Track Email Message and User

Good Day,

We run an Exchange 2007 environment that consists of 2 servers.
An Edge server, and another server that has the CA, HT and Mailbox roles configured.
All of our users run Outlook 2007.

We suspect that a message was sent illegally from one of the users within our organization.
How do we search for that message or track it using certain words (or a string of words)? And can we run the search under one particular user, or will it just search the entire mailbox database for messages that include those words or string of words?
Treadstone21 Asked:
 
sven_jambor Commented:
Assuming that message tracking is enabled for your organization, then this tutorial should get you all the info you need: http://www.msexchange.org/tutorials/Exchange-2007-Message-Tracking-Part1.html (also read part 2)
0
 
Mestha Commented:
Message tracking will only give you information on the subject line, to and from. Nothing about the body.
For body type searches you will need to use export-mailbox.

This article from the MS Exchange team pretty much explains the scenario.
http://msexchangeteam.com/archive/2006/12/18/431934.aspx

Simon.
0
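An added example, not part of the original thread, showing the two searches discussed above in the Exchange Management Shell: message tracking for envelope data, then Export-Mailbox for body keywords, first for one user and then for a whole database. The server, database, mailbox names, keywords and dates are placeholders; the Export-Mailbox keyword filters assume Exchange 2007 SP1 or later.

```powershell
# Run in the Exchange Management Shell. All names and values are placeholders.
$suspect   = 'jdoe@example.com'              # assumed: mailbox under review
$reviewBox = 'investigations'                # assumed: mailbox that receives copies
$keywords  = 'project falcon', 'price list'  # assumed search terms
$start     = Get-Date '2009-01-01'
$end       = Get-Date '2009-01-31'

# 1. Message tracking: envelope data only (time, sender, recipients, subject).
#    Recipients is an array, so flatten it before writing the CSV.
Get-MessageTrackingLog -Server 'HUB01' -Sender $suspect `
        -Start $start -End $end -ResultSize Unlimited |
    Select-Object Timestamp, EventId, Source, Sender,
        @{ Name = 'Recipients'; Expression = { [string]::Join(';', $_.Recipients) } },
        MessageSubject, MessageId |
    Export-Csv "$env:TEMP\tracking-jdoe.csv" -NoTypeInformation

# 2. Body search scoped to ONE mailbox. Matching items are copied (not moved,
#    because -DeleteContent is not used) into a folder of the review mailbox.
#    -ContentKeywords matches message body and attachment content.
#    The account running this needs Full Access to source and target mailboxes.
Export-Mailbox -Identity $suspect `
    -TargetMailbox $reviewBox -TargetFolder 'Review-jdoe' `
    -ContentKeywords $keywords `
    -StartDate $start -EndDate $end -Confirm:$false

# 3. Same search across EVERY mailbox in a database: pipe Get-Mailbox into
#    Export-Mailbox. -AllContentKeywords also matches the subject line.
Get-Mailbox -Database 'MBX01\First Storage Group\Mailbox Database' -ResultSize Unlimited |
    Export-Mailbox -TargetMailbox $reviewBox -TargetFolder 'Review-all' `
        -AllContentKeywords $keywords `
        -StartDate $start -EndDate $end -Confirm:$false
```

Use a dedicated review mailbox with restricted access as the target, since it will hold copies of other users' mail.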
 
bitMASTERS Commented:
This will only work for messages that are still in existence in some form in an inbox, sent items, deleted folder etc. So, if your user is semi-savvy and knows to delete messages from all folders then it's gone. In order to guarantee you can track all messages in the future, you can use journaling. Here's a good article: http://technet.microsoft.com/en-us/magazine/2006.12.journaling.aspx?pr=blog

I recommend using journalling with a 3rd party product such as arcmail that accepts the journalled email and indexes it for fast retrieval. Read the "Now where did that email go?" blog at http://arcmail.bitmasters.com for info.

0
 
Treadstone21 (Author) Commented:
The journaling suggestion is very helpful.
0
 
sven_jambor Commented:
btw, I just implemented a great archiving tool: Mimosa NearPoint. It's got its quirks, but the great thing about it is that it archives all items in your Exchange environment - no matter what, at zero impact to your Exchange servers (contrary to what journalling does). The way they're dealing with mail makes it useful for forensic purposes - which, in effect, is what you're doing here. Plus, of course, it allows you to slim down your Exchange db's by archiving to the archive and then deleting online content. And no, I don't own any of their stock :-)
0