Ediscovery collecti...
 
Notifications
Clear all

Ediscovery collections of PST files

3 Posts
3 Users
0 Likes
367 Views
(@bntrotter)
Posts: 63
Trusted Member
Topic starter
 

For EDiscovery Practitioners,

How do you deal with the collection of significantly large sized files such as PST archive files -Outlook 2016 (ex.25-50+ GB)?

Do you have Custodians identify email records of value to collect?

Especially when users on- and off-board from the network daily. Do you enforce indefinite connectivity until collections are completed?

Or for users that connect through VPN? Do you enforce users to come into office?

 
Posted : 06/07/2017 1:37 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

A few different options you have here

1. what is the retention policy at the org? If they have a strong one where they "do not delete" and keep all data on the exchange server, you're best best is to pull if from the EDB.

2. PST's are huge these days, and you do what you have to in order to copy them from a remote or local connection. Usually, if it's done over the wire, I used to schedule time with them on their calendar to run the task or request they leave the PC online overnight to collect.

Custodians already have a duty to preserve so I let legal handle the policy and the interviewing so we can focus on the preservation. Trying to parse a 25GB PST for targeted emails is very challenging. Its usually faster to pull the whole file and filter after (if that is allowed).

 
Posted : 06/07/2017 6:08 pm
(@cults14)
Posts: 367
Reputable Member
 

Assuming you're talking about an environment where there is Exchnage or an alternate email server…………………..

We use Litigation Hold in Exchange 2013 to preserve mailbox info. When it comes to searching, normally we're asked by outside counsel to provide either everyting within a date range OR everything with X Y and Z email addresses (or domains) in it. Content searching is fraught with difficulty and we don't do enough of it. So we run a search, export to PST, hash, and upload (normally) to outside counsel or their vendor's secure ftp site. Then they has at their end so we know if anything got trashed along the way.

As to PSTs on local drives, custodians are responsbile for preserving their own data but most users don't know one end of a PST from the other. TBH we don't have a good policy/process for preservation at that level, it would make some sense to gather up all "local" PSTs at the outset.

HTH

 
Posted : 10/08/2017 7:05 pm
Share: