Posted on: September 01, 2016in Blog
Uncovering Enterprise Vault Stub Files and Their Missing Attachments
Most people are generally unaware of Enterprise Vault Shortcuts (aka “stub files”) until they find their way into document collections, reviews or ultimately productions. If you encounter stub files before or during a document review it is important to have a basic understanding of what they are and how to identify any that may be lurking in your ESI collection.
What is a stub file in Enterprise Vault?
For the purpose of this article, stub files are shortcut files created by Symantec Enterprise Vault (“EV”). EV is used by organizations to archive and store ESI - specifically email messages and attachments. Using a defined rule set, EV moves messages and/or attachments from the user’s mailbox into the EV archive location. What’s left behind in the user’s mail-store is a stripped down message without attachments or graphics, which is a message that is a stub of its former self.
To the IT professional this may seem wonderful, as it reduces the size of the mailbox. However, to a lawyer or an eDiscovery professional that needs to review the full message with its attachment(s), it may not be ideal.
eDiscovery Best Practices: Identify Collected Stub Files
Talk to your client’s IT department and inquire if they use EV or another archiving solution. This may seem obvious, but it’s a question or point of inquiry that is often overlooked.
Some large organizations have many locations in which email can reside; such as Office 365, email servers or locally on the custodian’s workstations. Be sure to identify all of these locations from your client so you can direct the collection of ESI.
During review you come across an email that states “see attachment for x” and there is no attachment. This may be an indication that the message was stubbed.
Another indication could be an image file that displays a “@” symbol in the attachment line, but the file is presented as a single file without attachments. The commercial @ symbol is one way to identify it’s an EV stub.
Metadata searches may be the quickest way to identify a larger set of stub files. Searching for all files containing “EnterpriseVault” in the Message Class field may yield the stubbed files. Building on these results, the user can create a series of searches to assist with identifying stubs with full email matches and stubs without matches. Some examples of the full verbiage of message class for stub files are:
There are dozens of stub message classes but the three examples listed above seem to be the most common.
Locate Missing Attachments from Email Archives
How does one get the full message with the attachment? One solution may be to collect directly from the EV archive. Depending on the organization’s document retention policy, the full message and its attachments may be hiding in plain sight. Additionally, the user may have a separate mail-store archive on a network share, removable drive or stored locally that has the complete message.
Once again, talk to your IT department and find out how EV operates within the organization. This is the best way to ensure all files, if available, have been collected.
Considerations for Stub Files During Document Review
It is possible that inconsistent coding may result in a stub being marked responsive and the complete message the opposite or vice versa. Don’t assume that if a stub is relevant or not privileged that its full counterpart is as well. An attachment may contain privileged material or the un-truncated message may contain work product.
Again, the best options to remediate are recollection or a full search of the collected data and hopefully the full emails are captured in one of the many archives in the custodian’s mailbox. There is a chance that it can be found as a loose file somewhere on the custodian’s home drive or local drive.
Document any steps or discussions around the process used to address stubbed messages. It may be something that is shared with the court or opposing parties if stubs ever become an issue.
The best time to address stubs (or the potential of them) is during collection and prior to the start of review. Be sure to talk about it within your team and you may even consider raising the topic with the opposition to get in front of any questions. At the end of the day, always remember: the legal standard is reasonableness, not perfection.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted May 17, 2017
How to Comply with 21 CFR and HIPAA Data Retention Requirements
Posted May 11, 2017
4 Key Advantages of Conducting Remote Depositions
Posted May 03, 2017
eDiscovery in International Dispute Resolution: What Experts Want You to Know
Posted April 27, 2017
China Expands Data Transfer Requirements for its Cybersecurity Law
Posted April 26, 2017
How to Use Office 365 Advanced eDiscovery to Prioritize Your Review
Posted April 21, 2017
American Bar Association Section of International Law | 2017 Spring Meeting in Washington DC
Posted April 19, 2017
Office 365 Enterprise E5: 6 Features That Could Benefit Your Business
Posted April 12, 2017
Data Reuse in eDiscovery: 4 Questions to Help Start Your Policy
Posted April 05, 2017
ESI Data Mapping Basics for eDiscovery
Posted March 30, 2017
China’s Cybersecurity Law: Objectives, Compliance and Business Recommendations