e-discovery

eDiscovery in Office 365

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence in legal cases. You can use eDiscovery in Office 365 to search for content in Exchange Online mailboxes, Office 365 Groups, Microsoft Teams, SharePoint Online and OneDrive for Business sites, and Skype for Business conversations. You can search mailboxes and sites in the same eDiscovery search by using the Content Search tool in the Security & Compliance Center. And you can use eDiscovery cases in the Security & Compliance Center to identify, hold, and export content found in mailboxes and sites. If your organization has an Office 365 E5 subscription, you can further analyze content by using the Advanced eDiscovery solution in Microsoft 365.

Office 365 provides the following eDiscovery tools:

• Content Search in the Security & Compliance Center
• eDiscovery Cases in the Security & Compliance Center
• Advanced eDiscovery solution in Microsoft 365

Content Search in the Security & Compliance Center

The following table contains links to topics that will help you use the Content Search tool in the Security & Compliance Center.

Topic	Description
Run a Content Search in the Security & Compliance Center	Learn how to use the Content Search tool to search mailboxes, public folders, Office 365 Groups, Microsoft Teams, SharePoint Online sites, One Drive for Business locations, and Skype for Business conversations in your Office 365 organization in a single search.
Keyword queries and search conditions for Content Search	Learn about the email and file properties and search conditions you can use to search for content in mailboxes and sites in your Office 365 organization.
View keyword statistics for Content Search results	Learn how to use search statistics to display and compare the statistics for one or more content searches, and to configure new and existing searches to return statistics for each keyword in the search query.
Bulk edit Content Searches in the Security & Compliance Center	Learn how to bulk edit the search queries and content locations of one or more Content Searches.
Export search results from the Security & Compliance Center	Learn how to export the results of a Content Search.
Increase the download speed when exporting eDiscovery search results from Office 365	Learn how to configure the Windows Registry on your computer to increase the download speed with exporting Content Search results.
Export a Content Search report	Learn how to download the export report without having to export the actual search results.
Limits for Content Search in the Security & Compliance Center	Learn about the limits of the Content Search tool, such as the maximum number of searches that you can run at one time.
Unindexed items in Content Search	Learn about unindexed items in Exchange and SharePoint that you can include in the estimated search result statistics when you run a search. You can also include unindexed items when you export search results.
Differences between estimated and actual eDiscovery search results in Office 365	Learn about the reasons why there might be differences between the number of estimated search results and the number of actual items that are exported.
De-duplication in eDiscovery search results	Learn about the optional de-duplication feature that you can enable when you export Exchange email messages that are the results of a Content Search.
Search for and delete email messages in your Office 365 organization	Learn how to use Content Search to search for and delete an email message from allmailboxes in your organization. This can help you find and remove potentially harmful or high-risk email.
Use Content Search to search the mailbox and OneDrive for Business site for a list of users	Learn how to use a script to search the mailbox and One Drive for Business site for a group of users. Use Step 2: Generate a list of users in this topic to quickly generate a list of email addresses that you can use for the source content locations when you create and run the search in Step 3.
Create, report on, and delete multiple Content Searches	Learn how to use scripts to create multiple Content Searches, run reports to get the estimated results for each search, and then delete the searches. This can help you to quickly and efficiently identify and cull search data.
Clone a Content Search in the Security & Compliance Center	Learn how to use the Windows PowerShell script in this article to quickly clone an existing Content Search. This can help you compare the results of different keyword search queries run on the same content locations or save time because you don't have to re-enter a large number of content locations when you create a new search.
Configure permissions filtering for Content Search	Learn how to use permissions filtering to let an eDiscovery manager search only a subset of mailboxes and sites in your Office 365 organization.
Prepare a CSV file for a targeted Content Search	Learn how to use a Results.csv file or Unindexed Items.csv file (both which contain information about the results of a content search) to create a targeted search for specific mailbox items.
Use Content Search in Office 365 for targeted collections	Learn how to use the Windows PowerShell script in this article to perform targeted collections using Content Search. A targeted collection means you want to search a specific folder because you're confident that items responsive to a case (or privileged items) are located in that folder. Use the script in this article to obtain the folder ID or path for the specific mailbox or site folders that you want to search.
Use Content Search to search third-party data that was imported to Office 365	Learn how to use the kind and itemclass message properties to search third-party data that you imported to Office 365.

eDiscovery Cases in the Security & Compliance Center

The following table contains links to topics that will help you use eDiscovery cases in the Security & Compliance Center. Use cases to add members who can access the case, place a hold on content locations relevant to the case, associate multiple Content Searches with the case, and export the search results from the case.

