
The procedure suggested by forensics companies to make a copy of a user's mailbox in a forensically sound manner is to use New-MailboxExportRequest.

What information is modified (if any) by the use of this command?

My understanding is that the action is logged but was under the impression that the mailbox data themselves were not modified.

I would appreciate technical references if possible (I did not find any).

WoJ

1 Answer


Mailbox export request is the industry standard way to export data from Exchange for compliance, audit, and compliance purposes.

No data is modified, BUT it is possible to constrain the output to a certain date range, search for specific content, or include/exclude different folders.

If the archive parameter is set, then data will be removed from the mailbox.

makerofthings7
  • I know that this is the command which is used - I was more looking for either references from forensics SOPs or technical information about the modifications (or lack of) this command does when run against a mailbox (and an Exchange server) – WoJ Sep 23 '15 at 13:54
  • @WoJ At a minimum, the server will log that an export was done in the Event log and a few other places – makerofthings7 Feb 20 '16 at 18:07
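
An added example, not part of the question or answer above: a scoped export as the answer describes (date range plus a folder filter), followed by the records an examiner would keep, namely the request report, a hash of the resulting PST, and the admin audit log entry for the cmdlet. The mailbox alias, UNC path and job name are placeholders, and the script assumes the Exchange Management Shell, an account holding the Mailbox Import Export role, and admin audit logging enabled.

```powershell
# Added example. All three values below are hypothetical placeholders.
$Mailbox = 'jdoe'                                    # mailbox alias (placeholder)
$PstPath = '\\fileserver\evidence\jdoe-2015H1.pst'   # UNC share writable by Exchange (placeholder)
$JobName = 'case-0001-jdoe'                          # export request name (placeholder)
$Started = Get-Date                                  # used later to bound the audit search

# Constrain the export: received-date range and a single well-known folder.
$filter = "(Received -ge '01/01/2015') -and (Received -le '06/30/2015')"
New-MailboxExportRequest -Mailbox $Mailbox -Name $JobName -FilePath $PstPath `
    -ContentFilter $filter -IncludeFolders '#Inbox#'

# Poll until the request reaches a terminal state.
do {
    Start-Sleep -Seconds 30
    $req = Get-MailboxExportRequest -Name $JobName
} while ($req.Status -notin 'Completed', 'CompletedWithWarning', 'Failed')

# Keep the full request report (item counts, skipped items, timestamps) with the case file.
$req | Get-MailboxExportRequestStatistics -IncludeReport |
    Format-List | Out-File ".\$JobName-report.txt"

# Hash the PST as soon as it is written so later copies can be verified against it.
Get-FileHash -Path $PstPath -Algorithm SHA256 |
    Export-Csv ".\$JobName-sha256.csv" -NoTypeInformation

# Record what the server logged about the export itself.
Search-AdminAuditLog -Cmdlets New-MailboxExportRequest -StartDate $Started |
    Select-Object RunDate, Caller, ObjectModified, CmdletParameters, Succeeded |
    Export-Csv ".\$JobName-auditlog.csv" -NoTypeInformation
```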