Mastering eDiscovery with Office 365: Best Practices and Tools for Compliance
Rocky Messin, Senior Program Manager, guides through Office 365's eDiscovery solutions, covering case creation, holds, searches, and data management for compliance.
File
Best Practices in eDiscovery Solutions Case Creations, Holds and Searches
Added on 09/26/2024

Speaker 1: Hi, my name is Rocky Messin. I'm a Senior Program Manager for the Office 365 Information Protection Team, working on compliance and eDiscovery solutions. I've been part of the eDiscovery industry for the last 15 years. Today, I'm going to walk you through a number of different solutions that we at Microsoft have to offer in regards to best practices around eDiscovery case creations, eDiscovery holds, eDiscovery searches to help you identify and produce data for investigations, litigation, and regulatory matters. We're going to walk through various different tools that the Microsoft Office 365 Information Protection solutions offer in order to help to identify where you have important information that you may not even know about. We are now looking at the Security and Compliance Center, the one-stop shop for administrators to manage all of their information protection and security and compliance features. The Security and Compliance Center provides access to such tools as data loss prevention or advanced data governance features, as well as search and investigation, which include eDiscovery. All of the different features are controlled via permissions. You can see that we have a role called eDiscovery Manager, which includes both the eDiscovery Manager, as well as the eDiscovery Administrator, which allows the user to control who has access to cases. eDiscovery Managers have access to the cases that they create, as well as any that they are specifically granted access to, and the eDiscovery Administrators have access to all cases within the tenant. We are now going to go into the eDiscovery area, where we today are going to look at a case that involves who at Enron was involved in lobbying for certain price concessions around their oil and gas in various different states. In order to do this, we are going to start off by creating an eDiscovery case. We are going to call the case Enron Oil and Gas. 
Once the case is created, we can go in and we can add specific members of our team who we want to have access to this case, including people who are outside of our organization, such as our external counsel. Once these users have been added, then we can go ahead and save their permissions. And now when they log into the Security and Compliance Center, they will see these specific cases that they now have access to. Let's go into the case in order to start the investigation about who was dealing with these issues. We are going to start off by creating a search. When we create a search, we have a number of different options of what data we are able to search. We can go ahead and pick specific mailboxes of specific users in order to find their data. This includes any data that may be in Skype for Business when the users are on hold or when they have conversation history included in their searches. We can also search SharePoint sites as well as OneDrive for Business sites. In this situation, where we don't really know who was involved in this case, we are going to start off by searching all of Exchange and all of SharePoint. And we are going to go ahead and create a search called the Enron oil search. Our searching capabilities here are vast. We have the ability to search on individual keywords, groups of keywords, phrases, doing proximity searches, doing ands, ors, nots, all kinds of various different tools to help us to find and identify key data in a case. For this specific case, we are going to start off by running a number of different terms to see who may have been involved in this case. We're going to search for the word Enron. We are going to search for the word oil. We are also going to search for oil near five, which means we are searching for the word oil within five words of the word gas. We are also going to search for the words oil and gas existing in the same document. And we will execute this search. 
We could have also used condition cards, which we'll come back to a little bit later, to help us to narrow down the search. But right now what we're trying to do is identify just who may have been involved in these different activities. The searches will run pretty quick. As you can see, we ran the search and it came back with 135,000 plus results in this data set. We're going to use our search statistics to help us understand a little bit more about this search. The first thing that we see is that the word Enron came back with 135,000 results. That's probably too broad of a search and we want to narrow it down a bit. The words oil, as well as the proximity search and the search for where oil and gas exist within the same email or document, have a much more manageable set of results. We can also see that in the SharePoint content, we have 19 results. But one of the questions that we want to answer is who actually has this content? We can use the locations to help us to understand which users' SharePoint sites or OneDrive sites actually have this data. This can help to identify which of the users or custodians of the data need to have their data analyzed and reviewed. Now that we have identified which of the users have data that we are concerned with, we are going to take the top two users, A. Ring and A. Myers, to go ahead and start with our deeper dive into their data set. In order to do this, the first thing that we're going to do is place their data on hold. Placing data on hold guarantees that the data will not be deleted even if the end user goes ahead and deletes data. They don't have to go ahead and be worried about what they're doing with their own data. It's all managed on the backend. We are going to create an Enron hold, and we are going to add the mailboxes for those two users.
When we create this hold, we have an option in order to either put their entire mailbox on hold, or alternatively, we can go ahead and we can just place on hold data that matches various different either keywords or conditions such as dates, email metadata, and other data types that we want to be able to see. Email metadata, or various different document metadata. In this case, we know that all of the data that we are concerned with took place before January of 2014. However, we're not really sure if all of the data actually had a keyword hit based on the various different keywords that we ran before. So we're going to place their entire mailbox from any data that is before that date on hold. This will go ahead and guarantee that preservation of that data. So even if the users are deleting things, we're not worried. Now that we've got some data on hold, we can go in and start doing some deeper searches. When we go ahead and create searches in order to provide the data to the attorneys for review, we are going to go ahead and narrow down the search to just try to find data that we're really concerned with right now. As you can see, the option to pick just all case content is selected. What this is doing is it is narrowing down our search to just those two users whose data is now on hold, and just the data that is on hold. We're going to now create a search and we are right now going to try to find things that are either from California, but we're worried that the users may have misspelled it. So we are going to add a wild card here to the word or data that was from Texas. We'll go ahead and execute that search. And again, within a couple of seconds, we can see how much data they have for those two keywords. As you can see, the results of the search are that there are 14,805 items that need to be reviewed. 
We could go ahead and export this data out into a search that we're going to call... We could go ahead and export this data out in order to have the attorneys look at the data either in PST format or individual messages. If we're exporting it out in individual messages, then we'll also have the ability to decrypt any data that may have been encrypted with RMS encryption on it. We can deduplicate the data, which will mean that we'll only get a single copy of each message. And we can also include any versions of any SharePoint documents that hit on our search, even if the versions do not include the actual keywords. I can go ahead and export these results out in their native formats in order to provide them to the attorneys to look at them in either Outlook or their native applications, as well as using them to go through an eDiscovery processing tool in order that the attorneys can review them in eDiscovery review applications. Alternatively, I can also use my advanced eDiscovery analytics where I will be able to organize and help reduce the data using the various different analytics to provide a more efficient set of data to my attorneys for review. We will cover these features in one of our next sessions. This concludes the overview of case creation, as well as eDiscovery holds and searches to help me to identify data that is subject to various different investigations, litigations, and regulatory matters.
