Let’s go through why one would need to recover emails.
- During configuration of retention or archive rules, mistakes are made, and important emails are deleted for the user.
- Emails have been deleted by mistake, for example during a cleanup.
- The user created rules in Outlook and emails were being purged.
- Malicious scripts or hacked mailbox.
There are two places where a user can recover emails. The first is the Deleted Items folder of the user’s mailbox. If the user empties the Deleted Items folder by right-clicking it and clicking Empty folder, the items are not deleted but are moved to the Recoverable Items folder, which can be accessed from the Deleted Items folder through the Recover items deleted from this folder option.
Once the user clicks on the Recover items deleted from this folder, they can have one last chance to recover items before these are completely purged.
From here the user will be able to restore the file to either its original location or a new one. The drawback of the Recoverable Items folder is that one cannot search through it and there is no indication of where the item was prior to being purged.
This is where the user is empowered to recover deleted and purged items. But what happens when the emails have also been deleted from the Recoverable Items folder? Are these completely lost?
If there is a litigation hold set on the mailbox or server, the Exchange Server Administrator can recover the items manually from the Exchange Server by using the Compliance part of the server to run a Discovery Search on the mailbox. These can then be exported to PST and given to the user. Let’s go through the process for when the deleted items cannot be found in the Deleted Items folder or the Recoverable Items folder.
Discovery Search Requirements
To recover the items from the purged items, we need to run a discovery search in our Exchange Server. To do this, we need to make use of the commands Search-Mailbox and New-MailboxExportRequest in the Exchange Management Shell (EMS). We need the right roles and permissions to run the commands.
For each command we need to run the following to get what roles and permissions are needed to run the commands.
Then we need to run the following command to get the management role type and assignment.
$Permissions = Get-ManagementRole -Cmdlet Search-Mailbox   # run again with New-MailboxExportRequest
$Permissions | ForEach-Object { Get-ManagementRoleAssignment -Role $_.Name -Delegating $false | Format-Table -Auto Role,RoleAssigneeType,RoleAssigneeName }   # who holds each role
Once this is done and the roles/permissions are set on the user who will be executing the command, we can continue the process.
Searching for the deleted items
Before we can recover any data from the server, we need to search for it in the database. This can be done with the first command, Search-Mailbox. Below is an example of a search from the user’s mailbox. There might be cases where the user has simply misplaced the email and a search in Outlook did not find it.
The SearchQuery option uses the standard Keyword Query Language (KQL), which can be used in several combinations.
The command above will search in the source mailbox administrator@company.lan. It will search for emails sent from user@othercompany.lan with the keyword importantstuff. If the items are not found, we can try to look in the Search Dumpster using the option SearchDumpsterOnly, as in the below example.
Restoring the data to PST
Now that we have the results from the compliance search, we need to extract the data to give to the user. To extract the found data to a PST we need to use the New-MailboxExportRequest command in the Exchange Management Shell (EMS).
The command will export into a PST file all the emails from the folder specified that match the filter specified. You can also filter by date from, date to, date range, recipient, or sender. If you do not want to use the filter, remove the ContentFilter part and all the emails will be exported.
Once ready, one can copy or deliver the PST file to the user requesting the recovery.
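The search-then-export procedure described above, written out as one Exchange Management Shell script. This is an added example, not the article's original commands; the discovery mailbox, target folder, request name and UNC share are assumed names.

```powershell
# Added example. Run in the Exchange Management Shell on an on-premises server.
# Values marked "assumption" are placeholders, not taken from the article.
$Source    = 'administrator@company.lan'                 # source mailbox (from the article)
$Query     = 'from:"user@othercompany.lan" AND importantstuff'   # KQL query
$Discovery = 'DiscoverySearchMailbox@company.lan'        # assumption: separate target mailbox
$Folder    = 'Recovered-importantstuff'                  # assumption: target folder name
$PstPath   = '\\FILESRV01\PSTExport\administrator-recovered.pst'  # assumption: UNC share

# 1. Estimate first: nothing is copied, only the hit count and size are returned.
$all = Search-Mailbox -Identity $Source -SearchQuery $Query -EstimateResultOnly
"Mailbox search : {0} item(s), {1}" -f $all.ResultItemsCount, $all.ResultItemsSize

# 2. Same query restricted to the Recoverable Items folder (the dumpster).
$dump = Search-Mailbox -Identity $Source -SearchQuery $Query `
            -SearchDumpsterOnly -EstimateResultOnly
"Dumpster search: {0} item(s), {1}" -f $dump.ResultItemsCount, $dump.ResultItemsSize

if ($dump.ResultItemsCount -eq 0) {
    Write-Warning 'No purged items matched; nothing to copy or export.'
    return
}

# 3. Copy the purged hits to the target mailbox. Full logging records every
#    copied item, so the recovery can be reviewed afterwards.
Search-Mailbox -Identity $Source -SearchQuery $Query -SearchDumpsterOnly `
    -TargetMailbox $Discovery -TargetFolder $Folder -LogLevel Full

# 4. Export the copied folder tree to PST. FilePath must be a UNC path that the
#    "Exchange Trusted Subsystem" group can write to. The PST holds mailbox
#    content, so restrict access to that share.
#    Remove -ContentFilter to export everything in the folder.
New-MailboxExportRequest -Name 'Recover-importantstuff' -Mailbox $Discovery `
    -IncludeFolders "$Folder/*" `
    -ContentFilter "Sender -eq 'user@othercompany.lan'" `
    -FilePath $PstPath

# 5. Check progress; hand over the PST once the request shows Completed.
Get-MailboxExportRequest -Name 'Recover-importantstuff' |
    Get-MailboxExportRequestStatistics |
    Format-List Name, Status, PercentComplete, FilePath
```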
Considerations
In this part we will talk about the considerations and limitations of this method. To use the commands, we need PowerShell and KQL skills in addition to the right permissions. The database must also be online and working on a fully working Exchange Server. The search can only be done on one mailbox at a time and it can only search through active/mounted databases.
The biggest challenge comes when the retention period has passed (the default retention period in Exchange is 30 days). Although the emails can still be recovered from a previous database backup, the restore is difficult: one would need to restore the entire EDB file, run ESEUtil to scan and fix the database, mount the database and search through it. You will need to restore from multiple sources until you find the exact location where the deleted items can be found, as the user would not remember when the emails were deleted. This would incur an expense in resources and administrative effort.
Other ways to recover deleted items
Restoring deleted items from the Exchange Server is possible only if the databases are mounted and the retention period has not passed, and even then it is a lengthy process. It would be possible to overcome the limitations and administrative effort of the process while keeping it simple. With specialized EDB Recovery Software like Stellar Repair for Exchange, you will be able to export/migrate from any version of Exchange Server database, corrupted or not, and granularly export to PST and other formats. You can also export directly to a live Exchange Server or Office 365 tenant, any user mailbox, archive, disabled mailbox, shared mailbox, and even public folders. You can also simplify the recovery of deleted items by using the Recoverable Items Folder button and selecting to recover versions, purges, deletions, and other items.
After the selection is ready, you will get an updated tree of the structure in the application where you will find the Unknown folder under each mailbox. You will be able to browse through the recovered items and preview the items in full HTML view.
From here you can selectively get the messages and folders needed and restore them to the mailbox, different mailbox, PST, public folder, live Exchange Server database or Office 365 tenant.
The tool can also be used to recover or migrate data from any version of Exchange Server database, whether online or offline, of any size, and in any state, i.e. healthy or corrupted. You can granularly process user mailboxes, shared mailboxes, user archives, disabled mailboxes and even public folders and export them to live Exchange Server databases and Microsoft 365 tenants with ease and with minimal effort.
Conclusion
We have seen why we would need to recover deleted items and how important that is, as well as the procedure for doing it. We have also seen how important it is to have a simplified method when it comes to these requests, which can lower the restore time as well as guarantee the least number of resources needed to do the restore job.