Collecting The Exchange Dumpster
Forensic Email Collector allows you to acquire the emails found in the Recoverable Items folder (also known as the dumpster in earlier Exchange versions). The Recoverable Items folder contains the following subfolders:
- Deletions (contains items deleted from the Deleted Items folder)
- Versions (contains the original and modified copies of the deleted items if in-place hold or litigation hold is enabled)
- Purges (contains all items that are hard deleted if litigation hold or single item recovery is enabled)
- Audits (contains the audit log entries if mailbox audit logging is enabled)
- DiscoveryHolds (contains hard deleted items that meet hold query parameters if in-place hold is enabled)
- Calendar Logging (contains calendar changes that occur within a mailbox)
These folders, to the extent available, can be found at the end of the folder tree in an Exchange acquisition. The screenshot below shows 19 items that were deleted from the Deleted Items folder, which can be acquired by FEC:
Exchange terminology concerning deletions is as follows:
- When an item is deleted, it is removed from any folder and placed inside the Deleted Items folder in the mailbox.
- If an item is deleted from the Deleted Items folder, it is moved into the Recoverable Items folder and is said to be soft deleted. The end user can soft delete an item directly (i.e., bypassing the Deleted Items folder) by using the Shift+Delete key combination.
- When an item is marked to be purged from the mailbox database, that item is hard deleted (also known as a store hard delete).
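To tie the two lists together, here is an added triage helper (not FEC's own code) that maps an acquired item's folder path to the deletion state defined above and reports which Recoverable Items subfolders an acquisition should contain given the mailbox's hold and audit settings. The folder-path layout (`Recoverable Items/<subfolder>`) and the sample paths and settings are assumptions for the example.

```python
# Added example, not part of FEC: classify acquired items by deletion state and
# check the dumpster subfolders present against what the mailbox settings imply.
from collections import Counter

# Recoverable Items subfolder -> settings that populate it (from the list on this
# page). None means the subfolder is populated without any hold setting.
DUMPSTER_SUBFOLDERS = {
    "Deletions": None,
    "Versions": ("in_place_hold", "litigation_hold"),
    "Purges": ("litigation_hold", "single_item_recovery"),
    "Audits": ("mailbox_audit_logging",),
    "DiscoveryHolds": ("in_place_hold",),
    "Calendar Logging": None,
}

def _parts(folder_path):
    return [p for p in folder_path.replace("\\", "/").split("/") if p]

def deletion_state(folder_path):
    """active / deleted (Deleted Items) / soft deleted (Deletions) / hard deleted
    (Purges); any other dumpster subfolder is reported by name."""
    parts = _parts(folder_path)
    if "Recoverable Items" in parts:
        i = parts.index("Recoverable Items")
        sub = parts[i + 1] if i + 1 < len(parts) else ""
        if sub == "Deletions":
            return "soft deleted"
        if sub == "Purges":
            return "hard deleted"
        return f"recoverable items/{sub.lower()}" if sub else "recoverable items"
    return "deleted" if "Deleted Items" in parts else "active"

def expected_dumpster_subfolders(settings):
    """Subfolders that should exist for a dict of enabled mailbox settings."""
    return {name for name, needs in DUMPSTER_SUBFOLDERS.items()
            if needs is None or any(settings.get(k, False) for k in needs)}

def triage(item_paths, settings):
    """Return (counts per deletion state, expected subfolders missing from the
    acquisition); a non-empty missing list is a cue to re-check the export."""
    counts = Counter(deletion_state(p) for p in item_paths)
    seen = {_parts(p)[_parts(p).index("Recoverable Items") + 1]
            for p in item_paths if "Recoverable Items" in _parts(p)[:-1]}
    return dict(counts), sorted(expected_dumpster_subfolders(settings) - seen)

# Constructed sample data mirroring the end of an Exchange acquisition tree.
SAMPLE_PATHS = [
    "Top of Information Store/Inbox", "Top of Information Store/Deleted Items",
    "Recoverable Items/Deletions", "Recoverable Items/Deletions",
    "Recoverable Items/Purges", "Recoverable Items/Versions",
]
SAMPLE_SETTINGS = {"litigation_hold": True, "mailbox_audit_logging": True}
```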
For details on the Recoverable Items folder, see Microsoft's documentation: Recoverable Items folder in Exchange 2016