Posted on: September 01, 2016in Blog
Uncovering Enterprise Vault Stub Files and Their Missing Attachments
Most people are generally unaware of Enterprise Vault Shortcuts (aka “stub files”) until they find their way into document collections, reviews or ultimately productions. If you encounter stub files before or during a document review it is important to have a basic understanding of what they are and how to identify any that may be lurking in your ESI collection.
What is a stub file in Enterprise Vault?
For the purpose of this article, stub files are shortcut files created by Symantec Enterprise Vault (“EV”). EV is used by organizations to archive and store ESI - specifically email messages and attachments. Using a defined rule set, EV moves messages and/or attachments from the user’s mailbox into the EV archive location. What’s left behind in the user’s mail-store is a stripped down message without attachments or graphics, which is a message that is a stub of its former self.
To the IT professional this may seem wonderful, as it reduces the size of the mailbox. However, to a lawyer or an eDiscovery professional that needs to review the full message with its attachment(s), it may not be ideal.
eDiscovery Best Practices: Identify Collected Stub Files
Talk to your client’s IT department and inquire if they use EV or another archiving solution. This may seem obvious, but it’s a question or point of inquiry that is often overlooked.
Some large organizations have many locations in which email can reside; such as Office 365, email servers or locally on the custodian’s workstations. Be sure to identify all of these locations from your client so you can direct the collection of ESI.
During review you come across an email that states “see attachment for x” and there is no attachment. This may be an indication that the message was stubbed.
Another indication could be an image file that displays a “@” symbol in the attachment line, but the file is presented as a single file without attachments. The commercial @ symbol is one way to identify it’s an EV stub.
Metadata searches may be the quickest way to identify a larger set of stub files. Searching for all files containing “EnterpriseVault” in the Message Class field may yield the stubbed files. Building on these results, the user can create a series of searches to assist with identifying stubs with full email matches and stubs without matches. Some examples of the full verbiage of message class for stub files are:
There are dozens of stub message classes but the three examples listed above seem to be the most common.
Locate Missing Attachments from Email Archives
How does one get the full message with the attachment? One solution may be to collect directly from the EV archive. Depending on the organization’s document retention policy, the full message and its attachments may be hiding in plain sight. Additionally, the user may have a separate mail-store archive on a network share, removable drive or stored locally that has the complete message.
Once again, talk to your IT department and find out how EV operates within the organization. This is the best way to ensure all files, if available, have been collected.
Considerations for Stub Files During Document Review
It is possible that inconsistent coding may result in a stub being marked responsive and the complete message the opposite or vice versa. Don’t assume that if a stub is relevant or not privileged that its full counterpart is as well. An attachment may contain privileged material or the un-truncated message may contain work product.
Again, the best options to remediate are recollection or a full search of the collected data and hopefully the full emails are captured in one of the many archives in the custodian’s mailbox. There is a chance that it can be found as a loose file somewhere on the custodian’s home drive or local drive.
Document any steps or discussions around the process used to address stubbed messages. It may be something that is shared with the court or opposing parties if stubs ever become an issue.
The best time to address stubs (or the potential of them) is during collection and prior to the start of review. Be sure to talk about it within your team and you may even consider raising the topic with the opposition to get in front of any questions. At the end of the day, always remember: the legal standard is reasonableness, not perfection.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted February 23, 2017
Women in eDiscovery Atlanta | New Data Technology Trends
Posted February 23, 2017
Corporate Internal Investigations Best Practices
Posted February 13, 2017
4 Key Internal Roles Involved with Conducting Corporate Investigations
Posted February 09, 2017
Corporate Internal Investigations: A Legal & IT Love Story [Webinar]
Posted February 09, 2017
Intellectual Property Theft: How to Ensure a Defensible Investigation
Posted February 02, 2017
Could the Amazon Echo be a New Source of ESI?
Posted January 26, 2017
Information Governance Policies: The Fundamental Building Block to eDiscovery
Posted January 25, 2017
4 Urban Legends about Analytics and e-Discovery
Posted January 19, 2017
Legal Hold Triggers: When Should You Document Your Reasonable Anticipation of Litigation?
Posted January 12, 2017
5 New Year's Resolutions from an Experienced eDiscovery Team