Saturday, January 26, 2013

New Capabilities eDiscovery with Office 365


I can happily say I am very excited about the new eDiscovery capability that is part of SharePoint 2013. I am even more excited for this capability being delivered with Office 365. Up to this point in Office 365 you have had the ability to do eDiscovery in the cloud but you have had to execute multiple searches. Now with the new features that will be released, there is a unified eDiscovery for Exchange, SharePoint and Lync data in Office 365. Additionally there are some new features for Exchange 2013, which are available in Office 365, which allows more granular way of eDiscovery and then placing a legal hold on that item.

The following are my notes and some additional resources which you will valuable as you start exploring this technology more.

  • The new eDiscovery solution is part of SharePoint Online Plan 2 and is part of the SharePoint 2013 Enterprise CAL on-premise.
  • This solutions allows you to search, hold, and export content from Exchange and SharePoint. Lync instant messages can be captured when they in Exchange’s conversation history folder.
  • The high level process is you create a case, identify locations of where to search, and any filter to find it. You can manage sources, eDiscovery Sets (sources/filter combos), queries and all exports done. All of these operations can be done from a site in SharePoint Online.
  • The major steps are to Create a Case >> Create a eDiscovery set to find and preserve content (optional in-place hold) >> Create a Query to find and export content (previewing and filtering) >> Release Hold

General Legal Hold Improvements for SharePoint and Exchange

With SharePoint 2013 delivered in Office 365, there will be some additional new features available.

  • The state of the content is recorded, thus allowing users to continue to work with the data. With SharePoint 2010 technologies this was not possible as once the item placed on Hold, it is locked down until the Hold is released. Even though users have the ability to edit or delete, SharePoint will ensure there is no loss of an item that was placed on hold. Discovery managers will continue to have access to all the data that was put on hold. There is a new special SharePoint library created at the site level to handle edit and delete scenarios. Basically when anyone of those transactions occur, the file or item on hold will be stored there.
  • Preservation can be done at the site level now. Users can continue to use preserved content.

With Exchange 2013, there is again a several new features that are available.

  • With Exchange Server 2010, the notion of legal hold was to hold all mailbox data for a user indefinitely or until when hold is removed. The legal hold was placed at the mailbox level. With Exchange 2013 in Office 365 you can now determine what to hold and for hold long.
  • Indefinite Holds – This is the way it was done with Exchange 2010 and it is still available. The entire mailbox is put on indefinite hold; nothing can be deleted and edits are managed until the mailbox is released.
  • Query Holds – This is new. If you need the ability to query for items to be placed on hold, this is now supported. When items are found in the query, just the items are placed on hold. Additionally this does support not just finding existing items, but to future email items that have not arrived yet.
  • Time-based Holds – is the idea where legal hold and retention policies are used in conjunction with each other. Specifically this allows you to place a hold on items for a specific period of time which is calculated from the date the item is received or when the hold is created. What this allows you to easily do is create a rule to ensure that all items are retained for X days / years. For instance a policy that says all emails must be kept for 90 days. When an item is deleted out of the user’s mailbox, it will be retained for the remaining amount of time required by the policy.
  • Multiple Holds – this is new where by a user can be placed on multiple holds. When a user is on multiple holds, all of the holds are applied together using an OR operator.
  • In summary, with the addition of these new in Exchange Online you will be able to place an entire mailbox or specific items on hold; Email will be preserved whether a user or process edits or deletes an email; Users can be placed on multiple holds; Items can be held indefinitely; Legal hold can be made transparent to the user; eDiscovery searches can be done on items that have been placed on hold.
  • One Small Note – the In-Place hold utilizes the Recoverable Items folder which is a replacement to the “dumpster”. The Recoverable Items folder is used in support of Legal Hold. There are four sub folders which are used to manage items. First there is the Deletions Sub Folder which is used when a user were to shift delete from inbox or when an item is deleted from the deleted items folder in their mailbox. Users have the ability to recover items from that folder using the item recovery feature from Outlook or OWA. Second there is the DiscoveryHold Sub Folder which manages items that were on legal hold but deleted by the user. Third is the Versions Sub Folder which manage email items that edited and all versions of the edits. For both DiscoveryHold and Versions Sub Folders items will be removed once the hold is released. None of the data stored in these three folders count against the end-user’s mailbox size limit either. Finally there is the Purgres Sub Folder which is responsible for deleting items once all rules have passed.

If you are deep in both SharePoint and Exchange, what you may not is some convergence. SharePoint has always had query based holds which has been brought forward into Exchange. As well Exchange has always allowed user to still work with their mailbox even though they were on hold which SharePoint did not allow. Additionally SharePoint only support legal hold at the item level and not the site level (which is similar conceptually to a mailbox). This is great and is needed to support the next part of this discusion!!!

eDiscovery Sites

Now let’s talk a little bit about this new eDiscovery site that will be available in SharePoint Online to do eDiscovery on Exchange, SharePoint and Lync.

First you create a case using a site template; pretty straight forward process. Once the site is created you will have the some major buckets of features. There are Discovery Sets which facilitates define the sources the search and creating holds. Second there are Queries which search those sources, allow for previewing of results and ultimately exporting the data.


The below screen a new discovery set. As you can see you have the ability to identify the sources, filters, data ranges, etc. for information you want to hold. You have the ability to define what type of hold you want, and in most cases an In-Place hold will be utilized.


Then once items have be placed on hold, you can use the Search and Export feature to run queries to narrow down and find items. Once you find those items, you can export them.

Below is a screen capture of shows has a query can be created across your held data sources. You have the ability to run the query, get information about that query and even preview items before you do an export. You can see that when the Exchange tab is selected you can see all the email, contacts, etc. objects that were round.


The following is from the same query above and shows you the SharePoint data that was returned.


Finally you can export a query once you have it fined tuned. The big question everyone always asks is how the data will be exported. Data will be exported conforming to Electronic Discovery Reference Model standard:

  • SharePoint Documents – in their format
  • Lists - .csv file will be created.
  • Pages – will be exported in MIME HTML (.mht) files
  • Exchange Objects – email, tasks, contacts, calendar, attachments exported in .pst.
  • Additional XML manifest that complies with EDRM is provided that captures all the information exported.



No comments: