Digital White Papers

LPS16

publication of the International Legal Technology Association

Issue link: https://epubs.iltanet.org/i/669172

LITIGATION AND PRACTICE SUPPORT | WWW.ILTANET.ORG | ILTA WHITE PAPER

Gotchas Related to Email Forensics

backup is made of the database, ensuring a copy of all deleted email messages can be preserved in that backup. Only then is the reference to that email permanently deleted from the index. However, even then the pages storing the email will remain intact and forensically discoverable until they are reallocated for some other purpose by the email system.

On a poorly administered email system, deleted email messages will not be backed up and, therefore, might be missing from the collection. On the other hand, if the email system is well-administered but the collection is still incomplete, you might be missing deleted email messages preserved on backups.

Indexes corrupted when an email database is improperly copied or collected.

Email messages in data pages of the database cannot be accessed by the index pages in the following cases:

» The copy is made on an active but non-quiesced email server
» The email messages in question have not been committed to the database at the time of the copy and the transaction log containing the non-committed email is not part of the collection
» The tool in use cannot process transaction logs
» The backup of the email spans more than one backup tape and one or more of those tapes are missing from the collection

Some of these issues exist in every e-discovery data collection. If you use tools that rely on the integrity of the database index to process collections, you are likely missing email messages.

Forensic Indexing

The solution is to use a forensics tool that examines every database page and reconstructs the email messages it finds without requiring the database index to locate them. Enterprise email databases are designed with built-in redundancies and data integrity safeguards that allow them to find and reconnect pages accidentally removed from the index. Using this knowledge, a forensic indexing tool can, by mere inspection of a page, tell whether it contains valid data, even if the information is inaccessible from the index.

Don't get caught by these email forensics gotchas!

TIM WILLIAMS

Tim Williams is the CEO and founder of information management company Index Engines. Previously, Tim participated in the development of the UNIX operating system at Bell Laboratories and held a number of engineering and C-level positions at high-growth and startup computer companies. Contact him at tim.williams@indexengines.com.
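The page-by-page scan described under Forensic Indexing, sketched as an added example that is not from the original article or from any vendor's tool. The page layout (64-byte pages, an `MPG1` signature, a CRC32 checksum, one-byte index entries) and the sample messages are constructed for illustration and do not match any real email database format.

```python
import struct
import zlib

PAGE_SIZE = 64                    # constructed size; real databases use KB-sized pages
HEADER = struct.Struct("<4sBHI")  # magic, page type, payload length, CRC32 of payload
MAGIC = b"MPG1"                   # hypothetical page signature
T_INDEX, T_DATA = 1, 2

def make_page(ptype, payload):
    """Build one fixed-size page whose header checksums its payload."""
    head = HEADER.pack(MAGIC, ptype, len(payload), zlib.crc32(payload))
    return (head + payload).ljust(PAGE_SIZE, b"\x00")

def parse_page(page):
    """Return (type, payload) if the page validates by inspection alone, else None."""
    magic, ptype, length, crc = HEADER.unpack_from(page)
    if magic != MAGIC or length > PAGE_SIZE - HEADER.size:
        return None
    payload = page[HEADER.size:HEADER.size + length]
    return (ptype, payload) if zlib.crc32(payload) == crc else None

def forensic_scan(db):
    """Examine every full page; sort valid data pages into indexed and orphaned."""
    parsed = [parse_page(db[i:i + PAGE_SIZE])
              for i in range(0, len(db) - PAGE_SIZE + 1, PAGE_SIZE)]
    indexed = set()
    for item in parsed:
        if item and item[0] == T_INDEX:
            indexed.update(item[1])           # index payload: one page number per byte
    report = {"indexed": [], "orphaned": [], "invalid": []}
    for num, item in enumerate(parsed):
        if item is None:
            report["invalid"].append(num)     # reallocated or damaged page
        elif item[0] == T_DATA:
            key = "indexed" if num in indexed else "orphaned"
            report[key].append((num, item[1].decode("utf-8", "replace")))
    return report

def build_sample_db():
    """Constructed sample: page 2 was dropped from the index, pages 4-5 are unusable."""
    torn = bytearray(make_page(T_DATA, b"Subject: torn write"))
    torn[HEADER.size] ^= 0xFF                 # payload no longer matches its CRC
    return b"".join([
        make_page(T_INDEX, bytes([1, 3])),
        make_page(T_DATA, b"Subject: Q3 forecast"),
        make_page(T_DATA, b"Subject: deleted draft"),
        make_page(T_DATA, b"Subject: lunch"),
        b"\xff" * PAGE_SIZE,                  # page reused for something else
        bytes(torn),
    ])
```

A tool that walks only the index would return pages 1 and 3; `forensic_scan(build_sample_db())` also recovers the unindexed message on page 2 and flags pages 4 and 5 as failing validation.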
