In Pearl had this to say:
My reply is at the bottom of your sent message:

How do Outlook 2000 and 2003 handle metadata information? In other
words, if an email is copied to another location, is the metadata
altered? How about if the email is merely "previewed"? We are
involved in an investigation and must supply mailbox contents to the
court but the attorneys want to be sure that they can expunge
"confidential" information from the mailbox and only provide those
emails that are pertinent to the case so they want to copy applicable
messages to another location or PST file. The question becomes: how
can that be done and ensure the integrity of the metadata?

I am personally reluctant to answer this question. So I will not directly
answer it but rather will give you some insight.

First I do not think I'm an authoritative source and suggest that you seek
local high-end professional consultation before continued involvement as
this is a legal case. Any modification to the files can and will run the
risk of having it removed as evidence and that likely includes the
pre-emptory filtering out of confidential material when a writ could just as
easily be established to have the evidence submitted to the courts for
review and any confidential material both stricken from the record and the
courtroom emptied for. I'd suggest finding, as well, a specialist in the law
field.

Now, from a layman's view... You can move the data about (I would do my best
to ensure that it remained on the same disk as a matter of principle) and
the metadata should remain intact. Moving the file from disk to disk means
tampering with permissions as NTFS file structures aren't retained (for one
SMALL example) when data is burned to CD for instance. Remit the entire
drive to evidentiary proceedings and request special permissions from the
Judge (or Magistrate, or what-have-you) for specific agreements and an empty
courthouse. When the data has been moved there is room to provide reasonable
doubt. When the last-access-time (NTFS) has been altered there's room for
reasonable doubt. Without corroborating evidence there's a hole for the
defense (or prosecution depending on which side you're on) to establish
doubt. Doing so is not in your best interest in my LAYMAN'S opinion.
Continued access of the data without a court approved expert is a risk you
might not want to take.

So... I'd say, again in a LAYMAN'S view, that you're best off leaving it as
it is, where it is, and leaving it to a professional. If you HAVE to ask
this question you should, again in my humble opinion, NOT touch the drive or
account again. Provisions for confidentiality will be afforded by the courts
in most cases.

Having been there and done that as a SysOp for a data/call center...
Really... Don't take my opinion for it - go get a professional's opinion
ASAP.
--
Galen - MS MVP - Windows (Shell/User & IE)
http://dts-l.org/
http://kgiii.info/
"We approached the case, you remember, with an absolutely blank mind,
which is always an advantage. We had formed no theories. We were simply
there to observe and to draw inferences from our observations." -
Sherlock Holmes