Reconstructing all of a user's mailbox data

I need to recover all email sent and received by two employees who recently deleted the entire contents of their mailboxes (before being fired). Since we want ALL of the messages sent/received, a particular backup won't do, since it would essentially provide a glimpse of what the mailbox looked like when the backup was run.

We do, however, have all the log files from the time the Exchange server was installed. Is there a way to reconstruct these users' Inboxes and Sent Items entries (even for things that were subsequently deleted) from the log files only?

This is a great question. There is a field called "e-discovery" (electronic discovery) that applies to the kind of investigation you are performing. I have been doing a lot of thinking and writing in this area of late, as pretty well any investigation these days is touching on email.

I'm not positive I understand which log files you are referring to (I am assuming you mean transaction log files), but that said, there is no feasible way to reconstruct a comprehensive view of all messages for these two employees. The only way you would have this information is if you had a compliance archive in place for the duration of these employees' tenures with your company, and if you had explicitly configured the compliance archive to bifurcate all messages sent/received by these mailboxes.

That said, I'll explain what I believe are the best steps, given the data you're working with. Essentially, you need to make sure you are addressing all email content from each of the following four "silos" of Exchange storage:

  1. Online data: Whatever is in their mailboxes and dumpsters today.

  2. Backup data: Whatever mailbox instances you have, for every generation of backup tape you possess that relate to the servers hosting these mailboxes.

    To manage these first two "silos," you may need to locate and recover mailbox instances for these two employees from all your daily, weekly, monthly and yearly tapes, spanning whatever number of months or years these employees worked for your company.

    This can be extremely costly and time-consuming, so you may want to look at third-party solutions on the market to assist in search-and-recovery, rather than building recovery servers corresponding to all these backups. Two solutions exist that I'm aware of, Quest Recovery Manager for Exchange (disclosure: I work for Quest Software) and Ontrack PowerControls.

    Numerous outsourcing companies also provide recovery services that you may wish to consider, depending on the priority of this content and the budget you have available.

    Silos two and three focus on stray data.

  3. PSTs: If you have access to any PSTs on the workstations these employees used, or on their network shares, search these as well.

  4. Offline data: Finally, if you're trying to be really thorough (which is my assumption), search computers and network shares associated with these accounts for .MSG files. You should also inspect any mobile devices (such as iPAQs, BlackBerrys, smartphones, etc.) that were used by these users to see if any additional messages exist that have gone under the radar.
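Added example (not part of the original answer): a sketch of the stray-data sweep for PST and .MSG files on a workstation or share, identifying files by content signature rather than extension and hashing each hit for the evidence record. The function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import os
import tempfile
PST_MAGIC = b"!BDN"                            # Outlook store header (PST; OST caches share it)
CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file, the container used by .MSG
MSG_MARK = "__substg1.0_".encode("utf-16-le")  # property stream name prefix found in .MSG files

def classify(path):
    """Identify a file as 'pst' or 'msg' from its content, ignoring the extension."""
    with open(path, "rb") as fh:
        head = fh.read(8)
        if head[:4] == PST_MAGIC:
            return "pst"
        # Legacy Office documents share the CFB header, so also require MSG stream names.
        if head == CFB_MAGIC and MSG_MARK in fh.read():
            return "msg"
    return None

def sha256_of(path):
    """Hash in 1 MiB chunks so multi-gigabyte PSTs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def inventory(root):
    """Walk root and return sorted (relative path, kind, sha256) for each mail artifact."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            try:
                kind = classify(path)
                if kind:
                    found.append((os.path.relpath(path, root), kind, sha256_of(path)))
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the sweep
    return sorted(found)

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed samples, not real mail data
        samples = {"archive.dat": PST_MAGIC + b"\0" * 60,          # PST renamed to .dat
                   "note.msg": CFB_MAGIC + b"\0" * 56 + MSG_MARK,  # MSG-like container
                   "report.doc": CFB_MAGIC + b"\0" * 56,           # compound file, not MSG
                   "fake.pst": b"plain text"}                      # extension only
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return inventory(root)
```

Point `inventory()` at a read-only mount of a disk image or share copy rather than the live volume, so the sweep does not alter access timestamps on the evidence.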

