Exchange 2010 e-discovery. How does it work

Here is a good overview/tutorial on e-Discovery in Exchange 2010: http://msmvps.com/blogs/andersonpatricio/archive/2009/05/15/using-exchange-server-2010-e-discovery-multi-mailbox-search.aspx

You do not necessarily need archiving enabled for e-discovery, you just won't necessarily have all the emails you require for auditing if you do.

Archiving is done on the server side, so it is independent of your Outlook client.

I saw that article already. It just goes through some basic features and show you how to find emails. It really does not explain how e-discovery works. Like I said, where are these emails being stored if you do not enable archiving. The Transport Dumpter? If so, how long do they stay there. Just looking for a good article that explains all the mechanics of how e-discovery function.s

Also, archiving is stored on the server  but you need Outlook 2010 to take advantage of the archiving feature.

The Archives are stored in the same mailbox database as the regular mailboxes: http://www.howexchangeworks.com/2009/08/archive-mailbox-in-exchange-2010.html

This has changed with SP1. You can now direct archives to a separate database and tiered storage. Also, archiving and e-discovery appear to be separate entities. You don't need one to have the other I am guessing. I just want something that explains in details how the e-discovery process works on the backend.

I don't believe such documentation exists.  The closest would be what TechNet has: http://technet.microsoft.com/en-us/library/dd335072.aspx

Some of the processes on the backend of Microsoft Servers (like Exchange and SharePoint) are not publicly documented.  (Some of them aren't even documented well internally for Microsoft, for ex: I worked with Microsoft support on a SharePoint service issue and was basically told the service was a black hole with little to no documentation on how it operates).

Fair enough but if my CIO asks me how it works, a black hole will not be an acceptable answer. This is one of the better articles I have seen but still does not answer the technical part of it. An example. I have a test environment as mentioned with about 5 mailboxes. Archiving is not configured on any of them. I sent a message to a paricular mailbox. After sending the message, I deleted it from Sent Items, emptied my Deleted Items Bin, and removed it from Recoverable Deleted Items. Did the same thing on the recipients mailbox so there is no trace of the message, yet, an e-discovery search revealed the message. OK, where did Exchange get this from. A simple question I have not found the answer to yet. My first quess is the transport dumpter. If so, do I need to increase some settings on this to include more emails? I think its important to know because when it doesn't work, you need to know how to fix it and you won't be able to.

Items deleted (from the user end) aren't really gone until Exchange cleans them up.  They still exist in the users mailbox storage, they just cannot see them and they don't count against them in their storage limits.  Here are details on that: http://support.microsoft.com/kb/249680.  You can configure the settings around this if necessary.

Just FYI: http://support.microsoft.com/kb/249680, granted this article applied to Exchange 2000, it is the same principle used for all versions of Exchange.

Here is some more updated documentation for 2007, still looking for 2010: http://technet.microsoft.com/en-us/library/aa997206(EXCHG.80).aspx

The default for both Exchange 2007 and 2010 is that it retains items for 14 days.

I haven't looked at these articles yet, but if you are talking about Deleted Items Retention, yeah the default I think is 14 days for users but I did flush this out as I stated. After emptying my Deleted Items Bin, I then deleted all the contents in Recover Deleted Items by highlighting the Deleted Items Bin, selecting Tools, and then Recover Deleted Items. From there I deleted everything that the server was holding so the message should have been erased from existence at that point.

In 2010, it has been enveloped into the Retention Policy management: http://technet.microsoft.com/en-us/library/dd297955.aspx

Like I mentioned previously, the emails aren't completely purged until the cleanup processes run.  Until that time, the eDiscovery software can find it, even though it isn't accessible otherwise.

OK, so if that is the case, I guess I am back to my original question which I think I know the answer to already. Do you need to enable Archiving to have effective e-discovery and it looks lkie the answer is yes because this "e-Discovery" that 2010 has is just a search engine on existing emails. Once the Deleted Items retention policy expires, the emails are gone so I guess you need to have all emails archived and not let the users mess with the archives so you have historical data to search through. I am guessing you can search through archived mailbox with the e-discovery tool.