Need to archive?

From Susan Bradley’s blog (aka SBS Diva) comes…

I have rec’d an email from one of my clients saying that he needs to recover email from 2005 in regards to a lawsuit. There is barely a backup plan in place. It holds backups of everything for a few days only, written only to an external hard drive. I don’t think our users have any idea what pst files are. Is there anything inherent to SBS2003 that would help? Are there any products you recommend for the future?

There was never any requirement for archiving purposes in the past so no company policy was forwarded to me. So I don’t think there is any way that I am liable.

First off, you are not. Secondly, you are only required to make your best efforts to recover that email. In a typical SBS network, here are the forensic places that email will land.

First off, email comes into the server (assuming you’ve set it up so that the SBS holds the email and it grabs the email) and the server dumps it into the Exchange store. When your end users read their email and hit the delete key in their personal email boxes, it doesn’t really “delete” the email but rather it merely moves it to the deleted email folder. Unless you set a rule to delete that email, chances are that email of 2005 might be there. If someone has deleted the email, then it sits on the server in the mail store for 30 days before it truly and utterly gets deleted.

If your clients use the default SBS mailbox setup, they don’t have PSTs but rather OSTs that the SBS box sets up automagically as part of its Cached Mode setup. Outlook has a rule set up (I’ve forgotten when it kicks in) of prompting you every now and then: “do you want to archive your email?” Once again, it won’t truly delete the email, but will move it to an archive folder.

You might find it easier to get onto their ‘exact’ profile to see the Outlook folder structures they have on the local system as well as the files on the server.

But last but not least, you are only required to make a reasonable effort to recover this. If your policy is to NOT store emails, then you can’t be liable if you can’t find them. Where you get into issues (as in Enron/Arthur Andersen) is when you have a policy regarding email (or any correspondence for that matter) and don’t follow it. If you say you are going to delete after 30 days and don’t, or retain all email regarding X client and don’t, that’s when it’s an issue.

Remember that the new Federal Rules of Evidence kick in when you get a lawsuit in Federal Court. At THAT time you need to ensure that all electronic documentation is maintained.

But have a long-term need to archive? Check out Message Journaling (native) or GFI (third party): http://www.gfi.com/mailarchiver/

Computers do add some nuances to rules of evidence, as you can see in these articles: http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1253827,00.html and http://www.usdoj.gov/criminal/cybercrime/usamarch2001_4.htm

Link to Susan Bradley’s “Need to archive” article