eDiscovery Cases

Document created by user.oxriBaJeN4 Employee on Sep 11, 2015Last modified by user.Yo2IBgvWqr on Jul 27, 2017
Version 9Show Document
  • View in full screen mode

eDiscovery Cases allow administrators to group multiple Archive Searches together in a single case. They can be used in a number of ways.

 

NameDescription
ExportMessages can be exported from the Administration Console in .ZIP files containing messages in .EML format.
Retention AdjustmentMessages can be made subject to a retention adjustment, to increase or decrease the length of time that they are stored in the Mimecast archive.
Litigation HoldMessages can be placed in Litigation Hold, where they will not be expired from the Mimecast archive for a time period defined by an Administrator. This is regardless of the message's actual expiry date.
Link to Smart TagMessages can be linked to a Smart Tag. This allows individual users or groups or users to view archived messages, where they are not the sender or recipient.

 

Creating an eDiscovery Case

 

To create and work with eDiscovery cases, you must be a administrator and have one of the following roles:

  • Super Administrator
  • Full Administrator
  • Discovery Officer

 

To create an eDiscovery case:

  1. Log in to the Administration Console.
  2. Click on the Administration toolbar button. A menu drop down is displayed.
  3. Click on the Archive | Discovery Cases menu item.
    eDiscovery cases are stored in folders. Cases cannot be created in the "Root" folder. See the Administration Console: Managing Folders page for details of how to create a folder.
  4. Click on the New Discovery Case button. 
  5. Complete the Discovery Properties dialog as follows:

    Field / OptionDescription
    DescriptionEnter in a description for your case. This will be displayed in the Discovery Case Definitions list.
    Notes Enter the case details. This helps you and other administrators identify the case at a later date.
  6. Click on the Save and Exit button.

eDiscovery cases cannot be deleted once they are created.

Assigning Archive Searches to an eDiscovery Case

 

To assign archive searches to your eDiscovery case:

  1. Open the Discovery Case.
  2. Select the Build Discovery Case drop-down menu.

 

Build_discovery_case_options.png

 

The options available are described below. You can use a combination of these options in a single eDiscovery case.

 

 

A Quick Basic Search allows you to search a specific mailbox in your archive. Additionally, you can narrow the mailbox search to include specific text in the selected mailbox.

 

  1. Click on the Build Discovery Case.
  2. Select Quick Basic Search.

 

eDiscovery_quick_search.png

 

FieldDescription
Search DescriptionA name to identify the search.
Search TextThe text you would like to search for.
MailboxThe Mailbox you would like to limit the search to. Use the Lookup button to locate the correct mailbox.
From DateThe earliest message sent date to be included in the search. The default is Eternal to ensure all past messages are considered in the search.
To DateThe latest message sent date to be included in the search. The default is Eternal to ensure all future messages are considered in the search.

 

 

For more granular options, the Create Advanced Search function can be used.

 

  1. Select Build Discovery Case | Advanced Search and complete your required Search parameters.

 

Admin_Search.png

 

FieldDescription
Search TextThe text you would like to search for. View the guidance on screen for using search operators.
Message ComponentsSelect which message components to be considered in the search.
Include Litigation Hold MessagesSelect whether to messages that have passed their natural expiry date but are still available due to Litigation Hold.
Search within a Smart TagWhen used, the search will be limited to messages that have been assigned to the selected Smart Tag.
Sender and recipient filters

Either the full email address(s) or domain name of the sender and / or recipient you want to filter the search on:

  • Use spaces to enact an "OR" when including multiple addresses or domains.
  • If you are unsure of the full address use a wildcard (*) for the domain part of the address.
  • A wildcard (*)  cannot be used at the start of an email address.
  • To exclude address from the search use the "NOT" operator. This must be used after an address or domain to include, for example:
    mimecast.com NOT user@mimecast.com
Date RangeThe date range to filter the search on based in message sent date.
Route FilterSpecify the route of the messages to search for, for example, inbound, outbound, or internal.
Result sort orderThe order in which you would like to see the results.

 

To view the results of the search, click on Search button on the top toolbar.

eDiscovery_Toolbar.png

Once reviewed, click on the Back button to return to the Advanced Search screen.

 

To save the search to the Case, click on the Save and Exit button on the top toolbar.

 

 

If there are searches that have previously been saved, these can be linked to an eDiscovery case. Once a saved search is assigned to an eDiscovery case it will no longer display within the Archive > Saved Searches section to prevent accidental update or deletion of the Saved Search.

 

To add the Saved Search to the case, click on the Save and Exit button on the top toolbar.

