Overview of eDiscovery and in-place holds in SharePoint Server 2013
Published: July 16, 2012
Summary: Learn about eDiscovery across SharePoint Server 2013 and Exchange Server 2013, the eDiscovery Center, eDiscovery cases, in-place holds, and exports.
Applies to: SharePoint Server 2013
Electronic discovery, or eDiscovery, is the process of identifying and delivering electronic information that can be used as evidence. SharePoint Server 2013 introduces the eDiscovery Center, a new type of site collection that serves as a portal for managing eDiscovery cases. From this central location you can discover content in the SharePoint farm, in Exchange Server 2013, on file shares, and in other SharePoint farms. You can apply a hold to SharePoint and Exchange content that you discover. The hold ensures that a copy of the content is preserved, while still allowing users to work with their content. When you have identified the specific items that you will have to deliver, you can export them in an industry-standard format.
In this article:
Managing an eDiscovery case
When you receive a new request for eDiscovery, you create an eDiscovery case in the eDiscovery Center. An eDiscovery case is a collaboration site that you can use to organize information related to the eDiscovery request. From within an eDiscovery case, you can search for content, apply a hold to content, export content, and view the status of holds and exports that are associated with the case.
The two primary components of an eDiscovery case are eDiscovery sets and queries. Use an eDiscovery set to find content and apply a hold. Use a query to find content and export it.
eDiscovery process flow
To find and preserve content, create an eDiscovery set. Each eDiscovery set contains the following:
Sources, which are locations to be searched. Exchange mailboxes, SharePoint sites, and file shares can all be sources.
A filter, which defines what you are searching for. A filter can include search terms, a date range, and an author’s name.
An option to apply an in-place hold to the sources that contain content that matches the filter.
To find and export content, create a query. Each query contains the following:
Query filters, which define what you are searching for. Query filters resemble a filter in an eDiscovery set, and can include search terms, a date range, and an author’s name. However, query filters in a query can also use stemming.
Sources to be searched. Exchange mailboxes, SharePoint sites, file shares, and eDiscovery sets can all be sources in a query.
When you run a query, you can see statistics about the items that were found, you can preview the results, and you can filter the results by message type (for Exchange results) or by file type (for SharePoint results). When you are finished, you can export the results of the query.
The content that you export by using a query is formatted according to the Electronic Data Reference Model (EDRM) specification so that it can be imported into a review tool. An export can include the following:
Documents: Documents are exported from file shares. Documents and their versions can be exported from SharePoint 2013.
Lists: If a list item is included in the query results, the whole list is exported as a comma-separated values (.csv) file.
Pages: SharePoint pages, such as wiki pages or blogs, are exported as MIME HTML (.mht) files.
Exchange objects: Items in an Exchange Server 2013 mailbox, such as tasks, calendar entries, contacts, email messages and attachments are exported as a.pst file. If Lync conversations are archived in Exchange, those can be discovered and exported, too.
Crawl log errors.
An XML manifest that provides an overview of the exported information.
How eDiscovery works in SharePoint products
The Search service application is a key component of the search system in SharePoint Server 2013. (For more information about service applications, see Services architecture planning (SharePoint Server 2010).) You can associate an eDiscovery Center with a Search service application. Any content that is indexed by the Search service application can be discovered from the eDiscovery Center. If you configure the Search service application to crawl file shares, you can use the eDiscovery Center to discover content on the file shares. If you configure the Search service application to crawl other websites - for example, a team site that was created by using Office SharePoint Server 2007 - you can use the eDiscovery Center to discover content on the websites. For SharePoint 2013 farms, you can also put the content on hold. If you add Exchange Server 2013 to the Search service application as a result source, you can discover content within Exchange mailboxes from the eDiscovery Center and put the mailboxes on hold. If you archive content from Lync in Exchange, you can also discover Lync content.
If your environment includes two isolated Search service applications – for example, SharePoint Online and SharePoint on-premises – you have to have two eDiscovery Centers to discover content across the farms. For more information about how many eDiscovery Centers you will need, see Plan eDiscovery in SharePoint Server 2013.
A separate eDiscovery Center for each isolated Search service application.
As the Search system crawls content, it creates a search index. The search index stores data that is used to provide the results for search queries. The search index also stores information about the permissions that are required to access each piece of content. When a user performs a search, the search system uses the search index to identify the appropriate search results. Before displaying the results, the Search service application performs security trimming, by which the system compares the user’s permissions to the permissions that are required to access content that search results link to, and then “trims” the results to show only those results that the user has permissions to view.
SharePoint Server 2013 introduces the concept of an in-place hold. When you apply an in-place hold to a site, content in the site remains in its original location. Users can still work with the content, but a copy of the content as it was at the time that you initiated the hold is preserved. In-place holds differ from the style of hold that you could use in SharePoint Server 2010. In SharePoint Server 2010, users could not change or delete content when it was on hold. By using in-place holds in SharePoint Server 2013, users do not even have to know that their content is on hold.
If SharePoint Server 2013 runs on a server that uses Alternate Access Mapping (AAM), host-named site collections, or SSL termination format, then users will not be able to edit web pages in a site that has an in-place hold applied. To allow users to edit pages in sites that are on hold, you will need to disable loopback checking as described under Method 2 in KB article 896861 (http://go.microsoft.com/fwlink/p/?LinkId=272340).
An in-place hold is applied at the level of a site. When a hold is placed on a SharePoint site, a preservation hold library is created, if one does not already exist. Most users cannot view the preservation hold library. It is only visible to site collection administrators. The search crawler also has special permissions to crawl content in the preservation hold library.
There is one case in which a user can view the preservation hold library. Users who are granted permissions at the web application level can view all content in all site collections within the web application. For more information about permissions and eDiscovery, see Plan for eDiscovery in SharePoint Server 2013.
If a user attempts to modify or delete content in a site that is on hold, SharePoint first checks whether the content has been modified since the hold was applied. If this is the first modification since the hold was applied, SharePoint copies the content to the preservation hold library, and then allows the user to modify or delete the original content. Note that any content in the site can be copied to the preservation hold library, even if the content does not match the filter of the eDiscovery set that initiated the hold.
The Information Management Retention timer job cleans up the preservation hold library. The timer job runs periodically and compares all content in the preservation hold library to the filters for the eDiscovery sets that put the site on hold. Unless content matches at least one of the filters, the timer job deletes the content from the preservation hold library.
Two important consequences of this process are as follows:
The version of content that is current at the time that the hold was applied is the only version that is preserved. If the content is changed multiple times, intermediate versions of the content are not preserved.
If an item is placed on hold multiple times, SharePoint preserves the version that is current at the time each hold is placed. For example, if version 27 of an item is the most recent when the site is placed on hold the first time, and version 51 is the most recent when the site is placed on hold the second time, versions 27 and 51 are preserved.
Storage space is used efficiently. Most content in a site does not change, and content that is not changed is not copied to the preservation hold library.
Integration with Exchange
You can manage the discovery process for Exchange Server 2013 from a SharePoint eDiscovery Center. You can do the following:
Add Exchange mailboxes as sources to either an eDiscovery set or a query.
Preview content that is discovered in an Exchange mailbox.
Apply a hold to an Exchange mailbox.
Export content that is discovered in an Exchange mailbox.
To discover content in Exchange mailboxes, you must first configure a trust relationship between SharePoint and Exchange. You must also grant specific Exchange permissions to the users of the eDiscovery Center. For more information about these tasks, see Configure eDiscovery in SharePoint Server 2013.