Internals of eDiscovery for Office 365, Exchange, and Sharepoint
Download as PPTX, PDF0 likes967 views
The document provides an overview of eDiscovery capabilities including in-place hold, querying, and exporting data. In-place hold allows legal holds to be applied without moving content, preserving current and deleted items that match query criteria. Queries can be used to search content across mailboxes and sites based on keywords, metadata, and other filters. Exports then package the search results for review or production.
Internals of eDiscovery for Office 365, Exchange, and Sharepoint
- 3. Identify and Preserve Search and Process Review Produce eDiscovery Overview
- 7. Advantages: in-place, real time, more content Capabilities: In-Place Hold, Query, and Export
- 10. 1. In-Place Hold
- 11. In-Place Hold
- 12. 1. In-Place Hold
- 13. ItemUpdated ItemDeleted Site on in-place hold? Allow Item Edit/ Delete to Complete No Yes Placecurrent version in preservation hold library. Last modified date older than preservation date? Site on in-place hold? Yes Yes
- 15. Query Based Preservation Feature enabled? Site on in-place hold? End No Yes No Keep Item Does item match union of hold search queries? Does item have search indexing errors? No Yes NoDelete Item
- 17. User A Mailbox Recoverable Items Deletions Inbox Purges Versions Audits Deleted Items … DiscoveryHold Calendar Logging (6a) Messages purged by DIRW Policy (or maintained for Litigation Hold) (5) Message Edited (3) Message deleted (4a) Message “purged” by user (Litigation Hold / Single Item Recovery) Lifecycle of mailbox items (4b) Message “purged” by user (In-Place Hold) (6c) MFA evaluates item against hold queries set on mailbox (6b) Mailboxes with SIR and In-Place Hold enabled have expired messages moved (1) Message delivered (2) Message moved to Deleted Items
- 18. Mailbox on in-place hold? End No Yes Keep Item Does item match union of hold search queries? Does item have search indexing errors? No Yes NoDelete Item
- 19. Lync archives content into Exchange mailboxes when user is on In-Place Hold Includes instant messaging and meeting content In-Place Hold, eDiscovery, MRM of Lync data consolidated to Exchange tools Lync 2010 Exchange 2010 Compliance Archive Compliance New Lync New Exchange Single In-Place data store for Exchange & Lync compliance
- 20. User A Mailbox Recoverable Items Deletions Deleted Items Inbox Versions Purges DiscoveryHolds Server side archiving All Lync modalities captured (PC, mobile, web, OWA) User A on hold
- 21. 2. Query
- 22. Query
- 23. 2. Query
- 24. Exchange Sharepoint Farm 1 Hub eDiscovery Center SSA Proxy Search Service Application Services Farm Search service Cases Sources Queries eDiscovery Sets Exports Query Actions Interface Exchange Web Services Hold ReleaseHold GetStatus MailboxCopy SharePoint Farm 2 Timer job SSA Proxy Fed Query
- 25. USE TO EXAMPLE AND Find content that contains all of the words or phrases it separates. risk and value and VAR finds content that contains all three words. OR Find content that contains either of the words or phrases it separates. risk OR VAR finds all the content that contains either word. NOT Exclude content that contains the term within a phrase. Executive NOT Summary finds all the content that contains the phrase Executive, unless the content also contains the term Summary. ( ) Group words or phrases to show the order in which they are applied. (Risk AND management) OR (VAR or Value- at-risk) NEAR(n) Finds words that are near each other, where n equals the number of words apart. If no number is specified, the default distance is 8 words. Mid Near(5) Office finds Mid and Back Office and Mid-Office and Mid, Back, and Front Office. “ “ Search for specific phrases. “risk management” finds the exact phrase * at the end of word Find terms that contain the root word and any additional letters. risk* finds risk, risks, risked, risking, and risky
- 26. KEYWORDS EXAMPLE RESULTS “Executive Briefing” Any content that contains the words “Executive Briefing” together, anywhere in the document, page, or message. “Executive Briefing” AND “Executive Summary” Any content that contains the words “Executive Briefing” together, anywhere in the document, page, or message, or any content that contains the words “Executive Summary” together. filename:budget Any file with budget in its filename, such as 2014 budget projections.docx, 2015 budget priorities.pptx, 2014 budget planning.xlsx, 2014 budget review.xlsx, and so on filename:2014 budget filetype:xlsx Excel worksheets that contain the phrase 2014 budget, such as “2014 budget planning.xlsx” and “2014 budget review.xlsx”
- 27. NEAR(n)
- 28. Auditing
- 29. 3. Export
- 30. Export
- 31. 3. Export
- 32. Export Client Export Data Query Download Exchange Sharepoint Farm 1 Hub eDiscovery Center SSA Proxy Search Service Application Services Farm Search service Cases Sources Queries eDiscovery Sets Exports Query Actions Interface Exchange Web Services Discovery Web Service Hold ReleaseHold GetStatus MailboxCopy SharePoint Farm 2 Timer job SSA Fed Fed Query
Editor's Notes
- #11: In-place hold helps you protect content that is important for legal events.
