document does not give you any license to commvault’s
TRANSCRIPT
Information in this document, including URL and other website references, represents the current view of Commvault Systems, Inc. as of the date of publication and is subject to change without notice to you.
Descriptions or references to third party products, services or websites are provided only as a convenience to you and
should not be considered an endorsement by Commvault. Commvault makes no representations or warranties, express or implied, as to any third-party products, services or websites.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious. Complying with all applicable copyright laws is the responsibility of the user. This document is intended for distribution to
and use only by Commvault customers. Use or distribution of this document by any other persons is prohibited without
the express written permission of Commvault. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Commvault Systems, Inc.
Commvault may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Commvault, this document does not give you any license to Commvault’s intellectual property.
COMMVAULT MAKES NO WARRANTIES OF ANY KIND, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED IN THIS DOCUMENT.
©1999-2018 Commvault Systems, Inc. All rights reserved
Commvault, Commvault and logo, the “C” logo, Commvault Systems, Solving Forward, SIM, Singular Information Management, Simpana, Commvault Galaxy, Unified Data Management, QiNetix, Quick Recovery, QR, CommNet, GridStor,
Vault Tracker, InnerVault, QuickSnap, QSnap, Recovery Director, CommServe, CommCell, IntelliSnap, ROMS, Simpana OnePass, CommVault Edge and CommValue, are trademarks or registered trademarks of Commvault Systems, Inc. All
other third party brands, products, service names, trademarks, or registered service marks are the property of and used to identify the products or services of their respective owners. All specifications are subject to change without notice.
All right, title and intellectual property rights in and to the Manual is owned by Commvault. No rights are granted to you
other than a license to use the Manual for your personal use and information. You may not make a copy or derivative work of this Manual. You may not sell, resell, sublicense, rent, loan or lease the Manual to another party, transfer or
assign your rights to use the Manual or otherwise exploit or use the Manual for any purpose other than for your personal use and reference. The Manual is provided "AS IS" without a warranty of any kind and the information provided herein is
subject to change without notice.
eDiscovery Compliance Search
Commvault® Education Services Page 3 of 46
About this Document
This document is intended for all audiences and is current as of the software version and service
pack stated in the top left corner of the page.
This document is updated every three to six months depending on feature changes to Commvault®
software. The date of publish is within the document title, e.g. 170530 indicating a publish date of
May 30, 2017, and the date appears in the top right-hand side of each page. New and updated
sections are indicated in the revision history section with hyperlinks to each section and appear with
a RED heading and darker text for easy identification. For updated versions of this document, contact
us at: [email protected]
Whether an employee, partner, or customer; we all want to work collectively to provide the best
technical education material possible. If you have ideas to improve this document or corrections to
existing content, please contact us as: [email protected]
Authors
Frank Celauro, Irene Grimaldi, Carl Brault
Edited by: Madelyn Moalam
Revision History
Link Date Contributing
Author
Notes
May 30, 2017 Initial document release
September 1,
2018
Updates
For comments, corrections, or recommendations for additional content,
contact: [email protected]
eDiscovery Compliance Search
Commvault® Education Services Page 4 of 46
Contents About this Document ............................................................................................................................................... 3
Authors ................................................................................................................................................................... 3
Revision History ....................................................................................................................................................... 3
eDiscovery Overview ................................................................................................................................................ 5
The eDiscovery Process and Commvault® Software ................................................................................................... 5
Proactive and Reactive Investigations ....................................................................................................................... 7
Reactive Investigation .......................................................................................................................................... 7
Proactive Investigation ......................................................................................................................................... 8
Responsibilities for Legal and IT Teams During an Investigation ................................................................................. 9
Preservation Methods ........................................................................................................................................... 9
Effective Data Preservation .................................................................................................................................... 11
Compliance Search Interface .................................................................................................................................. 12
Features Overview of the Compliance Search Interface ......................................................................................... 12
Accessing Compliance Web Search Console ......................................................................................................... 13
Compliance Search Navigation ............................................................................................................................ 13
Content and Metadata Search ............................................................................................................................. 14
Conducting Basic Searches .................................................................................................................................. 15
Advanced Search ................................................................................................................................................... 17
Field and Inter-Field Logic ................................................................................................................................... 18
Group Logic ....................................................................................................................................................... 20
Email Search Guidelines ...................................................................................................................................... 21
File Search Guidelines ......................................................................................................................................... 22
Discovery Search Guidelines ................................................................................................................................ 22
Client Search Guidelines ..................................................................................................................................... 23
Query Builder ..................................................................................................................................................... 24
Query Sets ............................................................................................................................................................ 26
Review Sets .......................................................................................................................................................... 26
Legal Hold Sets ..................................................................................................................................................... 32
Export Sets ........................................................................................................................................................... 33
Creating and Managing an Effective Search Process ................................................................................................. 35
Case Manager ....................................................................................................................................................... 37
Creating a Case Using Case Manager ................................................................................................................... 38
eDiscovery Compliance Search
Commvault® Education Services Page 5 of 46
eDiscovery Overview eDiscovery is the process of proactively or reactively conducting content searches on information within an environment.
This is most commonly used during litigation cases to discover relevant information for an investigation. This information
is made up of custodians, individuals directly or indirectly related to the case, date ranges, and information, contained
within messages and documents. The eDiscovery process requires several steps to identify, preserve, review, and
produce responsive information.
eDiscovery investigation high level concept
The eDiscovery Process and Commvault® Software Understanding the eDiscovery process using Commvault software is essential for a complete investigation. IT and legal
communication is essential during all phases of the process.
The eDiscovery process using Commvault software includes the following steps:
• Identify data for investigation including custodians, relevant data types, and data ranges.
• Preserve data using IT holds or litigation holds.
• Content index data.
• Create a legal review workflow process.
• Conduct basic and advanced searches for relevant information.
• Move relevant items to Review sets for deeper analysis including tagging and adding comments.
• Move responsive items to legal holds or export sets.
• Produce responsive items for investigation as CAB, PST, NSF and HTML files.
• Release non-relevant data from legal holds.
Identify data for investigation
The first part of identifying data is knowing the type and location of the data. This is primarily Email but also can include
documents which may be on servers or personal computers. The legal team should communicate as much information to
the IT team so they can quickly identify the location of the data to be preserved. Along with what type of data must be
preserved, the date range and relevant custodians must also be provided.
