Outline of Craig Ball's Electronic Discovery Workbook - Email

September 29, 2017

Here's a continuation of my outline of the 2016 edition of Craig Ball's Electronic Discovery Workbook which I last posted about on June 9, 2017.     




X.  Mastering Email in Discovery

  1. Introduction

    1. Will clients attempt to conceal damaging emails?

    2. Will employees delete emails from a company’s systems?

    3. Will searches target the correct digital venues?

    4. Will review inadvertently disclose privileged communications or confidential data?

  2.  Overview

    1. The average person sends and receives 123 emails each day.

    2. E-mail lodges on servers, cell phones, laptops, home systems, thumb drives and in the cloud.

    3. Most IT professionals don’t know where it’s stored or for how long.

  3. Checklist About Client Email Systems

    1. MS Exchange; Domino; or Office 365?

    2. All discoverable emails go through company’s server?

    3. Local email stores synch with system?

    4. How long have the email clients and server applications been in use?

    5. What are the message purge, retention, journaling and archival settings for each key custodian?

    6. Can a custodian be prevented from deleting emails?

    7. Does backup system capture email stored on custodian’s desktops?

    8. Where are email container files stored?

    9. Collection and preservation methods?

    10. Home PCs used for business purposes?

    11. Instant messaging used for business?

    12. Are employee owned devices allowed to access the network?

  4. New Tools

    1. Enterprise search – search of remote email stores from central location.

    2. Email archiving - Enterprise collections collected into single repository.

    3. Reduce through single instance de-duplication; rules based journaling.

  5. Email Systems and Files

    1. Behind the firewall environment dominated by:

      1. MS Exchange Server

      2. IBM Lotus Domino

      3. Novell GroupWise (popular with government)

    2. Cloud products

      1. Google Apps

      2. MS Office 365

  6. Mail Protocols

    1. API – application protocol facilitates communication

    2. ISP email

      1. POP3 (Post Office Protocol, version 3)

        1. Now rarely used.

        2. Local

      2. IMAP (Internet Message Access Protocol)

        1. Email client initially downloads only the headers. It downloads the body only when the message is opened.

        2. Server-stored email with support for local storage.

      3. MAPI (Messaging Application Programming Interface)

        1. Pre-installed on Windows for basic messaging.

        2. Possible but not common to prevent storage of .pst or .ost files on local machines.

      4. HTTP (Hypertext Transfer Protocol)

        1. E.g. Gmail and Hotmail

        2. No local record.

  7. Outgoing Email: SMTP and MTA

    1. Simple Mail Transfer Protocol – outgoing email.

    2. Message Transfer Agent – uses SMTP to route email over a network to its destination.

  8. Anatomy of an Email

    1. Email is a plain text file.

    2. Attachments are binary data encoded into text.  May use Base64 encoding.




  1. Email Header  - only the data in section A is visible to the user.



  1. "Received" or "X-Received" represents the transfer of the message between two e-mail servers.

  2. Content-Type declaration distinguishes between header and body of message.

  1. Hashing and Deduplication

    1. Messages contain unique identifiers, time stamps and routing data that would frustrate efforts to compare one complete message to another using hash values.

    2. Hashing emails omits the header parts with the message identifier and transit data.
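
The two points above, as an added example that is not from the workbook or this post: two copies of one message hash differently as whole files because their transit headers differ, but match when only selected fields are hashed. The field list (From, To, Cc, Subject, body, attachments), the use of SHA-256 and all sample messages are assumptions constructed for illustration; review platforms each choose their own fields.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses

def dedup_hash(raw: str) -> str:
    """Hash addresses, subject, body and attachments; skip all other headers."""
    msg = message_from_string(raw)
    h = hashlib.sha256()
    for field in ("From", "To", "Cc"):  # field choice is an assumption
        addrs = sorted(a.lower() for _, a in getaddresses(msg.get_all(field, [])))
        h.update(f"{field}:{','.join(addrs)}\n".encode())
    h.update(("Subject:" + " ".join((msg["Subject"] or "").split()) + "\n").encode())
    for part in msg.walk():
        if part.is_multipart():
            continue
        data = part.get_payload(decode=True) or b""  # reverses Base64 encoding
        if part.get_content_maintype() == "text":  # ignore line-ending differences
            data = b"\n".join(line.rstrip() for line in data.splitlines()).strip()
        h.update(hashlib.sha256(data).digest())
    return h.hexdigest()

def sample(transit: str, body: str = "Draft attached.") -> str:
    """Constructed message; every address, host and date is made up."""
    return (transit +
            "From: Ann <ann@example.com>\r\n"
            "To: Bob <bob@example.com>\r\n"
            "Subject: Q3 forecast\r\n"
            "MIME-Version: 1.0\r\n"
            'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            "--b1\r\nContent-Type: text/plain\r\n\r\n" + body + "\r\n"
            "--b1\r\nContent-Type: application/octet-stream\r\n"
            "Content-Transfer-Encoding: base64\r\n\r\n"
            "UTMgbnVtYmVycw==\r\n--b1--\r\n")

COPY_A = sample("Received: from mx1.example.net by mail.example.com; "
                "Fri, 29 Sep 2017 09:00:01 -0500\r\nMessage-ID: <a1@example.com>\r\n")
COPY_B = sample("X-Received: by 10.0.0.5; Fri, 29 Sep 2017 09:00:03 -0500\r\n"
                "Received: from mx2.example.net by mail.example.org; "
                "Fri, 29 Sep 2017 09:00:02 -0500\r\nMessage-ID: <a1@example.com>\r\n")
EDITED = sample("Message-ID: <a2@example.com>\r\n", body="Final attached.")

def whole_file_hash(raw: str) -> str:
    return hashlib.sha256(raw.encode()).hexdigest()

if __name__ == "__main__":
    print("whole-file match:", whole_file_hash(COPY_A) == whole_file_hash(COPY_B))
    print("field-hash match:", dedup_hash(COPY_A) == dedup_hash(COPY_B))
    print("edited copy match:", dedup_hash(COPY_A) == dedup_hash(EDITED))
```
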

  2. Local Email Storage

    1. Email may not only be found on the server but also in:

      1. Temporary Internet Files

      2. Short Message Service exchanges in smartphone synch files.

      3. Offline synch files (.ost files) on laptops.

      4. Email server

      5. File server

      6. OLK system subfolders holding viewed attachments.

      7. Nearline email – backups of user email folders

      8. Email residing on non-party servers

      9. Legacy email stores

      10. Email saved to other formats

      11. Email retained by vendors

      12. Offline on backup tapes and other media

      13. Email in forensically accessible areas.

  3. Looking for Email

    1. Finding e-mail stores will hinge on your knowledge of the User’s Account Name or Globally Unique Identifier (GUID) string assigned by the operating system.

    2. .ost files - access to messages when the user has no active network connection.

    3. Every other week (by default), Outlook seeks to auto archive any Outlook items older than six months (or for Deleted and Sent items older than two months).

    4. Outlook viewed attachment folder will have a varying name for every user and on every machine, but it will always begin with the letters “OLK” followed by several randomly generated numbers and uppercase letters.

    5. The latest versions of Exchange Server and the cloud tool, Office 365, feature robust e-discovery capabilities simplifying initiation and management of legal holds and account exports.

    6. Older versions of Exchange Server stored data in a Storage Group containing a Mailbox Store and a Public Folder Store, each composed of two files: an .edb file and a .stm file. .stm files contain SMTP messages.

    7. Since 2003, MS Exchange can collect email without interrupting its operation.

    8. ExMerge can filter emails for export.

    9. After an email is deleted by a user, it’s retained for 30 days by default or until Exchange is backed up.

    10. Journaling is the practice of copying all e-mail to and from all users or particular users to one or more repositories inaccessible to most users.

  4. Lotus Notes

    1. Not purpose built for email messaging and calendaring.  It’s a toolkit for building capabilities.

    2. .NSF archive files are constantly duplicated across the network.

    3. Must collect the .id file or may be locked out of encrypted content.

    4. Deletions of an email are replicated system wide.

  5. Web based email

    1. Gmail can be exported in a MBOX format.


© 2015 by Sean O'Shea