Litigation Support Tip of the Night

March 5, 2020

Relativity Collect is an application for RelativityOne, which can assist with the collection of email and documents from Office 365.  When collecting data directly from OneDrive or Outlook, the admin must first set a custodian. 

At the second stage search criteria are designated.  

 While wildcard and proximity searches cannot be run, any words which begin with a keyword will be returned in the results.  For example, the keyword 'court' will return files using 'courthouse' or 'courtroom'.  Multiple criteria can be used.  The Office 365 index of electronic files is searched rather than the files themselves.  

Searches in OneDrive can be set for specific file extensions and files created in a particular date range.   Searches can be set on the file name and file path fields as well.

The standard email metadata fields can also be searched, as well as the body of the email.  The attachment content cannot be searched, but there is a setting to return emails with or without attachments. 

January 27, 2020

After an email is deleted from the Deleted Items folder, or removed from the Inbox with SHIFT + DELETE, the email will be sent to the Deletions subfolder of the Recoverable Items Folder.   The Recoverable Items Folder is not visible to the user.  Each user's profile contains a deleted item retention period set by the admin.  The default is 14 days.  So, in most cases emails can be recovered for up to 14 days after a user has tried to delete them.  The 'Recover Deleted Items' command is on the Folder tab of Outlook.  

If an email is purged from the Recovered Deleted Items folder, or if the set retention period elapses, it is sent to the Purges subfolder of the Recoverable Items Folder.   However, the email will not be removed from the Purges folder until the mailbox assistant processes the folder.  A post on Microsoft's official site for Exchange states that:  "You can configure the Managed Folder Assistant to process all mailboxes on a Mailbox server within a certain period (known as a work cycle). The work cycle is set to one day by default."

January 26, 2020

Microsoft Exchange makes possible in place preservation of email messages.  The archiving of relevant emails involves significant costs because of the need for a user to manage the copying or because of the need to purchase software to implement the hold on the email messages. 

The LitigationHoldEnabled property of a mailbox will prevent any item in a mailbox from being removed. 

The alternate 'in-place hold' will only direct the retention of emails which come up in a search query.   A single mailbox can have multiple in-place holds, but no more than 500 search terms can be used.

  Using more than 500 terms in a query will cause all content in the mailbox to be preserved. The LitigationHoldEnable property is either set or not.   Either type of hold can be set to remain for a specific time period.  

Searches can be run on the messages that are subject to in-place holds.   While a hold is in place a user will retain the same rights to delete emails.  The admin has the option of informing the user that the mailbox is subject to a hold.  

Both types of holds use the Recoverable Items folder to preserve emails.  So even when SHIFT + DELETE is used or emails are deleted from the Deleted Items folder, the emails are transferred to the Recoverable Items folder.   The recoverable items folder is not visible to users.  Note that a user does have the option to recover deleted items on the folder tab. 

June 1, 2018

Tonight I field tested an app designed to collect data from multiple places or people. It’s called MiniVAN.  I used it to collect data from potential voters while canvassing for a candidate but it can easily be used for a variety of purposes.   It can be downloaded from the iOS App Store here. 

The app keeps track of multiple locations and associates a form with each one.    (Unfortunately the map pinpointing the locations gets cut off.)  It does however tag addresses which a letter code,letting you see at a glance the places that are trending in a particular area of concern. 

The user gets a chart summarizing his own collected data (what percentage of targets are coded issue A as opposed to B, C, or D) and of course the data is fed back to the main CAN database in realtime. 

January 31, 2017

There is a file in Windows 7 at C:\Users\[username] named NTUSER.DAT.   This is a registry hive.    A new hive is created for each user that logs in.  The hives contain information about a user's application settings, network connections, printers, and environment settings.   This is a very useful file to have when you're imaging a user's laptop or desktop.  However registry files like this one cannot be copied with Windows Explorer.   If you try, you'll get an error message like this one:

FTK Imager can be used to copy this files.    On the toolbar, click on the yellow safe icon.    A new dialog box will appear prompting the user to 'Obtain System Files'.   If you select the option for 'Password recovery and all registry files', and select a folder to copy the files to, the NTUSER.DAT file will be copied with other registry files to the new destination. 

August 28, 2016

Download the free utility available on the Nuix site, Evidence Mover, which will allow you to securely copy files from one location to another.  The utility generates hash values for both the source and copied files in order to confirm that the collected evidence is complete.   Data transfers will be re-executed until the matching MD5 hash values have been confirmed.

Note the option in this screen grab to perform 'Recursive' copying.   When this option is selected both the source folder and any subfolders inside it will be copied as well.

 Evidence Mover also generates a log file noting the hash values of the files and providing confirmation that there were found to match.

The modified and created times of the files are also preserved.

May 1, 2016

Stage four of the EDRM is collection .   Be sure to recognize that the are two basic forms of collection - physical collection and logical collection.  Physical collection is the imaging of an actual hard drive - including its unallocated space.  Logical collection involves collecting from the virtual constructs presented to a user by an operating system - for example in Windows one may have the C drive logical volume and the D drive logical volume - each actually part of one drive.   A volume level logical collection may consist of a single volume from multiple hard drives - perhaps a Redundant Array of Independent Disks (RAID).   A distinction may be made between logical volume collection and folder level logical collections.



March 24, 2016

When you copy data from a hard drive on to a flash drive or other storage device, normally you'll notice the meta data for the file is altered.  Instead of the date created on the source, you end up with the current time & date at the point of transfer.   For the purposes of data collection you want to preserve the original meta data values intact.  In order accomplish this, make use of the Robocopy command in Windows.   


You just need to go to the folder you want to copy data from, press SHFT + CTRL + Right click and choose 'Open Command Window Here' , and then enter the file path of the folder from which data is to be collected (use quotes if the path has spaces), the path of the destination, and forward slash 'E'.   See for example this command:


I:\Litigation Support\Electronic Discovery\EDRM>Robocopy "I:\Litigation Support\
Electronic Discovery\EDRM" H:\ /E



So when we collect data from a folder like this:



. . .  and run the Robocopy command - 'Robust File Copy for Windows' . . . the data is copied in a special fashion 



. . . so the Date Created field is not altered. 



Please reload

Please reload

Sean O'Shea has more than 15 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.


All content provided on this blog is for informational purposes only. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.


This policy is subject to change at any time.