Purview eDiscovery Checklist

This rough checklist is just a starting point and intended to support documentation, coordination and considerations relevant to Purview eDiscovery actions. Such a checklist can be created in your eDiscovery platform, a secured SharePoint site or any other appropriate platform. Every export should have a fully documented Chain-of-Custody form that ties to the decision history.

• Request Goal and matter factors
  • Investigation – informal
  • Investigation – formal
  • Civil or criminal standard of evidence
  • Legal hold? Silent or custodial notices?
  • ECA or scoping searches
  • Collection Request
• System
  • Standard – M3
  • Premium – M5
  • External/Custom – GraphAPI
• Identification/Scope
  • Custodians
    • Mailboxes
    • OneDrives
    • Conversations/Chat
  • Groups
    • SPOD
    • Mailboxes
    • Conversations/Chats
  • Apps – Yammer, Streams, etc.
    • Any potentially relevant use of Copilot AI or issued Copilot+ laptops to custodians?
  • Known locations – SharePoint content
• Actual search refined from identification scope iterations. Actual KQL syntax from search properties in UI should be preserved.
  • Scope/targets – may have to divide by sources
    • Global?
    • Custodians – Mailboxes/OneDrive
    • Locations – Group/URL
      • SP
      • Mailbox
    • Inactive/Public/Shared
  • Selection criteria –
    • Date – fielded or UI aggregate? Sent vs. DateCreated vs. Date Modified
    • People – SMTP & DisplayName
      • Communications – container vs. fields (Participants/Sent/Received/BCC/etc.)
    • Documents – location (access) vs. Fields (CreatedBy/ModifiedBy)
    • Content criteria – See Purview search documentation and/or guide page (TBD).
    • Options: Guest mailboxes, Shared Teams channels, Inactive mailboxes, group mailboxes, Unindex items (were they added to the results?)
    • Search metrics – as documented at the time of search
  • Processing/Export – how were the results exported?
    • Were the collection search results directly exported (manual/API) or added to a review set to process?
    • Export settings –
      • Selected documents that were tagged or otherwise refined.
      • All search results
      • Report only
      • Export format
      • Directory structure settings
      • Include tage, text files and replace redated natives with PDFs?