery. Automatically search, identify, collect, preserve, and process electronically stored information across the network.

Dell Recovery Manager for Exchange 5.6. Product Overview

Integrated archiving: streamlining compliance and discovery through content and business process management

Microsoft Exchange 2010 Archiving and the Value of Third-Party Solutions

White Paper. Lepide Software Pvt. Ltd.

Death to PST Files. The Hidden Costs of

ARCHIVING: A BUYER S CHECKLIST

Spambrella Archiving Service Guide Service Guide

Elements of a Good Document Retention Policy. Discovery Services WHITE PAPER

Data Sheet: Archiving Symantec Enterprise Vault for Microsoft Exchange Store, Manage, and Discover Critical Business Information

Symantec Enterprise Vault.cloud Overview

How To Recover From A Disaster In An Exchange 5.5 Server

Reduce Cost and Risk during Discovery E-DISCOVERY GLOSSARY

W H I T E P A P E R. Symantec Enterprise Vault and Exchange Server November 2011

The Inevitable Extinction of PSTs

ediscovery: The New Information Management Battleground Developments in the Law and Best Practices

Data Sheet: Archiving Symantec Enterprise Vault Discovery Accelerator Accelerate e-discovery and simplify review

WHITE PAPER. Archiving and Sharing with Doclook Reach Extension to Microsoft Outlook

68% Meet compliance needs with Microsoft Exchange. of companies send sensitive data via .

How To Write A Hit Report On A Lawsuit Against A Company

Lowering E-Discovery Costs Through Enterprise Records and Retention Management. An Oracle White Paper March 2007

Administration GUIDE. Exchange Database idataagent. Published On: 11/19/2013 V10 Service Pack 4A Page 1 of 233

MIGRATING YOUR EMC SOURCEONE ARCHIVE

Veritas Enterprise Vault.cloud for Microsoft Office 365

ediscovery Policies: Planned Protection Saves More than Money Anticipating and Mitigating the Costs of Litigation

Exchange Server 2010 & C2C ArchiveOne A Feature Comparison for Archiving

Archiving Compliance Storage Management Electronic Discovery

Transcription:

Forensically Sound Preservation and Processing of Exchange Databases Microsoft Exchange server is the communication hub for most organizations. Crucial email flows through this database continually, day and night; business agreements, negotiations, and conversations. User mailboxes are maintained within the Exchange server environment. As the system of record for email within most organizations, the Exchange server environment is at the core of most ediscovery activities. As such, the core of electronically stored information (ESI) collected to support litigation is typically email extracted from Exchange. This paper will provide an overview of the current process of ESI preservation and collection from Exchange servers, and propose a more forensically sound approach. ESI Collection Challenges Exchange server repositories, including Exchange databases (EDB s), STM s and log journals, are large and complex. The challenges in performing ESI collection from Exchange are well known. The first is the fact that Exchange is in constant use. For large organizations obtaining access to a live mail server is next to impossible, as most IT organizations protect it vigilantly. Shutting down the database or interrupting it in any way is typically out of the question. This would jeopardize delivery of critical email communication. Another challenge in dealing with Exchange repositories is the sheer size of the database. Most organizations have traditionally let user mailboxes grow quite large. The current trend is to implement email archives where older, important email is migrated for long term storage. However this is an emerging trend, and as a result users have older emails archived in their mailboxes on the server, and even local mailboxes on their desktop. An unconstrained user mailbox can easily grow to 10-15 GB. Each gigabyte contains approximately 10,000 emails. Multiply this volume by the number of users in the organization you quickly find that an EDB can contain millions or billions of objects. Finding specific emails and files in an Exchange repository requires the sorting and culling of these objects, a task that has traditionally been cost prohibitive. Additionally, Exchange repositories are not designed for streamlined ESI collection. They are a built to manage and protect email, not for easy access and discovery. User data is contained in mailboxes but can also be scattered across the database, according to typical user communication patterns. The user mailbox is simply a starting point. Other repositories, such as other user s mailboxes, deleted items folders, the Dumpster/Tombstone as well as the logs (or journals) also contain valuable information. No single location, mailbox or folder, will produce everything required as email is typically spread throughout the Exchange repository hidden away in various nooks and crannies. ESI Collection Today To understand the complexity of ESI collection from Exchange, we will review today s typical practices. Due to the complexity, size and inaccessibility of the live Exchange repository, the collection process is usually narrowed in scope to make it more manageable. A typical request for custodian data focuses on only the email residing in their mailbox folder. Tools exist that will extract these user mailboxes from either the live Exchange server or directly from the EDB (ripping it from the database). The most commonly used tool is ExMerge, which was designed to copy (or move) messages from an Exchange mailbox into an Outlook PST file. If a request is made for a dozen user mailboxes, ExMerge will extract these mailboxes from the server, and isolate all the content so that ESI discovery can begin. Using this approach you will no longer be dealing with thousands of users mailboxes, just those that were requested. The scope of collection has been significantly narrowed. ExMerge reduces the volume of data, simplifying the sorting and culling process significantly. But collection speed is still a concern. In real world scenarios ExMerge collects approximately 1 GB of email per hour. If there are 100 GBs of email to collect, this one step can take 4 days alone. Fortunately ExMerge collects from the live environment, so

