Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2017-07-06 20:00:00. Format, images and links may no longer function correctly.
Sorry for slacking off on blogs while I have been wrestling with tricky matters and systems. I am stealing a moment to carefully report some potential search and export issues with the new Office 365 Security & Compliance Center. Normally I would not write about any potential eDiscovery system issue until I fully understood the behavior and gave the provider time to debug the problem. Because the vast majority of my clients and readers are already experimenting with the new Compliance Center for holds, searches and collections, I felt compelled to at least raise a yellow warning flag of caution. Reasonable quality control steps in your eDiscovery workflow may catch the export issues we encountered, but they would not catch the inconsistent search results in our scenario without validation-level confirmation tests. Before I detail the anonymized scenarios, it is important to reaffirm that circumstances have prevented us from more than minimal testing or even opening a Microsoft support ticket yet, though that is in progress. I was not able to reproduce this behavior in my own test O365 environment. All of this means that the issues may be related to corrupt data or another unique client variable – i.e. not relevant to your environment.
Scenarios and behavior:
- Multiple mailbox search – A single search with date criteria targeted multiple user mailboxes. The search results were not deduplicated or otherwise restricted. A set of QC searches on individual mailbox targets with the same date criteria produced roughly 20% more results. The additional QC searches were run after the initial export was missing an entire mailbox’s PST files. That same mailbox did have substantial email within the date range that was successfully exported when it was the only target selected. It is unclear whether the multi-mailbox search just missed items or whether the export dropped items, but there were no warnings or errors to alert the user of unavailable targets or other issues. Normal QC caught the missing mailbox PST files, but if only a few items were missing it could have slipped through.
- FolderID search – If you have not tried to search for specific folders in Exchange mailboxes or SharePoint/OneDrive for Business sites, you are in for a rude awakening the first time an interviewed custodian says, “I keep all that right in this folder.” It is time to dust off your PowerShell skills or open a help desk ticket with your Exchange/SP team. Using the FolderID: and Path: properties in Content searches requires you to retrieve a 48-character ID value instead of just searching by the folder name. Note that searches by FolderID/Path will NOT retrieve items from subfolders/subsites. You will need the IDs from all subcontainers in your search. I will write up a piece covering this after we finish debugging the inconsistent results issue to determine if we can even use the Content Search. The good news is that you can use the Get-MailboxFolderStatistics PowerShell cmdlet to get both the FolderID and the current item count directly from the source. The bad news is that one of our subsequent folder searches was off by a single item with no errors or warnings. So some of the FolderID searches in the Compliance Center matched the PS query results and some did not. By this point I and my client are completely paranoid and go back to prior, proven tools to meet tight deadlines.
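
The FolderID workflow described above, as an added example that is not part of the original post: it turns Get-MailboxFolderStatistics rows into a `folderid:` query covering a folder and every subfolder, and totals the item count to compare against the search result. The function names, sample folder paths and sample rows are hypothetical, and the byte offset used to derive the 48-character ID is an assumption taken from Microsoft's published targeted collection script.

```powershell
# Added example: build a folderid: query for a folder plus all subfolders,
# and the item count to expect, from Get-MailboxFolderStatistics output.
function Get-FolderSearchPlan {
    param(
        [Parameter(Mandatory)] [object[]] $FolderStatistics,  # rows from Get-MailboxFolderStatistics
        [Parameter(Mandatory)] [string]   $RootPath           # e.g. '/Inbox/Project X'
    )
    $root = $RootPath.TrimEnd('/')
    $cmp  = [StringComparison]::OrdinalIgnoreCase
    # FolderID searches do not recurse: select the root and each descendant explicitly.
    # The trailing '/' keeps siblings such as '/Inbox/Project XL' out of the set.
    $targets = @($FolderStatistics | Where-Object {
        $_.FolderPath -eq $root -or $_.FolderPath.StartsWith("$root/", $cmp)
    })
    if ($targets.Count -eq 0) { throw "No folder matches '$RootPath'" }

    $clauses = foreach ($f in $targets) {
        $bytes = [Convert]::FromBase64String($f.FolderId)
        if ($bytes.Length -lt 47) { throw "Unexpected FolderId length: $($f.FolderPath)" }
        # Assumption: bytes 23..46 of the decoded FolderId are the indexed ID;
        # 24 bytes rendered as hex give the 48-character value.
        $hex = -join ($bytes[23..46] | ForEach-Object { $_.ToString('X2') })
        "folderid:$hex"
    }
    [pscustomobject]@{
        Query         = $clauses -join ' OR '
        FolderCount   = $targets.Count
        ExpectedItems = ($targets | Measure-Object -Property ItemsInFolder -Sum).Sum
        Folders       = $targets.FolderPath
    }
}

# Constructed sample rows standing in for live cmdlet output.
function New-SampleFolder([string]$Path, [int]$Items, [byte]$Seed) {
    $raw = [byte[]](0..46 | ForEach-Object { ($Seed + $_) % 256 })
    [pscustomobject]@{ FolderPath = $Path; ItemsInFolder = $Items
                       FolderId   = [Convert]::ToBase64String($raw) }
}
$stats = @(
    New-SampleFolder '/Inbox'                  120 1
    New-SampleFolder '/Inbox/Project X'        40  2
    New-SampleFolder '/Inbox/Project X/Drafts' 7   3
    New-SampleFolder '/Inbox/Project XL'       99  4
    New-SampleFolder '/Sent Items'             300 5
)
$plan = Get-FolderSearchPlan -FolderStatistics $stats -RootPath '/Inbox/Project X'
$plan | Format-List
```

Against a live mailbox, pass the output of `Get-MailboxFolderStatistics -Identity <mailbox>` as `-FolderStatistics` and use the `Query` value as the Content Search keyword query. A search total that differs from `ExpectedItems` is the kind of discrepancy described above and should be investigated before the export is relied on.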
Obviously I am not declaring that Office 365 is broken or should not be used for discovery yet. We do not have enough information yet and Microsoft support has not had a chance to investigate things. But I wanted to make sure that my clients and readers were aware of potential incomplete searches/exports from a critical, universal data source as quickly as possible. My last round of client validation testing of the New-MailboxExportRequest cmdlet and EAS export function for on-premise Exchange was successful, but the cmdlet was not available for Office 365 mailboxes to the best of my knowledge. That seriously limits customers’ ability to export terminated users or custodians to PST with confidence.
Have you found similar search inconsistencies? Have you already debugged this with Microsoft? If so, please reach out to me and hopefully save me time and sweat running this down.
Stay skeptical, my friends!