 

Export an eDiscovery Case

 

Once your eDiscovery case is built, you can export the messages that are part of the case. Each message is in .EML format inside a .ZIP file.

  1. Log in to the Administration Console.
  2. Click on the Administration menu item.
  3. Click on the Archive | Discovery Cases menu item.
  4. Select the required Discovery Case.
  5. Click on the Export Case button.

    eDiscovery_Export.png
  6. Complete the Export Details dialog as required.

    Field / OptionDescription
    Discovery DescriptionSpecify a description for the download.
    Export TypeSpecify the file type to use for the exported file.
    Download FilenameSpecify a file name for the exported file.
  7. Click on the Save button.

 

The export is visible in the Case Exports section of the Discovery Case page.

 

Canceling an eDiscovery Case Export

 

While an export is either Pending or In Progress, it is possible to cancel the export using the Cancel Exports button in the toolbar.

 

eDiscovery_Cancel_Exports.png

 

Link an eDiscovery Case to a Smart Tag

 

Results from an eDiscovery case can be linked to a previously created Smart Tag. This allows specific users to view messages in a secure manner.

 

Select Build Discovery Case | Link to Smart Tag:

 

eDiscovery_smart_tag.png

 

FieldDescription
Select Smart TagUse the Lookup button next to the Select Smart Tag field to select from a list of existing Smart Tags.
Linking Action

Select whether messages will be linked to the Smart Tag or removed from the Smart Tag.

  • Use Create smart tag links when you want to make the messages available to user via a Smart Tag.
  • Use Remove smart tag links when you want to remove messages from a Smart Tag preventing users from being able to view them.

This action will not be applied immediately, a request will be posted to your account and will be accessed during nightly housekeeping tasks.

Perpetual Link

Check the Perpetual Link option to include all future messages as well as existing ones. If not selected, only those emails that matched the criteria when the search was created will be displayed. Additionally no future messages will be included.

 

Once the search options have been created, click on the Save and Exit button on the top toolbar to add them to the Case.

 

Managing an eDiscovery Case

 

eDiscovery cases are managed from the Administration Console in the Administration | Archive | Discovery Cases menu. The cases are listed by folder in this screen. High level information about each case is available at a glance.

 

eDiscovery_View_cases.png

eDiscovery Case Status

 

eDiscovery cases can have a status of either Editable or Locked. A case will be locked when it:

  • Has been assigned to a Litigation Hold.
  • Has been assigned to a Retention Adjustment.
  • Has been assigned to a Smart Tag.
  • Is being exported.

When locked, no new searches can be added and existing searches cannot be amended.

Mimecast will automatically unlock a case if:

  • An associated Litigation Hold expires.
  • There are no Retention Adjustments linked to the case.
  • It is not being exported. This is automatically checked once per day during nightly housekeeping routines.

 

When a Case is unlocked, an entry of type Unlock Discovery Case is added to the Account Access Event Log. This is viewed in the Administration | Account | Audit Logs menu in the Administration Console.

 

Editable Cases

 

If the case status is Editable, a Manage Saved Searches option is available:

 

Discovery_saved_search_options.png

 

This provides a list of all the searches assigned to the case, giving additional information such as:

  • Who created the search.
  • Whether it was saved.
  • The search time and date.
  • Basic search parameters.

 

Right-clicking on the search allows the Administrator to amend the search criteria, unlink or delete the saved search.

 

As long as it's editable, you can remove a saved search from an eDiscovery case (unlink Saved Search). However you cannot delete a case once it has been created.

 

Locked Cases

 

Once the case has been Locked, a View Saved Searches option is available. The same information is displayed, however no changes can be made to the search. Right clicking on the Saved searches provides the view menu options.

 

A Saved Searches Summary is also provided. This lists all searches assigned to the Case.

 

Auditing

 

eDiscovery case auditing is linked to the Search Audit Logs and the Message View Logs. To view the logs, open the case, click on the View Audit logs drop down menu and choose a log.

 

eDiscovery Search Audit

 

Shows a log of all searches performed as part of this Case along with the search parameters. This also includes any searches that were not saved to the Case.

 

Details such as who created the search, whether it was saved, the time and date of the search and the basic search parameters are included. Right clicking on a searches gives you the option to View Search Parameters or View Search Result. Note that you do not have the ability to remove any entries from the list.

 

eDiscovery Email View Audit

 

Shows a log of all viewed emails associated with this Case. A list of all messages that have been viewed is provided, as well as whether the content or metadata has been viewed, who viewed the message, and the date and time the message was viewed.

Attachments

    Outcomes