document does not give you any license to commvault’s

Information in this document, including URL and other website references, represents the current view of Commvault Systems, Inc. as of the date of publication and is subject to change without notice to you.

Descriptions or references to third party products, services or websites are provided only as a convenience to you and

should not be considered an endorsement by Commvault. Commvault makes no representations or warranties, express or implied, as to any third-party products, services or websites.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,

places, and events depicted herein are fictitious. Complying with all applicable copyright laws is the responsibility of the user. This document is intended for distribution to

and use only by Commvault customers. Use or distribution of this document by any other persons is prohibited without

the express written permission of Commvault. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,

mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Commvault Systems, Inc.

Commvault may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering

subject matter in this document. Except as expressly provided in any written license agreement from Commvault, this document does not give you any license to Commvault’s intellectual property.

COMMVAULT MAKES NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED IN THIS DOCUMENT.

©1999-2018 Commvault Systems, Inc. All rights reserved

Commvault, Commvault and logo, the “C” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor,

Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, IntelliSnap, ROMS, Simpana OnePass, CommVault Edge and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All

other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.

All right, title and intellectual property rights in and to the Manual is owned by Commvault. No rights are granted to you

other than a license to use the Manual for your personal use and information. You may not make a copy or derivative work of this Manual. You may not sell, resell, sublicense, rent, loan or lease the Manual to another party, transfer or

assign your rights to use the Manual or otherwise exploit or use the Manual for any purpose other than for your personal use and reference. The Manual is provided "AS IS" without a warranty of any kind and the information provided herein is

subject to change without notice.

eDiscovery Compliance Search

Commvault® Education Services of 46

About this Document

This document is intended for all audiences and is current as of the software version and service

pack stated in the top left corner of the page.

This document is updated every three to six months depending on feature changes to Commvault®

software. The date of publish is within the document title, e.g. 170530 indicating a publish date of

May 30, 2017, and the date appears in the top right-hand side of each page. New and updated

sections are indicated in the revision history section with hyperlinks to each section and appear with

a RED heading and darker text for easy identification. For updated versions of this document, contact

us at: [email protected]

Whether an employee, partner, or customer; we all want to work collectively to provide the best

technical education material possible. If you have ideas to improve this document or corrections to

existing content, please contact us as: [email protected]

Authors

Frank Celauro, Irene Grimaldi, Carl Brault

Edited by: Madelyn Moalam

Revision History

Link Date Contributing

Author

Notes

May 30, 2017 Initial document release

September 1,

2018

Updates

For comments, corrections, or recommendations for additional content,

contact: [email protected]

mailto:[email protected]





Contents About this Document ............................................................................................................................................... 3

Authors ................................................................................................................................................................... 3

Revision History ....................................................................................................................................................... 3

eDiscovery Overview ................................................................................................................................................ 5

The eDiscovery Process and Commvault® Software ................................................................................................... 5

Proactive and Reactive Investigations ....................................................................................................................... 7

Reactive Investigation .......................................................................................................................................... 7

Proactive Investigation ......................................................................................................................................... 8

Responsibilities for Legal and IT Teams During an Investigation ................................................................................. 9

Preservation Methods ........................................................................................................................................... 9

Effective Data Preservation .................................................................................................................................... 11

Compliance Search Interface .................................................................................................................................. 12

Features Overview of the Compliance Search Interface ......................................................................................... 12

Accessing Compliance Web Search Console ......................................................................................................... 13

Compliance Search Navigation ............................................................................................................................ 13

Content and Metadata Search ............................................................................................................................. 14

Conducting Basic Searches .................................................................................................................................. 15

Advanced Search ................................................................................................................................................... 17

Field and Inter-Field Logic ................................................................................................................................... 18

Group Logic ....................................................................................................................................................... 20

Email Search Guidelines ...................................................................................................................................... 21

File Search Guidelines ......................................................................................................................................... 22

Discovery Search Guidelines ................................................................................................................................ 22

Client Search Guidelines ..................................................................................................................................... 23

Query Builder ..................................................................................................................................................... 24

Query Sets ............................................................................................................................................................ 26

Review Sets .......................................................................................................................................................... 26

Legal Hold Sets ..................................................................................................................................................... 32

Export Sets ........................................................................................................................................................... 33

Creating and Managing an Effective Search Process ................................................................................................. 35

Case Manager ....................................................................................................................................................... 37

Creating a Case Using Case Manager ................................................................................................................... 38



eDiscovery Overview eDiscovery is the process of proactively or reactively conducting content searches on information within an environment.

This is most commonly used during litigation cases to discover relevant information for an investigation. This information

is made up of custodians, individuals directly or indirectly related to the case, date ranges, and information, contained

within messages and documents. The eDiscovery process requires several steps to identify, preserve, review, and

produce responsive information.

eDiscovery investigation high level concept

The eDiscovery Process and Commvault® Software Understanding the eDiscovery process using Commvault software is essential for a complete investigation. IT and legal

communication is essential during all phases of the process.

The eDiscovery process using Commvault software includes the following steps:

• Identify data for investigation including custodians, relevant data types, and data ranges.

• Preserve data using IT holds or litigation holds.

• Content index data.

• Create a legal review workflow process.

• Conduct basic and advanced searches for relevant information.

• Move relevant items to Review sets for deeper analysis including tagging and adding comments.

• Move responsive items to legal holds or export sets.

• Produce responsive items for investigation as CAB, PST, NSF and HTML files.

• Release non-relevant data from legal holds.

Identify data for investigation

The first part of identifying data is knowing the type and location of the data. This is primarily Email but also can include

documents which may be on servers or personal computers. The legal team should communicate as much information to

the IT team so they can quickly identify the location of the data to be preserved. Along with what type of data must be

preserved, the date range and relevant custodians must also be provided.

