Tuesday, August 5, 2014

Exchange 2010 Search and Restore deleted email

Story goes something like this...  (we'll use a fictitious name of Mary Lost to protect the innocent here)
Mary: "I never got super important email".
Me: "Are you sure they sent it?"
Mary: "Definitely"
Me: "Type the sender or subject in the search and click 'All Outlook Items'"
Mary: "Can't, I never got it at all"
Me: "Okay, let me see what I can find. Who sent it?"

And so my quest began to find the "missing" email that was never received but definitely had been sent.

To start, I do a simple search of the user's mailbox. Attach mailbox, search, nothing...

Now we can look to see if the system ever received it. In my case we use MXLogic (now McAfee), so to start with I could run a message audit at that level. Yep, MXLogic shows it being delivered to the Exchange server. Don't use MXLogic? No problem, just go straight to the Exchange server to look.
Check Exchange for receipt:
  1. Open the EMC
  2. Toolbox
  3. Tracking Log Explorer
  4. Enter the recipient, subject and dates, and look for the email.
  5. Note: I found it best to do this from the Exchange server itself. Otherwise you have to properly populate the "server" field, and even then I got mixed results.
Once you've found the message you can see the EventID, which will likely be "RECEIVE". If you can't find it here then likely the message was never sent.

Great, now I KNOW it was delivered, so perhaps it was deleted? After some research I found that it may not be easy to tell whether it was deleted unless audit logging was turned on beforehand. Bleh, we don't need to know that badly. But can we restore it...? That's what is really important here.

So we know:
  1. It was delivered to the mailbox
  2. It's no longer there
  3. Thus it was likely deleted
  4. Since it's not in the Deleted Items folder, it was either Shift+Deleted, or also deleted from Deleted Items, or the computer monster ate it.
  5. All that really matters is it's gone and we want it back.

Fire up the EMS (PowerShell)!
In this case I'm going to search Mary Lost's mailbox for the SearchQuery string (subject, from, etc.) and give it a TargetMailbox that is my mailbox, so that the restored message goes into my mailbox under a TargetFolder named "Recovery". (The TargetFolder will be auto-created if it doesn't already exist.)

Search-Mailbox mlost -TargetMailbox Me -TargetFolder "Recovery" -SearchQuery "from:important@dude.com" -LogLevel Full

Now Mary's missing email is in my mailbox under a folder called "Recovery".  Copy it back to her inbox and all done :)
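The whole procedure above as one Exchange Management Shell script, with a dry run before the copy. This is an added example, not the author's own script; it assumes Exchange 2010 SP1 or later, reuses the names from the story, and the 14-day search window is an assumption.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010 SP1 or later assumed).
# Names come from the story above; the 14-day window is an assumption.
$Mailbox = 'mlost'
$Sender  = 'important@dude.com'
$Admin   = 'Me'
$Start   = (Get-Date).AddDays(-14)
$End     = Get-Date

# 1. Shell equivalent of the Tracking Log Explorer check: query every
#    Hub Transport server so the "server" field does not matter.
$rcpt = (Get-Mailbox -Identity $Mailbox).PrimarySmtpAddress.ToString()
$hits = Get-TransportServer |
    Get-MessageTrackingLog -Sender $Sender -Recipients $rcpt -Start $Start -End $End -ResultSize Unlimited |
    Where-Object { 'RECEIVE', 'DELIVER' -contains $_.EventId } |
    Sort-Object Timestamp
$hits | Format-Table Timestamp, EventId, ServerHostname, MessageSubject -AutoSize
if (-not $hits) {
    Write-Warning 'No RECEIVE/DELIVER event found in this window.'
    return
}

# 2. Dry run: count matches first so a broad query does not copy a pile of
#    unrelated mail into the admin mailbox. This estimate covers the whole
#    mailbox, including Recoverable Items.
$query    = "from:$Sender"
$estimate = Search-Mailbox -Identity $Mailbox -SearchQuery $query -EstimateResultOnly
'{0} item(s), {1}' -f $estimate.ResultItemsCount, $estimate.ResultItemsSize

# 3. Copy only what sits in Recoverable Items (the dumpster). No -DeleteContent
#    is given, so the source mailbox is left untouched.
if ($estimate.ResultItemsCount -gt 0) {
    Search-Mailbox -Identity $Mailbox -SearchQuery $query -SearchDumpsterOnly `
        -TargetMailbox $Admin -TargetFolder 'Recovery' -LogLevel Full
}

# 4. Turn on owner audit logging so the next deletion can be attributed.
Set-Mailbox -Identity $Mailbox -AuditEnabled $true `
    -AuditOwner HardDelete, SoftDelete, MoveToDeletedItems
```

The copied message and the search log both land in the administrator's mailbox, so remove the Recovery folder once the message is back with its owner.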