the user community is only minimally impacted. To keep the process more manageable and auditable, typically each mailbox is collected separately. However, if the collection is time sensitive, this could mean the collection effort must be monitored 24 hours a day to get the job done. Another issue is that ExMerge was not designed for litigation preservation purposes and it has not been upgraded from its Exchange 2000 heritage. The majority of organizations have already moved away from Exchange 2000 and thus ExMerge s weaknesses are even more pronounced. Specifically, ExMerge can only create a PST file compatible with Outlook 2000. There are two limiting factors that must be explicitly considered each time this tool is used. First an Outlook 2000 PST is limited to 2GB. If a mailbox being collected is larger than 2 GB, then ExMerge will truncate the collection without any obvious indication that the collection was partial. By looking at the detailed logs, truncation can be identified, but review of these logs then becomes a crucial part of the email collection process. Given that many mailbox collections are self collected by the organizations IT staff, this attention to detail often does not take place. Additionally, the PST files ExMerge creates can only contain ANSI based emails. Unicode emails are corrupted during collection. As an event matures, legal teams may decide that Unicode is irrelevant to the matter at hand, but during the preservation stage, it is highly problematic to use a preservation tool that is known to corrupt an entire class of emails during the collection phase. An alternative approach to using ExMerge is working with recent backups of the Exchange server. Backups are performed by the IT organization on a regular basis. These backups are often stored on offline tapes and kept offsite for safe keeping. Getting access to these tapes is easier that getting access to the live mail server environment. Therefore many collection efforts are performed on data from backup tapes. The added challenge here is that traditionally the database must be restored back online before tools which extract mailboxes directly from EDBs can be deployed. This process reintroduces the issue of scale and complexity. However, when collection is mandated by the courts this approach has been the widely accepted practice. The majority of ESI collection from EDB s is performed by specialists; service providers that leverage tools such as ExMerge, or similar utilities such as Ontrack s PowerControls, to get the job done. This work is time consuming and expensive. Separating the custodian mailboxes from an EDB is no easy task; however it is performed more and more frequently due to new regulations that are attacking the undue burden argument for ESI collection. A sample of recent ESI case law can be found at: http://www.indexengines.com/case_law.htm Are Mailboxes Enough? Does ESI collection focused on user mailboxes preserve everything that is required? Will searching only those mailboxes find everything that the courts may eventually request? If a user is acting covertly they might not leave critical evidence in their mailbox. They might be smart enough to remove it or even hide it. In that case collection that is narrow in focus will not be enough to ensure all appropriate ESI is preserved. There is an alternate approach to preserving and searching email that exists outside the limited scope of a user s mailbox. The most obvious location of objects that are no longer in the user s mailbox is deleted email. When a user deletes an email it temporarily resides in the user s deleted items folder. This folder is typically set to purge after a short period of time. After this period the email then moves to the Exchange dumpster. The dumpster is an independent component from the user s mailbox. The email will live in the dumpster for a set number of days and is then purged. Therefore any email that a user deletes could be accessible in their deleted items folder for a short period of time. Then it would move outside their mailbox, and outside their control, to the dumpster and thus not included in the custodian s mailbox. Therefore, ESI collection that is focused on user mailboxes would not see any content residing in the dumpster.