In modern environments, it is quite common for user data not to be in central locations. Using Commvault features

including end user desktop and laptop agents provides a longer reach of what data can be identified. An understanding of

what users are doing with their data can assist when an investigation arises.



Preserve data

Once data is identified it must be preserved. In certain cases, especially when it is unclear what data must be preserved,

an IT legal hold is implemented. This can be accomplished in several ways:

• Disabling data aging operations for storage policy copies, clients, or the entire CommCell® environment.

• Using Reference Copy to preserve files and Email messages on certain production systems. Reference Copy

configuration is typically implemented by Commvault administrators with guidance from legal teams.

• Using Case Manager to preserve files and Email messages owned by custodians. It is important to note that file

ownership is tied to system ownership which means that Case Manager is suitable when managing end user data

such as laptops and desktops. Server data such as file shares and home folders can be included but it is not tied

to a specific custodian. Filter criteria such as file types and key words can be used to determine which server data

is preserved in the case. Case Manager implementation is typically handled by legal teams.

A critical point in the data preservation process is that data is managed independently from standard corporate retention

policies. A standard policy of 30 – 60 days may be used for normal business operations which would not be adequate for

an investigation that may span multiple years. Disabling data aging is a temporary method to preserve data but can come

at a significant cost in extra storage requirements. Reference Copy and Case Manager physically copies data to an

alternate storage location providing a more efficient long term storage solution.

Content index data

Content indexing is required to conduct full content searches for Email messages and files. In some environments content

indexing is an ongoing process. This allows investigations to be conducted with minimal communication with IT teams,

although it is still critical to check with Commvault administrators to ensure all indexing operations are up-to-date based

on the scope of the investigation. Content indexes can exist for the entire retention time of the data or indexes can be

pruned prior to data exceeding retention. Any indexable data that exists in a Commvault environment can retroactively be

content indexed. It is always important to establish the data types, custodians, and date ranges to ensure all required

data is preserved and content indexed.

Legal Review Workflow Process

Although searches can immediately be conducted, a good practice is to establish a workflow process. This includes who

will be investigating and at what stage they will be actively involved. At this point a workflow can be established by

defining query sets and review sets. Multiple sets can be defined and permissions can be assigned to ensure a secure

workflow process.

Conduct basic and advanced searches for relevant information.

At the start of the review process, basic and advanced queries can be crafted to begin identifying relevant information.

Queries are then modified to remove non-relevant information and narrow the scope of search results. Multiple queries

can be crafted and saved to query sets to simplify the process and divide responsibilities when multiple legal team

members are involved. It is critical that all queries are saved in a query set to ensure a complete and defensible

investigation.

In some cases, relevant items are immediately exported or placed in legal hold retention policies. This is common for

basic investigation or in early case assessment situations where items are to be exported and presented to others or

analyzed using third party software.



Move relevant items to Review sets

Once queries are crafted, relevant items can be moved to one or more review sets. Review sets provide a more granular

method of investigation where comments can be added to items and items can be tagged. Multiple review sets can be

created in a cascading manner when multiple levels of investigation are required. For example, the primary review set can

be used for a high-level investigation to identify and tag potentially relevant items. These items can then be moved to

another review set for a deeper analysis. This also is used to create a workflow where different individuals at different

phases of the investigation can analyze items for relevance, non-relevance, or attorney-client privilege.

Move responsive items to legal holds or export sets

Throughout the investigation process, relevant items are reviewed to determine if they are responsive – all items within

the scope of the investigation. These items can be moved to a legal hold or an export set. Both operations create physical

copies of items and it is important to note that depending on how many items are included, this process can take some

time.

A legal hold, in the context of the Commvault Compliance Search interface, copies items to a separate physical location

and a specific retention is placed on these items. Legal hold retention policies are defined by the Commvault

administrator with the assistance of legal teams. Legal hold retention policies can be named based on a case, retention

terms such as 5-year hold, or any other naming convention required by the organization.

A common practice is to have a legal hold policy using infinite retention. This guarantees the

preservation of data for the life of the investigation. Once the investigation is closed, the legal hold

data can be released.

Export sets take selected items and immediately exports them to a compressed file such as CAB, PST, NSF or HTML. The

export process may take some time to complete depending on how many items must be copied to the compressed file.

The export file can then be downloaded directly to the local computer. It is important to note that placing items into an

export set does not change the retention of items in Commvault protected storage.

Produce responsive items

Once all items are placed in a legal hold or and export file, they can be exported outside of the Commvault environment.

Release data from legal holds

Legal holds, implemented by IT, can be released if it is determined that all responsive information has been produced or

the investigation is closed. If it is uncertain that all information has been gathered, it may be necessary to maintain the

legal holds. Note that Commvault has additional features including Commvault OnePass archiving, storage to cloud, and

SILO storage which can be implemented to hold on to data for extended periods of time.

Proactive and Reactive Investigations When a case is initiated, it could be conducted as a reactive or proactive investigation. The differences between these will

determine how data is identified, preserved, and indexed; as well as which Commvault eDiscovery tools provide the most

efficient methods to process the case.

Reactive Investigation

A reactive investigation is typically a case where data that is preserved in storage but is not indexed or the indexes have

been pruned. An example of this would be a harassment case with a former employee and a manager. The relevant

custodians and time range for the investigation consists of Email messages dating back two years ago. The Email

messages have been preserved but they have not been content indexed. The Commvault administrators will need to run

content indexing jobs on the older data for the legal teams to conduct their searches to identify relevant items for the

investigation.



Commvault® tools for a Reactive Investigation

In order to conduct a reactive investigation, the jobs the data resides in must be retained in Commvault storage. The jobs

are picked or re-picked for content indexing. This may require Commvault administrators to place an IT legal hold on the

jobs until it is known what data requires preservation and legal teams properly preserve all relevant information. Once the

jobs are content indexed, there are several tools that can be used to identify and preserve relevant information.

