Handling Deleted E-mail Messages during e-Discovery Processing

By June 5, 2012Articles

Most mailboxes contain both active and deleted e-mail messages. By “deleted e-mail messages”, I am referring to messages that were permanently deleted. For example, a message that was deleted using SHIFT+Delete in Outlook or a message that was deleted from the “Deleted Items” folder. In some e-mail platforms, deleted e-mails are not immediately purged and can easily be recovered. For example, Ms Outlook does not purge deleted e-mail messages from a Personal Storage Table (PST) file until the PST is compacted.

When it comes to handling deleted e-mail messages, e-Discovery processing software typically fall into two camps:

Software Solutions That Only Process Active E-mails:

Some e-Discovery processing software solutions only extract and process active e-mails. For example, products that use Messaging Application Programming Interface (MAPI) to access Ms Outlook e-mails would typically only retrieve and process active e-mails and disregard permanently deleted (but not yet purged) messages. Please note that these software tools still process the contents of the “Deleted Items” folder since e-mails in this folder are not yet permanently deleted.

Software Solutions That Process Both Active and Deleted E-mails:

Some e-Discovery processing products process both active and permanently deleted (but not yet purged) e-mail messages by default. These tools usually employ their own processes to parse mailboxes.

As you can imagine, it is crucial to have a good understanding of how the e-Discovery software or service provider that you use handles deleted e-mails. Depending on the case, it may or may not be desirable to process deleted items. Consider the following example scenarios:

  • Opposing counsel produces a PST containing responsive e-mails. As it turns out, they conducted a manual review of the mailbox within Outlook (bad idea), deleted e-mails that were privileged or non-responsive and produced the PST file without compacting it. In this scenario, whether or not deleted e-mails are included in e-Discovery processing would determine if the inadvertently produced privileged and non-responsive e-mails would make their way into your review database.
  • Similar to the first example above, an attorney from your firm opened and reviewed a PST file within Outlook without consulting with the litigation support department (again, bad idea). He deleted the e-mails that were privileged and gave you the PST for processing and production. Unless the processed data set is reviewed one more time by the attorney before production, processing deleted e-mail messages in this scenario can result in inadvertent production of privileged documents.
  • Mailboxes of multiple custodians were forensically collected from each custodian’s local computer. Some of the mailboxes contain deleted e-mails that are relevant to the case. In this scenario, you could miss critical information unless deleted e-mails were included during e-Discovery processing.

Conclusion

  • It is critical to know how your e-Discovery software or service provider handles deleted e-mail messages. Lack of this information can result in missing critical documents or inadvertent production of privileged information.
  • If possible, it is recommended to use software that provides the flexibility to specify how you would like to handle deleted e-mails on a case by case basis. Otherwise, you may find yourself looking for a different solution depending on case requirements.
  • In-house litigation support teams as well as outside service providers should pay attention to mailboxes that produce much less content than their size implies. A big discrepancy usually points to a large amount of deleted e-mails that were not purged.
  • When working with e-Discovery service providers, make sure to indicate your preference regarding how deleted e-mails should be handled.
Arman Gungor

About Arman Gungor

Arman Gungor is a certified computer forensic examiner (CCE) and an adept e-Discovery expert with over 21 years of computer and technology experience. Arman has been appointed by courts as a neutral computer forensics expert as well as a neutral e-Discovery consultant. His electrical engineering background gives him a deep understanding of how computer systems are designed and how they work.