Limitations of Using Outlook Instant Search for Email Investigations

Summary: Instant Search is a built-in function in Microsoft Outlook that can be used to search for particular emails and items in a mailbox. Companies facing litigation are often uncomfortable sharing business emails with third-party investigation agencies because of the risk of a data leak, so they attempt in-house evidence collection instead. Outlook Instant Search is not designed to help in such cases. It is best to use an advanced email forensic tool with all the essential features for an in-depth and accurate examination of mailboxes.


When a company faces litigation that involves the investigation of business emails, it may panic and make critical mistakes. In addition, many companies are uncomfortable sharing business emails with third-party investigation agencies due to the risk of data leaks. In these circumstances, they may try to do as much evidence collection as possible in-house.

To IT staff with little to no experience in email forensics, the Instant Search feature of Outlook may appear capable enough. The Outlook Instant Search utility can find a particular message or item in a mailbox and help get the correct outcome of an investigation. After all, it can search a mailbox just fine and assist in collecting relevant messages. Right? Well, not really.

Outlook Instant Search

Instant Search is a built-in function in Microsoft Outlook that can search for particular emails and items in a mailbox.

Since Instant Search borrows most of its functionality from Windows Search Service, it can be powerful when used with custom software code. You can use query languages such as Advanced Query Syntax offered by Microsoft Windows Desktop Search to run these queries with Instant Search. The function DemoInstantSearch() described on the source page can process your queries and return results in different objects, including the Search object, Table object, and Items collection.

The above-outlined features and provisions highlight the capabilities of Outlook Instant Search in comprehensive email scanning. However, Instant Search is still not recommended for e-discovery and forensic email investigations for reasons shared below. Sure, an IT executive can use the function to run a search on a custodian’s mailbox and export the relevant emails to a new PST file. However, this approach, as simple and convenient as it is, can leave out many important details in the process and jeopardize the case. The following are a few aspects that highlight the limitations of Outlook Instant Search with regard to using it as a formal email investigation tool:

1. Scanning Limitations

Searching for emails on all users’ computers is time-consuming and even impractical if the staff is enormous. Also, you may not find every single email in an Outlook application of a user. Some emails that are not downloaded on a machine may remain on the server. Others might exist in backup files, mobile devices, etc. Since Instant Search will only scan emails in the Outlook application, many emails will be left out.

Outlook Instant Search is also limited to searching visible data. If smoking guns exist in emails that a custodian deletes, you cannot extract them with the function. You need enterprise-grade forensic email investigation software, such as Stellar Email Forensic, to provide that functionality.

2. Chances of Inaccuracy and Discrepancy

An email investigation comes with a massive responsibility. You must conduct an in-depth analysis of the appropriate mailboxes and document the critical emails with their timestamps and metadata. However, when you use the Outlook Instant Search function, you may not get accurate results. For instance, when you scan a mailbox that is not fully indexed, Outlook warns that the results may be incomplete. However, there is no warning for files that the Windows Search Service (which Outlook Instant Search relies on) cannot index. This leads to inaccuracies and discrepancies, a big red flag in eDiscovery cases and criminal investigations.

3. File Format Limitations

Outlook Instant Search can index the contents of all common file types such as .PDF, .DOC, .JPG, etc. However, it may fail to index certain file types that aren’t supported, such as .RAR, .CAD, etc. You may install third-party tools to improve the indexing capacity, since these tools provide interfaces that allow Windows Search Service to extract text and properties from documents. But even then, 100% coverage isn’t guaranteed: files with unrecognized extensions, like a text file with an .abc extension, may not get indexed and so may not appear in the search results.

4. Lack of Reporting and Case Management Functions

Outlook isn’t designed for email investigation. So, you can’t generate reports, logs, case files, etc. You can’t tag emails, export multiple PST files for different keywords, or even save evidence in convenient formats like PDF. When you have to scan multiple mailboxes, you may fail to collect and record all the important emails in an organized fashion. Sure, you can use spreadsheets and documents to keep track of the emails, but that is prone to human error and can make complex investigations a nightmare.
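The Python sketch below is an added illustration, not code from the original page or from any product it mentions. It shows what points 2 to 4 ask of a collection step: each message is hashed and logged with its metadata, and every part that was not text-searched is listed instead of being skipped silently. It assumes the mailbox was exported to MBOX and that text parts declare a charset Python knows; the sample messages are constructed, and `SEARCHABLE`, `FIELDS` and the function names are hypothetical.

```python
import csv, hashlib, io, mailbox
from email import message_from_bytes, policy
from email.message import EmailMessage

SEARCHABLE = {"text/plain", "text/html"}  # part types this sketch reads as text
FIELDS = ["message_id", "date", "from", "subject", "sha256", "hit", "unsearched"]

def build_sample(path):
    """Write three constructed messages to a new mbox file (sample data only)."""
    box = mailbox.mbox(path)
    samples = [("Q3 forecast", "Please shred the invoice copies.", None),
               ("Lunch", "Pizza on Friday?", None),
               ("Archive", "See attached.", ("ledger.rar", b"Rar! invoice"))]
    for i, (subject, body, attachment) in enumerate(samples):
        m = EmailMessage()
        m["From"], m["Date"] = "alice@example.com", "Mon, 01 Jan 2024 09:00:00 +0000"
        m["Subject"], m["Message-ID"] = subject, f"<{i}@example.com>"
        m.set_content(body)
        if attachment:
            m.add_attachment(attachment[1], maintype="application",
                             subtype="x-rar-compressed", filename=attachment[0])
        box.add(m)
    box.close()  # close() flushes the new messages to disk

def scan_mbox(path, keyword):
    """Return one evidence row per message, listing parts that were NOT searched."""
    box, rows, kw = mailbox.mbox(path, create=False), [], keyword.lower()
    for key in box.keys():
        raw = box.get_bytes(key)  # bytes as stored in the mbox; hashed before parsing
        msg = message_from_bytes(raw, policy=policy.default)
        hit, unsearched = kw in str(msg["Subject"] or "").lower(), []
        for part in (p for p in msg.walk() if not p.is_multipart()):
            ctype = part.get_content_type()
            if ctype in SEARCHABLE:
                hit = hit or kw in part.get_content().lower()
            else:  # record the coverage gap instead of skipping it silently
                unsearched.append(f"{part.get_filename() or '(inline)'}:{ctype}")
        rows.append({"message_id": str(msg["Message-ID"]), "date": str(msg["Date"]),
                     "from": str(msg["From"]), "subject": str(msg["Subject"]),
                     "sha256": hashlib.sha256(raw).hexdigest(), "hit": hit,
                     "unsearched": ";".join(unsearched)})
    box.close()
    return rows

def to_csv(rows):
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```

In the constructed sample, the third message is not a keyword hit, but its row names `ledger.rar` as unsearched, so a reviewer knows the attachment still has to be examined by other means.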

Conclusion

Email forensics is an important practice in criminal investigations involving specialized tools and techniques for identifying, collecting, and preserving digital evidence. Most professionals agree that Outlook Instant Search is not designed to help in such cases. Instead, it is best to use an advanced email forensics tool with all the essential features for an in-depth and accurate examination of mailboxes.

You can start by evaluating our email forensics software, which is presently available for a 60-day free trial. The software supports more than 25 file formats such as EDB, PST, OST, DBX, NSF, MBOX, OLM, and more. In addition, it offers a case management facility for bulk email forensics and allows you to perform forensic investigation via granular search across emails.
