Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7

Page 1 of 33 | Using Exchange In-place eDiscovery & Hold for recovering deleted mail

items | 6#7

Written by Eyal Doron | o365info.com | Copyright © 2012-2015

Using Exchange In-place eDiscovery &

Hold for recovering deleted mail items

| 6#7

In the current article, we will review how to use the Exchange In-place eDiscovery &

Hold feature as a tool for searching and recovering deleted mail items.

We will review the following subjects:

How to create an Exchange In-place eDiscovery & Hold query.

How to send a copy of the search results to the Discovery Search Mailbox.

How to export the search results to PST file.

How to access the Exchange Online In-Place eDiscovery admin interface by Office

365 Business customers.

Scenario description

http://o365info.com/using-exchange-in-place-ediscovery-hold-for-recovering-deleted-mail-items-part-6-7


https://il.linkedin.com/in/eyaldoron1

http://o365info.com/


items | 6#7


In the following section, we will demonstrate the way that we use Exchange Online

in-place eDiscovery & Hold for searching and recovering mail items.

In our scenario, we get a call from a user named John that reports that he noticed

that some of his mail are missing.

John is not sure if the mail items were deleted in a specific date range and cannot

point out a specific charter of the mail item that was deleted.

In this scenario, we would like to create a query that will “scan” John’s mailbox and

“send” the search result of the – Discovery Search Mailbox.

Later on, we look for information about deleted mail items located in

the Recoverable Items folder in the Purges folder

Step 1 – assign permissions

To be able to create an in-place eDiscovery & hold query, that will search through

Exchange users’ mailboxes and in addition, enable us to view data from a user

mailbox, we will need to have the required permissions.

The required permissions are membership in a group named:

Discovery Management.

In the Exchange Online management portal, choose the permissions menu and

then, on the top-bar choose admin roles.






items | 6#7


Double-click on a group named – Discovery Management

In the members sections, click on the plus icon to add the username that need to

have the required permission (the user that will perform the In-place eDiscovery






items | 6#7


& hold search).

Additional reading

Assign eDiscovery permissions in Exchange





https://technet.microsoft.com/en-us/library/dd298059(v=exchg.150).aspx


items | 6#7


Step 2 – creating in-place eDiscovery & hold search

query

In the following section, we will create the required in-place eDiscovery & hold

search query. In our specific example, we will not create a specific filter, but instead,

search the “whole of John mailbox”.

On the left side, menu bar choose the menu – compliance management

On the top menu, bar choose the menu – In-place eDiscovery & hold

Click on the plus sign for creating a new in-place eDiscovery & hold search






items | 6#7


In the text box – Name and description, provide the name for the -place

eDiscovery & hold search query. Note – the name cannot contain spaces.

In our specific scenario, we want to look at John’s mailbox.

For this reason, we will choose the option of: specify the mailbox to search.






items | 6#7


In the window that appears, we will search for John’s name and then, click on

the add button.

In the following screenshot, we can see that the search query “boundary” is John’s

mailbox.






items | 6#7


The following window enables us to set the specific parameters of the search query.

In our specific scenario, we will choose the option of – include all content.

Note – in case that the Filter based on criteria option is “dimmed”, this mean that

you don’t have the required permissions.






items | 6#7


On the next screen we will not select anything because, this part is related to a

scenario in which we want to put on hold specific mail items (our purpose is only to

search and recover mail items).

For this reason, we will just click on the finish button






items | 6#7


In the following screenshot, we can see we can see that the In-place eDiscovery &

hold search query was successfully created.






items | 6#7


In the following screenshot, we can see the In-place eDiscovery & hold search query

that we have created. Notice that the status is Serach has been queued.

Exchange server needs some time to look for the required information in the

Exchange index database.






items | 6#7


Additional reading

Create an In-Place eDiscovery search

Step 3 – View the In-place eDiscovery & hold search

results

In the section, we want to “take a peek” in the search results, meaning the

information (mail items) that was founded based on our search query.

To view the information, click on the link – Preview search results.







items | 6#7


In the following screenshot, we can see the search result meaning – the mail items

that appear in john mailbox.

Note that the information is displayed in a “flat manner”.

The meaning is that the view doesn’t include the “original folder structure and

Hierarchy” as at appear in the “original John mailbox”.

From my experience, this “flat view” is suitable only in a scenario that the search

result includes a few mail items.

In a scenario that we create a search query that “fetch” all of the user mailbox

which can contain thousands or even tens of thousands of mail items, the “Flat

view” will make it very hard to look for a specific mail item.

But fear not!






items | 6#7


In the next section, we will provide a solution for this “display problem”.

Step 4 – copy\save the In-place eDiscovery & hold

search results to the Discovery Search Mailbox

In the next section, we will demonstrate how to “export” (copy) the search query

results to a special Exchange system mailbox named: Discovery Search Mailbox

The option of saving the search query results to the Discovery Search Mailbox, will

enable us to get a clear view of the folder structure in John’s mailbox and in

addition, save the information for later use.

Click on the Magnifying glass icon and choose the menu – Copy search results






items | 6#7


In the following windows, we will need to choose where to “store” the search query

results.

By default, Exchange creates one dedicated system mailbox named

DiscoverySearchMailbox-GUID

Technically, we can ask to create additional Exchange Discovery Search Mailboxes

but for now, let’s satisfied in the “original” Discovery Search Mailbox.

