For the future make sure that you have deleted mail retention enabled and set to something reasonable like 7-14 days days. That way even if they delete it is still on the server and recoverable by the user or admin for up to that amount of time (or slightly longer if the full backup has not occurred, see the options on it for full details).
What you can't track is if they opened it, cut and pasted (or right clicked and saved/exported it out) then attached it into another e-mail program like a gmail account, etc and sent it along that way. Without knowing your office security procedures I can think of many ways to get a copy sent out unless somebody was smart enough to close those loopholes (gmail, yahoo, msn, etc). A SSH session can be setup to allow tunneling so if ssh is allowed out I can get almost anything out to a linux box and then reconnect that to anyplace else without you knowing. Take exported message and put it on a thumb drive? Attach to the mail server with a imap account which will show it being read but then save it off and send it along another route, etc... Zip/winrar it with a password and upload it to a site like pastebin, or megaupload.com, very many ways to get things out if you are hell bent on doing it. (and before somebody say's can't attach bin to pastebin, if it's small enough use bin2hex, uuencode, etc. type program to convert to text). -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Braun, Charles Sent: Tuesday, September 16, 2008 11:54 AM To: Exchange Discussions Subject: RE: Advanced tracking of messages I thought about restoring the mailbox. That would not show me much more though than if the person had forwarded the message (find in sent items) and even that is not 100% accurate as the person could possibly have deleted it from sent items. It doesn't seem that I am going to be much help to the investigation process this time around. Is there any sort of advanced logging or tracking that I might be able to turn on in the event I get a request like this in the future? I know that if there is such a thing, that it would be a huge resource hog, but I am sure that the question will at least be asked by those in charge when I break the news to them that I can't provide much in this case. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] t.com Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with. _________________________________________________________________ List posting FAQ: http://www.swinc.com/resource/exch_faq.htm Web Interface: http://intm-dl.sparklist.com/read/?forum=exchange To subscribe: http://e-newsletters.internet.com/discussionlists.html/ To unsubscribe send a blank email to [EMAIL PROTECTED] Exchange List admin: [EMAIL PROTECTED] To unsubscribe via postal mail, please contact us at: Jupitermedia Corp. Attn: Discussion List Management 475 Park Avenue South New York, NY 10016 Please include the email address which you have been contacted with.
