E-discovery products let you search your messaging infrastructure for messages that contain specific keywords. E-discovery requirements are usually driven by a legal or compliance process. When a legal request comes in that requires the organization to provide all messages that contain a specific keyword or phrase, the e-discovery administrator is the one who needs to find all those messages and provide them to the requesting party.
In many firms, e-discovery isn't handled by people whose primary responsibility is managing the messaging infrastructure. There's a growing number of professionals whose expertise encompasses both the legal and messaging administration professions. This means that a good e-discovery product needs to be user-friendly and not require a deep understanding of how to construct regular expressions.
Exchange Server 2010 includes basic e-discovery functionality out of the box. To access this functionality, you use the Discovery area of the Exchange Control Panel (ECP), as Figure 1 shows. The ECP is available through a web interface.
Discovery searches in Exchange 2010 let you perform multi-mailbox searches filtered by addresses in the To and From fields and by date range. You can search specific mailboxes or all mailboxes in the organization, including archive mailboxes. You can use query-based criteria for selecting mailboxes, which can be helpful in organizations with tens of thousands of mailboxes. Exchange 2010 searches can use the AND, OR, and NOT operators. A user who has been delegated the Discovery Management role can use the ECP to search all message types, including email, meetings, tasks, notes, documents, journals, contacts, and IM conversations. Multi-mailbox search requires an Enterprise CAL. Another Enterprise CAL feature is litigation hold, which stops messages from being deleted directly or indirectly, even when users hard-delete them from their mailboxes.
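The same delegation, hold, and search steps can also be carried out from the Exchange Management Shell instead of the ECP. The following is an added example, not part of the original review; the account names, addresses, keywords, dates, and search name are constructed placeholders, and the target mailbox is assumed to be the default discovery mailbox.

```powershell
# Run in the Exchange Management Shell on Exchange Server 2010.
# Every name, address, keyword and date below is a constructed placeholder.

# 1. Delegate discovery rights. Members of this role group can search every
#    mailbox in the organization, so keep membership small and reviewed.
Add-RoleGroupMember -Identity "Discovery Management" -Member "ediscovery.admin"

# Record who currently holds the role, for the case file.
Get-RoleGroupMember -Identity "Discovery Management" |
    Select-Object Name, RecipientType

# 2. Place the custodians on litigation hold before searching, so that items
#    they delete (including hard deletes) are preserved.
$custodians = "alice.example", "bob.example"
foreach ($custodian in $custodians) {
    Set-Mailbox -Identity $custodian -LitigationHoldEnabled $true
}

# Confirm the hold flag is set on each custodian mailbox.
$custodians | ForEach-Object {
    Get-Mailbox -Identity $_ | Select-Object Name, LitigationHoldEnabled
}

# 3. Define the search: keywords combined with AND / OR / NOT, restricted by
#    sender, date range and message type. Results are copied to the target
#    discovery mailbox rather than left only in the source mailboxes.
$searchParams = @{
    Name            = "Case-0001-Placeholder"
    SourceMailboxes = $custodians
    TargetMailbox   = "Discovery Search Mailbox"   # assumed default discovery mailbox
    SearchQuery     = '("project x" OR "codename x") AND budget NOT newsletter'
    Senders         = "alice.example@contoso.example"
    StartDate       = [datetime]"2010-01-01"
    EndDate         = [datetime]"2010-06-30"
    MessageTypes    = "Email", "IM"
    LogLevel        = "Full"                       # keep a full log of what was searched
}
New-MailboxSearch @searchParams

# 4. Review the search object and its progress.
Get-MailboxSearch -Identity "Case-0001-Placeholder" | Format-List
```

Omitting `SourceMailboxes` searches all mailboxes in the organization, which is why the Discovery Management role group deserves the same scrutiny as any other privileged group.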
In this review, I look at two products that you can use for e-discovery that go beyond the basic functionality offered in Exchange 2010. Those products are Sherpa Software's Discovery Attender and Quest Software's Archive Manager.
Discovery Attender lets you search Exchange mailboxes, including archive mailboxes, public folders, and PST files. You can also use Discovery Attender to search Microsoft Office documents, NSF files created by Lotus Notes, and PDF files stored on accessible file shares and SharePoint servers.
You can deploy Discovery Attender on a workstation or a separate server. Sherpa Software recommends that you not run it on a computer used for mission-critical tasks because the search process is processor-intensive. Figure 2 shows the Discovery Attender interface.
With Discovery Attender, you can create complex and refined searches. This includes the ability to use wordlists. A keyword logic tree utility lets you examine the syntactic logic of your keywords to ensure that execution occurs as intended. You can save complex or common searches as templates, which you can easily modify for new circumstances. You can also perform trial searches against known data to determine whether the search parameters will return the types of results in which you're interested before you query your organization's entire Exchange infrastructure.
Discovery Attender results are returned to a local store, which you can then export to PST format. This ensures that messages that were returned are still available, even if they are later hard-deleted from the Exchange messaging infrastructure. Although regular users should be unable to delete messages placed on litigation hold in a properly configured Exchange infrastructure, it might be necessary to run discovery searches against Exchange administrators who have permission to bypass this setting.
Discovery Attender is powerful, but there's a steep learning curve when it comes to being able to fully leverage the product's capabilities. Although e-discovery administrators can always read the documentation about all the query builder's options, adding an IntelliSense-like capability would ensure that they're aware of the product's search capabilities. Discovery Attender is a comprehensive tool, but it will take most e-discovery administrators some time to be able to fully utilize all of its functionality.
Archive Manager is a retention and discovery product. It captures, indexes, and stores messaging data in a repository. Messages are moved to the repository as soon as they are processed by the messaging server. This repository also serves as a message backup. You configure the repository so that your organization complies with appropriate retention requirements. You can grant access to users so that they can perform e-discovery searches against the contents of this repository. Archive Manager doesn't have a direct litigation hold function, but end users are unable to directly modify the contents of the Archive Manager store.
E-discovery administrators use a web interface, shown in Figure 3, to access the Archive Manager repository. This interface supports the same search terms as the Exchange 2010 Discovery search but has the advantage of running that search against offline data, minimizing the impact on the messaging infrastructure. You can use the same interface to allow end users to search their mail archive. Archive Manager's sophisticated permissions model ensures that the scope of discovery searches can be limited when necessary so that only users with appropriate permissions can perform searches against other users’ mailboxes. Archive Manager includes a PST import tool that allows you to add PST files to the existing archive. Once imported, the e-discovery administrator can search the contents of the PST file.
Archive Manager allows saved searches to be stored as RSS-compliant data, a form of updatable data to which a client can subscribe. This means that you can configure Archive Manager so that an RSS reader is able to access the output of scheduled searches and provide the e-discovery administrator with an alert if any new search results come back.
Although e-discovery is listed as one of its features, Archive Manager isn't primarily an e-discovery product. It's possible to save searches, but the web interface limits the complexity of those searches. While most organizations will find this functionality adequate, the e-discovery functionality isn't as extensive as that of Discovery Attender.
I found setting up Archive Manager fiddly. I had to check the documentation several times to get the product working correctly, and the instructional video available on Quest Software's website is for a previous version of the product. Final installation required modifying the properties of an IIS 7.5 configuration file before everything ended up working as it should. The Archive Manager installation routine could do with a comprehensive prerequisite checker. Plus, several manual steps could be automated to simplify the deployment process.
Many products in the e-discovery space primarily function as archive products because retention is closely tied with discovery. With Exchange 2010's powerful retention functionality, many organizations are finding retention-specific products less necessary than they did with previous versions of Exchange. Discovery Attender's pinpoint focus on discovery and its ability to search live data and PST files make it this editor's choice. If you do purchase the product, just make sure that the e-discovery administrator takes the training so that he or she is aware of everything that the product can do.