In modern environments, it is quite common for user data not to be in central locations. Using Commvault features
including end user desktop and laptop agents provides a longer reach of what data can be identified. An understanding of
what users are doing with their data can assist when an investigation arises.
eDiscovery Compliance Search
Commvault® Education Services Page 6 of 46
Preserve data
Once data is identified it must be preserved. In certain cases, especially when it is unclear what data must be preserved,
an IT legal hold is implemented. This can be accomplished in several ways:
• Disabling data aging operations for storage policy copies, clients, or the entire CommCell® environment.
• Using Reference Copy to preserve files and Email messages on certain production systems. Reference Copy
configuration is typically implemented by Commvault administrators with guidance from legal teams.
• Using Case Manager to preserve files and Email messages owned by custodians. It is important to note that file
ownership is tied to system ownership which means that Case Manager is suitable when managing end user data
such as laptops and desktops. Server data such as file shares and home folders can be included but it is not tied
to a specific custodian. Filter criteria such as file types and key words can be used to determine which server data
is preserved in the case. Case Manager implementation is typically handled by legal teams.
A critical point in the data preservation process is that data is managed independently from standard corporate retention
policies. A standard policy of 30 – 60 days may be used for normal business operations which would not be adequate for
an investigation that may span multiple years. Disabling data aging is a temporary method to preserve data but can come
at a significant cost in extra storage requirements. Reference Copy and Case Manager physically copies data to an
alternate storage location providing a more efficient long term storage solution.
Content index data
Content indexing is required to conduct full content searches for Email messages and files. In some environments content
indexing is an ongoing process. This allows investigations to be conducted with minimal communication with IT teams,
although it is still critical to check with Commvault administrators to ensure all indexing operations are up-to-date based
on the scope of the investigation. Content indexes can exist for the entire retention time of the data or indexes can be
pruned prior to data exceeding retention. Any indexable data that exists in a Commvault environment can retroactively be
content indexed. It is always important to establish the data types, custodians, and date ranges to ensure all required
data is preserved and content indexed.
Legal Review Workflow Process
Although searches can immediately be conducted, a good practice is to establish a workflow process. This includes who
will be investigating and at what stage they will be actively involved. At this point a workflow can be established by
defining query sets and review sets. Multiple sets can be defined and permissions can be assigned to ensure a secure
workflow process.
Conduct basic and advanced searches for relevant information.
At the start of the review process, basic and advanced queries can be crafted to begin identifying relevant information.
Queries are then modified to remove non-relevant information and narrow the scope of search results. Multiple queries
can be crafted and saved to query sets to simplify the process and divide responsibilities when multiple legal team
members are involved. It is critical that all queries are saved in a query set to ensure a complete and defensible
investigation.
In some cases, relevant items are immediately exported or placed in legal hold retention policies. This is common for
basic investigation or in early case assessment situations where items are to be exported and presented to others or
analyzed using third party software.
eDiscovery Compliance Search
Commvault® Education Services Page 7 of 46
Move relevant items to Review sets
Once queries are crafted, relevant items can be moved to one or more review sets. Review sets provide a more granular
method of investigation where comments can be added to items and items can be tagged. Multiple review sets can be
created in a cascading manner when multiple levels of investigation are required. For example, the primary review set can
be used for a high-level investigation to identify and tag potentially relevant items. These items can then be moved to
another review set for a deeper analysis. This also is used to create a workflow where different individuals at different
phases of the investigation can analyze items for relevance, non-relevance, or attorney-client privilege.
Move responsive items to legal holds or export sets
Throughout the investigation process, relevant items are reviewed to determine if they are responsive – all items within
the scope of the investigation. These items can be moved to a legal hold or an export set. Both operations create physical
copies of items and it is important to note that depending on how many items are included, this process can take some
time.
A legal hold, in the context of the Commvault Compliance Search interface, copies items to a separate physical location
and a specific retention is placed on these items. Legal hold retention policies are defined by the Commvault
administrator with the assistance of legal teams. Legal hold retention policies can be named based on a case, retention
terms such as 5-year hold, or any other naming convention required by the organization.
A common practice is to have a legal hold policy using infinite retention. This guarantees the
preservation of data for the life of the investigation. Once the investigation is closed, the legal hold
data can be released.
Export sets take selected items and immediately exports them to a compressed file such as CAB, PST, NSF or HTML. The
export process may take some time to complete depending on how many items must be copied to the compressed file.
The export file can then be downloaded directly to the local computer. It is important to note that placing items into an
export set does not change the retention of items in Commvault protected storage.
Produce responsive items
Once all items are placed in a legal hold or and export file, they can be exported outside of the Commvault environment.
Release data from legal holds
Legal holds, implemented by IT, can be released if it is determined that all responsive information has been produced or
the investigation is closed. If it is uncertain that all information has been gathered, it may be necessary to maintain the
legal holds. Note that Commvault has additional features including Commvault OnePass archiving, storage to cloud, and
SILO storage which can be implemented to hold on to data for extended periods of time.
Proactive and Reactive Investigations When a case is initiated, it could be conducted as a reactive or proactive investigation. The differences between these will
determine how data is identified, preserved, and indexed; as well as which Commvault eDiscovery tools provide the most
efficient methods to process the case.
Reactive Investigation
A reactive investigation is typically a case where data that is preserved in storage but is not indexed or the indexes have
been pruned. An example of this would be a harassment case with a former employee and a manager. The relevant
custodians and time range for the investigation consists of Email messages dating back two years ago. The Email
messages have been preserved but they have not been content indexed. The Commvault administrators will need to run
content indexing jobs on the older data for the legal teams to conduct their searches to identify relevant items for the
investigation.
eDiscovery Compliance Search
Commvault® Education Services Page 8 of 46
Commvault® tools for a Reactive Investigation
In order to conduct a reactive investigation, the jobs the data resides in must be retained in Commvault storage. The jobs
are picked or re-picked for content indexing. This may require Commvault administrators to place an IT legal hold on the
jobs until it is known what data requires preservation and legal teams properly preserve all relevant information. Once the
jobs are content indexed, there are several tools that can be used to identify and preserve relevant information.
• Create a case using Case Manager to identify custodians, data types, and keywords to preserve data by copying
relevant case items to a separate physical location.