• Create a case using Case Manager to identify custodians, data types, and keywords to preserve data by copying

relevant case items to a separate physical location.

• Use reference Copy to identify data types and keywords to preserve data by copying relevant items to a separate

physical location. Note that data in a Refence Copy would require a separate content indexing job to make the

data searchable in the Compliance Search interface.

• Conducting searches using the Compliance Search interface and move relevant items into a legal hold policy.

Proactive Investigation

A proactive investigation is when custodians and data types are known to legal teams during an ongoing investigation.

This allows a proactive preservation to occur by identifying, isolating and preserving relevant data into a secure physical

location. An example of a proactive investigation would be the collection of all data relevant to a new product that is

being developed. The preservation of data would include everyone involved with the product development as well as any

Email messages and documents that contain the name or patent information of the product.

Another method for proactive investigation is identifying various custodians and risk levels. For example, Corporate

executives will have all Email messages preserved for seven years and content indexed for the duration of the

preservation. Other users will have their Email messages preserved for three years but not have their messages content

indexed. Note that if an investigation is required for the users, their data can be reactively content indexed for the

investigation within the three year period the data is being preserved.

Commvault® Tools for a Proactive Investigation

There are several methods which can be used for proactive preservation of data:

• Disable data aging on specific end user systems. This preserves the data even if the data has not been content

indexed.

• Create a case using Case Manager to identify custodians, data types, and keywords to preserve data by copying

relevant case items to a separate physical location. This method requires data to be content indexed.

• Use Reference Copy to identify data types and keywords to preserve data by copying relevant case items to a

separate physical location. If keyword searches are not used, this method does not require content indexing.

Note that data in a Reference Copy would require a separate content indexing job to make the data searchable in

the Compliance Search interface.

• Conduct searches using the Compliance Search interface and move relevant items into a legal hold policy. This

method requires data to be content indexed.

• Create multiple subclients, isolating custodians within each subclient and direct the subclients to various storage

policies corresponding to retention requirements. Subclients can be selected to be content indexed or skipped for

indexing.



Responsibilities for Legal and IT Teams During an Investigation When using Commvault software and features during an investigation, it is critical for IT and legal teams to communicate.

The responsibilities will shift during the various phases but it is important to note that no investigation is static. The scope

may change based on evidence discovered during reviews. Additional data may need to be preserved and indexed. In

some cases, this data may be in cold storage and adequate time must be provided to IT teams to make the data available

for review.

During the beginning phases of an investigation (identify, and preserve), Commvault administrators must work with legal

teams to determine the scope of the investigation. Once relevant information has been identified and preserved, the legal

teams takes over digging into the information to review and produce responsive information for the investigation. This

provides a separation of powers and reduces IT responsibilities during the legal processes (review, analyze, and produce).

If legal teams discover evidence that may affect the scope of the investigation, they must communicate with IT to ensure

additional data is available for the legal teams to search.

eDiscovery IT and legal responsibilities high level concept

Preservation Methods

There are two methods for preserving data:

• Proactive preservation

• Reactive preservation

Proactive Preservation

Proactive preservation is used to identify, preserve and content index data that is actively being protected and retained.

As new data is protected by Commvault software, indexing jobs can run to make the data immediately searchable. This

provides a big advantage as legal teams can work more autonomously without the need to check with IT teams to

content index data.

Reactive Preservation

Any indexable job in Commvault storage can be retroactively indexed. This is useful when conducting investigation that

require searches on older data. Depending on the capacity of the index engine, content indexes may not be able to be

retained if the data is being retained. For example, an investigation requiring searches on data that is five years old is

required. The retention on the data is seven years but the content index retention is only set to three years. The

Commvault administrator can re-pick the five-year-old jobs to be content indexed. Once the indexing process is complete,

legal teams can conduct searches using the Compliance Search interface.



The following table details responsibilities for both legal teams and IT teams during the Identification,

Preservation, Review, and Production phases.

Identification Phase

IT Responsibilities Legal Responsibilities

• Coordinate with legal team regarding

custodians, search scope, and data types.

• IT must assess how the relevant information is currently being managed in

the Commvault environment. All data within the legal team’s defined scope

must be included in Commvault’s protected environment.

• Legal must define the scope of the search including date

ranges, relevant custodians, types of data required (Email, document types).

• Present this information to IT so they can begin preparing

data for collection, preservation, and content indexing.

Preservation Phase

• Coordinate with the legal team regarding

length of investigation.

• An IT legal hold would be required if processing and analysis of relevant data is

going to be potentially performed beyond the scope of standard retention policies.

• Configure subclients to define all relevant

data (if necessary) and direct them to a

Content Indexing enabled storage policy.

• Configure a new or existing CI enabled storage policy to content index relevant

subclient data.

• Configure a legal hold storage policy for use by the legal team.

• Legal teams must determine the length of the

investigation.

• Provide IT with the length of time data must be preserved so they can assess current data retention and destruction

policies and determine whether an IT legal hold will be required.

• If the data is going to be processed and analyzed within

the currently defined data retention policies, then the

legal team can perform any legal holds if required. Coordinate with IT so they can define legal hold policies

within the Commvault software that will be used by the legal team.

• If the length of the investigation is going to be potentially

beyond the scope of standard retention policies, IT must

place data into IT legal hold.

Review Phase

• Security can be defined to permit certain

users to have rights to searching

custodian data. Coordinate with the legal team to determine security requirements

based on each member of the legal team.

• IT can define Reference Copy policies and schedule them to run which can be used

for an ongoing investigation where new data must be collected daily. This can be

beneficial in ongoing investigations where

custodians are being actively monitored or if additional data is discovered after

the initial searches.

• Conduct initial queries using basic or advanced search.

