Using Office 365 IM Conversation Records for eDiscovery

Posted on August 28, 2018 by Tony Redmond in Microsoft Teams, Office, Office 365 with

The Exciting World of eDiscovery

eDiscovery is an activity based on seeking answers to questions. Who did something and when did they do it? Who was involved? How were they involved? Where is the evidence and how strong is the evidence? And so on.

Lots of Data to Search

When it comes to performing eDiscovery in an Office 365 tenant, a lot of data is available to search to find answers. The two basic workloads, Exchange and SharePoint, began adding compliance features in their 2010 on-premises versions.

The on-premises technology is now largely superseded by newer and more capable cloud-specific implementations in the Office 365 data governance framework. For example, content searches are much faster and more capable than their on-premises counterparts because they can search multiple locations. Office 365 retention policies make sure that all workloads keep information based on the same criteria. Some older methods, like Exchange litigation holds, continue in use, but overall, Office 365 is a good place to go hunting for information.

Compliance Records for Communications

Given that an increasing number of organizations use Teams for internal communications and that Teams will replace the Skype for Business Online client, anyone interested in eDiscovery needs to understand how the two applications record information that might turn up in searches. As summarized in Table 1, both Skype for Business Online and Teams capture records for text-based communications (Skype calls these IM, Teams uses chats or conversations). Neither application captures compliance records for video or audio content.

Application Mailbox folder Visible to Clients Record type
Skype for Business Conversation History Yes Threaded transcript
Teams (personal) Conversation History\Team Chat (personal mailbox) No Individual items
Teams (channel) Conversation History\Team Chat (group mailbox) No Individual Items

Table 1: Conversation Items captured by Office 365 applications

The Conversation History\Team Chat folder is only available online. As mentioned in this article, you can use the PowerShell Get-MailboxFolderStatistics cmdlet to check the number of items in the folder. If you want to examine the items with a utility like MFCMAPI, make sure that your Outlook profile is not configured in Exchange cached mode as otherwise you will not see the folder contents.

Skype for Business Compliance Records

In the case of Skype for Business, the same method captures conversations for meetings and personal chats. Skype for Business records the interaction between people in a conversation in a transcript format. You can find the transcripts in the Conversation History folder in the mailbox of each participant. In fact, depending on the length of the conversation and other factors, several versions of a transcript might exist. For eDiscovery purposes, you always look for the most recent version as that holds the most complete record.

Teams Compliance Records

Teams takes a different approach to capture compliance records for conversations. As people contribute to conversations, Teams takes copies of each contribution using “the Office 365 substrate” (in this case, Exchange Online) to create mailbox items. These copies are compliance records. The “real” chat data stays in the Teams chat service on Azure.

Items for personal chats go the Team Chat folder in participant mailboxes while items captured for channel conversations are in the same folder in group mailboxes. Teams captures records in phantom mailboxes for messages sent by hybrid users with on-premises mailboxes or guest users.

For example, if you have a conversation in in General channel of the “Planning 2018” team, compliance records are in the Conversation History\Team Chat folder of the “Planning 2018” group mailbox. If you then have a conversation in the Budget channel in the same team, the records also go into the same folder. In other words, all the compliance records for all channels in a team go into the same folder.

There is nothing wrong with having all the records for a team gathered in one place. The compliance items are safe from interference because clients do not reveal the folder in their user interface. The items are indexed and  discoverable, and the most interesting information in a compliance record is likely to be the content.

Figure 1 shows the results of an Office 365 content search. The results include records captured for personal chats and channel conversations. The difference between personal chats (labeled IM) and records for channel conversations is obvious. Compliance records for channel conversations include the team and channel name in titles. The exception is for records for conversations in the General (default) channel as these do not include the channel name in the title.

Teams compliance records

Figure 1: Searching for Teams compliance records (image credit: Tony Redmond)

What is not so good is that if you want to find the original item in place within a channel, the information recorded in the item does not tell you the name of the channel. Instead, you get a number (like 1512994553582) generated by Teams. In fact, this number is the reply chain identifier and you can use it to find all the messages that make up a conversation.

If you are lucky and the topic includes a title, you see that too. In short, if an investigator wants to understand the ebb and flow of a conversation, they might have to search all channels in the team (manually) using the date and time of a found item to recover all the compliance records for the conversation and be able to see how a discussion developed.

Transcripts versus Individual Records

The format used for compliance records creates another eDiscovery challenge. Because Skype for Business conversations are time-limited (in other words, they finish), the application can generate a complete transcript showing the full context of the conversation. Figure 2 shows an example. If an eDiscovery search uncovered this item, an investigator can easily understand how the conversation develops between the two participants and what they discuss.

Skype IM conversation transcript

Figure 2: A Skype for Business Online conversation transcript (image credit: Tony Redmond)

Teams conversations are persistent. They are open-ended and can restart at any time, which then means that it is harder to create a transcript like the form used by Skype for Business. Teams therefore captures compliance records as a series of items, one for each contribution. Although the items are fully searchable, the fact that multiple individual items exist for a conversation creates a reassembly challenge for investigators.

Take the example where a search uncovers an interesting item from a Teams conversation. The content of the item might be enough for the investigation, but it is more likely that the investigators need extra information to understand how the conversation developed. They must therefore retrieve items captured before and after the item of interest and then assemble the items in time order to create the kind of transcript available in Skype for Business Online. This is a manual process.

The problem with manual processes is that they are both expensive and open to challenge in court. To satisfy a judge, it is likely that investigators must prove that they have the correct items (and did not omit any) and present the information in the correct order. Although I know how to use Skype for Business transcripts in legal actions, I have not yet experienced how the legal eagles deal with search results from Teams.

Compliance is Difficult

Generally speaking, compliance is a difficult and costly topic. The growing amount of data accumulated through computer interactions makes it harder for searches to find precisely the right information. On the upside, Teams captures information about conversations that is searchable. The downside is that the transition from Skype for Business Online to Teams might make searching and satisfying lawyers just a bit harder.

Follow Tony on Twitter @12Knocksinna.

Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.

Tagged with , , , , , ,