• Use reference Copy to identify data types and keywords to preserve data by copying relevant items to a separate
physical location. Note that data in a Refence Copy would require a separate content indexing job to make the
data searchable in the Compliance Search interface.
• Conducting searches using the Compliance Search interface and move relevant items into a legal hold policy.
Proactive Investigation
A proactive investigation is when custodians and data types are known to legal teams during an ongoing investigation.
This allows a proactive preservation to occur by identifying, isolating and preserving relevant data into a secure physical
location. An example of a proactive investigation would be the collection of all data relevant to a new product that is
being developed. The preservation of data would include everyone involved with the product development as well as any
Email messages and documents that contain the name or patent information of the product.
Another method for proactive investigation is identifying various custodians and risk levels. For example, Corporate
executives will have all Email messages preserved for seven years and content indexed for the duration of the
preservation. Other users will have their Email messages preserved for three years but not have their messages content
indexed. Note that if an investigation is required for the users, their data can be reactively content indexed for the
investigation within the three year period the data is being preserved.
Commvault® Tools for a Proactive Investigation
There are several methods which can be used for proactive preservation of data:
• Disable data aging on specific end user systems. This preserves the data even if the data has not been content
indexed.
• Create a case using Case Manager to identify custodians, data types, and keywords to preserve data by copying
relevant case items to a separate physical location. This method requires data to be content indexed.
• Use Reference Copy to identify data types and keywords to preserve data by copying relevant case items to a
separate physical location. If keyword searches are not used, this method does not require content indexing.
Note that data in a Reference Copy would require a separate content indexing job to make the data searchable in
the Compliance Search interface.
• Conduct searches using the Compliance Search interface and move relevant items into a legal hold policy. This
method requires data to be content indexed.
• Create multiple subclients, isolating custodians within each subclient and direct the subclients to various storage
policies corresponding to retention requirements. Subclients can be selected to be content indexed or skipped for
indexing.
eDiscovery Compliance Search
Commvault® Education Services Page 9 of 46
Responsibilities for Legal and IT Teams During an Investigation When using Commvault software and features during an investigation, it is critical for IT and legal teams to communicate.
The responsibilities will shift during the various phases but it is important to note that no investigation is static. The scope
may change based on evidence discovered during reviews. Additional data may need to be preserved and indexed. In
some cases, this data may be in cold storage and adequate time must be provided to IT teams to make the data available
for review.
During the beginning phases of an investigation (identify, and preserve), Commvault administrators must work with legal
teams to determine the scope of the investigation. Once relevant information has been identified and preserved, the legal
teams takes over digging into the information to review and produce responsive information for the investigation. This
provides a separation of powers and reduces IT responsibilities during the legal processes (review, analyze, and produce).
If legal teams discover evidence that may affect the scope of the investigation, they must communicate with IT to ensure
additional data is available for the legal teams to search.
eDiscovery IT and legal responsibilities high level concept
Preservation Methods
There are two methods for preserving data:
• Proactive preservation
• Reactive preservation
Proactive Preservation
Proactive preservation is used to identify, preserve and content index data that is actively being protected and retained.
As new data is protected by Commvault software, indexing jobs can run to make the data immediately searchable. This
provides a big advantage as legal teams can work more autonomously without the need to check with IT teams to
content index data.
Reactive Preservation
Any indexable job in Commvault storage can be retroactively indexed. This is useful when conducting investigation that
require searches on older data. Depending on the capacity of the index engine, content indexes may not be able to be
retained if the data is being retained. For example, an investigation requiring searches on data that is five years old is
required. The retention on the data is seven years but the content index retention is only set to three years. The
Commvault administrator can re-pick the five-year-old jobs to be content indexed. Once the indexing process is complete,
legal teams can conduct searches using the Compliance Search interface.
eDiscovery Compliance Search
Commvault® Education Services Page 10 of 46
The following table details responsibilities for both legal teams and IT teams during the Identification,
Preservation, Review, and Production phases.
Identification Phase
IT Responsibilities Legal Responsibilities
• Coordinate with legal team regarding
custodians, search scope, and data types.
• IT must assess how the relevant information is currently being managed in
the Commvault environment. All data within the legal team’s defined scope
must be included in Commvault’s protected environment.
• Legal must define the scope of the search including date
ranges, relevant custodians, types of data required (Email, document types).
• Present this information to IT so they can begin preparing
data for collection, preservation, and content indexing.
Preservation Phase
• Coordinate with the legal team regarding
length of investigation.
• An IT legal hold would be required if processing and analysis of relevant data is
going to be potentially performed beyond the scope of standard retention policies.
• Configure subclients to define all relevant
data (if necessary) and direct them to a
Content Indexing enabled storage policy.
• Configure a new or existing CI enabled storage policy to content index relevant
subclient data.
• Configure a legal hold storage policy for use by the legal team.
• Legal teams must determine the length of the
investigation.
• Provide IT with the length of time data must be preserved so they can assess current data retention and destruction
policies and determine whether an IT legal hold will be required.
• If the data is going to be processed and analyzed within
the currently defined data retention policies, then the
legal team can perform any legal holds if required. Coordinate with IT so they can define legal hold policies
within the Commvault software that will be used by the legal team.
• If the length of the investigation is going to be potentially
beyond the scope of standard retention policies, IT must
place data into IT legal hold.
Review Phase
• Security can be defined to permit certain
users to have rights to searching
custodian data. Coordinate with the legal team to determine security requirements
based on each member of the legal team.
• IT can define Reference Copy policies and schedule them to run which can be used
for an ongoing investigation where new data must be collected daily. This can be
beneficial in ongoing investigations where
custodians are being actively monitored or if additional data is discovered after
the initial searches.
• Conduct initial queries using basic or advanced search.
Refinements to queries should be made to eliminate non-
relevant data. Use the advanced search options to exclude non-relevant messages, date ranges, file types, and
keywords. Strong knowledge of search and query language should be obtained through Commvault training.
• When data is moved to a review set, ensure as much non-
relevant data has been excluded from queries. The purpose of the review set is to process documents and
messages individually, comment and tag items for
relevance and follow up.
eDiscovery Compliance Search
Commvault® Education Services Page 11 of 46
• Tags can be created by the legal team or
a list can be provided to IT to create in the CommCell Console.
