Show Me the E-Mail
Written by Ryan Meeks   
Friday, 13 February 2009 11:13

Many cases hinge entirely on the contents of e-mail and attachments.  Because of this, it is important to have a basic understanding of how the most common enterprise e-mail applications store their data.

Types of E-Mail Servers
     Microsoft Exchange
     IBM Lotus Notes
     Novell GroupWise
E-Mail is Boxes within Boxes
Where is the E-Mail Located?
     Server-Based
          Microsoft Exchange with Outlook
          IBM Lotus Notes
          Novell GroupWise
     Webmail
     Webmail through Outlook
     Outlook Express
     Windows Mail
Other Strange Sources of E-Mail
     E-Mail Backups May Be Your Friend
     E-Mail Appliances
 

Types of E-Mail Servers

In most environments, there are three types of e-mail or messaging server commonly in use.  Typically these are Microsoft Exchange, IBM Lotus Notes or Novell GroupWise.  It is not unusual in large enterprise environments to have any combination of these e-mail servers in use.  This is particularly common in situations where a company has acquired many smaller companies over a period of years.

  • Microsoft Exchange - Microsoft Exchange is the most commonly encountered mail server in corporate environments. Individual user mailboxes are extracted from an Exchange server into PST files, which is easily accomplished with the Microsoft-provided tool ExMerge.
  • IBM Lotus Notes - Lotus Notes is the second most commonly encountered mail server. Individual user mailboxes are stored as NSF files, and extracting them is easily accomplished.
  • Novell GroupWise - Novell GroupWise is an older mail server package that is no longer commonly found in most environments. GroupWise is known for its reliability and ease of maintenance, which keeps it from being replaced by newer systems. Extraction of individual user mailboxes (referred to simply as mailboxes) is notoriously difficult: it requires network access to the GroupWise server, GroupWise administrator permissions and expensive third-party software.

The bottom line on mail servers is, Microsoft Exchange and Lotus Notes are easy, Novell GroupWise is hard.

E-Mail Is Boxes within Boxes 

Modern e-mail servers and clients such as Microsoft Exchange and Outlook do not store e-mail as simple text files on the hard drive.  They store it in a proprietary database, which is itself held inside another proprietary database: the box within a box.  For example, Microsoft Outlook stores e-mail in a PST or OST file, which is actually a container for the e-mail messages and attachments.

In short, without a viewer or parser that understands the format (in this case, Microsoft Outlook) we cannot actually read the contents of a PST or OST file.  Opened in an ordinary editor, an individual's PST file simply looks like machine garble.

To make matters more complicated, individual user mailboxes are stored in yet another database on the server.  In the case of Microsoft Exchange, user mailboxes live inside an Exchange Database file, called an EDB file.  To complete the box-within-a-box analogy: a user's messages sit inside a mailbox, the first box (held on the user's computer as an Outlook PST or OST file), and that mailbox sits inside the Exchange Database file on the server, the second box.

There are a number of E-Discovery ramifications to the storage of e-mail databases within databases:

  • The server e-mail database may actually be several database files, none of which can simply be copied or forensically acquired while the mail server is running and has them open.
  • Some mail systems do not keep all of a user's e-mail in one place: part of it is on the server, part on the user's computer, and part in both locations.
  • Some e-mail systems use complicated security structures to protect users' mailboxes. This security can make the acquisition of e-mail for authorized E-Discovery purposes very difficult.
  • In some environments, system administrators make extensive use of mailbox encryption and compression features. Encrypted mailboxes require additional processing time while the mailboxes are decrypted or passwords recovered. Compressed mailboxes may lead to unrealistic collection estimates: the uncompressed volume of e-mail may be up to 10 times the size of the compressed mailbox.

Where Is the E-Mail Located?

Depending on which e-mail solution is used, an individual user's e-mail can reside only on their local computer, only on the e-mail server, or in a combination of both.  By default, each e-mail solution has its own way of handling individual user e-mail storage; however, it is important to keep in mind that an e-mail administrator can configure user e-mail storage however they like.  E-mail is usually stored as follows:

Server-Based: 

  • Microsoft Exchange with Outlook - Current Microsoft Exchange e-mail can always be acquired directly from the Microsoft Exchange server. In most environments users also have an Outlook PST file on their computer that may contain more information than what is stored on the Exchange server. Outlook users also frequently have OST files (Off-Line Folder files) on their computer. The OST file makes it possible for the user to work within Outlook while disconnected from the Exchange server and then synchronize the next time they are online. Because PST and OST files may contain differing information, it is important to acquire both. It is also quite common for users to archive old e-mail by creating additional PST files, which they can save wherever they choose. This means a user's computer could hold several PST and OST files that all contain different relevant e-mail. The default location of a PST file in Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Outlook. For Windows Vista, it is C:\Users\user\AppData\Local\Microsoft\Outlook. (Replace user with the user name specific to the computer.)
  • IBM Lotus Notes - Lotus Notes e-mail is stored in NSF files on the user's local system, as well as on the Lotus Notes or Domino server. Processing of Lotus Notes e-mail may also require the names.nsf and user.id files from the user's computer. These two additional files contain the security information (address book and the user's ID file) that may be required to properly process the e-mail. Frequently, Lotus Notes NSF files are simply converted to Outlook PST files to make them easier to process. The default location of an NSF file in Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Lotus\Notes\Data. For Windows Vista, it is C:\Users\user\AppData\Local\Lotus\Notes\Data. (Replace user with the user name specific to the computer.)
  • Novell GroupWise - Novell GroupWise e-mail is stored in a series of database files, typically five, on the Novell GroupWise server. Expensive third-party software must be used with administrator rights to extract user mailboxes from GroupWise servers. Once acquired, GroupWise mailboxes are also typically converted to Outlook PST files to make them easier to process. GroupWise does not create any storage on a user's machine unless the user initiates it. In that case the user specifies where the file is saved, and it receives an MLM extension.

Webmail:

Webmail is a type of e-mail that is hosted on an outside company's website and accessed through an internet connection.  The most common webmail providers are Yahoo, Google (gmail), AOL, and MSN (hotmail).  Although webmail is more commonly used as a personal e-mail account, it is not uncommon for employees to use it for business as well, especially for smaller companies that don't have the need for an e-mail server.

In its simplest form, all webmail is stored on the provider's server (i.e. Yahoo mail is stored on a Yahoo server).  The only trace of the e-mail found on the user's computer will be in their temporary internet files (the browser cache).  While it is sometimes possible to see full messages in these temporary files, they are typically only crumbs compared to the full content of the mailbox.  If discovery requires access to all of the mail from a webmail account, the webmail provider will usually release it on receipt of a proper subpoena.

Webmail through Outlook:

It is possible for a user to set up Outlook to download webmail so that it can be accessed without the web interface and viewed while offline.  By default, Outlook downloads only the message headers (sender, subject and date); once the user clicks an e-mail to view it, the body is downloaded.  Any downloaded information is stored in a local PST file.  This PST file and its contents are easily accessible for discovery from the user's machine, but it will contain only the mail that has actually been opened through Outlook.

Outlook Express:

Outlook Express is similar to Outlook but has fewer features.  It is more common for personal use, as it comes preinstalled on most computers.  Outlook Express stores e-mail in separate DBX files named after each folder, such as Inbox.dbx.  Usually DBX files need to be converted to PST in order to be processed.  The default location of DBX files on Windows XP is C:\Documents and Settings\user\Local Settings\Application Data\Identities\{###}\Microsoft\Outlook Express. (Replace user with the user name specific to the computer; ### is the identity's GUID, a long string of letters and numbers in braces.)

Windows Mail:

Windows Mail is the Vista replacement for Outlook Express.  It has since been replaced by Windows Live Mail.  Unlike Outlook Express, both Windows Mail and Windows Live Mail save each message as an individual file instead of in a container file.  Mail items are saved as EML files.  The default location for EML files in Windows Vista is C:\Users\user\AppData\Local\Microsoft\Windows Mail\Local Folders.  (Replace user with the user name specific to the computer.)
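Two of the points above can be demonstrated together: that a PST, OST or DBX file is an opaque container that needs a parser (the box-within-a-box section), and that a user's machine may hold mail containers well outside the default paths and under any file name (the Outlook, Outlook Express and Windows Mail items). The following Python script is an added example, not code from the original article or from any of the vendors named. It identifies mail containers by their leading bytes rather than by extension and sweeps a profile tree for them. The PST/OST header values come from Microsoft's published MS-PST specification and the DBX and ESE signatures are the well-known ones; the profile tree it builds is constructed test data, and the EML check is a heuristic because EML files have no magic number.

```python
"""Identify e-mail containers by header bytes, not extension, then sweep a
profile tree for them.  Added example; not code from the original article.

Signatures used (see the MS-PST open specification for PST/OST):
  PST/OST : bytes 0-3 = b'!BDN'; bytes 8-9 = b'SM' (PST) or b'SO' (OST);
            uint16 at offset 10 (wVer) = 14/15 ANSI, 23 or higher Unicode
  DBX     : bytes 0-3 = CF AD 12 FE (Outlook Express folder or Folders.dbx)
  EDB     : bytes 4-7 = EF CD AB 89 (ESE/Jet Blue database, e.g. Exchange priv1.edb)
  EML     : RFC 822 text; starts with a header line such as 'Received:' or 'From:'
  NSF     : not covered here; Lotus Notes files need the Notes client or a library
"""
import os
import struct
import tempfile

PST_MAGIC = b"!BDN"
DBX_MAGIC = b"\xcf\xad\x12\xfe"
ESE_MAGIC = b"\xef\xcd\xab\x89"
EML_HEADERS = (b"Received:", b"Return-Path:", b"From:", b"Message-ID:", b"MIME-Version:")


def classify_container(header: bytes):
    """Describe the mail container the first bytes of a file belong to,
    or return None when they match no known mail format."""
    if header[:4] == PST_MAGIC and len(header) >= 12:
        kind = {b"SM": "PST", b"SO": "OST"}.get(header[8:10], "PST/OST (unknown client tag)")
        (ver,) = struct.unpack_from("<H", header, 10)
        if ver in (14, 15):
            fmt = "ANSI (Outlook 97-2002, 2 GB limit)"
        elif ver >= 23:
            fmt = "Unicode (Outlook 2003 and later)"
        else:
            fmt = "unrecognised wVer=%d" % ver
        return "%s, %s" % (kind, fmt)
    if header[:4] == DBX_MAGIC:
        return "Outlook Express DBX folder"
    if header[4:8] == ESE_MAGIC:
        return "ESE database (Exchange EDB or other Jet Blue store)"
    # Heuristic only: EML has no magic, so look for a leading RFC 822 header line.
    if any(header.lstrip().startswith(h) for h in EML_HEADERS):
        return "RFC 822 message (EML)"
    return None


def find_mail_containers(root: str):
    """Walk a directory tree and return (relative path, description) for every
    file whose header identifies it as a mail container, whatever its name."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    header = fh.read(64)
            except OSError:
                # Locked by a running Outlook, or unreadable: a live collection
                # would record this and come back with a shadow copy or an image.
                continue
            kind = classify_container(header)
            if kind:
                found.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(found)


def _pst_header(client: bytes, ver: int) -> bytes:
    """Constructed 64-byte stand-in for a PST/OST header: magic, CRC placeholder,
    client tag, wVer, padding.  Enough for identification, not a valid file."""
    return PST_MAGIC + b"\x00" * 4 + client + struct.pack("<H", ver) + b"\x00" * 52


def demo():
    """Build a constructed user profile in a temp directory and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        outlook = os.path.join(root, "AppData", "Local", "Microsoft", "Outlook")
        stash = os.path.join(root, "Documents", "old projects")
        os.makedirs(outlook)
        os.makedirs(stash)
        samples = {
            os.path.join(outlook, "Outlook.pst"): _pst_header(b"SM", 23),
            os.path.join(outlook, "user@corp.example.ost"): _pst_header(b"SO", 23),
            # An old ANSI archive renamed to hide it: the extension lies, the header does not.
            os.path.join(stash, "budget.dat"): _pst_header(b"SM", 14),
            os.path.join(stash, "Inbox.dbx"): DBX_MAGIC + b"\xc5\xfd\x74\x6f",
            os.path.join(stash, "note.eml"): b"From: alice@corp.example\r\nSubject: hi\r\n\r\nbody\r\n",
            os.path.join(stash, "readme.txt"): b"not mail at all\n",
        }
        for path, data in samples.items():
            with open(path, "wb") as fh:
                fh.write(data)
        return find_mail_containers(root)


if __name__ == "__main__":
    for path, kind in demo():
        print("%-45s %s" % (path, kind))
```

Run it against a real profile by calling find_mail_containers on the profile root (C:\Users\user or C:\Documents and Settings\user) rather than only the default Outlook folder, since user-created archive PSTs can be anywhere; on a live machine the files Outlook has open will raise a sharing violation, which is the point at which to fall back to a shadow copy or a disk image.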

Other Strange Sources of E-Mail

E-Mail Backups May Be Your Friend:

The availability of e-mail is considered business-critical in most environments.  Because of this, most IT departments make regular backups of user mailboxes and mail server databases.  It is important to find out how e-mail is backed up, and how often.  Some IT departments regularly back up individual user mailboxes, while others simply back up the entire mail server database.  In either case, it may be preferable to acquire a copy of a recent e-mail backup rather than interrupt a business-critical system.

Another advantage of e-mail databases and user mailboxes recovered from backups such as magnetic tape is that the backups may contain older e-mails that are no longer available on either the mail server or the individual user's computer.  This can be a very important distinction, as many IT departments enforce strict mailbox size and age limits on "live" e-mail (e-mail still on servers) that do not apply to backups.

E-Mail Appliances:

In most large enterprise environments, local delivery of e-mail to users is handled by a mail server such as Microsoft Exchange or IBM Lotus Domino (the server behind Lotus Notes).  Incoming and outgoing organizational e-mail will often pass through a high-performance e-mail appliance and commonly a spam/antivirus filtering appliance.  These appliances are sometimes known as mail gateways or Mail Transfer Agents (MTAs).  E-mail appliances are purpose-built computers designed to handle e-mail at speeds and volumes that a normal computer could not.  E-mail appliances do not usually keep copies of incoming or outgoing e-mails, but they do often log the sender and destination e-mail addresses.  This may be helpful in cases where knowledge that a communication took place is more important than its content.
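The gateway logs described above are less convenient than they sound, because an MTA typically writes the sender and each recipient on separate lines, joined only by a queue ID, so "who wrote to whom" has to be reconstructed. The script below is an added example, not code from the original article or from any appliance vendor; the article names no log format, so the sample lines are constructed in Postfix syslog style, which is an assumed format, and the correlation logic is the part that carries over to other gateways.

```python
"""Correlate mail gateway (MTA) log lines into sender/recipient pairs.
Added example, not code from the original article.  The lines below are a
constructed sample in Postfix syslog style (an assumed format); the sender
and each recipient are logged on different lines and tied together only by
the queue ID, which is what the correlation step handles."""
import re
from collections import OrderedDict

# Constructed sample log, not captured from any real system.
SAMPLE_LOG = """\
Feb 13 09:12:01 mx1 postfix/smtpd[2211]: 7A1B2C3D4E: client=mail.example.net[192.0.2.10]
Feb 13 09:12:01 mx1 postfix/cleanup[2214]: 7A1B2C3D4E: message-id=<20090213091201.1@example.net>
Feb 13 09:12:01 mx1 postfix/qmgr[2001]: 7A1B2C3D4E: from=<alice@example.net>, size=4821, nrcpt=2 (queue active)
Feb 13 09:12:02 mx1 postfix/smtp[2230]: 7A1B2C3D4E: to=<bob@corp.example>, relay=exch01.corp.example[10.0.0.5]:25, delay=0.4, status=sent (250 Ok)
Feb 13 09:12:02 mx1 postfix/smtp[2230]: 7A1B2C3D4E: to=<carol@corp.example>, relay=exch01.corp.example[10.0.0.5]:25, delay=0.5, status=sent (250 Ok)
Feb 13 09:12:02 mx1 postfix/qmgr[2001]: 7A1B2C3D4E: removed
Feb 13 09:15:40 mx1 postfix/qmgr[2001]: 5F6E7D8C9B: from=<dave@corp.example>, size=910, nrcpt=1 (queue active)
Feb 13 09:15:41 mx1 postfix/smtp[2231]: 5F6E7D8C9B: to=<alice@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=1.1, status=bounced (550 5.1.1 User unknown)
Feb 13 09:15:41 mx1 postfix/qmgr[2001]: 5F6E7D8C9B: removed
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-F]+): (?P<rest>.*)$")
FROM_RE = re.compile(r"from=<(?P<addr>[^>]*)>")
TO_RE = re.compile(r"to=<(?P<addr>[^>]*)>.*?status=(?P<status>\w+)")
MSGID_RE = re.compile(r"message-id=<(?P<id>[^>]*)>")


def correlate(log_text: str):
    """Return one record per (message, recipient), joined across lines by queue ID."""
    queue = OrderedDict()   # qid -> sender, message-id and the delivery attempts seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue        # not an MTA line, or one this parser does not model
        entry = queue.setdefault(m["qid"], {"from": None, "message_id": None,
                                            "first_seen": m["ts"], "deliveries": []})
        rest = m["rest"]
        f = FROM_RE.search(rest)
        if f:
            entry["from"] = f["addr"] or "<>"    # empty envelope sender = bounce/notification
        mid = MSGID_RE.search(rest)
        if mid:
            entry["message_id"] = mid["id"]
        t = TO_RE.search(rest)
        if t:
            entry["deliveries"].append((m["ts"], t["addr"], t["status"]))
    rows = []
    for qid, e in queue.items():
        for ts, rcpt, status in e["deliveries"]:
            rows.append({"queue_id": qid, "time": ts, "from": e["from"], "to": rcpt,
                         "status": status, "message_id": e["message_id"]})
    return rows


def communication_pairs(rows):
    """Who wrote to whom, and how often, counting only deliveries the gateway completed."""
    counts = {}
    for r in rows:
        if r["status"] == "sent":
            key = (r["from"], r["to"])
            counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for r in correlate(SAMPLE_LOG):
        print("%(time)s %(queue_id)s %(from)s -> %(to)s [%(status)s]" % r)
    print(communication_pairs(correlate(SAMPLE_LOG)))
```

The queue ID is the join key; the message-id, when the gateway logs it, is what lets a gateway record be matched later against the same message found in a PST or EDB. Bounced deliveries are kept in the per-recipient rows but excluded from the pair counts, since a bounce shows an attempt, not a communication that reached the recipient.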