Searching Exchange Journal Messages

As discussed in one of my previous articles, Exchange journaling gives administrators the ability to record all email communications within an organization.  If the sender or recipients (including those on a distribution list) have their journaling setting enabled, the email is captured by the designated journal mailbox.  It does so by sending an email to that mailbox and envelopes the original message as an attachment.  These messages can cause issues when you need to perform e-Discovery searches since several key pieces of data are changed, including:

  • The journal message modifies the sender (e.g. the sender is converted to “Microsoft Outlook on behalf of Jane Doe”)
  • The original message is now an attachment, not the source message
  • The original message does not include any BCCs or expands distribution lists
  • Not all processing tools support source envelope journal reports

Sherpa Software’s Discovery Attender has supported searching the source journal messages for many versions.  In the most recent release, Discovery Attender v3.8 includes a complementary PreSearch Tool and a new set of features have been introduced to help address the envelope formatting issues.

Within Discovery Attender, you now have the choice to natively search and export the original message that has been journaled as an attachment.  Using this new option, the envelope (aka source journal report) is ignored, and you will target the original message only.  To do so, it is simply a matter of changing the Discovery Attender settings:

Even if the journal messages have been copied to a PST file or moved to a different mailbox, you can still search and export the original message with Discovery Attender.  Because you are now searching the original message, the sender is searched and represented as it was sent.  However, if you would like to search and export the messages as they are stored in the system (i.e. source journal report), you still may do so.  Simply change the above setting and the original message will remain as an attachment.

In addition to the core functionality, Discovery Attender’s PreSearch Tool can also be used to export original messages.  Users have the option to export journal formatted messages from a mailbox or PST files into a PST file that contains only the original messages.  This is very helpful if you want to export the original message for all journal items in an email store or just messages based on a date range.

Additionally, Sherpa is working on functionality in the PreSearch Tool that will allow you to reformat (or transform) the original message to include the address data that is stored in the body of the envelope journal report.  This means you will be able to add the BCC or an expanded distribution list (if internal) back into the original message.  Keep an eye out on the newsletters for more information on the availability of this feature!

For more information, contact Sherpa support.

Leave a Reply

Your email address will not be published. Required fields are marked *