Retrieving discovered content
When investigators confirm that a search is correctly focused
on the items that are necessary, they can proceed to the final stage in
the process: copying items from user mailboxes into a discovery mailbox
where the items can be reviewed and dealt with as necessary. When you
select Copy Search Results, EAC displays the screen shown in Figure 11.
The options available are:
Include Unsearchable Items. Although
a query used with an in-place hold cannot be guaranteed to find
matching content in unsearchable items, search and copy can locate
matching unsearchable items based on item properties such as Subject.
Therefore, you can include unsearchable items when instructing search
to copy items from user mailboxes. To hold everything in a mailbox,
including any unsearchable items, apply a litigation hold or an
in-place hold that doesn’t have an associated query.
Enable De-duplication. It
is the nature of email systems to have identical items in user
mailboxes. For example, a message you send to 14 recipients starts by
being discoverable in 15 mailboxes. Gradually, the number of
discoverable copies reduces as recipients delete their copy, but a
search inevitably turns up multiple copies of items. De-duplication
causes the search to retrieve a single copy (the first copy
encountered); you depend on the recipient list for the item to
understand who actually received it. Apart from the system overhead
incurred to copy and store every instance of a message found in the
searched mailboxes, providing extra copies of messages drives up the
cost of responding to legal discovery actions if the lawyers or other
individuals who review the search results are paid on a per-item basis.
De-duplication might or might not be acceptable to your legal team. If
de-duplication is not used, a search copies every copy of matching
items it finds, no matter the number of mailboxes in which the items
are located. Exchange 2013 does not support thread compression at this
point.
Enable Full Logging. The
default is to use basic logging when copying items. Full logging
generates comprehensive details of what’s been done to fetch items from
user mailboxes.
Send Me Email When The Copy Is Completed. Copying
items located by a search can take an awfully long time (defined as
being longer than a coffee break), especially if gigabytes of
information have to be retrieved from remote Mailbox servers. Asking
Exchange to send you an update to let you know when everything is done
is simple good sense and can enable you to do more valuable work in the
interim.
Note
In terms of de-duplication, you should remember that because Exchange does
not expand the membership of a group into a message header, seeing that
a message was delivered to a group doesn’t tell you whether someone
received a copy because there’s no way of proving what the membership
of the group was at the point when the transport service expanded the
group membership and delivered the message.
When you click Copy, EAC updates the search metadata and launches the search
and copy operation. Items are copied in the background and, eventually,
you receive an email similar to that shown in Figure 12 informing you that the search and copy operation has completed.
After notification that the search has finished copying items, you can return
to EAC. At this point, the properties of the search shown in the
details pane should reveal the number of items the search found. It
also has a link you can click to access the discovery mailbox storing
the copied items (Figure 13).
The link invokes a new Outlook Web App session connected to the
discovery mailbox, assuming the user who ran the search also possesses
full access permission for the discovery mailbox.
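The four copy options described above can also be set from the Exchange Management Shell. The following is an added example, not taken from the original text; the search name, discovery mailbox, and notification address are hypothetical placeholders, and it assumes the account running it holds the Discovery Management role.

```powershell
# Added example: the three values below are hypothetical placeholders.
$searchName = 'Example-Case-Search'        # an existing search already checked in estimate mode
$target     = 'Discovery Search Mailbox'   # discovery mailbox that receives the copies
$notify     = 'investigator@example.com'   # recipient of the completion message

# Switch the search from estimate mode to copy mode and set the four options.
$copyOptions = @{
    Identity                 = $searchName
    TargetMailbox            = $target
    EstimateOnly             = $false
    IncludeUnsearchableItems = $true     # Include Unsearchable Items
    ExcludeDuplicateMessages = $true     # Enable De-duplication (one copy kept)
    LogLevel                 = 'Full'    # Enable Full Logging (default is Basic)
    StatusMailRecipients     = $notify   # Send Me Email When The Copy Is Completed
}
Set-MailboxSearch @copyOptions

# Launch the background search-and-copy operation. Without -Force the cmdlet
# asks for confirmation, which is a useful safeguard because restarting a
# search replaces results previously copied for it.
Start-MailboxSearch -Identity $searchName

# Poll until the job reaches a final state, with an upper bound on the wait.
$finalStates = 'Succeeded', 'PartiallySucceeded', 'Failed', 'Stopped'
$deadline    = (Get-Date).AddHours(4)
do {
    Start-Sleep -Seconds 60
    $search = Get-MailboxSearch -Identity $searchName
} until (("$($search.Status)" -in $finalStates) -or ((Get-Date) -gt $deadline))

# Item count, size, and the link to the discovery mailbox, as shown in the
# EAC details pane.
$search | Format-List Name, Status, ResultNumber, ResultSize, ResultsLink
```

If the legal team does not accept de-duplication, set ExcludeDuplicateMessages to $false so that every copy found in every searched mailbox is retained.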