Refinements to queries should be made to eliminate non-

relevant data. Use the advanced search options to exclude non-relevant messages, date ranges, file types, and

keywords. Strong knowledge of search and query language should be obtained through Commvault training.

• When data is moved to a review set, ensure as much non-

relevant data has been excluded from queries. The purpose of the review set is to process documents and

messages individually, comment and tag items for

relevance and follow up.



• Tags can be created by the legal team or

a list can be provided to IT to create in the CommCell Console.

• When jobs are submitted to legal hold or

export, these jobs may take some time to run and there is the possibility of object

failures if data cannot be retrieved from

backups and archives. It is essential to monitor jobs, configure alerts, and

reports. Determine what type of reports and alerts are required and which legal

team members should receive them.

• Case Manager can be used to proactively identify and

preserve items by legal teams. Items for custodians, data types, and review set items can be preserved for ongoing

investigations.

• Once all relevant data has been processed, items can be moved to a legal hold or export set.

• When jobs are submitted to legal hold or export, the jobs

may take some time to complete and there is the

possibility of object failures if data cannot be retrieved from backups and archives. Coordinate with IT so they

can set up all required alerts and reports for the legal team to receive.

Production Phase

• Once all relevant data has been

processed it is important for IT to remove any IT legal holds to ensure data

protection requirements are complying with standard data retention and

destruction policies.

• Data can be exported to CAB files, PST (Exchange), or

NSF (Lotus Notes).

• Once all relevant data has been processed coordinate with IT so they can remove any IT legal holds to comply with

defined data retention and destruction policies.

Effective Data Preservation Commvault software provides several methods for preserving data. It is important to note, from a legal and compliance

perspective, that the physical separation of compliance data from normal backup data is essential. Consider locking down

specific items for an investigation that may last five years on a disk array which is also storing normal backup data. These

disks are working hard, backing up new data, running restore operations, auxiliary copy jobs, and pruning old data off.

The potential for disk failures and data loss could result in losing months of investigative work. Commvault software

provides several methods of locking data in place and also copying data to separate physical locations.

In place preservation methods:

• IT legal holds implemented by disabling data aging operations.

• Case Manager cases where custodian data is not associated with a storage policy.

Physical copy preservation methods:

• Reference Copy implemented from the CommCell® console.

• Legal hold initiated from the Compliance Search interface.

• Case Manager cases where custodian data is associated with a storage policy.



Compliance Search Interface The Commvault Compliance Search interface is a web based tool used to conduct searches, review items, export data,

and place items into legal holds. It is also used to create and manage Case Manager policies.

Features Overview of the Compliance Search Interface

Query Sets

Complex queries can be crafted, shared and saved. Multiple queries can be used to ensure the full scope of the

investigation is being achieved. Relevant information can be moved to review sets, legal holds, or export sets.

Review Sets

When information is moved to a review set each object is typically reviewed in greater detail. At this point the items can

be tagged, filtered, or comments can be made. Multiple review sets can be used to further process information. Items in

review sets can be moved to legal hold, export sets, or additional review sets.

Comments

Comments can be added to items in a review set. Multiple comments can be added, each date and time stamped along

with who added the comment.

Tags

Items in a review set can be tagged for follow up. Along with the built-in tags, custom tags can be created by the

reviewer. Multiple tags can be assigned to individual items or by multiple items by selecting all items for tagging.

Legal hold

When the legal team places items into legal hold they will be able to associate the items with a selected legal hold policy.

The legal hold policy is a storage policies designated as a legal hold policy. When items are moved into a legal hold they

will be retrieved from previous backup or archive jobs and a new job will write them to the legal hold policy. This means

data is physically moved in Commvault protected storage which requires the media to be in libraries for a legal hold

operation to complete successfully.

Export

Members of the legal team can also add items to an export set. The export can be in CAB (compressed files), PST

(Exchange), or NSF (Lotus Notes) format. This is an operation that will retrieve the items from Commvault protected

storage and save them in the export file. The exported file can then be downloaded and managed independently of the

Commvault environment.



Accessing Compliance Web Search Console

• The Compliance web search interface is accessed from any supported web browser.

• Enter URL to access search interface (provided by Commvault administrator) http://<host name>/<web alias

name>.

• Login using Active Directory credentials. Select the domain or use <domain\username> format.

Accessing the Compliance Search interface

Compliance Search Navigation

The web interface is intuitive and easy to use on any device with a web browser. Links are clicked on from a PC or tablet

to access all options. Multiple tabbed windows are used to provide simplified navigation. Items within a search are

displayed in the center window. Contents of a selected item appear in the right window. Additional refinements based on

search results can be made in the left window.

Compliance search interface overview



My Sets

My sets are displayed in the left window by clicking the My Sets icon. Review set, legal hold, query set, export set, tag

set, job status, and case manager are displayed within my sets. Each section can be clicked on and expanded to access

information contained within the section.

Viewing My Sets

Content and Metadata Search

Commvault software manages both metadata and content indexes. Metadata includes information such as: file name and

type, date range, Email address, from, to, subject, CC, and BCC fields. Content search includes text strings within

documents, Email body, and attachments. When a search is conducted, it will seek items based on metadata search

criteria and content search criteria at the same time.

Key points regarding metadata and content index searches:

• Basic content keyword search using Boolean logic (AND, OR, NOT). Search terms are NOT case sensitive but

Boolean operators are case sensitive.

• Metadata searches use metatags for search criteria such as From:[email protected].

• Search can combine both content and metadata such as From:[email protected] AND “illegal gambling”.

• Email Metadata searches for Email address, To, From, Subject, CC, BCC, Received Time.

• File Metadata searches for type, location, modified date, and size.

• Advanced search provides a simplified method to combine both metadata and content searches.

• When searching for metadata and content, the metadata criteria is joined with the content with an AND.



