POP! Goes the Evidence.

chris.chalmers — Fri, 18 Jul 2008 07:30:00 GMT

Who could resist a catchy title like this: "Court-ordered forensic search of CEO's laptop?" When I first saw that, I immediately wondered, "Just how many Michael Bolton MP3s were on there?" But if you read the tale of Treppel v. Biovail on the K&L Gates E-discovery blog, you'll discover a far less insidious finding (unless "This is the Time: The Christmas Album" was involved).

The Judge ordered the defendants to produce documents (email) in "native format," and wouldn't you know it, the documents weren't forthcoming - even after a couple of trips to the backup tapes. The court noted that the “unique procedure” by which the CEO’s email was downloaded to his personal laptop and then deleted from Biovail's servers resulted in his email not being preserved on the backup tapes. The forensic scan was ordered in an attempt to retrieve the emails, since they weren't available by less onerous means. See the original post here: (http://www.ediscoverylaw.com/2008/04/articles/case-summaries/inadequate-preservation-efforts-necessitate-restoration-and-production-of-email-from-backup-tapes-and-forensic-search-of-ceos-laptop/)

Intentionally configuring your email system with a "unique procedure" so messages don't get backed up?

This should be interesting. Setting aside the legal implications of a "shred all" retention policy for the moment, let's see how that would work in Exchange 2007. Since I have absolutely no knowledge of which email server the defendant actually used, let's take the generic case of Contoso Corporation, our make-believe company running a very real Exchange 2007 server.

If you want to copy the email off the server to read later, you need to copy it on to the client laptop. There are three protocols for clients to retrieve email from Exchange servers: POP3 (Post Office Protocol), IMAP4 (Internet Message Access Protocol), and MAPI (Messaging API, sometimes called MAPI/RPC).

By default, Outlook uses MAPI to retrieve email: Email is always on the server, the Outlook client merely provides an easy way to manage and control it. If the Outlook client is using "Cached Exchange Mode," then there are two copies of each email: one on the laptop, and one on the server. (Outlook has technology to keep the two copies in sync).

POP is different. The email client has the option to "leave email on the server" which is a lot like MAPI or IMAP. But if the client hasn't chosen to "leave email on the server," then it is deleted as soon as the client has downloaded it.

Is it hard to do?

Not in the least. The Exchange Administrator needs to do two things: 1) Enable the Client Access servers to support POP (it's turned off by default), and 2) enable the user's mailbox to allow POP access.

1) Here's the instructions for enabling POP3. As usual, it's a one-liner in PowerShell: (http://technet.microsoft.com/en-us/library/bb124934(EXCHG.80).aspx)

Set-service msExchangePOP3 -startuptype automatic

2) And here's the instructions for enabling a user for POP. Another one-liner:

Set-CASMailbox -identity "Don Hall" -Popenabled $true

The only gotcha is having to restart the POP service each time you enable new users (yet another one-liner) (http://technet.microsoft.com/en-us/library/bb124578(EXCHG.80).aspx)

Did the forensic scan of the CEO's laptop find anything?

It's not clear from the K&L Gates blog post, but it's quite possible something incriminating was uncovered. Craig Ball, a certified computer forensic examiner, lays out some concrete steps for a client-side email scan in his "4 on Forensics: 4 Articles on Computer Forensics for Lawyers" at http://www.craigball.com/CF4_0807.pdf. Favorite spots on the laptop to search include Microsoft Outlook caches like the .ost file and .pst files, as well as other email clients' equivalent folders.

And in the ultimate irony, the server may STILL have copies of the email, even after configuring it for POP. Exchange 2007 has a "Deleted Items Retention" feature, where emails that users have deleted aren't really erased for another 14 days. This feature is designed to keep sys admins from pulling their hair out when end users call looking for email they accidentally erased.

In the end, POP3 works like an actual magic trick. It provides the illusion of making something disappear, but in actuality it's just hidden behind another curtain.

E-Discovery and Microsoft Technology : POP3

POP! Goes the Evidence.