Magazine Article | January 23, 2008

Beyond E-Mail: Performing Reconnaissance On Your Own Network

Source: Field Technologies Magazine

Avoid e-discovery woes related to file shares by implementing document management software.

Integrated Solutions, February 2008

Many of those who wear their e-discovery scars as badges of honor may feel they have conquered the e-mail beast and can collect key witnesses' hard drives in their sleep. However, these battle-tested warriors need to beware of lurking danger elsewhere in the enterprise — file shares.
File shares often go by many names — file servers, home directories, U drives (any letter assigned to a mapped file server), among others — and virtually every organization relies on them to some degree. Individual users typically have space reserved on a file share for their own network storage. They may also utilize this space as a mini disaster recovery site. Users typically upload or synchronize their 'My Documents' folders and PST or NSF e-mail archive files in the same manner. There are bound to be countless examples of parties who have certified that all e-mail was searched and produced (focusing on e-mail servers and desktops), only to have missed the file servers.
File servers sometimes serve as landfills for data that has no clear destination (typically because no one supplied IT with a policy for how to handle various collections of data that they deal with all the time). For example, if a user resigns and leaves a company, IT will generally collect the contents of their hard drive and post it to a file server, giving that person's manager a link to the data.
Perhaps an even more common usage of file servers is for departments or working groups to designate a folder on a file share as a central repository. This practice can be incredibly efficient in facilitating collaboration; however, if the producing party has created an e-discovery system based solely on the concept of a 'custodian,' this kind of request can be problematic. For instance, just who is the custodian for a shared folder called 'Marketing' on a central file server that exists on the floor of a data center?

The Solution Is Document Management Systems
Today's leading document management systems represent an excellent solution to this problem. These systems are constantly tracking, indexing, and reporting on files that are under management of the system. But what about the data that is not under management — the standard file share? It is perhaps inevitable that the only true method for classifying unstructured data residing on an unmanaged shared resource in a shared folder is to 'crack' open the files and analyze their content. A new family of applications is emerging to do just this.
There are now tools available that will 'snoop' or 'crawl' around on a network looking for responsive data in file shares (and other data types such as Exchange Servers and SharePoint iterations). During this phase, the application will discover these file shares and begin to create a topology based on metadata attributes of the file population. It is this kind of topology that is invaluable in helping legal teams navigate their obligations and negotiations pursuant to the new FRCP (Federal Rules of Civil Procedure).
These tools will also index the located file shares, read hundreds of disparate file types, and give you the ability to run enterprise-wide searches for keywords and other metadata attributes. An investigator can simply log in to a user interface and run searches against enormous populations of file shares and other data.
Once data that is responsive to an e-discovery process, internal investigation, security classification, or record retention criterion is located, these tools can perform a number of actions. If the data is slated for e-discovery preservation or collection, copies of the data can be made and placed in a secure evidence repository with full audit trails. If the files identified are of such a confidential nature that they should not even exist on unsecured storage media like file shares in the first place, the files can be locked down or even deleted. Finally, records managers, who are often challenged with environments that do not permit them to apply their record retention policies for want of technology powerful enough to get the job done, can now create classes of data and copy that data to true document management systems.
IT managers can deploy this type of application to identify files that have not been accessed for extended periods of time. They can then implement file virtualization — a process where the file's shell, or a pointer or stub, is left where the file existed (on expensive tier-one storage). The actual file is moved to a less expensive storage medium. This hierarchical storage management (HSM) often provides enough ROI via utilizing a lower tier of storage and reduced file share demand to fund the entire project.
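The metadata pass described above (mapping a share's file population, then finding files untouched for long periods) can be sketched in a few lines. This is an added example, not code from the article or from any product it alludes to; the function name `inventory_share`, the 365-day staleness threshold, and the per-top-level-folder grouping are assumptions.

```python
import os
import stat
import sys
import time
from collections import Counter, defaultdict

MAIL_ARCHIVE_EXTS = {".pst", ".nsf"}  # e-mail archive types the article names
STALE_DAYS = 365  # assumed cut-off for "not accessed for extended periods"


def inventory_share(root, now=None, stale_days=STALE_DAYS):
    """Summarise a mounted share per top-level folder from metadata only."""
    now = time.time() if now is None else now
    cutoff = now - stale_days * 86400
    report = defaultdict(lambda: {"files": 0, "bytes": 0, "types": Counter(),
                                  "mail_archives": [], "stale": []})
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        rel_dir = os.path.relpath(dirpath, root)
        # Files sitting directly in the share root are grouped under "."
        top = rel_dir.split(os.sep)[0]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow links off the share
            except OSError:
                continue  # unreadable or vanished mid-scan; skip, do not abort
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower() or "(none)"
            entry = report[top]
            entry["files"] += 1
            entry["bytes"] += st.st_size
            entry["types"][ext] += 1
            if ext in MAIL_ARCHIVE_EXTS:
                entry["mail_archives"].append(rel)
            # atime is often frozen by noatime/relatime mounts, so a file counts
            # as stale only when both access and modify times are old.
            if max(st.st_atime, st.st_mtime) < cutoff:
                entry["stale"].append(rel)
    return dict(report)


if __name__ == "__main__":
    for folder, e in sorted(inventory_share(sys.argv[1]).items()):
        print(f"{folder}: {e['files']} files, {e['bytes']} bytes, "
              f"{len(e['mail_archives'])} mail archives, {len(e['stale'])} stale")
```

The scan only calls `lstat`, so it does not open files or disturb access times that a later preservation step may rely on.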