• When jobs are submitted to legal hold or
export, these jobs may take some time to run and there is the possibility of object
failures if data cannot be retrieved from
backups and archives. It is essential to monitor jobs, configure alerts, and
reports. Determine what type of reports and alerts are required and which legal
team members should receive them.
• Case Manager can be used to proactively identify and
preserve items by legal teams. Items for custodians, data types, and review set items can be preserved for ongoing
investigations.
• Once all relevant data has been processed, items can be moved to a legal hold or export set.
• When jobs are submitted to legal hold or export, the jobs
may take some time to complete and there is the
possibility of object failures if data cannot be retrieved from backups and archives. Coordinate with IT so they
can set up all required alerts and reports for the legal team to receive.
Production Phase
• Once all relevant data has been
processed it is important for IT to remove any IT legal holds to ensure data
protection requirements are complying with standard data retention and
destruction policies.
• Data can be exported to CAB files, PST (Exchange), or
NSF (Lotus Notes).
• Once all relevant data has been processed coordinate with IT so they can remove any IT legal holds to comply with
defined data retention and destruction policies.
Effective Data Preservation Commvault software provides several methods for preserving data. It is important to note, from a legal and compliance
perspective, that the physical separation of compliance data from normal backup data is essential. Consider locking down
specific items for an investigation that may last five years on a disk array which is also storing normal backup data. These
disks are working hard, backing up new data, running restore operations, auxiliary copy jobs, and pruning old data off.
The potential for disk failures and data loss could result in losing months of investigative work. Commvault software
provides several methods of locking data in place and also copying data to separate physical locations.
In place preservation methods:
• IT legal holds implemented by disabling data aging operations.
• Case Manager cases where custodian data is not associated with a storage policy.
Physical copy preservation methods:
• Reference Copy implemented from the CommCell® console.
• Legal hold initiated from the Compliance Search interface.
• Case Manager cases where custodian data is associated with a storage policy.
eDiscovery Compliance Search
Commvault® Education Services Page 12 of 46
Compliance Search Interface The Commvault Compliance Search interface is a web based tool used to conduct searches, review items, export data,
and place items into legal holds. It is also used to create and manage Case Manager policies.
Features Overview of the Compliance Search Interface
Query Sets
Complex queries can be crafted, shared and saved. Multiple queries can be used to ensure the full scope of the
investigation is being achieved. Relevant information can be moved to review sets, legal holds, or export sets.
Review Sets
When information is moved to a review set each object is typically reviewed in greater detail. At this point the items can
be tagged, filtered, or comments can be made. Multiple review sets can be used to further process information. Items in
review sets can be moved to legal hold, export sets, or additional review sets.
Comments
Comments can be added to items in a review set. Multiple comments can be added, each date and time stamped along
with who added the comment.
Tags
Items in a review set can be tagged for follow up. Along with the built-in tags, custom tags can be created by the
reviewer. Multiple tags can be assigned to individual items or by multiple items by selecting all items for tagging.
Legal hold
When the legal team places items into legal hold they will be able to associate the items with a selected legal hold policy.
The legal hold policy is a storage policies designated as a legal hold policy. When items are moved into a legal hold they
will be retrieved from previous backup or archive jobs and a new job will write them to the legal hold policy. This means
data is physically moved in Commvault protected storage which requires the media to be in libraries for a legal hold
operation to complete successfully.
Export
Members of the legal team can also add items to an export set. The export can be in CAB (compressed files), PST
(Exchange), or NSF (Lotus Notes) format. This is an operation that will retrieve the items from Commvault protected
storage and save them in the export file. The exported file can then be downloaded and managed independently of the
Commvault environment.
eDiscovery Compliance Search
Commvault® Education Services Page 13 of 46
Accessing Compliance Web Search Console
• The Compliance web search interface is accessed from any supported web browser.
• Enter URL to access search interface (provided by Commvault administrator) http://<host name>/<web alias
name>.
• Login using Active Directory credentials. Select the domain or use <domain\username> format.
Accessing the Compliance Search interface
Compliance Search Navigation
The web interface is intuitive and easy to use on any device with a web browser. Links are clicked on from a PC or tablet
to access all options. Multiple tabbed windows are used to provide simplified navigation. Items within a search are
displayed in the center window. Contents of a selected item appear in the right window. Additional refinements based on
search results can be made in the left window.
Compliance search interface overview
eDiscovery Compliance Search
Commvault® Education Services Page 14 of 46
My Sets
My sets are displayed in the left window by clicking the My Sets icon. Review set, legal hold, query set, export set, tag
set, job status, and case manager are displayed within my sets. Each section can be clicked on and expanded to access
information contained within the section.
Viewing My Sets
Content and Metadata Search
Commvault software manages both metadata and content indexes. Metadata includes information such as: file name and
type, date range, Email address, from, to, subject, CC, and BCC fields. Content search includes text strings within
documents, Email body, and attachments. When a search is conducted, it will seek items based on metadata search
criteria and content search criteria at the same time.
Key points regarding metadata and content index searches:
• Basic content keyword search using Boolean logic (AND, OR, NOT). Search terms are NOT case sensitive but
Boolean operators are case sensitive.
• Metadata searches use metatags for search criteria such as From:[email protected].
• Search can combine both content and metadata such as From:[email protected] AND “illegal gambling”.
• Email Metadata searches for Email address, To, From, Subject, CC, BCC, Received Time.
• File Metadata searches for type, location, modified date, and size.
• Advanced search provides a simplified method to combine both metadata and content searches.
• When searching for metadata and content, the metadata criteria is joined with the content with an AND.
eDiscovery Compliance Search
Commvault® Education Services Page 15 of 46
Conducting Basic Searches
Basic searches require no advanced query building knowledge. A quick search returns results within milliseconds,
depending on the scope of the search. Refinements on data types, file types, custodians, and additional metadata.
Basic searches can be conducted by entering the criteria and clicking Search. Results display in the center window.
Selecting an item in the search results will display detailed content in the right window. Multiple searches are conducted
by clicking the Search tab. Note that multiple searches appear as separate navigation tabs at the top of the window.