Conducting Basic Searches

Basic searches require no advanced query building knowledge. A quick search returns results within milliseconds,

depending on the scope of the search. Refinements on data types, file types, custodians, and additional metadata.

Basic searches can be conducted by entering the criteria and clicking Search. Results display in the center window.

Selecting an item in the search results will display detailed content in the right window. Multiple searches are conducted

by clicking the Search tab. Note that multiple searches appear as separate navigation tabs at the top of the window.

When conducting a search, up to 50 results are displayed on the screen. Use the navigation controls to explore search

results. Use the Show Option to display either files, email messages or both. Multiple items can be selected by clicking the

check box to the left of the item or using the Control or Shift keys. Selected items can be downloaded, exported to CAB,

PST or NSF files, or added to Review, Legal Hold or Export Sets.

Basic searches provide the following:

• Basic search is used to run quick queries for content and metadata.

• Searches can use Boolean logic (AND, OR, NOT), nested statements grouped by parenthesis, and additional

search functionality (proximity, fuzzy and wildcards).

• Content searches can be entered as multiple single words separated by an operator or multiple words as a string

joined by double quotes “one two” to return exact string.

• Metadata search criteria must always be preceded by the token identifier followed by a colon such as

From:[email protected] OR To:Ksmith@*.

• When using the advanced search option, any content entered in the basic search text field will appear under the

keyword search tab.

Conducting a basic search



Selecting to view files, Emails or both

Customizing Search Columns

You can add or remove columns from the results list and sort your search results into ascending or descending order. Simply click on

the down arrow button and choose an option from the drop-down menu.

Customize search columns



Advanced Search Advanced Search provides a great deal of flexibility by providing metadata and content searches in a tabbed window

format. Clicking on the Advanced Search link will display the Advanced Search window. Metadata searches can be

conducted for email messages, files stored on a server or workstation, and files embedded within email messages.

Content searches are conducted within email messages and files using simple keyword search or complex query

construction.

The query builder provides an area to craft complex queries and validate queries prior to running them. Both content and

metadata search criteria can be entered in the query builder. When using the query builder tab, any search terms in the

keyword tab are ignored.

Advanced Search Options and Tips

• Tabs are used to navigate and enter metadata and content search criteria.

• Search criteria for all pages are combined into a single search query.

• Content searches entered in the query builder or keyword tab are joined with an AND against all metadata search

criteria.

• When using the query builder tab, criteria entered in the keyword tab is ignored.

• Use the Search Criteria page to view a summary of the entire query.

• All fields in each search page are customizable.

• When entering search criteria into a field, multiple criteria can be entered separated by a semicolon.

• Wildcards * and ? are supported when entering field criteria.

Advanced search interface overview



Field and Inter-Field Logic

Understanding how fields are populated with content, the operator to join multiple criteria within a field, and how multiple

fields are joined is essential to ensure accurate results are displayed.

A field contains three components:

• Token - Allows you to select the search object for the field such as email address, subject field, domain user, or

filename. Tokens can be modified by selecting the drop-down box. If a token is changed, any criteria entered in

the field is discarded.

• Operand - Allows you to enter search criteria such as [email protected] or file *.PDF or john smith. Multiple

entries can be made within the operand component of a field with a semicolon separating each entry.

• Operator - Determine the logic AND, OR, NOT that will be used for multiple criteria within the same operand

field.

Fields can be added with the + button to the right of the first field or removed with the X button to the right of the field

you want to remove. To simplify the search interface, consider removing any fields that are not required.

Field logic

Field logic determines how multiple criteria is joined based on the token selected. You can use AND, OR, or NOT for most

field tokens.

Example:

A search is being conducted for the email addresses JDoe* AND [email protected]. Since it is uncertain what domain

JDoe belongs to, an asterisk wildcard is used. Each entry in the operand field is separated with a semicolon. The field

logic is set to AND, which means only messages that contain both email addresses are displayed.

The search logic is: (JDoe* AND [email protected])

Example of multiple search criteria within an operand field



Inter-field logic

The Inter-Field Operator determines the logic in which multiple fields will be joined. This means an individual field can

have multiple search criteria joined by an AND, and multiple fields can be joined with an OR.

Example:

A search is being conducted for the email addresses JDoe* OR [email protected]. Any messages that contain the word

‘gambling’ must be returned. However, to limit results, any subject that includes the words ‘football’ or ‘hockey’ should

not be displayed. We also want to eliminate any messages from any address from xyz.com or [email protected].

Each field is populated with the proper criteria and the Inter Field Operator is set to AND.

The search logic is: (JDoe* OR [email protected]) AND NOT (football OR hockey OR From:*@xyz.com OR

From:[email protected])



Group Logic

Multiple field groups can be added within a metadata search tab. This is most commonly used when multiple fields within

a group must be joined with a different operator. This can also be used to simplify the view of complex queries.

• Groups allow for additional sets of fields to be used.

• This allows separate Inter-Field operators to be used for different groups.

• The Group Operator determines the logic in which multiple groups are joined.

• Use groups for logic such as: ((a AND b AND c) OR (d AND E)) AND ((f OR g) AND (h AND I)).

Example:

A search is being conducted for Email addresses [email protected] AND [email protected] that contains ‘vacation’ in

the subject. In addition, any message from jdoe* AND contains the subject “trip to vegas” should be included. To

accomplish this, two separate inter-field operators are required. An AND for student and jsmith that must contain

“vacation” in the subject, and an OR for any message from jdoe or any message that contains “trip to vegas”.

The search logic is: (([email protected] AND [email protected]) AND ((Conv:vacation”)) OR ((From:Jdoe) OR

Conv:”trip to vegas”))

Group logic example



Email Search Guidelines

• Email tab is used to search Email metadata – use the keyword or query builder tab to search Email body and attachment contents.

• Use the token fields: From, To, Cc, or Bcc to search for email addresses or display names specifically in those

fields.

