Skip to content

Exchange In-Place eDiscovery & Hold | Introduction | 5#7

The Exchange In-Place Hold & eDiscovery is a very powerful tool that can help us to accomplish three main tasks.

  1. Search for information (mail items) in single or multiple mailboxes.
  2. Put specific information on “hold” (enable to save the information for an unlimited time period).
  3. Recover deleted mail items.

In this article, we will review the logic and the concepts of the Exchange In-Place Hold & eDiscovery tool.
In the next article Using Exchange In-place eDiscovery & Hold for recovering deleted mail items | 6#7, we will demonstrate how to use the Exchange In-Place Hold & eDiscovery tool for recovering deleted mail items.

One thing that we should know about the Exchange In-Place eDiscovery & Hold is that our “First meeting” meeting with this tool can be a little confusing because in we are not already familiar with the logic and the characters of this tool

Exchange In-Place eDiscovery & Hold | Server-side side mailboxes search tool.

If we want to simplify that purpose if the Exchange In-Place eDiscovery & Hold, we can relate to the Exchange in-Place eDiscovery & Hold as a giant search tool.

I use the term “giant” because vs. the search tool included in Outlook or OWA that can help us to locate information in a specific mailbox, the Exchange In-Place eDiscovery & Hold can perform a search in all the mailboxes that hosted at a particular Exchange organization.

In other words, the Exchange In-Place eDiscovery & Hold helps us to “flatten” all the complex Exchange storage infrastructure that can contain hundreds or even thousands of mailboxes.

Another interesting capability of the Exchange In-Place eDiscovery & Hold tool is that we can use it for looking and finding specific information located on all the “different parts” of Exchange mailbox.

The different “parts” of Exchange mailbox

Using the Exchange In-Place eDiscovery & Hold tool we can find information (mail items) that located in all the different “parts” of the user mailbox.

For example, when using the Exchange In-Place eDiscovery, we can search for specific information (mail items) in the following “parts” of a user’s mailbox

  • The “standard” mailbox (Inbox, Sent items, Drafts and so)
  • Online archive mailbox
  • Recoverable Items folder partition

The real power of the Exchange In-Place eDiscovery tool is realized when we need to access the mailbox partition (Recoverable Items folder) that is not accessible to our users for searching and recovering a specific mail item.

When we use the Exchange In-Place eDiscovery looking for mail items, the results could include information about mail items stored in the Recoverable Items folder.

Exchange In-Place eDiscovery & Hold as a “hold” tool

As the name suggests, the Exchange In-Place eDiscovery & Hold serve for two main purposes: eDiscovery & Hold.

So, what is the meaning of the term “hold”?

The term – “in-place Hold“, relates to our ability as an Exchange administrator to protect specific data from deletion.

For example – when we talk about a standard mailbox, in case that a user performs Hard delete (delete information from the Deletion folder), the default Exchange
Deleted Item retention policy will enable us (as Exchange administrators) to recover the data over a period of 14 days. After this period end, the data will be lost forever.

The operation of “in-place Hold“ enables us to “override” or “bypass” the default Exchange Deleted Item retention policy and decides that we want to define a specific mail item or specific mailbox data as “un-deleted”.

in-place hold enable us to override the default Exchange Deleted Item retention policy

In Exchange architecture, the term “hold” can be implemented by using one of the following options:

  1. In-Place Hold
  2. Litigation Hold

The feature of Litigation Hold was introduced in Exchange 2010 server version and the future of Exchange In-Place eDiscovery & Hold was introduced in Exchange 2013 server version.

Exchange 2013 support booth of this option (Litigation Hold or In-Place Hold).

The term hold
  • In Exchange 2010 server architecture, the “parts” that were used for performing the search in user mailboxes was described as: Multiple mailbox search and the “tool” that was used for putting mailbox in hold described as Litigation Hold.
  • In Exchange 2013 server architecture the “parts” of – searching multiple mailboxes + put information (mail items) on Hold, was unified into one tool named – Exchange In-Place eDiscovery & Hold.

What was the reason for providing Litigation Hold or In-Place Hold?

The initial reason or business need that was “answered” by the Litigation Hold or In-Place Hold Exchange feature was for providing a tool for implementing eDiscovery.

An Enterprise Company that has a legal need or committed to regulations that dictate the mandatory need of – keeping information (mail items in our case) and providing evidence in a scenario of Illegal or criminal activity of a company employee.

