Our thinking

Keyword Searches for Email Discovery in Kerio Connect mailserver

I recently had a client with a huge amount of email stored in Kerio Connect and they needed to perform discovery against some mailboxes with a lot of email in them. It was desirable to retain the folder structure, however the emails were spread across a large number of folders across 3-4 different user accounts.

I resorted to searching and gathering the raw .eml files from the Connect mail store. The limitation of this is that it’s a raw text search, I’m not doing any Base 64 decoding nor am I decoding any file formats in attachments, so it’s really only searching the headers and body of the email, not any attachments.

First, I created a text file with a list of the keywords – one per line. Then, I used this as a list of search terms for grep and passed the filenames that matched to rsync to copy them to another folder, retaining the existing folder structure.

21 GB of results later, someone who isn’t me now has their work cut out for them to go through the emails.

The command I came up with to to this is (all on one line)

grep -i -I -Z -r -l -f /Users/admin/Desktop/grep-patterns.txt /Volumes/Data/kerio/mailserver/store/mail/example.com/user.name/ | xargs -I{} rsync -Rv {} /Volumes/Data/Email\ Discovery/201707/

If you’ve got a better way to do this, please let me know! I’m aware that you can run searches in the Kerio Connect Client (aka webmail) however this doesn’t provide any way to export the emails as .eml files nor does it handle large amounts of results very well (the list of emails are paginated). You can also search in Mail.app or Outlook however again, this is a manual process and exporting the emails and retaining the folder structure is difficult. Exchange (and, by extension, Office 365) has legal discovery and litigation hold features, but all of this email is in Kerio Connect.

Leave a Reply