
Written by Ryan Lerminiaux
Wednesday, 01 July 2009 07:26

The economy is still in bad shape, and one way companies are cutting costs is by opting to ship computers to their forensic vendors instead of paying for onsite work. This is a very economical alternative to paying for a consultant's travel expenses (airfare, hotel, meals, etc.). That being said, there are several things one should consider when shipping computers to their forensic vendor's office.
- 1. Include the power supply. Most of the computers Jones Dykstra receives in the mail are laptops, and most are without a power supply. Usually, this is not a problem because the computer's hard drive is removed and is then duplicated using one of the vendor's computers. This is not always the case, though, as we occasionally receive a hard drive that refuses to cooperate and must be forensically duplicated in its original computer. In such a case, the forensic vendor must be able to keep the computer powered on long enough to forensically duplicate the hard drive. Many times, vendors will have assorted spare power supplies on hand, but the best way to prevent this problem is to include the power supply when shipping the laptop to your vendor to ensure you receive the computer back as quickly as possible.
- 2. Pack the computer carefully. This sounds simple, but more often than not, computers show up at our office in a ratty box with minimal padding. FedEx will not insure a laptop unless it is shipped in one of their laptop boxes. You can insure the computer monetarily and if it is damaged during shipment you can have it replaced, but what about the data it contained? Is that information replaceable? If a hard drive is smashed and the plates are cracked or broken, even the best data recovery lab in the country is going to have trouble recovering the data, and it will be quite costly. So take the time to pack up your computers right, and it will pay off later when they arrive at your vendor's office safe and sound.
- 3. Include any additional information or instructions with the computer. This is especially important if you are looking for an expedited turnaround from your vendor. Occasionally, Jones Dykstra will receive a computer in the mail with little or no information regarding from which client it was sent, or to which matter it pertains. When this occurs it usually prompts phone calls and/or emails in order to hunt down answers about the miscellaneous computer. If a set of detailed instructions and information about the computer is included it makes for a much smoother process.
With the option for overnight shipping available almost anywhere in the country, a computer can be sent out Wednesday night for forensic duplication and be back in the user's hands by Friday morning, making shipping computers a very viable solution to your computer forensic needs. Just be sure to follow these 3 simple steps the next time you're shipping to ensure the least risk and the fastest turnaround possible.

Written by Jason Briody
Tuesday, 23 June 2009 11:43

When a restaurant closes and the last customer walks out the door, the employees don't just call it quits and follow them out. There's a flurry of activity. Dishwashers are running, the "daily special" board is wiped clean, floors are mopped and tables are reset. But when some attorneys close a matter, they're just concerned with calculating their tips and clocking out. Here's why making sure you've cleaned up after yourself, at least as far as your collected ESI is concerned, is worthwhile.
It could be costing you money.
Many computer forensic and EDD consultancies charge a monthly fee to store your data after a period of time stated in your initial engagement contract. Those hard drives full of data are taking up hardware and space in these consultancies' secure rooms and safes. These recurring fees can add up, especially when you have a large amount of data sitting around that is no longer needed.
Your client will thank you for it.
Your client wants to know that their information is being handled with care. Once a matter is closed and the relevant data no longer needed, they want to know that their company information, employee records, and employee communications are destroyed and once again exclusively within their control. Custodians involved also sleep easier once they've been notified by their employers that the forensic duplications of their laptops have been disposed of securely.
It might come back to haunt you.
Are those forensic duplications and other data still hanging around? There are many cases in which an organization's lack of a document retention and data destruction policy (or the company's disregard for these policies) has resulted in a major negative impact for the company (see Murphy Oil USA Inc. v. Fluor Daniel Inc., or this article about Boeing's document retention mishap). In both these cases, the companies made the same mistake: they retained emails and backups for far longer than their document retention policies ordered. The files that they hung on to became discoverable, and they (or their cases) suffered for it. Is it possible your client's data will become discoverable for another matter if it's known that these forensic "backups" exist?
Of course, you need to look at the legality of destroying your forensic duplications at a matter's close ("close" being the operative and ambiguous word), but barring any legal restrictions that compel you to hang on to the data from one of your matters, destroying it is more than just good housekeeping. It could be keeping that data from being used against you.
So how do I ensure the data's been destroyed?
Once your matter is closed and you no longer need the forensic duplications and data collected, ask your consultancy to securely destroy it. Ensure that you receive a "Certificate of Destruction" form that explains what data was destroyed, how, when, and by whom. Heck, you don't even have to get your hands dirty.
The guy who runs the restaurant dishwasher only wishes he could say that.

Written by Ryan Meeks
Tuesday, 26 May 2009 19:28

While data collection may seem like a straightforward process, it rarely is. There are innumerable unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
RAIDs
If the computer contains a RAID (Redundant Array of Inexpensive Disks), it is often necessary to run the collection through the computer without removing the hard drives. Many servers store data using a RAID. A RAID consists of several hard drives that are grouped together and (depending on the type of RAID) has saved data spread across all the drives. A RAID may be used for a number of reasons, but they are most commonly used as a way to create extra copies of data in case of a single hard drive failure; if one of the hard drives fails, the data that it contains can be recovered because it was replicated (using an algorithm) onto the other hard drives that were in that RAID.
If the hard drives are removed from the computer containing the RAID, they do not maintain the structure of how the data is stored and are therefore unusable. To help illustrate this, imagine that you cut out the words in a paper document and put them in a number of different boxes in a pattern that only you knew. If someone mixed up all of the boxes, you would never again be able to read the document unless the boxes were put back in the exact order that you had them. If the RAID hard drives are removed from the computer, they must be put back into the same RAID computer (which knows the pattern) using the exact hardware location that they were removed from. Mixing up a single cable will make the data unrecognizable. Inexperienced vendors sometimes pull these hard drives out of the system and don't keep track of how they were organized, and the data becomes unusable.
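The box-shuffling analogy above, as a runnable sketch (an added example, not from the original post): a simplified array with small stripe units and one dedicated parity disk, where reading the members back in the wrong order yields garbage and a single lost member is rebuilt by XOR. The layout, function names and sample data are constructed for illustration and do not model any particular RAID controller.

```python
from functools import reduce

STRIPE = 4  # bytes per stripe unit (constructed; real arrays use KiB-sized units)


def xor_blocks(blocks):
    """XOR equal-length byte blocks together (the parity operation)."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def stripe(data, n_data_disks):
    """Spread data across n data disks in STRIPE-sized units, plus a parity disk."""
    row_len = STRIPE * n_data_disks
    rows = -(-len(data) // row_len)            # ceiling division
    data = data.ljust(rows * row_len, b"\0")   # pad the last row with zeros
    disks = [bytearray() for _ in range(n_data_disks)]
    parity = bytearray()
    for off in range(0, len(data), row_len):
        units = [data[off + i * STRIPE: off + (i + 1) * STRIPE]
                 for i in range(n_data_disks)]
        for disk, unit in zip(disks, units):
            disk += unit
        parity += xor_blocks(units)
    return [bytes(d) for d in disks], bytes(parity)


def reassemble(disks):
    """Read the data disks back in the order given, one stripe unit at a time."""
    out = bytearray()
    for off in range(0, len(disks[0]), STRIPE):
        for disk in disks:
            out += disk[off:off + STRIPE]
    return bytes(out)


def rebuild_missing(surviving, parity):
    """Recover one lost data disk from the surviving data disks and parity."""
    return xor_blocks(list(surviving) + [parity])


def demo():
    # Constructed sample content standing in for a file on the array.
    original = b"Q3 forecast: revenue 4.2M, costs 3.1M, margin 26 percent"
    disks, parity = stripe(original, 3)
    return {
        "original": original,
        # Drives returned to their original positions: data is readable.
        "correct_order": reassemble(disks).rstrip(b"\0"),
        # Two drives swapped: every stripe row is scrambled.
        "swapped_order": reassemble([disks[1], disks[0], disks[2]]).rstrip(b"\0"),
        # Disk 1 lost: rebuilt from the other members and parity.
        "disk_1": disks[1],
        "rebuilt_disk_1": rebuild_missing([disks[0], disks[2]], parity),
    }


if __name__ == "__main__":
    result = demo()
    print("correct order:", result["correct_order"])
    print("swapped order:", result["swapped_order"])
    print("disk 1 rebuilt correctly:", result["rebuilt_disk_1"] == result["disk_1"])
```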
Exotic and Legacy Computers
It doesn't take long for technology to become outdated in today's world. It is difficult for all companies to keep all of their computers current, especially if the computers are still working and there is no reason to upgrade. While this may work well for the company, it can cause your EDD vendor serious problems. Older computers can cause problems for any of the following reasons:
- Computers might not have the proper connections to allow for the duplication of data.
- Older connections may only allow for very slow data transfers.
- Computers that have been running fine for fifteen years may inexplicably not turn back on after they've been shut down.
- Current forensic software may not read and process the data on the older computers, which would mean more hands-on (and more expensive) collection and processing work.
Despite the problems with exotic and legacy computers, there are sometimes work-arounds to get the necessary data, such as duplicating from back-up media such as tapes or other external media. This is useful when examiners are concerned about harming the target computer. Be sure to keep your vendor informed if your client has any exotic or legacy systems (and if backups of these systems exist) so that they can prepare as best they can.
An EDD firm that is informed of what a collection will entail (especially when dealing with the difficult items we've discussed here) will make for a much more successful and inexpensive collection.
Stay tuned for our next blog in this series, where we'll cover the people who can make collections difficult.

Written by Jason Briody
Tuesday, 26 May 2009 19:24

While data collection may seem like a straightforward process, it rarely is. There are innumerable unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
Magnetic Tapes
Tapes are an exception to normal collection and processing. While they can be very useful to an investigation, there are a few things that make collecting and processing tapes much more difficult and time-consuming than other media.
- Tape data must be pulled through the software used to create it, much like a database. If you try to merely copy a tape, it will come out looking like garbage, since the program that wrote it is not there to "interpret" and make sense of it.
- There are many different software applications that can write to tapes, so finding out which program wrote the data to the tape may be difficult.
- Tapes come in many shapes and sizes. A tape drive is needed to "run" a tape, and different tapes require different tape drives.
- Tapes may contain data that is part of a series. The series must be reconstructed for the data to be properly viewed.
- When poorly labeled or unlabeled, finding the right sequence may be difficult or impossible.
Try to enlist the help of your client's IT to ensure you have the most information you can get (such as the info above) about any tapes you will be collecting.
Databases
Databases such as Oracle and Microsoft SQL aren't necessarily difficult to collect, but they are difficult to search and review once collected, especially if they are collected improperly. Databases are stored in such a way that it is nearly impossible for a human to discern any information from them without the source (database) software to interpret it.
To help illustrate why one can't merely review a "duplication" of a database, imagine a several hundred page spreadsheet. Now cut out the individual cells of that spreadsheet and mix them up with your eyes closed. What you end up with (a jumble of random cells and numbers) looks a lot like the data that a database has stored. The database software knows how to link the separated cells back together so that when you ask for certain cells it can retrieve them, but you cannot just print the database and look it over; it will look like a jumble of computer code.
Databases must be collected and reviewed a very specific way, so be sure to talk to your EDD vendor for advice on what to do after they've done the collection.
Read more about items that can make your collections difficult in part 3 of our "Data Collection Pitfalls" blog series.

Written by Ryan Lerminiaux
Tuesday, 26 May 2009 19:15

While data collection may seem like a straightforward process, it rarely is. There are innumerable unforeseeable circumstances, computer technologies, and people that can cause problems during an on-site collection. In this multi-entry blog series, we'll be discussing the most common items and the people that can make data collection more difficult for you so that you can make more informed decisions during your collections and collection prep.
Computers Using Full-Disk Encryption
Encryption is basically a method of scrambling information in a way that only the correct passphrase can unscramble it. Full disk encryption is a security feature that encrypts an entire hard drive, instead of "standard" encryption, which usually refers to encrypting a single file or partition. As the world becomes more and more mobile, full disk encryption is gaining in popularity because of the security it provides for a computer's entire hard drive.
Handling the collection of an encrypted hard drive can take more time and money than an unencrypted hard drive. The safest way to handle full disk encryption involves a good deal of time and duplication, as follows:
1. The drive must be duplicated while encrypted.
2. The encryption software must be removed (so the drive is no longer encrypted when it is turned off).
3. The drive must be duplicated again.
4. The encryption software must be re-installed and the drive re-encrypted.
The above process takes many hours with a standard-sized hard drive. However, this process may not be necessary for all e-discovery purposes. If a company is using full disk encryption and cost is a major concern (as it often is), the encryption software could be removed by the company's system administrator prior to the EDD vendor's arrival on-site. If you decide on this course of action, removing encryption software can take several hours, so it is best not to wait until your vendor arrives. If the laptop is being sent to your vendor and you want to keep it encrypted while it is en route, you might be able to have your vendor remove the encryption, but it will likely add to your cost.
The methods mentioned above assume that you, your client, or the EDD vendor has the encryption key. Most companies that use full disk encryption have an administrator's key to use, so even if an employee will not give up their key, the disk can still be decrypted. Without any key, however, "cracking" encryption ranges from relatively time-consuming to extremely time-consuming; strong keys could take several months or years to crack.
Cell Phones
The fact that there are lots of different manufacturers with lots of different phone models makes collecting cell phone data very difficult. At this point, there is no standardization to how data is stored by cell phones, and storage algorithms can vary from one model to the next. This makes it very difficult for forensic software vendors to keep up. This is not to say that the data is not attainable, but don't be surprised if you cannot get everything you would expect to get (all deleted files, for instance), or if what is collected turns out to be not as easy to review as you would like.
The more common a phone is (a common BlackBerry model, for instance) the more effort forensic hardware and software companies put into making that phone simple and clean to collect and review. Obscure phones are usually more difficult to collect, and the data that is collected is more difficult to review.
Read more about items that can make your collections difficult in part 2 of our "Data Collection Pitfalls" blog series.

Written by Jason Briody
Tuesday, 21 April 2009 17:46

As an attorney, you're fluent in legalese, but many of the folks you work with during e-discovery seem to only speak "IT." This second entry in the EDD Dictionary is set up just like the first (found here); each common, EDD-related word is followed by its definition, the "attorney equivalent," and an example sentence.
locally (LOH-kuh-lee)
-adverb: regarding an action that takes place on a specific device without other devices getting involved; the opposite of "remotely"
Attorney equivalent: on their computer; on that server (context-dependent)
Examples:
1. You should search the custodian's hard drive; those user-created files are usually saved locally. (meaning they are saved on the custodian's hard drive)
2. Once that computer receives the data, it's all processed locally. (meaning the data is processed on that computer alone)
PST file (pee-ess-TEE fil)
-noun: also known as a personal storage folder, this file stores e-mail messages, contacts, and calendar appointments from a Microsoft Outlook user's profile and is usually located on a user's hard drive. (Note: whether or not a user will have a PST file depends on how Outlook is set up.)
Attorney equivalent: Outlook mailbox; Outlook messages, contacts, and calendar
Examples:
1. The company wasn't using an Exchange Server; were you able to find a PST file on the custodian's hard drive so we can extract the mail items?
machine (muh-SHEEN)
-noun: synonymous with "computer;" an electronic device that performs mathematical and logical calculations and which stores digital data
Attorney equivalent: computer
Examples:
1. That machine always seems to give me problems.
ESI (spoken as individual letters)
-acronym: short for "Electronically Stored Information;" any information that is digitally created, manipulated, communicated, or stored
Attorney equivalent: computer data
Examples:
1. This is the attorney who will be directing the ESI collection in Denver next week.
Check out the first entry in the EDD Dictionary, where we cover "acquisition," "dupe," "image," and "user-created files."

Written by Jason Briody
Tuesday, 10 March 2009 13:44

Welcome to the first post from JD&A's "EDD Dictionary." I've created a short list of words that I hear used in certain EDD situations which attorneys might not be familiar with. This entry is set up like an excerpt from a dictionary. Each word is followed by its definition, "attorney equivalent," and examples of the word being used in everyday language.
We'll be adding to the EDD Dictionary in future posts. (If you'd like, you can stay updated with our RSS feed!)
acquisition (ak-wuh-ZISH-uhn)
-noun: the act of gaining possession of the data that is stored on an electronic medium
Attorney equivalent: collection
Examples:
1. Tom did not answer his phone because he was in Texas on an acquisition.
dupe (doop)
Primary use:
-verb: to create a duplicate copy of an electronic medium
-noun: a duplicate copy of an electronic medium
Attorney equivalent: bit-stream copy, bit-for-bit copy
Examples:
1. We need to dupe Mr. Craig's laptop before 2pm. (verb)
2. Here is the dupe we made of Ms. Johnson's external drive. (noun)
Alternative use:
-noun: a duplicate copy of a file
Attorney equivalent: duplicate, copy
Examples:
1. I'll bet more than half of these emails are dupes.
image (IM-ij)
see "dupe" (primary use)
user-created files (YOO-zur kree-EYT-ed filz)
-noun: files, usually selected by file type, that are typically created by a user instead of by the operating system or an automated process
Attorney equivalent: files created by a custodian (Word documents, Excel documents, PDFs, etc.)
Examples:
1. I gave the attorney a list of the user-created files that were on the system.
Check out the second entry in the EDD Dictionary, where we define "locally," "PST file," "machine," and "ESI."

Written by Ryan Lerminiaux
Wednesday, 25 February 2009 12:30

In a recent article by Jessica Mintz, Guidance Software gets blasted for botching an internal E-Discovery request. It is not uncommon for companies to make mistakes when providing Electronically Stored Information (ESI) for an E-Discovery request. It is a relatively new concept, and companies are struggling to adapt. This issue is ironically highlighted when it happens to the developers of EnCase, which is one of the most widely used computer forensics software packages.
Guidance Software has been around since 1997, and is a leader in the computer forensic software market. Its flagship product, EnCase Forensic Edition, is probably the most widely used piece of software by computer forensic specialists. The main use of the software is recovering and reviewing data found on digital media. Guidance has apparently failed to produce emails relevant to the wrongful-termination case of ex-marketing director Cassondra Todd. After several months of searching, Guidance has reportedly been unable to locate the emails in question. So what happened to the emails in question? Here are 4 hypothetical scenarios that may explain the absent emails:
- EnCase software failed to find the relevant documents. This is very unlikely, as EnCase is recognized as an industry standard and used by computer forensics specialists worldwide.
- Guidance employees are withholding the relevant emails. This scenario is also highly unlikely, as doing so could result in dire consequences (just ask Qualcomm).
- Guidance Employees lack the talent to identify and pull the data with the right tools. Also highly unlikely; Guidance developed the tool. It's safe to say they know how to put it to good use.
- Guidance lacks a proper data retention policy, and the emails have been inadvertently lost or destroyed. While hopefully not the case, it has the potential of being the most realistic scenario of the four (speculative) possibilities; in our experience, many companies lack an adequate data retention policy.
It is very important for companies to have an up-to-date data retention policy in place, since even the best piece of forensic software will not be able to recover an email if it no longer exists within a company's infrastructure. A study (How Much Information? 2003) done in 2002 showed that 92 percent of the new information created that year was stored on magnetic media such as hard drives and tapes. ESI is playing a growing part in both civil and criminal cases, so it is crucial for a company to preserve new information it creates. A solid retention policy helps to keep track of and preserve the 90 plus percent of information stored electronically. Data retention is especially important when it comes to legal holds, at which point any user-created documents such as emails and Word documents should not be deleted.
In the end, having the proper software and hardware is only half the battle. The best forensic software is only helpful if used properly by well-qualified individuals and if the underlying data is maintained pursuant to an up-to-date document retention policy.

Written by Ryan Meeks
Friday, 13 February 2009 11:13

Many cases hinge entirely around the contents of e-mail and attachments. Because of this it's important to have a basic understanding of the structure of the most common enterprise e-mail applications.
- Types of E-Mail Servers
  - Microsoft Exchange
  - IBM Lotus Notes
  - Novell GroupWise
- E-Mail Is Boxes within Boxes
- Where Is the E-Mail Located?
  - Server-Based
    - Microsoft Exchange with Outlook
    - IBM Lotus Notes
    - Novell GroupWise
  - Webmail
  - Webmail through Outlook
  - Outlook Express
  - Windows Mail
- Other Strange Sources of E-Mail
  - E-Mail Backups May Be Your Friend
  - E-Mail Appliances
Types of E-Mail Servers
In most environments, there are three types of e-mail or messaging server commonly in use. Typically these are Microsoft Exchange, IBM Lotus Notes or Novell GroupWise. It is not unusual in large enterprise environments to have any combination of these e-mail servers in use. This is particularly common in situations where a company has acquired many smaller companies over a period of years.
- Microsoft Exchange - Microsoft Exchange is the most commonly encountered mail server in most corporate environments. Extraction of individual user mailboxes, referred to as PST files, from a Microsoft Exchange server is easily accomplished with a Microsoft-provided tool called ExMerge.
- IBM Lotus Notes - Lotus Notes is the second most commonly encountered mail server. Extraction of individual user mailboxes, referred to as NSF files, is easily accomplished.
- Novell GroupWise - Novell GroupWise is an older mail server package no longer commonly found in most environments. Novell GroupWise is known for its reliability and ease of maintenance, which keeps it from being replaced by newer systems. Extraction of individual user mailboxes, referred to as simply mailboxes, is notoriously difficult. Extraction of GroupWise mailboxes requires network access to the GroupWise server, GroupWise administrator permissions and expensive third-party software.
The bottom line on mail servers: Microsoft Exchange and Lotus Notes are easy; Novell GroupWise is hard.
E-Mail Is Boxes within Boxes
Modern e-mail servers and e-mail clients such as Microsoft Outlook and Exchange do not store e-mail on hard drives and in simple formats like text. Modern e-mail systems store e-mail in a proprietary database within other proprietary databases, the box within a box. For example: Microsoft Outlook stores e-mail in a PST or OST file, which are actually containers for the e-mail messages and attachments.
In short, without the proper viewer (in this case, Microsoft Outlook) we cannot actually view the contents of a PST or OST file. If we were to attempt to open an individual's PST file without the proper viewer it would simply look like machine garble.
To make matters more complicated, individual user mailboxes are stored in yet another database on the server. In the case of Microsoft Exchange, user mailboxes are stored in an Exchange Database file called an EDB file. To complete our box-within-a-box analogy: a user's e-mail is stored in a Microsoft Outlook PST file, which is the first box, which is then stored in a Microsoft Exchange Database file, which is the second box.
There are a number of E-Discovery ramifications to the storage of e-mail databases within databases:
- The server e-mail database may actually be several databases, none of which can be copied or forensically acquired while the mail server is running.
- Some mail servers do not store all of the user's e-mail on either the server or on a user's computer; rather, some of the user's e-mail is stored in both locations.
- Some e-mail systems utilize complicated security structures to protect users' mailboxes. This security can make the acquisition of e-mail for authorized E-Discovery purposes very difficult.
- In some environments, System Administrators make extensive use of mailbox encryption and compression features. Encrypted mailboxes require additional processing time while the mailboxes are decrypted or passwords recovered. Compressed mailboxes may result in unrealistic collection expectations, as the amount of e-mail in a compressed mailbox may be up to 10 times the size of the compressed mailbox.
Where Is the E-Mail Located?
Depending on which e-mail solution is used, an individual user's e-mail can reside only on their local computer, only on the e-mail server, or on a combination of both. By default, each e-mail solution has its own way of handling individual user e-mail storage; however, it is important to keep in mind that an e-mail administrator can configure user e-mail storage however he likes. E-mail is usually stored as follows:
Server-Based:
- Microsoft Exchange with Outlook - Current Microsoft Exchange e-mail can always be acquired directly from the Microsoft Exchange server. In most environments users also have an Outlook PST file on their computer that may contain more information than what is stored on the Microsoft Exchange server. Microsoft Outlook users also frequently have OST files, also known as Off-Line Folder files, on a computer. The OST file makes it possible for the user to work within Outlook while disconnected from a Microsoft Exchange server and then synchronize the next time they're online. Because PST files and OST files may contain differing information, it is important to acquire both. It is also quite common for users to archive old e-mail by creating additional PST files. This means that on a user's computer there could be several PST files and OST files that may all contain different relevant e-mail information. The default location of a PST file in Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook. For Windows Vista, it is C:\Users\user\AppData\Local\Microsoft\Outlook. (Replace user with the user name specific to the computer.)
- IBM Lotus Notes - Lotus Notes e-mail is stored in NSF files on the user's local system, as well as on the Lotus Notes or Domino server. Processing of Lotus Notes e-mail may also require the names.NSF and user.ID files from the user's computer. These two additional files contain security information that may be required to properly process the e-mail. Frequently, Lotus Notes and NSF files are simply converted to Outlook PST files to make them easier to process. The default location of an NSF file in Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Lotus\Notes\Data. For Windows Vista, it is C:\Users\user\AppData\Local\Lotus\Notes\Data. (Replace user with the user name specific to the computer.)
- Novell GroupWise - Novell GroupWise e-mail is stored in a series of, typically five, database files on the Novell GroupWise server. Expensive third-party software must be used with administrator rights to extract user mailboxes from Novell GroupWise servers. Once acquired, Novell GroupWise mailboxes are also typically converted to Outlook PST files to make them easier to process. GroupWise does not create any storage on a user's machine unless the user initiates it. In this case the user specifies where the file is saved and it receives an MLM extension.
Webmail:
Webmail is a type of e-mail that is hosted on an outside company's website and accessed through an internet connection. The most common webmail providers are Yahoo, Google (gmail), AOL, and MSN (hotmail). Although webmail is more commonly used as a personal e-mail account, it is not uncommon for employees to use it for business as well, especially for smaller companies that don't have the need for an e-mail server.
In its rawest form, all e-mail is stored on the provider's server (i.e. Yahoo mail is stored on a Yahoo server). The only trace of the e-mail that will be found on the user's computer will be in their temporary internet files. While it is possible to sometimes see full messages in these temporary files, they are typically only crumbs compared to the full content of their mailbox. If discovery requires access to all of the mail from a webmail account, the webmail provider will usually release it with a proper subpoena.
Webmail through Outlook:
It is possible for a user to set up Outlook to download webmail so that it can be accessed without using the web interface and can be viewed while offline. By default, Outlook will only download the titles of the e-mail. Once the user clicks an e-mail to view it, it will download the content. Any downloaded information is stored in a local PST file. This PST file and its contents are easily accessible for discovery off of the user's machine, but it will only contain the mail that has been accessed through Outlook.
Outlook Express:
Outlook Express is similar to Outlook but it has fewer features. It is usually more common for personal use as it comes preinstalled on most computers. Outlook Express stores the e-mails in separate, folder-named DBX files such as Inbox.dbx. Usually DBX files need to be converted to PST in order to be processed. The default location of DBX files on Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Identities\{###}\Microsoft\Outlook Express. (Replace user with the user name specific to the computer; ### will be a long string of random letters and numbers.)
Windows Mail:
Windows Mail is the Vista replacement for Outlook Express. It has now been replaced by Windows Live Mail. Unlike Outlook Express, both versions of Windows Mail use individual files to save your e-mail messages instead of container files. Mail items are saved as EML files. The default location for EML files in Windows Vista is C:\Users\user\Local Settings\Microsoft\Windows Mail\Local Folders. (Replace user with the user name specific to the computer)
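The file types listed in this section can be turned into a collection inventory. The following is an added example, not code from the original post: it walks a directory tree, records every file with one of the extensions named above together with its size and SHA-256 hash, and flags PST/OST files whose first four bytes are not the `!BDN` signature that genuine Outlook containers start with. It assumes it is pointed at a mounted working copy rather than the original media; the function names, the user `jdoe` and the sample files are constructed.

```python
import hashlib
import os
import tempfile

# Extensions named in the text above, mapped to the store they usually indicate.
MAIL_EXTENSIONS = {
    ".pst": "Outlook personal folders (PST)",
    ".ost": "Outlook offline folders (OST)",
    ".nsf": "Lotus Notes database (NSF)",
    ".id": "Lotus Notes ID file",
    ".dbx": "Outlook Express folder (DBX)",
    ".eml": "Windows Mail message (EML)",
    ".mlm": "GroupWise user-initiated store (MLM)",
}
PST_MAGIC = b"!BDN"  # first four bytes of a genuine PST or OST container


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so multi-gigabyte containers do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_mail_stores(root):
    """List mail stores under root, sorted by relative path.

    header_ok is True/False for PST and OST files (signature check) and
    None for the other types, which this example does not validate.
    """
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()  # users rename to .PST, .Pst
            if ext not in MAIL_EXTENSIONS:
                continue
            path = os.path.join(folder, name)
            header_ok = None
            if ext in (".pst", ".ost"):
                with open(path, "rb") as handle:
                    header_ok = handle.read(4) == PST_MAGIC
            found.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "type": MAIL_EXTENSIONS[ext],
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "header_ok": header_ok,
            })
    return sorted(found, key=lambda item: item["path"])


def demo():
    """Build a constructed directory tree and inventory it."""
    outlook = "Users/jdoe/AppData/Local/Microsoft/Outlook"  # constructed user
    sample = {
        outlook + "/Outlook.pst": PST_MAGIC + b"\x00" * 60,
        outlook + "/Outlook.ost": PST_MAGIC + b"\x01" * 60,
        outlook + "/archive2008.PST": b"not a real container",  # wrong header
        "Users/jdoe/Documents/budget.xls": b"ignored: not a mail store",
        "Users/jdoe/Desktop/invoice.eml": b"Subject: constructed\r\n\r\nbody",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in sample.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as handle:
                handle.write(content)
        return inventory_mail_stores(root)


if __name__ == "__main__":
    for row in demo():
        flag = "  <-- header mismatch" if row["header_ok"] is False else ""
        print(f'{row["sha256"][:16]}  {row["size"]:>6}  {row["path"]}{flag}')
```

A header mismatch does not prove a file is irrelevant; it means the file needs a closer look before it is handed to a PST processing tool.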
Other Strange Sources of E-Mail
E-Mail Backups May Be Your Friend:
The availability of e-mail is considered to be business-critical in most environments. Because of this, most IT departments make regular backups of user mailboxes and mail server databases. It is important to find out how e-mail is backed up, and how often e-mail is backed up. Some IT departments will regularly back up individual user mailboxes, while others simply pack up the entire mail server database. In either case, it may be preferable to acquire a copy of a recent e-mail backup rather than interrupt a business-critical system.
Another advantage of e-mail databases and user mailboxes recovered from backups such as magnetic tape is that the backups may contain older e-mails that are no longer available on either the mail server or the individual user's computer. This can be a very important distinction as many IT departments enforce strict mailbox size and age limits on "live" e-mail (email still on servers) that would not apply to backups.
E-Mail Appliances:
In most large enterprise environments local delivery of e-mail to users is handled by an e-mail server such as Microsoft Outlook or IBM Lotus Notes. Incoming and outgoing organizational e-mail will often pass through a high-performance e-mail appliance and commonly a spam/antivirus filtering appliance. These appliances are sometimes known as mail gateways or Mail Transfer Agents (MTA). E-mail appliances are purpose-built computers designed to handle e-mail at speeds and volumes that a normal computer could not handle. E-mail appliances do not usually keep copies of incoming or outgoing e-mails, but they do often log the sender and destination e-mail addresses. This may be helpful in cases where the knowledge of the communication is more important than the content.