eDiscovery integration guide
Available in:
Overview
The Code42 platform provides powerful tools for performing eDiscovery. This article explains the conceptual foundations of eDiscovery, how the Code42 platform can be leveraged to support it, and then guides you through concrete examples that you can adapt to your needs.
Considerations
Our Zapproved partnership enables you to use Zapproved to manage your legal hold process. Learn more about how to integrate Code42 and Zapproved for eDiscovery.
We recommend that you have the following knowledge and skills (or be willing to learn):
- The Code42 API
- Shell scripting
- Command line usage
- Basic programming concepts and skills
Support
For help working with the Code42 API, contact your Customer Success Manager (CSM) at csmsupport@code42.com to engage the Code42 Professional Services team. Or, post your question to the Code42 community to get advice from fellow Code42 administrators.
Data-related tasks supported by this article
There are overlaps between eDiscovery, data governance, analytics, and data visualization. Since these tasks have similarities and support each other, it is important to understand the following definitions:
- eDiscovery refers to the process of discovery in legal cases when the information is in electronic format.
- Data governance refers to the ways in which an organization attempts to minimize its compliance risk as well as to make sure that data is properly managed, kept secure, utilized effectively, etc.
- Analytics is the search for and presentation of useful patterns and information in data. Business intelligence, planning, metrics, and many other business activities are supported by analytics.
- Data visualization is one of the ways to present the findings and data gathered by analytics. It uses graphs, charts, and other visual aids to communicate the significance of patterns in data.
eDiscovery summary
eDiscovery consists of a number of steps and functions. The following diagram depicts the general workflow:
You may engage in some but not all of the steps, elect to carry out the steps in a different order, or cycle back to earlier steps.
Here is a list of the steps with associated sub-goals, for easy review:
- Identification:
- Beginning the legal hold process
- Locating and verifying potential sources.
- Preservation: ensuring protection against inappropriate alteration or destruction.
- Collection: gathering for further use in the eDiscovery process.
- Processing: searching and converting into forms more suitable for review and analysis.
- Review: evaluating for relevance and privilege.
- Analysis: evaluating for content and context, including key patterns.
- Production: delivering data in appropriate forms.
- Presentation: displaying results / reports.
eDiscovery functions and features
The following table explains how the Code42 platform's features can be used to accomplish tasks for each of the steps in the eDiscovery process.
| Step | Functional requirement | Code42 for Enterprise feature or resource |
| Identification | Verify or find users |
|
| Place users on legal hold |
Add custodians to a matter in the Legal Hold web app |
|
| Preservation / Collection | Change deleted file retention period | |
| Change archive retention period (also known as cold storage) |
|
|
| Change user roles |
|
|
| Change file inclusions/exclusions | ||
| Deactivate users |
|
|
| Deactivate computer |
|
|
| Deauthorize computer (require user to sign in again) |
|
|
| Process / Review / Analyze | Search for filename or folders of interest across archives | Search using Code42 File Search web app |
| Search for MD5 across archives | Search using Code42 File Search web app | |
| Analyze restore activity |
The following Code42 API resources:
|
|
| Analyze version history |
The following Code42 API resources:
|
|
| Production | Restore files |
|
| Restore archives |
|
|
| Restore versions |
|
|
| Presentation | Generate MD5 report |
|
| Generate files and versions report |
|
|
| View user restore history |
|
Remove custodians, archives, or devices
The following table explains how the Code42 platform's features can be used to remove custodians, archives, or devices from your Code42 environment.
| Code42 feature or resource | Code42 for Enterprise feature or resource |
|
Release from legal hold |
|
| DoD-wipe/shred (secure delete) |
Set system property using the Code42 API:
|
| Purge Archive |
|
Additional API information
- Code42 API Documentation Viewer
- The online API Documentation Viewer provides you with the latest documentation.
- All resources are described in detail, including methods, arguments, parameters, and examples.
- Sample Code on the Code42 GitHub site
- These code examples can provide useful examples that you can adapt to your needs.
- Contact your Customer Success Manager (CSM) at csmsupport@code42.com to engage the Code42 Professional Services team for help with adapting code examples or for the creation of customized scripts. Or, post your question to the Code42 community to get advice from fellow Code42 administrators.
- Code42 API Overview
Examples
The following examples are meant to provide insight into how the Code42 platform can be integrated with eDiscovery functions. As examples, they are not guaranteed to be suitable for any eDiscovery process without modification, review, and approval by your organization's compliance officer.
Restore history report with the administration console
As part of the eDiscovery process, you may need to determine who has restored files from a particular organization and when the restores occurred. To do this, perform the following steps:
- Sign in to the administration console.
- (Versions 6.5 and later) From the administration console, go to Organizations > Active.
(Versions 6.0.x and earlier) Select Organizations from the navigation menu. - Select an organization.
The Organization Details appear. - Click the number of Restores to view the Restore History page.
- From the action menu, select Export All to download the restore history as a CSV file.
