We do, however, have all the log files from the time the Exchange server was installed. Is there a way to reconstruct these users' Inboxes and Sent Items entries (even for things that were subsequently deleted) from the log files only?
I'm not positive I understand which log files you are referring to (I am assuming you mean transaction log files), but that said, there is no feasible way to re-construct a comprehensive view of all messages for these two employees. The only way you would have this information is if you had a compliance archive in place for the duration of these employees' tenures with your company; and if you had explicitly configured the compliance archive to bifurcate all messages sent/received by these mailboxes.
That said, I'll explain what I believe are the best steps, given the data you're working with. Essentially, you need to make sure you are addressing all email content from each of the following four "silos" of Exchange storage:
- Online data: Whatever is in their mailboxes and dumpsters today.
- Backup data: Whatever mailbox instances you have, for every generation of backup tape you possess that relate to the servers hosting these mailboxes.
- To manage these first two "silos," you may need to locate and recover mailbox instances for these two employees from all your daily, weekly, monthly and yearly tapes, spanning whatever number of months or years these employees worked for your company.
This can be extremely costly and time-consuming, so you may want to look at third-party solutions on the market to assist in search-and-recovery, rather than building recovery servers corresponding to all these backups. Two solutions exist that I'm aware of, Quest Recovery Manager for Exchange (disclosure: I work for Quest Software) and Ontrack PowerControls.
Numerous outsourcing companies also provide recovery services that you may wish to consider, depending on the priority of this content and the budget you have available.
Silos two and three focus on stray data.
- PSTs: If you have access to any PSTs on the workstations these employees used, or on their network shares, search these as well.
- Offline data: Finally, if you're trying to be really thorough (which is my assumption), search computers and network shares associated with these accounts for .MSG files. You should also inspect any mobile devices (such as iPAQs, BlackBerrys, smartphones, etc.) that were used by these users to see if any additional messages exist that have gone under the radar.
Do you have comments on this Ask the Expert Q&A? Let us know.