E-Discovery in Exchange 2013

Microsoft has revamped its email server offerings with the introduction of Exchange 2013. Among the major areas of improvement are the enhanced electronic discovery capabilities.

Electronic discovery (e-discovery) is the process of identifying, preserving, collecting and producing all electronic information that is relevant to litigation. These tasks are also the focus of internal investigations, open records requests, subpoena response and compliance requirements.

Simplifying E-Discovery

Traditionally, Information Technology personnel have been responsible for responding to e-discovery data collection requests. Although IT has the permissions and the technical knowledge to access and deliver the data, it becomes the middleman in a convoluted process. For this reason (and others), there have been strong demands to make e-discovery tasks easier to implement. The main goal of simplification is to give the teams directly responsible for requests (e.g. Legal, Security, Compliance, Human Resources) complete ownership of the discovery processes without granting them access to critical IT administration functionality. Microsoft has been listening, and it shows in the way Exchange 2013 e-discovery has been re-architected.

Earlier versions of Exchange had rudimentary searching and production capability. Most features depended on PowerShell or on other highly technical, tortuous workarounds that lacked refinement. Exchange 2010 introduced a helpful Multi-Mailbox Search with a shiny new interface. Accessible to members of the new Discovery Management role, the Multi-Mailbox Search was designed to be straightforward to run and easily accessible to non-technical personnel.


Exchange 2013 upgrades that functionality while introducing an entirely new model for compliance, highlighted by the searching and preservation features. A new web-based Exchange Administrator Center has been added, and the feature has been renamed In-Place eDiscovery and In-Place Hold.

The improvements are far more than cosmetic. The searching functionality maintains the variety of options introduced in Exchange 2010 and adds a few new ones.  Behind the scenes, searches are now powered by the Microsoft Search Foundation, a powerful indexing and querying engine that is integrated in a number of platforms.  It introduces to Exchange a completely new querying language that allows for far more flexibility in setting up searches for keywords, addresses and other criteria.

By all accounts, the searching is significantly faster with the introduction of optimized indexing. Microsoft Office items (Word, Excel, PowerPoint, etc.) and PDF files are natively processed without the burden of installing iFilters on the server. Some of the limitations on keywords have been removed while enhanced review options for the Discovery mailbox have been added.

In addition to these search-side improvements, Exchange 2013 has a new method for preserving data at a more granular level: In-Place Holds. Three hold options are now available in Exchange 2013: Indefinite, Time-Based, and Query-Based. The last option freezes the items found by the In-Place Search, effectively preventing any change to the items that match the original query.

All holds are now performed without moving data. This helps prevent double storage and the double work of managing multiple data stores. Any modifications or deletions to on-hold items are logged and each version is stored to maintain unadulterated data, all while being completely invisible to the mailbox end user.
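The three hold types described above, created from the Exchange Management Shell with the `New-MailboxSearch` cmdlet. This is an added example, not part of the original article; the custodian addresses, hold names, dates and query are constructed placeholders.

```powershell
# Run in the Exchange Management Shell as a member of the Discovery Management role group.
# All addresses, names, dates and keywords below are constructed placeholders.
$custodians = 'alice@example.com', 'bob@example.com'

# 1. Indefinite hold: no query and no hold period, so every item in the
#    source mailboxes is preserved until the hold itself is removed.
New-MailboxSearch -Name 'Hold-Case001-Indefinite' `
    -SourceMailboxes $custodians `
    -InPlaceHoldEnabled $true

# 2. Time-based hold: each item is preserved for 2555 days (about seven years),
#    counted from the date the item was received or created.
New-MailboxSearch -Name 'Hold-Case001-TimeBased' `
    -SourceMailboxes $custodians `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 2555

# 3. Query-based hold: only items matching the search criteria are preserved.
#    The keyword query and date range narrow the hold to the matter at hand.
New-MailboxSearch -Name 'Hold-Case001-Query' `
    -SourceMailboxes $custodians `
    -SearchQuery '"merger" AND "Project X"' `
    -StartDate ([datetime]'2013-01-01') `
    -EndDate ([datetime]'2013-06-30') `
    -InPlaceHoldEnabled $true

# Review what was created so the scope of each hold can be recorded for the case file.
Get-MailboxSearch |
    Where-Object { $_.Name -like 'Hold-Case001-*' } |
    Format-List Name, InPlaceHoldEnabled, ItemHoldPeriod, SearchQuery, SourceMailboxes
```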

Areas of Concern

As mentioned above, there are many benefits to the new Exchange 2013 features, but there are some areas of concern as well.

First, although the results of a query can be placed in a special Discovery mailbox to place the items on hold, as of this writing there is no way to export the items to PST without resorting to PowerShell or connecting to an Outlook client. This somewhat negates the idea of having a web-based console while keeping IT out of the mix. This lack of PST export also introduces a challenge in auditing the chain of custody.

Next, it is important to be aware of the limitations of the new Exchange 2013. In-Place eDiscovery is not a federated search. Only data stored within Exchange 2013 can be searched or placed on hold. Querying across platforms or other Exchange versions is not possible. No PST files, file servers, or mailboxes on older servers can be included in In-Place eDiscovery. Microsoft has addressed some of these concerns with the new cross-platform eDiscovery Center in SharePoint 2013. However, that has its own complications, and the lack of this feature in Exchange can be limiting to some organizations. This is especially true of those in mixed Exchange environments or those who do not use SharePoint.

While not a flaw of the new Exchange 2013 features, it would be nice to see the analytics given some more attention. Keyword statistics are helpful, but more metrics would be nice in both quality and quantity. So much data is collected that it would be helpful to see more upgrades such as views and data breakdowns, filtering within results, grouping by domains, sent to or received from, search expressions, addresses, conversation count, etc. A syntax builder would also be a nice touch when setting up complex search criteria.

Another item that should be taken into consideration is that the Search Foundation is based on an index and indexes cannot store all details of all items found in the data stores. Significant improvements have been made in reporting unsearchable items (i.e. those that could not be indexed). However, the administrator can improve the processing even further by adding to the default deployment. For example, Search Foundation does not process OneNote or Publisher items natively and needs to have the appropriate iFilters deployed to index those items successfully.  End-users should be made aware of the limitations of the indexing mechanism in their particular environment so they can correctly scope their searches and handle the unsearchable exceptions.

Aside from these quibbles, it is interesting to hear that some organizations are taking a ‘wait and see’ attitude to Exchange 2013. Many are looking forward to the upgrades in Service Pack 1. If Exchange 2010 is any guide, SP1 will bring a host of improvements and some of these challenges or concerns may even be addressed.


I hope this brief overview helps with your understanding of the e-discovery features in Exchange 2013. Keep an eye on this space for upcoming articles, including a practical guide for setting up In-Place eDiscovery as well as a review of the new SharePoint 2013 based eDiscovery Center.