- #18: The Deletions folder replaces the ptagDeletedOnFlag view that was displayed when a user accessed the Recover Deleted Items tool. When a user soft deletes or performs an Outlook hard delete against an item, the item is moved to the Recoverable Items\Deletions folder. When the user accesses Outlook/OWA Recover Deleted Items, the RPC Client Access service translates the request and returns the Recoverable Items\Deletions folder view. At this point you may be thinking, how is this any different than in previous versions of Exchange? With short-term preservation deleted items will still be moved into the Recoverable Items folder structure. However, the data cannot be purged until deletion timestamp is past the deleted item retention window. Even if the end user attempts to purge the data, the data is retained. Consider this example by a malicious user: User sends or receives a message that is legally incriminating. User deletes the message. The message is moved to the Deleted Items folder. The user empties the deleted items folder. The user accesses the Recover Deleted Items functionality in Outlook or OWA. The user then selects the item and deletes the item. At this point the user believes he has removed the incriminating evidence. And this is a key strength in this work flow as the end user's actions are not interrupted or prevented; in other words, the end user's work flow is not impaired with single item recovery enabled. However, the message was not purged from the mailbox store. Instead the message was moved from the Recoverable Items\Deletions folder to the Recoverable Items\Purges folder. All store hard-deleted items end up in this folder when single item recovery is enabled. The Recoverable Items\Purges folder is not visible to the end user, meaning that they do not see data retained in this folder in the Recover Deleted Items tool. When the message deletion timestamp has exceeded the deleted item retention window, Records Management will purge the item. Not only does short term preservation prevent purging of data before the deleted item retention window has expired, but it also enables versioning functionality. Essentially when an item is changed, a copy-on-write is performed to preserve the original version of the item. The original item is placed in the Recoverable Items\Versions folder. This folder is not exposed to the end user. What triggers a copy-on-write? For messages and posts (IPM.Note* and IPM.Post*), copy-on-write will capture changes in the subject, body, attachments, senders/recipients, and sent/received dates. For other types of items, copy-on-write will occur for any change to the item except for moves between folders and read/unread status changes.\ Drafts will be exempt from copy-on-write to prevent excessive copies when drafts are auto-saved. The data stored in the Recoverable Items\Versions folder is indexed and discoverable by compliance officers.
- #20: Conversation history will be client side archiving If user is on hold, then data will be stored in exchange With Exchange 2010, management of data was completely separate from the data stored in Lync. Lync data was stored in SQL and queries were executed to get discovery data. With Exchange 2013, the ability for you to have Lync archive all user content into Exchange user mailboxes. There is no longer a need to have a SQL database for management of compliance data. From an on-premises admin standpoint this enables you to have a unified storage model that is completely based on mailboxes. This now enables compliance officers to no longer have to manage and use two different experiences for managing Lync and Exchange data. We capture all Lync data – meetings, IM, whiteboards, transcripts, attachments, etc. All of that gets stored in the user mailbox when the mailbox is on hold.
- #21: I have a user who is currently on hold in Exchange. Tis user participates in a meeting via Lync. The Exchange and Lync services share the attributes in code so both are aware of the fact that the user is on hold. Lync on the server side will capture the conversation or anything associated with the user’s participation in the meeting. Lync will package that up as a transcript and write that into the user’s mailbox, specifically into the Recoverable Items\Purges folder. This folder is indexed and available for discovery. Lync uses EWS to write the data. When the user is on hold, all conversation archiving happens from the server side, not from the client side. This is to ensure that there’s no repudiation of the data. By doing server side, any Lync data is preserved regardless of modality.
- #37: The in-place approach helps you reduce costs by only retaining copies of content that changes. By leveraging the search systems of SharePoint and Exchange, you can run up to date queries any time, and we support all different types of SharePoint, Exchange, and Lync content to help you meet your eDiscovery needs.