Searching the Store for Specific Content


Sometimes it’s necessary to search your Exchange databases for particular content. For example, one client of mine, a law firm, was required to produce all messages containing a certain key phrase sent within a two-year window—not a trivial task. Apart from the obvious legal applications of these searches, it can be useful to be able to locate all copies of messages with keywords if you need to eradicate a macro virus, confidential document, or other piece of unwanted message content. First you have to find it.

If you only need to search one mailbox, that’s simple. Turn on Exchange’s content indexing, log on to the mailbox you want to search, and then perform your search. Of course, you have to log on to the mailbox to search it, which is inconvenient, and you can only search one mailbox at a time, but these are minor impediments. If you want to search multiple mailboxes, things get a little tougher.

Searching Mailboxes with Exmerge

You can use Microsoft’s free Exmerge tool (included on the Exchange 2000 product CD in the Support\Utils\I386\Exmerge\ directory, in the Exchange 2000 Service Pack 1 and later versions, or available directly from Microsoft’s Product Support Services organization) to find and remove messages by subject line or attachment name. This functionality was designed to ease the process of removing macro viruses, which often have fixed subject lines or predictable attachment names. Although this is not as useful as being able to keyword-search message bodies and attachments, it’s certainly better than nothing, and it is free.

Note

In Exchange 5.5, you could use Microsoft’s free Isscan tool to search for and remove messages. However, Isscan only understands the 5.5 priv.edb format, and it has no support for multiple message stores or storage groups. If you try to run it against Exchange 2000, you’ll find that it won’t work.

Exmerge has one significant drawback: when you use it to scan for messages, it removes any messages that it finds from the store and copies them into a personal folder file (.pst); after all, that’s what the tool is designed to do. Because you usually won’t want to tip off your search targets by making the critical evidence disappear from their mailboxes, the best solution is to work on a copy of the mailbox databases, scanning the copy and extracting the messages without touching the original data. This is the equivalent of doing an alternate-server disaster recovery. See Microsoft’s Exchange Web site (http://www.microsoft.com/exchange/) for information on the best way to accomplish this.

Follow the instructions in the Exmerge.doc file to install Exmerge. Once you install Exmerge on your Exchange server and run it, the Exmerge Wizard starts up. After the Welcome page, you’ll be asked whether you want to do a one-step or two-step Exmerge run. The one-step process exports messages and reimports them to the destination server. In this case, it would be better to leave the messages in their destination .pst file so you can inspect them. Accordingly, select Extract Or Import (Two-Step Process) in the Procedure Selection wizard page and click Next.

The first interesting wizard page for this task is the Source Server page (see Figure 9-4). Use this page to specify the mailbox server you want to scan, keeping in mind that Exmerge scans all databases on all storage groups of the server.

Figure 9-4: Use the Source Server page to select which mailbox server you want to scan.

In the Source Server page, you’ll need to click Options to display the Data Selection Criteria dialog box, which has five tabs you can use to specify which messages to extract and what to do with them:

  • The Data tab lets you control which messages are retrieved. By default, only the User Messages And Folders check box is selected. You can optionally tell Exmerge to pull associated system messages or items from the deleted items retention cache, and you can force it to copy the permissions of individual items as it moves them.

  • The Import Procedure tab controls whether the messages are copied or merged into the target .pst file or mailbox. These options can make a big difference in the size of the target store when you’re moving lots of mail data, but for our purposes they are largely irrelevant.

  • The Folders tab lets you specify which folders are searched. You can choose to search or exclude any of the standard Outlook folders (Calendar, Contacts, Tasks, Journal, Notes, Inbox, Deleted Items, Outbox, and Sent Items), and you can specify whether subfolders of the selected folders should be searched or skipped. For more efficient message searches, you might want to select the Process Only These Folders option in this tab to limit searches to the Inbox folder and its subfolders.

  • The Dates tab lets you specify a date range for searching. If you’re retrieving items from the deleted items retention cache, note that they’ll always be retrieved, whether they fall into the specified date range or not.

  • The Message Details tab (see Figure 9-5) is where you tell Exmerge what to look for. You can specify one or more message subjects (which are matched according to the setting you pick from the Subject String Compare Criteria drop-down list) and one or more attachment names. If you specify only subjects or only attachments, any message that matches any of the specified items is extracted. If you provide lists of both subjects and attachments, only messages that have a matching subject and at least one of the provided attachment names are extracted.

    Figure 9-5: The Message Details tab gives you the ability to scan by subject line or attachment name.
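
The selection rules described for the Dates and Message Details tabs can be modelled in a few lines. The following is an added example, not Exmerge code or anything from the original text: the `Message` and `Criteria` classes, the two compare modes, the case-insensitive matching, and the sample messages are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Message:                      # constructed stand-in for a mailbox item
    subject: str
    attachments: list
    sent: date
    from_retention_cache: bool = False

@dataclass
class Criteria:                     # hypothetical model of the Dates and Message Details tabs
    subjects: list = field(default_factory=list)
    attachment_names: list = field(default_factory=list)
    start: date = date.min
    end: date = date.max
    compare: str = "substring"      # assumed modes: "substring" or "exact", both ignoring case

def subject_matches(msg, crit):
    s = msg.subject.lower()
    if crit.compare == "exact":
        return any(s == w.lower() for w in crit.subjects)
    return any(w.lower() in s for w in crit.subjects)

def attachment_matches(msg, crit):
    names = {a.lower() for a in msg.attachments}
    return any(w.lower() in names for w in crit.attachment_names)

def would_extract(msg, crit):
    # Dates tab: retention-cache items skip the date filter (assumed to skip only that).
    if not msg.from_retention_cache and not (crit.start <= msg.sent <= crit.end):
        return False
    if crit.subjects and crit.attachment_names:     # both lists given: AND
        return subject_matches(msg, crit) and attachment_matches(msg, crit)
    if crit.subjects:                               # one list given: any match
        return subject_matches(msg, crit)
    if crit.attachment_names:
        return attachment_matches(msg, crit)
    return True                     # assumed: no detail filter selects everything in range

# Constructed sample mailbox contents.
SAMPLE = [
    Message("Quarterly invoice", ["invoice.doc"], date(2001, 3, 1)),
    Message("RE: Quarterly invoice", ["renamed.doc"], date(2001, 3, 2)),
    Message("Lunch?", ["invoice.doc"], date(2001, 3, 3)),
    Message("Quarterly invoice", ["invoice.doc"], date(1999, 1, 1)),
    Message("Quarterly invoice", ["invoice.doc"], date(1999, 1, 1), from_retention_cache=True),
]

def extracted(crit, messages=SAMPLE):
    """Indexes of the sample messages the modelled criteria would extract."""
    return [i for i, m in enumerate(messages) if would_extract(m, crit)]
```

Supplying both lists narrows the result: the second sample message, a reply whose attachment was renamed, is caught by a subject-only search but missed once an attachment list is added.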

Once you’ve filled out the tabs in the Data Selection Criteria dialog box, you might want to proceed to the Database Selection wizard page of Exmerge, depending on the configuration of your Exchange server. This page lists all of the databases and storage groups on the target server so you can select which databases you want to search. After you pick the databases, the next wizard page allows you to choose the mailboxes you want to scan. For both of these pages, there are handy Select All buttons that help you quickly scan everything.

The next interesting page is the Target Directory page, where you tell Exmerge where to put the .pst file containing extracted messages. If you’re scanning mailboxes for security reasons, this directory should be on a machine with appropriate security protections (including NTFS permissions on the extracted message file). Next comes a page in which you can save your Exmerge settings to a file for future use, and the next page actually starts the scan.




Secure Messaging with Microsoft Exchange Server 2000
ISBN: 735618763
EAN: N/A
Year: 2003
Pages: 169