Topic	Description
Manage eDiscovery cases in the Security & Compliance Center	Learn how to create and manage eDiscovery cases in the Security & Compliance Center.
Assign eDiscovery permissions in the Office 365 Security & Compliance Center	Learn how to assign eDiscovery permissions in the Security & Compliance Center. You can assign permissions to let users create eDiscovery cases, create holds associated with an eDiscovery case, run Content Searches, preview search results, and export search results.
Create a report on holds in eDiscovery cases in Office 365	Learn how to use the Windows PowerShell script in this article to generate a report that contains information about all the holds that are associated with eDiscovery cases in the Security & Compliance Center.
Use a script to add users to a hold in an eDiscovery case in the Security & Compliance Center	Learn how to use the Windows PowerShell script in this article to quickly add the mailboxes and OneDrive for Business sites for a list of users to a new hold that's associated with an eDiscovery case in the Security & Compliance Center.
Search for eDiscovery activities in the Office 365 audit log	Learn how to search the Office 365 audit log for activities related to creating and managing eDiscovery cases and Content Searches.

Advanced eDiscovery solution in Microsoft 365

The Advanced eDiscovery solution in Microsoft 365 builds on the existing eDiscovery and analytics capabilities in Office 365. This new solution, called Advanced eDiscovery, provides an end-to-end workflow to preserve, collect, review, analyze, and export content that's responsive to your organization's internal and external investigations. It also lets legal teams manage the entire legal hold notification workflow to communicate with custodians involved in a case.

Overview

eDiscovery (Electronic Discovery) is the process of identifying, finding and capturing electronic information to be utilized as evidence in legal cases. eDiscovery is one of many features built into the Office 365 Security and Compliance Center. eDiscovery allows authorized users to search, investigate and place Office 365 content and conversations on hold for a legal purposes. Content can be found and held based on its location, content conditions, as well as keywords/phrases within the following services:

• SharePoint Online documents
• Email content
• OneDrive for Business documents
• Group / Shared Mailbox content
• Microsoft Teams content
• Skype for Business conversations

Basic eDiscovery in Office 365 is fairly intuitive and we will break down the process in the following 4 steps:

1. Office 365 eDiscovery Roles
2. Creating & Managing eDiscovery Cases
3. Placing Content Locations on Hold
4. Performing Content Searches and Exporting Results

As a note, Microsoft is currently rolling out modern user experience within eDiscovery. Tenants all will get this new user interface at different times, with the option to return to the classic experience if users choose. Screen shots within this blog will show the modern user experience, but note that changes are constantly happening and pictures here might vary from what you experience in your tenant. Some functionality is slightly different between the two experiences, but mostly it is the same tools and features displayed differently to the users.

1. Office 365 eDiscovery Roles

As a first step, the appropriate permissions must be assigned to allow users the ability to interact with the eDiscovery Center and cases. A user has to be a member of the Organization Management role group (or be assigned the Role Management role; or a Global Admin) in the Office 365 Security & Compliance Center to assign eDiscovery permissions. eDiscovery managers will then have the ability to create and manage case, and add users to eDiscovery cases. eDiscovery roles are broken into two groups, Reviewers and Managers (which are further distinguied as either Managers or Admins).

eDiscovery roles and the corresponding permissions are as follows:

Role	Description	Allowed Activities	Activities Not Allowed
Reviewer	Reviewers can only see and open cases on the eDiscovery page that they have been made members of by a Manager or Admin.	Can: View / open their cases	Cannot: Create cases Add members to a case Place content on hold Create searches Export results Prepare Advanced eDiscovery results
eDiscovery Manager	Managers can create eDiscovery cases and manage all activities of cases that they are members of.	Can (only for their cases): View / open their cases Add / delete case members Place content on hold Create / edit content searches in case Export content search results Prepare results for Advanced eDiscovery	Cannot: View / open other cases (cases they are not members of)
eDiscovery Admin	Administrators can perform all case management tasks that an eDiscovery Manager can do, while also having access to ALL eDiscovery cases and the ability to perform all Advanced eDiscovery tasks.	Can (for all cases): View / open ALL cases Add / delete case members Place content on hold Create / edit content searches in case Export content search results Prepare results for Advanced eDiscovery	​

eDiscovery Roles are assigned by an authorized user (Global Admin / Org. Manager) in the Office 365 Security & Compliance Center. To get to here, navigate to https://protection.office.com. Select the desired role and edit that role within the management panel.

 

Once all of the necessary users have been assigned the appropriate roles within the Security & Compliance Center, eDiscovery Managers can begin to create / manage eDiscovery cases and add users to those cases.

 

2. Creating & Managing eDiscovery Cases

Before creating and managing eDiscovery cases, it is important to understand that a "case" is simply a logical container or grouping of content holds, searches and results within eDiscovery. Case can have one to many holds and searches within them.

