Examining search results
By default, an Exchange organization has a single discovery
mailbox. You have to select a discovery mailbox to use when you copy
items for a search. The default discovery mailbox serves well for most
purposes. However, you can create additional discovery mailboxes to hold search results.
You might want to segregate the items belonging to one search clearly
from those belonging to another, spread the load required to copy items
as they are fetched from databases around the organization, or isolate
items retrieved from mailboxes belonging to users in a certain country
to comply with privacy regulations.
The results of the search, including copies of all items that match the search criteria, are
placed in the selected discovery mailbox. If you copied items for the
same search to the discovery mailbox previously, Exchange removes the
items for the old search before it copies items for the new search.
Within the discovery mailbox, Exchange organizes search items differently,
depending on the kind of search you perform. For searches that retrieve
all items (de-duplication not performed), items are organized into a
set of folders under a root folder called the name you gave to the
search. For example, if you call the search “Illegal stock trading
investigation,” Exchange creates a root folder of this name in the
discovery mailbox and then creates a child folder underneath for each
mailbox in which a matching item was found (Figure 14).
The date and time of the search (the date and time of the server rather
than the client workstation that starts the search) is appended to the
mailbox name to clearly identify different searches that have occurred
and provide a solid time line for when evidence is gathered for an
investigation. If you open the folder for a mailbox, you see all the
folders from which items have been copied in both the primary mailbox
and the archive (if the mailbox has one). You can then click the items
to review their content and decide whether they are of real interest to
your investigation. Incriminating evidence can be retained and any
useless information discarded.
In Figure 14, you can also see a message in the Inbox of the discovery mailbox that
contains details of the search performed and an attachment containing
the log file for the search. The log file contains information about
all the items the search found, including the folder in which the items
are located in the source mailboxes.
Items retrieved for de-duplicated searches are stored in a different form. As you can see from Figure 15,
instead of a folder structure composed of a separate folder for each
mailbox that is searched, Exchange creates a single folder named after
the search together with the date and time the items were copied, and a
single copy of each item that’s found by the search is stored in the
folder. The message identifier, which is a unique value established
when items are first created, is used as the basis of de-duplication.
As noted earlier, investigators have to verify that they can discover
who received an item located by the search by opening the item and
examining its properties. Far fewer items are copied for a
de-duplicated search, so it’s a good idea to use this kind of search as
the starting point for an investigation and move to a full copy only if
absolutely required.
Note the presence of the Unsearchable subfolder. This contains all the items
Exchange considers unsearchable for some reason (perhaps because of an
attachment Search Foundation could not index). The items have been
located by the search because some elements such as the message
properties have been indexed. An investigator must open and examine
each of the items in the Unsearchable folder to determine whether it
meets the search criteria.
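An added example, not from the book, of sizing the review work for a search from EMS: it lists the folders the search created in the discovery mailbox and counts the items that landed in Unsearchable folders, since each of those has to be opened by hand. The search name and the default discovery mailbox name are placeholders for your own.

```powershell
# Added example: summarise what a mailbox search copied into a discovery mailbox
# and how many items need manual review because Exchange could not index them.
# Assumption: the mailbox name and search name below are placeholders.
$DiscoveryMailbox = "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}"
$SearchName       = "Illegal stock trading investigation"   # root folder is named after the search

# Every folder Exchange created for this search, with per-folder item counts
$folders = Get-MailboxFolderStatistics -Identity $DiscoveryMailbox |
    Where-Object { $_.FolderPath -like "*$SearchName*" } |
    Select-Object FolderPath, ItemsInFolder, FolderSize

$folders | Sort-Object FolderPath | Format-Table -AutoSize

# Items in Unsearchable folders matched only on indexed properties (not content),
# so an investigator must open each one to decide whether it meets the criteria
$manualReview = 0
foreach ($f in ($folders | Where-Object { $_.FolderPath -like "*/Unsearchable*" })) {
    $manualReview += $f.ItemsInFolder
}

# Total items copied for the search, useful for the case record
$total = 0
foreach ($f in $folders) { $total += $f.ItemsInFolder }

"{0} item(s) copied for search '{1}'; {2} of them in Unsearchable folders need manual review" -f `
    $total, $SearchName, $manualReview
```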
Outlook Web App in Exchange 2010 supports an annotation option an investigator
can use to mark an item for follow-up. This option is not available in
Exchange 2013.
Controlling access to discovery mailboxes
The users who perform eDiscovery searches are not necessarily
those who can access the results of the searches that are placed in
discovery mailboxes. You need to assign full access permission to the
discovery mailbox to a user before he can open it to access the search
results. By default, members of the Discovery Management role group
should be able to access the default discovery mailbox, but you have to
grant full access explicitly to any other discovery mailboxes you
create for use in mailbox searches.
A clear separation therefore exists between the following:
Membership of the Discovery Management role group, which is required to be able to create and execute mailbox searches.
Full access to the discovery mailbox used for a mailbox search, which is
required to open the discovery mailbox and review the items copied
there by the mailbox search.
The separation between the two requirements enables a division of responsibilities
between those who are responsible for responding to requests for
information (often the IT department) and those who will review the
retrieved information forensically to look for evidence or other
information that is important to an investigation (often the legal
department). You might therefore create discovery mailboxes to hold
information retrieved for different types of searches so that you can
restrict access to those mailboxes to ensure that confidential material
is always treated in a correct and legally defensible manner. Some
discovery mailboxes might be used for straightforward legal discovery
actions and be under the control of the legal department, whereas
others might be used for the pursuit of internal complaints against an
employee for offenses such as sexual harassment and be restricted to
selected members of the HR department.
Caution
Access to content held in discovery mailboxes should be carefully controlled
so that only the people who need to review and work with the data have
access. You must also be sure that the users do not interfere with the
search results in an unauthorized manner. For example, it would not be
a good situation if someone attempted to cover up illegal activities by
appearing to conduct a search for suspicious items and then deleted a
selected group of the discovered items to remove evidence. To address
this situation, you can enable auditing for discovery mailboxes to
force Exchange to capture information about the actions these users
take when they work with items.
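An added example, not from the book, that puts the separation of duties and the auditing advice above into EMS commands: it creates a dedicated discovery mailbox for HR cases, grants Full Access only to a reviewer group, enables mailbox audit logging for delegate actions, and then checks who holds access and what was deleted. The mailbox name, UPN and group name are placeholders.

```powershell
# Added example: a dedicated discovery mailbox whose access is restricted and audited.
# Assumptions: names below are placeholders; the reviewer group is a
# mail-enabled universal security group that already exists.
$DiscoveryMailbox = "HR Investigations Discovery"
$Reviewers        = "HR Investigation Reviewers"

# 1. A separate discovery mailbox keeps HR material apart from routine legal discovery
New-Mailbox -Name $DiscoveryMailbox -Discovery -UserPrincipalName hrdiscovery@contoso.com

# 2. Only the reviewers get Full Access. Discovery Management members can run searches
#    that copy items here, but cannot open the mailbox unless granted access explicitly
Add-MailboxPermission -Identity $DiscoveryMailbox -User $Reviewers `
    -AccessRights FullAccess -InheritanceType All

# 3. Record what delegates do with the copied items, deletions in particular
Set-Mailbox -Identity $DiscoveryMailbox -AuditEnabled $true `
    -AuditDelegate Update,Move,MoveToDeletedItems,SoftDelete,HardDelete,FolderBind `
    -AuditLogAgeLimit 365.00:00:00

# 4. Periodic check: list explicit Full Access grants so unexpected accounts stand out
Get-MailboxPermission -Identity $DiscoveryMailbox |
    Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.IsInherited -and
                   $_.User -notlike 'NT AUTHORITY\SELF' } |
    Select-Object User, AccessRights

# 5. Review deletions made by delegates in the last 30 days
Search-MailboxAuditLog -Identity $DiscoveryMailbox -LogonTypes Delegate -ShowDetails `
    -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) |
    Where-Object { $_.Operation -in 'SoftDelete','HardDelete','MoveToDeletedItems' } |
    Select-Object LastAccessed, LogonUserDisplayName, Operation, FolderPathName, ItemSubject
```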
Exporting discovered content
After the members of the investigation team have settled on
the content that is relevant to a discovery action, they might have to
export the information so that it can be provided to a third party such
as external legal advisors. Exporting data from the discovery mailbox
to a PST is the usual approach in these cases. This can be done in two
ways:
The EAC Export To PST option exports the complete contents of a mailbox
without applying a filter. You might not want to export everything that
has been uncovered by a search from the discovery mailbox, so EMS is
often the better solution because you can build a mailbox export
request based on whatever filter is required and use it to export the
data. For example, this command uses a date filter to export items from
the default discovery mailbox to a PST:
New-MailboxExportRequest -ContentFilter {((Received -ge "01/01/2012") -and (Received -lt "01/01/2013")) -or ((Sent -ge "01/01/2012") -and (Sent -lt "01/01/2013"))} -Mailbox "DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}" -Name ExportContoso -FilePath \\ExServer2\PST\ExportContosoAction.pst -BadItemLimit 10