
Doing e-Discovery / Message Retention / Legal Recovery in Exchange 2010 - Office 365

Native in the Box (Journaling), Lookup, and Recovery

By Rand Morimoto on Fri, 07/29/11 - 12:12am.

The topic has come up many times recently on how organizations can leverage Microsoft Exchange 2010 (on-premise) or Microsoft Office 365 (in the cloud) to retain messages, legally hold and recover messages, and successfully perform eDiscovery tasks as required by legal counsel, by law, and/or as needed.

This document clarifies what’s included “in the box” in Exchange 2010 and Office 365, goes through the step-by-step procedures for setting up what is necessary to retain content, and gives detailed procedures on how to query and look up information.

Basic Background
To be able to retrieve information for legal or official purposes, information must be properly retained (lawyers may say, or LMS, “preserved”) so that the integrity of the information retrieved is valid (lawyers will request an “audit trail” to “verify” and “authenticate” the information by showing the “chain of custody”: who preserved and collected it, and how).  As an example, if the Human Resources department, Legal department, or outside Legal Counsel wants to gather information, it’s not good enough to just go into a user’s mailbox and extract information, because the information in a mailbox is considered “fragile.”  It is fragile because a user can easily “delete” a key message, or the user can even go in using the Microsoft Outlook client and EDIT a message.  If someone opens a user’s mailbox, the messages in the Outlook client can be tampered with (LMS-modified) and are NOT considered valid evidence (even if modified accidentally).

In the past with Exchange 2007, Exchange 2003, or earlier, it required specific technologies and practices to protect the messages from tampering.  The old way of doing things was to buy a 3rd party archiving product like Symantec Enterprise Vault, Iron Mountain / Mimosa NearPoint for Exchange, EMC EmailXtender, Zantaz EAS, or the like.  The 3rd party tools required a separate server, typically a special agent to be installed on all Exchange servers and clients, and a relatively high expense to manage, maintain, and support the archiving server and services.

With Exchange 2007, Microsoft included email “Journaling” that allowed a copy of any/all emails to be forwarded to a Journaling Server so that, while a user’s mailbox content might have been tampered with, the Journaling Server mailbox would have an unmodified version of the content.  Legal review of the Journal copy provided assurance that the copy has not been edited.

With the release of Exchange 2010 and its Archiving capabilities, some mistakenly believe they must create an “Archive Mailbox” for all users to preserve data; that is not true.  An Archive Mailbox creates a 2nd mailbox store for a user, into which content can be moved to get it out of the Primary mailbox, but data retention (LMS-“preservation”) can actually be done on Exchange 2010 (or Office 365) simply by extending the Deleted Item Retention period and enabling the Single Item Recovery function of Exchange / Office 365.

The Archive Mailbox feature in Exchange 2010 / Office 365 simply allows users (or the organization, through rules) to move messages out of their primary mailbox to the Archive Mailbox to keep the primary mailbox small, and the archive as large as the user requires.  The Archive Mailbox replaces the PST files that users have used for years to back up or archive their messages; instead of being scattered across filesystems, hard drives, USB drives, and other devices, archived mail can be kept in the user’s Archive Mailbox for quick and easy search and access.  For the balance of this article, the reader can be assured that the Archive Mailbox is completely separate and not needed for the “in the box” message retention / discovery discussed here.

What Can be Done “In the Box” in Exchange 2010 and Office 365
While an organization can continue to buy 3rd party products, and can also do Journaling in Exchange 2010 (on-premise) and Office 365 (in the Cloud), an easier way of handling message retention and legal recovery (LMS-“collection”) / e-Discovery is available by making configuration changes right in Exchange 2010 / Office 365.

When a user deletes a message from a folder other than the Deleted Items folder, the message is not really deleted but instead moved to the Deleted Items folder and sits in the Deleted Items folder until the message is fully deleted from the Deleted Items folder. When a user deletes an item from the Deleted Items folder or empties the Deleted Items folder, the message disappears from the Deleted Items folder and appears to be “gone”, but the message has actually just been moved to a hidden Recoverable Items folder.  The Recoverable Items folder replaces the feature formerly known as the Dumpster in previous versions of Exchange. The Recoverable Items folder is hidden from the default view of Microsoft Outlook or Outlook WebApp, and other e-mail clients so the user no longer sees deleted messages, but the messages are still sitting on the Exchange 2010 / Office 365 server.

Items in the Recoverable Items folder are retained for the deleted item retention period configured for the user's mailbox or per database in Exchange. By default, the deleted item retention period is set to 14 days (or 30GB of storage, whichever comes first).  This default retention period can be extended by the administrator to a longer period or even indefinitely.  At any point, messages in the Recoverable Items folder can be retrieved by someone in the organization with “Discovery Role” permissions (more on this later).

An important point to note is that even though messages deleted by a user are retained on an Exchange 2010 or Office 365 server and hidden from the user, users can still access their Recoverable Items / Deletions messages through Outlook 2010.  An Outlook 2010 user simply selects the Deleted Items folder, selects the Folder tab in the ribbon, and clicks on “Recover Deleted Items,” which shows the messages stored in the Recoverable Items folder.  The user can click to recover messages back into their Deleted Items folder, or they can click on the “delete” icon and the messages are permanently deleted off the Exchange server.

However, the Exchange administrator can control message retention even for this permanent user deletion.  An Exchange administrator only needs to go to the Exchange Management Shell (EMS) and run the following command (when prompted for the Identity, enter the name of the user’s mailbox whose content you want to protect):
     Set-Mailbox -SingleItemRecoveryEnabled $true
This activates Single Item Recovery (SIR).  SIR creates a Recoverable Items / Purges folder that is hidden from the user and is NOT accessible to the user at all.

By enabling Single Item Recovery for a user’s mailbox, messages that are edited / modified (and not necessarily deleted) are ALSO now retained for the length of the Deleted Item Retention.  Instead of ending up in a hidden Recoverable Items / Deletions folder for deleted messages, messages that are edited/modified end up in a hidden Recoverable Items / Versions folder.  So for every edited version of the message, there is also a copy of the message prior to the modification / edit.

Therefore all hard-deleted or modified/edited messages are preserved for the default length of 14 days (or 30GB), or whatever the organization has set as the default retention period, whether that’s 60 days, 90 days, a year, 7 years, forever, etc.  To enable Single Item Recovery on all mailboxes in a database, run the EMS command:
     Get-Mailbox -Database <DatabaseName> | Set-Mailbox -SingleItemRecoveryEnabled $true

Note: for organizations using Office 365 (in the cloud), per Microsoft’s Office 365 administrator guide (http://help.outlook.com/en-ca/140/hh125820.aspx), “Single item recovery is enabled by default for new user mailboxes created in Exchange Online and for mailboxes migrated to Exchange Online from an on-premises Exchange organization.”  As such, there is nothing an Office 365 administrator needs to do; all message deletions, edits, and modifications are retained for the length of the organization’s Deleted Item Retention period.  To extend the default 15 and 30 day retention policies set in Office 365, see http://help.outlook.com/en-us/beta/gg271153.aspx on Messaging Records Management (MRM).

The following Exchange Management Shell (EMS) commands for configuring Deleted Item Retention / Recoverable Items Quota were extracted from Microsoft’s TechNet article at http://technet.microsoft.com/en-us/library/ee364752.aspx.  To run any of these EMS commands, you need to be assigned the “Organization Management,” “Recipient Management,” and “Records Management” role group permissions.  For more details on configuring permissions, see the “Retention and legal holds” entry in the Mailbox Permissions topic at http://technet.microsoft.com/en-us/library/dd638132.aspx.

Using the Shell to Configure Deleted Item Retention for a Mailbox
This example configures April Stewart's mailbox to retain deleted items for 30 days.
     Set-Mailbox -Identity "April Stewart" -RetainDeletedItemsFor 30

Using the Shell to Configure Recoverable Items Quotas for a Mailbox
This example configures a Recoverable Items warning quota of 12 GB and a Recoverable Items quota of 15 GB for April Stewart's mailbox.
     Set-Mailbox -Identity "April Stewart" -RecoverableItemsWarningQuota 12GB -RecoverableItemsQuota 15GB -UseDatabaseQuotaDefaults $false

Note:  To configure a mailbox to use different Recoverable Items quotas than the mailbox database in which it resides, you must set the UseDatabaseQuotaDefaults parameter to $false.

Using the Shell to Configure Deleted Item Retention for a Mailbox Database
This example configures a deleted item retention period of 10 days for the mailbox database MDB2.
     Set-MailboxDatabase -Identity MDB2 -DeletedItemRetention 10

Using the Shell to Configure Recoverable Items Quotas for a Mailbox Database
This example configures a Recoverable Items warning quota of 15 GB and a Recoverable Items quota of 20 GB on mailbox database MDB2.
     Set-MailboxDatabase -Identity MDB2 -RecoverableItemsWarningQuota 15GB -RecoverableItemsQuota 20GB
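The following script is an added example, not from this article or from Microsoft's TechNet page: it audits the retention / Single Item Recovery posture of every mailbox in one database against an assumed 90-day target, previews the fixes with -WhatIf, and lists what is actually sitting in one mailbox's hidden Recoverable Items tree. "MDB2" and "April Stewart" are the article's own example names; the -FolderScope RecoverableItems switch assumes Exchange 2010 SP1 or later.

```powershell
# Added example (not the article's or Microsoft's code). Run in the Exchange
# Management Shell with the role groups listed above.
$DatabaseName = "MDB2"          # database name from the article's examples
$TargetDays   = 90              # assumed organisational retention target

# Database-level defaults that mailboxes inherit unless overridden.
$db = Get-MailboxDatabase -Identity $DatabaseName
"Database {0}: DeletedItemRetention={1}  RecoverableItemsQuota={2}" -f `
    $db.Name, $db.DeletedItemRetention, $db.RecoverableItemsQuota

# One row per mailbox. A mailbox that uses the database retention default is
# judged by the database value; otherwise by its own RetainDeletedItemsFor.
$report = foreach ($mbx in Get-Mailbox -Database $DatabaseName -ResultSize Unlimited) {
    if ($mbx.UseDatabaseRetentionDefaults) {
        $effective = $db.DeletedItemRetention
    } else {
        $effective = $mbx.RetainDeletedItemsFor
    }
    New-Object PSObject -Property @{
        Mailbox        = $mbx.Alias
        SIREnabled     = $mbx.SingleItemRecoveryEnabled
        LitigationHold = $mbx.LitigationHoldEnabled
        EffectiveDays  = $effective.Days
        UsesDbDefault  = $mbx.UseDatabaseRetentionDefaults
    }
}
$report | Sort-Object Mailbox |
    Format-Table Mailbox, SIREnabled, LitigationHold, EffectiveDays, UsesDbDefault -AutoSize

# Remediation, previewed with -WhatIf so nothing changes until you remove it:
# turn on SIR where it is off (without it, purges from "Recover Deleted Items"
# and edited versions are not captured), and raise mailbox-level retention
# where the effective value is below the target.
$report | Where-Object { -not $_.SIREnabled } | ForEach-Object {
    Set-Mailbox -Identity $_.Mailbox -SingleItemRecoveryEnabled $true -WhatIf
}
$report | Where-Object { $_.EffectiveDays -lt $TargetDays } | ForEach-Object {
    Set-Mailbox -Identity $_.Mailbox -RetainDeletedItemsFor $TargetDays `
        -UseDatabaseRetentionDefaults $false -WhatIf
}

# What is actually being held for one mailbox: the Deletions, Versions and
# Purges sub-folders of Recoverable Items described above
# (-FolderScope RecoverableItems needs Exchange 2010 SP1 or later).
Get-MailboxFolderStatistics -Identity "April Stewart" -FolderScope RecoverableItems |
    Select-Object Name, FolderPath, ItemsInFolder, FolderSize |
    Format-Table -AutoSize
```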

Handling Legal Hold in Exchange 2010 / Office 365
Legal Hold and Litigation Hold are terms used in the legal profession to designate that “potential evidence” is to be retained; specific to email, this means all email messages and attachments need to be preserved (ie: prevent a user from deleting or modifying messages that might be used in a legal case).

As mentioned earlier in this article, with previous versions of Exchange, a 3rd party product typically needed to be purchased to retain content, such as when a user’s mailbox is put on Legal Hold.  However, with Exchange 2010 and Office 365 using the Deleted Item Retention process covered in this article, all deleted and modified messages are already automatically retained for a period of time, so the only thing that needs to be done is to make sure content is not deleted after the default 14 days, whether by the user or by some other full deletion process.  Specifically, putting a user’s mailbox on Legal Hold ensures indefinite retention of all content in the user’s mailbox until the mailbox is removed from Legal Hold.

To put a Mailbox on Litigation Hold, the person making that decision needs to be part of the “Discovery Management” Role in Exchange.  By default, NO ONE in the organization, including the Exchange Administrator, has the right to put a user’s mailbox on Litigation Hold.  However, even though the Exchange Administrator doesn’t have the default right to put a mailbox on Litigation Hold, the Exchange Administrator can go into the Exchange Control Panel and give themselves (and anyone else) the right to enable Litigation Hold for a mailbox.  For that individual (administrator, HR personnel, legal counsel) to be given the rights to make Litigation Hold changes to a user’s mailbox, do the following:

1.  Log on to Outlook WebApp with a user that has administrator rights (just like you are logging in to check your email)

2.  In the upper right corner, select “Options” and then “See All Options”

3.  In the upper left corner, select “Manage” and then “My Organization”

4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”

5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization that you want to have the ability to put a mailbox on Litigation Hold, then click Save

This individual (or individuals) now have the ability to proceed with actually putting a mailbox on Litigation Hold.

To put a mailbox on Litigation Hold in Exchange 2010 or Office 365, an administrator needs to do the following:

1.  Log on to Outlook WebApp as a user who has been given the Discovery Management role permissions in the previous series of steps

2.  In the upper right corner, select “Options” and then “See All Options”

3.  In the upper left corner, select “Manage” and then “My Organization”

4.  In the Users & Groups / Mailboxes section, select the user you want to put on Legal Hold and click on “Details”

5.  With the user’s details displayed, scroll down to the “Mailbox Features” section and “Enable” Litigation Hold.  An options screen will pop up and allow you the option of entering in text to notify the user that they are on or why they are on Litigation Hold.  You can choose to just leave it blank (which does not provide the user any notification) and click Save.  If your company has a URL to an Intranet page or employee handbook Web page that might provide them company policies on Litigation hold, you can enter in the URL and click Save for the user.

Note:  It may take upwards of an hour before Litigation Hold takes effect on a user’s mailbox.  This is because the policy needs to be enacted on all messages and folders in the user’s mailbox, and the policy needs to be replicated through Active Directory.  You can see the status of Litigation Hold on a user’s mailbox by going back and looking at the “Mailbox Features”; it may show Litigation Hold “Enable – Pending” while it is in the process of enabling Litigation Hold.  When the mailbox is fully held, the Mailbox Features will simply show “Enabled”.

With Litigation Hold enabled, all messages, regardless of the organization’s retention policy, will be retained.

Once an employee is removed from Legal Hold, going back to Exchange or Office 365 and selecting “Disable” for Litigation Hold will turn off Litigation Hold on the user’s mailbox.

More information on this topic is covered in Microsoft’s Tech article http://technet.microsoft.com/en-us/library/ee861123.aspx.
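As an added example (not from the article), the same two procedures, granting the Discovery Management role and then placing and verifying a hold, done from the Exchange Management Shell instead of the Outlook WebApp options pages. Assumed names: "legal.hold" is the account being added to Discovery Management, "bsmith" is the custodian mailbox, and the policy URL is a placeholder for the intranet page the article mentions; the LitigationHoldDate / LitigationHoldOwner audit fields assume Exchange 2010 SP1 or later.

```powershell
# Added example (not the article's code). Assumed names throughout.
$HoldOperator = "legal.hold"
$Custodian    = "bsmith"
$PolicyUrl    = "http://intranet.example.invalid/legal/litigation-hold"   # placeholder

# Equivalent of the first five-step procedure: grant the Discovery Management
# role. Membership is checked first so the script can be re-run safely.
$members = Get-RoleGroupMember -Identity "Discovery Management"
if (-not ($members | Where-Object { $_.Alias -eq $HoldOperator })) {
    Add-RoleGroupMember -Identity "Discovery Management" -Member $HoldOperator
}

# Equivalent of "Enable" under Mailbox Features. RetentionComment and
# RetentionUrl carry the optional notification text and URL from the pop-up;
# leave both out for a hold the user is not told about.
Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $true `
    -RetentionComment "This mailbox is on Litigation Hold. Deleted and edited items are preserved." `
    -RetentionUrl $PolicyUrl

# Record who placed the hold and when, for the chain-of-custody log. As the
# article notes, the hold can still show as pending in the ECP for up to an hour.
Get-Mailbox -Identity $Custodian |
    Select-Object Alias, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# Inventory of every mailbox currently on hold, for periodic review so that
# holds are released when a matter closes rather than accumulating forever.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled } |
    Select-Object Alias, LitigationHoldDate, LitigationHoldOwner |
    Sort-Object LitigationHoldDate |
    Format-Table -AutoSize

# Releasing the hold (the article's "Disable" step) once counsel says so:
# Set-Mailbox -Identity $Custodian -LitigationHoldEnabled $false
```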

Searching for Content (aka Multi-Mailbox Search)
Searching for information, whether it is actively in a user’s mailbox, edited or modified by the user, deleted from their mailbox (but not yet purged off the Exchange / Office 365 server), or held for Litigation Hold, is done the exact same way.  The only difference is the amount of information that may be found: mailboxes on Litigation Hold, or organizations that have cranked up the Deleted Item Retention to save information beyond the default 14 days (potentially indefinitely), will yield more information, since that information has not been automatically purged off the Exchange or Office 365 servers.

Key to searching is to choose words, date ranges, and other key parameters that help you zero in on the information you are looking for, without narrowing the search so tightly that it misses some of that information.  As an example, if you simply search for information between Bob and Mary over a 30-day period, you might end up with 1000 messages, which may be too much information to find what you are looking for.  On the other hand, if you search for messages between Bob and Mary over the 30-day period with the key phrase “don’t tell anyone”, which might narrow the search down to, say, 8 messages, then if at any point during the email thread either Bob or Mary deleted or changed the “don’t tell anyone” phrase in the email, those subsequent emails would not show up in your search results.  This happens frequently: as messages get really long, users may delete or truncate part of the message.  Or if you only look for words in a Subject line but one of the users then changes the Subject line, your tight search may also not return what you were expecting.

It is recommended that you create a very small mailbox with only a dozen messages inside it and try out the searching process, to perfect your ability to look for (and ultimately find) the information you are looking for, before you try to search a mailbox or several mailboxes with hundreds of thousands of email messages.  Remember, this is a very specific search; it will find exactly what you are looking for.  Unlike searching the Web with Google or Bing, which finds information that “kind of” has the same words or similar words and phrases, the eDiscovery search in Exchange / Office 365 will only find 100% exact matches to what you query.

Additionally, when you do a multi-mailbox / e-Discovery search in Exchange / Office 365, depending on your configuration, the results can show up in several different folders including:
• The folder where the message currently resides
• The Deleted Items folder, which holds messages that have been deleted but not yet flushed from the Deleted Items folder
• The Recoverable Items / Deletions folder, which contains messages deleted from the Deleted Items folder
• The Recoverable Items / Purges folder, which is used for messages deleted while the mailbox is in Litigation Hold or Single Item Recovery, and
• The hidden Recoverable Items / Versions folder, which contains messages that were edited or modified.

So you may find content for a single message that has been modified, edited, deleted, and attempted to be purged in 4 or 5 different locations!

Additionally, the eDiscovery / Multi-mailbox search capabilities in Exchange 2010 / Office 365 do not piece together the sequence of events for a message’s history, so while you may find a message in 4 or 5 different places depending on the message status, you won’t know the sequence in which a message was deleted, modified, edited, or purged without manually going through and comparing the timestamp properties of the messages.

There are 3rd party tools being developed that will be able to take extracted information from the Recoverable Items folders and piece together the history and sequence of events on messages.  Instead of having to buy an entire archiving and Litigation Hold server solution, if you will be doing a lot of eDiscovery work, you may want to investigate and buy one of these 3rd party analysis tools.

To search for information using the native Multi-Mailbox search capabilities in Exchange 2010 / Office 365, do the following:

e-Discovery Step 1 – Assign Someone the Rights to Create a Search Query
This is a one-time step that needs to be performed to give someone the rights to create a search query.  By default, NO ONE in the organization, including the Exchange Administrator, has the rights to create search queries.  However, even though the Exchange Administrator doesn’t have the right to create a search query, the Exchange Administrator can go into the Exchange Control Panel and give themselves (and anyone else) rights to create the query.  So it’s just 1 extra step for the Exchange Administrator to give themselves Search Query creation capabilities.  In large organizations, the Exchange Administrator may instead give the Search Query capability to someone in internal legal counsel or the human resources department, as frequently the person who creates the query is someone “inside” the organization, while the person who has the rights to view the Query Results (Step 2, later) may be “outside” the organization.

To assign the rights to create a search query, do the following:

1.  Log on to Outlook WebApp with a user that has administrator rights (just like you are logging in to check your email)

2.  In the upper right corner, select “Options” and then “See All Options”

3.  In the upper left corner, select “Manage” and then “My Organization”

4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”

5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization that you want to have the ability to create Search Queries as well as be able to put mailboxes on Litigation Hold, then click Save

This individual (or individuals) now have the ability to go to Step 3 to create and initiate a Search query (and put someone’s mailbox on Litigation Hold)

e-Discovery Step 2 – Assign Someone the Rights to View the Query Results
However, one more step before creating and viewing queries is to assign someone the right to actually View the query results.  As noted earlier, this may be someone completely different in the organization than the person who creates and initiates the query.  For internal Human Resource (HR) queries, the person reviewing the results will likely be the same person who created the query, so for internal searches, the same person in e-Discovery Step 1 will be added to this e-Discovery Step 2.  However, in cases of litigation from another outside firm, internal counsel would likely be added to e-Discovery Step 1, but the other firm’s legal counsel “MAY” be given remote access rights to review the results of the query directly and added to this e-Discovery Step 2.

This process is more formally known as “Manage Full Access Permissions” rights for the Discovery mailboxes.  Without this permission issued, a query can be made and searched messages may be found, but no one has the rights to view the resulting messages.

To give someone the rights to access and view the results of a query, do the following:

1.  Go into the Exchange Management Console (EMC) of an Exchange Server in the organization, go to the Recipient Configuration / Mailbox container, highlight and right-click the “DiscoverySearchMailbox”, and select “Manage Full Access Permissions”; a wizard will begin.


2.  In the Manage Full Access Permissions wizard, click on Add and enter in the name of the user / administrator you want to have access to the Search Results. In the screenshot below, I want the user “Rand” to have access to the DiscoverySearchMailbox content, and as such added Rand here.  Click OK to select the name, then click “Manage”


e-Discovery Step 3 – Create and Initiate a Search Query
Once key individuals have been granted rights to create queries and review the results of the queries, the next step is to have the individual who has the right to create a query (the person in e-Discovery Step 1) to actually create a query.  The process is as follows:

1.  Log on to Outlook WebApp with a user who was given Discovery Management rights in e-Discovery Step 1 (just like the user is logging in to check their email)

2.  In the upper right corner, select “Options” and then “See All Options”

3.  In the upper left corner, select “Manage” and then “My Organization”

4.  In the Mail Control / Discovery section, under the Multi-Mailbox Search section, click on “New” to create a new search query

5.  For the Search Query, enter in the keywords you want to search for:


6.  In the Keywords section, click on “Select message types…” and typically select “Search all message types, including ones that may not be listed below” so that EVERYTHING is returned in the search results, including email messages, posts, calendar appointments, notes, tasks, etc.  (By default, only “E-mail” is selected, so Notes, Tasks, IM Conversations, etc. are skipped, which is usually not the search result you want, so you will likely choose to search all message types.)


7.  In the “Mailboxes to Search” section, Add the mailbox(es) that you wish to be searched and click OK


8.  In the “Search Name, Type, and Storage Location” section, enter a name for the search (something that will help you remember what this search is about, such as “Searching for keywords Help Me” or “Search for all emails between Bob and Mary in July 2011” or the like).  Select “Copy the search results to the destination mailbox”.  You would typically uncheck “Enable deduplication” and leave the mailbox as the default “DiscoverySearchMailbox” (note: while choosing to Enable deduplication saves space, you don’t end up with the key results from ALL mailboxes; if you are searching 7 different mailboxes, there’s only 1 copy of the message, which isn’t good for true discovery.  If you are concerned about disk space, click on “Estimate the search results” and run the estimate first to see how much space is needed; this merely comes up with an estimated number and does not actually extract any information).  If you are good to start the search, then click on Save.


9.  The search (or estimate) will begin as soon as you click Save and, depending on how much information is being searched, could take a few seconds or could take an hour.  In the Discovery page, you will see the search query noted.  Remember, this is a Web page, so it won’t automatically refresh with an update on the percentage of completion; click on the Refresh icon periodically to see whether the search has “completed” or what percentage of the search is done.


10.  At any point, you can highlight the search query, click on the Details option, and change the keywords on the query.  Click the “Start Search” option to begin the new search, and remember to periodically click the refresh button option to check the status.

Once the Search has been Successful, a user who has been set in e-Discovery Step 2 will have the ability to see the search results.  Proceed to e-Discovery Step 4 to view the results.
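As an added example (not from the article), e-Discovery Step 2 and Step 3 performed from the Exchange Management Shell rather than the EMC wizard and the Outlook WebApp pages, including a polling loop that replaces clicking Refresh. It assumes the account running it already holds Discovery Management (Step 1); "outside.counsel", "bob" and "mary" are assumed names, and the phrase and July 2011 date range are made up to mirror the article's own example search. The search is copied to the default discovery mailbox, located by recipient type so its GUID-suffixed name need not be typed.

```powershell
# Added example (not the article's code). Assumed names and dates throughout.
$Reviewer   = "outside.counsel"
$Sources    = "bob", "mary"
$SearchName = "Search for all emails between Bob and Mary in July 2011"

# Locate the default discovery mailbox by type rather than by its GUID name.
$discoveryMbx = Get-Mailbox -Filter { RecipientTypeDetails -eq "DiscoveryMailbox" } |
    Select-Object -First 1
if (-not $discoveryMbx) { throw "No discovery mailbox found in this organization" }

# Step 2: "Manage Full Access Permissions" on that mailbox for the reviewer.
Add-MailboxPermission -Identity $discoveryMbx.Identity -User $Reviewer `
    -AccessRights FullAccess -InheritanceType All | Out-Null

# Step 3: create the search. Deduplication is left off so each source mailbox
# keeps its own copy (as the article recommends); -MessageTypes is omitted so
# the search is not limited to e-mail; -IncludeUnsearchableItems copies items
# whose content could not be indexed instead of silently dropping them;
# -LogLevel Full writes a search log alongside the results.
# Append -EstimateOnly to size the search first without copying anything.
New-MailboxSearch -Name $SearchName `
    -SourceMailboxes $Sources `
    -TargetMailbox $discoveryMbx.Identity `
    -SearchQuery '"don''t tell anyone"' `
    -StartDate "2011-07-01" -EndDate "2011-07-31" `
    -ExcludeDuplicateMessages $false `
    -IncludeUnsearchableItems `
    -LogLevel Full | Out-Null

# Item 9 of Step 3, without clicking Refresh: start the search if it is not
# already running, then poll with a bounded timeout.
$search = Get-MailboxSearch -Identity $SearchName
if ($search.Status -eq "NotStarted") { Start-MailboxSearch -Identity $SearchName }

$active   = @("NotStarted", "InProgress")
$deadline = (Get-Date).AddHours(2)
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $SearchName
    "{0}: {1} ({2}% complete)" -f $search.Name, $search.Status, $search.PercentComplete
} while ($active -contains $search.Status -and (Get-Date) -lt $deadline)

# Outcome for the discovery log: status, item count, size, and the link to the
# results folder the reviewer opens in the Discovery Search Mailbox (Step 4).
$search | Select-Object Name, Status, ResultNumber, ResultSize, ResultsLink
```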

e-Discovery Step 4 – Review the Results of the Search Query
A person who has been given “Manage Full Access Permissions” in Step 2 will be able to view the results from a Query initiated in e-Discovery Step 3.  To see the results, the individual would do the following:

1.  Launch the Microsoft Outlook 2010 client and log on just like the individual is checking their normal emails.  Because the individual was added in e-Discovery Step 2 with Full permissions to the Discovery Mailbox, they will have an additional set of folders noted as the “Discovery Search Mailbox”.  Within the “Discovery Search Mailbox” will be a folder that has the name of the Search Query noted in e-Discovery Step 3 under step 8, such as “Searching for keywords Help Me” or “Search for all emails between Bob and Mary in July 2011” or the like.

2.  As the individual drills into the folders, messages that match the query will be found in any of a number of folders, such as the Inbox (if the message is still in the user’s Inbox), in a subfolder (if the user dragged/dropped the message into a subfolder), in the Deleted Items folder (if the message was deleted but not yet purged from the Deleted Items folder), in the Recoverable Items \ Deletions (if the message was purged from the user’s Deleted Items folder and is hidden from the user), in the Recoverable Items \ Versions (if the message was edited by the user), in the Archive Mailbox \ folder name (if the message is no longer in the user’s Primary Mailbox and has been dragged/dropped into the user’s personal Archive), etc.  Messages can be in any of a number of folders.

^^ List of messages in the user’s Inbox that matches the search criteria ^^

^^ Version of a specific message in the user’s Inbox that matches the search criteria ^^

^^ List of messages in the user’s Recoverable Items \ Versions folder that shows the same message appears to have been modified / edited that matches the search criteria ^^

^^ View of the original message showing that the original message was edited / modified ^^

^^ Another copy of the same message that was edited as well and ended up in the Versions folder ^^

The content in this search query can be exported to a PST, or it can be left on the server.  Additionally, a specific user account can be created in Exchange or Office 365, and instead of dumping the contents in e-Discovery Step 3 to the default Discovery Search Mailbox, you can dump the search results to a dedicated mailbox that a user can be given logon rights just to that “user account” (which effectively has just the search results from a single search).

There are a number of variations on how information can be queried and reviewed.  This document covered the most common functions, however other variations can be made.

Note: Email retention and deletion policies are specific to messages in a mailbox (either active or inactive mailbox).  Mailboxes can be deleted, databases can be deleted, and information can get corrupt.  Organizations need to protect the root storage of information from data loss that the mail handling policies noted in this document do not address.


Authored by Rand Morimoto (reviewed and edited by Guy Yardeni), Convergent Computing, http://www.cco.com

About the Author
Rand Morimoto is the author of the book “Exchange 2010 Unleashed” and the President of Convergent Computing (CCO), an IT consulting firm in the San Francisco Bay Area.  Dr Morimoto did his doctoral studies in Organization Management and has taught Undergraduate and Master degree courses on cyber-security, business ethics, and business law.  Dr Morimoto was the Internet Security advisor to President Bush (2002-2007), authored the book “Network Security for Government and Corporate Executives,” and frequently participates as an expert witness in legal cases regarding electronic data and information integrity.

Acknowledgement
I wanted to thank Cary Calderone, a California licensed attorney (http://www.dredlaw.com), for his contribution to this article.  Cary helped me insert legal terms and terminology in the document so that those who speak that language will hopefully share a common understanding of some of the aspects of my technical content.  Cary is a translator who speaks both legal and tech.

Disclaimer
This document is provided for informational purposes only and the author makes no warranties, either express or implied, in this document.  Information in this document, including URL and other Internet Web site references, is subject to change without notice.  The entire risk of the use or the results from the use of this document remains with the user.