Microsoft Exchange Server 2013 : Preserving information (part 6) - Examining search results

11/21/2014 3:29:42 AM
Examining search results

By default, an Exchange organization has a single discovery mailbox. You have to select a discovery mailbox to use when you copy items for a search. The default discovery mailbox serves well for most purposes. However, you can create additional discovery mailboxes to hold search results. You might want to segregate the items belonging to one search clearly from those belonging to another, spread the load required to copy items as they are fetched from databases around the organization, or isolate items retrieved from mailboxes belonging to users in a certain country to comply with privacy regulations.

The results of the search, including copies of all items that match the search criteria, are placed in the selected discovery mailbox. If you copied items for the same search to the discovery mailbox previously, Exchange removes the items for the old search before it copies items for the new search.

Within the discovery mailbox, Exchange organizes search items differently, depending on the kind of search you perform. For searches that retrieve all items (de-duplication not performed), items are organized into a set of folders under a root folder named after the search. For example, if you call the search “Illegal stock trading investigation,” Exchange creates a root folder of this name in the discovery mailbox and then creates a child folder underneath for each mailbox in which a matching item was found (Figure 14). The date and time of the search (the date and time of the server rather than of the client workstation that starts the search) is appended to the mailbox name to clearly identify different searches that have occurred and to provide a solid time line for when evidence was gathered for an investigation. If you open the folder for a mailbox, you see all the folders from which items have been copied in both the primary mailbox and the archive (if the mailbox has one). You can then click the items to review their content and decide whether they are of real interest to your investigation. Incriminating evidence can be retained and any useless information discarded.

This screen shot illustrates the structure used to store copied items in the discovery mailbox. A separate folder is created for each of the source mailboxes under a root folder named the same as the search. In this case, the search is Contoso Stock Trading query.

Figure 14. Search items placed in a discovery mailbox

In Figure 14, you can also see a message in the Inbox of the discovery mailbox that contains details of the search performed and an attachment containing the log file for the search. The log file contains information about all the items the search found, including the folder in which the items are located in the source mailboxes.

Items retrieved for de-duplicated searches are stored in a different form. As you can see from Figure 15, instead of a folder structure composed of a separate folder for each mailbox that is searched, Exchange creates a single folder named after the search together with the date and time the items were copied, and a single copy of each item that’s found by the search is stored in the folder. The message identifier, which is a unique value established when items are first created, is used as the basis of de-duplication. As noted earlier, investigators have to verify that they can discover who received an item located by the search by opening the item and examining its properties. Far fewer items are copied for a de-duplicated search, so it’s a good idea to use this kind of search as the starting point for an investigation and move to a full copy only if absolutely required.

This screen shot shows how items are stored in the discovery mailbox after a de-duplicated search. One large folder is created, identified by the date and time the search is performed. Inside the folder are all the matching items the search copied.

Figure 15. Items retrieved for a de-duplicated search

Note the presence of the Unsearchable subfolder. This contains all the items Exchange considers unsearchable for some reason (perhaps because of an attachment Search Foundation could not index). The items have been located by the search because some elements such as the message properties have been indexed. An investigator must open and examine each of the items in the Unsearchable folder to determine whether it meets the search criteria.

Outlook Web App in Exchange 2010 supports an annotation option an investigator can use to mark an item for follow-up. This option is not available in Exchange 2013.

Controlling access to discovery mailboxes

The users who perform eDiscovery searches are not necessarily those who can access the results of the searches that are placed in discovery mailboxes. You need to assign full access permission to the discovery mailbox to a user before that user can open it to review the search results. By default, members of the Discovery Management role group have full access to the default discovery mailbox, but you have to grant full access explicitly to any other discovery mailboxes you create for use in mailbox searches.

A clear separation therefore exists between the following:

  • Membership of the Discovery Management role group, which is required to be able to create and execute mailbox searches.

  • Full access to the discovery mailbox used for a mailbox search, which is required to open the discovery mailbox and review the items copied there by the mailbox search.

The separation between the two requirements enables a division of responsibilities between those who are responsible for responding to requests for information (often the IT department) and those who will review the retrieved information forensically to look for evidence or other information that is important to an investigation (often the legal department). You might therefore create discovery mailboxes to hold information retrieved for different types of searches so that you can restrict access to those mailboxes to ensure that confidential material is always treated in a correct and legally defensible manner. Some discovery mailboxes might be used for straightforward legal discovery actions and be under the control of the legal department, whereas others might be used for the pursuit of internal complaints against an employee for offenses such as sexual harassment and be restricted to selected members of the HR department.


Access to content held in discovery mailboxes should be carefully controlled so that only the people who need to review and work with the data have access. You must also be sure that those users do not interfere with the search results in an unauthorized manner. For example, it would not be a good situation if someone attempted to cover up illegal activities by appearing to conduct a search for suspicious items and then deleted a selected group of the discovered items to remove evidence. To address this situation, you can enable mailbox audit logging for discovery mailboxes to force Exchange to record the actions these users take (deletions and moves in particular) when they work with items.
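The following EMS script is an added example, not taken from the book, that puts the separation described above into practice: it creates a discovery mailbox reserved for HR cases, grants full access to a single reviewer, verifies who can open the mailbox, turns on mailbox audit logging, and then pulls the audit entries that would reveal a reviewer deleting evidence. The mailbox name, UPN and reviewer account are hypothetical; the cmdlets and parameters are standard Exchange 2013 cmdlets.

```powershell
# Added example (not the book's code). Names are hypothetical.

# 1. A discovery mailbox dedicated to HR investigations. Unlike the default discovery
#    mailbox, nobody gets Full Access to it until you grant it explicitly.
New-Mailbox -Discovery -Name "HR Investigations" -DisplayName "HR Investigations Discovery" `
    -UserPrincipalName HRDiscovery@contoso.com

# 2. Only the named HR reviewer may open the mailbox. -AutoMapping $false keeps Outlook
#    from silently attaching the mailbox to the reviewer's profile on every workstation.
Add-MailboxPermission -Identity "HR Investigations" -User "Ann Reviewer" `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# 3. Check: list every explicit (non-inherited, non-deny) Full Access holder. This is the
#    list the legal or HR owner should sign off on before a search is copied here.
Get-MailboxPermission -Identity "HR Investigations" |
    Where-Object { $_.AccessRights -contains "FullAccess" -and -not $_.IsInherited -and -not $_.Deny } |
    Select-Object User, AccessRights | Format-Table -AutoSize

# 4. Mailbox audit logging. Reviewers with Full Access act as delegates, so the delegate
#    actions matter most; owner actions cover anyone who logs on as the mailbox itself.
#    Entries are kept for a year so they outlive a typical investigation.
Set-Mailbox -Identity "HR Investigations" -AuditEnabled $true `
    -AuditDelegate Update,MoveToDeletedItems,SoftDelete,HardDelete,SendAs,SendOnBehalf `
    -AuditOwner Update,MoveToDeletedItems,SoftDelete,HardDelete `
    -AuditLogAgeLimit "365.00:00:00"

# 5. Who deleted or moved evidence in the last 30 days? Audit entries are written
#    asynchronously, so allow a short delay after the action before expecting them.
$Suspicious = "MoveToDeletedItems", "SoftDelete", "HardDelete"
Search-MailboxAuditLog -Identity "HR Investigations" -LogonTypes Delegate,Admin `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ShowDetails |
    Where-Object { $Suspicious -contains $_.Operation } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ItemSubject |
    Format-Table -AutoSize
```

Step 3 is the check worth repeating whenever a new search is copied into the mailbox: membership of Discovery Management says who can run searches, but only the output of Get-MailboxPermission says who can read what was found.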

Exporting discovered content

After the members of the investigation team have settled on the content that is relevant to a discovery action, they might have to export the information so that it can be provided to a third party such as external legal advisors. Exporting data from the discovery mailbox to a PST is the usual approach in these cases. This can be done in two ways:

  • Select the search from EAC and click the Export icon.

  • Run the New-MailboxExportRequest command.

The EAC Export To PST option exports the complete contents without applying a filter. You might not want to export everything that a search has uncovered from the discovery mailbox, so EMS is often the better solution because you can build a mailbox export request based on whatever filter is required and use it to export the data. Note that New-MailboxExportRequest is available only to users who hold the Mailbox Import Export role, which is not assigned to any role group by default, not even Organization Management. For example, this command uses a date filter to export items from the default discovery mailbox to a PST:

New-MailboxExportRequest -ContentFilter {((Received -ge "01/01/2012") -and (Received -lt "01/01/2013")) -or ((Sent -ge "01/01/2012") -and (Sent -lt "01/01/2013"))} -Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Name ExportContoso -FilePath \\ExServer2\PST\ExportContosoAction.pst -BadItemLimit 10

The parentheses around each date pair make the intended grouping explicit (received in 2012, or sent in 2012). The date strings are interpreted using the regional settings of the server that runs the request, so a month/day order that is unambiguous in your locale is the safe choice. The UNC path must be a share to which the Exchange Trusted Subsystem group has read and write access, because the Mailbox Replication service writes the PST, not the administrator's session.
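The script below is an added example, not the book's own code, that ties the folder structure described for Figures 14 and 15 to the export step: it first lists the folders a named search created in the default discovery mailbox (one child per source mailbox, plus any Unsearchable subfolders), then exports only that search's subtree with a date filter, polls the request to completion, and records any items the Mailbox Replication service skipped. The search name, share path and date window are hypothetical; the default discovery mailbox name is the well-known one from the book. -IncludeFolders with a trailing /* is used here to select the search's root folder and everything beneath it.

```powershell
# Added example (not the book's code). Search name, share and dates are hypothetical.

$Discovery  = "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"
$SearchName = "Illegal stock trading investigation"

# 1. Inspect what the search copied: one folder per source mailbox (date/time appended),
#    each mirroring the source folder tree, and an Unsearchable subfolder where present.
#    Item counts per source mailbox are worth noting in the investigation record.
Get-MailboxFolderStatistics -Identity $Discovery |
    Where-Object { $_.FolderPath -like "/$SearchName*" } |
    Sort-Object FolderPath |
    Format-Table FolderPath, ItemsInFolder, FolderSize -AutoSize

# 2. Export only this search's subtree, narrowed to the investigation window.
#    Dates are written as ISO 8601 so the server's regional settings cannot swap day and month.
#    The caller must hold the Mailbox Import Export role, and the Exchange Trusted Subsystem
#    group needs read/write access to the share, because MRS writes the PST.
$Filter = "((Received -ge '2012-01-01') -and (Received -lt '2013-01-01')) -or " +
          "((Sent -ge '2012-01-01') -and (Sent -lt '2013-01-01'))"

$Request = New-MailboxExportRequest -Mailbox $Discovery `
    -IncludeFolders "$SearchName/*" `
    -ContentFilter $Filter `
    -FilePath "\\ExServer2\PST\ExportContosoAction.pst" `
    -Name "ExportContosoAction" -BadItemLimit 10

# 3. Wait for MRS to finish. Polling the statistics object is the supported way to watch
#    progress; the cmdlet returns immediately after queuing the request.
$Final = "Completed", "CompletedWithWarning", "Failed"
do {
    Start-Sleep -Seconds 30
    $Stats = Get-MailboxExportRequestStatistics -Identity $Request.Identity
    Write-Host ("{0}: {1}% {2}" -f $Stats.Name, $Stats.PercentComplete, $Stats.Status)
} until ($Final -contains $Stats.Status)

# 4. Anything MRS skipped under the BadItemLimit never reached the PST. List those items
#    so the gap is documented rather than discovered later by opposing counsel.
$Report = (Get-MailboxExportRequestStatistics -Identity $Request.Identity -IncludeReport).Report
$Report.BadItems | Format-List

# 5. Remove the finished request; the PST itself stays on the share. A failed request is
#    left in place so its report can be examined.
if ($Stats.Status -ne "Failed") {
    Remove-MailboxExportRequest -Identity $Request.Identity -Confirm:$false
}
```

Because the date filter is expressed as a string rather than a script block, it is passed to the server verbatim, which keeps the OPATH grouping exactly as written. If the search was run more than once, the folder listing in step 1 shows each run's date-stamped folders, and you can tighten -IncludeFolders to the specific run that is being produced.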
