Large-Scale Exchange Mailbox Collections

(@fasita)
Posts: 6
Active Member
Topic starter
 

Hello,

Looking for some thoughts from anyone who may have addressed this before. I'm working on a POC for a large corporation that uses Exchange and has about 70,000 mailboxes, probably across multiple Exchange servers.

We would be requested to export various mailboxes on a per-matter basis for preservation and possible production. What is the most efficient way to do this? I read elsewhere that mounting the .edb files locally using F-Response and then parsing/exporting with NEMX has worked in the past. Anyone have success going this route? Or have other suggestions as to how to accomplish this? Thanks!

 
Posted : 14/04/2015 8:00 pm
nightworker
(@nightworker)
Posts: 134
Estimable Member
 

I used Paraben Network Email Examiner to do this before; it is so good.
Or you can use mairix to index and export in Linux.

 
Posted : 14/04/2015 8:03 pm
(@dacorr)
Posts: 8
Active Member
 

This depends on money available and how mailboxes are set up, including the wider Exchange estate, for example what the retention is and whether it archives to a third-party solution.

If this is part of a disclosure (ediscovery) exercise and the request is targeting specific mailboxes I have encountered multiple issues in the past with this in that Exchange is not the best solution for indexing mailbox data and was prone to missing things. Exchange had an ediscovery module attachment that allowed a clone of the mailbox to be utilised but was still poor at indexing.

Also, if a solution was present to archive specific mailboxes, this would generate duplicates or STUBS pointing to the archived location, which made review problematic as they all had to be connected together again.

You would also need to identify what the dumpster retention is, and the tool will need to pull dumpster data for each mailbox.

I have also found that if Active Directory was in use and an account was deleted, it may not have actually deleted the mailbox object, so mail was present for deleted AD accounts.

You can use mailmerge to export mailboxes, but depending on the organisation, if the user has moved countries supported by different Exchange servers there may be multiple mailboxes in existence and you would need to check each one, which can be problematic if permissions are different on each server. Also, using mailmerge to export to PST can cause the file to become corrupt, or not every item could be exported due to forms or because the source email was encrypted.

Unless you utilised something like AccessData end to end and had agents, you may need to use PowerShell and a service account that had Exchange admin rights. I should point out that the above may not be suitable for court and it would take a script or the use of the eDiscovery module to allow these types of requests to be completed more efficiently. I should also highlight that as many users operate a mailbox as a document store, some of these exports may be huge and there may not be enough free space on the server to export them.

Dac

 
Posted : 14/04/2015 8:24 pm
(@paraben)
Posts: 47
Eminent Member
 

Since you already have NEMX, you may want to look into CyFIR. This is Paraben's former network forensic tool so it's fully compatible with NEMX and you can perform live examinations, exporting, etc. of Exchange files.

 
Posted : 14/04/2015 9:29 pm
(@eyez0n)
Posts: 29
Eminent Member
 

DISCLAIMER: I work for Nuix.

Nuix easily handles .edb files and allows an examiner to "pre-filter" them and only select those mailboxes, folders, and/or email messages he/she wishes to ingest and process.

In the video below, the pre-filter pane is shown but all mailboxes were selected for that demo. The user has the opportunity to change that default behavior with a simple click of the mouse and only select those items of interest. This is a great way to conduct targeted ingestion of data.

Video: https://www.youtube.com/watch?v=5dQVtzgSrpM

 
Posted : 15/04/2015 12:53 am
(@shep47)
Posts: 51
Trusted Member
 

Disclaimer: I work for Kroll Ontrack.

Kroll Ontrack Power Controls handles EDBs and you can export to PST.

As well as having a GUI, Power Controls has full scripting capability, so multiple tasks can be set up and run. For instance, with a little scripting knowledge (included in the manual) you can trawl multiple EDBs and recover single or multiple custodians' PSTs to a location of your choice.

I have used this to search over 20TB of backup EDBs with over 1.5m mailboxes and extract the selected custodians to individual PSTs.

http://www.krollontrack.co.uk/software/powercontrols/

Some of the capabilities are detailed in these videos:

http://www.krollontrack.co.uk/flash/demo-opc/index.html

If you would like to know more about the scripting please PM me.

Regards

 
Posted : 17/04/2015 12:09 am
Adam10541
(@adam10541)
Posts: 550
Honorable Member
 

If you are going to work with the EDB directly then you need to figure out if you are going to do it live or static.

Depending on how the network is set up, you may be able to work with archive/backup versions of the EDB (nightly or hourly backups, depending on their setup); then you don't have to worry about working with a dirty EDB. My experience is that plenty of tools claim they can work with an active EDB, but the reality is most can't despite their claims.

If you have a static EDB then any of the aforementioned tools will work; my preference is SysTools Exchange Recovery, not because it's the best but because it's simple and it works, allowing me to extract PST archives for each individual user so I can work with them in my email tool of choice.

 
Posted : 17/04/2015 5:46 am
(@fasita)
Posts: 6
Active Member
Topic starter
 

Thank you to everyone who responded. Adam10541, to your point, there are no backups so we'd be mounting the .edb files active. I'm in the process of testing some of the tools mentioned here in our own environment. Thank you for the suggestions and shared knowledge, much appreciated!

 
Posted : 17/04/2015 6:50 pm
(@patrick4n6)
Posts: 650
Honorable Member
 

I am wondering if you're using a sledgehammer to crack an egg here. Is this for eDiscovery, or for Forensics? If it's for eDiscovery, you can collect live from Exchange which is how the vast majority of corporations do this. Lots of eDiscovery tools will communicate with Exchange to collect this data for you. There's not necessarily a requirement for you to directly parse the data structure behind the Exchange servers. You really need to understand the requirement before looking at a solution.

 
Posted : 17/04/2015 8:08 pm
(@cults14)
Posts: 367
Reputable Member
 

Am tending to agree with Patrick4n6. 70,000 sounds like a scary number but how many do you need to deal with simultaneously in terms of preservation and production (per matter)? And when you say "preserve" what do you really mean?

The Litigation Hold feature in Exchange will do the preservation job for you, won't it? And Exchange Management Shell (EMS) can provide tools (to a certain degree) to kick off the route to production. We tend to use EMS to cull by custodian and by date range provided by external counsel (and create a logfile), then (optionally) weed out clear false positives using Sherpa's Discovery Attender (other products are of course available).

Hope that's not off the mark?

 
Posted : 20/04/2015 2:53 pm
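The two server-side approaches raised in this thread (dacorr's "PowerShell and a service account with Exchange admin rights" and cults14's EMS cull by custodian and date range with a logfile) both come down to the same Exchange Management Shell cmdlets. The script below is an added illustration, not code posted by anyone in the thread or shipped by any of the products mentioned. It assumes an Exchange 2010/2013 EMS session on PowerShell 3.0 or later, an account that holds the "Mailbox Import Export" RBAC role, and a UNC share that the Exchange Trusted Subsystem group can write to; the matter id, custodian CSV, share path and date range are hypothetical placeholders. It places a Litigation Hold on each custodian before exporting, logs custodians with no mailbox or several mailboxes (dacorr's duplicate-mailbox and deleted-account cases) instead of skipping them silently, and reports bad-item counts so a gap in the export is visible rather than assumed complete.

```powershell
# Added example (not from the thread): preserve custodians with Litigation Hold, export a
# date-bounded PST per custodian, and keep a CSV log of every action taken.
# Assumptions: Exchange 2010/2013 EMS, PowerShell 3.0+ (for Export-Csv -Append), an account with
# the "Mailbox Import Export" role, and a share writable by Exchange Trusted Subsystem.
param(
    [string]$MatterId     = "MATTER-0001",                              # hypothetical matter reference
    [string]$CustodianCsv = "C:\Matters\MATTER-0001\custodians.csv",    # hypothetical; one column: Alias
    [string]$ExportShare  = "\\FILESERVER\ExchangeExports\MATTER-0001", # hypothetical UNC share
    [datetime]$RangeStart = "2014-01-01",                               # date range supplied by counsel
    [datetime]$RangeEnd   = "2014-12-31"
)

$log = Join-Path $ExportShare "export-log.csv"

function Write-MatterLog {
    param([string]$Alias, [string]$Status, [string]$Detail = "")
    [pscustomobject]@{
        Matter = $MatterId; Alias = $Alias; Status = $Status; Detail = $Detail; Time = Get-Date
    } | Export-Csv -Path $log -Append -NoTypeInformation
}

foreach ($c in Import-Csv $CustodianCsv) {
    # Get-Mailbox can return zero or several objects for one alias (deleted AD accounts whose
    # mailbox object survived, or a user moved between servers); both cases are logged, not ignored.
    $mbx = @(Get-Mailbox -Identity $c.Alias -ErrorAction SilentlyContinue)
    if ($mbx.Count -eq 0) { Write-MatterLog -Alias $c.Alias -Status "NoMailboxFound"; continue }
    if ($mbx.Count -gt 1) {
        Write-MatterLog -Alias $c.Alias -Status "MultipleMailboxes" -Detail ($mbx.Identity -join ";")
        continue   # resolve manually; exporting only the first match would be an undocumented gap
    }
    $m = $mbx[0]

    # Preservation first: Litigation Hold retains items (including later edits and deletions)
    # in Recoverable Items, so the export that follows cannot be the only copy.
    Set-Mailbox -Identity $m.Identity -LitigationHoldEnabled $true -RetentionComment "Hold for $MatterId"
    Write-MatterLog -Alias $m.Alias -Status "LitigationHoldEnabled"

    # Date-bounded export. Received is a ContentFilter property; the dumpster (Recoverable Items)
    # is included by default and only dropped if -ExcludeDumpster is passed.
    $start  = $RangeStart.ToString("MM/dd/yyyy")
    $end    = $RangeEnd.ToString("MM/dd/yyyy")
    $filter = "(Received -ge '$start') -and (Received -le '$end')"
    $req = New-MailboxExportRequest -Mailbox $m.Identity `
        -FilePath (Join-Path $ExportShare "$($m.Alias).pst") `
        -ContentFilter $filter `
        -BatchName $MatterId `
        -Name "$MatterId-$($m.Alias)"
    Write-MatterLog -Alias $m.Alias -Status "ExportQueued" -Detail $req.Name
}

# Progress and completeness check for the whole batch. BadItemsEncountered is the number the
# review team needs before anyone calls the export complete.
Get-MailboxExportRequest -BatchName $MatterId |
    Get-MailboxExportRequestStatistics |
    Select-Object Name, Status, PercentComplete, BadItemsEncountered, EstimatedTransferSize
```

Two design choices follow directly from points made earlier in the thread: the hold is applied before the export is queued, so a failed or partial export never leaves the custodian unpreserved, and an alias that resolves to more than one mailbox stops the loop for that custodian rather than exporting whichever Get-Mailbox returned first. Exports that hit the request's default bad-item limit will stop with a non-zero BadItemsEncountered; raising that limit is a decision to record in the log, not a default.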