eDiscovery using Office 365

eDiscovery is the discovery and delivery of electronic information related to civil litigation or government investigations. It is a key component of an organization's security and compliance strategy. Enterprise Office 365 subscribers and SharePoint 2013 enterprise customers can use the eDiscovery center to search, hold and export cases. The discovery can be configured to include Exchange, SharePoint, Lync or external sources like a file share. The eDiscovery center is designed to be self-service, allowing legal personnel to manage cases without using IT resources. Using role-based access you can provide appropriate levels of access to legal and compliance teams. Key benefits of the eDiscovery center include:

  • Search across Exchange, Lync, and SharePoint
  • Reduce amount of data sent to review
  • Near real-time results
  • In-Place Hold keeps the business running
  • Export results with a few clicks
  • Reduce dependency or eliminate other services

Let’s walk through an example using SharePoint Online. The eDiscovery center is a SharePoint Online site collection. To create an eDiscovery center from the SharePoint Admin portal we’ll create a new private site collection. When selecting a template, select the “Enterprise” tab and then select “eDiscovery Center”.

Figure 1 Creating an eDiscovery site collection

A new site collection is generated and you can begin creating cases.

Figure 2 SharePoint online eDiscovery center

Select “Create new case”. A case is a SharePoint Online site so we will be prompted for some basic information about the site.

Figure 3 Creating a case. A case is a SharePoint Online site.

Select create and a new site is generated.

Figure 4 A new case has been created

The first step is to identify the data to include in our case. This is done by defining eDiscovery sets.

Figure 5 Creating an eDiscovery Set

A set contains data sources. A source can be an Exchange Online mailbox, a SharePoint Online site, Lync, or an external source which has been included in the SharePoint search index. To add a source select add & manage sources. I can further refine my source by adding a query in the filter section.

In this example I am searching a mailbox and a SharePoint site. Searching using an Exchange distribution group is supported so I can easily search a large group without having to enter all the names individually. I am using the company name ‘Contoso’ as a filter. This is a simple keyword but rich query syntax is supported so I can add a complex query. An example would be a proximity search: For instance, wingtip NEAR(30) marketing identifies results where “wingtip” is within 30 keywords of “marketing”.
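To see what a proximity filter like the one above selects before using it to narrow a set, the following Python sketch evaluates it over sample text. It is an added example, not Office 365 code: the tokenizer, function names and documents are constructed, and it assumes "within n keywords" means a token-position difference of at most n, matched in either order.

```python
import re

TOKEN = re.compile(r"[A-Za-z0-9]+")


def tokenize(text):
    """Lower-cased word tokens (assumed tokenizer, simpler than the service's)."""
    return [t.lower() for t in TOKEN.findall(text)]


def near_hits(text, term_a, term_b, n):
    """Return (pos_a, pos_b, snippet) for each pair of occurrences whose
    token positions differ by at most n, in either order."""
    tokens = tokenize(text)
    a, b = term_a.lower(), term_b.lower()
    pos_a = [i for i, t in enumerate(tokens) if t == a]
    pos_b = [i for i, t in enumerate(tokens) if t == b]
    hits = []
    for i in pos_a:
        for j in pos_b:
            if i != j and abs(i - j) <= n:
                lo, hi = min(i, j), max(i, j)
                # The snippet shows the reviewer why the document matched.
                hits.append((i, j, " ".join(tokens[lo:hi + 1])))
    return hits


def filter_documents(docs, term_a, term_b, n):
    """Names of documents with at least one proximity hit."""
    return [name for name, body in docs.items()
            if near_hits(body, term_a, term_b, n)]


# Constructed sample documents.
DOCS = {
    "memo.txt": "Wingtip asked the marketing team for the Contoso expansion plan.",
    "far.txt": "Wingtip " + "filler " * 40 + "marketing",
    "reversed.txt": "Our marketing budget covers the Wingtip launch.",
    "single.txt": "Marketing update for Contoso only.",
}

if __name__ == "__main__":
    for name in filter_documents(DOCS, "wingtip", "marketing", 30):
        print(name, near_hits(DOCS[name], "wingtip", "marketing", 30))
```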

Figure 6 Adding my sources

Results will be returned almost immediately because they are retrieved from the search index.

Figure 7 eDiscovery sets with sources and a filter

I can then preview the results, ensuring I have the right information, and make adjustments if needed. If I decide to place this content on hold I can do so by selecting “enable in place hold”. In-place hold ensures the original content cannot be altered or deleted. If an attempt is made to delete or alter the original content, it is copied and hidden from view, and the action is performed on a duplicate. Using in-place hold allows the business to function normally irrespective of the hold, thereby limiting the impact on the business.

Figure 8 Previewing Results of the eDiscovery set

Figure 9 In-Place Hold Status shows “processing”

Office 365 will now process the hold request. We can see this under “In-Place Hold Status”. Office 365 uses a process called “copy on write”. This means the on-hold data is not automatically copied; only content that is modified or deleted is copied. This reduces storage requirements and system stress.

Exchange Online In-Place Hold uses the Recoverable Items folder to preserve items. The Recoverable Items folder replaces the feature informally known as the dumpster in previous versions of Exchange. The Recoverable Items folder is hidden from the default view of Outlook, Outlook Web App, and other email clients.

Figure 10 – View In Place hold status from Exchange admin console

In SharePoint, hold is set at the site level and will include any sub sites. SharePoint Online creates a hidden document library, the “Preservation Hold Library”. We can see this if we are the admin and open the site in SharePoint Designer. Once a document is modified or deleted, its on-hold state is preserved in this library.

Figure 11 Viewing hidden library in SharePoint Designer

Figure 12 Hidden library in SharePoint, looks like any other document library
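The copy-on-write hold described above can be modelled in a few lines of Python. This is an added example, not Microsoft's implementation: the class, method names and document contents are constructed, and the model assumes only the state a document had before its first change on hold is kept.

```python
class HoldError(Exception):
    """Raised when an action is blocked by an in-place hold."""


class HeldSite:
    """Toy model of a site under in-place hold (not SharePoint's code)."""

    def __init__(self, docs):
        self.docs = dict(docs)  # what users see and edit
        self.preserved = {}     # stands in for the hidden Preservation Hold Library
        self.on_hold = False

    def enable_hold(self):
        # Copy on write: placing the hold copies nothing.
        self.on_hold = True

    def _preserve(self, name):
        # Copy the on-hold state once, just before the first change.
        if self.on_hold and name in self.docs and name not in self.preserved:
            self.preserved[name] = self.docs[name]

    def edit(self, name, content):
        self._preserve(name)
        self.docs[name] = content

    def delete(self, name):
        self._preserve(name)
        self.docs.pop(name, None)

    def delete_site(self):
        if self.on_hold:
            raise HoldError("site contains content on hold")
        self.docs.clear()

    def discoverable(self):
        # On-hold state of each document: the preserved copy if one exists,
        # otherwise the unchanged live document.
        return {**self.docs, **self.preserved}


def run_scenario():
    # Constructed sample content.
    site = HeldSite({"plan.docx": "v1 expansion plan",
                     "notes.docx": "v1 notes",
                     "budget.xlsx": "v1 budget"})
    site.enable_hold()
    copies_at_hold = len(site.preserved)
    site.edit("plan.docx", "v2 rewritten")
    site.edit("plan.docx", "v3 rewritten again")
    site.delete("notes.docx")
    try:
        site.delete_site()
        blocked = False
    except HoldError:
        blocked = True
    return copies_at_hold, site.docs, site.preserved, site.discoverable(), blocked
```

In the scenario, nothing is copied when the hold is placed, users see the edited and deleted state, and the discoverable view still returns the three original documents.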

Once content in a site or mailbox has been placed on hold, it cannot be deleted until the items are removed from hold.

Figure 13 Error message when I tried to delete a site that had documents with legal hold

Once we have established our eDiscovery sets we are ready to export. Select new item from the Search and Export section. The eDiscovery set we just created is set as the default source. This can be modified. You are then asked to supply a name and can further refine the results. The ability to further refine results quickly and easily ensures only needed information is sent to review. Review is costly, so we do not want to send excess content. The dashboard provides detailed statistics so you can perform accurate refinements.

Figure 14 Refined export query

In my example I am adding the filter “expansion” to further refine my export.

Figure 15 Export Options

Selecting export provides additional options. Select OK to export. The first time an export is performed a client side download tool is installed and controls the download process.

Figure 16 Confirm output

Figure 17 Status provided by eDiscovery Download Manager

Figure 18 Exported results on PC

Results are exported in industry standard EDRM format:

  • List → csv
  • Web pages, blogs, wikis → mht
  • Email → pst

To remove an in place hold return to the case and select “Disable In Place Hold”.

Figure 19 – Disable In place hold

The eDiscovery center can also be used to identify sensitive data types in SharePoint Online and OneDrive for Business. Sensitive information is a predefined template the search engine uses to find data like social security numbers or credit card numbers. There are 51 templates. A list can be found here. To find sensitive information use a query in the “Search and Export” section of a case. For example, the query SensitiveType="U.S. Social Security Number (SSN)" will find any content containing US social security numbers. The results can be previewed or exported.

I hope you found this information helpful. The example above uses out of the box features. If extended functionality is required, eDiscovery can be extended using the client-side object model or by leveraging one of the many partners within the Office 365 ecosystem.

This paper was written in August of 2014. The Office 365 service is continually improving. To find the latest features, please check the Office 365 Service descriptions. To see what is coming up you can check the Office 365 Public Roadmap.