Posted on: September 01, 2016in Blog
Uncovering Enterprise Vault Stub Files and Their Missing Attachments
Most people are generally unaware of Enterprise Vault Shortcuts (aka “stub files”) until they find their way into document collections, reviews or ultimately productions. If you encounter stub files before or during a document review it is important to have a basic understanding of what they are and how to identify any that may be lurking in your ESI collection.
What is a stub file in Enterprise Vault?
For the purpose of this article, stub files are shortcut files created by Symantec Enterprise Vault (“EV”). EV is used by organizations to archive and store ESI - specifically email messages and attachments. Using a defined rule set, EV moves messages and/or attachments from the user’s mailbox into the EV archive location. What’s left behind in the user’s mail-store is a stripped down message without attachments or graphics, which is a message that is a stub of its former self.
To the IT professional this may seem wonderful, as it reduces the size of the mailbox. However, to a lawyer or an eDiscovery professional that needs to review the full message with its attachment(s), it may not be ideal.
eDiscovery Best Practices: Identify Collected Stub Files
Talk to your client’s IT department and inquire if they use EV or another archiving solution. This may seem obvious, but it’s a question or point of inquiry that is often overlooked.
Some large organizations have many locations in which email can reside; such as Office 365, email servers or locally on the custodian’s workstations. Be sure to identify all of these locations from your client so you can direct the collection of ESI.
During review you come across an email that states “see attachment for x” and there is no attachment. This may be an indication that the message was stubbed.
Another indication could be an image file that displays a “@” symbol in the attachment line, but the file is presented as a single file without attachments. The commercial @ symbol is one way to identify it’s an EV stub.
Metadata searches may be the quickest way to identify a larger set of stub files. Searching for all files containing “EnterpriseVault” in the Message Class field may yield the stubbed files. Building on these results, the user can create a series of searches to assist with identifying stubs with full email matches and stubs without matches. Some examples of the full verbiage of message class for stub files are:
There are dozens of stub message classes but the three examples listed above seem to be the most common.
Locate Missing Attachments from Email Archives
How does one get the full message with the attachment? One solution may be to collect directly from the EV archive. Depending on the organization’s document retention policy, the full message and its attachments may be hiding in plain sight. Additionally, the user may have a separate mail-store archive on a network share, removable drive or stored locally that has the complete message.
Once again, talk to your IT department and find out how EV operates within the organization. This is the best way to ensure all files, if available, have been collected.
Considerations for Stub Files During Document Review
It is possible that inconsistent coding may result in a stub being marked responsive and the complete message the opposite or vice versa. Don’t assume that if a stub is relevant or not privileged that its full counterpart is as well. An attachment may contain privileged material or the un-truncated message may contain work product.
Again, the best options to remediate are recollection or a full search of the collected data and hopefully the full emails are captured in one of the many archives in the custodian’s mailbox. There is a chance that it can be found as a loose file somewhere on the custodian’s home drive or local drive.
Document any steps or discussions around the process used to address stubbed messages. It may be something that is shared with the court or opposing parties if stubs ever become an issue.
The best time to address stubs (or the potential of them) is during collection and prior to the start of review. Be sure to talk about it within your team and you may even consider raising the topic with the opposition to get in front of any questions. At the end of the day, always remember: the legal standard is reasonableness, not perfection.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted July 13, 2017
How to Use Office 365 and X1 Discovery to Achieve Your Team's eDiscovery Goals [Webinar]
Posted July 12, 2017
Microsoft Office 365 is Disrupting the eDiscovery Industry in a Major and Permanent Fashion
Posted July 06, 2017
China's Cybersecurity Strategy: 5 Updates You Need to Know
Posted July 05, 2017
3 Workflows to Enhance Your Document Review Process
Posted June 28, 2017
Should you be using TAR? Judge Peck recommends you do
Posted June 21, 2017
Control Litigation Costs by Making the Most of Your Internal Capabilities
Posted June 15, 2017
Shanghai OSAC Quarterly Meeting
Posted June 15, 2017
5 Ways to Reduce eDiscovery Costs Before and During Litigation
Posted June 07, 2017
Defensible Deletion Strategy: Getting Rid of Your Unnecessary Data
Posted May 31, 2017
How Does the EU-US Privacy Shield Affect Cross-Border Discovery?