LEGAL DISCOVERY: The administrator needs a way to extract messages from multiple users’ mailboxes which contain certain keywords in the subject and/or body for Legal Discovery purposes. In this case, the content found should not be deleted, but only extracted to a single target mailbox. I will provide solutions for both Exchange 2007 and Exchange 2010.
Exchange 2007 Solution: In Exchange 2007, The administrator will need to use the Export-Mailbox task from the Exchange Management Shell with the –TargetFolder and –TargetMailbox parameters:
PS> get-mailbox –Database DB1 | Export-Mailbox –SubjectKeywords “Discovery Keywords” –TargetMailbox Administrator –TargetFolder ‘MyData’
This particular version of the command will search through all mailboxes on the Mailbox Database DB1 for messages containing the words “Discovery” and “Keywords” in the Subject field and copy these to a folder named MyData in the Administrator’s mailbox. A folder will be created for each user mailbox which had matching messages under the “MyData” folder, using the following naming convention: “Recovered Data – <MailboxAlias> – <Timestamp>”
Additional versions of the command:
Search for attachment filenames
Get-mailbox -database ‘DB1’ | export-mailbox –AttachmentFilenames “movie” -TargetFolder “MovieAttachmentData” -TargetMailbox NewMailboxForDiscovery
Search message body, subject and attachment contents
Get-mailbox -database ‘DB1’ | export-mailbox -ContentKeywords “SecretStuff” -TargetFolder “Secretstuff” -TargetMailbox NewDiscoveryMailbox
As part of a summary of research I compiled during a recent discovery situation I put together this resource covering searching and extracting content from all exchange mailboxes. I will add to this as I find additional helpful information for this topic.
Exchange 2010 Solution:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery ‘Subject:”Subject Im Looking For” AND (sent:07/01/13..07/02/13)’ -targetmailbox “administrator” -targetfolder “TargetFolderName” -deletecontent
Note: “TargetFolderName” was created in the root of the administrator mailbox
Resources (Exchange 2007):
Export-mailbox available options (Exchange 2007)
- Export mailbox content from a active mailbox to a folder inside another mailbox
- Filter content to be exported based on:
- List of included or excluded Folders (included using –IncludeFolders or excluded using -ExcludeFolders)
- Message subject (-SubjectKeywords)
- Message and attachments content (-ContentKeywords)
- Attachment file names (-AttachmentFilenames)
- Message locale (-Locale)
- “OR” search of Message subject, message content and attachment content (-AllContentKeywords)
- Date range (-StartDate and –EndDate)
- Delete content from source mailbox after exporting it to target mailbox
- Automatically exports dumpster items as regular messages in the target mailbox
Technet: https://blogs.technet.com/b/exchange/archive/2006/12/18/3397563.aspx
Resources (Exchange 2010):
Remove specific email from ALL mailboxes in Exchange 2010 SP1
I am looking for an expert (Exchange administrator), preferably but not exclusively from Canada, with the experience of responding to legal discovery requests. What is needed is some familiarity with the search all users mailboxes for specific content procedure and the assessment of its feasibility in various circumstances (MS Exchange 2007 and MS Exchange 2010 servers) and related costs.
Please respond either here or by email.
Thanks.
What are you need assistance with?
Greg, can I reach you by email? Mine is maslovan2@gmail.com. Anton