E-Discovery Tips: Finding Conversations Between Two People

When performing an e-Discovery search, you may be requested to find conversations between two or more persons of interest.  Sherpa Software’s Discovery Attender contains a number of options to assist with these types of searches.

First, Discovery Attender provides you with options to search for conversations between two addresses using either the Find Conversation Between Any Two Addresses option or the Find Conversation Between Different Sender and Recipient option as seen below:


“Find Conversation Between Any Two Addresses” Option


“Find Conversation Between Different Sender and Recipient” Option

The Find Conversation Between Any Two Addresses option requires that both the sender and at least one recipient be in the address list. The Find Conversation Between Different Sender and Recipient option locates results where the sender is from one list and at least one recipient is from the other.

These options may not always be ideal. For instance, if your custodians are in the habit of copying themselves (CCs or BCCs) on an email, it may generate a false-positive hit. Additionally, it is not a good idea to use this option if one of the addresses belongs to the custodian whose email you are searching. In this case, all messages in those data stores will be to or from that address, leading to redundant searching. It is more efficient to use the correspondent's addresses in a standard address search. To help avoid generating false-positives and false-negatives due to these factors, you may want to consider breaking your search down into separate searches, according to the number of custodians and addresses being searched:

  1. Perform a search against the first custodian's data stores, searching for all additional correspondent addresses
  2. Perform a search against the second custodian's data stores, searching for all additional correspondent addresses
  3. … and so on with any additional custodians

For instance, let's say you are trying to find conversations between John Doe, Robert Jones and Jane Smith, where John Doe and Jane Smith are custodians in your organization. Assuming you want all instances of the conversations between any of these persons of interest, you would first search all of John Doe's mail stores (mailbox, online archive and/or PST files) for both Jane's and Robert's email addresses. For the second search, you will search all of Jane Smith's data stores (mailbox, online archive and/or PST files) for John's and Robert's email addresses, and so on.
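The two matching rules described above, and the self-copy false positive, can be reproduced on a handful of messages. This is an added illustration, not Discovery Attender's code: the `Message` type, the function names, the stricter `any_two_ignoring_self_copy` check and all addresses are assumptions made up for the example.

```python
from dataclasses import dataclass

@dataclass
class Message:
    sender: str
    recipients: list   # To, CC and BCC combined
    subject: str

def _norm(addrs):
    return {a.lower() for a in addrs}

def between_any_two(msg, addresses):
    """Sender and at least one recipient are both in the one address list."""
    addrs = _norm(addresses)
    return msg.sender.lower() in addrs and bool(_norm(msg.recipients) & addrs)

def between_different(msg, list_a, list_b):
    """Sender is in one list and at least one recipient is in the other."""
    a, b = _norm(list_a), _norm(list_b)
    s, r = msg.sender.lower(), _norm(msg.recipients)
    return (s in a and bool(r & b)) or (s in b and bool(r & a))

def any_two_ignoring_self_copy(msg, addresses):
    """Hypothetical stricter check: the sender's own CC/BCC does not count."""
    addrs, s = _norm(addresses), msg.sender.lower()
    return s in addrs and bool((_norm(msg.recipients) - {s}) & addrs)

# Constructed sample data (addresses and messages are made up).
JOHN = "john.doe@example.com"
JANE = "jane.smith@example.com"
ROBERT = "robert.jones@example.net"
MESSAGES = [
    Message(JOHN, [JANE], "real conversation"),
    Message(JOHN, ["vendor@example.net", JOHN], "self-copy only"),
    Message(ROBERT, [JOHN, JANE], "external to custodians"),
    Message("vendor@example.net", [JANE], "unrelated sender"),
]

def hits(check, *lists):
    """Subjects of the sample messages that satisfy the given check."""
    return [m.subject for m in MESSAGES if check(m, *lists)]

if __name__ == "__main__":
    people = [JOHN, JANE, ROBERT]
    print("any two:        ", hits(between_any_two, people))
    print("ignoring self:  ", hits(any_two_ignoring_self_copy, people))
    print("different lists:", hits(between_different, [JOHN], [JANE, ROBERT]))
```

The "self-copy only" message is returned by the single-list rule even though John wrote to nobody else on the list, which is the false positive the text warns about.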

When searching addresses in general, please remember that to be considered a hit, the address search terms must match the entire address property text. There are actually three properties for each address:

  • Display name (e.g. Jeffrey Lebowski)
  • Exchange Internal address (e.g. /O=FIRST ORGANIZATION/OU=FIRST ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=JeffreyLebowski)
  • SMTP address (e.g. Lebowski@exchangelab.local)

Too often, people will enter just the SMTP address in their search criteria and forget other properties.  For internal communications, the SMTP address is never used.  Only when communicating with people outside of your organization will you see the SMTP address.  Because of this, it is best to use all three addresses for internal email recipients.  The easiest way to do so is to click on the Browse button and pull in the addresses through the Global Address List (GAL) available from Outlook:


Available Addresses by Browsing the GAL

As you can see from this screenshot, this automatically brought in all three available addresses and formatted them properly for the test user, Jeffrey Lebowski.

Keep in mind that pattern matching can be used with the address search term to maximize hits.  For instance, you could combine the above addresses into a single expression by using wildcards (designated by asterisks [*]):


Pattern Matching with Addresses

However, pattern matching may not always work with your criteria. If the name is too common, your search will result in numerous false-positive hits. (That is, you probably do not want to search for just *smith*.) In addition, the Exchange and SMTP addresses may not include the full name either, therefore causing an incomplete result set. To get around this, make sure you verify that you have all the address properties, and don't forget to use the GAL for all internal addresses.
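The whole-property rule and the wildcard caveats above can be checked with a small matcher. This is an added sketch, not Discovery Attender's implementation: `term_matches`, `address_hit`, the case-insensitive comparison and the way each sample message stores its recipient are assumptions; the three Lebowski values are the ones listed earlier on this page.

```python
import re

def term_matches(term, value):
    """True only if the term covers the ENTIRE property text.
    '*' is the only wildcard; comparison is case-insensitive (assumption)."""
    pattern = ".*".join(re.escape(part) for part in term.split("*"))
    return re.fullmatch(pattern, value, re.IGNORECASE) is not None

def address_hit(terms, address_props):
    """A hit when any term matches any address property present on the message."""
    return any(term_matches(t, v)
               for t in terms
               for v in address_props.values() if v)

# The three properties listed for the test user.
LEBOWSKI = {
    "display": "Jeffrey Lebowski",
    "exchange": "/O=FIRST ORGANIZATION/OU=FIRST ADMINISTRATIVE GROUP"
                "/CN=RECIPIENTS/CN=JeffreyLebowski",
    "smtp": "Lebowski@exchangelab.local",
}

# Constructed: an internal message carries no SMTP address,
# an external one carries only the SMTP address.
INTERNAL_MSG = {"display": LEBOWSKI["display"],
                "exchange": LEBOWSKI["exchange"], "smtp": None}
EXTERNAL_MSG = {"display": None, "exchange": None, "smtp": LEBOWSKI["smtp"]}
# Constructed unrelated person, to show how a short wildcard over-matches.
BLACKSMITH = {"display": "Bob Blacksmith", "exchange": None,
              "smtp": "bob@example.net"}

if __name__ == "__main__":
    print(address_hit([LEBOWSKI["smtp"]], INTERNAL_MSG))       # SMTP-only term
    print(address_hit(list(LEBOWSKI.values()), INTERNAL_MSG))  # all three terms
    print(address_hit(["*Jeffrey*Lebowski*"], EXTERNAL_MSG))   # full-name pattern
    print(address_hit(["*smith*"], BLACKSMITH))                # too-common name
```

An SMTP-only term misses the internal message, the full-name pattern misses the external one because the SMTP address holds only the surname, and `*smith*` hits an unrelated person.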

That being said, the GAL may not always include the addresses you need to search. For example, external addresses and former employees are likely not listed in the GAL, or you may not even have access to a GAL. If that is the case, you can do a small sample search with Discovery Attender and find the addresses from your result set. Once you have the result set, go to the Address node and every address will be listed, including the display name and the specific address it found. For instance, if I needed to find John Doe's Exchange address, it is listed here:


Finding Unknown Addresses

Using this information, you can now structure the search accordingly:


Searching for Previously Unknown Addresses

We hope this information was valuable. To learn more or to speak with a Sherpa representative, email information@sherpasoftware.com or call us toll free at 1-800-255-5155.