• Use the Email address field to search for specific Email addresses regardless of what token field they appear in.

• Enter multiple search terms on the same line by using a semicolon to separate each value: jdoe; jane smith; *@cv.com

• Methods for entering Email addresses: Full Address: [email protected]

Partial address domain not known: jdoe@*

Partial address user not known, domain known: *@cv.com

• Methods for searching display names or aliases:

Search for display name: John Doe (must be exactly as appears)

Search for display name (last, first name): “doe, john”

Search for display name partially known: john

• Use the field operator AND, OR, NOT to determine the logic for multiple search terms within the same field. Jdoe*; jane smith with AND operator returns results that contain both terms.

Jdoe*; jane smith with OR operator returns results with either term.

Jdoe*; jane smith with NOT operator returns results that do NOT contain these terms.

• Use the inter-field operator to determine the logic for ALL fields within a field group.

TO field with jdoe*; Jane smith with the OR operator and FROM field with Hwhite* with NOT operator and the inter-field operator set to AND will return messages sent TO jdoe OR jane smith, but NOT if they came from hwhite*.

• Use multiple groups to specify different inter-field logic AND, OR, NOT for fields within each group.

• Design searches to limit search scope to relevant data. Run query, assess results and modify query to focus

search results. Subject Field

• Enter phrase or keywords contained in the subject field.

• Use double quotes “this is a phrase” to search for an exact phrase.

Attachment Name

• To search for messages with specific attachments use this field to search for document titles.

• To search for attachments with specific file types enter *.<file extension> such as *.jpg or *.doc (which will also return DOCX results).

Received Time

• Use these fields to narrow the search scope to specific date ranges.

Keyword Page

• Use the keyword search options to search for specific terms within the body or attachments of the message.

mailto:*@cv.com



Query Builder Page

• The Query builder allows for elaborate search options for body and attachments using Boolean and proximity

searches to narrow search scope.

File Search Guidelines

• File names and / or file extensions can be added to search criteria using wildcards: *.pdf or *.DOC*.

• Wildcards can be used to search partial filename with extension: holiday*.pdf returns all PDF files that start with

holiday.

• Specify a folder to limit the file search.

• Keyword or query builder can be used to search specific files or file types containing content search criteria: *.pdf

in file tab and “top secret” in keyword search returns all PDF files with “top secret” in the content.

• Use the size settings to limit results based on file size.

File Search tab search criteria

Discovery Search Guidelines

• Use the discovery tab to search based on domain users, domain groups, or files accessed by specific users or

groups.

• When typing characters into a field, suggestions matching characters are displayed.

• Domain users and group searches can be refined to return files, Emails, or both.



Discovery Search tab search criteria

Client Search Guidelines

• The client search tab is used to search for files and / or Emails on a specific client or items preserved in a Case

Manager case.

• Files, Emails or both can be searched.

• Use ‘Filter by client name’ field to locate a specific client system or Case Manager case.

Client Search tab search criteria



Query Builder

The Query Builder tab is used to craft more complex content queries. Although metadata search criteria can be entered in

the query builder, it is a best practice to enter metadata search criteria in the metadata tabs such as Email and File.

When using the query builder, any search criteria that was entered in the Keyword field is ignored.

Key points using the Query Builder:

• Search criteria can be entered in the basic search, keyword search, or query builder.

• Once the search criteria is entered in the query builder tab, keyword criteria is ignored.

• Enter operator logic terms AND, OR, NOT in capital letters to make queries easier to read.

• If no operator is entered between words that are not in double quotes, an AND is used to join terms.

• Searches can be conducted for content and metadata . Metadata searches are conducted using token name

followed by a colon and then the search criteria (From:[email protected]).

• Always test a query by clicking the Validate Query button prior to executing the query.

Search example:

((From:jdoe@* OR From:*@abc.com) AND (“illegal” OR “football betting”)) AND NOT ((To:[email protected] OR

To:[email protected]) AND (conv:”hockey betting” OR hockey))

This search will return messages from jdoe@* (domain not known) or from anyone at abc.com that must contain the

word “illegal” or string “football betting” but NOT to jsmith or Bcarter at xyz.com and not with the subject line “hockey

betting” or “hockey”.



Common search options using the query builder tab

How it works Examples Notes

AND Returns results that contain ALL

search terms

Blue AND red Returns items that contain both blue and red

Blue AND “red green” Returns items that contain both blue and ‘red green’ as an exact string

OR Returns results

that contain Any search terms

Blue OR red Returns items that contain either blue or red

Blue OR “red green” Returns items that contain either blue or ‘red green’ as an exact string

NOT Returns results

that do NOT contain search

terms

Blue OR red NOT green Returns items that contain either blue or red but do

not contain green

Blue OR red AND NOT green Returns same result as above

Search groupings

Use parenthesis to group terms

(blue OR red) AND green Returns items that have either blue or red and also must contain green

((blue OR red) AND (green OR orange)) NOT (purple or

yellow)

Returns items with either blue or red but must also contain either green or orange but not contain

purple or yellow

Searching exact strings

Use double quotes e.g. “ one two “

“big fish” AND blue Returns items that have the exact string ‘big fish’ and contain the word blue

Proximity

search ~<number>

Search for multiple

words that must appear within

defined proximity

“big fish”~3 Returns items where big and fish are within three

words e.g. “big blue fish” or “big blue swimming fish”

Fuzzy search ~

Search terms that are similar in

spelling

Blu~ AND fsh~ Returns items with words spelled similar such as blue and Fish

Wildcard search

* Or ?