An additional option that is available for us are options such as Enable full

logging and more






items | 6#7


To finish the “export” (copy) process of the search results to the Discovery Search

Mailbox, click on the OK button.






items | 6#7







items | 6#7


In the following screenshot, we can see that a “new section” was added.

To be able to view the search result, click on the [open] link

In the following screenshot, we can see the content of the Discovery Search

Mailbox.

Pay attention to the logic behind the Discovery Search Mailbox structure.

The search results that appear in the Discovery Search Mailbox, have the structure

and the Hierarchy as it appears in the “original mailbox”. For example, the default

inbox folder and so on.

The search results, are saved under a “dedicated folder” that use the name whom

we have defined in the earlier steps for the In-place eDiscovery & holds search

query

(In our scenario – Search_john_mailbox).

Another interesting thing is that the search results include the Purges folder. This

is the folder that will include “hard deleted” mail items and that cannot be seen or

accessed by the mailbox owner (John in our scenario).






items | 6#7


Step 5 – export the search results to PST file

A very useful option that includes in the In-place eDiscovery & hold is the option of

exporting the search results to a PST file.






items | 6#7


To be able to export the specific search result, we will need to choose the search

result job (Search_john_mailbox in our scenario) and click on the down arrow icon

(Export to a PST file).

Note

The computer you use to export search results to a PST file has to meet the

following system requirements:

32- and 64-bit versions of Windows 7 and later versions

Microsoft .NET Framework 4.5

A supported browser:

Internet Explorer 10 and later versions

Mozilla Firefox or Google Chrome, with the ClickOnce add-in installed

The export process is implemented by downloading a specific software component

that will help us to download the file from Exchange Online to our local desktop.






items | 6#7


Click on the Run option






items | 6#7


Choose a local folder that will be used for saving the exported PST file. In our

example, we have created a folder named: John PST

Provide the credentials (user name + password) of a user that have the required

permission (membership in the Discovery Management group)






items | 6#7


In the following screenshot, we can see the result. The results are the required PST

file + Log file

In the following screenshot, we can see an example, in Log file that was provided as

part as the exported files.

The Log file includes information about every mail item that appear in the search

result.






items | 6#7


Additional reading

Export eDiscovery search results to a PST file

You can’t start the eDiscovery PST Export Tool from the Exchange admin

center in Exchange Online

View the mail items in the PST file using Outlook mail

client

In the former section, we review the steps that are needed for exporting the search

result to a PST file.

To be able to view the content of the PST file, we will need to add the PST file to

existing Outlook profile.

In the following example, we will add to existing Outlook mail profile the PST file

that we got from the In-place eDiscovery & hold search result of John’s mailbox.

In outlook choose the File menu ==> Account Settings and then again Account

Settings…





https://technet.microsoft.com/en-us/library/dn440164(v=exchg.150).aspx

http://support.microsoft.com/kb/2919825

http://support.microsoft.com/kb/2919825


items | 6#7


Choose the Data Files tab and click on the Add… button

In our example, John PST is located on drive C: in a folder named: John PST






items | 6#7


In the following screenshot, we can see the “new PST” file that was added to our

Outlook mail profile.






items | 6#7


In the following screenshot, we can see “John PST” that appear as an additional

mailbox in the Outlook mail profile.






items | 6#7


How to access the Exchange Online In-Place eDiscovery

admin interface by Office 365 Business customers






items | 6#7


As mentioned, the option to use Exchange In-place eDiscovery & hold is available

for Office 365 customers who have purchased Office 365 Business license but, not

via the standard Office 365 portal admin interface.

To be able to view the “advanced Exchange Online” admin interface, we will need to

use a little trick in which we will “rewrite” the URL address.

In the following screenshot, we can see that standard portal interface of Office 365

Business customer.






items | 6#7


Login into your mailbox using the OWA web mail client – click on the options menu

and then on the Mail icon

In the following screenshot, we can see we can see that “standard” OWA mail client

URL address.






items | 6#7


To be able to access the Exchange Online admin interface, we will need to “remove”

the URL part after the address: https:/outlook.office365.com

To be able to access the Exchange Online web based management, we will need to

add the folder name ECP to the URL address

For example, https:/outlook.office365.com/ecp






items | 6#7


In the following screenshot, we can see the “standard” Exchange Online admin

interface that enables us to access the option of Exchange In-Place eDiscovery &

Hold

Additional reading

How to do In-place eDiscovery in new O365?

In-Place eDiscovery

In-Place eDiscovery and In-Place Hold in the New Exchange – Part I

In-Place eDiscovery and In-Place Hold in the New Exchange – Part II

Video links

Support Webcast, eDiscovery and In-Place Hold relative to Exchange Online

Microsoft Exchange Server 2013 Archiving and Compliance eDiscovery EPC

Group





http://blogs.technet.com/b/praveenkumar/archive/2013/07/19/single-item-recovery-in-new-o365.aspx


http://blogs.technet.com/b/exchange/archive/2012/09/26/in-place-e-discovery-and-in-place-hold-in-the-new-exchange.aspx

http://blogs.technet.com/b/exchange/archive/2012/09/28/in-place-ediscovery-and-in-place-hold-in-the-new-exchange-part-ii.aspx

https://www.youtube.com/watch?v=GATZ3ZqcyPc

https://www.youtube.com/watch?v=XfYfP-zWHJw

https://www.youtube.com/watch?v=XfYfP-zWHJw


items | 6#7






Documents

Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7