Sep 01 2012
Introduction

Following on from a question raised on the Symantec Connect Forums, this article outlines the different techniques you can use to determine how a particular mail item got archived, and by whom. It is not a perfect science, but hopefully the steps outlined in this article, in no particular order, will help if you ever need to do this job yourself.

Problem Description

Let’s assume that a user comes to you, the Enterprise Vault administrator, and says:

This mail here..  it’s archived.. and I am sure I didn’t do it.  Who did it?

When?

One of the first things you need to do is work out WHEN the item was archived. There are at least two ways to do this:

* Check the shortcut

* Use browser search

Check the shortcut

This is perhaps the easiest way of finding out when an item was archived. It’s no good to you, though, if your policies don’t create shortcuts for archived items. If you do create shortcuts, simply find the shortcut, open it with Outlook Spy or MFCMAPI, and look for the attribute:

Archived Date

[Screenshot: shortcut properties showing the Archived Date attribute]

So in the above example this item was archived at 1:28 AM.

Use Browser Search

An alternative, and if you don’t use shortcuts perhaps the only way, is to use Browser Search to locate the item.

Using Browser Search with the Advanced=3 parameter you can enter search criteria to locate the item that the user is referring to, and you have the additional option of including “other result attributes”. In that space you put “adat”, which is the indexed attribute holding the date/time that the item was archived.

[Screenshot: Browser Search advanced page with “adat” entered as an other result attribute]

The output will look something like this:

[Screenshot: Browser Search results with the adat column showing the archived date/time]

So, now, hopefully you know the DATE and TIME that the item was archived.

Check Task Schedules

In the first example the archiving took place in the early hours of the morning; in the second example it took place at mid-day. At this point you can check the schedule of the archiving task associated with this mailbox.

If the item was archived in the middle of the night and the time coincides with the archiving schedule, it was most likely archived by the scheduled archiving task.

If it was the archiving task, refer back to your archiving strategy (age, quota, or age and quota) and decide which of these rules caused the item to be archived when it did.

A Run Now?

Unfortunately, if an administrator did a Run Now on the user’s mailbox on the server, nothing is logged to the event log. Neither is anything logged if an administrator did a Run Now against all of the users on the system.

You can still perhaps use the next section in order to work out what happened.

Anything else on the task?

You can also look for other items which were archived at around the same time. You can do this manually in the user’s mailbox, but the items might be in random folders, and the user might have moved things around since the incident. Alternatively, use Browser Search as outlined above and search for everything archived on that day, or that day +/- one day.

Delegates

Does the user you are looking at have any delegates, i.e. people with permission to their archive who might have archived the item? You can check this in the Vault Admin Console. If they do, you may want to look through the Enterprise Vault server’s IIS logs for calls to clientaction.asp at the time that the item was archived.

A delegate who has permissions to an archive, when manually archiving an item in the “other” person’s mailbox, always operates in HTTP client mode (regardless of whether they have the DCOM or HTTP client installed and operating). So it will always result in a clientaction.asp request.

User dragging and dropping to Virtual Vault

If your user has Virtual Vault enabled, perhaps they deliberately or accidentally dragged and dropped the item into Virtual Vault? You can look in the IIS logs for calls to UploadItem.aspx. Remember that delegate Virtual Vaults are always read-only, so it can’t be a delegate doing this; it can only be the end user themselves.

Client Tracing

The Enterprise Vault Outlook Add-in produces log files, at varying levels of detail, and you can access them on the end user’s machine:

C:\Documents and Settings\<Username>\Local Settings\Temp\ev_client_*.log (Windows XP)
C:\Users\<Username>\AppData\Local\Temp\ev_client_*.log (Windows 7)

An entry in the client log for a manual archive will look like this:

07/06/2011 12:32:11.214[2324]: User initiated manual archive action

It won’t tell you WHICH item they manually archived, but it will help if you get a time match. The above is logged if you have the logging level set to Information or higher.
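The IIS log checks in the Delegates and Virtual Vault sections and the client-log time match above are the same job: take the archived date/time you recovered and look for activity around it. The script below is an added example, not part of the original post or of Enterprise Vault itself. It parses constructed sample IIS W3C log lines (using the `#Fields:` header to find columns) and constructed client log lines, and reports the events that fall within a window of the archived time, labelling clientaction.asp, UploadItem.aspx and “User initiated manual archive action” hits. It also checks whether the archived time falls inside a scheduled archiving window that may cross midnight, which is the case the 1:28 AM example raises. The URI paths, the sample users, the archived time, the schedule and the `%d/%m/%Y` client-log date format are all assumptions; IIS writes W3C logs in UTC by default, so the `iis_offset` argument exists to shift them into the same local time as the shortcut and client log.

```python
import re
from datetime import datetime, time, timedelta

# Constructed sample IIS W3C log (not from the original post). Treated as already
# in local time; pass iis_offset to correlate() if your logs are still in UTC.
IIS_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2011-06-07 09:10:44 10.0.0.5 GET /EnterpriseVault/search.asp Advanced=3 DOMAIN\jsmith 10.0.0.33 200
2011-06-07 12:32:15 10.0.0.5 POST /EnterpriseVault/clientaction.asp - DOMAIN\jsmith 10.0.0.33 200
2011-06-07 12:33:02 10.0.0.5 POST /EnterpriseVault/UploadItem.aspx - DOMAIN\owner 10.0.0.21 200
2011-06-07 15:05:30 10.0.0.5 POST /EnterpriseVault/clientaction.asp - DOMAIN\jsmith 10.0.0.33 200
"""

# Constructed sample ev_client_*.log lines; date format assumed to be day/month/year.
CLIENT_LOG = """07/06/2011 12:30:01.002[2324]: Add-in initialised
07/06/2011 12:32:11.214[2324]: User initiated manual archive action
07/06/2011 17:40:22.900[2324]: User initiated manual archive action
"""

# Archived date/time recovered from the shortcut or adat (constructed value).
ARCHIVED_AT = datetime(2011, 6, 7, 12, 32)
# Assumed archiving task schedule: Mon-Fri, 23:00 to 05:00 (crosses midnight).
SCHEDULE = (time(23, 0), time(5, 0), {0, 1, 2, 3, 4})

# Which server-side pages indicate which kind of client-driven archiving.
INDICATORS = {
    "clientaction.asp": "manual archive via HTTP client (owner or delegate)",
    "uploaditem.aspx": "drag and drop into Virtual Vault (owner only; delegate vaults are read-only)",
}
CLIENT_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\.\d+\[\d+\]: (.*)$")


def parse_iis_log(text, offset=timedelta(0)):
    """Return IIS events as dicts, mapping columns by the #Fields header."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("IIS log has no #Fields header before data lines")
        row = dict(zip(fields, line.split()))
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S") + offset
        events.append({"time": ts, "user": row.get("cs-username", "-"),
                       "uri": row["cs-uri-stem"], "source": "iis"})
    return events


def parse_client_log(text, date_format="%d/%m/%Y %H:%M:%S"):
    """Return only the manual-archive lines from the Outlook add-in log."""
    events = []
    for line in text.splitlines():
        m = CLIENT_LINE.match(line)
        if m and "User initiated manual archive action" in m.group(2):
            events.append({"time": datetime.strptime(m.group(1), date_format),
                           "user": "(mailbox owner's Outlook)", "uri": None,
                           "source": "client",
                           "what": "manual archive from Outlook add-in (item not identified)"})
    return events


def correlate(archived_at, iis_events, client_events, window=timedelta(minutes=5)):
    """Events of interest within +/- window of the archived time, oldest first."""
    hits = []
    for ev in iis_events:
        page = ev["uri"].rsplit("/", 1)[-1].lower()
        if page in INDICATORS and abs(ev["time"] - archived_at) <= window:
            hits.append({**ev, "what": INDICATORS[page]})
    for ev in client_events:
        if abs(ev["time"] - archived_at) <= window:
            hits.append(ev)
    return sorted(hits, key=lambda e: e["time"])


def in_schedule(ts, start, end, days):
    """True if ts falls in a daily window; a window crossing midnight counts
    the early-morning part as belonging to the previous day's run."""
    t = ts.time()
    if start <= end:
        return ts.weekday() in days and start <= t < end
    if t >= start:
        return ts.weekday() in days
    if t < end:
        return (ts.weekday() - 1) % 7 in days
    return False


def investigate(archived_at=ARCHIVED_AT, iis_offset=timedelta(0)):
    """Bundle the schedule check and the log correlation for one archived item."""
    hits = correlate(archived_at, parse_iis_log(IIS_LOG, iis_offset), parse_client_log(CLIENT_LOG))
    return {"during_schedule": in_schedule(archived_at, *SCHEDULE), "hits": hits}


if __name__ == "__main__":
    result = investigate()
    print("archived during task schedule:", result["during_schedule"])
    for h in result["hits"]:
        print(h["time"], h["source"], h["user"], h["what"])
```

Run against the constructed logs, the mid-day item is outside the task schedule and three candidate events land within five minutes of it: the owner's add-in reporting a manual archive, a clientaction.asp request from a second account (a delegate candidate), and an UploadItem.aspx request from the owner. Which one actually produced the item still has to be decided from folder contents and the other-items search described above; the point of the script is to narrow the window, not to prove authorship.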

Conclusion

It can often be difficult to work out how a particular item was archived, and by whom. Auditing alone is not a perfect solution, and hopefully some of the steps covered in this article will help people who need to work this out.
