The Exciting World of eDiscovery
eDiscovery is an activity based on seeking answers to questions. Who did something and when did they do it? Who was involved? How were they involved? Where is the evidence and how strong is the evidence? And so on.
Lots of Data to Search
When it comes to performing eDiscovery in a Microsoft 365 tenant, a lot of data is available to search to find answers. The two basic workloads, Exchange Online and SharePoint Online, began adding compliance features in their 2010 on-premises versions. The on-premises technology is now largely superseded by newer and more capable cloud-specific implementations in the Office 365 data governance framework. For example, content searches are much faster and more capable than their on-premises counterparts because they can search multiple locations. Retention policies make sure that all workloads keep information based on the same criteria. Some older methods, like Exchange litigation holds, continue in use, but overall, Office 365 is a good place to go hunting for information.
Compliance Records for Communications
An increasing number of organizations use Teams for internal communications, many of them replacing Skype for Business Online in advance of Microsoft retiring that app on July 31, 2021. Anyone working in eDiscovery needs to understand how the two applications record information that might turn up in searches. As summarized in Table 1, both Skype for Business Online and Teams capture records for text-based communications (Skype calls these IM, Teams uses chats or conversations). Neither application captures compliance records for video or audio content. Note that the location of the Teams compliance records changed in 2020.
|Application|Mailbox folder|Visible to Clients|Record type|
|---|---|---|---|
|Skype for Business Online|Conversation History|Yes|Threaded transcript|
|Teams Chats|TeamsMessagesData (personal mailbox)|No|Individual items|
|Teams Channel Conversations|TeamsMessagesData (group mailbox)|No|Individual items|
The TeamsMessagesData folder is part of the non-IPM section of mailboxes and is only available online. You can use the PowerShell Get-ExoMailboxFolderStatistics cmdlet to check the number of items in the folder. If you want to examine the items with a utility like MFCMAPI, make sure that your Outlook profile is not configured in Exchange cached mode as otherwise you will not see the folder contents.
Skype for Business Compliance Records
In the case of Skype for Business, the same method captures conversations for meetings and personal chats. Skype for Business records the interaction between people in a conversation in a transcript format. You can find the transcripts in the Conversation History folder in the mailbox of each participant. In fact, depending on the length of the conversation and other factors, several versions of a transcript might exist. For eDiscovery purposes, you always look for the most recent version as that holds the most complete record.
Teams Compliance Records
Teams takes a different approach to capturing compliance records for conversations. As people communicate in chats and channel conversations, the Microsoft 365 substrate captures Teams compliance records in Exchange Online. The “real” chat data stays in the Teams chat service on Azure Cosmos DB. Some backup vendors incorrectly state that they can back up Teams because their products copy the compliance records stored in Exchange Online. Although the backup preserves the compliance records, the data is not a complete copy of what Teams holds in Cosmos DB.
Compliance records captured for personal chats go to the TeamsMessagesData folder in participant mailboxes while items captured for channel conversations are in the same folder in group mailboxes. Teams captures records in phantom mailboxes for messages sent by hybrid users with on-premises mailboxes or guest users.
For example, if you have a conversation in the General channel of the “Planning 2018” team, compliance records are in the TeamsMessagesData folder of the “Planning 2018” group mailbox. If you then have a conversation in the Budget channel in the same team, the records also go into the same folder. In other words, all the compliance records for all channels in a team go into the same folder.
There is nothing wrong with having all the records for a team gathered in one place. The compliance items are safe from interference because clients do not reveal the folder in their user interface. The items are indexed and discoverable, and the most interesting information in a compliance record is likely to be the content.
Figure 1 shows Teams compliance records found by a content search. Three interesting points are evident.
- The message type (IM) instructs the search to find Teams messages.
- If set, the Add app content for on-premises users checkbox instructs the search to scan the cloud-only mailboxes used to hold compliance records generated by guest and hybrid accounts. If you need to use this capability and the checkbox is not visible, you’ll need to make a support request to have Microsoft expose the checkbox.
- Teams no longer stamps the channel name in the subject of compliance items. This makes it more difficult to establish exactly which channel a conversation comes from.
If you are lucky and the topic includes a title, you see that too. In short, if an investigator wants to understand the ebb and flow of a conversation, they might have to search all channels in the team (manually) using the date and time of a found item to recover all the compliance records for the conversation and be able to see how a discussion developed.
Transcripts versus Individual Records
The format used for compliance records creates another eDiscovery challenge. Because Skype for Business conversations are time-limited (in other words, they finish), the application can generate a complete transcript showing the full context of the conversation. Figure 2 shows an example. If an eDiscovery search uncovered this item, an investigator can easily understand how the conversation develops between the two participants and what they discuss.
Teams conversations are persistent. They are open-ended and can restart at any time, which then means that it is harder to create a transcript like the form used by Skype for Business. Teams therefore captures compliance records as a series of items, one for each contribution. Although the items are fully searchable, the fact that multiple individual items exist for a conversation creates a reassembly challenge for investigators.
Take the example where a search uncovers an interesting item from a Teams conversation. The content of the item might be enough for the investigation, but it is more likely that the investigators need extra information to understand how the conversation developed. They must therefore retrieve items captured before and after the item of interest and then assemble the items in time order to create the kind of transcript available in Skype for Business Online. This is a manual process, unless you have licenses to use Microsoft 365 Advanced eDiscovery, which can reassemble conversations for display.
The problem with manual processes is that they are both expensive and open to challenge in court. To satisfy a judge, it is likely that investigators must prove that they have the correct items (and did not omit any) and present the information in the correct order. Although I know how to use Skype for Business transcripts in legal actions, I have not yet experienced how the legal eagles deal with search results from Teams.
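The reassembly step described above, as an added example that is not from the original article: it de-duplicates retrieved compliance items, keeps those within a time window of the found item, orders them by UTC time, and hashes the ordered result so the presented set and order can be recorded. The item fields (id, sent, sender, body), the one-hour window and the sample data are assumptions constructed for illustration, not the schema of a real content search export.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample items; field names (id, sent, sender, body) are
# hypothetical and not the schema of a real content search export.
ITEMS = [
    {"id": "m3", "sent": "2020-06-01T10:07:30+00:00", "sender": "kim", "body": "Approved."},
    {"id": "m1", "sent": "2020-06-01T10:01:00+00:00", "sender": "kim", "body": "Budget draft?"},
    {"id": "m2", "sent": "2020-06-01T11:05:00+01:00", "sender": "lee", "body": "Sending it now."},
    {"id": "m2", "sent": "2020-06-01T10:05:00+00:00", "sender": "lee", "body": "Sending it now."},
    {"id": "m9", "sent": "2020-06-03T09:00:00+00:00", "sender": "lee", "body": "Unrelated."},
]

def to_utc(stamp):
    """Parse an ISO 8601 timestamp and normalize it to UTC."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        raise ValueError(f"timestamp without offset: {stamp}")
    return parsed.astimezone(timezone.utc)

def reassemble(items, hit_id, window=timedelta(hours=1)):
    """Return de-duplicated items within `window` of the hit, oldest first."""
    unique = {}
    for item in items:
        # A chat item can be retrieved from more than one participant mailbox;
        # keep one copy per id (assumption: copies share the same id).
        unique.setdefault(item["id"], {**item, "sent": to_utc(item["sent"])})
    if hit_id not in unique:
        raise KeyError(f"hit {hit_id} is not in the retrieved items")
    hit_time = unique[hit_id]["sent"]
    nearby = [i for i in unique.values() if abs(i["sent"] - hit_time) <= window]
    return sorted(nearby, key=lambda i: (i["sent"], i["id"]))

def transcript_digest(ordered):
    """SHA-256 over the ordered items, recording exactly what was presented."""
    canonical = json.dumps(
        [[i["id"], i["sent"].isoformat(), i["sender"], i["body"]] for i in ordered],
        separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def render(ordered):
    """Format the ordered items as a transcript, one line per contribution."""
    return "\n".join(f'{i["sent"]:%Y-%m-%d %H:%M:%S}Z {i["sender"]}: {i["body"]}' for i in ordered)

if __name__ == "__main__":
    convo = reassemble(ITEMS, "m2")
    print(render(convo))
    print("sha256:", transcript_digest(convo))
```

Because the digest covers the normalized, ordered items, the same retrieved set produces the same value regardless of the order or mailbox the items came from.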
Compliance is Difficult
Generally speaking, compliance is a difficult and costly topic. The growing amount of data accumulated through computer interactions makes it harder for searches to find precisely the right information. On the upside, Teams captures information about conversations that is searchable. The downside is that the transition from Skype for Business Online to Teams might make searching and satisfying lawyers just a bit harder.