Investigations and Holds

Once you are done on-boarding the eDiscovery portal, you will be able to access all the features that the portal provides to manage your organization's data. Additionally, you can now also customize the portal settings apart from enabling/disabling users and creating new retention policies.

Table of Contents

Investigation

An Investigation or a case is a legal probe against certain email communications or documents. When there is a legal case or a probe or an investigation pertaining to email communication, the organization needs to retain all the related emails until that investigation is completed/ closed. Zoho Mail groups the Investigations under three categories:

  • Open - Investigations in progress
  • Closed - Completed investigations
  • Trashed - Investigations deleted by the admins

The eDiscovery administrator creates a new Investigation to manage the entire investigation cycle. Sometimes the Investigation can be required for the purpose of internal investigation also.

Create Investigation in Zoho Mail

Follow the below instructions to create a new email investigation:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Navigate to the Investigations section to view or create investigations.
  3. Click the   Create Investigation button.
    create investigation
  4. Provide the Investigation name and a detailed description.
  5. Click Save. The investigation gets created.

You can now do the following actions in the Investigation you created:

With Zoho Mail, administrators can create multiple searches based on preferred conditions. Search helps you try various saved search conditions on your organization's data, preview results and validate these searches before creating holds. Refer to the below help pages for more details on how eDiscovery Search works.

Holds

Each Investigation will retain emails, messages and files based on one or more holds as needed for the Investigation. A Hold retains the data required for the investigation, based on a specific set of conditions. A single investigation or case may require retaining different sets of data based on various conditions. Hence there may be multiple Holds created for each Investigation. Refer to the below help pages for more details on Holds:

Exports

Admins can export the retained data whenever required. The list of export actions done by admins will be listed under the Exports tab with their current status. Refer to the below help sections for more details:

Tags

Create tags to group emails based on the requirements of the investigation. In a specific investigation, you can choose to tag emails from the search preview or the hold preview. Refer to the Create Tags help section for details.

Investigation Audit Logs

The activities performed by admins in a particular investigation can be viewed under the Audit logs tab of that investigation. Refer to the below help sections to learn more:

Recovery Emails

Email Recovery is a feature by which an administrator can restore lost or accidentally deleted emails back to the user's mailbox from the archival. As an administrator, you can choose either 'all user accounts' or 'specific user accounts' to recover and restore the archived emails back to the mailbox, when required.

Steps to recover an email from eDiscovery

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Recovery under the Data Management section.
    recover emails
  3. Insert a name relevant to the case under the Recover emails tab.
  4. Select the desired account type:
    • All accounts - Recovers the emails in all user accounts and shared mailboxes.
    • Specific user accounts - Admins can recover selected user mailboxes by adding the users in the User mailboxes field.
    • Specific shared mailboxes - Admins can recover a particular shared mailbox by entering its address in the Shared mailboxes field.
  5. Click the drop-down menu to select a preset range or a Custom range for which you want to recover the emails.
  6. Specify the Start and End dates for the recovery if you chose the Custom range option.
  7. Insert the search criteria under the Condition query.

  8. Enter a folder name to which you wish to recover the emails.

    Note:

    Emails that satisfy the recovery conditions will be restored to this new folder under the "eArchiveRestored" folder. If a folder already exists with the entered folder name, emails will be restored to that folder.

  9. Select the checkboxes as per your requirement:
    • Include spam emails - Choose this option if you want to recover the spam emails for the entered condition query.
    • Only deleted email - Recovers only the deleted emails that match the condition query.
  10. Choose Preview results, if you wish to ensure the search conditions are matched.
  11. Click Recover to restore the emails back to the user mailbox.
    recover emails

Note:

On recovering an email from eDiscovery, the mail will be restored back to the user mailbox while retaining a copy of the same in the archives. However, the copy of the mail will be deleted from backup.

Recovery History

All the recovery actions performed along with the details are logged chronologically under the Recovery History tab. By default, the Retention history will be cleaned post 90 days. However, the cleanup duration can be set by the admin under the Settings tab.

Expunge Emails

Expunge is a feature which allows an administrator to delete a particular email from the user's mailbox. As an administrator, you can either delete a mail with or without any user request (in case of any virus or phishing emails).

