When faced with eDiscovery requests, organizations need to be able to preserve email records, search relevant records and produce them for review.
In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is removed from the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a Copy-on-write (COW) is performed and a copy of the original item is saved right before the changed version is committed, preserving original content. The process is repeated for every change, preserving a copy of all subsequent versions.
Using Multi-Mailbox Search, also new in Exchange 2010, delegated legal, human resources or IT personnel (referred to as discovery managers because they need to be assigned Discovery Management permissions) can search mailbox content across their entire Exchange 2010 organization. Messages returned from a search can be copied to a Discovery mailbox, which is a special type of mailbox with higher mailbox quotas and no capability to send or receive messages.
Since the release of Exchange 2010 and Office 365, we have received a lot of feedback from organizations of all sizes about the messaging policy & compliance features, including archiving, eDiscovery & hold. When planning the evolution of compliance features, we’ve kept your feedback front and center. Let’s take a look at what has changed.
Integration with the New SharePoint Exchange offers an integrated eDiscovery & Hold experience with the new SharePoint. Using the eDiscovery Center, you can search and hold in-place all content related to a case -– SharePoint web sites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync content from a single location. You can export content associated with case, including files, lists, web pages and Exchange mailbox content. Mailbox content is exported as a .PST file. An XML manifest that complies with the Electronic Discovery Reference Model (EDRM) specification provides an overview of the exported information.
To search Exchange content, SharePoint uses Exchange’s Federated Search API. Regardless of whether you search Exchange content from the EAC or using SharePoint, the same search results are returned. The new SharePoint and Exchange both use the same underlying indexing and querying engine – Microsoft Search Foundation, which allows you to use the same search query for both SharePoint and Exchange content.
Let’s take a look at how one discovery manager performs an In-Place eDiscovery search.
Robin works on the legal team at marketing firm Contoso. Contoso receives a request from a company called Tailspin Toys to assist with a marketing campaign for a new toy they are producing. Contoso is known for doing great toy marketing campaigns since they do a lot of work in the toy industry. This is great for business but they also have to be careful because many of the toy companies with which they work are competitors. Contoso just finished a highly successful marketing campaign with another toy company called Wingtip Toys and Robin wants to ensure that there's no confidential information that may accidentally get past from one customer to another through his team. To that end, Robin wants to search through her company's email and documents with the help of her legal team to make sure there are no potential issues.
To use In-Place eDiscovery, a user must be delegated the Discovery Management role group. You can delegate the role to authorized legal, compliance management or human resources personnel. Robin is one of those legal team members. This ability to have scoped roles in the new Exchange 2013 allows IT Pros to delegate compliance responsibilities to folks like Robin without giving them full access to all Exchange server functionality.
Robin starts by navigating to the Exchange Administration center Center. The EAC’s Compliance Management tab is where you can manage compliance features in the new Exchange. Because Robin doesn’t have any other Exchange administrator roles, she only sees the interface relevant to the Discovery Management role group. On the compliance management tab, she can only see In-Place eDiscovery & Hold.
Figure 1: In-Place eDiscovery and Hold tab is accessible to users with delegated Discovery Management permissions
She clicks on the Add button to start the New new In-Place eDiscovery & Hold wizard and enters a name and an optional description for the search.
Figure 2: Create an In-Place eDiscovery search using the new In-Place eDiscovery & Hold wizard in EAC
Robin can search all mailboxes in the Exchange organization or select the mailboxes she wants to search.
Figure 3: Specify mailboxes (to search or search all mailboxes)
On the Search query page, Robin can select the option to return all mailbox content or just specific content. Robin wants to find specific content related to work done between hers team members and WingTip Toys. She has the option to perform a simple search by just entering in a few key words or more complex search if she wants with Boolean operators like ANDs, ORs, parenthesis, etc. so she can be very specific as to what she is looking for. This can be a big time and cost savings for her since multiple gigabyte mailboxes are very common and she wants to reduce that set of content down to the minimum amount she needs to look at to find what she wants.
Figure 4: Specify a search query, including keywords, start and end dates, sender and recipients
In addition to using Boolean logic she’s also using the proximity operator (NEAR), which allows her to find words that are close to each other. You can also see her using a wildcard character so in this case she is looking for the word wingtip within three words of toy, toys, toymaker or anything similar.
In this particular case, Robin wants to look for these keywords anywhere in a given email, but if she wants to be more specific, for example search for a phrase only in the message subject, she could type in Subject: and then her phrase right after it. Depending on how specific she wants to be, she can create complex queries. You can use several hundred keywords in a query.
She can also choose specific types of messages. An Exchange mailbox has email but also calendar items, tasks, notes and other items related to personal information management. The new Exchange allows her to search all of those items or she can narrow the query down to specific types of items. She selects email and also meetings so she can track which ones of her employees met with Wingtip and read the meeting invites to find out what was discussed.
Figure 5: Select all message types or specify the message types to search
Once Robin has created hers query to define what content is important to her, she has a few options in terms of what to do with the results. If she feels it's important to protect this content she has the option to place it on hold. When content is placed on hold, Exchange automatically captures any attempts to edit or delete or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end-users so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.
Figure 6: Placing search results on an In-Place Hold
We will talk more about In-Place Hold in Part II of this post.
Robin clicks Finish. The search is running against Exchange 2013 mailboxes and placing items on hold.
When the search is complete, Robin takes a look at the total size and item count to see if it’s manageable. If there are a million items, her query is likely too broad;, if there are no items, it may be too narrow. If she wants to dig into the details, she can view the search statistics to see exactly how each keyword contributed to the overall result set. That lets her really be targeted about the way she's tweaking her queries so she can quickly get a result set down to a manageable size.
Figure 7: Use search estimate and keyword statistics to fine-tune search queries
Once she is done tweaking her query, she can stop the search and discuss with her team or legal counsel whether the query is correct. She can also create additional eDiscovery searches and use different query parameters.
She can also choose to preview messages returned in the search.
Figure 8: eDiscovery Search Preview to preview messages and determine query effectiveness
The eDiscovery Search Preview displays message count and total size for each mailbox searched. The preview functionality is built on Outlook Web App, which shows the message in its native format without any changes.
Figure 9: eDiscovery Search Preview displays live message preview without copying messages to a Discovery mailbox
Robin can quickly scroll through all of her results to view additional items that came back with her search. Since she is using the full- fidelity Outlook Web App preview, she can also view attachments.
Once Robin has previewed her results and she's happy with them, she can make a copy for of them for later review, or export them so that she can export them to handoff to her outside legal counsel. To do that, she simply clicks on the Copy search results link.
Figure 10: Copying messages returned by the search to a Discovery mailbox
When copying messages to a discovery mailbox, she has the following options:
The last thing Robin will pick is the Discovery mailbox into which she wants to put her search results.
After copying is completed, Robin can see that the copy operation is complete and she has a link to the mailbox where the results are stored. Robin can now navigate to the copy of her search results to view them. In this view, she does have the ability to perform a review on her items, she can tag items that are important, or if she decides some are not important, she can take them and move them to the deleted items folder so that they are no longer in her view.
Once that's done, if Robin needs to share the consolidated results with an outside counsel, she can use her Outlook client to export the consolidated results list to a PST file.
We’ve provided you with an overview of the In-Place eDiscovery & In-Place Hold functionality in the new Exchange. In Part II of this post, which is scheduled to be published shortly, we will dig deeper into In-Place Hold.
Bharat Suneja and Julian Zbogar-Smith
Go to In-Place eDiscovery and In-Place Hold in the New Exchange – Part II