When conducting a search, up to 50 results are displayed on the screen. Use the navigation controls to explore search
results. Use the Show Option to display either files, email messages or both. Multiple items can be selected by clicking the
check box to the left of the item or using the Control or Shift keys. Selected items can be downloaded, exported to CAB,
PST or NSF files, or added to Review, Legal Hold or Export Sets.
Basic searches provide the following:
• Basic search is used to run quick queries for content and metadata.
• Searches can use Boolean logic (AND, OR, NOT), nested statements grouped by parenthesis, and additional
search functionality (proximity, fuzzy and wildcards).
• Content searches can be entered as multiple single words separated by an operator or multiple words as a string
joined by double quotes “one two” to return exact string.
• Metadata search criteria must always be preceded by the token identifier followed by a colon such as
From:[email protected] OR To:Ksmith@*.
• When using the advanced search option, any content entered in the basic search text field will appear under the
keyword search tab.
Conducting a basic search
eDiscovery Compliance Search
Commvault® Education Services Page 16 of 46
Selecting to view files, Emails or both
Customizing Search Columns
You can add or remove columns from the results list and sort your search results into ascending or descending order. Simply click on
the down arrow button and choose an option from the drop-down menu.
Customize search columns
eDiscovery Compliance Search
Commvault® Education Services Page 17 of 46
Advanced Search Advanced Search provides a great deal of flexibility by providing metadata and content searches in a tabbed window
format. Clicking on the Advanced Search link will display the Advanced Search window. Metadata searches can be
conducted for email messages, files stored on a server or workstation, and files embedded within email messages.
Content searches are conducted within email messages and files using simple keyword search or complex query
construction.
The query builder provides an area to craft complex queries and validate queries prior to running them. Both content and
metadata search criteria can be entered in the query builder. When using the query builder tab, any search terms in the
keyword tab are ignored.
Advanced Search Options and Tips
• Tabs are used to navigate and enter metadata and content search criteria.
• Search criteria for all pages are combined into a single search query.
• Content searches entered in the query builder or keyword tab are joined with an AND against all metadata search
criteria.
• When using the query builder tab, criteria entered in the keyword tab is ignored.
• Use the Search Criteria page to view a summary of the entire query.
• All fields in each search page are customizable.
• When entering search criteria into a field, multiple criteria can be entered separated by a semicolon.
• Wildcards * and ? are supported when entering field criteria.
Advanced search interface overview
eDiscovery Compliance Search
Commvault® Education Services Page 18 of 46
Field and Inter-Field Logic
Understanding how fields are populated with content, the operator to join multiple criteria within a field, and how multiple
fields are joined is essential to ensure accurate results are displayed.
A field contains three components:
• Token - Allows you to select the search object for the field such as email address, subject field, domain user, or
filename. Tokens can be modified by selecting the drop-down box. If a token is changed, any criteria entered in
the field is discarded.
• Operand - Allows you to enter search criteria such as [email protected] or file *.PDF or john smith. Multiple
entries can be made within the operand component of a field with a semicolon separating each entry.
• Operator - Determine the logic AND, OR, NOT that will be used for multiple criteria within the same operand
field.
Fields can be added with the + button to the right of the first field or removed with the X button to the right of the field
you want to remove. To simplify the search interface, consider removing any fields that are not required.
Field logic
Field logic determines how multiple criteria is joined based on the token selected. You can use AND, OR, or NOT for most
field tokens.
Example:
A search is being conducted for the email addresses JDoe* AND [email protected]. Since it is uncertain what domain
JDoe belongs to, an asterisk wildcard is used. Each entry in the operand field is separated with a semicolon. The field
logic is set to AND, which means only messages that contain both email addresses are displayed.
The search logic is: (JDoe* AND [email protected])
Example of multiple search criteria within an operand field
eDiscovery Compliance Search
Commvault® Education Services Page 19 of 46
Inter-field logic
The Inter-Field Operator determines the logic in which multiple fields will be joined. This means an individual field can
have multiple search criteria joined by an AND, and multiple fields can be joined with an OR.
Example:
A search is being conducted for the email addresses JDoe* OR [email protected]. Any messages that contain the word
‘gambling’ must be returned. However, to limit results, any subject that includes the words ‘football’ or ‘hockey’ should
not be displayed. We also want to eliminate any messages from any address from xyz.com or [email protected].
Each field is populated with the proper criteria and the Inter Field Operator is set to AND.
The search logic is: (JDoe* OR [email protected]) AND NOT (football OR hockey OR From:*@xyz.com OR
From:[email protected])
eDiscovery Compliance Search
Commvault® Education Services Page 20 of 46
Group Logic
Multiple field groups can be added within a metadata search tab. This is most commonly used when multiple fields within
a group must be joined with a different operator. This can also be used to simplify the view of complex queries.
• Groups allow for additional sets of fields to be used.
• This allows separate Inter-Field operators to be used for different groups.
• The Group Operator determines the logic in which multiple groups are joined.
• Use groups for logic such as: ((a AND b AND c) OR (d AND E)) AND ((f OR g) AND (h AND I)).
Example:
A search is being conducted for Email addresses [email protected] AND [email protected] that contains ‘vacation’ in
the subject. In addition, any message from jdoe* AND contains the subject “trip to vegas” should be included. To
accomplish this, two separate inter-field operators are required. An AND for student and jsmith that must contain
“vacation” in the subject, and an OR for any message from jdoe or any message that contains “trip to vegas”.
The search logic is: (([email protected] AND [email protected]) AND ((Conv:vacation”)) OR ((From:Jdoe) OR
Conv:”trip to vegas”))
Group logic example
eDiscovery Compliance Search
Commvault® Education Services Page 21 of 46
Email Search Guidelines
• Email tab is used to search Email metadata – use the keyword or query builder tab to search Email body and attachment contents.
• Use the token fields: From, To, Cc, or Bcc to search for email addresses or display names specifically in those
fields.
• Use the Email address field to search for specific Email addresses regardless of what token field they appear in.
• Enter multiple search terms on the same line by using a semicolon to separate each value: jdoe; jane smith; *@cv.com
• Methods for entering Email addresses: Full Address: [email protected]
Partial address domain not known: jdoe@*
Partial address user not known, domain known: *@cv.com
• Methods for searching display names or aliases:
Search for display name: John Doe (must be exactly as appears)
Search for display name (last, first name): “doe, john”
Search for display name partially known: john
• Use the field operator AND, OR, NOT to determine the logic for multiple search terms within the same field. Jdoe*; jane smith with AND operator returns results that contain both terms.
