Me and my team were hired by a corporate firm to audit certain activities by officers. The team instantly started looking for corroborative evidence inside the Exchange mailboxes. We got stuck when it came to searching of evidence inside EDB files. Unfortunately, Microsoft does not offer any such API.

We tried carrying out analysis of the Exchange mailboxes via Exchange Management Shell but the results were not much convincing. 

We found some useful resources through google such as 

http://www.mailxaminer.com/blog/search-unmounted-edb-file/

and http://blogs.msdn.com/b/webdav_101/archive/2008/09/03/howto-read-unmounted-exchange-edb-files.aspx

Actually we are basically trying to search for some evidence inside EDB. But still we are not sure how to proceed further.

Can anyone help?

Regards

Shweta@G

 

Me and my team were hired by a corporate firm to audit certain activities by officers. The team instantly started looking for corroborative evidence inside the Exchange mailboxes. We got stuck when it came to searching of evidence inside EDB files. Unfortunately, Microsoft does not offer any such API.

We tried carrying out analysis of the Exchange mailboxes via Exchange Management Shell but the results were not much convincing. 

We found some useful resources through google such as 

http://www.mailxaminer.com/blog/search-unmounted-edb-file/

and http://blogs.msdn.com/b/webdav_101/archive/2008/09/03/howto-read-unmounted-exchange-edb-files.aspx

Actually we are basically trying to search for some evidence inside EDB. But still we are not sure how to proceed further.

Can anyone help?

Regards

Shweta@G

 

I would explore 3rd party Exchange Recovery software if you want to search the offline edb.

There are really 3 great products on the market that provide  the type of desired functionality and our DigiScope product http://www.lucid8.com/product/digiscope.asp is one of them, the other two are OnTrack PowerControls and Quest/Dell Recovery Manager for Exchange.  Now I am biased since I work for Lucid8 the creators of DigiScope, however I can tell you that if you want to achieve accuracy and completeness then look at one of the above 3 and avoid, better yet run from the other entries in the market  

• As for the other product posted its not one of the 3
• As to the article alas there are several entries in the market place that do a horrible to mediocre job of accessing and extracting data from offline EDB's.  On the surface it looks like there are doing the job, however when you look close you will find that they are inaccurate and incomplete in terms of finding and recovering data which really leaves you with a huge mess
  

Hi Andy David,

Are all the available Exchange Recovery tools listed have the search feature inbuilt. The puzzle still remains the same. The team wants to go with a solution that has search mechanism for us to dig in 1000 of emails. 

Hi Troy Werelius,

Can you please put some light on the features of your tool? What are the options if the acquired email evidence need to presented the court of law?

Regards

Shweta@G

Having equipped with various enriched features, you can have a look on Lepide exchange recovery manager that would also be a nice alternative approach in order to fulfill your needs without any further interruption.

1. DigiScope provides powerful Search/eDiscovery capabilities allowing you to run precise searches across multiple Mailbox or Public EDB files at the same time to find, recover, or export specific Mailboxes, Folders, Public Folders, Messages, Appointments, Contacts, Journal Entries, Notes, Tasks, or entire conversation threads.

2. There are way too many ways to search for the desired information, i.e.Search

• For specific words, phrases that occur within the subject line, the body or exact fields
• Using Regular Expressions for complex searches such as find anything that looks like a social security #, words within proximity of other words
• inside documents, zips etc,
• by item creation, modification dates
• message state, i.e. read, unread
• with/without attachments
• Message ID's
• By message type, i.e. email, contact, note, calendar item etc
• From, TO, CC, BCC
• by flagged importance, category etc.
• etc etc

For more about the ways to search read this http://www.lucid8.com/download/documentation/DSWebHelp/DigiScopeHelp.htm#MNG/Find_Searching_eDiscovery_Overview.htm

3. Once items are found you can Export them to PST or MSG and provide them to counsel for use in a court of law.

Hope the above helps and if you want to share more of your specific needs on this you can email me via TroyW at Lucid8 dot com