cancel
Showing results for 
Search instead for 
Did you mean: 

Discovery accelerator results

Hi everyone, I have a question about Discovery Accelerator

I'm new to DA (I've got as far as installing it in the lab, configuring, starting to read the Admin guide and setting up a new case, but I've not done any searches yet). Now a colleague who uses DA for legal discovery has presented me with a scenario

My colleague wants to search for emails sent from several people, during a date range, searching for certain words or expressions 

They want the results to reflect only emails sent by the target users, but the results seem to show emails both sent and recieved. My colleague believes this is incorrect

In the Search parameters page, I see the Search Terms as 'Subject or content' and below that, 'From' is specified, with users listed, following the format 'c:user name goes here'

When I review the search results I can see an email that is From a completely different user, sent TO one of the users I specified in the From field

 

Can anyone help me understand where I'm going wrong?

 

1 Solution

Accepted Solutions
Accepted Solution!

Hmm.... I know I responded to

Hmm.... I know I responded to this post a few minutes ago, but it's not showing up.

 

EVSpinner, the search criteria screen shot looks to have the criteria properly configured.  The issue I see as the cause is likely the SMTP addresses used by the 3 custodians you've specified.

By default, DA will use only the SMTP address(es) of the chosen custodians in the search criteria.  As such, the SMTP addresses of your 3 custodians will be listed in the criteria passed to the search engine along with the subject or content and date range criterial

Now, DA does a literal pattern match on any criteria passed to the search engine.  As such, an SMTP address for another author that contains the SMTP address of one of the 3 custodians would cause a match to occur.  For example.  Let's say that custodian Craig (C:Craig) has an SMTP address of 'Craig.Smith@mydomain.local'.  Let's also say that there is another author with an SMTP address of 'James.Craig.Smith@mydomain.local'.  Any emails sent by James Craig Smith would be included in the items captured by the search because his SMTP address contains the SMTP address of custodian Craig.  The search criteria would match on the 'Craig.Smith@mydomain.local' portion of James's SMTP address, thus causing it to be included in the search hits.

Take a close look at the SMTP address of the author of the unexpected hit (or authors of those hits).  I believe you'll see this is the cause for their inclusion in the captured items.  If this is the cause of those hits and you must be able to exclude them, you'll need to run a new search in a new case or research folder with the SMTP address(es) of the unexpected author(s) excluded (i.e., -James.Craig.Smith@mydomain.local) on a separate line (each).

If you find this does not explain your unexpected hits, please open a support case so we can provide a tool to use to capture the indexed metadata of those unexpected hits and to configure captures of the search criteria in a new search using the same criteria as the search in which those items were captured.

View solution in original post

5 Replies

can you post a screen shot of

can you post a screen shot of your search criteria page?  Would be easier to help if we could see the screen.

https://www.linkedin.com/in/awsterling/

Thanks Tony

Thanks Tony

 

scr1.png

Accepted Solution!

Hmm.... I know I responded to

Hmm.... I know I responded to this post a few minutes ago, but it's not showing up.

 

EVSpinner, the search criteria screen shot looks to have the criteria properly configured.  The issue I see as the cause is likely the SMTP addresses used by the 3 custodians you've specified.

By default, DA will use only the SMTP address(es) of the chosen custodians in the search criteria.  As such, the SMTP addresses of your 3 custodians will be listed in the criteria passed to the search engine along with the subject or content and date range criterial

Now, DA does a literal pattern match on any criteria passed to the search engine.  As such, an SMTP address for another author that contains the SMTP address of one of the 3 custodians would cause a match to occur.  For example.  Let's say that custodian Craig (C:Craig) has an SMTP address of 'Craig.Smith@mydomain.local'.  Let's also say that there is another author with an SMTP address of 'James.Craig.Smith@mydomain.local'.  Any emails sent by James Craig Smith would be included in the items captured by the search because his SMTP address contains the SMTP address of custodian Craig.  The search criteria would match on the 'Craig.Smith@mydomain.local' portion of James's SMTP address, thus causing it to be included in the search hits.

Take a close look at the SMTP address of the author of the unexpected hit (or authors of those hits).  I believe you'll see this is the cause for their inclusion in the captured items.  If this is the cause of those hits and you must be able to exclude them, you'll need to run a new search in a new case or research folder with the SMTP address(es) of the unexpected author(s) excluded (i.e., -James.Craig.Smith@mydomain.local) on a separate line (each).

If you find this does not explain your unexpected hits, please open a support case so we can provide a tool to use to capture the indexed metadata of those unexpected hits and to configure captures of the search criteria in a new search using the same criteria as the search in which those items were captured.

View solution in original post

Really appreciate the help

Really appreciate the help guys, thank you both very much for your time

Just to update this. A

Just to update this. A support cases was raised with Symantec as changing from Custodian to SMTP address for the FROM search variable did not change the search results. Symantec helped to surface metadata which showed that in fact the results were correct. When we ran a search it was expected to only see results FROM the listed Custodian or SMTP users, but we saw results TO as well. It transpires that an incorrect name space was being added to the Journal messages coming out of Exchange. For anyone else experiencing odd DA results and finds this post, Kenneth's post above describes thoroughly the processes involved - if you pick FROM it should return FROM results. If you get weird results outside of this, be aware the scenario I've experienced could be a factor. Cheers all