Searching large volumes of Outlook PST files with Enterprise Recon

Introduction

Enterprise Recon automatically detects Microsoft Exchange / Outlook PST and OST files stored in any file location and will search its contents and identify each unique email and associated attachments containing sensitive information based on the search configuration used. 

Within typical enterprise environments, large numbers of mailbox accounts can exist which when using conventional approaches may take an exorbitant amount of time to search. Using a feature unique to Enterprise Recon, enterprise customers have the ability to establish concurrent searches to rapidly scale the number of Outlook PST files that can be searched across multiple systems.

This article explains this concept further.

 

Prerequisites

  • Enterprise Recon (v1.x or 2.x)
  • Multiple Enterprise Recon agents deployed
  • Each Mailbox on your Exchange server exported to a PST file
  • Exported PST files located diversely across multiple hosts where an Agent has been deployed in consistent directories - e.g. D:\PSTs
  • No additional software or 3rd party modules are required

 

Exporting PST files

Depending on your version of Exchange, the command used to export mailboxes will differ. We've provided some articles for you to export depending on the version of Exchange used:

Exchange 2010+ - http://social.technet.microsoft.com/wiki/contents/articles/13908.bulk-export-mailboxes-to-pst-in-exchange-2010.aspx

Exchange 2007 - http://blogs.technet.com/b/exchange/archive/2007/04/13/3401913.aspx

Exchange 2003 - http://www.rackspace.com/apps/support/portal/6159

 

Once the PST files are exported, they should be spread across multiple hosts. Here is a recommended approach for distribution to achieve scanning of all mailboxes within 1 week. Average mailbox size is  based on 1gb:

100 files - 5 systems

500 files - 25 systems

1000 files - 50 systems 

2500 files - 125 systems

5000 files - 250 systems

10000 files - 500 systems

 

Scanning the PST files

 

1. Ensure PST files have been spread across known systems - ideally contained to the same group

2. Ensure all PST files are located in a consistent directory across all systems - e.g. D:\PSTs

3. Initiate a common scan across all systems containing exported mailboxes

 - Set directory to D:\PSTs

- If using Enterprise Recon V2.0, we recommend setting an automated notification to alert upon completion of each systems scan

4. Upon completion of the scans, review results either at group level, or individual host level to determine any sensitive data findings across the PST files scanned.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.