In-Place eDiscovery and In-Place Hold in the New Exchange - Part I
Published Sep 26 2012 12:47 PM 94.4K Views
Microsoft

When faced with eDiscovery requests, organizations need to be able to preserve email records, search relevant records and produce them for review.

In Exchange Server 2010 and Office 365, Litigation Hold makes it possible to preserve mailbox items. When a user or a process attempts to delete an item permanently, it is removed from the user’s view to an inaccessible location in the mailbox. Additionally, when a user or a process modifies an item, a Copy-on-write (COW) is performed and a copy of the original item is saved right before the changed version is committed, preserving original content. The process is repeated for every change, preserving a copy of all subsequent versions.

Using Multi-Mailbox Search, also new in Exchange 2010, delegated legal, human resources or IT personnel (referred to as discovery managers because they need to be assigned Discovery Management permissions) can search mailbox content across their entire Exchange 2010 organization. Messages returned from a search can be copied to a Discovery mailbox, which is a special type of mailbox with higher mailbox quotas and no capability to send or receive messages.

What's New in In-Place eDiscovery & Hold in Exchange 2013

Since the release of Exchange 2010 and Office 365, we have received a lot of feedback from organizations of all sizes about the messaging policy & compliance features, including archiving, eDiscovery & hold. When planning the evolution of compliance features, we’ve kept your feedback front and center. Let’s take a look at what has changed.

  • A new name In the new Exchange, Multi-Mailbox Search is known as In-Place eDiscovery.
  • A new search engine In-Place eDiscovery still uses the search indexes generated by Exchange Search, but under the hood Exchange Search has been retooled to use Microsoft Search Foundation. The content indexing function was previously performed by Windows Search. Microsoft Search Foundation is a rich search platform that comes with significantly improved indexing and querying performance and improved search functionality.
  • A new way to preserve In the new Exchange, you can use In-Place Hold to place searched content on hold. In-Place Hold is integrated with In-Place eDiscovery, allowing you to simultaneously search and hold content using the same easy-to-use interface. Integrating hold with eDiscovery allows you to be very specific as to what you hold using a query. Reducing the volume of data you preserve lowers the cost of reviewing the data later.
  • A new UI The new Exchange sports a brand new, unified web-based admin tool, the Exchange Administration Center (EAC). Discovery Managers use the new In-Place eDiscovery & Hold wizard to perform eDiscovery searches.
  • Keyword statistics After you create an In-Place eDiscovery search, you can get detailed keyword statistics showing you the number of items matched for each keyword. You can use this information to determine if the query has returned the number of messages you estimated. Depending on whether a query is too broad or too narrow, the search may return too many or too few messages. Use this information to fine-tune your query.
  • eDiscovery Search Preview After you’ve created an eDiscovery search, you can quickly preview search results. Messages returned from each source mailbox are displayed in search preview. Being able to quickly preview messages allows you to ensure your query returns the content you’re searching and further fine-tune your query.
  • Integration with the New SharePoint Exchange offers an integrated eDiscovery & Hold experience with the new SharePoint. Using the eDiscovery Center, you can search and hold in-place all content related to a case -– SharePoint web sites, documents, file shares indexed by SharePoint, mailbox content in Exchange and archived Lync content from a single location. You can export content associated with case, including files, lists, web pages and Exchange mailbox content. Mailbox content is exported as a .PST file. An XML manifest that complies with the Electronic Discovery Reference Model (EDRM) specification provides an overview of the exported information.

    To search Exchange content, SharePoint uses Exchange’s Federated Search API. Regardless of whether you search Exchange content from the EAC or using SharePoint, the same search results are returned. The new SharePoint and Exchange both use the same underlying indexing and querying engine – Microsoft Search Foundation, which allows you to use the same search query for both SharePoint and Exchange content.

Performing an In-Place eDiscovery search

Let’s take a look at how one discovery manager performs an In-Place eDiscovery search.

Robin works on the legal team at marketing firm Contoso. Contoso receives a request from a company called Tailspin Toys to assist with a marketing campaign for a new toy they are producing. Contoso is known for doing great toy marketing campaigns since they do a lot of work in the toy industry. This is great for business but they also have to be careful because many of the toy companies with which they work are competitors. Contoso just finished a highly successful marketing campaign with another toy company called Wingtip Toys and Robin wants to ensure that there's no confidential information that may accidentally get past from one customer to another through his team. To that end, Robin wants to search through her company's email and documents with the help of her legal team to make sure there are no potential issues.

To use In-Place eDiscovery, a user must be delegated the Discovery Management role group. You can delegate the role to authorized legal, compliance management or human resources personnel. Robin is one of those legal team members. This ability to have scoped roles in the new Exchange 2013 allows IT Pros to delegate compliance responsibilities to folks like Robin without giving them full access to all Exchange server functionality.

Robin starts by navigating to the Exchange Administration center Center. The EAC’s Compliance Management tab is where you can manage compliance features in the new Exchange. Because Robin doesn’t have any other Exchange administrator roles, she only sees the interface relevant to the Discovery Management role group. On the compliance management tab, she can only see In-Place eDiscovery & Hold.


Figure 1: In-Place eDiscovery and Hold tab is accessible to users with delegated Discovery Management permissions

She clicks on the Add button to start the New new In-Place eDiscovery & Hold wizard and enters a name and an optional description for the search.


Figure 2: Create an In-Place eDiscovery search using the new In-Place eDiscovery & Hold wizard in EAC

Robin can search all mailboxes in the Exchange organization or select the mailboxes she wants to search.