Jdoe*; jane smith with OR operator returns results with either term.
Jdoe*; jane smith with NOT operator returns results that do NOT contain these terms.
• Use the inter-field operator to determine the logic for ALL fields within a field group.
TO field with jdoe*; Jane smith with the OR operator and FROM field with Hwhite* with NOT operator and the inter-field operator set to AND will return messages sent TO jdoe OR jane smith, but NOT if they came from hwhite*.
• Use multiple groups to specify different inter-field logic AND, OR, NOT for fields within each group.
• Design searches to limit search scope to relevant data. Run query, assess results and modify query to focus
search results. Subject Field
• Enter phrase or keywords contained in the subject field.
• Use double quotes “this is a phrase” to search for an exact phrase.
Attachment Name
• To search for messages with specific attachments use this field to search for document titles.
• To search for attachments with specific file types enter *.<file extension> such as *.jpg or *.doc (which will also return DOCX results).
Received Time
• Use these fields to narrow the search scope to specific date ranges.
Keyword Page
• Use the keyword search options to search for specific terms within the body or attachments of the message.
eDiscovery Compliance Search
Commvault® Education Services Page 22 of 46
Query Builder Page
• The Query builder allows for elaborate search options for body and attachments using Boolean and proximity
searches to narrow search scope.
File Search Guidelines
• File names and / or file extensions can be added to search criteria using wildcards: *.pdf or *.DOC*.
• Wildcards can be used to search partial filename with extension: holiday*.pdf returns all PDF files that start with
holiday.
• Specify a folder to limit the file search.
• Keyword or query builder can be used to search specific files or file types containing content search criteria: *.pdf
in file tab and “top secret” in keyword search returns all PDF files with “top secret” in the content.
• Use the size settings to limit results based on file size.
File Search tab search criteria
Discovery Search Guidelines
• Use the discovery tab to search based on domain users, domain groups, or files accessed by specific users or
groups.
• When typing characters into a field, suggestions matching characters are displayed.
• Domain users and group searches can be refined to return files, Emails, or both.
eDiscovery Compliance Search
Commvault® Education Services Page 23 of 46
Discovery Search tab search criteria
Client Search Guidelines
• The client search tab is used to search for files and / or Emails on a specific client or items preserved in a Case
Manager case.
• Files, Emails or both can be searched.
• Use ‘Filter by client name’ field to locate a specific client system or Case Manager case.
Client Search tab search criteria
eDiscovery Compliance Search
Commvault® Education Services Page 24 of 46
Query Builder
The Query Builder tab is used to craft more complex content queries. Although metadata search criteria can be entered in
the query builder, it is a best practice to enter metadata search criteria in the metadata tabs such as Email and File.
When using the query builder, any search criteria that was entered in the Keyword field is ignored.
Key points using the Query Builder:
• Search criteria can be entered in the basic search, keyword search, or query builder.
• Once the search criteria is entered in the query builder tab, keyword criteria is ignored.
• Enter operator logic terms AND, OR, NOT in capital letters to make queries easier to read.
• If no operator is entered between words that are not in double quotes, an AND is used to join terms.
• Searches can be conducted for content and metadata . Metadata searches are conducted using token name
followed by a colon and then the search criteria (From:[email protected]).
• Always test a query by clicking the Validate Query button prior to executing the query.
Search example:
((From:jdoe@* OR From:*@abc.com) AND (“illegal” OR “football betting”)) AND NOT ((To:[email protected] OR
To:[email protected]) AND (conv:”hockey betting” OR hockey))
This search will return messages from jdoe@* (domain not known) or from anyone at abc.com that must contain the
word “illegal” or string “football betting” but NOT to jsmith or Bcarter at xyz.com and not with the subject line “hockey
betting” or “hockey”.
eDiscovery Compliance Search
Commvault® Education Services Page 25 of 46
Common search options using the query builder tab
How it works Examples Notes
AND Returns results that contain ALL
search terms
Blue AND red Returns items that contain both blue and red
Blue AND “red green” Returns items that contain both blue and ‘red green’ as an exact string
OR Returns results
that contain Any search terms
Blue OR red Returns items that contain either blue or red
Blue OR “red green” Returns items that contain either blue or ‘red green’ as an exact string
NOT Returns results
that do NOT contain search
terms
Blue OR red NOT green Returns items that contain either blue or red but do
not contain green
Blue OR red AND NOT green Returns same result as above
Search groupings
Use parenthesis to group terms
(blue OR red) AND green Returns items that have either blue or red and also must contain green
((blue OR red) AND (green OR orange)) NOT (purple or
yellow)
Returns items with either blue or red but must also contain either green or orange but not contain
purple or yellow
Searching exact strings
Use double quotes e.g. “ one two “
“big fish” AND blue Returns items that have the exact string ‘big fish’ and contain the word blue
Proximity
search ~<number>
Search for multiple
words that must appear within
defined proximity
“big fish”~3 Returns items where big and fish are within three
words e.g. “big blue fish” or “big blue swimming fish”
Fuzzy search ~
Search terms that are similar in
spelling
Blu~ AND fsh~ Returns items with words spelled similar such as blue and Fish
Wildcard search
* Or ?
? Replaces one character
* Replaces any characters before
or after
?et Returns items bet, get, vet, set…
Bet* Returns items that start with ‘bet’ e.g. bet, betting, better
*ing Returns items that end in ‘ing’ e.g. betting,
gambling, swimming, etc…
Metadata
Token searches
Used to search
metadata fields
From:[email protected] Searches for Email messages from [email protected]
“blue fish” and Datatype:2 Returns Email messages that contain the string ‘big
fish’ . Datatype:1 = files and 2=Email
eDiscovery Compliance Search
Commvault® Education Services Page 26 of 46
Query Sets You can conduct simple queries by entering search criteria in the main search field. When conducting queries using the
Advanced Search options, queries become a bit more complex. As queries are constructed and results viewed, the query
can be modified to exclude non-relevant results. When constructing more complex queries, you can save the queries in a
Query Set to run again later. Saving a query also provides details about the scope of the query for legal and compliance
purposes. If multiple queries are being conducted for a specific investigation, create a Query Set for the investigation and
save all queries within the set.
