By Eric P. Blank
Email is at the core of modern electronic discovery.
Attorneys want to know who sent what messages to whom, when those messages were sent and what those messages were about. For this reason, massive volumes of email are commonly exported for further processing and searching by e-discovery vendors.
With a little investigation, it may turn out that much or all of the original culling of email can happen right inside the company, on systems the company already owns and operates and by employees who do not charge hundreds of dollars per hour for extraction, sorting and offsite processing.
Consider the capabilities of Microsoft Exchange email. More likely than not, your company or client uses Exchange. Despite the existence of many fine competitive products, Exchange has about 65 percent of the business-messaging market.
It probably comes as no surprise to learn that your Exchange administrator can selectively pull out the entire contents of an individual’s mailbox. If your litigation hold plan requires maintaining the email of eight key employees, it’s a simple step to preserve the mailboxes associated with these employees on the Exchange server. Always remember that an individual may have more than one mailbox.
What you may not know is that your Exchange administrator can also, prior to exporting any messages, sort them in any number of ways supported by Outlook. For example, messages can be sorted by sender, recipient(s), date, “flag” status (e.g., “high importance”), category, read status, existence of attachments and so forth.
This means that Exchange, without any computer forensics assistance, can produce all emails sent or received by Jenny Jones between Dec. 1 and Dec. 31 that contain at least one attachment. Knowing these capabilities can save your client thousands of dollars in fees for clumsy bulk exporting and processing.
Exchange supports two additional sets of features that help lower electronic discovery costs. First, Exchange supports robust journaling features. Journaling allows Exchange to track and report message information such as delivery status, Bcc recipients, attachments and message header information that helps in backtracking messages.
Journaling is optional – that is, it may not be “turned on” – and has limitations that will be familiar to your email administrator. Still, when detail matters, check with the email administrator before investing in costly metadata mining by a computer forensics or e-discovery vendor.
Second, and much less well known, Exchange started supporting full-text indexing, including attachments, in its 2003 version. This means that your administrator may be able to find emails from Ms. Jones sent or received in December that merely mention Project Alpha. In other words, all the work of a crack e-discovery processing facility may be replaced by a few keystrokes at the administrative interface.
Note that full-text indexing, which is perceived as resource-intensive, is not normally active. However, always check before you call in outside experts to do a job you may be able to do internally. Remember too that keyword searches are no better than their search terms: email administrators, like outside vendors, need support crafting and reviewing search terms.
One final feature of Exchange is its administrative cache (deleted-item retention). This tool, which was designed to turn administrators into heroes, permits email administrators to recover deleted emails. For example, if a user deletes an email and then goes into the Deleted Items folder and deletes the email again, the email is permanently irretrievable from the user’s perspective.
However, at the administrative interface, that email is visible and recoverable for a period of time that varies by Exchange settings. Typically, we’re talking about 60 days. So, again, why call in the forensics experts to scour a user’s hard drive for an email deleted last week when the email administrator can easily recover the email at the server level? It’s sort of like using a bazooka to kill a cockroach.
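The culling, keyword search and deleted-item recovery described above, as an added Exchange Management Shell example that is not part of the original article. It assumes Exchange 2010 (a later version than the ones the article names), whose Search-Mailbox cmdlet accepts AQS queries, and the custodian address, discovery mailbox and folder names are assumptions.

```powershell
# Added example (not from the article): Exchange 2010 Exchange Management Shell script
# for the "Jenny Jones" scenario: mail she sent or received in December 2009 that
# carries at least one attachment and mentions Project Alpha, including items still
# inside the deleted-item retention window ("dumpster").
# Assumed names: the custodian address, the discovery mailbox and the target folder.

$Custodian = "jenny.jones@example.com"      # assumed custodian address
$Target    = "Discovery Mailbox"             # assumed discovery mailbox (New-Mailbox -Discovery)
$Folder    = "Jones-Dec2009-ProjectAlpha"    # assumed folder created inside the target mailbox

# AQS query. "Sent or received" means the custodian is the sender or a To/Cc recipient;
# hasattachment:true enforces "at least one attachment"; the date range is Dec. 1-31.
# Dates follow the server's locale format (US mm/dd/yyyy assumed here).
$Query = '(from:"' + $Custodian + '" OR to:"' + $Custodian + '" OR cc:"' + $Custodian + '") ' +
         'AND received:12/01/2009..12/31/2009 ' +
         'AND hasattachment:true AND "Project Alpha"'

# 1. Confirm how long deleted items are retained before relying on server-side recovery;
#    the article's "typically 60 days" is a setting, not a guarantee.
Get-Mailbox -Identity $Custodian |
    Format-List Name, RetainDeletedItemsFor, SingleItemRecoveryEnabled

# 2. Preview first: count the hits and write a full log to the target folder, copy nothing.
#    This is where the search terms get reviewed before anything is produced.
Search-Mailbox -Identity $Custodian -SearchQuery $Query `
    -TargetMailbox $Target -TargetFolder $Folder -LogOnly -LogLevel Full

# 3. Copy the matching items, including those in the dumpster, into the discovery folder.
#    No -DeleteContent: the custodian's mailbox is left untouched for preservation.
Search-Mailbox -Identity $Custodian -SearchQuery $Query -SearchDumpster `
    -TargetMailbox $Target -TargetFolder $Folder -LogLevel Full
```

Step 2 is the cheap check the article recommends: the log shows how many items the terms match before any copying happens, so overly broad or misspelled keywords are caught on the company's own server rather than at the vendor.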
Long story short: Check with your email administrator before you pull out your checkbook. Much of the work that you planned on paying an e-discovery provider to do may already be done. Even if you or your client don’t use Exchange, many similar features exist on competing platforms.
One final thought: “Easily” does not mean “effortlessly.” Give your email administrator a break by recognizing his or her workload and resource limitations. It may be that you turn to outside help not because you cannot do it internally, but because your internal IT staff is already overstretched, or because authentication testimony is particularly important and you want the job done by an objective outsider.
Eric P. Blank is the founder and managing attorney of Blank Law + Technology PS. His practice focuses on electronic discovery counseling, e-security response planning and implementation, investigations and computer forensics. Mr. Blank has conducted more than 300 investigations into computer and software-related torts and employee misconduct since 2001 and has frequently been a court-appointed special master or neutral in e-discovery matters.