Proofpoint Enterprise Archive. Legal Discovery and Supervision




Proofpoint Enterprise Archive Legal Discovery and Supervision May 2014

Proofpoint Enterprise Archive Copyright and Trademark Notices Proofpoint Archive is proprietary software licensed to you for your internal use by Proofpoint Inc. This software is Copyright 2002-2014 Proofpoint, Inc. The copying, modification or distribution of Proofpoint Archive is subject to the terms of the Proofpoint Software License, and any attempt to use this software except under the terms of that license is expressly prohibited by U.S. copyright law, the equivalent laws of other countries, and by international treaty. Proofpoint and Proofpoint Archive are trademarks of Proofpoint Inc. McAfee is a registered trademark of McAfee, Inc. and/or its affiliates in the US and/or other countries. Virus Scanning capabilities may be provided by McAfee, Inc. Copyright 2011 McAfee, Inc. All Rights Reserved. F-Secure Anti-Virus Copyright 1993-2011, F-Secure Corp. VMware, the VMware boxes logo, GSX Server, ESX Server, Virtual SMP, VMotion and VMware ACE are trademarks (the Marks ) of VMware, Inc. Voltage and Secure Messaging are registered trademarks of Voltage Security, Inc. Copyright 2003-2011 Voltage Security, Inc. All Rights Reserved. Apache 2.2 licensing information is available at http://www.apache.org/licenses. Perl (Practical Extraction and Report Language) is copyrighted by Larry Wall. It is free software and it is redistributed by Proofpoint under the terms of the Artistic License that comes with the Perl Kit, Version 5.0. Source is available at http://www.perl.com. Regular expression support is provided by the PCRE library package, which is open source software, written by Philip Hazel, and copyright by the University of Cambridge, England. Source is available at ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/. Some database support in this solution is provided by MySQL. Copyright 1997, 2011, Oracle and/or its affiliates. All rights reserved. 
Copyright 1986-1993, 1998, 2004 Thomas Williams, Colin Kelley Permission to use, copy, and distribute this software and its documentation for any purpose with or without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Permission to modify the software is granted, but not the right to distribute the complete modified source code. Modifications are to be distributed as patches to the released version. Permission to distribute binaries produced by compiling modified sources is granted, provided you 1. distribute the corresponding source modifications from the released version in the form of a patch file along with the binaries, 2. add special version identification to distinguish your version in addition to the base release version number, 3. provide your name and address as the primary contact for the support of your modified version, and 4. retain our contact information in regard to use of the base software. Permission to distribute the released version of the source code along with corresponding source modifications in the form of a patch file is granted with same provisions 2 through 4 for binary distributions. This software is provided "as is" without express or implied warranty to the extent permitted by applicable law. THIS SOFTWARE IS PROVIDED BY THE DEVELOPER ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE DEVELOPER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Portions of this software are Copyright 1996-2002 The FreeType Project (www.freetype.org). All rights reserved. Additional graphical support is provided by libgd: Portions copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Cold Spring Harbor Laboratory. Funded under Grant P41-RR02188 by the National Institutes of Health. Portions copyright 1996, 1997, 1998, 1999, 2000, 2001, 2002 by Boutell.Com, Inc. Portions relating to GD2 format copyright 1999, 2000, 2001, 2002 Philip Warner. Portions relating to PNG copyright 1999, 2000, 2001, 2002 Greg Roelofs. Portions relating to gdttf.c copyright 1999, 2000, 2001, 2002 John Ellson (ellson@graphviz.org). Portions relating to gdft.c copyright 2001, 2002 John Ellson Portions relating to JPEG and to color quantization copyright 2000, 2001, 2002, Doug Becker and copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, Thomas G. Lane. This software is based in part on the work of the Independent JPEG Group. See the file README-JPEG.TXT for more information.

Portions relating to WBMP copyright 2000, 2001, 2002 Maurice Szmurlo and Johan Van den Brande. Permission has been granted to copy, distribute and modify gd in any context without fee, including a commercial application, provided that this notice is present in user-accessible supporting documentation. This does not affect your ownership of the derived work itself, and the intent is to assure proper credit for the authors of gd, not to interfere with your productive use of gd. If you have questions, ask. Derived works includes all programs that utilize the library. Credit must be given in user-accessible documentation. This software is provided AS IS. The copyright holders disclaim all warranties, either express or implied, including but not limited to implied warranties of merchantability and fitness for a particular purpose, with respect to this code and accompanying documentation. Although their code does not appear in gd 2.0.4, the authors wish to thank David Koblas, David Rowley, and Hutchison Avenue Software Corporation for their prior contributions. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/) zlib.h interface of the zlib general purpose compression library version 1.2.2, October 3rd, 2004 Copyright (C) 1995-2004 Jean-loup Gailly and Mark Adler This software is provided as-is, without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions: 1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required. 2. 
Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software. 3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly jloup@gzip.org Mark Adler madler@alumni.caltech.edu Unifont copyright Paul Hardy of Unifoundry.com (unifoundry@unifoundry.com) released under the terms of the GNU General Public License (GNU GPL) version 2.0. Tomcat, Log4j, Apache CXF Apache Copyright 1999-2011 Apache Software Foundation Java JRE, JavaMail, Sun JavaServerFaces Copyright 1997, 2011, Oracle and/or its affiliates. All rights reserved. JBoss RichFaces Copyright Red Hat. Red Hat is a registered trademark of Red Hat, Inc. Proofpoint gratefully acknowledges contributions of the open source community to Proofpoint Archive. References to open source software used with Proofpoint Archive is collected into a single repository which can be found in the installed Proofpoint Archive package in src/opensource/opensource. That repository, consisting of the contributions from open source projects but not including the proprietary Proofpoint Archive software referred to above is a collective work that is Copyright 2002-2011 Proofpoint Inc. You will find in this repository copies of the source code, or references of where to find, every open source program not referenced in this copyright notice, that was used in Proofpoint Archive. Copyright (c) 2005, Google Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. Neither the name of Google Inc. 
nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Copyright (c) 1996-2010, Daniel Stenberg, <daniel@haxx.se>. All rights reserved. Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of a copyright holder shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization of the copyright holder. Proofpoint uses the following components which are licensed under the Apache License Version 2.0: Glassfish Jasper API - Copyright 2009-2011. All rights reserved. SLF4j - Copyright (c) 2004-2008 QOS.ch. All rights reserved. (Under the MIT license.) Copyright 2002-2014 Proofpoint, Inc. Proofpoint, Inc. All rights reserved. PROOFPOINT is a trademark of Proofpoint, Inc. All other product names and brands are the property of their respective owners.

Contents

Preface
  About this Guide
  Prerequisite Knowledge
  Other Sources of Information
  Contacting Proofpoint Technical Support
  What's New in Version 3.5.93
Introduction
  Proofpoint Archive: Part of the Proofpoint Family
  Proofpoint Archive Overview
  Accessing Proofpoint Archive
  About the Proofpoint Archive User Interface
  Adding Names to Entities
  Setting Preferences
About Legal Discovery
  Information Management
  Identification, Collection and Preservation Phases of Electronic Discovery
  Analysis, Review and Processing Phases of Electronic Discovery
  Production and Presentation Phases of Electronic Discovery
About Searching
  How Searching Works
  Search Steps
  Types of Search Criteria
  Using Boolean Logic for Content Searches
  Saving Search Criteria
Performing Searches
  Content-Based Searching
  Location-Based Searching
  Attachment-Based Searching
  People-Based Searching
  Date-Based Searching
  Communication Flow-Based Searching
  InfoTag-Based Searching
Working with Search Results
  How Search Results are Presented
  Working with Messages Found by a Search
  Message Properties
  Saving Results in Archive Folders
Creating and Modifying Legal Holds
  About Legal Holds
  Types of Legal Holds
  Choosing a Legal Hold Type
  Discovery Segmentation Impact on Legal Holds
  Assigning Permissions for Legal Hold Access
  Working with Ad-Hoc Legal Holds
  Working with People-Based Legal Holds
  Sending Legal Hold Notifications
  Managing Legal Holds
  Releasing a Hold
  Exporting Legal Hold Information
Proofpoint Content Collection
  About Content Collection
  Adding Content Collection to a Legal Hold
  Managing Collection Tasks
  Deleting Collection Tasks and Collected Files
  Viewing Collected Files in the Archive
Exporting Messages
  Encryption's Role in the Export Process
  Understanding the Export Process
  Exporting Messages from Search Result
  Exporting Messages from a Folder
  Exporting Messages to FTP Site
  Managing the Export Progress
  Completing the Export
  Sharing an Export Job
  Specifying an Export Job Retention Period
  Viewing Exported Messages in Outlook
Performing Supervision Functions
  About Supervision
  For Reviewers: Passing and Failing Messages
  For Senior Reviewers: Supervision Interface
  For Senior Reviewers: Review Tasks
  For Senior Reviewers: Issue Investigation and Management Tasks
Viewing the Audit Trail
  About the Audit Trail
  Viewing Audit Trail
  Exporting Audit Trail
Appendix A Search Criteria and Indexing
  Search Criteria: Keywords and Phrases
  Search Criteria: Special Characters
  Indexing Size Considerations
Glossary
Index

Preface

About this Guide

This guide introduces Proofpoint Enterprise Archive and provides step-by-step instructions for using the system to perform advanced searches of your own or other people's mail stored in the archive. This guide also explains specific functions related to legal holds and message review. These functions are available only to users who have the appropriate user access.

Prerequisite Knowledge

This document is intended for a business user with technology experience. You should be familiar with functions common to user interfaces, such as selecting multiple items using the Shift key and checking or clearing options.

You should understand your company's electronic messaging policy. While Proofpoint Archive is a critical element of any message compliance system, you play an important role in ensuring that information is used appropriately. Access to the archive of messages comes with a responsibility to understand and apply the standards outlined in your company's electronic messaging policy.

To take full advantage of advanced search functionality, some basic understanding of Boolean logic is helpful. While the Proofpoint Archive user interface attempts to shield you from these complexities, understanding the difference between "A and B or C" and "A and (B or C)" helps to ensure that you achieve expected results when searching the archive.

Other Sources of Information

This guide covers a number of topics addressing procedural information for day-to-day use. For other information, see:

- Online Help: Click the "help" button to display online help for the product.
- Finding Your Own Messages: Explains basic search processes available from Microsoft Outlook or OWA. Intended for users who will search the archive for messages from their own mailboxes.
- Reports: Explains available reports and how to generate them.

Contacting Support

If you need help resolving an issue, please contact your local help desk.

What's New in Version 3.5.93

- Revised explanation of disposition placeholder.
- Added Internet Explorer 11 (in compatibility mode) to supported browsers.
- Messages archived from social networks or other sources identified by icon.
- Improved description of some of the UI-based procedural steps.

Introduction

This chapter introduces Proofpoint Enterprise Archive and its main interface elements. The chapter includes the following topics:

- Proofpoint Archive: Part of the Proofpoint Family
- Proofpoint Archive Overview
- Accessing Proofpoint Archive
- About the Proofpoint Archive User Interface
- Adding Names to Entities
- Setting Preferences

Proofpoint Archive: Part of the Proofpoint Family

Proofpoint offers a comprehensive solution for data protection and governance through an integrated, security-as-a-service platform. Complementing the Proofpoint data protection and security solutions, Proofpoint Archive allows your organization to archive and discover communication across all major communication channels including on-premise and cloud-based email, instant messaging, social media and other web-based applications.

Proofpoint Archive Overview

Proofpoint Archive provides a complete message archiving solution that can protect your organization from legal liabilities and regulatory risks while improving email storage management and end-user productivity. Its easy-to-implement, easy-to-use web interface offers fully secure email archiving with robust search and discovery, supervision, and enforcement features.

Proofpoint Archive securely stores your electronic messages for the retention period you specify, while keeping them fully searchable and retrievable in real-time (or with a batch process). At any time, archived messages can be easily viewed, retrieved to a user's email inbox or exported to an Outlook data file or EDRM XML file.

Proofpoint Archive includes features used to:

- design, edit and maintain an electronic messaging policy, including retention, enforcement and supervision rules
- perform advanced and comprehensive searches of a message's header, body, or attachments, easily meeting even the most stringent discovery requirements
- generate reports that help properly assess email patterns and behavior, and help evaluate the effectiveness and enforcement of your policies
- manage mailbox sizes, removing storage-intensive attachments from Exchange while keeping those attachments accessible to Outlook users (stubbing)
- implement a systematic supervision process for selecting and reviewing the content of electronic messages based on your organization's policy for acceptable use of email

Note: Some functions are optional and may not be available to all users.

Accessing Proofpoint Archive

Note: Use Internet Explorer 8, 9, 10, or 11 (in compatibility mode) on the PC. You must have JavaScript enabled.

1. Open your web browser.
2. Enter the URL of the Archiving Appliance in the address bar of your web browser. The Login Screen appears. If it is blocked by a pop-up blocker, you need to allow pop-ups from this site before proceeding.
   Note: Your administrator can provide you with the URL of the Archiving Appliance. You may be able to access it using a similar URL to the one you use to access your mail server. For example, if you normally enter https://www.mycompany.com/exchange, you would enter https://mail.mycompany.com/archive. You may need to add the URL to your trusted sites list.
3. Optionally, choose the language you want used for the user interface.
4. Enter the user name and password you use to log in to your computer and click Enter.
   Note: You can also log in using your primary SMTP address or UPN.
   The Proofpoint Archive interface opens.

Note: User names and passwords for Proofpoint Archive are fully integrated with your network user name and password. Whenever you change your password on the network, your password used to log in to Proofpoint Archive is also changed.

After a period of 60 minutes of inactivity, you will be logged out automatically. If you attempt to perform a task using your open browser window after you have been automatically logged out, you will be prompted to log in again. Once you do, the action is performed.

About the Proofpoint Archive User Interface

Choose from the available modules by clicking on the module name in the top right of the interface. Choosing a module opens a new screen with a navigation menu of choices on the left. To return to the main screen where the different modules are shown, click the Proofpoint logo. When you click an item in the navigation menu, the workspace (right side of the screen) changes as a result.

Adding Names to Entities

When setting up some entities in Proofpoint Archive, you need to add names of Active Directory users and/or groups. The same mechanism is used everywhere this is necessary:

1. Enter all or part of the appropriate name.
3. Click Check Name. A list of suggested names appears for you to choose from, on two tabs: one listing names currently in Active Directory, the other listing names that were in Active Directory but have since been deleted.
4. Select the desired name and click Add.

Setting Preferences

Proofpoint Archive user interface preferences allow you to choose:

- the opening screen you see when you log on (for example, if you most often search messages, you can have the interface open with the E-Discovery module opened)
- preferred language
- defaults for standard (Personal Archive) or advanced (E-Discovery) searches (sort order, mailbox scope and date range)
- default sort order for Supervision review message lists

1. Click the in the top right corner of the interface, then click Preferences. The Preferences screen appears.
2. Click the appropriate tab and set your preferences.
3. Click Save.

About Legal Discovery

This chapter provides background information about electronic legal discovery. It includes the following topics:

- Information Management
- Identification, Collection and Preservation Phases of Electronic Discovery
- Analysis, Review and Processing Phases of Electronic Discovery
- Production and Presentation Phases of Electronic Discovery

Information Management

One of the best ways to reduce risk during legal discovery is to implement proactive information management practices. The foundation of such an approach is the establishment and enforcement of retention policies. Without clearly defined, and consistently applied, retention of information, it becomes very hard to prove that information was disposed of in the course of normal business as opposed to a malicious destruction of evidence.

With Proofpoint Archive's policy component you can define, communicate and enforce retention of electronic communications. Capturing all communications in a searchable repository in an unalterable, de-duplicated form provides on-going litigation readiness.

Identification, Collection and Preservation Phases of Electronic Discovery

At the point that your organization suspects that a matter may arise, you want to be able to assess the risk to your organization. Collecting data from various sources just to perform early case assessment is often cost-prohibitive, so many firms fail to appreciate their position at this point. With a searchable repository, you can easily search for items that may be relevant and make appropriate plans for addressing the matter. This investigation capability also makes it easier to identify the scope of information that should be covered under a preservation order.

With all content captured in the archive for some time period, it becomes the best place to implement a preservation hold (a legal hold, in Proofpoint Archive). Not only can Proofpoint Archive be used to hold existing content that is relevant to the matter, it can also be configured to actively evaluate and hold new messages as they are archived. This avoids the expensive, error-prone manual processes typically required for litigation holds. As information is collected on an ongoing basis, rather than at the point of a litigation hold, the process is quick and painless.

Analysis, Review and Processing Phases of Electronic Discovery

While the case progresses, you may need to perform ongoing assessment of the contents of the legal hold, for example, to prepare for meetings. The contents of all or just specific legal holds can be searched the same way as the archive can be. Advanced searching capabilities can be used to cull the dataset to focus on the relevant materials, which can then be exported to PST or EDRM XML files for integration into a litigation review platform.

Production and Presentation Phases of Electronic Discovery

For cases that do not require sophisticated review functionality, items that should be produced can be exported to PST or EDRM XML files for delivery directly to opposing counsel.

About Searching

This chapter provides an overview of the advanced searching feature in Proofpoint Archive. The chapter includes the following topics:

- How Searching Works
- Search Steps
- Types of Search Criteria
- Using Boolean Logic for Content Searches
- Saving Search Criteria

How Searching Works

You can search within your own mailbox or across some or all of the mailboxes to which you have been granted access. Discovery users can search across the entire archive.

If Discovery Segmentation is enabled, when searching the active archive or retention series, Discovery users can only search within the divisions to which they have been granted access. When searching their own mailbox or within legal holds, divisional filtering is not applicable. Discovery Administrators continue to have full access to the entire archive. To have Discovery Segmentation enabled, contact Proofpoint Professional Services.

Searching falls into two types: standard (Personal Archive) or advanced (E-Discovery).

- Standard searching (Personal Archive) is intended for end users searching their own mailboxes. It offers the same features as those offered from within Outlook/OWA, and is described in Finding Your Own Messages.
- Advanced searching (E-Discovery) provides greater flexibility and control than standard searching.

An advanced search contains one or more types of criteria that are combined, allowing you to constrain the search results to specific messages. While each type of search criteria (see "Types of Search Criteria" on page 12) is optional, a message must meet all of the specified criteria to be considered a match.

To repeat a search, you can simply save its criteria and perform it again. The results of a search are displayed for you to work with.

Search Steps

Step 1: Open the Search Screen

Open the E-Discovery module and, if necessary, in the navigation menu, click Search. The search screen opens.

Note: You can choose a different language for the interface from the Language list.

Step 2: Enter the Appropriate Search Criteria

Specify search criteria using one of the available methods and click Search or press ENTER. For details about which special characters (such as punctuation marks) are and are not preserved in the archive, see "Appendix A Search Criteria and Indexing" on page 48.

Note: You can, if you wish, simply leave all criteria blank, but this is not usually desirable because it may retrieve a large set of messages.

Alternatively, you can repeat a recent or saved search: click Saved Searches (in the navigation menu) and navigate to and select the desired search name.

Note: Executing a saved search rather than a new search simply applies the saved search criteria to the current data set. Since new messages are added to the archive all the time, search results are likely to be different each time you execute a saved search.

Step 3: View Results

Search results show both the criteria used for the search and the list of messages the search found. You can modify the search criteria and perform the search again, save the search criteria (see "Saving Search Criteria" on page 15), clear the criteria and start again, or work with the messages the search retrieved.

Note: For users of Proofpoint Archive batch searching, search results are stored in a folder instead of being displayed on the screen.

Types of Search Criteria

You can choose to search using one or all of the following criteria:

Content-Based Search Criteria

Search for keywords (optionally, using Boolean AND/OR logic) that must appear in the message content, in the fields that you specify (subject, body, attachment and/or SMTP header). See "Content-Based Searching" on page 16.

Location-Based Search Criteria

Search for:

- only messages in a specific mailbox or mailboxes
- only messages that are part of a specific retention series
- only messages that are in a legal hold
- only messages that are in a specific legal hold, with the further ability to search only messages that were added to that hold manually
- only messages that are in the active archive
- messages in either the active archive or any legal hold.

If you are searching based on retention series or active archive, you can also search the divisions to which you have access, provided that Discovery Segmentation has been enabled. See "Location-Based Searching" on page 17.

Attachment-Based Search Criteria

Search for messages that contain an attachment at all, or only for those with an attachment of a specific type. For example, you can search only for messages with Microsoft Word documents attached. See "Attachment-Based Searching" on page 19.

This search looks only at attachment presence and/or type: if you want to search for the actual content of an attachment, use content-based search criteria.

Note: You can combine attachment-based search criteria with content-based search criteria to look for a particular type of document that features particular words or phrases. For example, you can search for messages with Microsoft Word document attachments that contain the word Confidential.

Date-Based Search Criteria

Search for messages based on the date they were:

- sent
- archived (normally the same as the send date, but may be different for imported messages)
- available for disposition.

See "Date-Based Searching" on page 20.

Note: Messages available for disposition need to be removed from the archive using a process explained in the Policy Creation and Management document.

People-Based Search Criteria

Search based on the people who sent or received the message (the parties), and on their participation in the communication (for example, whether they sent it or received it). Messages must match both the specified parties and their type of participation. See "People-Based Searching" on page 19.

Communication Flow-Based Search Criteria

Search for messages based on whether they were exchanged internally, received from an external address, or sent to an external address. See "Communication Flow-Based Searching" on page 21.

InfoTag-based Scope Criteria

Search for messages tagged with specific InfoTags (used to categorize a message). See "InfoTag-Based Searching" on page 21.

Using Boolean Logic for Content Searches

In addition to entering words and phrases, you can also use basic Boolean logic to refine or expand searches. The following elements are supported:

AND
    Meaning: Indicates that the words/phrases are both required. As spaces between words and/or phrases are treated as an AND, use of this keyword is generally not required.
    Usage: "Bob Smith" AND factory

OR
    Meaning: Indicates that one or the other of the words/phrases is required, but they don't both have to be in the message for it to match.
    Usage: "Bob Smith" OR factory

- (hyphen)
    Meaning: Indicates that the following word or phrase must not be in the message.
    Usage: "Bob Smith" -factory

() (brackets)
    Meaning: Indicates a grouping of logical elements for evaluation. Generally brackets are only required when you combine AND and OR logic in a single search.
    Usage: ("Bob Smith" OR "Mary Jones") AND factory

~ (tilde)
    Meaning: Inserting a tilde followed by a number lets you do a proximity search to find matches within the proximity of the original results. In the example, all documents that contain search terms within 3 words of searchtermb will be found.
    Usage: searchterma searchtermb ~3

Note: The operators "AND" and "OR" must be entered with capital letters. The lower case versions are used to search for content containing the words "and" and "or" themselves.

Saving Search Criteria

Your three most recent sets of search criteria are automatically saved and available by clicking Saved Searches in the navigation menu of the E-Discovery module, in a system-created folder called Recent Searches. Searches are identified by their occurrence (most recent, next most recent and third most recent).

If you find yourself frequently searching for the same things, it may be useful to create the criteria for future use: each time you use a saved search (by clicking on its name), the search is carried out as defined in the criteria. The results may vary, depending on which messages are currently in the archive.

To keep your saved searches organized, store the search criteria in a folder. You can optionally share a folder with other users.

To create a folder to organize saved searches:

1. Open the E-Discovery module and, if necessary, in the navigation menu, click Search.
2. In the navigation menu, click Saved Searches. The Saved Searches screen appears.
3. Click New Folder.
4. When prompted, enter a name for the new folder and click OK. The folder is created.

Note: Within a given level, folder names must be unique. For example, you cannot have two folders directly under Saved Searches that are both called "Complaints", but you can have a "Complaints" folder in a Customer folder and a "Complaints" folder in an Internal folder.

Note: To remove or rename a folder, right-click on it and choose Delete or Rename.

Saving Search Criteria

To save search criteria:

1. Execute a search, then click Save Search. The Save Search screen appears.
2. In the Save search in tree, select the folder in which the search criteria should be saved.
   - or -
   Create a folder in which to save the search criteria by clicking New Folder and entering a folder name.
3. Enter a Name for your saved search criteria.
   Note: Within a given folder, the names of saved searches must be unique.
4. Click Save. The Save Search screen closes.

Note: To remove or rename a saved search, click on the [icon] to the right of the saved search and choose Delete or Rename.

To share search criteria:

1. Save search criteria in a folder (as described above).
2. In the navigation menu, click Saved Searches.
3. Click on the [icon] on the right side of the screen and choose Share. The Sharing Details screen appears.
4. Enter the user with whom you want to share the search criteria folder and click Add.
5. Click Save.

Performing Searches

This chapter explains how to perform searches using different types of criteria. It includes the following topics:

- Content-Based Searching
- Location-Based Searching
- Attachment-Based Searching
- People-Based Searching
- Date-Based Searching
- Communication Flow-Based Searching
- InfoTag-Based Searching

Content-Based Searching

To enter individual content-based search criteria:

1. Check the options for the parts of the message (body, subject, attachment and/or header) that should be searched.
2. In the "Enter word or phrases..." field, enter the words or phrases (in quotation marks) to search for.
   Note: You can use basic Boolean logic in your searches. See "Using Boolean Logic for Content Searches" on page 14.
3. Click Search.

To enter a set of keywords as content-based search criteria:

1. Click Helper (to the right of the field used to enter words or phrases). The Keyword Editor screen appears.
2. Enter the keywords to search for. Multiple words on one line are interpreted as a phrase.
   Note: You can paste a list of keywords from the Clipboard into the Find box.
3. Choose whether the search should include exact matches, exact matches and potential matches, or only exact matches (see below).
4. Click Save. The keywords you specified appear, in the correct syntax, in the "Enter word or phrases..." field.
5. To add additional words/phrases for searching, click Helper again.

Calling out potential matches is useful when you have messages that could not be fully indexed by Archive. There are several reasons why a message cannot be fully indexed: a message is encrypted, an attachment is corrupted, an attachment is password protected, and so on. When searching for a message, the default behavior for Archive is to return only messages that match exactly the keyword search criteria. But with advanced search, you have the option to modify the default behavior to include potential matches or only return potential matches. This is useful when potential matches need to be identified so that they can be processed separately.

The Keyword Editor contains a Query Builder function:

1. In the Keyword Editor, click Query Builder. The keywords specified in the editor (if any) appear in the bottom portion of the screen. You can enter or paste from the clipboard additional keywords in the top portion of the screen.
2. Choose whether the message must contain one (OR) or all (AND) of the keywords.
3. Choose how the two lists work together: messages must either match both lists (AND) or either list (OR).
4. Click Save.

Location-Based Searching

Searching Based on Retention Series or Legal Hold

1. Click Active Archive. A new screen appears.
2. Choose the scope of the search. To search:
   - within a specific retention series, select it from the retention list
   - both the active archive and all legal holds, click Active archive and all legal hold (Discovery Administrators only)
   - just legal holds, click All legal holds (Discovery Administrators only)
   - within a specific legal hold, select from the holds list and choose whether or not you want to show only items manually added by users

   Note: When searching based on retention series or active archive, you can also search the divisions to which you have access, provided that Discovery Segmentation has been enabled. Divisions that are grayed out in the list are those to which you do not have access.

   Note: If searching across all legal holds, the same message may be found in several of those holds. As a result, the message will appear several times in the results list. If in place of a message you see "this message has been disposed", the message has been removed from the legal hold (because it belonged to a custodian who has been removed): such messages cannot be viewed.
3. Click Save. The selection screen closes.
4. If desired, specify the mailboxes you want to search by following one of the procedures below. Specifying mailboxes will limit your search results to those messages in the legal hold that are associated with those mailboxes. Typically, specifying mailboxes requires you to be a Discovery user; however, if you have been granted access to a legal hold, you can search all mailboxes in that legal hold.
   Note: Even if Discovery Segmentation is enabled, it is not applicable if you are searching your own mailbox. You can search a maximum of 1024 mailboxes.

Searching Imported Data Pending Verification (Discovery Administration Users Only)

Note that messages found using these procedures cannot be exported, retrieved, or copied to an archive folder.

1. Click Active Archive. A new screen appears.
2. Click Imports in Staging - Archive.
   - or -
   Click Imports in Staging - Legal Hold and choose the legal hold in which to search.
3. Click Save.

Searching Based on Mailbox

To search all or just your mailbox:

1. Click All Mailboxes (just below the field used to enter words or phrases). A new screen appears.
2. To search all mailboxes, leave the default All mailboxes selected.
   - or -
   To search just your mailbox, click My Mailbox.
3. Click Save. The selection screen closes.

To search specific mailboxes by group:

1. Click All Mailboxes (just below the field used to enter words or phrases). A new screen appears.
2. Click Only search in the following mailboxes.
3. Specify the group name, following the steps in "Adding Names to Entities" on page 7. All mailboxes belonging to members of that group are included in the search.
   Note: You can search on a maximum of 1024 mailboxes.
4. Click Save. The selection screen closes.

To search specific mailboxes by user:

1. Click All Mailboxes (just below the field used to enter words or phrases). A new screen appears.
2. Click Only search in the following mailboxes.
3. Copy and paste up to 150 SAM account names or email addresses into the box (duplicates are automatically removed).
   - or -
   Specify the user name, following the steps in "Adding Names to Entities" on page 7.
4. Repeat until all mailboxes are added.
   Note: The mailboxes that you can see are controlled by the permissions assigned to your user account. You can search on a maximum of 1024 mailboxes.
5. Click Save. The selection screen closes.

To search mailboxes identified in imported list (Discovery Users Only):

1. Prepare the list of mailboxes to be imported, with a maximum of 150 SAM account names or email addresses separated by newlines or semicolons (;). Optionally, copy the names to the clipboard.
2. Click All Mailboxes. A new screen appears.
3. Click Import.
4. Click Browse to navigate to the location of the file containing mailboxes to be searched and click Open.
   - or -
   Click Paste from clipboard and paste the list of mailboxes. The names appear in the box (duplicates are automatically removed).
5. Continue to import or add mailboxes as desired, to a maximum of 1024 mailboxes.
6. Click Save. The selection screen closes.
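The limits stated in the mailbox procedures above (150 names per paste or import, 1024 mailboxes per search, newline or semicolon separators, duplicates dropped) can be checked before a custodian list is imported, so that a scoped search does not silently miss mailboxes. The following Python helper is an added example, not Proofpoint code; the function names are hypothetical, the case-insensitive duplicate check and the "suspect entry" test are assumptions, and the sample list is constructed.

```python
import re

BATCH_LIMIT = 150    # names accepted per paste or import, as stated in the guide
SEARCH_LIMIT = 1024  # mailboxes allowed in one search, as stated in the guide


def parse_mailbox_list(raw):
    """Split on newlines or semicolons, trim, and drop blanks and duplicates.

    Returns (names, suspect): names keeps first-seen order; suspect lists
    entries that look like neither an account name nor an email address.
    """
    seen, names, suspect = set(), [], []
    for entry in re.split(r"[;\r\n]+", raw):
        name = entry.strip()
        if not name:
            continue
        key = name.casefold()  # assumption: names compare case-insensitively
        if key in seen:
            continue
        seen.add(key)
        names.append(name)
        # Assumption: a usable entry has no inner whitespace and at most one "@".
        if re.search(r"\s", name) or name.count("@") > 1:
            suspect.append(name)
    return names, suspect


def plan_imports(raw):
    """Return (batches, suspect), each batch small enough for one import."""
    names, suspect = parse_mailbox_list(raw)
    if len(names) > SEARCH_LIMIT:
        raise ValueError(
            f"{len(names)} unique mailboxes exceeds the {SEARCH_LIMIT}-mailbox "
            "search limit; split the custodians across several searches"
        )
    batches = [names[i:i + BATCH_LIMIT] for i in range(0, len(names), BATCH_LIMIT)]
    return batches, suspect


def render_batch(batch):
    """One name per line, ready to save to a file or copy to the clipboard."""
    return "\n".join(batch)


if __name__ == "__main__":
    # Constructed sample: mixed separators, one duplicate, one malformed entry.
    sample = "jsmith;JSmith\nmjones@example.com; john smith\n" + "\n".join(
        f"user{i:04d}" for i in range(200)
    )
    batches, suspect = plan_imports(sample)
    for number, batch in enumerate(batches, start=1):
        print(f"import {number}: {len(batch)} names")
    print("review before importing:", suspect)
```
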

Attachment-Based Searching

1. Check the Has Attachment checkbox.
2. Choose the scope of the search. To search for messages with:
   - any type of attachment, choose <any type> (the default)
   - a specific type of attachment, choose a file type from the list or, if the type is not shown, choose Other from the list and then, in the text area, type the file extension of attachments for which to search
   Note: You can enter multiple file extensions with a space between them. Do not enter periods or wildcards, such as *.
3. Click Search.

People-Based Searching

1. From the list under the Mailbox/Archive selection area, select the type of participation (see below).
2. You are prompted to choose the party for the search: click Add and identify the party as described below.

   If you chose: Internal Person
   Then you need to: Specify the name - or - Enter a personal Internet email address for the person.

   If you chose: Department, Role, Partner (searches for email belonging to the people in the selected user group)
   Then you need to: From the Select a list, choose the department, role or partner.

   If you chose: External Person
   Then you need to: Enter the person's Internet email address and click Add. Repeat for additional email addresses for the person.

   If you chose: Display Name (searches for messages sent or received by the person or group matching the selected display name)
   Then you need to: Enter the display name.

   If you chose: Domain (searches for messages sent by anyone in the selected domain)
   Then you need to: Enter the Internet domain name.

   When evaluating a message, if any of the elements that define a party match, then the message is said to include that person. For example, if a party was defined as being the Active Directory user John Smith with the Internet mail address jsmith@hotmail.com, a message sent to either jsmith@hotmail.com or any of the email addresses associated with the Active Directory user John Smith would be said to include that party.
3. Click Save. The screen closes and the selected party is added to the list.
Specifying the Participation

To do this: Find messages where at least one of the selected parties is either the sender or recipient of the message. Use if you don't care whether the parties are senders or recipients.
Select this criteria: From or To ANY of these parties

To do this: Find messages where all of the selected parties are either the sender or recipient of the message. Use if you want to match only messages where all the specified parties are participating as either senders or recipients.
Select this criteria: From or To ALL of these parties

To do this: Find messages where at least one of the specified parties is the sender of the message. Use if you want to match only messages coming from specific parties.
Select this criteria: From ANY of these senders

To do this: Find messages where at least one of the specified parties is the recipient of the message. Use if you want to match only messages received by specific parties.
Select this criteria: To ANY of these recipients

To do this: Find messages where all of the specified parties are the recipient of the message. Use if you want to match only messages where all of the parties are recipients.
Select this criteria: To ALL of these recipients

To do this: Using the From ANY of these senders criteria to identify the senders, find messages only where one of the specified parties is a recipient of the message.
Select this criteria: From ANY of these senders & To ANY of these recipients

To do this: Using the From ANY of these senders criteria to identify the senders, find messages only where all of the specified parties are a recipient of the message.
Select this criteria: From ANY of these senders & To ALL of these recipients

To do this: Find messages exchanged between the selected roles or departments. Use if you want to find messages exchanged between any member of a role or department and any member of another role or department.
Select this criteria: Between ANY of these role/department pairs

Note: A "sender" is the name shown in the FROM field of the message. A "recipient" is a name shown in any of the TO, CC or Bcc fields.

Date-Based Searching

Entering Sent or Archive date-based search criteria:

1. From the Date/Time list, choose the type of date criteria. To search based on the date messages were sent, choose Send Date.
   - or -
   To search based on the date messages were added to the archive, choose Archive Date.
2. Leave the default of "any date" or choose one of the following modifiers:

   To specify the date that messages must have been sent on, choose On.
   To specify the last date that messages must have been sent on, choose Before.
   To specify the earliest date that messages must have been sent on, choose After.
   To specify the earliest and the latest date that a message must have been sent on, choose Between.
   To specify messages sent during the current week, choose This Week.
   To specify messages sent during the current month, choose This Month.
   To specify messages sent during the current year, choose This Year.
   To specify messages sent during the last specific number of days, choose Last 30 days, Last 90 days or Last year.

   The system displays the appropriate number of calendar fields (for example, if you chose Between, it will display two fields).
3. Click in the appropriate calendar field, then click the desired date. Use the arrow keys if necessary to navigate through months and years.
   Note: Between date range criteria are inclusive of the end dates. All other date range criteria are exclusive of the specified date. If you specify a search for anything between today and tomorrow, messages from both days will be included. If you specify a search for anything before or after today, today's messages are NOT included.
4. Click Search.

To enter Disposition or Retention date-based search criteria:

1. From the Date/Time list, choose the type of date criteria: To search based on the date messages can be disposed, choose Target Disposition Date.
   - or -
   To search based on the date messages were archived for indefinite retention, choose Indefinite Retention.
2. Choose the date as above.

Note: You cannot search based on target disposition date if searching within a legal hold, since all items in the legal hold have the same disposition date.

Communication Flow-Based Searching

From the Flow list, choose:

- Internal (messages sent between people within the company)
- Inbound (messages sent from an external address)
- Outbound (messages sent by someone within the company to at least one external address)

InfoTag-Based Searching

In the InfoTags area, click beside one or more InfoTags. Clicking sets one of three possible states: selected, excluded and not selected.

- Select InfoTags to retrieve any messages tagged with any of the selected InfoTags (for example, if you select both News and Travel, you retrieve messages tagged with either of those InfoTags).
- Exclude InfoTags to ignore messages tagged with any of the excluded InfoTags.

Working with Search Results

This chapter explains the various functions that can be performed on messages retrieved by a search. It includes the following topics:

- How Search Results are Presented
- Working with Messages Found by a Search
- Message Properties
- Saving Results in Archive Folders

How Search Results are Presented

By default, the messages found by the search are listed on the left of the search screen, and, once a message is selected, the Preview of the selected message appears on the right. The toolbar can be used to change this.

Note: Messages from social networks or other sources are identified by a unique icon.

The list shows basic information about 15 messages at a time, sorted by the criteria specified in your preferences (see "Setting Preferences" on page 7). To move through the pages of a multi-page result list, use the navigation buttons at the bottom of the list.

Note: If your search retrieves many matches, consider narrowing your search criteria to avoid having to navigate through pages.

The results list is temporary and will be replaced by your next search. To gather the results for further analysis, save the search results in a folder: see "Saving Results in Archive Folders" on page 24.