 

To begin performing eDiscovery work, from the Security & Compliance Center, select the Search & Investigation on the left-hand menu and click "eDiscovery". eDiscovery Managers and Admins can create new cases at the top of the page by selecting Create a case, then providing a name and description for the case.

 

Upon creation, Managers can quickly perform the following tasks from the case management fly-out:

• Add / remove / search for case members
• Edit the name / description
• Close / delete the case

 

Opening the case will give the manager full access to the case and the eDiscovery features. From the case management page, users can complete the next 3 activities:

(3) Creating and managing Holds
(4) Creating and managing Searches
(5) Exporting Search Results and preparing them for Advanced eDiscovery

 

3. Placing Content Locations on Hold

Within a case, the first thing the user should do is create a hold on content. A hold simply preserves content from being modified or deleted through the discovery process. Content on-hold cannot be deleted by any user, while the files and their contents are under review. Office 365 users will not know if content they are working with is on hold.

To create a hold, a user must:

1. Create, name and describe the hold
2. Determine the hold location across:
   • Exchange Email: If an item is deleted in Exchange, the content will be placed in the hidden "Recoverable Items" folder
   • SharePoint Sites / OneDrive for Business Sites: If an item is deleted in SharePoint / OneDrive for Business, the content will be placed in the hidden "Preservation Hold" library
   • Exchange Public Folder
3. Create a query for the hold
4. Review and create the hold

Hold Queries follow the KQL Syntax which leverages boolean and other operators, as well as symbols for performing search. Read more on the KQL Syntax.

We often recommend to our clients to leverage locations for holds, but not queries (or at least not extremely specific ones). If your query is too narrow for a hold and it may not preserve content that it should. That content could be modified or deleted while you better-configure your query. The best approach is to preserve more content with your hold, then narrow the content analyzed through your searches.

 

4. Performing Content Searches and Exporting Results

Searching

Once holds have been created, eDiscovery Managers can then configure their search(es) that are relevant for the legal matter.

The query editing screen allows users to configure search elements (keywords, conditions, and locations) and execute a search. Search will apply query keywords to all content properties (file title, body, etc.) Users may also preview & export search results.

See below the Keyword and Condition areas:

 

The Search will also allow the Manager to preview the results returned, as seen below:

 

Once you are satisfied with the Search results, Managers can (from he quick managemnt fly-out > "more" drop-down) export the results for analysis, export a high-level statistics report, or prepare results for Advanced eDiscovery (we'll go into this more in another blog poste).

* Users with eDiscovery Permissions (Managers, Security & Compliance Admins, etc.) can also perform queries through the Content Search tool (Security & Compliance > Search & Investigation > Content Search). This enables you to freely search and configure queries without having to manage full eDiscovery cases. This is a good way to practice KQL syntax and refine search queries.

Exporting Search Results

Once you are ready to export the results of an eDiscovery Search, you will have several options regarding the format and structure of the output. Case Managers will have options around the following:

• Handling of result items that have unrecognized format, are encrypted, or were not indexed for other reasons
  • Include items with unrecognized formats, are encrypted, or un-indexed items
  • Exclude items with unrecognized formats, are encrypted, or un-indexed items
  • Only export items with unrecognized formats, are encrypted, or un-indexed items
• Handling of Exchange (Email) output
  • One PST per mailbox
  • One PST file for all messages
  • One PST file containing all messages in a single folder
  • Separate all messages individually
• De-duplication of Exchange content (finds similar/duplicate emails and combines email threads into one item)
• Including SharePoint file versions
  • If versioning is already enabled in SharePoint: all versions of an on-hold item will be copied into the Preservation Hold Library
  • If versioning is NOT enabled in SharePoint: all versions of the on-hold item AFTER the hold is applied will be copied into the Preservation Hold Library

 

5. Closing / Re-Opening Cases

I know what you're thinking, this was promised to be done in 4 steps, but I'm including step number 5 to close out the process for basic eDiscovery. All cases will eventually be closed, potentially re-opened, and ultimately deleted at some point. It's important to consider the effects of the holds, search results and cases themselves under each action. Below are the ramifications of each outcome of the case:

• Closed: all holds are turned off and held content is released. Files that had previously been deleted while on hold are then released, which can result in a loss of that content. All configurations for the case are maintained and can be re-opened at any time.
• Re-opened: existing holds and searches will be re-enabled, however, items changed while the case was closed are not retained.
• Delete: a deleted case will lose all configuration settings permanently. All holds, searches and result exports will be deleted.

I hope you found this blog insightful and provided you with some tools to start working with eDiscovery in Office 365.