Litigation Support Tip of the Night

February 12, 2020

In MS Exchange, if you place a litigation hold on mailboxes to preserve email messages for a long period of time, keep in mind that modified or deleted Outlook items will be preserved in the Recoverable Items folder.  This may cause the data stored in this folder to exceed its default maximum size of 30 GB. 

Have the Exchange admin monitor the folder size, or sufficiently increase the default to deal with the accumulated data. 

January 27, 2020

After an email is deleted from the Deleted Items folder, or removed from the Inbox with SHIFT + DELETE, the email will be sent to the Deletions subfolder of the Recoverable Items Folder.   The Recoverable Items Folder is not visible to the user.  Each user's profile contains a deleted item retention period set by the admin.  The default is 14 days.  So, in most cases emails can be recovered for up to 14 days after a user has tried to delete them.  The 'Recover Deleted Items' command is on the Folder tab of Outlook.  

If an email is purged from the Recovered Deleted Items folder, or if the set retention period elapses, it is sent to the Purges subfolder of the Recoverable Items Folder.   However, the email will not be removed from the Purges folder until the mailbox assistant processes the folder.  A post on Microsoft's official site for Exchange states that:  "You can configure the Managed Folder Assistant to process all mailboxes on a Mailbox server within a certain period (known as a work cycle). The work cycle is set to one day by default."

January 26, 2020

Microsoft Exchange makes possible in place preservation of email messages.  The archiving of relevant emails involves significant costs because of the need for a user to manage the copying or because of the need to purchase software to implement the hold on the email messages. 

The LitigationHoldEnabled property of a mailbox will prevent any item in a mailbox from being removed. 

The alternate 'in-place hold' will only direct the retention of emails which come up in a search query.   A single mailbox can have multiple in-place holds, but no more than 500 search terms can be used.

  Using more than 500 terms in a query will cause all content in the mailbox to be preserved. The LitigationHoldEnable property is either set or not.   Either type of hold can be set to remain for a specific time period.  

Searches can be run on the messages that are subject to in-place holds.   While a hold is in place a user will retain the same rights to delete emails.  The admin has the option of informing the user that the mailbox is subject to a hold.  

Both types of holds use the Recoverable Items folder to preserve emails.  So even when SHIFT + DELETE is used or emails are deleted from the Deleted Items folder, the emails are transferred to the Recoverable Items folder.   The recoverable items folder is not visible to users.  Note that a user does have the option to recover deleted items on the folder tab. 

November 6, 2019

You can increase the maximum size of an attachment or attachments that can be sent in an Outlook email message by changing a setting in Registry Editor.  By default, Outlook will not allow you to send an email greater than 20 MB.   

In the menu under HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences 

With this folder selected, go to Edit . . . New . . . DWORD (32-bit) Value and name the new file as 'MaximumAttachmentSize'. 

Double-click this new field, so you can edit it.  With decimal selected, enter a limit in KB - so 100,000 for 100 MB. 

July 22, 2019

You may have noticed that the standard search tool in MS Outlook 2010 doesn't allow you to search for exact phrases in the body of email messages.    Instead a search for a phrase enclosed in quotes will find all emails that contain any of the listed strings.   Mircosoft says that this limitation can be overcome by making a change to the Registry Editor.  See this posting by Microsoft Support here.  

Follow these steps: 

1. In Registry Editor go to HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\xx.0\Outlook\Search

It may be necessary to create the Search folder.  Do so by right clicking on the 'Outlook' folder and selecting New . . . Key.  Then rename the folder 'Search'.   Note that Outlook 2010 is version 14.0.  

2. Next go to the Edit menu and select New . . . DWORD . . . and enter a new value. 

 3.  Input the value name as 'AllowPhraseMatch' and set the value data to 1. 

 You should now be able to search for exact phrases enclosed in quotes in Outlook 2010. 

In Outlook 2016 this problem has been solved, and you can search for an exact phrase without making the change to the registry. 

April 19, 2019

More than once I've come across email attachments in document productions for which the file name was 'winmail.dat' and the attachment had not been processed.  This problem stems from a well-known problem that Microsoft Support has addressed here.  Some email clients cannot process emails sent from MS Outlook that are in the rich text format.   The message is sent in plain text and the .dat file contains the rich text formatting, embedded images and file attachments.   This method is known as TNEF, Transport Neutral Encapsulation Format.   

This error causes a minor security breach as the sender's login user name, and .pst folder paths can be found if the file is opened in a text editor. 

See this example from the Enron Email data set. 

It's hard to say if the EDRM's own processing stripped out some of the original information, but we can see a file path and what may be a login ID. 

April 9, 2019

MFCMAPI is a free API (an application programming interface) for Outlook, which can be downloaded here.   MAPI (Messaging Application Programming Interface) allows Windows applications to interface with Outlook or other email clients such as Eudora and send emails.   MFCMAPI can be used  to investigate issues with Outlook and Exchange by accessing MAPI stores.  After MFCMAPI is installed, it should automatically detect your Outlook folders, address books, calendars, and notes. 

MFCMAPI has many useful functions but it should be used with caution, as it can corrupt the contents of your Outlook profile if mistakes are made. 

One of the useful features of MFCMAPI is that it can detect if an attachment has been blocked.  See in the Advanced menu . . . Is attachment blocked, and enter the name of the attachment you want to check. 

Going to Quick Start . . . Open Folder . . .will display the metadata for emails in a selected folder, including the Conversation ID.   You can right click and export messages with a common subject, or save all attachments in the folder.  

