Investigations and Holds

Once you have completed onboarding to the eDiscovery portal, you can access all the features the portal provides to manage your organization's data. In addition to enabling or disabling users and creating new retention policies, you can also customize the portal settings.

Investigation

An Investigation, or case, is a legal probe into certain email communications or documents. When there is a legal case, probe, or investigation pertaining to email communication, the organization needs to retain all the related emails until that investigation is completed or closed. Zoho Mail groups Investigations under three categories:

  • Open - Investigations in progress
  • Closed - Completed investigations
  • Trashed - Investigations deleted by the admins

The eDiscovery administrator creates a new Investigation to manage the entire investigation cycle. An Investigation may also be required for an internal investigation.

Create Investigation in Zoho Mail

Follow the instructions below to create a new email investigation:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to the Investigations section to view or create investigations.
  3. Click the Create Investigation button.
  4. Provide the Investigation name and a detailed description.
  5. Click Save. The investigation gets created.

You can now do the following actions in the Investigation you created:

  • Search - Search archived emails based on specific criteria. You can save any number of searches to create Holds or export emails.
  • Hold - Create one or more holds based on different conditions, as required for the investigation. The emails that are placed on Hold via investigations will not be deleted even after the expiry of the retention period defined by default or custom retention policy.
  • Export - Use this tab to export the emails which fall under a saved search or a hold.
  • Tags - Create tags to group emails based on the requirements of the investigation.
  • Audit logs - The activities performed by admins in a particular investigation can be viewed under the Audit logs tab of that investigation.

With Zoho Mail, administrators can create multiple searches based on preferred conditions. Creating multiple searches allows admins to reuse the same set of conditions and create Holds as per their requirements. Search helps you try various saved search conditions on the email data, preview results and validate these searches before creating the holds. 

Best practices for email investigations:

  • Before you create a Hold, list the criteria required for the particular investigation.
  • Based on the various criteria, create different search conditions.
  • If the saved search needs to be reviewed by the legal, compliance, or admin teams, share it and get it reviewed before you create a Hold.

To create a search, follow these steps:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to the Investigations section and create a new investigation or select an existing one.
  3. From the Searches tab, click New Search.
  4. Enter a name for the search in the Saved Search name field.
  5. Select the desired account type:
    • All accounts - All user accounts and shared mailboxes will be included.
    • Specific user accounts - Admins can search for emails in one or more user mailboxes by entering their addresses in the User mailboxes field.
    • Specific shared mailboxes - Admins can perform a search in a specific shared mailbox alone by entering its address in the Shared mailboxes field.
  6. If required, select Include spam emails and Only deleted emails checkboxes.
  7. Select the start and end dates for the search or choose a preset range from the drop-down.
  8. If you have any Tags created, select the appropriate tag for this search.
  9. In the Condition query field, select the conditions with which you'd like to perform the search and enter the search key respective to the condition.

    Note:

    You can perform a search with multiple conditions, in which case the results returned will match all of the conditions that you have set for the search. In other words, an AND search will be performed. Refer to the Tips to search archived email section for more details.

  10. You can either Preview results or click Save search.

Tips to search archived email

  • If you choose the To condition and enter the search key times.com, then choose the Cc condition and enter the search key technews.com, and finally pick the Has attachment condition, the results returned will be emails that have attachments, were sent to times.com, and were Cc'd to technews.com. Only the emails that match all three of the entered conditions will be returned as results of this search.
  • To search for an exact phrase, enter the search key in double-quotes. For example, if you choose the condition Contains and enter the search key as "media information", only the emails that contain the exact words 'media information', in that exact sequence will be returned as results. In case there are emails with the words 'information media', those will not be returned as results.
  • If you want to search for emails that have words beginning with specific terms, add an * (asterisk) to the end of those terms. For example, if you want to search for emails that contain words beginning with the term gat, choose the parameter and enter the search key as gat*.
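
The tips above can be checked offline against downloaded EML files before a Hold is created. The following is an added example, not Zoho Mail code: a local Python model of the AND, exact-phrase and prefix (*) rules, run over constructed messages. The tokenization, case-insensitivity and domain matching for To/Cc keys are assumptions, and all function names are hypothetical.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

def words(text):
    return re.findall(r"[a-z0-9']+", text.lower())

def contains(text, key):
    """One Contains key: "exact phrase", prefix*, or a single word."""
    w = words(text)
    if len(key) > 1 and key[0] == key[-1] == '"':
        phrase = words(key[1:-1])
        n = len(phrase)
        return n > 0 and any(w[i:i + n] == phrase for i in range(len(w) - n + 1))
    if key.endswith("*"):
        return any(x.startswith(key[:-1].lower()) for x in w)
    return key.lower() in w

def check(msg, name, key):
    if name in ("To", "Cc"):
        # Assumption: a key such as times.com matches the address or its domain.
        addrs = getaddresses([str(v) for v in msg.get_all(name, [])])
        k = key.lower()
        return any(a.lower() == k or a.lower().endswith("@" + k) for _, a in addrs)
    if name == "Has attachment":
        return any(True for _ in msg.iter_attachments())
    if name == "Contains":
        body = msg.get_body(preferencelist=("plain",))
        return contains(body.get_content() if body else "", key)
    raise ValueError(f"unsupported condition: {name}")

def matches(msg, conditions):
    """Multiple conditions are ANDed: every one must hold."""
    return all(check(msg, name, key) for name, key in conditions)

def sample(to, cc, body, attach=False):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["To"] = to
    if cc:
        m["Cc"] = cc
    m.set_content(body)
    if attach:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename="sample.bin")
    return m

QUERY = [("To", "times.com"), ("Cc", "technews.com"), ("Has attachment", None)]
MAILBOX = [
    sample("editor@times.com", "desk@technews.com", "media information attached", True),
    sample("editor@times.com", "desk@technews.com", "information media kit", False),
    sample("editor@times.com", None, "open the gate", True),
]

if __name__ == "__main__":
    for m in MAILBOX:
        print(m["To"], matches(m, QUERY))
```

To run the same checks on a file downloaded from the portal, parse it with email.message_from_bytes(data, policy=email.policy.default) and pass the result to matches().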

Administrators can Export the data matching the search criteria by clicking the Export search results button. Clicking the button triggers the action, which is then listed under the Exports tab along with its current status. Once the status shows completed, you can download the file in ZIP or PST format. To know more about the actions, refer to Exports.

Holds

Each Investigation will retain emails based on one or more holds as needed for the Investigation. A Hold retains the email that is required for the investigation, based on a specific set of conditions. Since a single investigation or case may require retaining different sets of emails based on various conditions like the subject, received time, sender, attachments, custodians and so on, there may be multiple Holds created for each Investigation.

Once a Hold is created, the emails that are part of the Hold will be retained for as long as the Hold exists. The steps to create a Hold are as follows:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Investigations and open the investigation for which you wish to create a Hold.
  3. From the Holds tab, click New Hold.
  4. Specify the Hold name and choose the appropriate options for the hold.
    • All accounts / Specific user accounts / Specific shared mailboxes
    • Include spam emails, Only deleted emails
    • Select the start and end dates or choose a preset range from the drop-down.
    • Add Tags if required
    • Select one or more condition queries
  5. Click Preview results or Save hold.

Administrators can Export the data matching the hold criteria by clicking Export hold results. Clicking the button triggers the action, which is then listed under the Exports tab along with its current status. Once the status shows completed, you can download the file in ZIP or PST format. To know more about the actions, refer to Exports.

View / Download an email (EML format)

You can view or download emails either from a saved search or from a Hold. To view or download the content of the emails, follow the steps below:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to a saved search or a hold.
  3. From the Searches tab, provide the Conditional query to filter the emails and click on Preview results to view all the emails that match the query.
  4. Select the email you want to view from the list.

Download an email in EML format

  1. Click Show Original in the top right corner to view the original message.
  2. Options to Download full Content or Copy to clipboard / Show full content are available on top of the message.
  3. Click on Download full Content to export an email in .eml format.

Exports

The results of a Hold or a Saved Search can be exported by the administrator whenever required. These exports will be listed under the Exports tab with their current status. To quickly export a saved search or hold, navigate to the corresponding tab, hover over the search/hold and click the export icon. Provide a name and password for the export, select the export file type and click Ok. The export gets scheduled.

To create a new export, follow these steps:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to Investigations and open an existing investigation.
  3. Select the Exports tab and click New Export.
  4. Enter a name for the export and select the desired account type:
    • All accounts - All user accounts and shared mailboxes will be exported.
    • Specific user accounts - Admins can export one or more user mailboxes by adding the users in the User mailboxes field.
    • Specific shared mailboxes - Admins can export a particular shared mailbox by adding its address in the Shared mailboxes field.
  5. If required, select the Include spam emails checkbox.
  6. Choose a preset range from the drop-down or select Custom range.
  7. Select the start and end dates for the export if you chose custom range.
  8. Add one or more Condition queries as per your requirement.
  9. Encrypt the export with a password to prevent unauthorized access to your data.
  10. Select ZIP or PST and click Export.
  11. Click Ok in the confirmation dialog that appears.
  12. Click the export to see a preview of the export details.

The export process may take some time depending on the file size. Once the status shows completed, you can download the exported file by clicking on the link given.

Tags

In a specific investigation, you can choose to tag emails from the search preview or the hold preview. To create a tag and apply it to an email, follow the instructions below:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to the Investigations section, and select the relevant investigation.
  3. Select the Tags tab.
  4. Click Create Tag, enter a tag name, pick a color, and click Save.
  5. Alternatively, select a saved search or a hold from the Searches or Holds tab.
  6. Click the Preview Results option.
  7. Select the checkboxes next to the emails that you want to tag.
  8. Select the Tag As option and choose the relevant tag.
  9. These tagged emails can also be viewed from the Tags section. Click on a particular tag and all the emails associated with that tag will be listed.

Audit logs for an investigation

Once you have created an investigation, you can also view all the related activity in the Audit logs tab, inside that particular investigation.

Steps to view the audit logs related to a particular investigation

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Investigations and open the relevant investigation.
  3. Navigate to the Audit logs tab.
  4. Enter the dates within which you would like to view the activity.
  5. Select the checkboxes next to the actions that you would like to include. You can narrow down your search by unchecking the irrelevant checkboxes.
  6. Select the Preview audit option to view the activity or click the Download audit option to download the activity onto your machine.

Note:

The Audit logs displayed here pertain only to the activities performed with respect to the selected investigation. There is a separate Audit logs section to view or download the activity for the entire eDiscovery portal.

Recovery Emails

Email Recovery is a feature by which an administrator can restore lost or accidentally deleted emails from the archive back to the user's mailbox. As an administrator, you can choose either 'all user accounts' or 'specific user accounts' to recover and restore the archived emails back to the mailbox, when required.

Steps to recover an email from eDiscovery

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Recovery under the Data Management section.
  3. Insert a name relevant to the case under the Recover emails tab.
  4. Select the desired account type:
    • All accounts - Recovers the emails in all user accounts and shared mailboxes.
    • Specific user accounts - Admins can recover selected user mailboxes by adding the users in the User mailboxes field.
    • Specific shared mailboxes - Admins can recover a particular shared mailbox by entering its address in the Shared mailboxes field.
  5. Click the drop-down menu to select a preset range or a Custom range for which you want to recover the emails.
  6. Specify the Start and End dates for the recovery if you chose the Custom range option.
  7. Insert the search criteria under the Condition query.
  8. Enter a folder name to which you wish to recover the emails.

    Note:

    Emails that satisfy the recovery conditions will be restored to this new folder under the "eArchiveRestored" folder. If a folder already exists with the entered folder name, emails will be restored to that folder.

  9. Select the checkboxes as per your requirement:
    • Include spam emails - Choose this option if you want to recover the spam emails for the entered condition query.
    • Only deleted email - Recovers only the deleted emails that match the condition query.
  10. Choose Preview results, if you wish to ensure the search conditions are matched.
  11. Click Recover to restore the emails back to the user mailbox.

Note:

On recovering an email from eDiscovery, the mail will be restored back to the user mailbox while retaining a copy of the same in the archives. However, the copy of the mail will be deleted from backup.

Recovery History

All the recovery actions performed, along with their details, are logged chronologically under the Recovery History tab. By default, the Retention history will be cleaned up after 90 days. However, the cleanup duration can be set by the admin under the Settings tab.

Expunge Emails

Expunge is a feature that allows an administrator to delete a particular email from the user's mailbox. As an administrator, you can delete an email with or without a user request (for example, in the case of virus or phishing emails).

Steps to expunge an email from eDiscovery

Follow these steps to expunge emails:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Expunge under the Data Management section.
  3. Provide a name relevant to the expunge case under the Expunge emails tab.
  4. Select the desired account type:
    • All accounts - All user accounts and shared mailboxes will be included in the expunge.
    • Specific user accounts - Admins can delete a particular user mailbox by adding the user in the User mailboxes field.
    • Specific shared mailboxes - Admins can delete emails in shared mailboxes by entering its address in the Shared mailboxes field.
  5. Include spam emails, if applicable. This will include spam emails as well in the search.
  6. Specify the start and the end dates for the search and mention the search criteria.
  7. Perform conditional search to filter out an email from the user’s archive.
  8. Click Preview Results to view the filtered emails.
  9. If the results match, click on Expunge to delete the mail from the user's mailbox.

Note:

On Expunge, the mail will be deleted from the user's mailbox. However, a copy of the mail will be retained in the Archive.

Expunge History

All the expunge actions performed, along with their details, are logged chronologically under the Expunge History tab.

Export And Purge

The Export and purge section under Data Management lists all the export & purge operations performed by the administrator along with the current status of the action. Admins can create a new export and purge from here. It may take some time to complete this action depending on the file size. Once the exported file is ready for download, the status will be shown as completed. Click on the file to view the details and the download link. The exported file will be cleaned up after 90 days and so, it is recommended to download the file within the said period.

The Export & Purge action permanently and irrevocably removes the data from the eDiscovery portal and leaves no copy behind, so it is highly recommended to download the exported file promptly. It also deletes emails that are on hold or whose retention period has not yet expired, so this option needs to be used with caution.

Note:

The export and purge action can be used to manage the eDiscovery storage of users. If a user's storage nears the maximum limit, you can either purchase additional storage or export and purge old emails to free-up storage space. Navigate to the Manage eDiscovery Storage section to create a new export and purge.

Audit logs

All the actions of the administrators in this portal will be recorded in the Audit logs section. Instead of viewing the activity specific to an investigation, you can view all the activity in the eDiscovery portal here.
