I have noticed when collecting data from Hotmail accounts that there is a recoverable items root\purges folder. As I understand it this is used for litigation hold matters on a M365 business account.
Is this a lazy architect residing from when Microsoft ported over Hotmail to its Outlook exchange. I can see this contains oddities such a sent items which still exist in the sent folder and have yet to be deleted.
Looking at the online Microsoft docs it all seems to point to business accounts!
I see the following in our testing of Microsoft consumer accounts:
Starting with 0 items in the Deletions and Purges folders.
End-user deletes a message. The deleted message is moved to the “Deleted Items” folder. Still accessible through the Outlook.com web interface.
End-user deletes the message in the “Deleted Items” folder. The message is now moved to “Recoverable Items\Deletions”. “Recoverable Items\Purges” remains empty. The user can still access the deleted item via the “Recover items deleted from this folder” hyperlink within the “Deleted Items” folder.
The end-user clicks on the “Recover items deleted from this folder” hyperlink and deletes the message from the list of recoverable items. The message is now moved from “Deletions” to “Purges”.
If you review the modification timestamps FEC captures from the acquired messages, you can often date these actions and determine when a message was likely deleted.
I suspect that the availability of the Recoverable Items Folder for consumer accounts has to do with Microsoft’s unification of API access to its consumer accounts and M365 Exchange accounts via Graph API. I personally find the additional artifacts and investigative capabilities helpful
Thanks for the quick reply and your observations on your testing.
Interestingly when i looked at my won personal Hotmail account I could see a sent email still present in my sent folder also duplicated in the recoverable items\purges. I can see some me performing some more testing
Sounds good! Let us know if you find anything interesting, @Azad!
Regarding the sent emails showing up within the Recoverable Items Folder—this may depend on composition time. I’ve run into scenarios where partial, draft copies of sent emails (e.g., missing the sender) turned up in the Recoverable Items Folder.
