These products go beyond the basic e-discovery capabilities
Read the original article by Orrin Thomas on WindowsITPro.com

E-discovery products let you search your messaging infrastructure for messages that contain specific keywords. E-discovery requirements are usually driven by a legal or compliance process. When a legal request comes in that requires the organization to provide all messages that contain a specific keyword or phrase, the e-discovery administrator is the one who needs to find all those messages and provide them to the requesting party.

In many firms, e-discovery isn’t handled by people whose primary responsibility is managing the messaging infrastructure. There’s a growing number of professionals whose expertise encompasses both the legal and messaging administration professions. This means that a good e-discovery product needs to be user-friendly and not require a deep understanding of how to construct regular expressions.

Exchange Server 2010 includes basic e-discovery functionality out of the box. To access this functionality, you use the Discovery area of the Exchange Control Panel (ECP), as Figure 1 shows. The ECP is available through a web interface.

Discovery searches in Exchange 2010 let you perform multi-mailbox searches on addresses in the To and From fields and date ranges. You can search specific mailboxes or all mailboxes in the organization, including archive mailboxes. You can use query-based criteria for selecting mailboxes, which can be helpful in organizations with tens of thousands of mailboxes. Exchange 2010 searches can use the AND, OR, and NOT operators. A user who has been delegated the Discovery Management role can use the ECP to search all message types, including email, meetings, tasks, notes, documents, journals, contacts, and IM conversations. Multi-mailbox search requires an Enterprise CAL. Another Enterprise CAL feature is litigation hold, which stops messages from being deleted directly or indirectly, even when users hard-delete them from their mailboxes.

In this review, I look at two products that you can use for e-discovery that go beyond the basic functionality offered in Exchange 2010. Those products are Sherpa Software’s Discovery Attender and Quest Software’s Archive Manager.

Discovery Attender
Discovery Attender lets you search Exchange mailboxes, including archive mailboxes, public folders, and PST files. You can also use Discovery Attender to search Microsoft Office documents, NSF files created by Lotus Notes, and PDF files stored on accessible file shares and SharePoint servers.

You can deploy Discovery Attender on a workstation or a separate server. Sherpa Software recommends that you not run it on a computer used for mission-critical tasks because the search process is processor-intensive. Figure 2 shows the Discovery Attender interface.

With Discovery Attender, you can create complex and refined searches. This includes the ability to use wordlists. A keyword logic tree utility lets you examine the syntactic logic of your keywords to ensure that execution occurs as intended. You can save complex or common searches as templates, which you can easily modify for new circumstances. You can also perform trial searches against known data to determine whether the search parameters will return the types of results in which you’re interested before you query your organization’s entire Exchange infrastructure.

Discovery Attender results are returned to a local store, which you can then export to PST format. This ensures that messages that were returned are still available, even if they are later hard-deleted from the Exchange messaging infrastructure. Although regular users should be unable to delete messages placed on litigation hold in a properly configured Exchange infrastructure, it might be necessary to run discovery searches against Exchange administrators who have permission to bypass this setting.

Discovery Attender is powerful, but there’s a steep learning curve when it comes to being able to fully leverage the product’s capabilities. Although e-discovery administrators can always read the documentation about all the query builder’s options, adding an IntelliSense-like capability would ensure that they’re aware of the product’s search capabilities. Discovery Attender is a comprehensive tool, but it will take most e-discovery administrators some time to be able to fully utilize all of its functionality.

Archive Manager
Archive Manager is a retention and discovery product. It captures, indexes, and stores messaging data in a repository. Messages are moved to the repository as soon as they are processed by the messaging server. This repository also serves as a message backup. You configure the repository so that your organization complies with appropriate retention requirements. You can grant access to users so that they can perform e-discovery searches against the contents of this repository. Archive Manager doesn’t have a direct litigation hold function, but end users are unable to directly modify the contents of the Archive Manager store.

E-discovery administrators use a web interface, shown in Figure 3, to access the Archive Manager repository. This interface supports the same search terms as the Exchange 2010 Discovery search but has the advantage of running that search against offline data, minimizing the impact on the messaging infrastructure. You can use the same interface to allow end users to search their mail archive. Archive Manager’s sophisticated permissions model ensures that the scope of discovery searches can be limited when necessary so that only users with appropriate permissions can perform searches against other users’ mailboxes. Archive Manager includes a PST import tool that allows you to add PST files to the existing archive. Once imported, the e-discovery administrator can search the contents of the PST file.

Archive Manager allows saved searches to be stored as RSS-compliant data, a form of updatable data to which a client can subscribe. This means that you can configure Archive Manager so that an RSS reader is able to access the output of scheduled searches and provide the e-discovery administrator with an alert if any new search results come back.

Although it’s listed as one of its features, Archive Manager isn’t primarily an e-discovery product. It’s possible to save searches, but the web interface limits the complexity of those searches. While most organizations will find this functionality adequate, the e-discovery functionality isn’t as extensive as that of Discovery Attender.

I found setting up Archive Manager fiddly. I had to check the documentation several times to get the product working correctly, and the instructional video available on Quest Software’s website is for a previous version of the product. Final installation required modifying the properties of an IIS 7.5 configuration file before everything ended up working as it should. The Archive Manager installation routine could do with a comprehensive prerequisite checker. Plus, several manual steps could be automated to simplify the deployment process.

Editor’s Choice
Many products in the e-discovery space primarily function as archive products because retention is closely tied with discovery. With Exchange 2010’s powerful retention functionality, many organizations are finding retention-specific products less necessary than they did with previous versions of Exchange. Discovery Attender’s pinpoint focus on discovery and its ability to search live data and PST files make it this editor’s choice. If you do purchase the product, just make sure that the e-discovery administrator takes the training so that he or she is aware of everything that the product can do.


About Sherpa Software

For over 10 years Sherpa Software has provided award-winning email management software specifically designed to address archiving, e-discovery, PST management and compliance requirements for Lotus Notes and Microsoft Exchange environments. Based in Pittsburgh, Pennsylvania, Sherpa’s solutions have been installed at over 2,000 worldwide organizations. Its products offer reasonable prices, easy-to-use interfaces and flexible architectures that streamline administrative processes without requiring any additional hardware or add-on components. Sherpa Software is an IBM Premier Business Partner and a Microsoft Certified Partner. For more information about Sherpa Software, visit www.sherpasoftware.com.

ACEDS 2012

by Doug Yarabinetz on May 7, 2012

The Association of Certified E-Discovery Specialists (ACEDS) held its annual conference on April 2-4 at the Westin Diplomat Hotel in Hollywood, Florida. This marked the second year for the event but the first in which Sherpa Software participated. We wanted to provide a brief overview of the event and our perspective on this up-and-coming organization.

For those of you not yet familiar with ACEDS, the organization was established by The Intriago Group in 2010. It is a member organization for professionals in the private and public sectors who work in the field of e-Discovery. ACEDS is building a community of e-discovery specialists for the exchange of ideas, guidance, training and best practices and offers e-Discovery certification.

The ACEDS conference focuses on an engaging, interactive format that is designed to provide attendees with current information and guidance from top experts, along with networking and introductions to suppliers of products and services via the exhibit hall. Sherpa decided not to exhibit this year but instead joined the conference for educational purposes as well as networking and evaluation of marketing opportunities. Sherpa’s very own Marta Farensbach, Product Manager of Discovery Attender, attended this year’s activities to see what it was all about.

The plethora of speakers and topics made for a very informative and entertaining couple of days. Ms. Farensbach was able to network with peers, investigate the certification process, and meet and discuss partnership opportunities with consultants in the discovery, forensics and corporate investigation arena. “The panels had interesting presenters and the discussions were quite lively,” said Farensbach. “The association is new and still trying to establish an attendee base and attract vendors, but despite the limited numbers, the conference provided a nice opportunity to meet others in the e-Discovery space.”

The e-Discovery certification universe has exploded over the last year and a half and ACEDS seems to be one of the leaders in providing an organized and established presence. Sherpa will be exploring the certification process with ACEDS in the near future and we look forward to next year’s event to see how we may participate again.

Preparing for an E-Discovery Search

by Shoshana Mahler on May 7, 2012

Many people become puzzled when responding to an e-Discovery request. Oftentimes, a person will begin searching and not realize that some preparations should be made prior to doing so. To save time (and therefore money), it is a good idea to ask the following questions as soon as you get an e-Discovery request:

  • Can you narrow the scope of the search?
  • How should exceptions be handled?
  • How should the results be presented?
    • Should the result be deduplicated?
    • What format should the results be in?
    • What types of reports are needed?
  • Who is the key point-of-contact if anything needs to be clarified?

First, identify whether you can narrow the scope of a search. For instance, try to determine who is important in this search, what date range is relevant and what kinds of data should be targeted. The more you can familiarize yourself with the search, the more helpful you will be to the requester. Sometimes entire data stores need to be included, but often the scan can be limited to just specific areas. Additionally, although email is the most common type of data store included for discovery, often file shares, SharePoint, backups and even end-users’ machines may be relevant. If you clarify the scope ahead of time, you will save ample time by skipping over unrelated data.

In an ideal world, every document in your data set will be searchable.  However, there are instances when data cannot be searched due to encryption or corruption.  For every item that cannot be searched in Discovery Attender, an exception is generated.  What should you do with these items?  With Discovery Attender, you have a variety of options to deal with exceptions.  First, you can generate a report that lists the items that threw an exception and the reasons why.  Second, you can export these items (where possible) and deliver an exception set in conjunction with the result set.  In some instances, you might even be able to ignore the exceptions.  To determine which option is best, be sure to ask the requester how he/she would like you to handle the exceptions.

Once the search is complete, you will have a result set which contains the items that meet your specified criteria.  There are many things you can do to organize and streamline your data set.  One popular option is deduplication.  Deduplication will create a single instance of each item in your result set.  For example, let’s say a message was emailed to three of the mailboxes in your search.  This will result in the same message appearing three times in your result set.  Deduplicating will leave a single instance of this item, while still keeping the links to the original three.  Deduplication will save a significant amount of time and money if the data set needs to be further reviewed.
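The deduplication described above, as an added Python sketch (not Sherpa's code and not how Discovery Attender computes duplicates): each hit is fingerprinted over normalized headers and body, and one instance is kept per fingerprint together with every location it was found in. The header choice, the `source` labels and the sample messages are assumptions constructed for this example.

```python
import hashlib
from email import message_from_string
from email.utils import getaddresses

# Headers assumed to identify a message independent of the store it sits in.
# This field choice is an assumption made for the example.
ADDRESS_HEADERS = ("From", "To", "Cc")
TEXT_HEADERS = ("Date", "Subject")


def fingerprint(raw_message):
    """Return a SHA-256 digest over normalized identifying headers and body parts."""
    msg = message_from_string(raw_message)
    h = hashlib.sha256()
    for name in ADDRESS_HEADERS:
        # Compare bare addresses only: ignore display names, case and order.
        pairs = getaddresses(msg.get_all(name, []))
        value = ",".join(sorted(addr.lower() for _, addr in pairs if addr))
        h.update(name.encode() + b":" + value.encode() + b"\0")
    for name in TEXT_HEADERS:
        value = " ".join(msg.get(name, "").split())  # collapse folded whitespace
        h.update(name.encode() + b":" + value.encode() + b"\0")
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        # Stores differ in line endings and trailing whitespace; normalize both.
        lines = [line.rstrip() for line in payload.splitlines()]
        h.update(b"\n".join(lines).strip() + b"\0")
    return h.hexdigest()


def deduplicate(hits):
    """Keep one instance per fingerprint while recording every source location."""
    unique = {}
    for hit in hits:
        entry = unique.setdefault(fingerprint(hit["raw"]), {"raw": hit["raw"], "sources": []})
        entry["sources"].append(hit["source"])
    return unique


# Constructed sample: one memo delivered to three mailboxes, plus a reply.
MEMO = (
    "From: Alice <alice@example.com>\n"
    "To: bob@example.com, carol@example.com, dave@example.com\n"
    "Date: Mon, 07 May 2012 09:00:00 -0400\n"
    "Subject: Q2 pricing memo\n"
    "\n"
    "Draft pricing attached.\n"
)
SAMPLE_HITS = [
    {"source": "bob/Inbox", "raw": "Received: by mbx01.example.com\n" + MEMO},
    {"source": "carol/Inbox", "raw": MEMO.replace("\n", "\r\n")},
    {"source": "dave/Inbox", "raw": MEMO},
    {"source": "bob/Inbox", "raw": MEMO.replace("Q2 pricing memo", "Re: Q2 pricing memo")},
]

if __name__ == "__main__":
    for digest, entry in deduplicate(SAMPLE_HITS).items():
        print(digest[:12], len(entry["sources"]), entry["sources"])
```

Transport headers such as `Received` are left out of the fingerprint on purpose, since they differ per mailbox even when the message is the same.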

In addition to determining whether you need to deduplicate your result set, you will also need to determine how to present the data to the e-Discovery requester.  This not only includes the file type of the export, but also the internal structure.  This can be accomplished in a variety of ways with Discovery Attender.  For instance, you can export the result set to a PST file or to flat files.  To build on this even further, you can also vary the formatting of the exported data.  For example, you can either merge your result set to a single PST file regardless of the source or you can generate a PST file per email store you searched.  You can also enforce a size limitation on the exported PST files such that it will rollover to a new one once that size has been reached.  Additionally, you can change the layout used in the internal structure of the exported PST file or change the naming convention used when exporting to flat files.

Oftentimes, you will need to supplement the exported result set with certain reports. Specifically, you may need to report on the search criteria, the number of hits found and so forth. There are a variety of reporting capabilities available within Discovery Attender. You can generate a summary report that gives a brief synopsis of the search that was performed, a duplicates report that provides a listing of each unique item and whether it had duplicates, a custom CSV report that includes only specified data, and much more.

As you can see, there is a lot you can do with the result set: whether duplicates should be eliminated, how the result set should be exported and what type of reporting should be generated are all questions that you should ask. Make sure the e-Discovery requester knows the options available so they can provide you with accurate information.

The last thing you should determine when you receive an e-Discovery request is who the main point-of-contact is (if you should have any questions).  The majority of the time, this will be the e-Discovery requester.  However, there may be another person who will need to clarify questions about keywords, export format, search locations, or other topics regarding the search.  You should be in touch with this person throughout the e-Discovery process to help determine the best plan of attack should any further questions arise.

This is not meant to be an exhaustive list of questions, as there are likely many others that could be added.  Any detail you can get about the search ahead of time will help you better prepare for an e-Discovery search.  Having clear direction and good communication will make the task run much smoother, and therefore will help reduce time and stress during the e-Discovery process.

If you would like to learn more or to speak with a representative, contact Sherpa support.

Alternate Uses for Discovery Attender

by Marta Farensbach on May 7, 2012

Discovery Attender is primarily used by legal and IT professionals who find the application helpful in responding to requests to perform electronic discovery or investigative functions.   Over the years, however, the Sherpa support team has noticed that our end-users (especially at smaller companies) deploy Discovery Attender to perform a variety of tasks outside the legal realm.  These include:

• Eliminating PCI data: This use is so popular it should be considered a standard task. A variety of regulations in a number of industries forbid the storage of ‘Payment Card Industry’ data in clear text (i.e. unmasked). Discovery Attender is deployed to find email and files which contain the rogue information such as social security and credit card numbers. It does so by recognizing PCI identification patterns using the Regular Expression feature. Once found, these items are moved out of the general data stores into secure repositories using the Advanced Actions.

• Identifying inappropriate data:  Mailboxes or file stores often contain data which is inconsistent with company policy. This can range from dirty words to media files. Once items are found using keyword, size or file type criteria, the Advanced Actions clean up the data repositories and bring them back into policy compliance.

• Removing confidential documents:  Occasionally proprietary or confidential information escapes into general, non-classified data stores.  Discovery Attender comes to the rescue by finding the offending documents via file names or keywords.  These files are then deleted with extreme prejudice thus ensuring no valuable data is able to break away from secure networks.

• Collecting product history: Some manufacturing companies use Discovery Attender to track correspondence referencing specific products or parts (via patent numbers or part numbers) so they can keep a complete record for reference and backup purposes.

• Finding lost items: Some IT administrators are called upon to locate files or email messages that have gone astray.  A surprising number of techs have reported turning to Discovery Attender to help them find and restore lost digital items to their proper owners.

• Locating viruses:  One of the more unexpected uses reported to our support team is using Discovery Attender to supplement anti-virus software.  Definitely an off brand exercise, but several admins have found the tool very helpful to track specific infected files in static email stores and network shares that conventional virus scans may have missed.

• Collecting data after separation: Often company policy dictates that all data from employees leaving a company must be collected and stored for a defined period of time. Because Discovery Attender can scan many data stores at once (Exchange, file shares, desktops, etc.) it is the ideal tool for performing this type of collection. As an added bonus, the deduplication feature helps reduce the amount of data which needs to be kept.

• Deleting clutter: Many organizations find themselves faced with hordes of unneeded files which pollute mail servers and file shares alike. Spring cleaning comes around when admins break out Discovery Attender to find and remove items that muddle the data stores. Old newsletters, cross-company emails, viral media files and all those inspirational, but large PowerPoint files are eradicated.

If you have any unconventional uses for Discovery Attender, we would love to hear from you. Please don’t hesitate to comment below, or contact us at information@sherpasoftware.com.

Keep it to Yourself

by Rick Wilson on May 7, 2012

April was officially recognized by the Association of Records Management and Administrators (ARMA) as Records & Information Management month. This year’s theme is ‘Keep it to Yourself’, a campaign to raise awareness about the sensitive nature of electronically stored information (ESI).  Executives and employees alike need to be reminded that information is one of the most vital and strategic assets that an organization possesses and securing that information is a vital task.

At Sherpa Software, we regularly work with records administrators who need tools that help them identify, monitor and secure information being stored or transmitted via email. If your organization is considering implementing a records management strategy here are some ways that Sherpa’s products can serve as a part of your enforcement strategy:

  • Mail Attender is an excellent tool for applying a retention policy to delete old email content. The flexible rules architecture allows you to select messages based on a variety of criteria and either delete them directly or relocate them into a ‘to be deleted’ folder where users have an opportunity to perform a final audit before the deletion occurs.
  • PST Backup Attender is a lightweight desktop service that can be deployed through Group Policies to scan desktop machines for PST file content and apply retention policies to delete old messages from the PST file. This is an ideal solution for customers who have a large number of widely dispersed computers to manage.
  • Need to assess the volume of ESI in your environment in order to plan a retention strategy? Try either Discovery Attender or Report Attender. Either of these products can help you identify the volume, type, size and location of many types of ESI data.

If you are a records management administrator, please stay tuned to our website. Sherpa is currently working on a new product that will help you enforce a retention cycle for ESI data stored in a variety of sources outside of email.

For more information or to download a free trial version, email information@sherpasoftware.com or click here!

The ability to locate PST files and import them into Exchange mailboxes has long been a favorite feature within Sherpa’s Mail Attender for Exchange. With the most recent update to Mail Attender 4.7 SP1, we’ve added the ability to deduplicate (or single instance) PST files during the import process. This is a great new addition to Mail Attender’s already powerful toolbox. The attached video is an updated version of one of our more popular instructional presentations, with updated screen shots and a brief description of how the deduplication process works. If importing PST files into Exchange is something that interests you, be sure to check it out! In addition to the new deduplication feature, this video describes how Mail Attender identifies PST files and automatically determines their proper ownership before importing them into the respective mailboxes.

For more information or to speak with a representative, contact Sherpa support!