Another alternate source of valuable email information is the Exchange Server transaction logs. These can be quite convoluted because they often have internal references to the specific EDB for which transactions are logged. By carefully parsing a full EDB and the subsequent log files it is possible to recreate all the emails that came in or out of the Exchange Server. Simple collection and preservation of Mailboxes via ExMerge or a tool that parses just the EDB will always miss this important secondary source of emails. Most importantly, the user has no ability to influence the content of the Exchange server logs. Thus, in an environment where the user is somehow bypassing the dumpster, the logs will still contain many of the emails. Other valuable content that would not be captured in user mailboxes are email communications with other users. For example, user A, who is under investigation, initiates an email string that is relevant to the case at hand. The email was sent to user B, who is not under investigation. User A then deletes the email, and purges it from their deleted folder, and also over time it will be deleted from the dumpster. So from the perspective of user A s mailbox, the email no longer exists. However, the email could still reside in user B s mailbox if they did not delete it. When user A s mailbox is collected the smoking gun email will be left behind even though it exists in the mail server. This scenario is common in the world of Exchange and it exposes an additional major flaw in the use of custodian mailboxes for collection, preservation, and searching purposes. Forensic Images of EDB s A more forensically sound collection process is available when dealing with Exchange. It is possible with a Microsoft Windows 2003 or 2008 server to capture an exact, bit for bit, point-in-time snapshot of the content of the full Exchange Repository including the EDB, STM and all logs/journals. This coherent copy can be created with negligible downtime to the organization s users. Obtaining this forensically sound point-in-time snapshot of an Exchange server repository is easier than you think. Microsoft has provided IT departments using a Windows server 2003 or later with tools for backing up Exchange servers. The backup process makes a bit for bit copy of the entire Exchange repository including all user mailboxes as well as the dumpster. Asking IT for a backup or a snapshot of an Exchange repository is often much less of a burden than requesting permission to get access to the live server for the extraction of a user mailbox. Generating a snapshot takes only a few minutes, and once it is created, the Exchange server can be returned to normal operation. Using the snapshot the collection process can occur in the background, without any further impact on the live Exchange environment. After the collection from the snapshot is complete, the snapshot can be deleted. In fact IT may already have thousands of point in time snapshots available - contained in a company s backup tapes. IT may have thousands of tapes stored offsite that contain bit for bit images of the Exchange Repository on the date of the backup. If a specific timeframe is in question you can most likely find a backup tape with an Exchange image within this date range. Once you have access to this backup tape you still have the challenge of finding the relevant email and content. Automated Collection from EDB Images Tools such as ExMerge are ripping tools that get you access to pre-defined chunks of data or mailboxes. New tools allow for complete scanning of EDB images on tape or disc. The scan produces a searchable index of all the content, even the dumpster. This technology sees even email that has been purged from the dumpster and not written over. These emails can then be reclaimed allowing discovery to go well beyond the dumpster. This detailed forensic approach delivers a far more comprehensive collection of ESI versus the limited approach provided by mailbox extraction. One may argue that those emails are inaccessible for production purposes, but the fact that technology exists to recover these emails means that the duty to preserve is in effect regardless of inaccessibility arguments.