? Replaces one character

* Replaces any characters before

or after

?et Returns items bet, get, vet, set…

Bet* Returns items that start with ‘bet’ e.g. bet, betting, better

*ing Returns items that end in ‘ing’ e.g. betting,

gambling, swimming, etc…

Metadata

Token searches

Used to search

metadata fields

From:[email protected] Searches for Email messages from [email protected]

“blue fish” and Datatype:2 Returns Email messages that contain the string ‘big

fish’ . Datatype:1 = files and 2=Email



Query Sets You can conduct simple queries by entering search criteria in the main search field. When conducting queries using the

Advanced Search options, queries become a bit more complex. As queries are constructed and results viewed, the query

can be modified to exclude non-relevant results. When constructing more complex queries, you can save the queries in a

Query Set to run again later. Saving a query also provides details about the scope of the query for legal and compliance

purposes. If multiple queries are being conducted for a specific investigation, create a Query Set for the investigation and

save all queries within the set.

It is critical that queries are saved to a query set as the query is not saved automatically

Saving a query to a query set

Review Sets • Review sets are used to individually investigate items.

• Individual or multiple items can be tagged for further review. Standard and custom tags can be applied to items.

• Comments can be added to items, each with user, date and time stamps.

• Items from one review set can be moved to another review set to create an investigation workflow.

• Security to review sets can be configured to grant and restrict user rights based on the following: add/append,

delete, retrieve/download, and view.



Adding items to a review set

Create a New Review Set

When creating a review set, the options to create a ‘Classic’ or ‘Custom’ review set are available. The ‘Custom’ review set

provides the ability to remove duplicate items from the review set. Removing duplicate items can be further customized

by Email metadata or file metadata to determine how duplicate items are identified.

Creating a new review set



Viewing items in a review set

Customizing review set columns



Comments

Comments can be added to individual items by selecting it and clicking the Comment link. Each comment is date and time

stamped and includes the name of the reviewer who entered it. Multiple comments are displayed within the comment

window for easy viewing of multiple comments. Comments can also be edited and deleted.

Adding comments to an item in a review set



Tags

One or more items can be tagged by selecting the items and clicking ‘Manage Tag’. Tags are categorized by common,

discovery, health safety records, and personal records. Additional tags and tag categories, referred to as Tag Sets can be

added. To view tags associated with items in the review set, add the ‘Tag(s)’ column to the review set window.

Adding and managing tags in a review set



Add Items to Review Sets

Items can be added from one review set to another by selecting items and clicking ‘Add To’ and then ‘Review Set’. Using

multiple review sets within an investigation provides a means to create a full review process where different reviewers at

different stages of the investigation can review just items they are responsible for.

Adding items from a review set to a new review set



Legal Hold Sets Legal Holds are used to apply specific retention policies to items to ensure their availability for legal and compliance

purposes. Items can be placed in Legal Hold from Review Sets or search results. When items are placed in a Legal Hold,

the items are physically retrieved from Commvault protected storage and copied to the Legal Hold location. The items are

retained based on the Legal Hold policy settings or until the case is closed.

Legal Hold policies must be set up by Commvault administrators. Policies can be set to create one or more copies of the

items and retention can be defined for each copy. This provides the option of storing hold items onsite and offsite for

complete protection and preservation of compliance data. It is recommended to always have at least one copy onsite and

one offsite.

Different Legal Hold policies can be created for different purposes. Standard Legal Hold policies can be created for

specific time ranges such as five year, ten year, or infinite. Legal Hold policies can also be purpose based, such as the

name of an investigation or a policy to hold all executive email messages. The most common method of using legal hold

sets is to set the legal hold retention policy to infinite. This ensures all data is preserved for the duration of the case.

Coordinate with your Commvault® administrators to effectively plan and implement Legal Hold policies.

Key points for legal holds:

• Legal Hold sets can be used to copy items to a legal hold retention policy.

• Retention policies (storage policies) must be configured in the CommCell® console.

• Items are physically moved to legal hold sets. Depending on the number of items copied, this operation can take

a lot of time.

• Legal hold operations can be monitored in the job status view.

• Items in legal holds can later be exported as a CAB file from the web search console or through the CommCell

console.

Adding items to a legal hold



Creating a new legal hold

Export Sets Export Sets are used to collect multiple items and compress them for export for external processing. Items can be moved

to an Export Set from search results, Review Sets or Legal Holds. When items are moved to an Export Set, they are

retrieved from Commvault storage and copied to a location where the items are compressed into a CAB, PST or NSF file.

Once the export process completes, the compressed file can be downloaded.

Key points for export sets:

• Export sets can be used to copy items to a compressed CAB, PST, or NSF file.

• Compressed files are stored on the web search server and can be downloaded to the local system once complete.

• Items are physically moved to export sets. Depending on the number of items copied, this operation can take a

lot of time.

• Items successfully moved or failed during export can be viewed.

• Manifest of export set can be viewed and downloaded.



Exporting items to an export set

Viewing export sets



Creating and Managing an Effective Search Process Although a complicated search process is not required in many situations, it can be useful for complex investigations or

when defining a comprehensive search process involving multiple personnel. It is important to note that in many

investigations the scope may expand based on evidence discovered during the search process. Additional custodians, data

types, and date ranges may be required. This would result in additional data preservation, possible content indexing of

the data, and adjusting queries or creating additional queries.

Sample search workflow process

Preliminary Searches

Prior to crafting complex queries, a preliminary search should be conducted. In some cases, this may be all that is

required. For example, all items that have “illegal gambling” may require investigation. A basic search is all that is

needed. Another example would be identifying all Email messages that have [email protected]. In this case, enter the

user’s mailbox in the Email Address field.

The following provides a more detailed breakdown of the search process:

Identify

• Identify custodians including: Email address, display name, titles, and folder locations for owned data.

• Determine relevant data types including: document types, PST files and if mailbox journaling has been

implemented.



Search

• Conduct basic keyword searches to include and/or exclude search terms and patterns.

Refine

• Use refinements to search for specific file types.

• Use the option Show to show only documents, email, or show both.

