Internals of eDiscovery for Office 365, Exchange, and SharePoint
Quentin Christensen, Program Manager, Microsoft Corporation
Agenda
• eDiscovery Overview
• Quick Investigation
• Exchange Admin Center
• eDiscovery Center
• In-Place Hold
• Query
• Auditing
• Export
eDiscovery Overview
[Diagram. Stages: Identify and Preserve; Search and Process; Review; Produce. Labels: Volume, Relevance.]
eDiscovery Challenges
Preservation
Search and reduction
Export
Quick Investigation
Demo
Quick Investigation
Early case assessment
Fast, real time search
Answers in minutes, not weeks
eDiscovery simplified
Save time and money
Reduce risk
Key Takeaways
Advantages: in-place, real time, more content
Capabilities: In-Place Hold, Query, and Export
Exchange Admin Center
Demo
eDiscovery as easy as 1, 2, 3.
1. In-Place Hold: protect content in-place in real time
2. Query: find up to date and relevant content quickly
3. Export: transfer content for review and production
Across: SharePoint, Exchange, Lync, and file shares on-premises and Office 365
In-place hold: content stays in Exchange and SharePoint, less storage space, lower costs, higher fidelity
Location and query based: hold entire mailboxes, SharePoint sites, or apply a query to hold less content
No impact to users: seamlessly create, edit, and delete without knowing it's on hold
1. In-Place Hold
In-Place Hold
Demo
eDiscovery Sets: group mailboxes, SharePoint sites, and file shares
Filters: scope down the amount of content to hold and search
Easy: place and release holds on multiple sources with one click and without weeks of manually collecting content
1. In-Place Hold
SharePoint Preserving Items
[Flowchart. Triggers: Item Updated; Item Deleted. Decisions: Site on in-place hold?; Last modified date older than preservation date? Outcomes: Place current version in preservation hold library; Allow Item Edit/Delete to Complete.]
SharePoint In-Place Hold
• Preservation occurs synchronously
• Items are placed in a secured library in the same SharePoint site
• List items, social feeds, documents, and pages are covered
• Supports multiple holds, preserved content is cleaned up after the last hold is released
• Site collection and farm admins cannot delete the hold data or site
• Versions cannot be deleted when the site is on hold
• Version history is preserved when an item is deleted
SharePoint Query Based Hold
[Flowchart. Decisions: Query Based Preservation Feature enabled?; Site on in-place hold?; Does item match union of hold search queries?; Does item have search indexing errors? Outcomes: Keep Item; Delete Item; End.]
Exchange In-Place Hold
• All edits and deletes are retained
• Content is always held 30 days after deletion date
• Supports multiple holds, preserved content is cleaned up after the last hold is released
Lifecycle of mailbox items
[Diagram: User A Mailbox. Folders shown: Inbox; Deleted Items; …; Recoverable Items; Deletions; Purges; Versions; Audits; DiscoveryHold; Calendar Logging.]
(1) Message delivered
(2) Message moved to Deleted Items
(3) Message deleted
(4a) Message “purged” by user (Litigation Hold / Single Item Recovery)
(4b) Message “purged” by user (In-Place Hold)
(5) Message Edited
(6a) Messages purged by DIRW Policy (or maintained for Litigation Hold)
(6b) Mailboxes with SIR and In-Place Hold enabled have expired messages moved
(6c) MFA evaluates item against hold queries set on mailbox
Exchange Query Based Hold
[Flowchart. Decisions: Mailbox on in-place hold?; Does item match union of hold search queries?; Does item have search indexing errors? Outcomes: Keep Item; Delete Item; End.]
Preserve: Lync Archiving
Single In-Place data store for Exchange & Lync compliance
• Lync archives content into Exchange mailboxes when user is on In-Place Hold
• Includes instant messaging and meeting content
• In-Place Hold, eDiscovery, MRM of Lync data consolidated to Exchange tools
[Diagram. Labels: Lync 2010; Exchange 2010; Compliance; Archive; Compliance; New Lync; New Exchange.]
Lync Archiving: How does it work?
[Diagram: User A Mailbox. Folders shown: Inbox; Deleted Items; Recoverable Items; Deletions; Versions; Purges; DiscoveryHolds. Labels: User A on hold; Hold state synced.]
• Server side archiving
• All Lync modalities captured (PC, mobile, web, OWA)
Real time: no need to wait for indexing, always live and up to date
Reduce: proximity search, rich query syntax
Make decisions: query and source statistics help you analyze
2. Query
Query
Demo
Refiners and filters: multi select refiners, author, domain, and more…
Preview: hover cards with descriptions, open in OWA
Content: Lync IMs and meetings, Exchange mail, calendar, tasks, SharePoint documents, pages, communities, and social feeds
2. Query
eDiscovery Architecture
[Diagram. Components shown: SharePoint Farm 1 Hub; eDiscovery Center (Cases, Sources, Queries, eDiscovery Sets, Exports); SSA Proxy; Search Service Application; Services Farm; Search service; Query; Actions Interface; Exchange; Exchange Web Services (Hold, ReleaseHold, GetStatus, MailboxCopy); SharePoint Farm 2; Timer job; SSA Proxy; Fed Query.]
Operators (operator: use to; example)
• AND: Find content that contains all of the words or phrases it separates. Example: risk AND value AND VAR finds content that contains all three words.
• OR: Find content that contains either of the words or phrases it separates. Example: risk OR VAR finds all the content that contains either word.
• NOT: Exclude content that contains the term within a phrase. Example: Executive NOT Summary finds all the content that contains the phrase Executive, unless the content also contains the term Summary.
• ( ): Group words or phrases to show the order in which they are applied. Example: (Risk AND management) OR (VAR OR Value-at-risk)
• NEAR(n): Finds words that are near each other, where n equals the number of words apart. If no number is specified, the default distance is 8 words. Example: Mid Near(5) Office finds Mid and Back Office and Mid-Office and Mid, Back, and Front Office.
• “ ”: Search for specific phrases. Example: “risk management” finds the exact phrase.
• * at the end of word: Find terms that contain the root word and any additional letters. Example: risk* finds risk, risks, risked, risking, and risky.
Keywords and Properties (keywords example: results)
• “Executive Briefing”: Any content that contains the words “Executive Briefing” together, anywhere in the document, page, or message.
• “Executive Briefing” AND “Executive Summary”: Any content that contains the words “Executive Briefing” together, anywhere in the document, page, or message, or any content that contains the words “Executive Summary” together.
• filename:budget: Any file with budget in its filename, such as 2014 budget projections.docx, 2015 budget priorities.pptx, 2014 budget planning.xlsx, 2014 budget review.xlsx, and so on.
• filename:2014 budget filetype:xlsx: Excel worksheets that contain the phrase 2014 budget, such as “2014 budget planning.xlsx” and “2014 budget review.xlsx”.
Important Notes
• Proximity is NEAR(n)
• Property restrictions (filename:example.docx) in the free text keyword field will exclude all content that does not have that property so use carefully
• Keyword line breaks are still an AND, not an OR
• Operators must be capitalized (AND, OR, NOT)
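The notes above can be turned into a pre-flight check that a reviewer runs on a keyword query before it is used for a hold or a search. This is an added example, not code from the presentation or from Microsoft; the function names `normalize` and `lint` and the sample query are hypothetical, and the checks cover only the four notes on this slide, not full query parsing.

```python
import re

# Quoted phrases (straight or curly quotes) are literal text, so mask them first.
QUOTED = re.compile(r'"[^"]*"|“[^”]*”')
CASED_OPERATORS = {"AND", "OR", "NOT"}  # the operators the slide says must be capitalized
WORD = re.compile(r"[A-Za-z]+")
PROPERTY = re.compile(r"\b([A-Za-z]+):(?=\S)")   # e.g. filename:budget
NEAR_BARE = re.compile(r"\bNEAR\b(?!\s*\()")     # NEAR with no (n)

# Constructed sample: two keyword lines as typed into the free-text keyword field.
SAMPLE = 'risk and (VAR or "Value-at-risk")\nfilename:budget NOT "draft and final"'


def normalize(query: str) -> str:
    """Join keyword lines with an explicit AND, which is how line breaks are applied."""
    lines = [ln.strip() for ln in query.splitlines() if ln.strip()]
    if len(lines) == 1:
        return lines[0]
    return " AND ".join(f"({ln})" for ln in lines)


def lint(query: str) -> list[str]:
    """Return review findings for a keyword query, one per note it trips."""
    findings = []
    if len([ln for ln in query.splitlines() if ln.strip()]) > 1:
        findings.append("line breaks are applied as AND, not OR")
    bare = QUOTED.sub(" ", query)  # ignore words inside quoted phrases
    for word in WORD.findall(bare):
        if word.upper() in CASED_OPERATORS and word != word.upper():
            findings.append(f"'{word}' is not capitalized, so it is not an operator")
    for prop in PROPERTY.findall(bare):
        findings.append(f"'{prop}:' restriction excludes content without that property")
    if NEAR_BARE.search(bare):
        findings.append("NEAR without (n) uses the default distance of 8 words")
    return findings


if __name__ == "__main__":
    print(normalize(SAMPLE))
    for finding in lint(SAMPLE):
        print("-", finding)
```

A query that trips the capitalization check matters most for query-based holds, where an unintended keyword match changes which items are preserved.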
Auditing
Demo
Easy: download from SharePoint, Exchange, and file shares whether on premises or in Office 365 all at once
Extensible: convert into popular load files
Export Multiple Queries: Easily export one or many queries.
3. Export
Export
Demo
Exchange De-Duplication: across Exchange mailboxes
EDRM XML Support: growing industry standard for data interchange, import into popular review tools
Take it offline: Native files, PSTs, pages as .MHT, lists and feeds as .CSV
3. Export
Export Architecture
[Diagram. Components shown: Export Client; Export Data; Query; Download; Exchange; SharePoint Farm 1 Hub; eDiscovery Center (Cases, Sources, Queries, eDiscovery Sets, Exports); SSA Proxy; Search Service Application; Services Farm; Search service; Query; Actions Interface; Exchange Web Services; Discovery Web Service (Hold, ReleaseHold, GetStatus, MailboxCopy); SharePoint Farm 2; Timer job; SSA; Fed; Fed Query.]
eDiscovery Export
• Full results report
• Download errors report
• Indexing errors report
• EDRM XML Manifest
EDRM XML 1.1 Support
eDiscovery as easy as 1, 2, 3.
1. In-Place Hold: protect content in-place in real time
2. Query: find up to date and relevant content quickly
3. Export: transfer content for review and production
Across: SharePoint, Exchange, Lync, and file shares on-premises and Office 365
Office eDiscovery Advantages
• In-Place
• Real Time
• More Content