Doing e-Discovery / Message Retention / Legal Recovery in Exchange 2010 - Office 365

Native in the Box (Journaling), Lookup, and Recovery

Page 2 of 3

5.  With the user’s details displayed, scroll down to the “Mailbox Features” section and “Enable” Litigation Hold.  An options screen will pop up and allow you the option of entering in text to notify the user that they are on or why they are on Litigation Hold.  You can choose to just leave it blank (which does not provide the user any notification) and click Save.  If your company has a URL to an Intranet page or employee handbook Web page that might provide them company policies on Litigation hold, you can enter in the URL and click Save for the user.

Note:  It may take upwards of an hour before Litigation Hold takes effect on a user’s mailbox.  This is because the policy needs to be enacted on all messages and folders in the user’s mailbox, and the policy needs to be replicated through Active Directory.  You can see the status of Litigation Hold on a user’s mailbox by going back and looking at the “Mailbox Features” section; it may show Litigation Hold as “Enable – Pending” while it is in the process of enabling Litigation Hold.  When the mailbox is fully held, the Mailbox Features will simply show “Enabled”.

With Litigation Hold enabled, all messages, regardless of the organization’s retention policy, will be retained.

Once an employee is removed from Legal Hold, going back to Exchange or Office 365 and selecting “Disable” for Litigation Hold will turn off Litigation Hold on the user’s mailbox.

More information on this topic is covered in Microsoft’s Tech article

Searching for Content (aka Multi-Mailbox Search)

All information is searched the exact same way, whether it is actively in a user’s mailbox, was edited or modified by the user, was deleted from their mailbox (but not yet purged off the Exchange / Office 365 server), or is held for Litigation Hold.  The only difference is the amount of information that may be found: mailboxes on Litigation Hold, or organizations that have cranked up the Deleted Item Retention to save information beyond the default 14 days (potentially indefinitely), will return more information, since the information has not been automatically purged off the Exchange or Office 365 servers.

The key to searching is to choose words, date ranges, and other parameters that help you zero in on the information you are looking for, without narrowing the search so tightly that it misses some of that information.  As an example, if you simply search for information between Bob and Mary over a 30-day period, you might end up with 1000 messages, which might be too much information to find what you are looking for.  On the other hand, if you search for messages between Bob and Mary over the 30-day period with the key phrase “don’t tell anyone”, the search might narrow down to, say, 8 messages.  But if at any point during the email thread either Bob or Mary deleted or changed the “don’t tell anyone” phrase in the email, those subsequent emails would not show up in your search results.  This happens frequently: as messages get really long, users may delete or truncate part of the message.  Likewise, if you only look for words in a Subject line and one of the users changes the Subject line, your tight search may not return what you were expecting to find either.

It is recommended that you create a very small mailbox with only a dozen messages inside of it and try out the searching process to perfect your ability to look for (and ultimately find) the information you are looking for before you try to look at a mailbox or several mailboxes with hundreds of thousands of email messages.  Remember, this is a very specific search; it will find exactly what you are looking for.  Unlike searching the Web with Google or Bing, where the search finds information that “kind of” has the same words, or similar words and phrases, the eDiscovery search in Exchange / Office 365 will only find 100% exact matches to what you query.

Additionally, when you do a multi-mailbox / e-Discovery search in Exchange / Office 365, depending on your configuration, the results can show up in several different folders including:

• The folder where the message currently resides

• The Deleted Items folder which holds messages that have been deleted but not yet flushed from the Deleted Items folder

• The Recoverable Items / Deletions folder which contains messages deleted from the Deleted Items folder

• The Recoverable Items / Purges folder which is used for messages deleted while the mailbox is in Litigation Hold or Single Item Recovery, and

• The hidden Recoverable Items / Versions folder which contains messages that were edited or modified.

So you may find content for a single message that has been modified, edited, deleted, and attempted to be purged in 4 or 5 different locations!

Additionally, the eDiscovery / Multi-mailbox search capabilities in Exchange 2010 / Office 365 do not piece together the sequence of events for a message history, so while you may find a message in 4 or 5 different places dependent on the message status, you won’t know the sequence in which a message was deleted, modified, edited, or purged without manually going through and comparing timestamp properties for the messages.

There are 3rd party tools being developed that will be able to take extracted information from the Recoverable Items folders and piece together the history and sequence of events on messages.  Instead of having to buy an entire archiving and Litigation Hold server solution, if you will be doing a lot of eDiscovery work, you may want to investigate and buy one of the 3rd party analysis tools.

To search for information using the native Multi-Mailbox search capabilities in Exchange 2010 / Office 365, do the following:

e-Discovery Step 1 – Assign Someone the Rights to Create a Search Query

This is a one-time step that needs to be performed to give someone the rights to create a search query.  By default, NO ONE in the organization, including the Exchange Administrator, has the rights to create search queries.  However, even though the Exchange Administrator doesn’t have the right to create a search query, the Exchange Administrator can go into the Exchange Control Panel and give themselves (and anyone else) rights to create the query.  So it’s just 1 extra step for the Exchange Administrator to give themselves Search Query creation capabilities.  In large organizations, the Exchange Administrator may give the Search Query capability to someone in their internal legal counsel or human resources department, as frequently the person who creates the query is someone “inside” the organization, while the person who has the rights to view the Query Results (assigned later in Step 2) may be “outside” the organization.

To assign the rights to create a search query, do the following:

1.  Log on to Outlook WebApp with a user that has administrator rights (just like you are logging in to check your email)

2.  On the upper right corner, select “Options” and “See All Options”

3.  In the upper left corner, select “Manage” “My Organization”

4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”

5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization that you want to have the ability to create Search Queries as well as be able to put mailboxes on Litigation Hold, then click Save

This individual (or individuals) now has the ability to go to e-Discovery Step 3 to create and initiate a Search query (and to put someone’s mailbox on Litigation Hold).

e-Discovery Step 2 – Assign Someone the Rights to View the Query Results

However, one more step before creating and viewing queries is to assign someone the right to actually View the query results.  As noted earlier, this may be someone completely different in the organization than the person who creates and initiates the query.  For internal Human Resource (HR) queries, the person reviewing the results will likely be the same person who created the query, so for internal searches, the same person in e-Discovery Step 1 will be added to this e-Discovery Step 2.  However, in cases of litigation from another outside firm, internal counsel would likely be added to e-Discovery Step 1, but the other firm’s legal counsel “MAY” be given remote access rights to review the results of the query directly and added to this e-Discovery Step 2.

This process is more formally known as “Manage Full Access Permissions” rights for the Discovery mailboxes.  Without this permission issued, a query can be made and searched messages may be found, but no one has the rights to view the resulting messages.

To give someone the rights to access and view the results of a query, do the following:

1.  Go into the Exchange Management Console (EMC) of an Exchange Server in the organization, go to the Recipient Configuration / Mailbox container, highlight and right click the “DiscoverySearchMailbox”, and select “Manage Full Access Permissions”.  A wizard will begin.

2.  In the Manage Full Access Permissions wizard, click on Add and enter in the name of the user / administrator you want to have access to the Search Results. In the screenshot below, I want the user “Rand” to have access to the DiscoverySearchMailbox content, and as such added Rand here.  Click OK to select the name, then click “Manage”

e-Discovery Step 3 – Create and Initiate a Search Query

Once key individuals have been granted rights to create queries and review the results of the queries, the next step is for the individual who has the right to create a query (the person in e-Discovery Step 1) to actually create a query.  The process is as follows:

1.  Log on to Outlook WebApp with a user who was given Discovery management rights from e-Discovery Step 1 (just like the user is logging in to check their email)

1.  Logon  to Outlook WebApp with a user who was given Discovery management rights from e-Discovery Step 1 (just like the user is logging in to check their email)

2.  On the upper right corner, select “Options” and “See All Options”

3.  In the upper left corner, select “Manage” “My Organization”

4.  In the Mail Control / Discovery section, under the Multi-Mailbox Search section, click on “New” to create a new search query

5.  For the Search Query, enter in the keywords you want to search for:

6.  In the Keywords section, click on “Select message types…” and typically select “Search all messages types including one that may not be listed below” so that EVERYTHING is returned in the search results, including email messages, posts, calendar appointments, notes, tasks, etc.  (By default, only “E-mail” is selected, so Notes, Tasks, IM Conversations, etc. are skipped, which usually does not make for a good search result; you will likely want to search all message types.)

7.  In the “Mailboxes to Search” section, Add the mailbox(es) that you wish to be searched and click OK

8.  In the “Search Name, Type, and Storage Location” section, enter a name for the search (something that will help you remember what this search is about, such as “Searching for keywords Help Me” or “Search for all emails between Bob and Mary in July 2011” or the like).  Select the “Copy the search results to the destination mailbox” option.  You would typically uncheck “Enable deduplication” and leave the mailbox as the default “DiscoverySearchMailbox”.  (Note: while choosing to Enable deduplication saves space, you don’t end up with the key results in ALL mailboxes, and thus if you are searching in 7 different mailboxes, there’s only 1 copy of the message, which isn’t good for true discovery.  If you are concerned about disk space, click on “Estimate the search results” and run the estimate first to see how much space is needed; this merely comes up with an estimate number and does not actually extract any information.)  If you are good to start the search, click on Save.

9.  The search (or estimate) will begin as soon as you click Save and, dependent on how much information is being searched, could take a few seconds or could take an hour.  In the Discovery page, you will see the search query noted.  Remember, this is a Web page, so the page won’t automatically refresh with an update on the percentage of completion; click on the Refresh icon periodically to see whether the search has “completed” or what percentage of the search is done.

10.  At any point, you can highlight the search query, click on the Details option, and change the keywords on the query.  Click the “Start Search” option to begin the new search, and remember to periodically click the refresh button option to check the status.

Once the Search has been Successful, a user who has been set in e-Discovery Step 2 will have the ability to see the search results.  Proceed to e-Discovery Step 4 to view the results.
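The same three steps can also be scripted. The following is an added example, not part of the original article: it assumes the Exchange Management Shell on Exchange 2010 SP1 run by an administrator, the account name 'counsel' is hypothetical, and 'rand', 'bob' and 'mary' reuse the names from the article. Because these rights expose any mailbox's content, it also lists who currently holds them.

```powershell
# Step 1: let 'counsel' (hypothetical account) create searches and place holds.
Add-RoleGroupMember -Identity 'Discovery Management' -Member 'counsel'
# Review the role group membership; it should stay short.
Get-RoleGroupMember -Identity 'Discovery Management' | Format-Table Name, RecipientType

# Step 2: let 'rand' open the discovery mailbox that receives the results.
$discovery = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1
Add-MailboxPermission -Identity $discovery.Identity -User 'rand' -AccessRights FullAccess
# Review who has been explicitly granted access to search results.
Get-MailboxPermission -Identity $discovery.Identity |
    Where-Object { ($_.AccessRights -eq 'FullAccess') -and ($_.IsInherited -eq $false) } |
    Format-Table User, AccessRights

# Step 3: parameters shared by the estimate and the real search.
# -MessageTypes is left unset so that all item types are searched, not only e-mail.
$query = @{
    SourceMailboxes = 'bob', 'mary'
    SearchQuery     = '"Help Me"'
    StartDate       = [datetime]'2011-07-01'
    EndDate         = [datetime]'2011-07-31'
}

# Estimate first: reports count and size without copying any messages.
New-MailboxSearch -Name 'Help Me - estimate' -EstimateOnly @query

# Real search: copy results to the discovery mailbox, deduplication off so
# every source mailbox keeps its own copy of each matching message.
New-MailboxSearch -Name 'Searching for keywords Help Me' @query `
    -TargetMailbox $discovery.Identity `
    -ExcludeDuplicateMessages $false `
    -LogLevel Full

# Re-run this line to check progress (the shell equivalent of the Refresh icon).
Get-MailboxSearch | Format-List Name, Status, PercentComplete, Result*
```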

e-Discovery Step 4 – Review the Results of the Search Query

A person who has been given “Manage Full Access Permissions” in Step 2 will be able to view the results from a Query initiated in e-Discovery Step 3.  To see the results, the individual would do the following:

1.  Launch the Microsoft Outlook 2010 client and log on just like the individual is checking their normal emails.  Because the individual was added in e-Discovery Step 2 to have Full permissions to the Discovery Mailbox, they will have an additional set of folders noted as the “Discovery Search Mailbox”.  Within the “Discovery Search Mailbox” will be a folder that has the name of the Search Query (noted in e-Discovery Step 3 under step 8), such as “Searching for keywords Help Me” or “Search for all emails between Bob and Mary in July 2011” or the like.
