Question on E-Discovery

Status
Not open for further replies.

SubSolar0

IS-IT--Management
Jan 22, 2008
I was just wondering how everyone was handling e-discovery laws. Is it enough to just keep an Exchange ntbackup file of each day for a few years? Or do you have to invest in some sort of archiving software such as GFI MailArchiver? What software is everyone using?
 
Backups are not really enough because you have to provide the data to the other side timeously and preferably with auditing, proof that nothing has been changed etc. Restoring from backups would just take too damn long, then you have to search through for the text / phrases that you want and so on. Yuck.

Most people are using stuff like GFI Archiver - pretty basic or Symantec Enterprise Vault - Expensive.

They all have their own little foibles as well. Enterprise Vault is more of an archiving solution that has had e-discovery tacked on to it, and not tacked very well at that.

Neill
 
I should have stated before that this is for small business clients, under 35 employees per site. Restoring from backups would not take very long. Also, wouldn't each ntbackup file have all of the e-mails from the last 30 days, including ones that users deleted in Outlook?
 
That's fine but what happens if the lawsuit says we need to see all e-mails over the last year containing the phrase "xyz", you'd have to restore EVERY backup tape, then search EVERY mailbox for those phrases. AND you have to satisfy them that you didn't miss anything.

What is worse is that dumpster items won't normally be found by any search you do, although Ontrack may be able to do that, I'm not sure.

It is a bit of a nightmare for a small business.

My previous company spent over $100k on Enterprise Vault and it only did about 80% of what the salesman said it would.

Neill
 
Think about a simple part of that...

You back up your Exchange server every night. I receive an email at 9am and delete it at 10am including doing a permanent delete. Next night that email did not get backed up and therefore does not exist.
 
Indeed. You can use XC to journal all those e-mails but you need some mechanism to get them out of the journal mailbox and into an archive for searching.
You also want to be able to import the contents of the existing mailboxes before you turned journaling on.

Although as far as XC is concerned the mail is still there in the dumpster until the system cleans it out but as far as any search tools are concerned it would indeed be invisible.

GFI looked ok when I tested it but if I recall it wasn't the greatest at getting that existing data, could do one mailbox or one PST at a time I think with no way of batching. But they may have improved it by now.

You'd probably want to use exmerge to extract out the dumpster items as well and import them into the archive.
Then you'd just have to hope that no e-discovery requests come in before your tape rotation and archiving processes get in sync, so you didn't have to do restores from earlier tapes.

Neill
 
As a school, we also are being mandated to have an email archive in place. I will be going with the Arcmail Defender product. It has great reviews, doesn't require another server for data store; when I tried out GFI a few years back it was pretty simple, but it did house its data on a SQL server; and it's a very mature product. I also looked briefly at Barracuda Networks' new mail archiver appliance. This was a pretty good first attempt at this and I feel in another 3-5 years, they will have a very rounded proven appliance, but not right now. Arcmail has been doing this for many years now and they have a very mature, solid product that is top notch.

Run through their web demo and if it looks good, you can even request an eval unit to test on your network...can't beat that. Hope that helps.

 
Is there a way to prevent users from permanently deleting e-mails through Exchange/OWA? Then keeping ntbackups seems like it would suffice. And I thought exmerge didn't work with Exchange 2007? I'm trying to find the cheapest way to get my clients to PCI DSS and E-Discovery compliance. The mom and pop businesses ain't going to spend $5K on software to get there.
 
One of Arcmail's functions is that email can never be deleted off the archive. This is one of the reasons it adheres to all the Sarbanes/Oxley bla bla bla stuff out there. Depending on how many e-mail boxes, how big your emails are, and how long you want a live archive will dictate to you the model of box. I believe their units start off at around 3K (list on their web-site), but you probably will do better going through a reseller.

It's one of those things that you can do it cheap or you can do it correctly. One day you'll have to do it correctly and realize you wasted "cheap".
 
Has anyone used Hexamail Vault yet? It seems reasonably priced ($463 for 30 users) and doesn't require SQL.
 
I've been deploying GFI's MailArchiver. It doesn't cost $5000. It costs $1100 for 50 seats. It can use SQL, but doesn't require it. I've deployed it with and without. And you can do archive-wide searches on certain phrases, across all mailboxes. Whatever limitations were mentioned above, I haven't seen them in my interaction with it.

I wouldn't do the backup route. That would require keeping EVERY SINGLE backup on through the requirement period in order to keep the emails that were deleted shortly after being received/sent. You may spend more in media during that time than you would on the MailArchiver software, which works via journaling so that it captures EVERYTHING, and only once. Your backups will be mostly redundant space.

Dave Shackelford
Shackelford Consulting
 
I've been evaluating Policy Patrol Archiver and it's been working fine so far. It can use SQL Express and is only $145 for 25 users, $195 for 35 users or $225 for 50 users. Cheapest solution I could find that works so far.
 
The last time I used Red Earth's Policy Patrol Archiver, I had issues because they didn't have a good mechanism at the time for automatically (or manually!) switching to a new archiving database, so I was stuck with a single database that was eventually too big for my drive. That was the first product I used. They told me a year or two ago that they were going to be adding that feature, but I didn't have time to wait for them. That's when I moved over to GFI, and their scheduled database cutovers work very nicely.

Dave Shackelford
Shackelford Consulting
 
I've implemented Enterprise Vault for years, but recently Mimosa NearPoint is catching my eye because it doesn't require journaling for the discovery piece.

As someone mentioned before, you need to capture email data in real time instead of just using backups. If someone sends an email that they were not supposed to send, they can delete it from their sent items, then out of their deleted items before the backup runs. Without a way to capture data in real time, that email is never found.

Enterprise Vault captures email via journaling, but that is not included in the base product. If you are simply using EV to archive data, you're not capturing all data unless you use the journaling and discovery piece.

Mimosa uses log shipping, so the data is captured as it flows through your messaging environment and you'll be able to discover it. An added benefit, aside from the archiving and discovery, is that, since it uses log shipping, it is very easy to configure it in a DR scenario as well.

Hope this helps.

John Price
 