• Search within results to further refine search results by adding search terms and patterns.

Process

• Use Advanced Search to reduce search scope to specific custodians, folder locations, or Domain users/groups.

• Use the Query Builder to craft complex queries.

• Repeat query and refinement processes to limit results that will be moved to review set.

Review

• Review Sets are created to move relevant query results to review set.

• Items can be individually reviewed.

• Comments can be added for follow up and further investigation.

• Tags such as responsive, non-responsive, or privileged can be applied to items.

Analyze

• Audit processes for integrity, reviewer productivity, and quality assurance.

• Assess the scope of the review and determine if results meet the scope of the investigation.

• Based on analysis determine if additional searches, queries, and reviews will be necessary.

• Use multiple review sets to delegate search responsibility to proper team members.

Preserve

• Place responsive data into legal hold or export set.

• Custodian items can be locked down by Case Manager.

Produce

• Export data from query, review set, or legal hold.

• Export in CAB, PST, or NSF format.

• Items can also be exported by the Commvault administrator from the CommCell® Console.



Case Manager Case Manager is used to identify custodian data protected by Commvault® software and apply a legal hold to all items

defined within the case. All custodian items managed by the case are ‘locked’ in storage until the custodian is removed

from the case or the case is deleted. The items can be locked in place or copied to a separate physical location. Case

Manager is designed to be a short to intermediate term legal hold until relevant items can be identified and preserved

through export sets or legal hold sets.

Key points for using Case Manager:

• Cases are created and associated with a retention storage policy. Items can be held in place or moved to another

storage policy.

• Custodians added to the case will have legal hold retention policies applied to all relevant items. Retention length

is determined by the storage policy associated with the case.

• Additional custodians can be added to the case at any time.

• Preserved custodian data can be viewed and searched. Selected items can be moved to review sets for

comments, tagging and to create a legal workflow process.

• Custodian data can be exported to a CAB file. This would create a separate copy of selected items that can be

downloaded for data preservation, additional analysis outside of the search console, or to provide to opposing

counsel.

• Custodian data can be copied to a legal hold set. This would create a separate copy of selected items from the

case for long term archive.

• When custodians are removed from the case the legal hold will be released and files will age based on normal IT

retention policies.

• When cases are deleted, all custodian files will be released from legal hold and the files will age based on normal

IT retention policies.

• Information about deleted cases will remain in the system for auditing and reporting purposes.



Creating a Case Using Case Manager

Case Manager is a component of the Compliance Search interface. Cases, can be created, edited, and deleted.

Access Case Manager in the Compliance Search interface

l

Overview of Case Manager Sections

To create a case, there are several categories where case criteria is entered:

• Basic details is used to enter the name, case number, and notes of the case. The setting to create a legal copy

of data or preserve data in place is also entered in the basic details.

• Custodian data source is used to enter the names of case custodians. When typing in the name of a custodian,

based on Active Directory membership, names matching the typed characters will appear for simplified selection

of custodians. Custodian data sources including Email, desktop/laptops owned by the custodian, journal hold

Email, and additional file servers can be added.

• Non custodian data source is used to add existing review sets to the case. It is important to note that review

sets do not place a hold on data so including review set items in a case will lock down relevant items.

• Filter criteria provides keyword and metadata search criteria. It is important to note that only relevant items

that meet filter criteria will be included in the case.

• Add reviewers allows the case to be shared with other reviewers.

• Schedule is used to set a schedule for item collection and preservation.

• Preview and save is used to review to ensure the case has been properly configured. Note that settings within

the case can be modified after the case is created.



Case Manager sections view

Creating a new case



Custodian Data Sources

Custodians relevant to the case are added by clicking the plus (+) button in the upper-right side of the case window.

Begin typing the custodians name and domain users matching the typed characters are displayed to simplify custodian

selection. Multiple custodians can be added using a comma to separate each name.

Adding Custodians to a case

Data sources define what source locations custodian data will be searched in. Custodian sources includes desktops and

laptops owned by the custodian, Email messages, and journaled Email messages. Additionally, file servers can be included

as a data source, but the data from this source is not tied to a specific custodian. When defining file server data sources,

only items that meet the filter criteria are preserved as part of the case.



Adding data sources to a case



Non Custodian Data Source

Review sets are used to place selected items into a review where comments and tags can be added to items. Review sets

do not preserve or modify retention on items. This means that normal retention rules still apply to the data. This can

result in items in the review set being pruned from storage before a review is complete. Case Manager can be used to

preserve items from a specific review set. It is important to note that when adding a review set to a case, all case criteria

including custodians, content search criteria, and metadata search criteria are factored into which items are preserved

within the review set. If all items need to be preserved, do not set any other search criteria in the case.

Adding a review set to a case



Filter Criteria

The filter criteria section is used to add content and metadata search criteria to the case. One or more fields can be

added to determine specific search criteria within the case. Filter criteria applies to all custodian data sources, non-

custodian data sources, and review sets.

Adding content and metadata filter criteria to case



Add Reviewers

A case can be shared with other reviewers by using the Add Reviewers section in Case Manager. One or more reviewers

can be added by typing the name in the ‘Type Reviewer name’ field. A list of users matching the characters entered into

the field are displayed to simplify the process. Multiple reviewers are displayed in the text field.

Sharing a case with other reviewers



Schedule

Creating a case defines what criteria is used to collect and preserve case items. The process of collecting the items must

be scheduled. Schedules can be set to run daily or weekly at a specific time. If the case is configured to use a storage

policy to physically copy items, each time the job runs, relevant items are physically copied to a separate storage location.

This process can take some time depending on how many items match the search criteria. It is important to coordinate

case schedules with Commvault administrators to determine the best schedule frequency and time to run Case Manager

jobs.

Scheduling data collection for case

document does not give you any license to commvault’s

Documents