Are Mailboxes Enough?

Many eDiscovery projects are based only on the collection of individual custodian e-mailboxes. This raises some important preservation and process questions. Does ESI collection focused on user mailboxes preserve everything that is required? Will searching only those mailboxes find everything that the courts may eventually request?

If a user is acting covertly they might not leave critical evidence in their mailbox. They might be smart enough to remove it or even hide it. In that case collection that is narrow in focus will not be enough to ensure all appropriate ESI is preserved. There is an alternate approach to preserving and searching email that exists outside the limited scope of a user’s mailbox.

The most obvious location of objects that are no longer in the user’s mailbox is deleted email. When a user deletes an email it temporarily resides in the user’s deleted items folder. This folder is typically set to purge after a short period of time. After this period the email then moves to the Exchange dumpster. The dumpster is an independent component from the user’s mailbox. The email will live in the dumpster for a set number of days and is then purged. Therefore any email that a user deletes could be accessible in their deleted items folder for a short period of time. Then it would move outside their mailbox, and outside their control, to the dumpster and thus not included in the custodian’s mailbox. Therefore, ESI collection that is focused only on user mailboxes would not see any content residing in the dumpster.

Another alternate source of valuable email information is the Exchange Server transaction logs. These can be quite convoluted because they often have internal references to the specific EDB for which transactions are logged. By carefully parsing a full EDB and the subsequent log files it is possible to recreate all the emails that came in or out of the Exchange Server. Simple collection and preservation of Mailboxes via a tool that parses just the EDB will always miss this important secondary source of emails. Most importantly, the user has no ability to influence the content of the Exchange server logs. Thus, in an environment where the user is somehow bypassing the dumpster, the logs will still contain many of the emails.

Other valuable content that would not be captured in user mailboxes are email communications with other users. For example, user A, who is under investigation, initiates an email string that is relevant to the case at hand. The email was sent to user B, who is not under investigation. User A then deletes the email, and purges it from their deleted folder, and also over time it will be deleted from the dumpster. So from the perspective of user A’s mailbox, the email no longer exists. However, the email could still reside in user B’s mailbox if they did not delete it. When user A’s mailbox is collected the “smoking gun” email will be left behind even though it exists in the mail server. This scenario is common in the world of Exchange and it exposes an additional major flaw in the use of custodian mailboxes for collection, preservation, and searching purposes.

Index Engines technology allows access to a fully indexed Exchange image for deeper discovery and a more cost effective approach. Not only are full user mailboxes searchable, but also complete conversations that may reside in other user’s mailboxes and not with the custodian in question can be uncovered. Additionally the entire dumpster can be accessed and searched, making email available that was thought to be long gone. What’s more is that Index Engines technology gives access to this full set of Exchange data at a rate up to ten times faster than traditional email discovery approaches.