Exchange 2007: Electronic Discovery. David Sengupta, Exchange MVP.
Uploaded Dec 17, 2015

Transcript
Page 1: Exchange 2007: Electronic Discovery David Sengupta Exchange MVP.

Exchange 2007: Electronic Discovery

David Sengupta

Exchange MVP

Page 2

Agenda

• Introduction to electronic discovery
• State of the Market
• E-discovery and E-mail
• Microsoft Exchange 2007 & e-discovery
  – Reactive e-discovery
  – Demonstration
  – Proactive e-discovery
• Case study
• Summary

Page 3

Introduction to Electronic Discovery: Definitions

• The process of finding, identifying, locating, retrieving, and reviewing potentially relevant data in designated computer systems.1
• Also known as:
  – "Digital discovery"
  – "E-discovery" (ED)
  – "Electronic digital discovery" (EDD)
  – "Electronic document discovery" (EDD)
  – "Electronic evidence discovery" (EED)

1 Source: http://edrm.net/index.php/Glossary:_E

Page 4

Introduction to Electronic Discovery: Drivers behind E-Discovery

• E-discovery is typically driven by investigations

Type of Investigation: Examples
• Internal: H.R. investigations, assessment of liability, etc.
• Regulatory: Sarbanes-Oxley, HIPAA, Basel II, FDA (21 Rule 11), US Patriot Act, California SB 1386, Freedom of Information Act (FOIA), etc.
• Legal: Civil lawsuits, criminal investigations, patent infringement, wrongful dismissal, trade secrets, insurance claims, anti-terrorism, etc.

Page 5

Introduction to Electronic Discovery: Top targets

• Favorite targets for investigations:
  – E-mail & attachments
  – Instant messages
  – Document metadata
  – Voicemail & Unified Messaging data
  – Portal & web content (blogs, wikis, etc.)
• E-mail content frequently represents a large percentage of the evidence

Page 6

Agenda (repeated from Page 2)

Page 7

State of the Market: Technology timeline (1996 to 2006)

• Exchange 5.5: E-mail becoming mainstream; desktop maturity; coexistence; Internet protocols; Outlook Web Access
• Exchange 2000: Anti-virus maturing; anti-spam; migrations; e-mail mission critical in some sectors
• Exchange 2003: Storage management; rise of e-mail management disciplines; increasing interest in archival and compliance; mobility in the enterprise
• Exchange 2007: E-mail mission critical; regulatory compliance; content & discovery; automated management; maturity of e-mail management (MOF, ITIL, etc.); Exchange 2007 SP1

Page 8

State of the Market: Legal timeline (1970 to 2000s)

• 1970s: Evidence completely paper-based
• 1980s: Evidence mostly paper-based; some electronic evidence emerging (spreadsheets & documents); electronic evidence printed
• 1990s: Volume of electronic evidence surpasses paper; scanning, OCR; BSI BIP 0008 (1996); HIPAA (1996); early data forensics & e-discovery
• 2000s: Sarbanes-Oxley Act (2002); Enron (2002); Zubulake v. UBS Warburg (2003-4); Basel II (2004); ISO TR 15801 (2004); Sedona, EDRM; Federal Rules of Civil Procedure

Page 9

State of the Market: E-mail evidence in the news…

• White, Michael & Andrew Clark. Special report: Paddington Train Crash - Ministers bid to plug email leak. Guardian Unlimited, June 7, 2002.
• E-mail Ensnarls St. Louis-Based Bank in Privacy Inquiry. BankInfoSecurity.com. Feb. 2004.
• Investigation launched into e-mail leak about Pacific Lumber fraud suit (AP). SignsOnSanDiego.com. Feb. 19, 2004.
• CBC. Police searched reporter's garbage, e-mail. Ottawa, March 24, 2004. CBC News.
• Summers, Bobby. E-mail leak may have cost provost's job. Daily Cougar, September 25, 1995.
• Dunn, Andrew. Principal Apologizes for Joke E-Mail. March 24, 2004. The Ledger.
• MacAskill, Ewen & Michael White. How Email became a Diplomatic Incident. Guardian Unlimited. April 28, 2004.
• Sinrod, Eric J. E-mail notification of change to employment policy insufficient. USA Today. Jun. 23, 2004.
• Hansell, Saul. You've Got Mail (and Court Says Others Can Read It). The New York Times: Technology. July 6, 2004.
• Graham, Pam. Email-wiping may go to police. The New Zealand Herald. July 17, 2004.
• Hayes, Frank. E-mail Answers to "E-mail glitch exposes private data in California". Computerworld. Aug. 2, 2004.
• Barnako, Frank. Evidence Piles Up in E-mail. Investors.com. Oct. 19, 2004.
• McKenzie, Gia. Charleston County School District Issues Apology For Email. ABC News. Nov. 5, 2004.
• Speaker's aide quits over e-mail. Edinburgh Evening News. Nov. 5, 2004.
• Enron E-mail Study Shows Liability Nightmare. TechWeb News. Nov. 17, 2004.
• Kabbany, Jennifer. Trustee faces lawsuit over e-mails. NCTimes.com. Jan. 6, 2005.
• McNish, Jacquie. E-mail used as weapon in court case. The Globe and Mail. Jan. 6, 2005.
• LaMendola, Bob. Palm Beach County worker demoted over e-mail release of HIV/AIDS patients. South Florida Sun-Sentinel. May 20, 2005.

Recent management articles:
• Morgan Stanley's email bounceback. Infoconomy. 2 Jun 2005.
• Bank of America to pay $1.5m fine for email violation. Computer Business Review. Jun 16, 2005.
• Kawamoto, Dawn. E-mail key to AMD's antitrust fight. ZDNet. June 28, 2005.
• Callimachi, Rukmini. FBI e-mails shed new light on wrongful arrest in Madrid train bombings. KGW.com. Jul. 13, 2005.
• Phillips, Jim. Fraudulent e-mail case at Ohio University (OU) may be Investigated by Fairfield Sheriff. The Athens NEWS. Aug. 1, 2005.
• Ahlers, Mike. Democrats: Katrina e-mails show levee breaches reported early. CNN. Feb 10, 2006.
• CNN. Lawmaker: E-mails show Brown 'out of touch' during Katrina. Nov 3, 2005.
• White House E-Mail Archive Problem Hinders CIA Leak Probe. FOX News. Feb. 2, 2006.
• Levy, Gideon. Barak's mail to Yale. Haaretz - Israel News. May 21, 2006.

Page 10

State of the Market: Landmark case: Zubulake v. UBS Warburg1

• Gender discrimination suit
• Plaintiff requested defendant produce:
  – "all documents concerning any communication by or between UBS employees concerning the plaintiff"
• Production of e-mail evidence:
  – Defendant: approx. 100 pages
  – Plaintiff: approx. 450 pages
• 5 decisions by Judge Shira Scheindlin:
  – Zubulake I & II (May 13, 2003), Zubulake III (July 24, 2003), Zubulake IV (October 22, 2003), Zubulake V (July 20, 2004)

1 Source: http://www.lexisnexis.com/applieddiscovery/lawlibrary/focus_04.asp

Page 11

State of the Market: Landmark decisions: Zubulake v. UBS Warburg

Lesson 1
  Concerning: Scope of a party's "duty to preserve" once the party "reasonably anticipates litigation"
  Implication: Responding party must produce all relevant e-mail on "accessible media [including] backups of electronic data of 'key players'".1,2 Failure to preserve can be considered willful destruction of potentially relevant information.

Lesson 2
  Concerning: Lawyer's duty to monitor clients' compliance with preservation & production orders
  Implication: Counsel must communicate the litigation hold order to all key players. The duty to preserve falls on the shoulders of the party on notice.

Lesson 3
  Concerning: Data sampling
  Implication: Court can order the defendant to produce (at their own cost) relevant e-mail from a sampling of "inaccessible media" (i.e., Exchange backups)

Lesson 4
  Concerning: Cost-shifting of restoration from "inaccessible media"
  Implication: Court can shift the costs of recovery from backup media to the requesting party

Lesson 5
  Concerning: Sanctions for spoliation of evidence
  Implication: High stakes. Laura Zubulake awarded $20.1M punitive & $9.1M compensatory damages

1 Federal Rules define a 30-day response time for discovery requests.
2 Restoration costs for each backup tape (HP OpenMail in this case) were estimated at $3,800.69 per tape, with review costs between $170-410/hr depending on the expertise of the reviewer.

Page 12

State of the Market: Other decisions: The stakes are high

• $1.45B Morgan Stanley
  – Coleman Holdings v. Morgan Stanley (2005)
  – Failure to produce e-mail evidence
• $10M Bank of America (2004)
  – SEC settlement
  – Failure to produce e-mail evidence
• $2.75M Philip Morris
  – United States v. Philip Morris USA Inc. (2004)
  – Spoliation (deletion of 60-day-old e-mail for 2 years)
• $2.1M J.P. Morgan (2005)
  – SEC, NASD, NYSE settlement
  – Spoliation of e-mail

Page 13

Agenda (repeated from Page 2)

Page 14

E-discovery and E-mail: E-discovery Reference Model (EDRM)

The EDRM stages, in order:
• Information Management
• Identification
• Preservation
• Collection
• Processing
• Review
• Analysis
• Production
• Presentation

Page 15

E-discovery and E-mail: Keep E-mail or Delete it

• Keep Email
  – Org profile: SOX, JSOX, CSOX, LSF, L262, etc.; financials/government agencies; large orgs; large budgets; archives; high discovery cost
  – Options: Exchange Hosted Archive; 3rd party archives; Transport Journaling
• Selectively Retain
  – Message Retention Management
  – Mailbox Journaling
• Delete Email
  – Org profile: Litigation risk; SM orgs; relatively tighter budgets; archive optional
  – Options: Retention Policies; Mailbox Quotas

Page 16

E-discovery and E-mail: Discover E-mail

• Discover Email
  – Org profile: FRCP (Fed Rules of Civil Proc), SEC 17a-4; includes non-regulatory scenarios; all orgs; budgets variable, archive optional
• Keep Email and Delete Email org profiles as on Page 15

Page 17

E-discovery and E-mail: Finding the needle in the haystack

• Challenges in e-mail as a communications medium:
  – Volatile
  – Portable
  – Alterable
  – Distributed
  – Persistent
  – High volume
  – High quantity
• Challenges in scope:
  – Find the 'smoking gun' (i.e., conclusive evidence)
  – Prove there is no 'smoking gun'
• Challenges in process:
  – Moving from large volumes of data to relevant evidence
  – Preservation of evidential weight, chain of custody & defensibility
  – Maintaining transparency & validation of process
  – Ensuring accuracy & completeness of evidence
  – Proving reliability & trustworthiness of evidence

Page 18

E-discovery and E-mail: E-mail is Volatile (e.g., 70 copies in 45 minutes…)

Page 19

E-discovery and E-mail: Glossary of key terms

• Chain of Custody (CoC) – accounting of the control (custody) of evidence at all times
• Custodian – person having administrative control of a document
• Evidential Weight – value as evidence
• Metadata – data about data
• Preservation Order – temporary order to keep a party from deleting data until a warrant or production order is issued
• Privilege – special and exclusive legal advantage or right (e.g., client/attorney communications)
• Redaction – removing privileged information
• Spoliation – destruction of records "relevant" to a case, with a "culpable state of mind" when a "duty to preserve" exists

Page 20

Agenda (repeated from Page 2)

Page 21

Microsoft Exchange & e-discovery: Two approaches to e-discovery

• Reactive approach:
  – "We don't know what's out there, or where it all is, but need to produce evidence for <reason> within x days"
  – Analogy: "I lost my keys… I need them now!"
• Proactive approach:
  – "We need to set up our Exchange environment in order to facilitate discovery"
  – Analogy: "I'm going to put my keys in the right place so that I can find them easily!"

Page 22

Microsoft Exchange & e-discovery: Designed with Organizational Governance in mind…

• End-to-end approach to governance around Microsoft Exchange
• See UNC360 for a transport-level view into Protect, Preserve, Discover
• Protect: Privacy; Confidentiality; Anti-fraud and Corruption
• Preserve: Keep all email; Selectively Retain; Delete all email
• Discover: Search all users' email; Federated search
• Prove: Auditing; Monitoring; Reporting

Page 23

Reactive E-Discovery & Exchange: Common misconceptions

• "We are safe because…"
  – …"we delete all e-mail after 30 days"
  – …"we have 7 years of backups"
  – …"we bought an archive"
  – …"we have ExMerge"
  – …"we have export-mailbox"
  – …"we have e-mail policies signed by all our employees"
  – …"we're not in a heavily regulated industry"
  – …"we're government"
  – …"we haven't been asked to do anything by corporate legal"

Page 24

Reactive E-Discovery & Exchange: Message classes yield different types of evidence

• Message classes: Message, Appointment, Task, etc.

Page 25

Reactive E-Discovery & Exchange: E-mail anatomy: Understand what you're looking for

• Message parts:
  – Header (P1, P2)
  – Subject Line
  – Body
  – Attachment (Filename, Contents)

Page 26

Reactive E-Discovery & Exchange: E-mail storage: Understand where to look

• Exchange "silos" to be searched
  – On-premises Exchange Servers: Mailboxes; Public folders
  – "Offline" data: PSTs, OSTs, mobile devices, removable storage, "deleted" shadow data on hard drives, MSG files, etc.
  – Archives: 3rd party archives
  – Backups: Tapes, VSS, DPM, other media
  – Exchange Online: See UNC256 for Discovery & EHS

[Diagram: the silos laid out by location. Corporate headquarters: e-mail server farm in corporate datacenter (on-premises), corporate e-mail archive (archive), backup media in datacenter (backup), backup media in transit to offsite storage (offline). Branch office: e-mail server, backup media, PSTs. Home office: PST on staff laptop. E-mail on PDAs & cell phones (offline). Microsoft datacenters (online).]

Page 27

Reactive E-Discovery & Exchange: Search technologies: Understand what's going on

• Single mailbox
  – Outlook 2000 & earlier – Find did not use Exchange FTI
  – Outlook 2002 & later – Find & Advanced Find use Exchange FTI
  – ExMerge (pre-Exchange 2007)
  – MSN Desktop Search – local Indexing Service
• Multiple mailboxes
  – ExMerge (pre-Exchange 2007)
  – Exchange 2007 PowerShell, e.g. (the slide's command with the pipeline variable and hyphens restored):

    Get-User | Where-Object { $_.Department -eq "Product Management" } | Export-Mailbox -TargetFolder 'investigation1' -TargetMailbox CorporateSecurityOfficer

Page 28: Exchange 2007: Electronic Discovery David Sengupta Exchange MVP.

• Search engines:– Crawl data– Create an index (catalog)– Update the index on a set interval– Rebuild the index on a set interval

• Key concepts– IFilters used to access and index document contents

• HKLM\SYSTEM\ControlSet001\Control\ContentIndex\DLLsToRegister

– Not all content indexed, typically only first n MB per document– Language-specific

• Wordbreaker & Stemmer• Noise word file

HKLM\SYSTEM\ControlSet001\Control\ContentIndex\Language\English_US\NoiseFile which corresponds to

%systemroot$\system32\noise.enu

Reactive E-Discovery & ExchangeSearch technologies: Understand search engines

Page 29

Reactive E-Discovery & Exchange: Search technologies: Understand your assumptions

• "Am I really discovering everything?"
  – Is my scope defined adequately?
  – What headers am I searching?
    • e.g., Exchange Full Text Indexing (FTI) defaults are From, To, Cc, Bcc
  – Do I have all needed IFilters installed?
    • e.g., Exchange FTI defaults are DOC, XLS, PPT, HTML, HTM, ASP, TXT, EML
  – Is my logon security restricting me from any search results?
  – When was the last index rebuild and update? What has changed since then?
  – Are wildcards supported for my search?
    • e.g., Exchange FTI does not support wildcards
  – Am I using correct operators and syntax?
    • e.g., Exchange FTI interprets commas as "OR" delimiters
• Your search may not return all the evidence you think it does!
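The assumptions on this slide can be checked rather than guessed. The following PowerShell script is an added example, not part of the original deck: it reads the Indexing Service registry values named on the previous slide (the DLLsToRegister list of IFilters and the NoiseFile path) and then checks a constructed keyword list for the three failure modes listed above: noise words, which are never indexed and so never match; wildcards, which Exchange FTI does not support; and commas, which it reads as OR. The registry paths are the ones on the slides; the keyword list is constructed.

```powershell
# Added example (not from the original deck): audit the assumptions behind a
# keyword search before relying on its results. Reads the Indexing Service
# registry values named on the slides (IFilter DLLs, noise-word file), then
# checks a constructed keyword list for terms Exchange FTI would silently
# drop or reinterpret. On a host without these keys they are reported as absent.

$ContentIndexKey = 'HKLM:\SYSTEM\ControlSet001\Control\ContentIndex'
$NoiseKey        = "$ContentIndexKey\Language\English_US"

function Get-RegisteredIFilters {
    # DLLsToRegister is a REG_MULTI_SZ listing the filter DLLs the indexer loads.
    $item = Get-ItemProperty -Path $ContentIndexKey -Name DLLsToRegister -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.DLLsToRegister)
}

function Get-NoiseWords {
    # NoiseFile points at the noise-word list (e.g. %systemroot%\system32\noise.enu).
    $item = Get-ItemProperty -Path $NoiseKey -Name NoiseFile -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    $path = [Environment]::ExpandEnvironmentVariables($item.NoiseFile)
    if (-not (Test-Path $path)) { return @() }
    return Get-Content $path | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Test-KeywordList {
    param(
        [Parameter(Mandatory)][string[]] $Keywords,
        [string[]] $NoiseWords = @()
    )
    # One row per keyword with the reason it may not behave as expected.
    foreach ($kw in $Keywords) {
        $issues = @()
        if ($kw -match '[\*\?]')       { $issues += 'wildcard not supported by Exchange FTI' }
        if ($kw -match ',')            { $issues += 'comma is treated as an OR delimiter' }
        if ($NoiseWords -contains $kw) { $issues += 'noise word: never indexed, never matches' }
        [pscustomobject]@{
            Keyword = $kw
            Issues  = if ($issues) { $issues -join '; ' } else { 'ok' }
        }
    }
}

# Constructed keyword list an investigator might start from.
$plannedKeywords = @('merger', 'acquisition', 'merg*', 'press,media', 'the')

Write-Host 'Registered IFilter DLLs:'
Get-RegisteredIFilters | ForEach-Object { Write-Host "  $_" }

$noise = Get-NoiseWords
Write-Host "Noise words loaded: $($noise.Count)"

Test-KeywordList -Keywords $plannedKeywords -NoiseWords $noise | Format-Table -AutoSize
```

Run it in a Windows PowerShell session on the indexing host before a keyword list is finalised; a keyword reported as a noise word or containing a wildcard needs to be rewritten, or the search documented as not covering it.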

Page 30

Reactive E-Discovery & Exchange: Exchange 2007 SP1 Discovery Features - Example

• Scenario: Someone sent information about our merger to the media!
• Who did it?

Page 31

Reactive E-Discovery & Exchange: Exchange 2007 SP1 Discovery Features - Example

• Get-Mailbox -ResultSize:10 | Export-Mailbox -ContentKeywords "merger" -TargetFolder "Investigation" -TargetMailbox "Administrator"

Any "hits" appear in the "Investigation" folder of the Administrator mailbox. One folder is created for every mailbox containing matches. Optional -PSTFolderPath switch (requires Outlook 2003 SP2).

Page 32

Reactive E-Discovery & Exchange: Exchange 2007 SP1 Discovery Features - Example

Get-Mailbox -ResultSize:10 | Export-Mailbox -ContentKeywords "merger" -TargetFolder "Investigation" -TargetMailbox "Administrator"

Components the command passes through (diagram on the slide):
• PowerShell engine
• Exchange 2007 cmdlets
• Configuration data access
• Active Directory
• Source MAPI store (mdb1)
• Investigator's mailbox
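The demonstration above runs a single Export-Mailbox pipeline by hand. The script below is an added example, not from the deck, that wraps the same cmdlets so the run leaves a record: a transcript of every command, the custodian list that was searched, a date-bounded keyword export, and a target folder named after the case and time so repeated runs do not collide. It assumes the Exchange 2007 SP1 Management Shell; the department, keywords, date range, target mailbox and case id are constructed placeholders.

```powershell
# Added example (not from the original deck): run the keyword export shown on
# the slides against a defined custodian set and leave an audit trail of what
# was searched. Assumes the Exchange 2007 SP1 Management Shell (Get-Mailbox,
# Get-User, Export-Mailbox). All default values below are constructed.

param(
    [string]   $Department    = 'Product Management',
    [string[]] $Keywords      = @('merger'),
    [datetime] $StartDate     = (Get-Date).AddMonths(-6),
    [datetime] $EndDate       = (Get-Date),
    [string]   $TargetMailbox = 'Investigator',
    [string]   $CaseId        = 'CASE-0001'   # placeholder case reference
)

# Every command and its output goes to a transcript kept with the case file.
$logDir = Join-Path $env:USERPROFILE "ediscovery\$CaseId"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Start-Transcript -Path (Join-Path $logDir 'export-transcript.txt') -Append

# Scope first, and keep the custodian list: who was searched matters as much
# as what was found (the Identification stage of the EDRM).
$custodians = Get-Mailbox -ResultSize Unlimited |
    Where-Object { (Get-User $_.Identity).Department -eq $Department }
$custodians | Select-Object DisplayName, PrimarySmtpAddress, Database |
    Export-Csv -Path (Join-Path $logDir 'custodians.csv') -NoTypeInformation

# One target folder per run, named so that repeated runs never overwrite.
$targetFolder = "$CaseId-$(Get-Date -Format yyyyMMdd-HHmm)"

# Export-Mailbox copies matching items into the target mailbox; the source
# mailboxes are left unchanged (no -DeleteContent), which is what a duty to
# preserve requires.
$custodians | Export-Mailbox -ContentKeywords $Keywords `
    -StartDate $StartDate -EndDate $EndDate `
    -TargetMailbox $TargetMailbox -TargetFolder $targetFolder `
    -Confirm:$false

Stop-Transcript
```

The transcript, the custodian CSV and the dated target folder together answer the questions a court asks later (who was searched, for what, when, by whom) without relying on anyone's memory of the session.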

Page 33

Reactive E-Discovery & Exchange: Searching PSTs

• Options to search small numbers of PSTs
  – Gather PSTs
  – Manually map MAPI profiles
  – Use MSN Desktop Search or Lookout to index & search
• Options to search large quantities of PSTs
  – Search in place
    • Third-party tools (C2C, Sherpa)
  – Migrate to an archive
    • Most third-party archive vendors (HP, Quest, Symantec, Zantaz, etc.)

Page 34

Reactive E-Discovery & Exchange: Searching mobile devices

• No way to perform remote search
• If you need e-mail evidence retrieved from mobile devices:
  – "Black-bag collection" still the preferred approach
  – Nickel-copper-silver fabric to shield wireless signals, preventing:
    • Over-the-air sync
    • Remote wipe
  – Engage computer forensics team to extract evidence securely in a shielded clean-room

Page 35

Reactive E-Discovery & Exchange: Searching archives

• All third-party archives include search
• Consult with archive vendor to understand:
  – How indexing works
  – What is indexed and what isn't
  – How search works
  – What search syntax to use
  – How evidence can be produced to legal without affecting evidential weight
  – How Chain of Custody is maintained

Page 36

Agenda (repeated from Page 2)

Page 37

Proactive E-Discovery Strategies: Putting it all together in an Exchange environment

• Technology
• Process
• People

Page 38

Proactive E-Discovery Strategies: Reduce data in mailboxes and public folders

• People
  – User education & corporate policies
  – Peer pressure (e.g., posting mailbox size reports publicly)
• Process
  – Controlled mailbox quotas with limited exceptions
  – IT charge-backs by mailbox size
  – Clear ownership of public folders
  – Inactivity and stale content analysis
    • Mailboxes not sending or receiving mail, empty public folders, etc.
  – De-provisioning processes
    • 30-day retention upon termination, then delete
• Technology
  – Limited deleted item retention intervals
  – Mailbox manager & automated controls

Page 39

Proactive E-Discovery Strategies: Minimize your "Attack Surface"

• People
  – Ensure security checks for sensitive positions
• Process
  – Be proactive about electronic discovery of e-mail:
    • Establish controls to minimize "attack surface" ahead of time
    • Reduce the amount of e-mail data in:
      – Production mailboxes and public folders ("on-prem" silo)
      – PSTs & mobile devices ("offline" silo)
      – Backup media ("backup" silo)
    • Ensure discovery processes & costs are covered in hosting agreements ("online" silo)
• Technology
  – Move e-mail that needs to be maintained into a centralized, searchable archive ("archive" silo)
  – Implement Data Leak Protection (DLP) or similar technologies for real-time protection, ethical walls, etc.

Page 40

Proactive E-Discovery Strategies: Reduce data in PSTs

• People
  – User education & corporate policies
• Process
  – Enable System Policy: "Prevent users from making changes to Outlook profiles"
• Technology
  – Office XP SP2 and higher support disabling PSTs
    • HKLM\SOFTWARE\Microsoft\Office\10.0\Outlook
    • Add DisablePst as REG_DWORD
    • DisablePst = 1
    • Blocks opening or creating PST files.
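The registry value above can be audited across a fleet rather than set once by hand. This PowerShell script is an added example, not from the deck: Get-PstPolicyState reports whether DisablePst is set under each Office version key present on the machine, and Set-PstBlocked enforces it where Outlook is installed and the value is not yet 1. Only the 10.0 key is on the slide; applying the same value name under the 11.0, 12.0 and 14.0 keys is an assumption to confirm for your Office release.

```powershell
# Added example (not from the original deck): report and optionally enforce
# the DisablePst setting the slide describes. The key on the slide is for
# Office XP (10.0); the later version keys use the same value name, which is
# an assumption to confirm for your Office build. Run without -Enforce to
# audit, with -Enforce to set the value (the key is under HKLM, so an
# elevated shell is needed to write it).

param([switch] $Enforce)

# Office version keys: 10.0 (XP, as on the slide), 11.0 (2003), 12.0 (2007), 14.0 (2010).
$officeVersions = '10.0', '11.0', '12.0', '14.0'

function Get-PstPolicyState {
    foreach ($ver in $officeVersions) {
        $key   = "HKLM:\SOFTWARE\Microsoft\Office\$ver\Outlook"
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name DisablePst -ErrorAction SilentlyContinue).DisablePst
        }
        [pscustomobject]@{
            OfficeVersion = $ver
            KeyPresent    = Test-Path $key
            DisablePst    = $value
            PstBlocked    = ($value -eq 1)
        }
    }
}

function Set-PstBlocked {
    param([Parameter(Mandatory)][string] $OfficeVersion)
    $key = "HKLM:\SOFTWARE\Microsoft\Office\$OfficeVersion\Outlook"
    # REG_DWORD DisablePst = 1 blocks opening or creating PST files.
    New-ItemProperty -Path $key -Name DisablePst -PropertyType DWord -Value 1 -Force | Out-Null
}

$state = Get-PstPolicyState
$state | Format-Table -AutoSize

if ($Enforce) {
    # Only touch keys that exist: an installed Outlook that is not yet blocked.
    $state | Where-Object { $_.KeyPresent -and -not $_.PstBlocked } | ForEach-Object {
        Set-PstBlocked -OfficeVersion $_.OfficeVersion
        Write-Host "DisablePst set for Office $($_.OfficeVersion)"
    }
}
```

The audit output is the useful part for a proactive programme: a fleet-wide report of machines where PST creation is still possible tells you where the "offline" silo can still grow.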

Page 41

Proactive E-Discovery Strategies: Reducing data on mobile devices

• People
  – User education & corporate policies
• Process
  – Which devices are permitted, and what to do when one is lost
• Technology
  – "Remote Wipe" in Exchange 2003 SP2 and higher
    • Requires a Windows Mobile 5.0 device
    • Wipes device memory but not storage cards

Page 42

Proactive E-Discovery Strategies: Reduce data in backup media

• Process
  – If possible…
    • Keep only a minimum set of backup media
    • Migrate backup data to an archive if you need to retain the Exchange data on them
    • Control your backup media & ensure old tapes are erased
  – Companies who lost customer/client information via lost backup media over the past 24 months:1
    • CitiBank – 3.9 million
    • CitiFinancial – 3.9 million
    • Bank of America – 1.2 million
    • Time Warner – 600,000
    • Ameritrade – 200,000
    • City National Bank – Unknown

1 Schwartz, Mathew. Backup-Tape Security: Enter the "Brown Bag". Enterprise Systems. April 11, 2006.

Page 43

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Information Management
  – Process of identifying, classifying, archiving and destroying records
  – ISO 15489:2001 definition: "the field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including the processes for capturing and maintaining evidence of and information about business activities and transactions in the form of records"
• Exchange impact:
  – If e-mail within your Exchange environment is considered a corporate record, then you need to manage these e-mails as you would any other records

Page 44

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Identification
  – Process of learning the location of all data which you or your client may have a duty to preserve and potentially disclose in a pending or prospective legal proceeding.1
• Exchange impact:
  – Need clear documentation tying a "custodian" to accounts, mailboxes, distribution lists and, ultimately, all data owned by the custodian
    • Current state
    • History (including mailbox moves, etc.)

1 Socha, George et al. Electronic Discovery Reference Model (EDRM). Glossary. May 2006.

Page 45

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Preservation
  – When it can be reasonably anticipated that an action will be filed, all parties have a duty to preserve potentially relevant evidence1
• Exchange impact:
  – Once aware of a "duty to preserve", the following changes are potentially required in Exchange (consult with legal) in order to avoid 'spoliation' charges:
    • Legal – communicate preservation requirements to the company
    • Backup Operators – stop recycling backup media
    • Exchange Administrators – set deleted item & deleted mailbox retention intervals to maximum
    • Exchange Administrators – stop mailbox manager or other automated content-deletion services
    • Storage Administrators – source sufficient storage for the "long haul" storage bloat associated with the "worst case" scenario
    • End Users – stop manually deleting mail
    • Archive Administrators – stop all automated deletion policies from firing

1 American Bar Association definition
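The Exchange Administrator items in the list above map directly onto Exchange 2007 cmdlets. The following PowerShell script is an added example, not from the deck: it records the current retention settings, raises deleted item and mailbox retention on the databases in scope to the maximum the product accepts, raises any per-mailbox overrides that would otherwise ignore the database default, and clears the Managed Folder Assistant schedule (Exchange 2007's replacement for Mailbox Manager) so managed folder policies stop expiring content. It assumes the Exchange 2007 Management Shell; 24855 days is the documented upper bound for these retention parameters. The -Preview switch passes -WhatIf through so the changes can be reviewed with legal before they are applied.

```powershell
# Added example (not from the original deck): the Exchange-administrator
# preservation steps as a script. Assumes the Exchange 2007 Management Shell
# (Get-MailboxDatabase, Set-MailboxDatabase, Get-Mailbox, Set-Mailbox,
# Get-MailboxServer, Set-MailboxServer). Run with -Preview first.

param(
    [string[]] $Databases = @(),   # empty means every mailbox database
    [switch]   $Preview            # pass -WhatIf to every change
)

# 24855 days is the largest value the retention parameters accept.
$maxRetention = New-TimeSpan -Days 24855

# Record the current state before touching anything: the "before" values are
# part of the preservation record.
$before = Get-MailboxDatabase | Select-Object Name, Server, DeletedItemRetention, MailboxRetention
$before | Export-Csv -Path ".\retention-before-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

$targets = Get-MailboxDatabase | Where-Object {
    $Databases.Count -eq 0 -or $Databases -contains $_.Name
}

foreach ($db in $targets) {
    # Keep deleted items and disconnected mailboxes for as long as the product allows.
    Set-MailboxDatabase -Identity $db.Identity `
        -DeletedItemRetention $maxRetention `
        -MailboxRetention $maxRetention `
        -WhatIf:$Preview
}

# Mailboxes with their own retention override do not inherit the database
# default, so they must be raised separately.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not $_.UseDatabaseRetentionDefaults } |
    Set-Mailbox -RetainDeletedItemsFor $maxRetention -WhatIf:$Preview

# Stop the Managed Folder Assistant on each mailbox server so managed folder
# policies stop expiring content while the hold is in force.
Get-MailboxServer | Set-MailboxServer -ManagedFolderAssistantSchedule $null -WhatIf:$Preview
```

The CSV written at the start matters as much as the changes: when the hold is lifted it is the record of what the settings were, and while it is in force it shows the hold was applied promptly after the duty to preserve arose.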

Page 46

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Collection
  – Collection of all electronic data that is potentially relevant to an investigation
  – Includes metadata and contextual history
  – Requires maintenance of evidential integrity
• Exchange impact:
  – Where you find e-mail evidence is just as important as what you find. Context needs to be captured and retained with every piece of evidence (messages & attachments, etc.)
  – Proving that you didn't change the evidence, including attachment metadata, is critical (e.g., MD5 hash, etc.)
  – Remember, opening a Word document adds your metadata and triggers the timestamp. The same applies to viewing e-mail.
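The hash the slide mentions is only useful if it is recorded at collection time and checked afterwards. The PowerShell below is an added example, not from the deck: New-EvidenceManifest hashes every file in an evidence folder with both MD5 (as the slide mentions) and SHA-256, records who collected it and when, and hashes the manifest itself; Test-EvidenceManifest re-hashes later and reports Verified, Modified or Missing per file. It needs Get-FileHash (Windows PowerShell 4.0 or later) and runs stand-alone against a constructed temporary folder; the case id is a placeholder.

```powershell
# Added example (not from the original deck): a collection manifest that lets
# you prove later that exported evidence (PSTs, MSG files, attachments) has not
# changed. Uses Get-FileHash (Windows PowerShell 4.0+). Both MD5 (named on the
# slide) and SHA-256 are recorded so tooling that expects MD5 is satisfied
# while the verification rests on a collision-resistant hash.

function New-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string] $EvidencePath,
        [Parameter(Mandatory)][string] $ManifestPath,
        [string] $CaseId = 'CASE-0001'          # placeholder case reference
    )
    $collectedAt = (Get-Date).ToUniversalTime().ToString('o')
    $rows = Get-ChildItem -Path $EvidencePath -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            CaseId       = $CaseId
            RelativePath = $_.FullName.Substring($EvidencePath.TrimEnd('\').Length + 1)
            SizeBytes    = $_.Length
            LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            MD5          = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            CollectedBy  = "$env:USERDOMAIN\$env:USERNAME"
            CollectedUtc = $collectedAt
        }
    }
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    # Hash the manifest itself so the record of the record can be verified too.
    (Get-FileHash -Path $ManifestPath -Algorithm SHA256).Hash |
        Set-Content -Path "$ManifestPath.sha256"
    return $rows
}

function Test-EvidenceManifest {
    param(
        [Parameter(Mandatory)][string] $EvidencePath,
        [Parameter(Mandatory)][string] $ManifestPath
    )
    # One row per manifest entry: Status is Verified, Modified or Missing.
    foreach ($row in Import-Csv -Path $ManifestPath) {
        $file   = Join-Path $EvidencePath $row.RelativePath
        $status = if (-not (Test-Path $file)) { 'Missing' }
                  elseif ((Get-FileHash -Path $file -Algorithm SHA256).Hash -ne $row.SHA256) { 'Modified' }
                  else { 'Verified' }
        [pscustomobject]@{ RelativePath = $row.RelativePath; Status = $status }
    }
}

# Constructed demonstration: a temporary evidence folder with two fake exports.
# The manifest is written outside the evidence folder so it is not hashed as evidence.
$demo = Join-Path $env:TEMP 'ediscovery-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'custodian1.msg') -Value 'constructed sample message'
Set-Content -Path (Join-Path $demo 'custodian2.msg') -Value 'another constructed sample'

$manifest = Join-Path $env:TEMP 'ediscovery-demo-manifest.csv'
New-EvidenceManifest -EvidencePath $demo -ManifestPath $manifest | Format-Table RelativePath, SHA256 -AutoSize

# Simulate a change to one export after collection and re-verify: it reports Modified.
Add-Content -Path (Join-Path $demo 'custodian2.msg') -Value 'altered after collection'
Test-EvidenceManifest -EvidencePath $demo -ManifestPath $manifest | Format-Table -AutoSize
```

Keep the manifest and its .sha256 with the case file, separate from the evidence copy, so that the "when was it changed?" question on the evidential-weight slide can be answered with a re-run of Test-EvidenceManifest rather than an assertion.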

Page 47

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Processing
  – The process of changing unstructured data (e.g., e-mail) into structured data
  – Involves culling datasets, de-duplication, triaging and prioritizing the evidence found
  – Also includes reporting of key performance indicators to assess cost and productivity as a case progresses
• Exchange impact:
  – Minimizing the number of duplicate copies of e-mail and attachments in your environment will minimize processing costs when e-discovery needs arise
  – Single instance ratios and co-location of mailboxes play a small factor
  – Minimizing overall 'attack surface' by reducing the number of e-mail storage silos is key

Page 48

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Review
  – Assess evidence that has been collected
  – "Redact" privileged content
    • Blacking out sections or withholding entire e-mails or documents
  – Determining which e-mails to produce to the other party, i.e., "responsive" evidence
• Exchange impact:
  – No direct impact. By the time e-mail evidence is in the Review phase, it is out of Exchange.

Page 49

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Analysis
  – Analysis is the process of evaluating a collection of electronic discovery materials to determine relevant summary information, such as key topics of the case, important people, specific vocabulary and jargon, and important individual documents.1
• Exchange impact:
  – No direct impact. By the time e-mail evidence is in the Analysis phase, it is out of Exchange.

1 Socha, George et al. Electronic Discovery Reference Model (EDRM). Glossary. May 2006.

Page 50

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Production
  – The act of presenting evidence to the requesting party as negotiated by both parties early in the e-discovery process, and as governed by the proposed amendments to the Federal Rules of Civil Procedure
  – Bates stamping
  – Convert to TIFF or other "responsive format"
• Exchange impact:
  – No direct impact. By the time e-mail evidence is in the Production phase, it is out of Exchange.

Page 51

Proactive E-Discovery Strategies: E-Discovery Reference Model (EDRM)

• Presentation
  – Delivery of relevant evidence in court
• Exchange impact:
  – No direct impact. By the time e-mail evidence is in the Presentation phase, it is out of Exchange.

Page 52

E-mail as Evidence: Five rules of evidence

• To be considered useful, evidence must be:1
  1. Admissible – able to be used in court or elsewhere
  2. Authentic – relevant to the case at hand
  3. Complete – representative of all perspectives
  4. Reliable – collected in a manner that does not cast doubt on authenticity
  5. Believable – traceable to original collection and obviously not faked
• Bottom line – the higher the stakes, the higher the degree of care required in collecting and handling evidence

1 Source: Braid, Matthew. Collecting Electronic Evidence After System Compromise. AusCERT. Aug. 2, 2001.

Page 53

E-mail as Evidence: Evidential weight in court

• Sample questions a judge could ask about e-mail presented as evidence:
  – Who accessed it?
  – What was done with it?
  – When was it changed? Why?
  – Where was it at all stages between discovery and court?
  – How was it collected?
  – Where was it collected from?
• Opposing legal teams will challenge everything!
• British Standards Institution (BSI)
  – BIP 0008: Legal Admissibility and Evidential Weight of Information Stored Electronically

Page 54

E-mail as Evidence: A word of warning…

• If you're tasked with e-discovery for a high-stakes investigation… STOP!
  – Don't touch anything
    • "Shut down" changes 100s of files… if you must, pull the plug
  – Engage legal immediately
  – Computer forensics experts may be needed
• Collection could require:
  – Search warrants
  – Planned search & seizure
  – Team approach
    • Team lead, legal, scribe, collector, security, human resources
  – Forensic imaging of hard drives

Page 55

Agenda (repeated from Page 2)

Page 56: Case Study – US v. Philip Morris et al1

• Clinton Administration civil lawsuit against tobacco companies
– Racketeering allegation – conspiracy against the American public since 1953 concerning health effects of smoking
– Trial ended in 2005
• Started with 20 Million e-mails…

1Baron, Jason R. Complex Legal Requirements in Electronic Discovery Search and Retrieval: A NARA Case Study. Nov. 8, 2005.

Page 57: Case Study – US v. Philip Morris et al1

• Keyword searches, then analysis & review, narrowed the collection step by step:
– 20 Million e-mails searched
– 200,000 hits (many false positives)
– 100,000 relevant e-mails
– 80,000 e-mails presented to opposing party
– 20,000 e-mails in privilege logs
– 5 e-mails used in trial

Page 58: Agenda

Page 59: Summary – Call to action…

• Legal & IT must work together, i.e., people, process & technology are all important
– People:
  • Compliance team
  • Staff knowledgeable in Exchange + e-discovery (= you!)
– Process:
  • Corporate Code of Conduct
  • E-mail Policy
  • Preservation Plan
– Technology:
  • Archival
  • Discovery
  • Etc.

• Ignorance is no excuse!

Page 60: E-Discovery Resources

Websites
Law.com E-Discovery Site http://www.law.com/jsp/legaltechnology/edd.jsp
Discovery Resources http://www.discoveryresources.org/

Reference Models & Best Practices
Best Practices for Exchange e-Discovery (David Sengupta) http://www.quest.com/tediscowp
Electronic Discovery Reference Model (EDRM) http://www.edrm.net
The Sedona Conference http://www.thesedonaconference.org

Legal Sites
U.S. Courts Federal Rules of Civil Procedure (FRCP) http://www.uscourts.gov/rules/newrules4.html
Lexis Nexis http://www.lexisnexis.com
Find Law http://www.findlaw.com
American Bar Association http://www.abanet.org/

Blogs
The P0stmaster’s Blog on Exchange & Compliance (David Sengupta) http://p0stmaster.blogspot.com
Electronic Discovery Law site by Preston Gates & Ellis LLP http://www.ediscoverylaw.com/
Sound Evidence E-Discovery Simplified (Mary Mack) http://soundevidence.discoveryresources.org/

Publications
E-Discovery Advisor http://e-discoveryadvisor.com/
RenewData E-Discovery Insider Newsletter http://www.renewdata.com/newsletter.php

Page 61: Resources

Technical Chats and Webcasts
http://www.microsoft.com/communities/chats/default.mspx
http://www.microsoft.com/usa/webcasts/default.asp

Microsoft Learning and Certification
http://www.microsoft.com/learning/default.mspx

MSDN & TechNet
http://microsoft.com/msdn
http://microsoft.com/technet

Virtual Labs
http://www.microsoft.com/technet/traincert/virtuallab/rms.mspx

Newsgroups
http://communities2.microsoft.com/communities/newsgroups/en-us/default.aspx

Technical Community Sites
http://www.microsoft.com/communities/default.mspx

User Groups
http://www.microsoft.com/communities/usergroups/default.mspx

Page 62

• © 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

• The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.