Figure 3: Specify mailboxes (to search or search all mailboxes)

On the Search query page, Robin can select the option to return all mailbox content or just specific content. Robin wants to find specific content related to work done between hers team members and WingTip Toys. She has the option to perform a simple search by just entering in a few key words or more complex search if she wants with Boolean operators like ANDs, ORs, parenthesis, etc. so she can be very specific as to what she is looking for. This can be a big time and cost savings for her since multiple gigabyte mailboxes are very common and she wants to reduce that set of content down to the minimum amount she needs to look at to find what she wants.


Figure 4: Specify a search query, including keywords, start and end dates, sender and recipients

In addition to using Boolean logic she’s also using the proximity operator (NEAR), which allows her to find words that are close to each other. You can also see her using a wildcard character so in this case she is looking for the word wingtip within three words of toy, toys, toymaker or anything similar.

In this particular case, Robin wants to look for these keywords anywhere in a given email, but if she wants to be more specific, for example search for a phrase only in the message subject, she could type in Subject: and then her phrase right after it. Depending on how specific she wants to be, she can create complex queries. You can use several hundred keywords in a query.

She can also choose specific types of messages. An Exchange mailbox has email but also calendar items, tasks, notes and other items related to personal information management. The new Exchange allows her to search all of those items or she can narrow the query down to specific types of items. She selects email and also meetings so she can track which ones of her employees met with Wingtip and read the meeting invites to find out what was discussed.


Figure 5: Select all message types or specify the message types to search

Once Robin has created hers query to define what content is important to her, she has a few options in terms of what to do with the results. If she feels it's important to protect this content she has the option to place it on hold. When content is placed on hold, Exchange automatically captures any attempts to edit or delete or delete data and stores those items in a hidden folder in the mailbox. It's completely invisible to the end-users so it doesn't interrupt their daily workflow, but it does keep that important data for recovery later.


Figure 6: Placing search results on an In-Place Hold

We will talk more about In-Place Hold in Part II of this post.

Robin clicks Finish. The search is running against Exchange 2013 mailboxes and placing items on hold.

When the search is complete, Robin takes a look at the total size and item count to see if it’s manageable. If there are a million items, her query is likely too broad;, if there are no items, it may be too narrow. If she wants to dig into the details, she can view the search statistics to see exactly how each keyword contributed to the overall result set. That lets her really be targeted about the way she's tweaking her queries so she can quickly get a result set down to a manageable size.


Figure 7: Use search estimate and keyword statistics to fine-tune search queries

Once she is done tweaking her query, she can stop the search and discuss with her team or legal counsel whether the query is correct. She can also create additional eDiscovery searches and use different query parameters.

She can also choose to preview messages returned in the search.


Figure 8: eDiscovery Search Preview to preview messages and determine query effectiveness

The eDiscovery Search Preview displays message count and total size for each mailbox searched. The preview functionality is built on Outlook Web App, which shows the message in its native format without any changes.


Figure 9: eDiscovery Search Preview displays live message preview without copying messages to a Discovery mailbox

Robin can quickly scroll through all of her results to view additional items that came back with her search. Since she is using the full- fidelity Outlook Web App preview, she can also view attachments.

Once Robin has previewed her results and she's happy with them, she can make a copy for of them for later review, or export them so that she can export them to handoff to her outside legal counsel. To do that, she simply clicks on the Copy search results link.


Figure 10: Copying messages returned by the search to a Discovery mailbox

When copying messages to a discovery mailbox, she has the following options:

  • Include unsearchable items She can choose whether she wants to include "unsearchable" items, items that our indexing system may not be able to handle, such as a corrupted item, a password-protected zip attachment, or an item encrypted with something other than Information Rights Management. This check box gives her the option to include those two in case she wants to review them manually just to make sure she's doing her due diligence and not missing anything.
  • Enable de-duplication She also has the option to enable de-duplication. As you know, it's very common to send email to multiple people at once. De-duplication allows her to reduce that down to only one copy so there are fewer messages to review.
  • Enable full logging She can also keep a full log of research results of she wants, which includes a complete list of every item she found. This is especially useful for de-duplication, since if you duplicate you only keep one copy of a message that multiple people may have. Later on, you she may have a need to know if one person had it in his inbox and it was flagged as important, but another person moved it into his deleted items folder and never read it. All that information is in that log.
  • Email notification She can also choose to have an email sent to her when the copy process completes. If search results return 20-30 GB of data, it can take a while to copy them to a discovery mailbox.

The last thing Robin will pick is the Discovery mailbox into which she wants to put her search results.

After copying is completed, Robin can see that the copy operation is complete and she has a link to the mailbox where the results are stored. Robin can now navigate to the copy of her search results to view them. In this view, she does have the ability to perform a review on her items, she can tag items that are important, or if she decides some are not important, she can take them and move them to the deleted items folder so that they are no longer in her view.

Once that's done, if Robin needs to share the consolidated results with an outside counsel, she can use her Outlook client to export the consolidated results list to a PST file.

We’ve provided you with an overview of the In-Place eDiscovery & In-Place Hold functionality in the new Exchange. In Part II of this post, which is scheduled to be published shortly, we will dig deeper into In-Place Hold.

Bharat Suneja and Julian Zbogar-Smith

Go to In-Place eDiscovery and In-Place Hold in the New Exchange – Part II

7 Comments
Version history
Last update:
‎Jul 01 2019 04:09 PM
Updated by: