Exchange 2010 Message Search and eDiscovery


An important aspect of the eDiscovery process is finding all potentially responsive ESI. In other words the eDiscovery auditor must perform a search on all ESI repositories which could house responsive ESI.

Key to eDiscovery search in Exchange 2010 is to choose words, date ranges, attachment file names etc to help the auditor narrow the results set to be reviewed, but not to the point of overlooking responsive ESI. The eDiscovery keyword search in Exchange 2010 will only find exact matches of those terms input. Additionally, the eDiscovery multi-mailbox search in Exchange 2010 will not reproduce the history of the email, such as when it was opened, what folders it existed in and when, if it was deleted and when etc., something which can add a great deal of context to the ESI.

Another key in this process is the effectiveness of your system’s indexing capability. Does it index everything including metadata, the entire email message and all attachments so that when you perform a search, you find all instances of the content? And… is the index reliable?

The indexing and search functionality of Exchange 2010 is considered neither accurate nor reliable by eDiscovery industry experts. In testing by a 3rd party market research firm, it was found that:

  • Custodian display name and address searches missed more than 20% of custodian email compared to last name only searches.
  • Lists of search terms became corrupt without generating warning errors.
  • When items are placed on litigation hold, the preservation system did not preserve the critical location context or other metadata properties of content.

To the opposing counsel, these deficiencies are a prime target to call into question your eDiscovery process and maybe enough to have the Judge force you to perform the eDiscovery search again using very expensive third party services.

Although improved over the search capabilities of previous versions of Exchange, several major limitations to Exchange Search remain that should be fully understood. These limitations restrict how Exchange Search is used, and limit its ability to be a primary factor for upgrade for stand-alone eDiscovery support by most organiza­tions.

The biggest drawbacks to Exchange 2010 include:

  • Default search filters limited: Standard Microsoft Office formats can be indexed by Exchange 2010 so that eDiscovery searches can find and return these record types, but there is limited support for other common formats such as the popular PDF file format as well as audio or video file formats. By default, the content of email messages with PDF attachments are unsearchable. (see the iFilter section below)
  • No public folder search: Organizations with a significant investment in public folders will find that they cannot search across public folder data using the native Exchange Search functionality.
  • Localization and language limitations: Emails written in multiple languages are not indexed by Exchange Search. In addition, queries made in a specific language must match the locale of the local computer doing the search.
  • Encrypted messages not indexed: Messages encrypted with S/MIME encryption are not able to be indexed and are subsequently not searchable.
  • Exchange 2010 effectively has 2 indexes per mailbox: One index exists on the Exchange Server and one on the local Outlook machine. Any local PST files cannot be searched from the eDiscovery search interface. Local user search syntax and search results may differ from the network eDiscovery search.
  • Broad-brush legal holds: Legal Holds are a mailbox wide setting meaning that all content in a target mailbox is placed on legal hold. You cannot place individual objects on legal hold. Users can move, forward, reply, flag and categorize items under legal hold with no record. Metadata changes such as the email folder location are not tracked.
  • No case management: eDiscovery searches have no matter folders, audit or security for all eDiscovery group users. Searches for unrelated cases will all be thrown together with no ability to set security by matter.
  • Metadata can be changed on export: According to a report, email exported from the Exchange archive mailbox could have the Creator, Last Modified, PR_Creation_Time, Conversation Index and even message size changed

A question corporate General Counsels need to ask themselves and their IT departments is; can I respond to an email discovery request quickly enough and in a defensible manner to satisfy the opposing counsel and Judge?

To answer that question, you need to consider another question. Is Exchange 2010 indexing everything in my system so that when you conduct a search it will find all relevant content?

The answer is probably not. The question of completeness of the eDiscovery search capability in Exchange 2010 is a big issue many don’t even think to question.

Can you rely on the Exchange eDiscovery search to produce the results so that 1: all potentially responsive ESI can be found and placed on a litigation hold and 2: does the results you end up with contain all potentially responsive ESI?

Advertisements

Does Exchange 2010 have eDiscovery Defensibility?


One question I get asked a lot lately at webinars and seminars is; doesn’t Microsoft Exchange have all the tools I need to respond to a Discovery request? In other words can you rely on Exchange 2010 discovery capability for defensible search and litigation hold? Depending on who you talk to the answer can be yes or no.

Now don’t get me wrong, Microsoft has made great strides on its eDiscovery capability over the last several years with Exchange 2007 and 2010. But there is at least one major question to ask yourself when considering if Exchange 2010 has the capabilities, by itself, to respond to a eDiscovery request. That question is; can I respond to a email discovery request quickly and completely enough to satisfy the opposing counsel and Judge in a defensible manner?

One potential problem I’ve run across is a question of completeness of the eDiscovery search capability in Exchange 2010. Can you rely on it to produce the search results so that 1, all potentially responsive ESI can be found and placed on a litigation hold and 2, does the results set you eventually end up with contain all potentially responsive ESI?

Exchange 2010 comes with a default package of what Microsoft terms as iFilters. These iFilters allow Exchange to index specific file types in email attachments. This default iFilter pack (a description of which can be seen here) must be installed when Exchanger server 2010 is installed. This default iFilter pack includes the following file types:

.ascx, .asm, .asp, .aspx, .bat, .c, .cmd, .cpp, .cxx, .def, .dic, .doc, .docx, .dot, .h, .hhc, .hpp, .htm, .html, .htw, .htx, .hxx, .ibq, .idl, .inc, .inf, .ini, .inx, .js, .log, .m3u, .mht, .odc, .one, .pl, .pot, .ppt, .pptx, .rc, .reg, .rtf, .stm, .txt, .url, .vbs, .wtx, .xlc, .xls, .xlsb, .xlsx, .xlt, .xml, .zip

An obvious missing file type is the Adobe Acrobat .pdf extension. Many/most eDiscovery professionals will tell you that PDF files make up a sizable share of potentially responsive ESI in discovery. What if your IT department didn’t know about this limitation and never installed a separate iFilter for Adobe Acrobat files? What if your legal department didn’t know of this missing capability?

Your discovery searches would not be returning responsive PDF files causing major risk in both litigation hold and your overall discovery response.

Another question in reference to the Exchange 2010 Abobe Acrobat search capability is the effectiveness of the search. In a WindowsITPro article from last year titled Exchange Search Indexing and the problem with PDFs, Or “Why I hate Adobe with the Burning Passion of 10,000 Suns”, Paul Robichaux writes:

This test provided an unsatisfying result. I don’t feel like I found or fixed the problem; I just identified it more closely. Telling my users, “Sure, you can search attachments in Exchange, unless they happen to be PDFs, but then again maybe not,” isn’t what I had in mind. I hope that Adobe fixes its IFilter to work properly; it’s a shame that Adobe’s poor implementation is making Exchange search look bad.”

Corporate attorneys in organizations using Exchange 2007 and 2010 as their email system should immediately ask their IT departments about their system’s ability to index and search PDF files.

Attorneys on the other side of the table should be asking defense counsel the status of their Exchange 2007/2010 Adobe Acrobat search and litigation hold capability.