Posted on: June 26, 2014in Blog
9 Steps to a More Defensible Email Collection Protocol
Nothing can derail an eDiscovery project like a poorly planned email collection, and one of the most common road blocks we see are searches performed in live email environments pre-collection. There are several issues with performing live searches across email systems including; loss of the opportunity to sample and test search terms; inability to search non-searchable messages and attachments; difficulty in identifying custodians; breaks in chain of custody for search exports; and the lack of a preservation copy for future use...just to name a few.
Rather than performing a live search in existing email environments, D4 recommends that a forensic collection be performed for each custodian. Such a collection allows for proper preservation of the data set. In addition to the preservation copy, a forensic collection allows for another copy of the data to be ingested into an eDiscovery tool. Utilizing an eDiscovery tool is beneficial because it is designed for indexing large amounts of data, searching non-searchable data, sampling and testing search terms, using analytics to expand search terms, and deduplicating data while tracking the custodial values of the deduped files.
Take these nine steps for your most defensible email collection protocol yet:
1. Extract full PST/NSF Files from Live Email Environments
When working with a live email environment, D4 recommends that you export the individual custodian’s mailbox to PST or NSF file, rather than searching within exchange.
2. Import Custodian PST/NSFs to an eDiscovery Tool
There are several eDiscovery tools and all of them accept PST or NSF files for ingestion. At the time of import, the custodian is assigned to all files within the mailstore (PST). This allows for tracking of each file, as it is deduped creating a record of each custodian’s files.
3. Resolve Errors and Exceptions
While ingesting files, most eDiscovery tools alert the user to files that have exceptions due to encryption, corruption, unrecognized filetype, extraction errors, etc. These exceptions are reconciled as well as they can be, and those unable to be reconciled are reported as non-processed documents.
4. OCR All Non-Text Messages
Certain attachments and messages may not have searchable text after import. These non-searchable files will be made searchable by running an Optical Character Recognition (OCR) software across them. OCR allows the non-searchable files to be searched.
5. Identify and Analyze Search Terms
An eDiscovery expert should review search terms to ensure their efficacy for the specific tool in which they are being applied. This analysis should:
- a) Include the identification of “stop words” - certain words and punctuation withheld from the index. (These are ignored by most search engines. Examples of “stop words” are about, but, the, to, from, you, etc.)
- ** Search term analysis should be run before indexing so as to allow for adjustments to be made to the stop word list or punctuation list, if needed.
- b) Ensure the search syntax conforms to the syntax of the search engine;
- c) Take a close look at proper names to make sure that nicknames and formatting are captured;
- d) Confirm email addresses are properly formatted, and;
- e) Make sure that number strings, leading wildcards, and single letters should are avoided as much as possible. These terms seldom yield the desired result.
6. Index All Data Including Messages
Once all files have text, the eDiscovery tool will create an index of all the words in all the files in the database. This index is then searched.
7. Report Results
Once the searches have been run, search term reports should be reviewed to look for anomalies. Terms netting few or no results should be reviewed for syntax and formatting to confirm they are working as expected (refer to step 5). Terms returning large hit counts should be reviewed with the intent of applying limiters (proximity or qualifiers).
8. Sample Results
Certain eDiscovery tools allow for the generation of random sample sets from search results. Samples can be reviewed to confirm efficacy of search results and weed out false positives.
9. Refine Search Terms
After running the first iteration of the terms and having reviewed the results and sample sets, a refined set of terms can be re-run across the data set.
The above protocol is best practice for working with live email environments, but it is important to note that not all organizations have the same data retention policies, and not all custodians store their email data in the corporate email environment. In fact, many organizations encourage their employees to archive email on local shares or on their laptops. Searches run across the [live] environment often do not account for these files.
For these reasons, D4 recommends that, in addition to the forensic collection of the exchange environment, firms also perform custodian interviews. The two primary goals of those interviews should be to interview each employee related to the matter and to identify areas where he/she may store data.
With these basic principles in place you will ensure that your collection sets up the rest of the e-discovery project for success and no train wrecks lie around the next bend.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted November 16, 2017
5 Workflow Tips for Conducting a Foreign Language Review
Posted November 10, 2017
What You Need to Know About Managed Review and the eDiscovery Process
Posted November 02, 2017
7 Steps to Help You Defensibly Migrate eDiscovery Data
Posted October 27, 2017
CLE Webinar with Lewis Brisbois: How to Do Social Media Collection and Presentation Right
Posted October 26, 2017
Despite Clawback, Defendant’s Reckless Abandon of Rule 502 Bites Back
Posted October 20, 2017
How to Use the eDiscovery PST Export Tool in Office 365 E3
Posted October 12, 2017
Recent eDiscovery Cases for Mobile Phones and Social Media
Posted October 05, 2017
Raising Objections to the Format of ESI Productions: Do it Early and Do it Clearly
Posted September 27, 2017
5 Reasons eDiscovery Alternative Fee Models Make Sense for You
Posted September 22, 2017
Why it's Crucial to Have a Corporate Mobile Device Policy