Here at Technology Pointe we work with a lot of law firms and thus have been involved in lots of discovery situations, specifically email. There is often a fundamental misunderstanding of how email is retained and controlled. Unfortunately most people do not understand why IT cannot snap their fingers and recover every email related to the discovery criteria.
Most of the following content applies to Microsoft's Office 365 as well (differences are noted where possible), but is written from the standpoint of a company having either an in-house or hosted Exchange server.
Deletions, Dumpsters and Purges
The process of deleting emails in Exchange involves multiple stages. The phase most users are familiar with is the classic deleting from the inbox (or another folder) and the message going to deleted items. When you want to delete a message from Delete Items, it goes to another hidden folder called the Dumpster. This is user accessible via a Recover Deleted Items option it Outlook or Webmail/Web Access. Once a message resides in the dumpster, the next step depends on the company's email policies. The default Exchange setting is that it can be recovered for the next 14 days before it is purged permenantly from the system and becomes unrecoverable except via backup. If there is currently a litigation hold set on the mailbox any messages in the dumpster will be stored there permenantly until litigation hold is removed.
On Office 365, the maximum dumpster age is 30 days.
For any companies with compliance requirements, retention policies are a must have. Exchange provides server side settings to enforce retention of data.
eDiscovery with Exchange
Exchange 2010 and newer provide a convenient eDiscovery search tool that lets you target multiple mailboxes as well as multiple search terms, and provides a way to neatly package searches for export, including a log