Search the logs
As part of the eDiscovery process or other forensics needs, you may need to search the system logs of your Code42 server or the logs stored on your endpoint devices running the Code42 app.
Code42 app logs
You can access Code42 app logs in the following ways:
- Have the user send you the Code42 app logs.
- Access the device remotely and acquire the logs from the specified directory.
- From the administration console:
- Select Devices.
- Select a device.
The Device Details appear. - From the action menu, select Retrieve Logs.
- Find the logs in on your authority server in the client log directory.
Code42 app log example
The endpoint file system is the only place to find a persistent copy of the path names of the files restored by a Code42 app-initiated restore. The information is stored in the file restore_files.log.*, which can be retrieved using the console as described above, or by accessing the endpoint device file system. Here is an example of the information available about the path names of restored files:
I 03/05/14 06:01AM 622091232443159553 Starting restore from CrashPlan PROe Server: 1 file (80KB) I 03/05/14 06:01AM 622091232443159553 Restoring files to /Users/joe.johnson/Desktop I 03/05/14 06:01AM 622091232443159553 /Users/joe.johnson/Desktop/test.pdf I 03/05/14 06:01AM 622091232443159553 Restore from CrashPlan PROe Server completed: 1 file restored @ 26.6Kbps
Advanced log file analytics with third party tools
Log files also can provide a source of data for third-party data analysis and visualization tools such as Splunk. We provide instructions on integrating your Code42 platform with Splunk. You can also forward your Code42 server's logs to a Splunk server.
List of devices from the Reporting web app
You may need to produce a list of all active (or deactivated) devices as part of the eDiscovery process.
To create and download a list of all active devices in your Code42 environment:
- Sign in to the administration console.
- Navigate to the Reporting web app.
- (Version 6.5.x and later) Choose Reporting in the left menu.
- (Version 6.0.x and earlier) From the application selector in the upper right, choose Reporting.
- Select the Device Status report.
- Under Device Status, choose either Active or Deactivated.
- Click Run Report.
Custom scripts
The code examples below are meant to provide examples of the use of the Code42 API in ways that can support eDiscovery. Code42 does not provide any guarantee on the suitability of any script or code example for any particular application. Contact sales about engaging our Professional Services team for assistance with custom scripts.
Script 1: Traverse the restore tree for a specific file
Purpose
This script can be used to traverse or "walk" a restore tree for a particular file or folder that is located on a storage server, in order to gather metadata about those files and folders.
Considerations
Only available in Code42 environments with private storage servers.
In depth
The technique used in this script could be used as part of an effort to investigate which files have been restored from the archives of a particular storage server. This could be useful in an eDiscovery effort to find out which files and versions of files have been accessed by initiating a restore. Restores initiated by a user using the Code42 app, as well as restores initiated by an admin from the administration console (web restores and push restores), can be analyzed in this manner.
The process of traversing the restore tree is summarized below. Please see the actual script for the full details. This script is a good basis for an application for searching the restore tree for a particular destination or storage server.
- Enter the authority server's URL and your admin credentials.
- Enter the source GUID of the device you wish to investigate.
- The source device GUID must be known, but you can retrieve that using the search feature of the administration console, or use the "User" resource of the Code42 API to get a list of devices belonging to a user.
- Enter the GUID of the destination you are searching. This can be found on the Destinations Details of the administration console.
- The script outputs the data in JSON format for the storage server that contains the source device's archive.
- Enter the URL of the storage server you wish to search.
- Enter the authentication token if necessary.
- Enter the data key token for the session, to allow the storage server to use the data encryption key. The encryption key is necessary in order for the storage server to retrieve the desired metadata.
- From the list of restore sessions, choose and enter a particular restore session ID.
- The script outputs data in JSON format that includes the file ID for the root level folder.
- Enter the file ID for the root level folder of the restore session.
- The script outputs data in JSON format that includes all of the files and folders under the root folder.
- Choose and enter a file ID for a folder or file of interest.
- If you want to view metadata for a subfolder, repeat step 12 until you reach the level of the directory tree you wish to view.
- The file metadata in JSON format includes all available information for the file or folder, including:
- Creation date
- Last modification date
- Checksum
- Full path
- File size
- The file metadata in JSON format includes all available information for the file or folder, including:
Source code
You can download the latest version of the restore tree script from the Code42 GitHub site.
An in-depth example with sample output is also available.
Script 2: Automate push restores
Purpose
It may be necessary to perform push restores of select files or user data, in order to secure and preserve the data for eDiscovery.
In depth
Please read our article on automating push restores, which includes a sample script, detailed examples, and sample output with explanations.
Source code
You can download the latest version of the push restore script from the Code42 GitHub site.
Script 3: Data leak prevention and detection with the Code42 API
Purpose
This script monitors and protects the archives of selected users in your Code42 environment against unauthorized or suspicious restore activity.
In depth
Read the detailed article.
Source code
You can download the latest version of the restore watch script from the Code42 GitHub site.
Other Code42 API examples
Please browse the Code42 API examples on our GitHub site for more examples of ways to use the Code42 API in your eDiscovery projects.