Google Apps Vault is an add-on for Google Apps that lets you retain, archive, search, and export your organization’s email for your eDiscovery and compliance needs. If you’ve never worked with this kind of software before it can be intimidating. This is part 2 of a series to help Google Apps Administrators to understand the basics of Google Vault.
Part 2 – Investigation using Google Vault
Terms to know:
1) Matter – In Google Apps Vault, a matter is a container for all of the data related to a specific topic, such as a litigation case or investigation. A matter includes:
- Any saved search queries
- A list of accounts with data on litigation hold
- A list of the accounts that can access the matter
- Any export sets for the matter
- An audit trail for the matter
2) Litigation Hold – If a user deletes held data, the data is removed from the user’s view, but it is not deleted from Google servers until the hold is removed. You can access held data in Google Apps Vault via search.
Signing Into Google Vault:
You can sign in to Google Apps Vault only if your organization’s Google Apps administrator has granted you access to the service.
To sign in:
- Go to https://ediscovery.google.com
- Sign in with your Google Apps username and password.
Creating Matters:
Note: Before you create a matter, you should determine what to name it. If your organization doesn’t already have a naming convention for matters, it should establish one to ensure that every matter’s name clearly identifies its purpose (such as the associated litigation case).
To create a matter:
- Click Create. The Create New Matter dialog appears.
- Provide a name and description for the matter and click Create new matter.
To add or remove collaborators:
After you create a matter, you might want to share it with other individuals who are working on the same case and need to view the data you gather. For example, a legal assistant might create a matter and search for data, and then share the matter with counsel, who need to view and export the search results.
To add a collaborator:
- Click on the matter name to open it.
- Click Share in the upper right corner of the screen. The Sharing Settings dialog appears.
- In the Add people field, specify the users you want to add as collaborators in this matter. Click Save and close.
To remove a collaborator:
- Open the matter.
- Click Share. The Sharing Settings dialog appears.
- In the Permissions field, find the collaborator you want to remove and click the Remove button next to that collaborator.
- Click Save & Close.
Search Mail Data:
After you create a matter, you can search your domain’s Gmail data for information related to the matter.
To search for data within a matter:
- Click on the matter name to open it.
- Click Search in the left pane. Fields for the search appear.
- In the Source field, select one of the following:
  - All data: Search all data in your organization’s Google Apps account.
  - Held data: Search all data on litigation hold for the matter.
  - Unprocessed data: Search the metadata of attachments that could not be indexed.
- Specify one or more search terms in the Terms field. You can use search operators to build complex queries (e.g. to:administrator@test.com, from:smithj@test.com or subject:Hello World).
- Specify one or more user accounts to search in the Accounts field.
- Note: If you don’t specify any users, Google Apps Vault searches the data of all user accounts that exist within the Source you specified.
- Provide values for any combination of the remaining search fields to focus your search.
- Click the Search button.
- Google Apps Vault displays up to the 25 most recent items that match your search.
- If your search returns more than 25 items, use Next and Prev to navigate multiple pages of results.
- Note: Expired messages are available in archive search results for up to 30 days before the messages are permanently expunged.
- To perform a new search, click Search in the left pane.
View search results:
When you search for data in Google Apps Vault, your results appear in a list on the Search page. The list shows the following for each message or document:
- The title of the result
- The owner of the result
- The date the result was created
You can view a short portion of each result without opening it by clicking Snippet view above the result list.
Note: Expired messages are available in archive search results for up to 30 days before the messages are permanently expunged.
Click a search result to open it.
Viewing an email result:
When you open an email result, the message’s entire conversation is displayed. Messages that contain the text of your search query are expanded, and messages that do not contain the query are collapsed. Click the heading of a message to expand or collapse it.
To view basic header information for a message, click show details.
To view a message in its entirety, including all header information, click original.
To print an individual message, click print. To print all messages in a conversation, click Print all.
Export Search Results:
If you need to provide your search results to a third party, you can export them to files. You can export results for any account, including those that aren’t on litigation hold.
The file format of the exported results depends on the data type you export. Each set of results you export also includes a metadata file, an exception report, and file checksums.
To export search results:
- From your list of search results, click Export results. The Export to file dialog appears.
- Enter a name for the export. Then click Begin Export.
- The Exports page appears and displays the status of your export. You can continue working within Google Apps Vault while the export is in progress.
- The status of your export refreshes periodically. You can also refresh the status at any time by clicking Refresh.
- When your export is complete, you’ll see a green checkmark next to the name of your export.
To download your exported search results:
- After the export completes, click View completed files under the name of your export.
- If your export has completed and you don’t see this link, try refreshing the page.
- Click the Download link next to a file to download it.
How Vault Exports Data:
Gmail data is exported to an MBOX (.mbox) file. MBOX is an industry-standard mailbox format that stores one or more exported messages in a single text file. You can open an MBOX file in:
- Some email programs, such as Mozilla Thunderbird. If your email program can’t open MBOX files, you can convert the files to another format, such as PST (Microsoft Outlook Personal Storage), using a third-party utility.
- A text editor, such as Microsoft Notepad or Wordpad. Usually, you’ll be able to see the headers, sender, recipients, subject, and body text for each message. However, file attachments appear in their encoded form only, so you can’t view them in a text editor.
- Some litigation support systems. Some of these systems include email conversion tools.
Note: Google Apps Vault exports data to a single MBOX file, up to just under 10 GB, which you can transfer to physical storage. If you export more than 10 GB of Gmail data, Google Apps Vault creates multiple MBOX files.
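As an added example (not part of the original article and not Google's tooling), this Python code records a SHA-256 digest of a downloaded MBOX export for chain-of-custody notes and inventories each message with its decoded attachments, which a text editor shows only in encoded form. The function names and the sample message are constructed for illustration, and the code does not read Vault's own checksum file, whose format the article does not describe.

```python
import hashlib
import mailbox
from email.message import EmailMessage


def file_sha256(path, chunk_size=1 << 20):
    """Hash the export in chunks; a single MBOX can approach 10 GB."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def inventory_mbox(path):
    """Return one record per message: key headers plus decoded attachments."""
    records = []
    box = mailbox.mbox(path, create=False)  # fail if the file is missing
    for msg in box:
        attachments = []
        for part in msg.walk():
            name = part.get_filename()
            if name is None:  # body text or multipart container
                continue
            payload = part.get_payload(decode=True) or b""  # undo base64
            attachments.append({"name": name, "size": len(payload),
                                "sha256": hashlib.sha256(payload).hexdigest()})
        records.append({"from": msg["From"], "to": msg["To"],
                        "subject": msg["Subject"], "attachments": attachments})
    box.close()
    return records


def build_sample_mbox(path):
    """Write a constructed one-message MBOX standing in for a real export."""
    msg = EmailMessage()
    msg["From"] = "smithj@test.com"
    msg["To"] = "administrator@test.com"
    msg["Subject"] = "Hello World"
    msg.set_content("Body text")
    msg.add_attachment(b"quarterly figures", maintype="application",
                       subtype="octet-stream", filename="report.bin")
    box = mailbox.mbox(path)
    box.add(msg)
    box.close()  # close() flushes the message to disk
```

Run `file_sha256` on the download before opening it in any mail client, since some clients modify MBOX files in place.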
Litigation Holds:
To place a user account on litigation hold:
- Create or open the matter that the hold applies to.
- Click Preserve in the left pane.
- Click the Create Hold button.
- In the text field, provide the display name or email address of the user account(s) you want to place on hold.
- Click Add users.
Each account you place on hold is listed by email address. You’ll see a progress bar for each account that indicates the percentage of data that has been placed on hold for that account.
To remove a litigation hold from a user’s account:
- From Preserve, select the checkbox to the left of the user’s email address.
- Click Remove hold.
Which data is preserved in a litigation hold?
- All email messages and attachments in the user’s mailbox at the time the hold is placed, including messages in Sent Mail, Drafts, Trash, and Spam.
- Any on-the-record chat messages in the user’s mailbox at the time the hold is placed.