Exchange In-Place eDiscovery & Hold | Introduction | 5#7

Source: http://o365info.com/exchange-in-place-ediscovery-hold-introduction-part-5-7

Page 1 of 23 | Exchange In-Place eDiscovery & Hold | Introduction | 5#7

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

Exchange In-Place eDiscovery & Hold | Introduction | 5#7

The Exchange In-Place Hold & eDiscovery is a very powerful tool that can help us to accomplish three main tasks:

1. Search for information (mail items) in a single mailbox or in multiple mailboxes.

2. Put specific information on “hold” (keep the information for an unlimited time period).

3. Recover deleted mail items.

In this article, we will review the logic and the concepts of the Exchange In-Place Hold & eDiscovery tool.

In the next article, Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7, we will demonstrate how to use the Exchange In-Place Hold & eDiscovery tool for recovering deleted mail items.

One thing that we should know about the Exchange In-Place eDiscovery & Hold is that our “first meeting” with this tool can be a little confusing if we are not already familiar with the logic and the characteristics of this tool.

Exchange In-Place eDiscovery & Hold | Server-side mailbox search tool

If we want to simplify the purpose of the Exchange In-Place eDiscovery & Hold, we can relate to the Exchange In-Place eDiscovery & Hold as a giant search tool.

I use the term “giant” because, versus the search tool that is included in Outlook or OWA, which can help us to locate information in a specific mailbox, the Exchange In-Place eDiscovery & Hold can perform a search in all the mailboxes that are hosted in a specific Exchange organization.

In other words, the Exchange In-Place eDiscovery & Hold helps us to “flatten” the complex Exchange storage infrastructure that can contain hundreds or even thousands of mailboxes.

Another interesting capability of the Exchange In-Place eDiscovery & Hold tool is that we can use it for looking for and finding specific information that is located in all the “different parts” of an Exchange mailbox.

Using the Exchange In-Place eDiscovery & Hold tool we can find information (mail items) that is located in all the different “parts” of the user mailbox.

For example, when using the Exchange In-Place eDiscovery, we can search for specific information (mail items) in the following “parts” of a user’s mailbox:

The “standard” mailbox (Inbox, Sent Items, Drafts and so on)

Online archive mailbox

Recoverable Items folder partition

The real power of the Exchange In-Place eDiscovery tool is realized when we need to access the mailbox partition (the Recoverable Items folder) that is not accessible to our users, for searching and recovering a specific mail item.

When we use the Exchange In-Place eDiscovery to look for mail items, the results can include information about mail items stored in the Recoverable Items folder.
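As an added example (not from the original article), the following PowerShell, run in an Exchange 2013 or Exchange Online remote PowerShell session, shows the hidden Recoverable Items partition the text refers to next to the mailbox’s Deleted Item retention window, for both the primary mailbox and the online archive. The mailbox address is a placeholder.

```powershell
# Added example, not the article's own code. Assumes an Exchange 2013 / Exchange Online
# PowerShell session is already open and that the account may read mailbox statistics.
$Mailbox = "user1@contoso.com"   # placeholder mailbox identity

# Deleted Item retention: how long hard-deleted items survive in Recoverable Items when
# no hold applies (the article's 14-day default). The hold flags are shown next to it.
Get-Mailbox -Identity $Mailbox |
    Select-Object DisplayName, RetainDeletedItemsFor, LitigationHoldEnabled, InPlaceHolds

# Sub-folders of the Recoverable Items partition:
#   Deletions      - soft-deleted items the user can still restore from Outlook / OWA
#   Purges         - hard-deleted items; only an administrator can reach them
#   DiscoveryHolds - items preserved by an In-Place Hold
#   Versions       - earlier copies of items that were changed while on hold
Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope RecoverableItems |
    Select-Object Name, ItemsInFolder, FolderSize |
    Format-Table -AutoSize

# The online archive has its own Recoverable Items partition; query it only when an
# archive is actually enabled (ArchiveGuid is the empty GUID otherwise).
$ArchiveGuid = (Get-Mailbox -Identity $Mailbox).ArchiveGuid
if ($ArchiveGuid -ne [guid]::Empty) {
    Get-MailboxFolderStatistics -Identity $Mailbox -Archive -FolderScope RecoverableItems |
        Select-Object Name, ItemsInFolder, FolderSize |
        Format-Table -AutoSize
}
```

The Purges and DiscoveryHolds rows are exactly the content the user cannot see from Outlook or OWA but that an In-Place eDiscovery search can still return.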

Exchange In-Place eDiscovery & Hold as a “hold” tool

As the name suggests, the Exchange In-Place eDiscovery & Hold serves two main purposes: eDiscovery and Hold.

So, what is the meaning of the term “hold”?

The term “In-Place Hold” relates to our ability as Exchange administrators to protect specific data from deletion.

For example, when we talk about a standard mailbox, in case a user performs a Hard Delete (deletes information from the Deleted Items folder), the default Exchange Deleted Item retention policy enables us (as Exchange administrators) to recover the data over a period of 14 days. After this period ends, the data is lost forever.

The operation of “In-Place Hold” enables us to “override” or “bypass” the default Exchange Deleted Item retention policy and decide that we want to define a specific mail item or specific mailbox data as “un-deletable”.

In Exchange architecture, the term “hold” can be implemented by using one of the following options:

1. In-Place Hold

2. Litigation Hold

The Litigation Hold feature was introduced in the Exchange 2010 server version, and the Exchange In-Place eDiscovery & Hold feature was introduced in the Exchange 2013 server version.

Exchange 2013 supports both of these options (Litigation Hold or In-Place Hold).

In the Exchange 2010 server architecture, the “part” that was used for performing the search in user mailboxes was described as Multiple Mailbox Search, and the “tool” that was used for putting a mailbox on hold was described as Litigation Hold.

In the Exchange 2013 server architecture, the “parts” of searching multiple mailboxes and putting information (mail items) on Hold were unified into one tool named Exchange In-Place eDiscovery & Hold.
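The two hold mechanisms listed above, as an added example (not the article’s code): Litigation Hold is a per-mailbox switch set with Set-Mailbox, while In-Place Hold is created through a mailbox search (New-MailboxSearch) and can therefore be scoped by a query. The mailbox address, search name and query are placeholders; the last command is the audit a defender would run to see which mailboxes currently carry any hold at all.

```powershell
# Added example, not the article's own code. Assumes an open Exchange 2013 / Exchange Online
# PowerShell session with rights to change mailbox settings and create mailbox searches.
$Mailbox = "user1@contoso.com"   # placeholder mailbox identity

# Option 1 - Litigation Hold (Exchange 2010 and later): a switch on the mailbox itself.
# Hard-deleted items land in the Purges folder and are kept for the duration given in
# days; leave out -LitigationHoldDuration to hold indefinitely.
Set-Mailbox -Identity $Mailbox -LitigationHoldEnabled $true -LitigationHoldDuration 365

# Option 2 - In-Place Hold (Exchange 2013 and later): defined on a mailbox search, so the
# hold can be limited to items matching a query. Matching items that the user deletes are
# preserved in the DiscoveryHolds folder for the period given in days.
New-MailboxSearch -Name "Hold-ProjectX-user1" `
    -SourceMailboxes $Mailbox `
    -SearchQuery 'subject:"Project X"' `
    -InPlaceHoldEnabled $true `
    -ItemHoldPeriod 365

# Audit: every mailbox with either kind of hold. InPlaceHolds lists the identifiers of
# the In-Place Holds that apply to the mailbox and is empty when none applies.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.LitigationHoldEnabled -or $_.InPlaceHolds.Count -gt 0 } |
    Select-Object DisplayName, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner,
        @{ Name = "InPlaceHoldCount"; Expression = { $_.InPlaceHolds.Count } } |
    Format-Table -AutoSize
```

The audit is worth scheduling: a hold silently changes how long deleted mail is kept and who can reach it, so the set of held mailboxes should be known and reviewed rather than discovered by accident.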

What was the reason for providing Litigation Hold or In-Place Hold?

The initial reason, or business need, that was “answered” by the Litigation Hold or In-Place Hold Exchange feature was to provide a tool for implementing eDiscovery.

Consider an enterprise company that has a legal need, or is committed to regulations, that dictates the mandatory need of keeping information (mail items in our case) and providing evidence in a scenario of illegal or criminal activity by a company employee.

For example, a scenario in which we suspect that a company employee performs illegal or criminal activity and we fear that he will try to cover his tracks by deleting evidence (mail items). In this case, we need to fulfill two tasks:

1. Prevent the employee from permanently deleting a specific mail item (put the information on “hold”).

2. Have the ability to provide evidence of the illegal or criminal activity of a company employee (the ability to scan the user mailbox and “pull out” the required mail items).

Over time, the Exchange developers thought about how to use the impressive capabilities of the Litigation Hold feature as a “backup and recovery” tool, and the “improved version” of Litigation Hold was presented in the Exchange 2013 version under the name “In-Place eDiscovery & Hold”.

The term “In-Place eDiscovery”

The term “In-Place eDiscovery” is a little vague.

It may sound arrogant, but I’m willing to bet that even if you are an Exchange professional, this term is not completely clear to you.

The reasons for this ambiguity are:

The Exchange In-Place eDiscovery is a term that is built upon and relates to many different parts and components of the Exchange infrastructure and, in addition, relates even to other Microsoft technologies and products such as SharePoint.

The public information is not so clear, and there is very little information that enables us to understand the “big picture” which presents all the different Exchange Online components and infrastructures that relate to “In-Place eDiscovery”.

If we want to be more formal, let’s use the Wikipedia definition for the term eDiscovery:

Electronic discovery (or e-discovery or ediscovery) refers to discovery in litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI).[1] These data are subject to local rules and agreed-upon processes, and are often reviewed for privilege and relevance before being turned over to opposing counsel. Data are identified as potentially relevant by attorneys and placed on legal hold. Evidence is then extracted and analyzed using digital forensic procedures, and is reviewed using a document review platform. Documents can be reviewed either as native files or after a conversion to PDF or TIFF form.[1] A document review platform is useful for its ability to aggregate and search large quantities of ESI.

[Source of information – Electronic discovery]

How is the concept of eDiscovery implemented in the Exchange infrastructure?

The implementation of eDiscovery in an Exchange based environment (Exchange version 2013) is provided by the feature named Exchange In-Place eDiscovery & Hold.

Using the Exchange In-Place eDiscovery & Hold we can fulfill the required needs:

1. Index the data stored in all the user mailboxes.

2. Use a tool that will enable us to search through this infrastructure.

3. Use a tool for “holding” data, meaning the option of preventing specific data from being deleted.

4. A tool for “pulling out” or “fetching” specific data from the user’s mailbox to an “other location” – we can relate to this operation as saving evidence in a scenario of illegal or criminal activity, or just relate to this operation as an option to recover deleted mail items.

The different “parts” of the Exchange In-Place eDiscovery & Hold infrastructure

Despite the need to keep it simple, I find it important to provide a brief overview of the different components that relate to the Exchange In-Place eDiscovery & Hold infrastructure.

In the following diagram, we can see the different “parts” or “building blocks” which create the Exchange service named Exchange In-Place eDiscovery & Hold.

1. The “hold”

This is the part that enables us to “inform Exchange” that we want to “stamp” or “flag” specific information (a mail item) as information that will not be deleted under any circumstances.

2. The mailbox deleted items “store” (Recoverable Items folder)

This is the “hidden partition” of the user mailbox that serves as a container for deleted mail items (and for additional purposes such as audit). When we say that we put specific information “on hold”, the meaning is: deleted mail items that are stored in the Recoverable Items folder.

3. The search tool interface & the search Hold tool interface

This is the Exchange Online web admin tool that enables us to perform the search, define the search parameters and, if needed, define the “hold” on the mail items that answer the search parameters.

4. The search result “store”

When we use the Exchange In-Place eDiscovery & Hold for searching for a mail item that “answers” specific parameters, the results are displayed in a “flat view” using the OWA web client.

In case we need to save the information (not only view the information) for further analysis, as evidence or for recovery purposes, we can ask to “store” the data (the search result) in a specific store.

The Exchange Discovery Search Mailbox is a built-in system mailbox, which serves as a “container” for the In-Place eDiscovery search results.

In the following screenshot, we can see the output of the PowerShell command Get-Mailbox.

We can see that the Exchange Discovery Search Mailbox appears along with the other user mailboxes.

We use the PowerShell command for displaying the information about the Exchange Discovery Search Mailbox because the Exchange Discovery Search Mailbox doesn’t appear in the graphic interface that displays the Exchange recipients.
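An added example (not the article’s code) of the Get-Mailbox check described above, extended with the checks a practitioner would want before trusting the search result store: because the Discovery Search Mailbox collects other users’ mail, who holds FullAccess to it and who is in the Discovery Management role group that can run searches matter as much as the mailbox’s existence. No mailbox names are assumed; discovery mailboxes are resolved by recipient type.

```powershell
# Added example, not the article's own code. Assumes an open Exchange 2013 / Exchange Online
# PowerShell session with permission to read recipients, statistics and mailbox permissions.

# Discovery mailboxes are hidden from the EAC recipient list but carry their own
# RecipientTypeDetails value, so they can be enumerated without knowing their names.
$DiscoveryMailboxes = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox
$DiscoveryMailboxes |
    Select-Object DisplayName, PrimarySmtpAddress, WhenCreated, ProhibitSendReceiveQuota

# How much copied search data the store currently holds.
$DiscoveryMailboxes | Get-MailboxStatistics |
    Select-Object DisplayName, ItemCount, TotalItemSize

# Explicit (non-inherited) FullAccess grants: each one is a person who can open every
# message copied into the store by any search, so keep this list short and reviewed.
$DiscoveryMailboxes | Get-MailboxPermission |
    Where-Object { $_.AccessRights -like "*FullAccess*" -and -not $_.IsInherited } |
    Select-Object Identity, User, AccessRights

# Members of the RBAC role group that is allowed to create and run In-Place eDiscovery
# searches, and therefore to copy mail from any mailbox into the store.
Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object Name, RecipientType
```

The last two listings are the ones to compare against an approved list: the ability to search every mailbox in the organization and the ability to read the copied results are both sensitive, and neither is visible from the simplified admin interface.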

5. Exchange Index services

The ability to perform a fast and efficient search in hundreds or even thousands of mailboxes is heavily dependent on the “Exchange index” services.

The search is not performed by searching the “actual data” stored in each of the mailboxes; instead, the mailbox search is carried out by searching the Exchange index database (the Exchange index is supposed to provide information about all the mail items stored in an Exchange mailbox database).

The Exchange In-Place eDiscovery & Hold | Search scope and search objects

The Exchange In-Place eDiscovery & Hold is a very powerful tool that enables us to execute many varied types of searches.

To be able to use the Exchange In-Place eDiscovery & Hold search option, it’s important that we be familiar with the different “search scopes” that are available to us when using the Exchange In-Place eDiscovery & Hold.

Search scope level 1 – the Exchange In-Place eDiscovery & Hold can perform a search in a specific user mailbox, in a group of mailboxes or in all the existing mailboxes.

Most of the time, in a mail recovery scenario, our search scope will be focused on a specific mailbox.

Search scope level 2 – the “power” of the Exchange In-Place eDiscovery & Hold in a mail recovery scenario is the ability to “pull out” mail items that are “hidden”, meaning stored in the Recoverable Items folder.

At the current time, the search query parameters don’t include an option to define that the mailbox search will be implemented only in the Recoverable Items folder.

Note – if you want to implement a mailbox search that will look for and copy information only from the Recoverable Items folder mailbox partition, you will need to use the PowerShell command Search-Mailbox.

You can read more information about how to perform mail recovery using Search-Mailbox in the article – Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

Search scope level 3 – the last “search scope” that I would like to mention is the search scope that relates to the “type” of mail items that we want to look for.

The Exchange In-Place eDiscovery & Hold tool enables us to define a specific type of mail items such as calendar items, contact items, note items and so on.

In-place eDiscovery & hold | Search query and search results

In-place eDiscovery & hold | Search results

When using the option of In-place eDiscovery & hold for searching for a specific mail item, the “outcome”, meaning the search results, can be “implemented” in different ways.

For example, when we create a search query and activate the search process, the result from the search process (the search results) could be used in the following ways:

1. Information about the mail items that were found – a report that includes information about each of the mail items that was found.

2. The specific mail items that were found during the search process. We can ask to save the mail items that were found for purposes such as recovering the mail items, etc.

3. Put on hold – we can use the search results (the list of specific mail items) to “tell” Exchange to put these specific mail items on hold.

In-place eDiscovery & hold | Search query

When we use the In-place eDiscovery & hold, the first step is to define the search query.

The search query serves as a “container” for the search parameters that we define.

Examples of queries that we can create using the In-place eDiscovery & hold could be:

Example 1 – we can define a query that will look for a specific calendar mail item in a specific user mailbox in a specific time range.

Example 2 – we can define a query that will look for mail items that contain a specific string of text and perform the search (define a search scope) that includes all the mailboxes that are hosted in the Exchange organization.

The Exchange In-place eDiscovery & hold interface that we use for creating the required search query is considered a powerful interface because it enables us to create a very specific query based on many different parameters such as:

Date range

A specific mailbox, a group of mailboxes or all the Exchange organization mailboxes

Source recipient – the recipient who created the email item.

Destination recipient – the recipient who received the email item.

Specific Exchange mail items – the ability to look for a specific type of Exchange mail items such as calendar items, mail items, note items and so on.

After we have created the required search query, we “execute” the search operation.

Later on, we will need to decide what “to do” with the mail items that “answer” the specific query that we have defined.

In-place eDiscovery & hold | What to do with the search results?

After the search operation has ended, we need to decide:

1. Create a report about the findings (Log) – in some scenarios, all we want is to get a report about the mail items that were found.

2. View the search results – this option is relevant to a scenario in which we want to have a general look at the mail items that were found, looking for specific mail item content, etc.

3. Keep the search results in the Discovery Search Mailbox – this option is relevant to a scenario of recovering mail items, or a scenario in which we need the mail items that were found as evidence. By default, the mail items will be saved in a dedicated Exchange system mailbox that is automatically created and named Discovery Search Mailbox.

4. Keep the search results in other mailboxes – in case we prefer to save the mail items from the search result in another mailbox and not in the default Exchange Discovery Search Mailbox, we can do so. The option to choose other mailboxes is available only when we activate In-place eDiscovery & hold via the PowerShell interface.

5. Export the search results to a PST file – this is a very useful and comfortable option that enables us to export the mail items that were found into a PST file. Note – we will review this option in the section – Step 5 – export the search results to PST file.

6. Put the specific mail items on hold – the Exchange In-place eDiscovery & hold tool uses the “search query parameters” as a filter for finding the specific mail items that answer the search parameters, and when Exchange finds such a mail item, it puts a “hold” on this mail item.
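The full search workflow of this and the two preceding sections (define the query, execute it, then decide what to do with the results), as an added example in PowerShell rather than the EAC (not the article’s code). The search name, addresses, dates and keyword are placeholders. Three of the result options above are shown: the estimate report, the copy into the Discovery Search Mailbox, and the hold; viewing in OWA and the PST export stay in the EAC and are not shown.

```powershell
# Added example, not the article's own code. Assumes an open Exchange 2013 / Exchange Online
# PowerShell session and an account in the Discovery Management role group.
$SearchName  = "Search-ProjectX-2015"                     # placeholder search name
$Mailboxes   = "user1@contoso.com", "user2@contoso.com"   # placeholder search scope
$DiscoveryMb = (Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1).Identity

# 1. Define the query: date range, mailbox scope, sender, item types and a keyword (KQL).
#    -EstimateOnly makes the first run a report: item counts and sizes, nothing is copied.
New-MailboxSearch -Name $SearchName `
    -SourceMailboxes $Mailboxes `
    -StartDate "01/01/2015" -EndDate "06/30/2015" `
    -Senders "partner@fabrikam.com" `
    -MessageTypes Email, Meetings `
    -SearchQuery '"Project X"' `
    -EstimateOnly -LogLevel Full

# 2. Execute and wait for completion; Get-MailboxSearch reports the status and counts.
function Wait-MailboxSearch {
    param([string]$Name, [int]$MaxPolls = 120)
    $polls = 0
    do {
        Start-Sleep -Seconds 15
        $search = Get-MailboxSearch -Identity $Name
        $polls++
    } while (($search.Status -like "*InProgress*" -or $search.Status -eq "NotStarted") -and
             $polls -lt $MaxPolls)
    return $search
}
Start-MailboxSearch -Identity $SearchName
Wait-MailboxSearch -Name $SearchName |
    Select-Object Name, Status, ResultNumberEstimate, ResultSizeEstimate, PercentComplete

# 3a. Copy the results into the Discovery Search Mailbox (option 3 above). The same search
#     object is switched from estimate to copy mode and run again; duplicates across
#     mailboxes are copied once.
Set-MailboxSearch -Identity $SearchName -EstimateOnly:$false `
    -TargetMailbox $DiscoveryMb -ExcludeDuplicateMessages $true
Start-MailboxSearch -Identity $SearchName
Wait-MailboxSearch -Name $SearchName |
    Select-Object Name, Status, ResultNumber, ResultSize

# 3b. Put the matching items on hold (option 6). They are preserved in the DiscoveryHolds
#     folder of each source mailbox for the period given, even if the user hard-deletes them.
Set-MailboxSearch -Identity $SearchName -InPlaceHoldEnabled $true -ItemHoldPeriod Unlimited
```

Running the estimate first is the habit worth keeping: it shows how many items a query catches before anything is copied into a store that other people can read, and a query that matches far more than expected is usually a sign the scope or keyword needs tightening.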

The one thing that is missing in the Exchange In-place eDiscovery & hold search

One of the most notable “missing options” of the Exchange In-place eDiscovery & hold is that the interface that we use for creating the search query, which includes many options and parameters for filtering the search results, doesn’t include a filter that enables us to limit the search scope to the mailbox partition – the Recoverable Items folder.
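The Search-Mailbox recipe that this section and the earlier “Search scope level 2” note both point to, as an added example (not the article’s code): the -SearchDumpsterOnly switch restricts the search to the Recoverable Items partition, which the In-Place eDiscovery interface cannot do. The source mailbox, target folder name and keyword are placeholders; the discovery mailbox is resolved by recipient type rather than by name.

```powershell
# Added example, not the article's own code. Assumes an open Exchange 2013 / Exchange Online
# PowerShell session. Search-Mailbox only appears in the session when the account holds an
# RBAC role that exposes it (Mailbox Search, or Mailbox Import Export), so check first.
$Source = "user1@contoso.com"                      # placeholder mailbox to recover from
$Query  = 'subject:"Project X"'                    # placeholder KQL query
$Target = (Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1).Identity

if (-not (Get-Command Search-Mailbox -ErrorAction SilentlyContinue)) {
    throw "Search-Mailbox is not available in this session; check the RBAC roles of the account."
}

# Step 1 - estimate only. Counts the matches inside Recoverable Items (Deletions, Purges,
# DiscoveryHolds, ...) without copying anything, so the scope can be checked first.
Search-Mailbox -Identity $Source -SearchQuery $Query `
    -SearchDumpsterOnly -EstimateResultOnly

# Step 2 - copy the matches into a dedicated folder of the discovery mailbox, with a full
# log of what was copied. -DeleteContent is deliberately absent: a recovery run must never
# remove anything from the source mailbox.
Search-Mailbox -Identity $Source -SearchQuery $Query `
    -SearchDumpsterOnly `
    -TargetMailbox $Target -TargetFolder "Recovery-user1" `
    -LogLevel Full
```

The copied folder keeps the original folder structure of the Recoverable Items partition under the target folder, so the Purges and DiscoveryHolds items can still be told apart after the copy.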

Optional scenarios for using In-place eDiscovery & hold

Scenario 1 | Standard user mailbox – Hard Delete event

A scenario in which an Exchange user who has a “standard” mailbox (a mailbox without Litigation Hold or In-Place Hold) performs a Hard Delete of mail items.

In this case, the mail item is relocated to the Purges folder in the Recoverable Items folder partition, and the user cannot use the Outlook or OWA mail client for recovering the specific mail items.

In this case, the mail can be recovered by the Exchange Online administrator who uses the Exchange In-Place eDiscovery tool, up to a maximum period of 14 days.

Scenario 2 | Exchange mailbox with Litigation Hold or In-Place Hold enabled

A scenario in which the user mailbox is configured as:

Litigation Hold enabled

In-Place Hold enabled

In this scenario, in case the user performs a Hard Delete operation, we will have the ability to recover the deleted mail for a time period that was defined by the Litigation Hold or In-Place Hold policy.

Case 1 – mailbox defined as Litigation Hold enabled

In this case, mail items that were Hard Deleted will be saved in the Purges folder.

Case 2 – mailbox defined as In-Place Hold enabled

In this case, mail items that were Hard Deleted will be saved in the DiscoveryHolds folder.

Exchange Online In-Place eDiscovery | Two popular misconceptions

1. The Exchange In-place eDiscovery & hold tool is used only for a mailbox that is configured as Litigation Hold enabled or In-Place Hold enabled

This assumption is wrong!

The Exchange In-place eDiscovery & hold, as the name suggests, operates as a “search tool” that was created for searching mail items based on specific parameters (a search query).

The Exchange In-place eDiscovery & hold “doesn’t care” if the mailbox is a standard mailbox or a mailbox that is configured as Litigation Hold enabled or In-Place Hold enabled.

The only difference between a standard mailbox and a mailbox that is configured as Litigation Hold enabled or In-Place Hold enabled is that, in case we implement the “hold” option on a specific mailbox, we can use the Exchange In-place eDiscovery & hold search capability to search and recover mail items stored in the Purges folder or the DiscoveryHolds folder for a longer time period than the default 14-day period.

2. The Exchange Online In-place eDiscovery & hold option can be used only by customers who have purchased an E3 license

This assumption is wrong!

Regarding Office 365 customers who have purchased an Office 365 Business license, it’s true that the Exchange Online admin interface is different.

The Exchange Online admin interface of Office 365 customers with an Office 365 Business license is considered “simplified”, and many of the menus and options that are included in the Exchange management interface of “E” customers don’t appear in this “simplified interface”.

For example, the “simplified management interface” of Office 365 customers with an Office 365 Business license doesn’t include the two options of In-place eDiscovery & hold.

The little secret that most of us don’t know is that the Exchange option of In-place eDiscovery & hold is also available for Office 365 customers with an Office 365 Business license.

The catch is that we need to use a little trick for displaying the “advanced Exchange Online management” interface that includes the In-place eDiscovery & hold option.

It’s important to emphasize that the option of “hold” is not available for Office 365 customers who have purchased an Office 365 Business license!

In that case, the Exchange In-place eDiscovery & Hold operates as a “search mailbox tool” and not for putting specific data “on hold”.

Additional reading

Exchange Server 2013 – Planning for In-Place Hold

Support Webcast, eDiscovery and In-Place Hold relative to Exchange Online