MSExchangeGuru.com

Exchange 2010 Email Recovery from Discovery management and Litigation Hold

This document is a guide to running an e-mail discovery search against mailboxes that are on Litigation Hold. Multi-Mailbox Search is a very handy Exchange 2010 feature and a real plus for the security team: an accurate search result shortens the investigation and saves the investigator a lot of time.

Steps:

Step 1 – Assign the Rights to Create a Search Query
This is a one-time step that gives someone the right to create a search query.  By default, NO ONE in the organization, including the Exchange Administrator, is a member of the Discovery Management role group and therefore nobody can create search queries.  However, even though the Exchange Administrator cannot create a search query, a member of the Organization Management role group can go into the Exchange Control Panel and give themselves (and anyone else) the right to create one.

To assign the rights to create a search query, do the following:

1.  Log on to Outlook Web App with a user that has administrator rights (just as you would log in to check your email)

2.  On the upper right corner, select “Options” and “See All Options”


3.  In the upper left corner, in the “Manage” drop-down, select “My Organization”


4.  In the Roles & Auditing / Administrator Roles section, select the “Discovery Management” role and click on “Details”


5.  In the Discovery Management details, under “Members”, add the person (or people) in your organization who should be able to create search queries and to put mailboxes on Litigation Hold (the role group carries both rights), then click Save


This individual (or these individuals) can now go to Step 2 to create and start a search query (and put someone’s mailbox on Litigation Hold)

Step 2 – Create and Initiate a Search Query
The next step is for the individual who has the right to create a query (the person added in Step 1) to actually create one.  The process is as follows:

1.  Log on to Outlook Web App with a user who was given Discovery Management rights in Step 1 (just as the user would log in to check their email)

2.  On the upper right corner, select “Options” and “See All Options”


3.  In the upper left corner, in the “Manage” drop-down, select “My Organization”


4.  In the Mail Control / Discovery section, under the Multi-Mailbox Search section, click on “New” to create a new search query


5.  For the Search Query, enter in the keywords you want to search for:


6.  In the Keywords section, click “Select message types…” and, as a rule, choose “Search all message types, including ones that may not be listed below” so that EVERYTHING is returned in the search results: email messages, posts, calendar appointments, notes, tasks, IM conversations and so on.  By default only “E-mail” is selected, so notes, tasks, IM conversations etc. are skipped, which is usually not the result an investigation needs.


7. In the “Message from” and “to/cc/bcc” fields, type email addresses if you are searching for mail exchanged with specific addresses; otherwise leave them blank.

For the Date Range, either select the required range of dates or choose “Don’t limit the search by time range”.  If no date range is given, the mailbox is searched from its creation up to today.


8. In the “Mailboxes to Search” section, Add the mailbox/es that you wish to be searched and click OK


9.  In the “Search Name, Type, and Storage Location” section, enter a name for the search (something that will help you remember what the search is about, such as the ticket number, the user ID or the date) and select “Copy the search results to the destination mailbox”.

Check “Enable deduplication” when you are searching a single mailbox and uncheck it when you are searching several; check “Enable logging”; then select the mailbox in which to store the search results, either the built-in “Discovery Search Mailbox” or another mailbox that was created as a discovery mailbox from PowerShell.


Note: enabling deduplication saves space, but a message that exists in several mailboxes is then copied only once, so if you are searching 7 different mailboxes you cannot tell afterwards which of them held the message, which is not good for true discovery.  If you are concerned about disk space, select “Estimate the search results” and run the estimate first: it reports only a count and a size and does not actually copy any information.  When you are ready to run the real search, click Save.

10.  The search (or estimate) begins as soon as you click Save and, depending on how much data is being searched, can take anywhere from a few seconds to an hour or more.

On the Discovery page you will see the search listed.  Remember that this is a web page, so it will not refresh itself with the percentage completed; click the Refresh icon periodically to see the progress and whether the search has “Completed”.


11.  At any point you can highlight the search, click “Details” and change the keywords of the query.  Click “Start Search” to run the modified search, and again click Refresh periodically to check the status.

Once the search has succeeded, the results sit in the discovery mailbox.  Grant Full Access on that mailbox to the investigator from the security team so they can open it in Outlook or Outlook Web App (Send As is not what is needed here), or export the results to a PST file from PowerShell with New-MailboxExportRequest, which requires the Mailbox Import Export role to be assigned first.
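As an added example, not code from the original article: Steps 1 and 2 carried out in the Exchange Management Shell on Exchange 2010 SP1 instead of the Exchange Control Panel, through to handing the results to the investigator. The account names, the search name, the keywords, the date range, the UNC path and the assumption that results are filed under a folder named after the search are placeholders to adjust for your environment.

```powershell
# Added example, not part of the original MSExchangeGuru article: Steps 1 and 2 done from the
# Exchange Management Shell (Exchange 2010 SP1) instead of the Exchange Control Panel.
# Placeholders to change: $analyst, $custodian, $searchName, the keywords, the dates, the UNC path.

$analyst    = 'sec.analyst'                 # security team member who will run the search
$custodian  = 'jdoe'                        # mailbox under investigation
$searchName = 'INC-0042 jdoe contracts'     # tie the search to the ticket, as the article suggests

# ---- Step 1: rights. Nobody is in Discovery Management by default; run this as a member of
# ---- Organization Management. The role group also carries the Legal Hold role.
Add-RoleGroupMember -Identity 'Discovery Management' -Member $analyst
Get-RoleGroupMember -Identity 'Discovery Management' | Format-Table Name, RecipientType -AutoSize

# Preserve before you search: Litigation Hold keeps items the user deletes or edits, so the
# search also sees what the user tried to get rid of.
Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true
Get-Mailbox -Identity $custodian | Format-List LitigationHoldEnabled, LitigationHoldDate, LitigationHoldOwner

# ---- Step 2: the search. Find the built-in discovery mailbox ("Discovery Search Mailbox").
# A second discovery mailbox can be created with:
#   New-Mailbox -Name 'Discovery Legal' -UserPrincipalName legal-discovery@contoso.com -Discovery
$discoveryMbx = Get-Mailbox -Filter { RecipientTypeDetails -eq 'DiscoveryMailbox' } | Select-Object -First 1

# Options shared by the estimate and the real search. MessageTypes is listed in full so nothing
# is skipped, which matches "Search all message types" in the ECP (the ECP default is E-mail only).
$searchParams = @{
    SourceMailboxes = $custodian
    SearchQuery     = 'contract OR NDA'         # KQL: keywords, AND/OR/NOT, "quoted phrases"
    StartDate       = '01/01/2012'
    EndDate         = '12/31/2012'
    MessageTypes    = 'Email','Meetings','Tasks','Notes','Docs','Journals','Contacts','IM'
    SearchDumpster  = $true                     # include Recoverable Items (deleted items kept by the hold)
}

# Estimate first: count and size only, nothing is copied (the ECP "Estimate the search results").
New-MailboxSearch -Name "$searchName (estimate)" @searchParams -EstimateOnly
Get-MailboxSearch -Identity "$searchName (estimate)" | Format-List Status, ResultNumber, ResultSize

# Real search: copy into the discovery mailbox. Duplicates are kept ($false) because with several
# custodians you want to know which mailbox held each message; full logging records the query run.
New-MailboxSearch -Name $searchName @searchParams `
    -TargetMailbox $discoveryMbx.Identity `
    -ExcludeDuplicateMessages $false `
    -LogLevel Full `
    -StatusMailRecipients $analyst

# The ECP page does not auto-refresh; from the shell, poll until the search reaches a final state.
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $searchName
} while (@('Succeeded', 'PartiallySucceeded', 'Failed', 'Stopped') -notcontains $search.Status)
$search | Format-List Status, ResultNumber, ResultSize, TargetMailbox

# Changing the keywords and re-running (the article's last ECP step):
#   Set-MailboxSearch -Identity $searchName -SearchQuery 'contract OR NDA OR "side letter"'
#   Start-MailboxSearch -Identity $searchName

# Hand-off. Full Access (not Send As) is what lets the analyst open the discovery mailbox in Outlook/OWA.
Add-MailboxPermission -Identity $discoveryMbx.Identity -User $analyst -AccessRights FullAccess -InheritanceType All

# Export to PST (Exchange 2010 SP1 or later). Mailbox Import Export is assigned to nobody by default,
# and the Exchange Trusted Subsystem group needs write access to the share. Results are assumed to be
# filed under a folder named after the search (check in Outlook first), so IncludeFolders limits
# the export to that search instead of the whole discovery mailbox.
New-ManagementRoleAssignment -Role 'Mailbox Import Export' -User $analyst
$pst = "\\FS01\Evidence\$($custodian)-$(Get-Date -Format yyyyMMdd).pst"
New-MailboxExportRequest -Mailbox $discoveryMbx.Identity -IncludeFolders "$searchName/*" -FilePath $pst
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics | Format-Table Name, Status, PercentComplete -AutoSize
```

Run the estimate and the real search as two separately named searches, as above, so the estimate's result count can be compared with the number of items actually copied; a large gap between the two usually means the deduplication or message-type settings differ from what the investigator expected.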

Prabhat Nigam (Wizkid)
Team@ MSExchangeGuru

KeyWords: Exchange 2010 Mailbox recovery, Exchange 2010 Discovery mailbox, Exchange 2010 Discovery, Exchange 2010 Litigation hold, Exchange 2010 Litigation enabled, Exchange 2010 Search for email, Exchange 2010 Compliance and security, Exchange 2010
