Posted on: September 01, 2016in Blog
Uncovering Enterprise Vault Stub Files and Their Missing Attachments
Most people are generally unaware of Enterprise Vault Shortcuts (aka “stub files”) until they find their way into document collections, reviews or ultimately productions. If you encounter stub files before or during a document review it is important to have a basic understanding of what they are and how to identify any that may be lurking in your ESI collection.
What is a stub file in Enterprise Vault?
For the purpose of this article, stub files are shortcut files created by Symantec Enterprise Vault (“EV”). EV is used by organizations to archive and store ESI - specifically email messages and attachments. Using a defined rule set, EV moves messages and/or attachments from the user’s mailbox into the EV archive location. What’s left behind in the user’s mail-store is a stripped down message without attachments or graphics, which is a message that is a stub of its former self.
To the IT professional this may seem wonderful, as it reduces the size of the mailbox. However, to a lawyer or an eDiscovery professional that needs to review the full message with its attachment(s), it may not be ideal.
eDiscovery Best Practices: Identify Collected Stub Files
Talk to your client’s IT department and inquire if they use EV or another archiving solution. This may seem obvious, but it’s a question or point of inquiry that is often overlooked.
Some large organizations have many locations in which email can reside; such as Office 365, email servers or locally on the custodian’s workstations. Be sure to identify all of these locations from your client so you can direct the collection of ESI.
During review you come across an email that states “see attachment for x” and there is no attachment. This may be an indication that the message was stubbed.
Another indication could be an image file that displays a “@” symbol in the attachment line, but the file is presented as a single file without attachments. The commercial @ symbol is one way to identify it’s an EV stub.
Metadata searches may be the quickest way to identify a larger set of stub files. Searching for all files containing “EnterpriseVault” in the Message Class field may yield the stubbed files. Building on these results, the user can create a series of searches to assist with identifying stubs with full email matches and stubs without matches. Some examples of the full verbiage of message class for stub files are:
There are dozens of stub message classes but the three examples listed above seem to be the most common.
Locate Missing Attachments from Email Archives
How does one get the full message with the attachment? One solution may be to collect directly from the EV archive. Depending on the organization’s document retention policy, the full message and its attachments may be hiding in plain sight. Additionally, the user may have a separate mail-store archive on a network share, removable drive or stored locally that has the complete message.
Once again, talk to your IT department and find out how EV operates within the organization. This is the best way to ensure all files, if available, have been collected.
Considerations for Stub Files During Document Review
It is possible that inconsistent coding may result in a stub being marked responsive and the complete message the opposite or vice versa. Don’t assume that if a stub is relevant or not privileged that its full counterpart is as well. An attachment may contain privileged material or the un-truncated message may contain work product.
Again, the best options to remediate are recollection or a full search of the collected data and hopefully the full emails are captured in one of the many archives in the custodian’s mailbox. There is a chance that it can be found as a loose file somewhere on the custodian’s home drive or local drive.
Document any steps or discussions around the process used to address stubbed messages. It may be something that is shared with the court or opposing parties if stubs ever become an issue.
The best time to address stubs (or the potential of them) is during collection and prior to the start of review. Be sure to talk about it within your team and you may even consider raising the topic with the opposition to get in front of any questions. At the end of the day, always remember: the legal standard is reasonableness, not perfection.
D4 Weekly eDiscovery Outlook
Power your eDiscovery intellect with our weekly newsletter.
Posted April 12, 2018
Recent Accolades Reinforce Why D4’s Powered by People
Posted April 05, 2018
Checking Out Batches in Relativity
Posted March 29, 2018
Control the Cost of eDiscovery: Do You Know What to Outsource?
Posted March 22, 2018
Quick Guide to Coding Records in Relativity
Posted March 15, 2018
From One End to the Other: The True Benefits of an End-to-End eDiscovery Solution
Posted March 08, 2018
Helpful Tips and Tricks for Searching in Relativity
Posted March 01, 2018
7 Tips for Managing Remote Teams for eDiscovery Projects
Posted February 15, 2018
Types of eDiscovery Data to Consider for Your Retention Policy
Posted February 15, 2018
Guide to GDPR Success
Posted February 08, 2018
What is eDiscovery? 4 Common Questions for Beginners