Posted on: September 01, 2016in Blog
Uncovering Enterprise Vault Stub Files and Their Missing Attachments
Most people are generally unaware of Enterprise Vault Shortcuts (aka “stub files”) until they find their way into document collections, reviews or ultimately productions. If you encounter stub files before or during a document review it is important to have a basic understanding of what they are and how to identify any that may be lurking in your ESI collection.
What is a stub file in Enterprise Vault?
For the purpose of this article, stub files are shortcut files created by Symantec Enterprise Vault (“EV”). EV is used by organizations to archive and store ESI - specifically email messages and attachments. Using a defined rule set, EV moves messages and/or attachments from the user’s mailbox into the EV archive location. What’s left behind in the user’s mail-store is a stripped down message without attachments or graphics, which is a message that is a stub of its former self.
To the IT professional this may seem wonderful, as it reduces the size of the mailbox. However, to a lawyer or an eDiscovery professional that needs to review the full message with its attachment(s), it may not be ideal.
eDiscovery Best Practices: Identify Collected Stub Files
Talk to your client’s IT department and inquire if they use EV or another archiving solution. This may seem obvious, but it’s a question or point of inquiry that is often overlooked.
Some large organizations have many locations in which email can reside; such as Office 365, email servers or locally on the custodian’s workstations. Be sure to identify all of these locations from your client so you can direct the collection of ESI.
During review you come across an email that states “see attachment for x” and there is no attachment. This may be an indication that the message was stubbed.
Another indication could be an image file that displays a “@” symbol in the attachment line, but the file is presented as a single file without attachments. The commercial @ symbol is one way to identify it’s an EV stub.
Metadata searches may be the quickest way to identify a larger set of stub files. Searching for all files containing “EnterpriseVault” in the Message Class field may yield the stubbed files. Building on these results, the user can create a series of searches to assist with identifying stubs with full email matches and stubs without matches. Some examples of the full verbiage of message class for stub files are:
There are dozens of stub message classes but the three examples listed above seem to be the most common.
Locate Missing Attachments from Email Archives
How does one get the full message with the attachment? One solution may be to collect directly from the EV archive. Depending on the organization’s document retention policy, the full message and its attachments may be hiding in plain sight. Additionally, the user may have a separate mail-store archive on a network share, removable drive or stored locally that has the complete message.
Once again, talk to your IT department and find out how EV operates within the organization. This is the best way to ensure all files, if available, have been collected.
Considerations for Stub Files During Document Review
It is possible that inconsistent coding may result in a stub being marked responsive and the complete message the opposite or vice versa. Don’t assume that if a stub is relevant or not privileged that its full counterpart is as well. An attachment may contain privileged material or the un-truncated message may contain work product.
Again, the best options to remediate are recollection or a full search of the collected data and hopefully the full emails are captured in one of the many archives in the custodian’s mailbox. There is a chance that it can be found as a loose file somewhere on the custodian’s home drive or local drive.
Document any steps or discussions around the process used to address stubbed messages. It may be something that is shared with the court or opposing parties if stubs ever become an issue.
The best time to address stubs (or the potential of them) is during collection and prior to the start of review. Be sure to talk about it within your team and you may even consider raising the topic with the opposition to get in front of any questions. At the end of the day, always remember: the legal standard is reasonableness, not perfection.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted January 18, 2018
5 Expert Predictions for the eDiscovery Industry in 2018
Posted January 17, 2018
Get Your Passport to GDPR Success - LegalTech New York 2018
Posted January 11, 2018
Is Your Organization Vulnerable to a Cyber Attack? 3 Steps to Put Your Mind at Ease
Posted January 04, 2018
How the EU and China Plan to Deal with Multinational Data
Posted December 28, 2017
How to Navigate International Data Privacy Laws for eDiscovery
Posted December 21, 2017
Cross-Border eDiscovery: An Introduction to Cultural and Legal Obstacles
Posted December 14, 2017
Webinar Q&A Featuring Panelists from Special Counsel and Brainspace
Posted November 30, 2017
Help Your Employees Find the Information They Need with Machine Learning
Posted November 22, 2017
How to Use Managed and Prioritized Workflows to Reduce the Cost of Review [On-Demand Webinar]
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review