It is critical that queries are saved to a query set as the query is not saved automatically
Saving a query to a query set
Review Sets • Review sets are used to individually investigate items.
• Individual or multiple items can be tagged for further review. Standard and custom tags can be applied to items.
• Comments can be added to items, each with user, date and time stamps.
• Items from one review set can be moved to another review set to create an investigation workflow.
• Security to review sets can be configured to grant and restrict user rights based on the following: add/append,
delete, retrieve/download, and view.
eDiscovery Compliance Search
Commvault® Education Services Page 27 of 46
Adding items to a review set
Create a New Review Set
When creating a review set, the options to create a ‘Classic’ or ‘Custom’ review set are available. The ‘Custom’ review set
provides the ability to remove duplicate items from the review set. Removing duplicate items can be further customized
by Email metadata or file metadata to determine how duplicate items are identified.
Creating a new review set
eDiscovery Compliance Search
Commvault® Education Services Page 28 of 46
Viewing items in a review set
Customizing review set columns
eDiscovery Compliance Search
Commvault® Education Services Page 29 of 46
Comments
Comments can be added to individual items by selecting it and clicking the Comment link. Each comment is date and time
stamped and includes the name of the reviewer who entered it. Multiple comments are displayed within the comment
window for easy viewing of multiple comments. Comments can also be edited and deleted.
Adding comments to an item in a review set
eDiscovery Compliance Search
Commvault® Education Services Page 30 of 46
Tags
One or more items can be tagged by selecting the items and clicking ‘Manage Tag’. Tags are categorized by common,
discovery, health safety records, and personal records. Additional tags and tag categories, referred to as Tag Sets can be
added. To view tags associated with items in the review set, add the ‘Tag(s)’ column to the review set window.
Adding and managing tags in a review set
eDiscovery Compliance Search
Commvault® Education Services Page 31 of 46
Add Items to Review Sets
Items can be added from one review set to another by selecting items and clicking ‘Add To’ and then ‘Review Set’. Using
multiple review sets within an investigation provides a means to create a full review process where different reviewers at
different stages of the investigation can review just items they are responsible for.
Adding items from a review set to a new review set
eDiscovery Compliance Search
Commvault® Education Services Page 32 of 46
Legal Hold Sets Legal Holds are used to apply specific retention policies to items to ensure their availability for legal and compliance
purposes. Items can be placed in Legal Hold from Review Sets or search results. When items are placed in a Legal Hold,
the items are physically retrieved from Commvault protected storage and copied to the Legal Hold location. The items are
retained based on the Legal Hold policy settings or until the case is closed.
Legal Hold policies must be set up by Commvault administrators. Policies can be set to create one or more copies of the
items and retention can be defined for each copy. This provides the option of storing hold items onsite and offsite for
complete protection and preservation of compliance data. It is recommended to always have at least one copy onsite and
one offsite.
Different Legal Hold policies can be created for different purposes. Standard Legal Hold policies can be created for
specific time ranges such as five year, ten year, or infinite. Legal Hold policies can also be purpose based, such as the
name of an investigation or a policy to hold all executive email messages. The most common method of using legal hold
sets is to set the legal hold retention policy to infinite. This ensures all data is preserved for the duration of the case.
Coordinate with your Commvault® administrators to effectively plan and implement Legal Hold policies.
Key points for legal holds:
• Legal Hold sets can be used to copy items to a legal hold retention policy.
• Retention policies (storage policies) must be configured in the CommCell® console.
• Items are physically moved to legal hold sets. Depending on the number of items copied, this operation can take
a lot of time.
• Legal hold operations can be monitored in the job status view.
• Items in legal holds can later be exported as a CAB file from the web search console or through the CommCell
console.
Adding items to a legal hold
eDiscovery Compliance Search
Commvault® Education Services Page 33 of 46
Creating a new legal hold
Export Sets Export Sets are used to collect multiple items and compress them for export for external processing. Items can be moved
to an Export Set from search results, Review Sets or Legal Holds. When items are moved to an Export Set, they are
retrieved from Commvault storage and copied to a location where the items are compressed into a CAB, PST or NSF file.
Once the export process completes, the compressed file can be downloaded.
Key points for export sets:
• Export sets can be used to copy items to a compressed CAB, PST, or NSF file.
• Compressed files are stored on the web search server and can be downloaded to the local system once complete.
• Items are physically moved to export sets. Depending on the number of items copied, this operation can take a
lot of time.
• Items successfully moved or failed during export can be viewed.
• Manifest of export set can be viewed and downloaded.
eDiscovery Compliance Search
Commvault® Education Services Page 34 of 46
Exporting items to an export set
Viewing export sets
eDiscovery Compliance Search
Commvault® Education Services Page 35 of 46
Creating and Managing an Effective Search Process Although a complicated search process is not required in many situations, it can be useful for complex investigations or
when defining a comprehensive search process involving multiple personnel. It is important to note that in many
investigations the scope may expand based on evidence discovered during the search process. Additional custodians, data
types, and date ranges may be required. This would result in additional data preservation, possible content indexing of
the data, and adjusting queries or creating additional queries.
Sample search workflow process
Preliminary Searches
Prior to crafting complex queries, a preliminary search should be conducted. In some cases, this may be all that is
required. For example, all items that have “illegal gambling” may require investigation. A basic search is all that is
needed. Another example would be identifying all Email messages that have [email protected]. In this case, enter the
user’s mailbox in the Email Address field.
The following provides a more detailed breakdown of the search process:
Identify
• Identify custodians including: Email address, display name, titles, and folder locations for owned data.
• Determine relevant data types including: document types, PST files and if mailbox journaling has been
implemented.
eDiscovery Compliance Search
Commvault® Education Services Page 36 of 46
Search
• Conduct basic keyword searches to include and/or exclude search terms and patterns.
Refine
• Use refinements to search for specific file types.
• Use the option Show to show only documents, email, or show both.
• Search within results to further refine search results by adding search terms and patterns.
Process
• Use Advanced Search to reduce search scope to specific custodians, folder locations, or Domain users/groups.
• Use the Query Builder to craft complex queries.
• Repeat query and refinement processes to limit results that will be moved to review set.
Review
• Review Sets are created to move relevant query results to review set.
• Items can be individually reviewed.