Steps to expunge an email from eDiscovery

Follow these steps to expunge emails:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Expunge under the Data Management section.
  3. Provide a name relevant to the expunge case under the Expunge emails tab.
  4. Select the desired account type:
    • All accounts - All user accounts and shared mailboxes will be included in the expunge.
    • Specific user accounts - Admins can delete a particular user mailbox by adding the user in the User mailboxes field.
    • Specific shared mailboxes - Admins can delete emails in shared mailboxes by entering its address in the Shared mailboxes field.
  5. Include spam emails, if applicable. This will include spam emails as well in the search.
  6. Specify the start and the end dates for the search and mention the search criteria.
  7. Perform conditional search to filter out an email from the user’s archive.
  8. Click on the Preview Results to view the filtered emails.
  9. If the results match, click on Expunge to delete the mail from the user's mailbox.
    expunge emails

Note:

On Expunge, the mail will be deleted from the user's mailbox. However, a copy of the mail will be retained in the Archive.

Expunge History

All the expunge actions performed along with the details are logged chronologically under Expunge History tab.

Export And Purge

The Export and purge section under Data Management lists all the export & purge operations performed by the administrator along with the current status of the action. Admins can create a new export and purge from here. It may take some time to complete this action depending on the file size. Once the exported file is ready for download, the status will be shown as completed. Click on the file to view the details and the download link. The exported file will be cleaned up after 90 days and so, it is recommended to download the file within the said period.

As the Export & Purge action will permanently and irrevocably remove the data from eDiscovery portal and leaves no copy behind, it is highly recommended to promptly download the file on time. It will also delete emails which are on hold or whose retention period is not yet expired, hence this option needs to be used with caution.
export and purge emails

Note:

The export and purge action can be used to manage the eDiscovery storage of users. If a user's storage nears the maximum limit, you can either purchase additional storage or export and purge old emails to free-up storage space. Navigate to the Manage eDiscovery Storage section to create a new export and purge.

eDiscovery Audit logs

All the actions of the administrators in this portal will be recorded in the Audit logs section. Instead of viewing the activity specific to an investigation, you can view all the activity in the eDiscovery portal here. Navigate to the corresponding help sections to learn more:

Note: You can choose All under the Service name section to view the audit logs for all the WorkPlace services.

Mail Audit Logs

Follow these steps to view the admin actions performed for Mail in the eDiscovery portal:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Audit Logs and choose Mail under service name.
    ediscovery audit logs
  3. Select the Start date and End date.
  4. If required select the desired user accounts to view the logs for specific users.
  5. Choose one or more actions for which you want to view the logs. The available options are:
    1. Select all actions
    2. Retentions
    3. Investigations
    4. Saved search
    5. Holds
    6. Exports
    7. Export and purge
    8. Search
    9. Tags
    10. Recovery
    11. Expunge
    12. Audits
    13. Filter
    14. eDiscovery settings
    15. Roles
    16. eArchive search
  6. Click Preview audit to view the logs.
    preview ediscovery mail audit logs
  7. Click Download audit to save the logs to your computer.
    download mail audit logs
  8. If required, encrypt the file with a password to prevent unauthorized access to your data and click Download audit.

You have successfully downloaded the eDiscovery Mail logs in CSV format.

Cliq Audit Logs

Follow these steps to view the admin actions performed for Cliq in the eDiscovery portal:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Audit Logs and choose Cliq under service name.
  3. Select the Start date and End date.
  4. If required select the desired user accounts to view the logs for specific users.
  5. Choose one or more actions for which you want to view the logs. The available options are:
    1. Select all actions
    2. Retentions
    3. eDiscovery settings
    4. Saved search
    5. Search
    6. Holds
    7. Exports
    8. Audits
  6. Click Preview audit to view the logs.
    preview cliq audit logs
  7. Click Download audit to save the logs to your computer.
  8. If required, encrypt the file with a password to prevent unauthorized access to your data and click Download audit.
    download cliq audit logs

You have successfully downloaded the eDiscovery Cliq logs in CSV format.

WorkDrive Audit Logs

Follow these steps to view the admin actions performed for WorkDrive in the eDiscovery portal:

  1. Log in to Zoho Mail Admin Console and select eDiscovery on the left pane.
  2. Select Audit Logs and choose WorkDrive under service name.
  3. Select the Start date and End date.
  4. If required select the desired user accounts to view the logs for specific users.
  5. Choose one or more actions for which you want to view the logs. The available options are:
    1. Select all actions
    2. Retentions
    3. eDiscovery settings
    4. Saved search
    5. Search
    6. Holds
    7. Exports
    8. Audits
  6. Click Preview audit to view the logs.
  7. Click Download audit to save the logs to your computer.
  8. If required, encrypt the downloaded file with a password to prevent unauthorized access to your data and click Download audit.
    download cliq audit logs

You have successfully downloaded the eDiscovery Cliq logs in CSV format.

Still can't find what you're looking for?

Write to us: support@zohomail.com