For example – a scene in which we suspect that a company employee performs an illegal or criminal activity and our fears that he will try to cover his track by deleting evidence (mail items). In this case, we need to fulfill two tasks:

  1. Prevent for the employee the option to permanently delete a specific mail item (put the information on “hold”)
  2. Have the ability to provide evidence to the Illegal or criminal activity of a company employee (the ability to scan the user mailbox and “pull out” the required mail items).
Exchange Litigation Hold or In-Place Hold as - a tool for dealing with Illegal or criminal activity

Over time, the Exchange developer thought how to use the Impressive capabilities of the Litigation Hold feature as a “backup and recovery” tool and the “improve version” of Litigation Hold presented in Exchange 2013 version under the name – “In-Place eDiscovery & Hold”.

The term “In-Place eDiscovery”

The term “In-Place eDiscovery” is a little vague term.
It may sound arrogant, but I’m willing to bet that even if you are an Exchange professional, this term is not entirely clear to you.

The reasons for this ambiguity are:

  • The Exchange In-Place eDiscovery is a term that built upon and relates to many different parts and components in Exchange infrastructure and also, relates even to other Microsoft technologies and products such as SharePoint.
  • The public information is not so clear, and there is not a lot of information that enables to understand the “big picture” which presents all the different Exchange Online components and infrastructures that relate to “In-Place eDiscovery”.

If we want to be more formal, let’s use the Wikipedia definition of the term – eDiscovery

Electronic discovery (or e-discovery or ediscovery) refers to discovery in litigation or government investigations which deals with the exchange of information in electronic format (often referred to as electronically stored information or ESI).[1] These data are subject to local rules and agreed-upon processes and are often reviewed for privilege and relevance before being turned over to opposing counsel.
Data are identified as potentially relevant by attorneys and placed on legal hold. The evidence is then extracted and analyzed using digital forensic procedures and is reviewed using a document review platform. Documents can be reviewed either as native files or after a conversion to PDF or TIFF form.[1] A document review platform is useful for its ability to aggregate and search large quantities of ESI.

How the concept of eDiscovery does is implemented in Exchange infrastructure?

The implementation of eDiscovery in Exchange-based environment (Exchange version 2013) implemented by the feature named: Exchange In-Place eDiscovery & Hold.

Using the Exchange In-Place eDiscovery & Hold we can fulfill the required needs:

  1. Index data stored in all the user mailboxes.
  2. Use a tool that will enable us to search through this infrastructure.
  3. Use a tool for “holding” data, meaning the option of preventing specific data from being deleted.
  4. A toll for “pull out” of “fetch” a specific data from the user’s mailbox to “other location” – we can relate to this operation as saving evidenced in a scenario of the Illegal or criminal activity or just relate to this operation as an option to recover deleted mail items.

The different “parts” of Exchange In-Place eDiscovery & Hold infrastructure

Despite the need to keep it simple, I find it important to provide a brief overview of the different components that relate to the Exchange In-Place eDiscovery & Hold infrastructure.

In the following diagram, we can see the different “parts” or “building block” which creates the Exchange service named: Exchange In-Place eDiscovery & Hold.

Exchange In-Place eDiscovery & Hold - The building blocks

1. The “hold”

This is the part that enables us to “inform Exchange” that we want to “stamp” of “flag” specific information (mail item) as information that will not delete under any circumstances.

2. The mailbox deleted items “store” (Recoverable Items folder)

This is the “hidden parathion” of the user mailbox that serves as a container for deleted mail items (and for additional purposes such as audit). When we say that we put a specific information “in hold” the meaning is deleted mail items that are stored in the Recoverable Items folder.

3. The search tool interface & The search Hold tool interface

This is the Exchange Online web admin tool that enables us to perform the search, define the search parameters and if needed, define the “hold” on the mail items that answer the search parameters.

4. The search result “store”

When we use the Exchange In-Place eDiscovery & Hold for searching for a mail item that “answer” specific parameters, the results are displayed by using “flat view” using OWA web client.

In case that we need to save the information (not only view the information) for further analysis, as evidence or for recovery purposes, but we can also ask to “store” the data (the search result) in a specific store.

Exchange Discovery Search Mailbox is a built-in system mailbox, which serves as a “container” for the In-Place eDiscovery search results.

Discovery Search Mailbox - container for the In-Place eDiscovery search results

In the following screenshot, we can see the output of the PowerShell command:

Get-Mailbox

We can see the Exchange Discovery Search Mailbox appear along with the other user mailboxes.

