Exchange 2013 Page Zeroing

I'm trying to find out if the Page Zeroing function in Exchange 2013 will make deleted items totally non-recoverable, even at the forensic level?

I'm led to believe that the process involves the overwriting of any "white space" in the EDB with a pattern of characters and if that's the case I would imagine that this is non-recoverable?

We have a client that wants to be sure that when emails are fully deleted in their Exchange 2013 environment, there's no chance of them being recovered by any forensic methods?

Cheers for now

Russell

 

April 25th, 2015 8:05am

Well, the official documentation says it makes recovery more difficult, not impossible. I doubt you will ever get an official statement saying it's impossible to recover the data, but from a practical standpoint, it's probably not possible to recover the data once it's zeroed out.

April 25th, 2015 8:29am

Andy,

That's what I was afraid of, although someone has said that the Zeroing makes it forensically impossible to recover the data in the following TechNet Blog but of course that's not necessarily the official Microsoft line:-

http://blogs.technet.com/b/timmcmic/archive/2013/05/20/exchange-2010-page-zeroing-and-vss-based-backups.aspx

Cheers for now

Russell

April 25th, 2015 11:39am


Well, Tim knows his stuff. That statement would be good enough for me!  :)
April 25th, 2015 11:52am

I guess it's a bit much to ask him to confirm this is still the case, assuming you know him?

Cheers for now

Russell

April 25th, 2015 12:06pm

First and foremost I have no idea who this Andy guy is ;-)

@Russell...when it comes to page zeroing this is a great source of information:

https://technet.microsoft.com/en-us/library/gg549096(v=exchg.150).aspx

The short answer to your question is that page zeroing makes the pages within the database forensically not recoverable.  The caveats to this are documented in the link above - see process of ESE database page zeroing. The reason I say "caveats" is that the page zeroing operation is asynchronous to when a particular item removal may have occurred from the database.  The table does an excellent job of explaining how and when we zero.

The one piece of this conversation that is almost always missing from my customer conversations, though, is how you handle the database overall. For example, physical access trumps everything, are you securing your backups, have you considered BitLocker, etc.

TIMMCMIC

April 26th, 2015 7:00am

Tim,

Thanks for your reply, much appreciated and just what we were hoping you'd be able to confirm.

Thanks also to Andy...whoever he is :-)

Cheers for now

Russell

April 26th, 2015 8:25am

This topic is archived. No further replies will be accepted.
