Overview
The CrashPlan platform provides powerful tools for performing eDiscovery. This article explains the conceptual foundations of eDiscovery, how the CrashPlan platform can be leveraged to support it, and then guides you through concrete examples that you can adapt to your needs.
Considerations
You should have knowledge of the following:
- The CrashPlan API
- Shell scripting
- Command line usage
- Basic programming concepts and skills
Support
For help working with the CrashPlan API, contact your Customer Success Manager (CSM) to engage the Professional Services team.
Terminology
There are overlaps between eDiscovery, data governance, analysis, and data visualization. Since these tasks have similarities and support each other, it is important to understand the following definitions:
- eDiscovery refers to the process of discovery in legal cases when the information is in electronic format.
- Data governance refers to the ways in which an organization attempts to minimize its compliance risk as well as to make sure that data is properly managed, kept secure, utilized effectively, etc.
- Analysis is the search for and presentation of useful patterns and information in data. Business intelligence, planning, metrics, and many other business activities are supported by analysis.
- Data visualization is one of the ways to present the findings and data gathered by analytics. It uses graphs, charts, and other visual aids to communicate the significance of patterns in data.
eDiscovery summary
eDiscovery consists of a number of steps and functions. The following diagram depicts the general workflow:
You may engage in some but not all of the steps, elect to carry out the steps in a different order, or cycle back to earlier steps.
Here is a list of the steps with associated sub-goals, for easy review:
- Identification:
  - Begin the legal hold process
  - Locate and verify custodians and archives
- Preservation: ensure protection against inappropriate alteration or destruction
- Collection: gather data for further use in the eDiscovery process
- Processing: search and convert data into forms more suitable for review and analysis
- Review: evaluate data for relevance and privilege
- Analysis: evaluate data for content and context, including key patterns
- Production: deliver data in appropriate forms
- Presentation: display results and reports
eDiscovery functions and features
The following table explains how the CrashPlan platform's features can be used to accomplish tasks for each of the steps in the eDiscovery process.
Step | Functional requirement | CrashPlan feature or resource |
Identification | Identify custodians and archives | |
Preservation and Collection | Create or confirm preservation policy | |
| Place users on legal hold | |
Process, Review, and Analyze | Analyze restore activity. Restore history details are restricted. You can view only the restore history to which you have access based on your role and permissions. | The following CrashPlan API resources: |
| Analyze version history | The following CrashPlan API resources: |
Production | Restore files | |
| Restore archives | |
| Restore versions | |
Presentation | Generate MD5 report | |
| Generate files and versions report | |
| View user restore history. Restore history details are restricted. You can view only the restore history to which you have access based on your role and permissions. | |
Remove custodians, archives, or devices
The following table explains how the CrashPlan platform's features can be used to remove custodians, archives, or devices from your CrashPlan environment.
Functional requirement | CrashPlan feature or resource |
Release from legal hold | |
Purge archive | |
Additional API information
- Sample Code on the CrashPlan GitHub site
  - Provides useful examples that you can adapt to your needs.
  - Contact your Customer Success Manager (CSM) to engage our Professional Services team for help with adapting code examples or for the creation of customized scripts.
- CrashPlan API overview
Examples
The following examples are meant to provide insight into how the CrashPlan platform can be integrated with eDiscovery functions. As examples, they are not guaranteed to be suitable for any eDiscovery process without modification, review, and approval by your organization's compliance officer.
Restore history report with the CrashPlan console
As part of the eDiscovery process, you may need to determine who has restored files from a particular organization and when the restores occurred. To do this, perform the following steps:
- Sign in to the CrashPlan console.
- Select Administration > Environment > Organizations.
- Select an organization from the Active tab.
  The Organization Details appear.
- Click the number of Restores to view the Restore History page.
  These details are restricted by role. You can view only the restore history to which you have access based on your role permissions.
- From the action menu, select Export All to download the restore history as a CSV file.
Search the logs
As part of the eDiscovery process or other forensics needs, you may need to search the logs stored on your endpoint devices running the CrashPlan app.
CrashPlan app logs
You can access CrashPlan app logs in the following ways:
- Have the user send you the CrashPlan app logs.
- Access the device remotely and acquire the logs from the specified directory.
- From the CrashPlan console:
  - Select Administration > Environment > Devices.
  - Select a device from the Active tab.
    The Device Details appear.
  - From the action menu, select Retrieve Logs.
  - Find the logs in the client log directory.
CrashPlan app log example
The endpoint file system is the only place to find a persistent copy of the path names of the files restored by a user with the CrashPlan app. The information is stored in the file restore_files.log.*, which can be retrieved using the console as described above, or by accessing the file system on the device. Here is an example of the information available about the path names of restored files:
I 03/05/14 06:01AM 622091232443159553 Starting restore from CrashPlan PROe Server: 1 file (80KB)
I 03/05/14 06:01AM 622091232443159553 Restoring files to /Users/joe.johnson/Desktop
I 03/05/14 06:01AM 622091232443159553 /Users/joe.johnson/Desktop/test.pdf
I 03/05/14 06:01AM 622091232443159553 Restore from CrashPlan PROe Server completed: 1 file restored @ 26.6Kbps
Search logs from the command line
Search the logs using sed, grep, egrep, or another utility.
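The following awk-based parser for the restore_files.log.* layout shown above is an added example, not CrashPlan's own code. The line layout is assumed from the sample on this page; the function names and the second restore in the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: extract restored path names from CrashPlan app restore logs.
# Assumed layout, taken from the sample above: LEVEL DATE TIME RESTORE_ID MESSAGE

# Constructed sample: the first restore mirrors the page's example,
# the second restore is invented to show paths that contain spaces.
sample_log() {
cat <<'EOF'
I 03/05/14 06:01AM 622091232443159553 Starting restore from CrashPlan PROe Server: 1 file (80KB)
I 03/05/14 06:01AM 622091232443159553 Restoring files to /Users/joe.johnson/Desktop
I 03/05/14 06:01AM 622091232443159553 /Users/joe.johnson/Desktop/test.pdf
I 03/05/14 06:01AM 622091232443159553 Restore from CrashPlan PROe Server completed: 1 file restored @ 26.6Kbps
I 03/06/14 09:15AM 622091232443159999 Starting restore from CrashPlan PROe Server: 2 files (1.2MB)
I 03/06/14 09:15AM 622091232443159999 Restoring files to /Users/joe.johnson/Restored Files
I 03/06/14 09:15AM 622091232443159999 /Users/joe.johnson/Restored Files/Q1 budget.xlsx
I 03/06/14 09:16AM 622091232443159999 /Users/joe.johnson/Restored Files/contracts/nda.docx
I 03/06/14 09:16AM 622091232443159999 Restore from CrashPlan PROe Server completed: 2 files restored @ 1.1Mbps
EOF
}

# Print one TAB-separated record per restored file:
#   date, time, restore id, destination directory, restored path
# Reads the named log files, or standard input when none are given.
restored_paths() {
    awk '
    $1 == "I" && NF >= 5 && $4 ~ /^[0-9]+$/ {
        id = $4; msg = $0
        # Strip the four leading fields; paths may contain spaces.
        sub(/^[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", msg)
        if (msg ~ /^Starting restore from /) next
        if (msg ~ /^Restore from .* completed: /) { delete dest[id]; next }
        if (msg ~ /^Restoring files to /) {
            sub(/^Restoring files to /, "", msg); dest[id] = msg; next
        }
        # Inside an open restore, any other message is a restored path.
        if (id in dest)
            printf "%s\t%s\t%s\t%s\t%s\n", $2, $3, id, dest[id], msg
    }' "$@"
}

# Keep only records whose restored path contains a fixed string (no regex;
# passed through the environment so backslashes in Windows paths survive).
restores_matching() {
    needle=$1; shift
    restored_paths "$@" | NEEDLE=$needle awk -F '\t' 'index($5, ENVIRON["NEEDLE"])'
}

sample_log | restored_paths
sample_log | restores_matching 'contracts/'
```

Against logs retrieved from a device, pass the files as arguments, for example `restored_paths restore_files.log.*`; keeping the restore ID in each record lets you tie a path back to the start and completion lines of the same restore.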
List of devices
You may need to produce a list of all active (or deactivated) devices as part of the eDiscovery process.
To create and download a list of all active devices in your CrashPlan environment:
- Sign in to the CrashPlan console.
- Select Administration > Status > Reporting.
- On the Device Status tab, select Active from the Device Status list.
- Click Run Report.
Custom scripts
The code examples below illustrate ways to use the CrashPlan API to support eDiscovery. CrashPlan does not provide any guarantee on the suitability of any script or code example for any particular application. Contact sales about engaging our Professional Services team for assistance with custom scripts.