• Comments can be added for follow up and further investigation.
• Tags such as responsive, non-responsive, or privileged can be applied to items.
Analyze
• Audit processes for integrity, reviewer productivity, and quality assurance.
• Assess the scope of the review and determine if results meet the scope of the investigation.
• Based on analysis determine if additional searches, queries, and reviews will be necessary.
• Use multiple review sets to delegate search responsibility to proper team members.
Preserve
• Place responsive data into legal hold or export set.
• Custodian items can be locked down by Case Manager.
Produce
• Export data from query, review set, or legal hold.
• Export in CAB, PST, or NSF format.
• Items can also be exported by the Commvault administrator from the CommCell® Console.
eDiscovery Compliance Search
Commvault® Education Services Page 37 of 46
Case Manager Case Manager is used to identify custodian data protected by Commvault® software and apply a legal hold to all items
defined within the case. All custodian items managed by the case are ‘locked’ in storage until the custodian is removed
from the case or the case is deleted. The items can be locked in place or copied to a separate physical location. Case
Manager is designed to be a short to intermediate term legal hold until relevant items can be identified and preserved
through export sets or legal hold sets.
Key points for using Case Manager:
• Cases are created and associated with a retention storage policy. Items can be held in place or moved to another
storage policy.
• Custodians added to the case will have legal hold retention policies applied to all relevant items. Retention length
is determined by the storage policy associated with the case.
• Additional custodians can be added to the case at any time.
• Preserved custodian data can be viewed and searched. Selected items can be moved to review sets for
comments, tagging and to create a legal workflow process.
• Custodian data can be exported to a CAB file. This would create a separate copy of selected items that can be
downloaded for data preservation, additional analysis outside of the search console, or to provide to opposing
counsel.
• Custodian data can be copied to a legal hold set. This would create a separate copy of selected items from the
case for long term archive.
• When custodians are removed from the case the legal hold will be released and files will age based on normal IT
retention policies.
• When cases are deleted, all custodian files will be released from legal hold and the files will age based on normal
IT retention policies.
• Information about deleted cases will remain in the system for auditing and reporting purposes.
eDiscovery Compliance Search
Commvault® Education Services Page 38 of 46
Creating a Case Using Case Manager
Case Manager is a component of the Compliance Search interface. Cases, can be created, edited, and deleted.
Access Case Manager in the Compliance Search interface
l
Overview of Case Manager Sections
To create a case, there are several categories where case criteria is entered:
• Basic details is used to enter the name, case number, and notes of the case. The setting to create a legal copy
of data or preserve data in place is also entered in the basic details.
• Custodian data source is used to enter the names of case custodians. When typing in the name of a custodian,
based on Active Directory membership, names matching the typed characters will appear for simplified selection
of custodians. Custodian data sources including Email, desktop/laptops owned by the custodian, journal hold
Email, and additional file servers can be added.
• Non custodian data source is used to add existing review sets to the case. It is important to note that review
sets do not place a hold on data so including review set items in a case will lock down relevant items.
• Filter criteria provides keyword and metadata search criteria. It is important to note that only relevant items
that meet filter criteria will be included in the case.
• Add reviewers allows the case to be shared with other reviewers.
• Schedule is used to set a schedule for item collection and preservation.
• Preview and save is used to review to ensure the case has been properly configured. Note that settings within
the case can be modified after the case is created.
eDiscovery Compliance Search
Commvault® Education Services Page 39 of 46
Case Manager sections view
Creating a new case
eDiscovery Compliance Search
Commvault® Education Services Page 40 of 46
Custodian Data Sources
Custodians relevant to the case are added by clicking the plus (+) button in the upper-right side of the case window.
Begin typing the custodians name and domain users matching the typed characters are displayed to simplify custodian
selection. Multiple custodians can be added using a comma to separate each name.
Adding Custodians to a case
Data sources define what source locations custodian data will be searched in. Custodian sources includes desktops and
laptops owned by the custodian, Email messages, and journaled Email messages. Additionally, file servers can be included
as a data source, but the data from this source is not tied to a specific custodian. When defining file server data sources,
only items that meet the filter criteria are preserved as part of the case.
eDiscovery Compliance Search
Commvault® Education Services Page 41 of 46
Adding data sources to a case
eDiscovery Compliance Search
Commvault® Education Services Page 42 of 46
Non Custodian Data Source
Review sets are used to place selected items into a review where comments and tags can be added to items. Review sets
do not preserve or modify retention on items. This means that normal retention rules still apply to the data. This can
result in items in the review set being pruned from storage before a review is complete. Case Manager can be used to
preserve items from a specific review set. It is important to note that when adding a review set to a case, all case criteria
including custodians, content search criteria, and metadata search criteria are factored into which items are preserved
within the review set. If all items need to be preserved, do not set any other search criteria in the case.
Adding a review set to a case
eDiscovery Compliance Search
Commvault® Education Services Page 43 of 46
Filter Criteria
The filter criteria section is used to add content and metadata search criteria to the case. One or more fields can be
added to determine specific search criteria within the case. Filter criteria applies to all custodian data sources, non-
custodian data sources, and review sets.
Adding content and metadata filter criteria to case
eDiscovery Compliance Search
Commvault® Education Services Page 44 of 46
Add Reviewers
A case can be shared with other reviewers by using the Add Reviewers section in Case Manager. One or more reviewers
can be added by typing the name in the ‘Type Reviewer name’ field. A list of users matching the characters entered into
the field are displayed to simplify the process. Multiple reviewers are displayed in the text field.
Sharing a case with other reviewers
eDiscovery Compliance Search
Commvault® Education Services Page 45 of 46
Schedule
Creating a case defines what criteria is used to collect and preserve case items. The process of collecting the items must
be scheduled. Schedules can be set to run daily or weekly at a specific time. If the case is configured to use a storage
policy to physically copy items, each time the job runs, relevant items are physically copied to a separate storage location.
This process can take some time depending on how many items match the search criteria. It is important to coordinate
case schedules with Commvault administrators to determine the best schedule frequency and time to run Case Manager
jobs.
Scheduling data collection for case
COMMVAULT.COM | 888.746.3849 | EA.COMMVAULT.COM
©2017 COMMVAULT SYSTEMS, INC. ALL RIGHTS RESERVED.
eDiscovery Compliance Search