Exchange Discovery Search Mailbox

We use the PowerShell command for displaying the information about the Exchange Discovery Search Mailbox because the Exchange Discovery Search Mailbox doesn’t appear in the graphic interface the display the Exchange recipients.

5. Exchange Index services

The ability to perform a fast and efficient in hundreds or even thousands of mailboxes heavily depends on the “Exchange index” services.

The search not carried out by searching the “actual data” stored in each of the mailboxes, but instead the “search” performed the mailbox search is carried out by searching the Exchange index database (the Exchange index is spouses to provide information about all the mail items stored in an Exchange mailbox database).

The Exchange In-Place eDiscovery & Hold | Search scope and Search objects

The Exchange In-Place eDiscovery & Hold is a very powerful tool that enables us to excite many varied types of searches.

To be able to use the Exchange In-Place eDiscovery & Hold search option, it’s important that we be a failure with the different “search scope” that is available to us when using the Exchange In-Place eDiscovery & Hold.

Search scope level 1 – Exchange In-Place eDiscovery & Hold can perform a search in a specific user mailbox, a group of mailboxes or all the existing mailboxes.

Most of the time, in a mail recovery scenario, our search scope will be focused on a particular mailbox.

Exchange In-Place eDiscovery & Hold - Mailbox Search scope

Search scope level 2 – the “power” of the Exchange In-Place eDiscovery & Hold in mail recovery scenario is the ability to “pull out” mail items that are “hidden” are stored in the
Recoverable Items folder.

Exchange In-Place eDiscovery as a search tool

At the current time, the search query parameter doesn’t include an option to define that the mailbox search will be implemented only in the Recoverable Items folder.

Note – if you want to implement a mailbox search that will look and copy information only from the Recoverable Items folder mailbox partition you will need to use the PowerShell command:

Search-Mailbox

You can read more information about how to perform mail recovery using the
Search-Mailbox in the article – Recovering deleted mail items using PowerShell cmdlets Search-Mailbox | 7#7

Search scope level 3 – that last “search scope” that I would like to mention is the search scope that relates to the “type” of mail items that we want to look for.

The Exchange In-Place eDiscovery & Hold tool, enable us to define a specific type of mail items such as – calendar mail item, contact mail item, note mail item and so on.

What is the specific Mail item that we look for

In-place eDiscovery & hold | Search query and search results

In-place eDiscovery & hold | Search results

When using the option of In-place eDiscovery & hold for searching for a specific mail item the “outcome” meaning the search results, can be “implemented” in different ways.

For example, we create a Search query and activate the search process, the result of the search process (the Search results) could use in the following way:

  1. Information about the mail items that found – a report that includes information about each of the mail items that was found.
  2. The specific mail items found during the search process. We can ask to save the mail items that found for purposes such as recover the mail item, etc.
  3. Put on hold – we can use the search results (the list of specific mail items) to “tell” Exchange to put these particular mail items on hold.

In-place eDiscovery & hold | Search query

When we use the in-place eDiscovery & hold, the first step is to define the search query.
The search query serves as a “container” for the search parameters that we define.

An example of a query that we can create using the in-place eDiscovery & hold could be:

  • Example 1- we can define a query that will look for a specific calendar, mail item in a specific user mailbox in a specific time range.
  • Example 2- we can define a query that will look for mail items that have a specific string of text and perform the search (define a search scope) that include all the mailboxes that are hosted in the Exchange organization.

The Exchange in-place eDiscovery & hold interface that we use for creating the required search query, consider is a powerful interface because it enables us to create a very specific query based on many different parameters such as:

  • Date range
  • A specific mailbox, group of mailboxes or all the Exchange organization mailboxes
  • Source recipient – the recipient who creates the email item.
  • Destination recipient – the recipient who accepts the email item.
  • Specific Exchange mail items –the ability to look for a specific type of Exchange mail items such as calendar mail item, mail item, note items and so on.
In-place eDiscovery & hold - The logic flow

After we have created the required search query, we “execute” the search operation.

Later on, we will need to decide what “to do” with the mail items that “answers” the specific query that we have defined.

In-place eDiscovery & hold | What to do with the search results?

