Internals of eDiscovery for Office 365, Exchange, and Sharepoint
-
Upload
quentin-christensen -
Category
Software
-
view
31 -
download
0
Transcript of Internals of eDiscovery for Office 365, Exchange, and Sharepoint
![Page 1: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/1.jpg)
Internals of eDiscovery for Office 365, Exchange, and SharePointQuentin ChristensenProgram ManagerMicrosoft Corporation
![Page 2: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/2.jpg)
AgendaeDiscovery OverviewQuick InvestigationExchange Admin CentereDiscovery CenterIn-Place HoldQueryAuditingExport
![Page 3: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/3.jpg)
Identify and
Preserve
Search and
ProcessReview Produce
eDiscovery Overview
Volume Relevance
![Page 4: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/4.jpg)
eDiscovery Challenges
Preservation
Search and reduction
Export
![Page 5: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/5.jpg)
Quick Investigation
Demo
AgendaeDiscovery OverviewQuick InvestigationExchange Admin CentereDiscovery CenterIn-Place HoldQueryAuditingExport
![Page 6: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/6.jpg)
Quick Investigation
Early case assessment
Fast, real time search
Answers in minutes, not weeks
![Page 7: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/7.jpg)
eDiscovery simplified
Save time and money
Reduce risk
Key Takeaways
Advantages: in-place, real time, more content
Capabilities: In-Place Hold, Query, and Export
![Page 8: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/8.jpg)
Exchange Admin Center
Demo
AgendaeDiscovery OverviewQuick InvestigationExchange Admin CentereDiscovery CenterIn-Place HoldQueryAuditingExport
![Page 9: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/9.jpg)
eDiscovery as easy as 1, 2, 3.
In-Place Hold: protect content in-place in real time
Query: find up to date and relevant content quickly
Export: transfer content for review and production
1
2
3
Across: SharePoint, Exchange, Lync, and file shares on-premises and Office 365
![Page 10: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/10.jpg)
In-place hold: content stays in Exchange and SharePoint, less storage space, lower costs, higher fidelity
Location and query based: hold entire mailboxes, SharePoint sites, or apply a query to hold less content
No impact to users: seamlessly create, edit, and delete without knowing its on hold
1. In-Place Hold
![Page 11: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/11.jpg)
In-Place Hold
Demo
AgendaeDiscovery OverviewQuick Investigation Exchange Admin CentereDiscovery CenterIn-Place HoldQueryAuditingExport
![Page 12: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/12.jpg)
eDiscovery Sets: group mailboxes, SharePoint sites, and file shares
Filters: scope down that amount of content to hold and search
Easy: place and release holds on multiple sources with one click and without weeks of manually collecting content
1. In-Place Hold
![Page 13: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/13.jpg)
13
SharePoint Preserving Items
Item Updated
Item Deleted Site on in-place hold?
Allow Item Edit/Delete to CompleteNo
Yes
Place current version in
preservation hold library.
Last modified date older than preservation date?
Site on in-place hold?
Yes
Yes
![Page 14: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/14.jpg)
14
SharePoint In-Place Hold• Preservation occurs synchronously• Items are placed in a secured library in the same
SharePoint site• Lists items, social feeds, documents, and pages are
covered• Supports multiple holds, preserved content is cleaned
up after the last hold is released• Site collection and farm admins cannot delete the hold
data or site • Versions cannot be deleted when the site is on hold• Version history is preserved when an item is deleted
![Page 15: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/15.jpg)
15
SharePoint Query Based HoldQuery Based
Preservation Feature enabled?
Site on in-place hold?
End
No
Yes No Keep Item
Does item match union of hold search queries?
Does item have search indexing errors?
No
Yes
NoDelete Item
![Page 16: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/16.jpg)
16
Exchange In-Place Hold All edits and deletes are retained Content is always held 30 days after deletion date
Supports multiple holds, preserved content is cleaned up after the last hold is released
![Page 17: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/17.jpg)
User A Mailbox
Recoverable Items
Deletions
Inbox
Purges
Versions
Audits
Deleted Items
…
DiscoveryHold
Calendar Logging
(6a) Messages purged by DIRW Policy (or maintained for Litigation Hold)
(5) Message Edited
(3) Message deleted
(4a) Message “purged” by user (Litigation Hold / Single Item Recovery)
Lifecycle of mailbox items
(4b) Message “purged” by user (In-Place Hold)
(6c) MFA evaluates item against hold queries set on mailbox
(6b) Mailboxes with SIR and In-Place Hold enabled have expired messages moved
(1) Message delivered
(2) Message moved to Deleted Items
![Page 18: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/18.jpg)
18
Exchange Query Based Hold
Mailbox on in-place hold?
End
No
YesKeep Item
Does item match union of hold search queries?
Does item have search indexing errors?
No
Yes
NoDelete Item
![Page 19: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/19.jpg)
Lync archives content into Exchange mailboxes when user is on In-Place Hold
Includes instant messaging and meeting content
In-Place Hold, eDiscovery, MRM of Lync data consolidated to Exchange tools
Lync 2010 Exchange 2010
Compliance
Archive
Compliance
New Lync New Exchange
Preserve: Lync ArchivingSingle In-Place data store for Exchange & Lync compliance
![Page 20: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/20.jpg)
Lync Archiving: How does it work?
User A Mailbox
Recoverable Items
Deletions
Deleted Items
Inbox
Versions
Purges
DiscoveryHolds
Server side archiving
All Lync modalities captured (PC, mobile, web, OWA)
User A on hold
Hold state synced
![Page 21: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/21.jpg)
Real time: no need to wait for indexing, always live and up to date
Reduce: proximity search, rich query syntax
Make decisions: query and source statistics help you analyze
2. Query
![Page 22: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/22.jpg)
Query
Demo
AgendaeDiscovery OverviewQuick Investigation Exchange Admin CentereDiscovery Center In-Place HoldQueryAuditingExport
![Page 23: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/23.jpg)
Refiners and filters: multi select refiners, author, domain, and more…
Preview: hover cards with descriptions, open in OWA
Content: Lync IMs and meetings, Exchange mail, calendar, tasks, SharePoint documents, pages, communities, and social feeds
2. Query
![Page 24: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/24.jpg)
Exchange
eDiscovery Architecture
24
Sharepoint Farm 1 Hub
eDiscovery CenterSS
A
ProxySearch Service
Application
Services Farm
Search service
CasesSourcesQuerieseDiscovery SetsExports
Query
Actions Interface
Exchange Web
Services
HoldReleaseHoldGetStatusMailboxCopy
SharePoint Farm 2
Timer job
SSA Proxy
Fed Query
![Page 25: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/25.jpg)
25
OperatorsUSE TO EXAMPLEAND Find content that contains all of the
words or phrases it separates.risk and value and VAR finds content that contains all three words.
OR Find content that contains either of the words or phrases it separates.
risk OR VAR finds all the content that contains either word.
NOT Exclude content that contains the term within a phrase.
Executive NOT Summary finds all the content that contains the phrase Executive, unless the content also contains the term Summary.
( ) Group words or phrases to show the order in which they are applied.
(Risk AND management) OR (VAR or Value-at-risk)
NEAR(n) Finds words that are near each other, where n equals the number of words apart. If no number is specified, the default distance is 8 words.
Mid Near(5) Office finds Mid and Back Office and Mid-Office and Mid, Back, and Front Office.
“ “ Search for specific phrases. “risk management” finds the exact phrase
* at the end of word
Find terms that contain the root word and any additional letters.
risk* finds risk, risks, risked, risking, and risky
![Page 26: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/26.jpg)
26
Keywords and PropertiesKEYWORDS EXAMPLE RESULTS“Executive Briefing” Any content that contains the words “Executive
Briefing” together, anywhere in the document, page, or message.
“Executive Briefing” AND “Executive Summary”
Any content that contains the words “Executive Briefing” together, anywhere in the document, page, or message, or any content that contains the words “Executive Summary” together.
filename:budget Any file with budget in its filename, such as 2014 budget projections.docx, 2015 budget priorities.pptx, 2014 budget planning.xlsx, 2014 budget review.xlsx, and so on
filename:2014 budget filetype:xlsx Excel worksheets that contain the phrase 2014 budget, such as “2014 budget planning.xlsx” and “2014 budget review.xlsx”
![Page 27: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/27.jpg)
27
Important Notes Proximity is NEAR(n) Property restrictions (filename:example.docx) in the free text keyword field will exclude all content that does not have that property so use carefully
Keyword line breaks are still an AND, not an OR
Operators must be capitalized (AND, OR, NOT)
![Page 28: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/28.jpg)
Auditing
Demo
AgendaeDiscovery OverviewQuick Investigation Exchange Admin CentereDiscovery Center In-Place Hold QueryAuditingExport
![Page 29: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/29.jpg)
Easy: download from SharePoint, Exchange, and file shares whether on premises or in Office 365 all at once
Extensible: convert into popular load files
Export Multiple Queries: Easily export one or many queries.
3. Export
![Page 30: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/30.jpg)
Export
Demo
AgendaeDiscovery OverviewQuick Investigation Exchange Admin CentereDiscovery Center In-Place Hold QueryAuditingExport
![Page 31: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/31.jpg)
Exchange De-Duplication: across Exchange mailboxes
EDRM XML Support: growing industry standard for data interchange, import into popular review tools
Take it offline: Native files, PSTs, pages as .MHT, lists and feeds as .CSV
3. Export
![Page 32: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/32.jpg)
32
Export Architecture
Export Client
Export Data
Query
Download
Exchange
32
Sharepoint Farm 1 Hub
eDiscovery CenterSS
A
ProxySearch Service
Application
Services Farm
Search service
CasesSourcesQuerieseDiscovery SetsExports
Query
Actions Interface
Exchange Web
Services
Discovery Web Service
HoldReleaseHoldGetStatusMailboxCopy
SharePoint Farm 2
Timer job
SSA
Fed
Fed
Query
![Page 33: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/33.jpg)
33
eDiscovery Export Full results report Download errors report Indexing errors report EDRM XML Manifest
![Page 34: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/34.jpg)
34
EDRM XML 1.1 Support
![Page 35: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/35.jpg)
eDiscovery as easy as 1, 2, 3.
In-Place Hold: protect content in-place in real time
Query: find up to date and relevant content quickly
Export: transfer content for review and production
1
2
3
Across: SharePoint, Exchange, Lync, and file shares on-premises and Office 365
![Page 36: Internals of eDiscovery for Office 365, Exchange, and Sharepoint](https://reader036.fdocuments.net/reader036/viewer/2022062320/55cac4debb61eb82118b469b/html5/thumbnails/36.jpg)
In-Place Real Time More Content
Office eDiscovery Advantages