The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer. All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information. This policy is subject to change at any time. The owner is not an attorney, and nothing posted on this site should be construed as legal advice. Litigation Support Tip of the Night does not provide confirmation that any e-discovery technique or conduct is compliant with legal, regulatory, contractual or ethical requirements.
Running the regular expression search:
\S+\s*$
. . . in a text editor like NotePad++ will generate a count of the number of non-empty lines in a text file. The number of hits will be shown in the results pane below the transcript.
In order to get a count of the number of empty lines you can run this RegEx search: ^\s*$
. . . but note that it will count consecutive lines with only whitespace as a single line.
Don't miss that in Windows Explorer you can find any file names which beginning with a string by preceding the search with ~<.
So for example a search for: ~<fire
. . . will find any files which begin with the word, 'fire'.
Microsoft Exchange limits the number of emails that can be simultaneously deleted from a single mailbox with one command to 10. While it’s possible to delete one email from thousands of mailboxes, the same command used to search for and delete messages across user accounts has a built in limitation on how many emails it will delete at once.
New-ComplianceSearchAction is a cmdlet (a PowerShell script or operation) which an admin can implement on Exchange that can search through the subject line, body, and metadata fields for certain key terms.
The cmdlet is designed to respond to cyber security breaches (such as purging a phishing email) not help businesses comply with the need to remediate data pursuant to a protective order.
See confirmation on this limitation for the purge switch here: https://learn.microsoft.com/en-us/powershell/module/exchange/new-compliancesearchaction?view=exchange-ps
The PowerShell script to delete emails will specify a named search:
New-ComplianceSearchAction -SearchName "Remove Phishing Message" -Purge -PurgeType SoftDelete
Not any Exchange admin can run this cmdlet. The admin needs to have Discovery Management rights.
The cmdlet transfers emails to the Deletions folder of a user account’s Recoverable Items. (When an Outlook user holds down the SHIFT key and presses DEL the message is not gone forever - it goes to Recoverable Items.). On Exchange, users’ Outlook data is divided between Recoverable Items, Interpersonal Messaging (IPM - all of the data visible to the user), and non-IPM data (operational data). Recoverable Items contains additional folders:
Purges - items hard deleted when a litigation hold is in place. Emails sent here won’t be deleted until the period set for retention ends. But even then it will only be deleted until the mailbox is processed by the Managed Folder assistant, which can be set to run once every 1 to 7 days.
Audits - logs activity in the account.
DiscoveryHolds - items subject to an Office 365 litigation hold that are hard deleted.
Versions - this folder will retain multiple versions of Outlook items that have been modified.
Note that when rerun the cmdlet will include messages in the Recoverable Items folder in the results, so the total count in the results will not change as successive searches are run.
Microsoft has posted a PowerShell script which can be used to delete multiple batches of 10 emails automatically:
. . . but it notes that this is not a supported script, and it cannot be run on multiple mailboxes.
Exchange will retain deleted items by default for up to 14 days but this period can be increased to 30 days.