
Exchange EWS eDiscovery Powershell Module

eDiscovery is one of the more useful features introduced in Exchange 2013, and offers a quick and powerful way of searching and reporting on items in a mailbox, or across multiple mailboxes, on an Exchange Server or in Exchange Online. In this post I wanted to roll up a few eDiscovery scripts I've posted in the past into a more user-friendly and expandable PowerShell module.

eDiscovery uses KQL (Keyword Query Language) to search indexed properties, which are listed on https://technet.microsoft.com/en-us/library/dn774955(v=exchg.150).aspx . For quick reporting with eDiscovery you can tell Exchange to return only the number (and size) of the items that match your KQL query. Otherwise Exchange returns preview items (200 at a time), which means the query can take some time to complete if you're enumerating through a large result set.

I've tried to take a very modular approach with the code in this module to make it easier to extend.

Permissions - The eDiscovery parts of this module require the account running the script to be a member of the Discovery Search RBAC role. The code that gets the FolderPath requires the user running the script to have rights to the mailbox or EWS Impersonation rights.

Here is what the cmdlets in the module can do at the moment.

Get-MailboxItemStats

This is just a generic cmdlet: you can either enter some KQL to make a query, or enter a Start and End date to create a report of items in a particular date range, e.g. to show email from the last month

Get-MailboxItemStats -MailboxName Mailbox@domain.com -Start (Get-Date).AddDays(-31) -End (Get-Date)

This will show results like



If you use the FolderPath switch this will instead show a folder-level view of the results. To get the folder list it must use the preview items, which are slower to retrieve, e.g.

Get-MailboxItemStats -MailboxName Mailbox@domain.com -Start (Get-Date).AddDays(-31) -End (Get-Date) -FolderPath

would yield results like


Get-MailboxItemTypeStats

This is from one of my previous posts and returns a list of item types in a mailbox; I've added a parameter so you can run a query on just one item type as well. Running it like this would yield a report of the Contacts in a mailbox and where they are located


Get-MailboxConversationStats

This lets you report on the From, To, CC and BCC fields of a message. In Exchange these fields are indexed in the Participants property (as well as their own keywords for Recipients, To etc). One cool thing you can do with this is query mailbox traffic to and from a particular domain, e.g.


If you then want to know more about one particular recipient type you can take the value in the Name property and use that in Get-MailboxItemTypeStats, e.g.



Attachments

One of the more useful things you can do with this module is search for and download attachments from a mailbox using eDiscovery, which you can't easily automate in the eDiscovery console. So I've got a few different options for this. First I have

Get-AttachmentTypeMailboxStats

This works like the ItemType cmdlet in that it runs multiple OR queries on a list of attachment types. By default, if you don't pass in an array of attachment types to query, I have a list of 8 common types, so it will produce a report like this



If you want to run a query based on one attachment type across folders you can use something like the following


Or limit it to one particular attachment name


Get-MailboxAttachments

You can download attachments using this cmdlet, e.g.



In Exchange Online, if you have reference attachments located in OneDrive, the module has code to detect and download those using the SharePoint client libraries. You do need to change the version in

$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1

to

$ExchangeVersion = [Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2015
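As an added example, not code from the module or the post, here is how two behaviours described in this post map onto the EWS Managed API in PowerShell: the StatisticsOnly count versus paging PreviewOnly items 200 at a time (the KQL paragraph at the top), and binding preview hits to download their attachments as Get-MailboxAttachments does. The DLL path, EWS endpoint, mailbox address, sort FieldURI and KQL query are assumptions, and the account needs the Discovery role membership noted under Permissions.

```powershell
# Added example; DLL path, endpoint, mailbox, sort FieldURI and KQL below are assumptions for your environment
Add-Type -Path "C:\Path\To\Microsoft.Exchange.WebServices.dll"
$ews = "Microsoft.Exchange.WebServices.Data"
$service = New-Object "$ews.ExchangeService"([Microsoft.Exchange.WebServices.Data.ExchangeVersion]::Exchange2013_SP1)
$service.Credentials = (Get-Credential).GetNetworkCredential()
$service.Url = "https://outlook.office365.com/EWS/Exchange.asmx"

function Search-MailboxKql {
    param([string]$MailboxName, [string]$Kql, [switch]$Preview)
    # Search scopes are keyed by the mailbox ReferenceId (its legacy DN), so resolve the SMTP address first
    $refId = $service.GetSearchableMailboxes($MailboxName, $false).SearchableMailboxes[0].ReferenceId
    $scope = New-Object "$ews.MailboxSearchScope"($refId, [Microsoft.Exchange.WebServices.Data.MailboxSearchLocation]::All)
    $queries = [Microsoft.Exchange.WebServices.Data.MailboxQuery[]]@(New-Object "$ews.MailboxQuery"($Kql, [Microsoft.Exchange.WebServices.Data.MailboxSearchScope[]]@($scope)))
    if (-not $Preview) {
        # StatisticsOnly: Exchange returns just the matching count and total size, with no item enumeration
        $r = $service.SearchMailboxes($queries, [Microsoft.Exchange.WebServices.Data.ResultType]::StatisticsOnly)[0].SearchResult
        return [PSCustomObject]@{ ItemCount = $r.ItemCount; SizeBytes = $r.Size }
    }
    # PreviewOnly: items arrive 200 per page; the last item's SortValue is the reference for the next page
    $items = @(); $pageRef = $null
    do {
        $page = $service.SearchMailboxes($queries, [Microsoft.Exchange.WebServices.Data.ResultType]::PreviewOnly,
            "item:DateTimeReceived", [Microsoft.Exchange.WebServices.Data.SortDirection]::Ascending, 200,
            [Microsoft.Exchange.WebServices.Data.SearchPageDirection]::Next, $pageRef)[0].SearchResult.PreviewItems
        if ($page) { $items += $page; $pageRef = $page[-1].SortValue }
    } while ($page -and $page.Count -eq 200)
    return $items
}

function Save-PreviewItemAttachments {
    param([object[]]$PreviewItems, [string]$Folder, [string]$Extension = ".pdf")
    $props = New-Object "$ews.PropertySet"([Microsoft.Exchange.WebServices.Data.BasePropertySet]::IdOnly)
    $props.Add([Microsoft.Exchange.WebServices.Data.ItemSchema]::Attachments); $saved = 0
    foreach ($hit in ($PreviewItems | Where-Object { $_.HasAttachment })) {
        $msg = [Microsoft.Exchange.WebServices.Data.EmailMessage]::Bind($service, $hit.Id, $props)
        foreach ($att in $msg.Attachments) {
            if ($att -is [Microsoft.Exchange.WebServices.Data.FileAttachment] -and $att.Name -like "*$Extension") {
                # Attachment names are untrusted input: keep only the file-name part and drop path characters
                $safe = [IO.Path]::GetFileName($att.Name) -replace '[\\/:*?"<>|]', '_'
                $att.Load((Join-Path $Folder ("{0:D5}_{1}" -f $saved, $safe)))
                $saved++
            }
        }
    }
    return $saved
}

$kql = 'received>=2016-01-01 AND received<=2016-01-31 AND attachment:*.pdf'   # constructed KQL
Search-MailboxKql -MailboxName "mailbox@domain.com" -Kql $kql                  # count and size only
$hits = Search-MailboxKql -MailboxName "mailbox@domain.com" -Kql $kql -Preview
Save-PreviewItemAttachments -PreviewItems $hits -Folder "C:\Temp\eDiscovery"
```

The saved-file counter prefix stops two hits with the same attachment name from overwriting each other, and the name sanitising matters because the attachment name comes from the sender, not from you.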

I've put the Module up on GitHub https://github.com/gscales/Powershell-Scripts/tree/master/eDiscovery

You can download a copy of the script from here. I've included a compiled version of the latest Managed API, which includes the update to process reference attachments.