MFCMAPI is a great tool for helping to wrangle email data. 

December 28, 2018

A lady or gentleman with the handle IT4577 has posted VBA code on spiceworks which can be used to find how many emails in an Outlook folder contain received dates that are specified in an Excel worksheet.   The VBA code is copied below, but because of formatting issues with my Wix editor it may be necessary to copy the code from the spiceworks site.   

The code should be entered into a module in Visual Basic for Excel, not Outlook.  You need to have both Excel and Outlook open. 

You'll have to change this part of the code.  

On this line:

Set objFolder = objnSpace.Folders("Outlook Data File").Folders("Inbox").Folders("enron")

. . . specify the path to the folder in Outlook that contains the emails you need to review.   In order to get the correct path right click on the folder in Outlook and select 'Properties'.   On the General tab note the location of the folder being reviewed, in this example the one named, 'Enron'.   The path is ' \\Outlook Data File\Inbox', but you need to list each folder in the path separately like this:  Folders("Outlook Data File").Folders("Inbox").Folders("enron")

In an Excel file that has a worksheet named 'Sheet1' (as referenced in the VBA code) starting in cell A1 list dates in column A that you want to search for in the emails saved in the specified folder. 

Run the macro, and the count of the number of emails with a matching received date will be generated in column B.   It is not necessary for the received date field to be displayed in Outlook for this macro to work. 

Sub HowManyDatedEmails()
    ' Set Variables
    Dim objOutlook As Object, objnSpace As Object, objFolder As Object
    Dim EmailCount As Integer, DateCount As Integer, iCount As Integer
    Dim myDate As Date
    Dim arrEmailDates()
    ' Get Outlook Object
    Set objOutlook = CreateObject("Outlook.Application")
    Set objnSpace = objOutlook.GetNamespace("MAPI")
    ' Get Folder Object
    On Error Resume Next
    Set objFolder = objnSpace.Folders("Outlook Data File").Folders("Inbox").Folders("enron")
    If Err.Number <> 0 Then
        MsgBox "No such folder."
        Set objFolder = Nothing
        Set objnSpace = Nothing
        Set objOutlook = Nothing
        Exit Sub
    End If
    ' Put ReceivedTimes in array
    EmailCount = objFolder.Items.Count
    For iCount = 1 To EmailCount
        With objFolder.Items(iCount)
            ReDim Preserve arrEmailDates(iCount - 1)
            arrEmailDates(iCount - 1) = DateSerial(Year(.ReceivedTime), Month(.ReceivedTime), Day(.ReceivedTime))
        End With
    Next iCount
    ' Clear Outlook objects
    Set objFolder = Nothing
    Set objnSpace = Nothing
    Set objOutlook = Nothing

    ' Count the emails dates equal to active cell
    Do Until IsEmpty(ActiveCell)
        DateCount = 0
        myDate = ActiveCell.Value
        For i = 0 To UBound(arrEmailDates) - 1
            If arrEmailDates(i) = myDate Then DateCount = DateCount + 1
        Next i
        Selection.Offset(0, 1).Activate
        ActiveCell.Value = DateCount
        Selection.Offset(1, -1).Activate
End Sub

August 31, 2018

In the Tip of the Night for September 29, 2017, in the outline of the section of Craig Ball's Electronic Discovery Workbook on email, I noted that there are, "OLK system subfolders holding viewed attachments."    So how do you find these OLK folders?

1. Go to Start and Type in regedit.  Open Registry Editor. 

2. Browse to KEY_CURRENT_USER\Software\Microsoft\Office . . . and then select the number for the version of MS Office that you are using. 

3. In the Outlook directory, in the Security subfolder, you should find the location of the OutlookSecureTempFoler.   

In this example it is: C:\Users\SeanKOShea\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\291V0540

If you can't locate this directory in Windows Explorer, go to start and type in, "shell:cache".   This will open the 'Temporary Internet Files' folder and you should be able to find the 'Content.Outlook' folder. 

4. When Outlook opens attachments it will place them in this folder.   If you have opened an attachment, made some edits, and then your operating systems crashes, you should be able to find the attachments in this folder. 

If Outlook crashes while an attachment is open the file will remain in this folder indefinitely.  When Outlook is closed normally attachments which have been opened and put in this folder are deleted. 

This is a good tip for computer forensics professionals who are looking for files that a user may have intended to get rid of but inadvertently left on his or her computer.  

July 29, 2018

It's easy to find the header for an email message in Outlook.   Follow these steps.  (I'm working with Outlook 2016 in this example).

1. With a message open go to File . . . Properties

2. In the Properties dialog box the message's header information will be listed at the bottom.  

An email header may make reference to an IP address.  A forged email may use an IP address that does not match up with domain listed in the sender's email address.    If you get an email from which the header indicates came from the IP address, you can confirm that the sender is from the by checking its IP address with the tracert command in Windows.   The IP address is the number listed at the end of the line beginning, 'Tracing route to . . .' 

It's also a sign that an email has been forged if it's purports to be from a particular email client but its Mail User Agent format varies from the official pattern.  

A list of common MUA header formats can be found here.

Please reload

Please reload

Sean O'Shea has more than 15 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.


This policy is subject to change at any time.


Some elements on this page did not load. Refresh your site & try again.

Contact Me With Your Litigation Support Questions:

  • Twitter Long Shadow

© 2015 by Sean O'Shea . Proudly created with