External email EV search

tad_17
Level 3
Hi, Looking for a bit of help. I need to search EV for a particular email sent to or from an external email, i.e. somebody@gmail.com. I know I can do this in the advanced search function, but can I use the 'EV Search Task' to do this? Thanks, Triona
1 ACCEPTED SOLUTION

Accepted Solutions

JimmyClearwell
Level 5
Employee Accredited Certified

Hello tad_17,

 

The aforementioned info that Jriemsma posted is correct in how to create an EV Search Task to search by email address. However, the Search emails by feature is only available when searching an EV Mailbox Archive Source and NOT an EV Journal Archive Source. I wanted to make the difference because you previously mentioned selecting an EV Journal Source.

 

  • If you perform EV Mailbox archiving, you can utilize the Search emails by feature to search by external email.
  • If you only perform EV Journal archiving, you could utilize the Keyword search filter IF you're searching for external email included in the body of an email, otherwise, I believe the search doesn't include the email header info. 

 

I hope the info I provided comes in handy. If so and you feel that your question has been answered, kindly mark the post as solved :)

Best Regards,
James Harris
Business Critical Engineer Veritas eDiscovery Platform
Business Critical Services
Veritas Technologies LLC

11 REPLIES

AndrewB
Moderator
Partner    VIP    Accredited

I think you would be best served by Discovery Accelerator or Clearwell. Do you have either of those?

tad_17
Level 3

Yes, sorry, I am using Clearwell to collect from EV. Do I just add the external email address as a custodian? It is showing up in my employee list then, which doesn't seem right.

Daly
Level 5
Partner Employee Accredited Certified

Hello tad_17,

Under EV Search Tasks it has the tab 'Filtering', this would allow you to filter by:

  • Sender or Recipient (To, From, CC, BCC)
  • Sender (From)
  • Recipient (To, CC, BCC)

If you've not processed the collection set, it won't be possible to search under advanced search to do this as the EV data will not be present in the eDiscovery platform.

 

tad_17
Level 3

Hi Daly Whyte,

Thanks for your reply. Our system is synched with Active Directory so when I filter by Sender or Recipient etc I get the employee list. Do I add the external email address to the employee list? 

Apologies, I know I am missing something obvious here.. 

Daly
Level 5
Partner Employee Accredited Certified

Hello tad_17,

 

Where are you doing this filtering? This needs to be at the collection task level, as you set up the search parameters for the EV collection task.


Please let me know if this is what you're already doing or if I am misunderstanding.

tad_17
Level 3

Hi Daly Whyte,

 

Yes I am doing the filtering at collection task level. The steps I'm taking are as follows:

  • Selecting Case
  • Collections Ribbon
  • Collections task
    • Enterprisevault Journal
    • Selecting archives
  • Under filtering tab:
    • Clicking 'Browse' under 'Email to custodian mapping'  - this is where I'm unsure if I add the external email address here as a custodian? 

 

Hope this makes sense?

 

 

JRiemsma
Level 3

You're close.

You haven't mentioned what version of Clearwell you are using, but we are running 8.0.  I don't think this dialog has changed since 7.1.3 though.

So, you

  1. Create your EV Search Task
  2. You will be on the Edit/View Task tab in the Archives sub-tab. Here you select either the specific archives you want to search, or an entire vault store(s)
  3. In the same row as the Archives sub-tab, select the Filtering tab.
  4. A third tab row appears.  You are now in Edit/View Task > Filtering > Sender / Recipient
  5. Here you can enter the gmail address you wanted to find and select one of 3 radio buttons.  I would leave the Option 1 default which will find both inbound emails and responses to that address.
    1. Sender or Recipient
    2. Sender
    3. Recipient
  6. Save and Start your collection task.

I've attached a screenshot showing all the tabs I'm referring to.

Edit: The screens are the same if you are doing an actual collection, instead of an EV Search task.

JimmyClearwell
Level 5
Employee Accredited Certified

Nearly forgot to include screen shots from the EV Search Task that I ran in my CW v80 lab.

  • Here's how I used the Search by email feature:

Ev Search Task  - Search by email.png

  • Here's the result as shown in the Sample Preview:

EV Search Task  - Sample Preview.png

Best Regards,
James Harris
Business Critical Engineer Veritas eDiscovery Platform
Business Critical Services
Veritas Technologies LLC

tad_17
Level 3

Jimmy Harris you are right, I was trying to do the search over an EV Journal Archive Source. 

Thanks everyone for your replies.

JRiemsma
Level 3

Thanks for clarifying that Jim.  I just have one more informational comment related to searching for a gmail account specifically. 

1. Under Gmail > Settings > Accounts and Import, a gmail user can add additional (valid) e-mail addresses which they own to their gmail account.  Gmail allows them to send e-mails from these other accounts.  If they 'reply' to an e-mail from within gmail, the reply always comes 'from' the address it was sent to.  However, if they were trying to be deceptive, they could just forward an e-mail.  On a forwarded e-mail they can select any of their other e-mail addresses as the address to send from.  This type of e-mail should still get caught in an e-mail search, but would not show up in a sender/recipient search.

2. If you are sending to a gmail account 'someone@gmail.com', you can append +sometext to the end, e.g. someone+fake1@gmail.com, and the e-mail will still be delivered.  Gmail just ignores the text after the '+'.  This trick is commonly used to register to sites or services multiple times using the same gmail account.  It could also be used to send to 'someone@gmail.com' and potentially avoid identification by software like Clearwell if the investigator is only searching for the exact email address of the gmail account.
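
An added example, not part of the thread and not Clearwell or Enterprise Vault code: a reviewer-side check that canonicalises Gmail addresses before comparing them, so plus-tagged variants match in a sender/recipient pass and an address that only appears in forwarded text is still found by a body pass. It goes slightly beyond the post by also folding dots in the local part and the googlemail.com domain, both of which Gmail treats as equivalent; the function names and the sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")

def canonical(addr):
    """Lower-case an address; for Gmail, drop any '+tag' and dots in the local part."""
    local, _, domain = addr.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def match_kind(raw_message, target):
    """Return 'header', 'body' or 'none' for where the target address appears."""
    msg = message_from_string(raw_message)
    want = canonical(target)
    fields = []
    for name in ("From", "To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    # Sender/recipient pass: compare canonical forms, not exact strings.
    if any(canonical(a) == want for _, a in getaddresses(fields) if "@" in a):
        return "header"
    # Keyword-style pass: the address may survive only in forwarded text.
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            found = ADDR_RE.findall(part.get_payload())
            if any(canonical(a) == want for a in found):
                return "body"
    return "none"

# Constructed sample messages (not real data).
SAMPLES = {
    "plus_tag": "From: employee@example.com\nTo: someone+fake1@gmail.com\n"
                "Subject: files\n\nSee attached.\n",
    "alias_forward": "From: alias@example.net\nTo: employee@example.com\n"
                     "Subject: Fwd: files\n\n---- Forwarded message ----\n"
                     "To: someone@gmail.com\nSee attached.\n",
    "unrelated": "From: employee@example.com\nTo: vendor@example.org\n"
                 "Subject: invoice\n\nThanks.\n",
}

def classify_all(target):
    return {name: match_kind(raw, target) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    print(classify_all("someone@gmail.com"))
```
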