Client Background

Every so often, you work with a client you’ll never forget. This was certainly one of them. A New Jersey law firm was defending their clients, a company and their union. The company ran their own email server on a platform named Microsoft Exchange Server. Years before, the Federal Bureau of Investigation served a warrant on the premises of the company. As part of evidence collection, the FBI captured forensic copies of the server’s disks and mail system database files. The FBI provided the raw email database files to the defense team during discovery. To defend the company in court, the law firm needed the information gathered by the FBI.

The Breakdown: FBI Seizure and eDiscovery

Because the FBI is on the prosecution side, they are only obligated to provide the law firm with the raw evidence copies collected. These copies of evidence are fairly simple for the FBI to reconstruct with sophisticated and sometimes expensive software. This is standard and expected, but it does put the defense team at a disadvantage in finding usable and searchable copies of the evidence. After the evidence seizure, the Exchange Server disks were in an FBI forensics lab. Because of this, the systems administrator at the company created a new Exchange Server and recovered the email server from backup. Exchange Servers are complicated systems, and some minor decisions made by the systems administrator years before would come back to haunt the defense team’s eDiscovery efforts.

The normal process would be to simply copy the old database files to the Exchange Server and attach them. The second choice would be to purchase software to open the files and recover the email. For some very technical reasons, at the time the work was performed, these tools were lacking on many levels. As a result, neither of these options was available. The only choice was to reconstruct the original server as it was. The recovery choices and some significant changes to Exchange Server over the years made this very complicated.

The Referral

The law firm had a dedicated IT consultant, but this skill set was beyond his technical realm. He knew about our background and reputation from a previous work relationship and brought us in to take over and complete the project. IT staff cannot know every solution, and this particular consultant was capable and gifted, but did not have the level of expertise in Exchange Servers required.

Our Work

  • Obtain non-destructive copies of the evidence on site
  • Capture all current settings of the Exchange Server
  • Interview the previous system administrator for clues about the old setup and obtain a full list of employees that were on the server
  • Build a new Exchange Server
  • Attach the Exchange Server databases to the new infrastructure
  • Export the email, calendar, tasks, and other components of the mailboxes into a usable format for the defense team

Why was the eDiscovery consulting work important?

The law firm and the IT consultant that worked with them were both in a very difficult situation. They could easily have lost their clients. eDiscovery, forensics, compliance and litigation intimidate even the most seasoned consultants. Our ability to think outside the box, combined with solutions based on years of experience, was the perfect mix to resolve this issue. While we never found out the result of the court case, it was satisfying to be able to resolve an extremely challenging task that baffled two previous technologists.


From “Investigate Exchange Server Mailboxes with Exchange Forensic Tool” A tool that was not capable of resolving our issue at the time, but the write-up gives a good background on the ins and outs of the recovery.
