Saturday, December 29, 2012

eDiscovery and in-place holds in SharePoint Server 2013

Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence. SharePoint Server 2013 introduces the eDiscovery Centre, a new type of site collection that serves as a portal for managing eDiscovery cases. From this central location you can discover content in the SharePoint farm, in Exchange Server 2013, on file shares, and in other SharePoint farms. You can apply a hold to SharePoint and Exchange content that you discover. The hold ensures that a copy of the content is preserved, while still allowing users to work with their content. When you have identified the specific items that you will have to deliver, you can export them in an industry-standard format.

Managing an eDiscovery case

When you receive a new request for eDiscovery, you create an eDiscovery case in the eDiscovery Centre. An eDiscovery case is a collaboration site that you can use to organize information related to the eDiscovery request. From within an eDiscovery case, you can search for content, apply a hold to content, export content, and view the status of holds and exports that are associated with the case.

The two primary components of an eDiscovery case are eDiscovery sets and queries. Use an eDiscovery set to find content and apply a hold. Use a query to find content and export it.

eDiscovery process flow


To find and preserve content, create an eDiscovery set. Each eDiscovery set contains the following:
· Sources, which are locations to be searched. Exchange mailboxes, SharePoint sites, and file shares can all be sources.
· A filter, which defines what you are searching for. A filter can include search terms, a date range, and an author’s name.
· An option to apply an in-place hold to the sources that contain content that matches the filter.
To find and export content, create a query. Each query contains the following:
· Query filters, which define what you are searching for. Query filters resemble a filter in an eDiscovery set, and can include search terms, a date range, and an author’s name. However, query filters in a query can also use stemming.
· Sources to be searched. Exchange mailboxes, SharePoint sites, file shares, and eDiscovery sets can all be sources in a query.
When you run a query, you can see statistics about the items that were found, you can preview the results, and you can filter the results by message type (for Exchange results) or by file type (for SharePoint results). When you are finished, you can export the results of the query.

The content that you export by using a query is formatted according to the Electronic Data Reference Model (EDRM) specification so that it can be imported into a review tool. An export can include the following:
· Documents: Documents are exported from file shares. Documents and their versions can be exported from SharePoint 2013.
· Lists: If a list item is included in the query results, the whole list is exported as a comma-separated values (.csv) file.
· Pages: SharePoint pages, such as wiki pages or blogs, are exported as MIME HTML (.mht) files.
· Exchange objects: Items in an Exchange Server 2013 mailbox, such as tasks, calendar entries, contacts, email messages and attachments are exported as a .pst file. If Lync conversations are archived in Exchange, those can be discovered and exported, too.
· Crawl log errors.
· An XML manifest that provides an overview of the exported information.

How eDiscovery works in SharePoint products

The Search service application is a key component of the search system in SharePoint Server 2013. You can associate an eDiscovery Centre with a Search service application. Any content that is indexed by the Search service application can be discovered from the eDiscovery Centre. If you configure the Search service application to crawl file shares, you can use the eDiscovery Centre to discover content on the file shares. If you configure the Search service application to crawl other websites - for example, a team site that was created by using Office SharePoint Server 2007 - you can use the eDiscovery Centre to discover content on the websites. For SharePoint 2013 farms, you can also put the content on hold. If you add Exchange Server 2013 to the Search service application as a result source, you can discover content within Exchange mailboxes from the eDiscovery Centre and put the mailboxes on hold. If you archive content from Lync in Exchange, you can also discover Lync content.

An eDiscovery Centre for a Search service application.

As the Search system crawls content, it creates a search index. The search index stores data that is used to provide the results for search queries. The search index also stores information about the permissions that are required to access each piece of content. When a user performs a search, the search system uses the search index to identify the appropriate search results. Before displaying the results, the Search service application performs security trimming, by which the system compares the user’s permissions to the permissions that are required to access content that search results link to, and then “trims” the results to show only those results that the user has permissions to view.

In-place holds

SharePoint Server 2013 introduces the concept of an in-place hold. When you apply an in-place hold to a site, content in the site remains in its original location. Users can still work with the content, but a copy of the content as it was at the time that you initiated the hold is preserved. In-place holds differ from the style of hold that you could use in SharePoint Server 2010. In SharePoint Server 2010, users could not change or delete content when it was on hold. By using in-place holds in SharePoint Server 2013, users do not even have to know that their content is on hold.

An in-place hold is applied at the level of a site. When a hold is placed on a SharePoint site, a preservation hold library is created, if one does not already exist. Most users cannot view the preservation hold library. It is only visible to site collection administrators. The search crawler also has special permissions to crawl content in the preservation hold library.

If a user attempts to modify or delete content in a site that is on hold, SharePoint first checks whether the content has been modified since the hold was applied. If this is the first modification since the hold was applied, SharePoint copies the content to the preservation hold library, and then allows the user to modify or delete the original content. Note that any content in the site can be copied to the preservation hold library, even if the content does not match the filter of the eDiscovery set that initiated the hold.

The Information Management Retention timer job cleans up the preservation hold library. The timer job runs periodically and compares all content in the preservation hold library to the filters for the eDiscovery sets that put the site on hold. Unless content matches at least one of the filters, the timer job deletes the content from the preservation hold library.

Two important consequences of this process are as follows:
· The version of content that is current at the time that the hold was applied is the only version that is preserved. If the content is changed multiple times, intermediate versions of the content are not preserved.
· Storage space is used efficiently. Most content in a site does not change, and content that is not changed is not copied to the preservation hold library.
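
The copy-on-first-change and timer-job cleanup described above, modelled as an added Python example (not SharePoint code and not from the original post). The `Site` class, the substring match standing in for an eDiscovery set filter, and the sample documents are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Site:
    """Toy model of a site under in-place hold (illustrative, not SharePoint code)."""
    docs: dict                                      # name -> current content
    filters: list = field(default_factory=list)     # terms from eDiscovery sets holding the site
    preserved: dict = field(default_factory=dict)   # stands in for the preservation hold library
    changed: set = field(default_factory=set)       # items modified since the hold was applied

    def apply_hold(self, term):
        self.filters.append(term)

    def _copy_on_first_change(self, name):
        # Only the first modification after the hold copies the item,
        # whether or not it matches the filter of the eDiscovery set.
        if self.filters and name not in self.changed:
            self.preserved[name] = self.docs[name]
            self.changed.add(name)

    def modify(self, name, content):
        self._copy_on_first_change(name)
        self.docs[name] = content

    def delete(self, name):
        self._copy_on_first_change(name)
        del self.docs[name]

    def run_retention_timer_job(self):
        """Delete preserved copies that match none of the hold filters."""
        stale = [n for n, c in self.preserved.items()
                 if not any(t.lower() in c.lower() for t in self.filters)]
        for n in stale:
            del self.preserved[n]
        return stale

def demo():
    # Constructed sample content
    site = Site(docs={"contract.docx": "merger draft v1", "menu.docx": "lunch menu"})
    site.apply_hold("merger")
    site.modify("contract.docx", "merger draft v2")  # first change: v1 is copied
    site.modify("contract.docx", "merger draft v3")  # v2 is not preserved
    site.delete("menu.docx")                         # copied although it does not match
    before_cleanup = dict(site.preserved)
    removed = site.run_retention_timer_job()
    return before_cleanup, removed, site.preserved

if __name__ == "__main__":
    print(demo())
```

In this model the intermediate version (v2) never reaches the preserved set, and the non-matching item is held only until the cleanup pass runs.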

Integration with Exchange

You can manage the discovery process for Exchange Server 2013 from a SharePoint eDiscovery Centre. You can do the following:

· Add Exchange mailboxes as sources to either an eDiscovery set or a query.
· Preview content that is discovered in an Exchange mailbox.
· Apply a hold to an Exchange mailbox.
· Export content that is discovered in an Exchange mailbox.
