Advanced eDiscovery Search in Office 365 to Carve Evidence by Forensic Investigators

Creative Team | June 26th, 2015 | Forensics

Carrying out an eDiscovery search in Office 365 is not an easy task because it demands a complete, integrated strategy that starts with a definite and robust excavatory content search and ends in the courtroom in the form of presentable evidence.

To download Office 365, users are required to have a valid, registered Microsoft Account. This comes in collaboration with SkyDrive and the Office 2013 Upload Center. Because Office 365 is one of the most common web-based platforms and offers a large number of useful features, the need for forensic investigation of Office 365 email often arises. The mailboxes of corporate personnel contain thousands of emails, and carrying out search operations among them is a tiring and hectic task.

Content Search Tool in the Office 365 Security & Compliance Center
  Step 1   Provide appropriate permission to user
  Step 2   Create a new case
  Step 3   Add members into the case
  Step 4   Perform content search on the case
  Step 5   Export content search result into PST file
Solution Devised Specially for the eDiscovery & Forensic Experts
  Type 1   General Search
  Type 2   Proximity Search
  Type 3   Keyword search


First, what is eDiscovery?

eDiscovery, or electronic discovery, is the process of identifying and extracting electronic information that can be used as evidence in legal cases. The eDiscovery tool in Microsoft Office 365 is designed to search for content in Outlook Office 365, Office 365 groups, SharePoint, Skype for Business conversations, Microsoft Teams, OneDrive for Business sites, etc. All of these searches can be done through the Content Search tool in the Office 365 Security & Compliance Center.

Content Search Tool in the Office 365 Security & Compliance Center

Follow the steps below to perform an eDiscovery search in the Office 365 Security & Compliance Center in order to export an Office 365 Outlook mailbox to a PST file.

Admin permission is necessary for the user to perform eDiscovery on Outlook Office 365.

The user account must be a member of the Discovery Management role group.

An Unsupported Browser alert is generated if Microsoft Edge or Internet Explorer is not used while downloading the search result.

The user must have 32-bit or 64-bit Windows 7 or a later version.

Microsoft .NET Framework 4.7 is required.

Step 1: Provide appropriate permission to user

Main role groups of eDiscovery in Security & Compliance Center

  • Reviewer: This role group allows its members to view and access the case data in Outlook Office 365 Advanced eDiscovery.
  • eDiscovery Manager: Members of this role group are allowed to create and manage eDiscovery cases, and also to manage the cases created by other members.
  • eDiscovery Administrator: An eDiscovery Administrator can do many other tasks apart from Office 365 eDiscovery case management, such as viewing eDiscovery pages and accessing case data in Advanced eDiscovery for an organization.

Once all the role groups for eDiscovery search in Office 365 are clearly understood, follow the process given below to assign permissions.

  • Click the Permission option >> eDiscovery Manager >> Edit role group.
  • Choose eDiscovery Administrator from Edit role group and select the Edit option.
  • Click the + Add button to add a user as an eDiscovery Administrator.
  • Choose the user you need to add as a member and click the Add button.

Step 2: Create a new case

Choose Search & Security from the Security & Compliance Center. Then select eDiscovery >> + Create Case.

  • In the dialog box, enter the Case name and Case description. Then click the Save button to create the new case.

Step 3: Add members into the case

In order to access and manage the newly created case, you need to add members to it. To do so, follow the steps given below.

  • Click the Search & Security option in the Security & Compliance Center and select eDiscovery to see the list of created cases.
  • Select the newly created case and click the + Add button under the Manage members section.

Note: If you want to add a new role group to the case to do an eDiscovery search in Office 365, click the + Add button under Manage role group.

  • Select the members and click the Save button to save the new list of members.

Step 4: Perform content search on the case

You can perform a content search in an Office 365 mailbox to extract the electronic evidence. The content search related to the case can be accessed only by the members of the case or members of the manager role group.

  • Go to Security & Compliance Center >> Search & investigation >> eDiscovery and open the case to perform the content search.
  • Click + New Search on the Search tab.
  • On the new search page, you can create a search query by adding keywords.
  • Under the Location option, select the location in which to perform the content search in Office 365.
  • Click the Modification option to search for any users, groups, teams, or site locations.
  • Click the Save & run option and provide a Name and Description to save the search settings for the eDiscovery search in Office 365.

Step 5: Export content search result into PST file

After completing the content search in Office 365, it is time to export the Office 365 mailbox to a PST file. To perform the export, follow the steps below.

  • Go to Security & Compliance Center >> Search & investigation >> eDiscovery.
  • Choose the case and click the Open button.
  • Select the Search tab >> choose the content search result you want to export >> View result.
  • Click the More option and select Export Results to export the result of the eDiscovery search in Office 365 to PST.
  • On the export result tab, the user can change the Output option, Export exchange content as, etc., and then click the Export button.
  • Select the Export tab to see the list of exported results.
  • Choose the export result that you need to download and click the Download results button.
  • Copy and paste the export key into the popup window and browse to the destination location where you want to save the search result.
  • Then click the Start button to start the download.
  • When the process is completed, click the Close button to finish the download.

The process described above, content search followed by export of the result via the eDiscovery tool in Office 365, is time-consuming. During a forensic investigation, searching the content and exporting the Office 365 mailbox to PST format is helpful for legal purposes. To perform eDiscovery in Office 365 without spending too much time and effort, forensic experts need an appropriate tool that allows them to dig into the mailbox and to present the carved evidence in suitable and appropriate formats in the courtroom.

Solution Devised Specially for the eDiscovery & Forensic Experts

An eDiscovery tool that has been specially devised for investigators to perform eDiscovery search in Office 365 and other web-based email mailboxes is MailXaminer. From head to toe, the software follows all the eDiscovery investigation guidelines and assures investigators with suitable approaches for presenting the evidence in the courtroom.

Features of the tool for Office 365 search operations:

  • To add Office 365 Outlook mailbox data to the software, click the Add Evidence button and select Office 365 from the web email section.
  • Then provide the user account credentials, such as user name and password, in the respective fields.
  • The software displays the entire set of mailbox data available in the Office 365 user mailbox. The tool can display the entire email data recursively or only the data present in a particular folder.

To perform an eDiscovery search in Office 365 with the email analysis tool, investigators need to move to the Search panel of the software.

  • The tool provides two options for performing a content search in Office 365 user mailbox data: General search and Proximity search. To obtain more precise and accurate results, the investigator can add filter criteria within the tool.

General Search

General search is used to fetch the email data related to a keyword, searching over the entire mailbox or over selected attributes.

  • The general search operation supports various search algorithms, such as General, Wildcard, Regular Expression, Stem and Fuzzy search, which help investigators to search for and extract evidence from an Office 365 Outlook mailbox during the eDiscovery process.

To make a content search more specific, general search allows the data to be filtered with logic operators such as AND, OR and NOT, and with metadata such as Subject, To, From, etc.

Proximity Search

Proximity search allows the investigator to perform an eDiscovery search in an Office 365 mailbox based on an approximate word combination. That is, this search operation is useful when more than one keyword is known, along with the approximate character distance between them. This helps to filter the results more specifically.
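A minimal sketch of what a character-distance proximity search does, as an added example in Python; it is not MailXaminer's code or algorithm. The message structure, the function names and the sample messages are constructed for illustration.

```python
import re

# Constructed sample messages for illustration; not real evidence.
MESSAGES = [
    {"id": 1, "subject": "Q3 invoice",
     "body": "Please wire the payment to the offshore account before Friday."},
    {"id": 2, "subject": "Out of office",
     "body": "The account team is on leave. Separately, lunch on Thursday "
             "is my treat, so no payment needed."},
    {"id": 3, "subject": "Schedule",
     "body": "ACCOUNT details and PAYMENT schedule attached."},
    {"id": 4, "subject": "Approval",
     "body": "Our accountant approved the payment."},
]

def positions(word, text):
    """(start, end) offsets of each whole-word, case-insensitive match."""
    pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return [m.span() for m in pattern.finditer(text)]

def proximity_hits(text, first, second, max_chars):
    """Pairs of the two keywords separated by at most max_chars characters,
    in either order, as sorted (gap, matched_span) tuples."""
    hits = []
    for a_start, a_end in positions(first, text):
        for b_start, b_end in positions(second, text):
            if a_end <= b_start:
                gap = b_start - a_end
            elif b_end <= a_start:
                gap = a_start - b_end
            else:
                continue  # overlapping matches are not a keyword pair
            if gap <= max_chars:
                lo, hi = min(a_start, b_start), max(a_end, b_end)
                hits.append((gap, text[lo:hi]))
    return sorted(hits)

def search_mailbox(messages, first, second, max_chars):
    """Map message id -> proximity hits over subject and body."""
    results = {}
    for msg in messages:
        text = msg["subject"] + "\n" + msg["body"]
        hits = proximity_hits(text, first, second, max_chars)
        if hits:
            results[msg["id"]] = hits
    return results
```

With a 20-character limit, message 2 is excluded even though it contains both keywords, which is the narrowing effect a plain AND search does not give; message 4 is excluded because "accountant" is not a whole-word match for "account".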


Keyword search

Keyword search helps to search the content with a list of keywords. The user can either insert a set of keywords manually into the tool or add them as a CSV file. Click the Add keywords button to insert a keyword list for performing a content search in an Office 365 mailbox.

While working on a large forensic case, saving the search results helps investigators in the further investigation process. The user can easily save these search results by clicking the Save button of the eDiscovery supporting tool and providing the Search Result Name and Note.

After the content search in the Office 365 Outlook mailbox has been completed using the various search mechanisms of the digital forensics tool, the final process of eDiscovery is exporting the Office 365 mailbox to a PST file.

The most helpful part of the tool for investigators during Office 365 eDiscovery case management is the Export feature, which helps in presenting the evidence in the courtroom. The file formats supported by the software that can be accepted in litigation proceedings include PST, PDF, Concordance and many more.

Exporting an Office 365 Outlook mailbox to the PST file format helps to overcome any type of unfavourable situation. This leads users to select PST as the first option for exporting the result of an eDiscovery search in Office 365. But selecting the best option to export the result is a tough task for users. Manual methods are normally time-consuming and need more effort to obtain an accurate result, which makes users feel that the manual methods are a tiring process. The eDiscovery search operation via MailXaminer ensures a user-friendly experience in addition to dedicated and sophisticated algorithms that try to carve reasonable evidence from various angles. It also supports exporting an Office 365 mailbox to PST format in a feasible way.