New technology allows access to a fully indexed Exchange image for deeper discovery and a more cost effective approach. Not only are full user mailboxes searchable, but also complete conversations that may reside in other user s mailboxes and not with the custodian in question can be uncovered. Additionally the entire dumpster can be accessed and searched, making email available that was thought to be long gone. Case Study Norcross Group Norcross Group, a service provider and forensics specialist, has implemented Index Engines for ESI collection and discovery. Norcross has proven experience with this new approach for Exchange discovery. Prior to using Index Engines they went onsite to collect custodian mailboxes. This was a very invasive process, and typically took about one hour per GB of mailbox data collected. For example, a collection of six user mailboxes may require 12 hours or more of onsite time depending on the mailbox size. Using the approach discussed above Norcross Group is now able to reduce the time spent at their customer sites, and also benefits from a more comprehensive and legally defensible collection process. Norcross can now request a snapshot of an entire EDB. This can either be provided by the client by creating a standard full backup tape, or with Norcross Group's assistance in the snapshot creation and preservation process. Using this snapshot they can typically index the entire database in a few hours and then begin the discovery and culling process. This approach allows them to process more data, deliver more forensically sound results, and bypass all the limitations of ExMerge and the complexities of Exchange. Working with the full Exchange repository allows Norcross Group to not only perform more comprehensive collection, but also speed up processing times and thus reduce costs. What makes this possible is technology that has cracked the backup formats. Since backup software is used to generate the snapshot of the Exchange server on tape, getting inside this backup format or container is the key to making this scenario possible. Index Engines technology has achieved this task and can perform a scan of an Exchange image on tape or disc and make it searchable without restoring the data. Once the search is refined and finalized, individual email can then be extracted from mailboxes and dumpsters. This approach eliminates the constraint of the mailbox and performs a significantly more sound collection. In fact, using this new approach tends to find more relevant email versus traditional methods. Included in the results is content that is typically passed over including email that is truncated, restructured by virus software, corrupt or inconsistent. Since Index Engines performs a bit for bit scan of the EDB this corrupt email is processed and is discoverable. Using this technology nothing is ignored or left behind. Conclusion The challenges of collecting and searching email for litigation are many; disruption of live Exchange servers, tremendous volumes of email data, locating pertinent email through the communication stream, and collection tool limitations are just a few. Forensic experts working with new technology have implemented a new process to overcome these obstacles. By using backup tape or mail server snapshots as a forensically sound image of the Exchange server, the Norcross Group is able to employ Index Engines Tape Engine to quickly, efficiently and defensibly find all the data requested. The enterprise email server is not disrupted, and even the email residing in deleted folders, journals and dumpsters is indexed and searched. By moving away from tools never meant for ediscovery in the first place, these forensic experts have been able to provide their clients more effective, thorough and cost conscious support. About Index Engines The patent-pending Index Engines discovery platform is the only solution on the market to offer a complete view of electronic data assets. Online data is indexed in-stream at wire speed in native enterprise storage protocols, enabling high-speed, efficient indexing of proprietary backup and transfer formats. Index Engines unique approach

to offline records scans backup tapes, indexes the contents and extracts relevant data, eliminating the timeconsuming restoration process. Index Engines provides the only comprehensive discovery platform across both online and offline data, saving time and money when managing enterprise information. For more information on Index Engines, please visit http://www.indexengines.com. About Norcross Group Norcross Group provides a full range of electronic discovery services for litigation support and subpoena compliance, including complex digital forensics, all in accord with the recent Electronically Stored Information (ESI) amendment to the Federal Rules of Civil Procedure. The firm s deep knowledge of digital investigation and discovery helps organizations simplify and streamline the retrieval and retention of critical information, whether in paper or digital format, including misplaced, erased, or damaged data. For more information on the Norcross Group, please visit: http://www.norcrossgroup.com.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information