After the search operation was ended, we need to decide

  1. Create a report about the findings (Log) – in some scenarios, all we want is to get a report about the mail items that found.
  2. View the search results – this option is relevant to a scenario in which we want to have a general look at the mail items that were found, looking for a specific mail item content, etc.
  3. Keep the search results in Discovery Search Mailbox – this option is relevant is a scenario of recovery mail items or a scenario in which we need the mail items that were found as evidence. By default, the mail items will be saved in an Exchange dedicated system mailbox that is automatically created and named as – Discovery Search Mailbox.
  4. Keep the search results in other Mailboxes – in case that we prefer to save the mail items from the search result in another mailbox and not in the default Exchange Discovery Search Mailbox, we can do so. The option to choose other mailboxes is available only when we activate In-place eDiscovery & hold via the PowerShell interface.
  5. Exports the Search results to a PST file – this is a very useful and Comfortable option that enables us to export the mail items that found in a PST file. Note – we will review this option in the section – Step 5 – Export the search results to PST file
  6. Put the specific mail items on hold – the Exchange In-place eDiscovery & hold tool use the “search query parameter” as a filter for searching specific mail items that answer the search parameter and when Exchange found this mail item, put a “hold” on this mail item.
In-Place eDiscovery - What to do with the search results

One of the most notable “missing option” of Exchange in-place eDiscovery & hold is – that the interface that we use for creating the search query and that include many options and parameters for filtering the search results, doesn’t include a filter that enables us to limit the search scope to the mailbox partition – the Recoverable Items folder.

Optional scenarios for using In-place eDiscovery & hold

Scenario 1 | Standard user mailbox – Hard Delete event

A scenario in which Exchange user who has a “standard” mailbox (mailboxes without Litigation Hold or In-Place Hold) and the user performs, Hard delete mail items.

In this case, the mail item is relocated to the Purges folder in the Recoverable Items folder partition and, the user cannot use Outlook or OWA mail client for recovering the specific mail items.

In this case, the mail can be recovered by the Exchange Online administrator who uses the Exchange In-Place eDiscovery tool up to a maximum period of 14 days.

Scenario 2 | Exchange mailbox with Litigation Hold or In-Place Hold enabled

A scenario in which the user mailbox configured as:

  • Litigation Hold enabled
  • In-Place Hold enabled

In this scenario, in case that the user performs Hard delete operation, we will have the ability to recover the deleted mail for a period that defended by the Litigation Hold or In-Place Hold policy.

Case 1 – mailbox defined as Litigation Hold enabled
In this case, mail items that were Hard deleted will be saved in the Purges folder.

Case 2 – mailbox defined as In-Place Hold enabled
In this case, mail items that were Hard deleted will be saved in the DiscoveryHolds folder.

1. Exchange In-place eDiscovery & hold tool is used only for a mailbox that configured as Litigation Hold enabled or In-Place Hold enabled

This assumption is wrong!

The Exchange In-place eDiscovery & hold as the name operates as a “search tool” that created for searching mail items based on a specific parameter (search query).

Exchange In-place eDiscovery & hold “doesn’t care” if the mailbox is a standard mailbox or a mailbox that configured as – Litigation Hold enabled or In-Place Hold enabled.

The only difference between a standard mailbox vs. mailbox that is configured as Litigation Hold enabled or In-Place Hold enabled is that in case that we implement the “hold” option on a specific mailbox, we can use the Exchange In-place eDiscovery & hold search capability to search and recover mail items stored in the Purges folder or the DiscoveryHolds folder for a longer time period that the default 14-day period.

What are the Exchange mailboxes that can be searched by in-place eDiscovery

2. Exchange Online In-place eDiscovery & hold option can be used only by customers who have purchased E3 license.

This assumption is wrong!

Regarding Office 365 customers who have purchased Office 365 Business license its true that the Exchange Online admin interface is different.

The Exchange Online admin interface of Office 365 customers with Office 365 Business license considers as “simplified” and many of the menus and options that include in the Exchange management interface of “E” customer doesn’t appear in this “simplified interface.”

For example – the “simplified management interface” of Office 365 customers with Office 365 Business license doesn’t include two options of – In-place eDiscovery & hold

The little secret that most of us don’t know is that the Exchange option of In-place eDiscovery & hold is available also for Office 365 customers with Office 365 Business license.

The catch is that we need to use a little trick for displaying the “Advanced Exchange Online management” that include the In-place eDiscovery & hold option.

It’s important to emphasize that the option of “hold” is not available for Office 365 customers who have purchased Office 365 Business license!

The Exchange In-place eDiscovery & Hold operate as a “search mailbox tool” and not for putting a specific data “on hold”

o365info Team

o365info Team

This article was written by our team of experienced IT architects, consultants, and engineers.

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *