Single Item Recovery (Part 3)

by [Published on 22 Sept. 2011 / Last Updated on 22 Sept. 2011]

Finishing a look at Single Item Recovery in Exchange 2010, covering discovery searches and the MFCMAPI tool.


Introduction

This is the third and final part of an article looking at the Exchange 2010 feature called Single Item Recovery. In the first two parts we started by discussing what Single Item Recovery is and how the feature works. We then went on to show how enabling the feature adds an overhead to the size of the mailboxes on disk and ended up enabling the feature for a mailbox.

Now that Single Item Recovery has been enabled for a mailbox, we will complete this article by looking at the process of performing a discovery search after a user has purged specific contents of their mailbox in an attempt to hide information. We will then finish with a deeper look at how tools such as MFCMAPI can be used to view the contents of the Purges folder in a mailbox.

Administrator Actions

Now that Single Item Recovery has been enabled for a mailbox, let’s look at how this affects the user who owns that mailbox. Let’s consider the case where the user called Neil sends an email that he later wishes he hadn’t. The email that Neil has sent is shown in Figure 3-1; we will use the contents of the message body in a search later on.


Figure 3-1: The Email to be Recovered

Neil then decides to delete the email from his Sent Items and Deleted Items folders, and then proceeds to remove the email from the dumpster; this is shown in Figure 3-2. As far as Neil is concerned, he has done all that he can to remove this message. However, with Single Item Recovery enabled, things aren’t as straightforward for this particular user as we shall see.


Figure 3-2: Email Purged From Dumpster

Discovery Searches

Single Item Recovery allows a compliance officer to perform a discovery search and find the offending item. To do this, let’s look at the steps required. First of all, it is assumed that the compliance officer has the correct permissions in Role Based Access Control (RBAC) to perform discovery searches. Specifically, the compliance officer’s user account needs to be a member of the Discovery Management role group. This is achieved by using the Add-RoleGroupMember cmdlet. An example command to use is:

Add-RoleGroupMember 'Discovery Management' -Member compliance

In this example, the user account named compliance is added to the Discovery Management role group. Performing this action grants the user account the Mailbox Search management role, which is associated with the Discovery Management role group. The Mailbox Search management role allows this user account to perform searches using the Exchange Control Panel from within Outlook Web App. Let’s now look at the steps required for the compliance officer to perform the mailbox search.

  1. Launch OWA and navigate to the Exchange Control Panel.
  2. Ensure that My Organization is chosen from the Select what to manage drop-down box.
  3. In the resulting screen, select the Mail Control tab which will reveal the Discovery option as you can see from Figure 3-3. Here it is possible to perform multi-mailbox searches.


Figure 3-3: Multi-Mailbox Search Screen

  4. Click the New… button to create a new multi-mailbox search. This brings up the New Mailbox Search window as you can see from Figure 3-4.
  5. In the Keywords field, you can search for individual keywords, multi-word phrases or wildcards. In our example, we are looking for the multi-word phrase of “single item recovery”, hence the need to wrap these words in double quotation marks as you can see.


Figure 3-4: Keyword Selection

  6. In this particular example, the compliance officer has reason to believe that the user Neil has sent the offending message. Therefore, the compliance officer can click the Mailboxes to Search link and choose to search specific mailboxes as you can see from Figure 3-5.


Figure 3-5: Choosing Mailboxes to Search

  7. Next, the compliance officer clicks the Search Name, Type and Storage Location link and gives this search request an identifying name. The compliance officer can also choose the other options that you can see from Figure 3-6, such as estimating the search results or choosing to store the results in a particular destination mailbox. In this example, the compliance officer has elected to store the search results in the Discovery Search Mailbox. Being a member of the Discovery Management role group will give the compliance officer the permissions required to open this discovery search mailbox.


Figure 3-6: Defining Search Name, Type and Storage Location Options

  8. The compliance officer then saves the search query and is returned to the multi-mailbox search screen. In Figure 3-7, you can see that the status of the search is Search Succeeded.


Figure 3-7: Discovery Search Succeeded

  9. It is possible to use the scroll bar on the far right-hand side of Figure 3-7 to see the keyword statistics. These are shown in Figure 3-8 where it can be seen that the phrase that the compliance officer searched for appears once within the mailbox that was searched.


Figure 3-8: Keyword Statistics

  10. You will also notice the [open] link in Figure 3-8 that allows the compliance officer to view the contents of the Discovery Search Mailbox. If this link is selected, the discovery mailbox is opened via OWA. Of course, the compliance officer can also use Outlook to open the additional mailbox as you can see in Figure 3-9.


Figure 3-9: Opening the Discovery Search Mailbox in Outlook

  11. In Figure 3-9 you can clearly see the email that Neil sent, even though Neil had purged both his Deleted Items folder as well as the dumpster.

Of course, here we have demonstrated that Single Item Recovery is useful for discovery searches but at the same time you can see that it is possible to recover individual messages that users may have mistakenly deleted and purged from their dumpster.
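The same discovery search can be driven from the Exchange Management Shell, which also makes it easy to review who holds discovery rights before relying on them. The script below is an added example, not part of the original article; the search name is a hypothetical value, and it assumes the accounts compliance and neil from the walkthrough and that it is run by an account that is itself in Discovery Management.

```powershell
# Added example for Exchange 2010 (PowerShell 2.0 syntax).
$officer    = 'compliance'          # account from the article
$target     = 'neil'                # mailbox from the article
$searchName = 'SIR-Demo-Search'     # hypothetical search name

# 1. Review who holds discovery rights. Members can search any mailbox,
#    so this group should be small and its membership reviewed regularly.
$members = Get-RoleGroupMember -Identity 'Discovery Management'
$members | Format-Table Name, RecipientType -AutoSize
if (-not ($members | Where-Object { $_.Name -eq $officer -or $_.Alias -eq $officer })) {
    Write-Warning "$officer is not listed in Discovery Management."
}

# 2. Purged items are only kept for the retention period if
#    Single Item Recovery is enabled on the mailbox.
$mbx = Get-Mailbox -Identity $target
if (-not $mbx.SingleItemRecoveryEnabled) {
    Write-Warning "Single Item Recovery is disabled for $target."
}

# 3. Create the search with the same quoted phrase used in the ECP steps.
#    Exchange 2010 starts the search as soon as it is created.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes $target `
    -TargetMailbox 'Discovery Search Mailbox' `
    -SearchQuery '"single item recovery"' `
    -StatusMailRecipients $officer | Out-Null

# 4. Poll until the search leaves its running states (give up after 10 minutes).
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 10
    $search = Get-MailboxSearch -Identity $searchName
    $state  = "$($search.Status)"
} while ((@('NotStarted', 'InProgress') -contains $state) -and ((Get-Date) -lt $deadline))

# 5. Show the outcome; the copied items are in the target mailbox.
$search | Format-List Name, Status, ResultNumber, ResultSize, SourceMailboxes, TargetMailbox
```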

Using MFCMAPI

In part one of this article, we briefly looked at the MFCMAPI tool and saw how it can display the contents of the Recoverable Items folder. Let’s have a deeper look at the tool as we finish this article series. First, though, please note that this tool should be used very carefully as it is extremely powerful. If you’re learning about Single Item Recovery, you should only be using MFCMAPI in a test environment.

MFCMAPI can be downloaded from this link.

Once downloaded and installed, here’s what to do to examine the dumpster in Exchange 2010:

  1. Run the MFCMAPI.exe program.
  2. Click OK at the opening display screen to dismiss this window.
  3. The main MFCMAPI screen will now be displayed as shown in Figure 3-10.


Figure 3-10: The Main MFCMAPI Window

  4. Click the Session menu option and from the resulting menu presented, choose the Logon and Display Store Table option.
  5. Choose the relevant Outlook profile to log onto. The assumption here is that the profile exists to open Neil’s mailbox so that we can see the contents of the Recoverable Items folder in this mailbox.
  6. At this point Neil’s mailbox will now be displayed within the main MFCMAPI window as can be seen in Figure 3-11.


Figure 3-11: Mailbox Displayed in MFCMAPI

  7. Right-click Neil’s mailbox within the main window and choose the Open Store option from the menu.
  8. In the resulting window, expand the Root Container node and the mailbox structure and contents are displayed as shown in Figure 3-12. In my experience, the Recoverable Items folder will only be seen when the mailbox profile is not in cached mode.


Figure 3-12: Mailbox Structure in MFCMAPI

  9. Expand the Recoverable Items folder to reveal the Deletions, Purges and Versions sub-folders.
  10. Right-click the Purges folder and choose Open Contents Table from the menu. The result is shown in Figure 3-13.


Figure 3-13: Opening the Contents Table in MFCMAPI

  11. It can therefore be seen that the message in question is in the Purges folder of the dumpster. The message can then be opened and examined as normal.
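Where only the presence and volume of purged items needs confirming, a read-only report from the Exchange Management Shell avoids opening the store with MFCMAPI at all. The function below is an added example, not part of the original article; the function name is hypothetical and the mailbox neil is the one used in the walkthrough.

```powershell
# Added example for Exchange 2010 (PowerShell 2.0 syntax); read-only.
# Get-RecoverableItemsReport is a hypothetical helper name.
function Get-RecoverableItemsReport {
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$Mailbox
    )
    foreach ($id in $Mailbox) {
        $mbx = Get-Mailbox -Identity $id
        # RecoverableItems scope returns the Recoverable Items root plus
        # the Deletions, Purges and Versions sub-folders.
        Get-MailboxFolderStatistics -Identity $id -FolderScope RecoverableItems |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Mailbox               = $mbx.Name
                    SingleItemRecovery    = $mbx.SingleItemRecoveryEnabled
                    RetainDeletedItemsFor = $mbx.RetainDeletedItemsFor
                    Folder                = $_.Name
                    Items                 = $_.ItemsInFolder
                    Size                  = $_.FolderSize
                }
            }
    }
}

$report = Get-RecoverableItemsReport -Mailbox 'neil'
$report | Select-Object Mailbox, Folder, Items, Size, SingleItemRecovery, RetainDeletedItemsFor |
    Format-Table -AutoSize

# Items sitting in Purges while Single Item Recovery is off will not be held
# for the retention period, so flag that combination.
$report | Where-Object { $_.Folder -eq 'Purges' -and $_.Items -gt 0 -and -not $_.SingleItemRecovery } |
    ForEach-Object { Write-Warning "$($_.Mailbox): $($_.Items) purged item(s) but Single Item Recovery is disabled." }
```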

Summary

That completes the third and final part of this article series on the Single Item Recovery feature in Exchange 2010. This is a very useful feature of the product and one worth understanding, so hopefully this article series has helped you learn more about the feature.
