Deciphering the “Mystery of the PST”


Exciting news yesterday on two open-source tools released by Microsoft that now give software developers remarkable insight into .PST files.

This is vitally important and exciting to the world of e-discovery. One of the first places we look for information today is e-mail. And if we want e-mail, there’s a high probability that it will come from a Microsoft Outlook / Exchange environment. And if the e-mail comes from Microsoft Outlook / Exchange, we’ll probably receive a .PST file.

Craig Ball (as always) does a great job of explaining how we encounter .PST files in e-discovery matters in “How to Go Native Without Going South.”

Any IT professional that manages a Microsoft Exchange server can export .PST files. Anyone that uses Microsoft Outlook can export a .PST file from their desktop (File > New > Outlook Data File, or I usually click File > Import and Export).

The .PST is a common file format for transporting multiple e-mail messages, but a .PST file can also contain calendar information, notes, and contact information. When we request e-mail from a client, we either receive a complete .PST file or a “reconstituted file” (as Craig Ball puts it) that contains select, relevant e-mail messages.

The problem is that when lawyers get a .PST file, the apparently irrepressible instinct is to immediately open it in Outlook to see what it contains (since we know that’s where the juiciest stuff lives). This is a bad idea for several reasons, but no doubt it’s important to crack into that .PST file as soon as possible. This is what I call the “mystery of the .PST,” a phrase I used in my review of Wave Software’s Trident software that was never published (until I uploaded it here).

Up until yesterday, we had to have Outlook to peek inside a .PST file. Many litigation support / e-discovery tools process .PST files including Trident,  CT Summation, LAW PreDiscovery, Discovery Cracker, etc. But to do so, they had to have access to Microsoft Outlook to interpret the complexities of the .PST through the Messaging Application Programming Interface (MAPI) and the Outlook Object Model.

The new tools from Microsoft (the PST Data Structure View Tool and the PST File Format SDK released as open-source software) now negate the need to have Microsoft Outlook installed on a system that’s processing .PST files. This is a huge boon to the e-discovery software industry. No lawyer will need to touch these tools, but if you develop e-discovery software today, you should put your best folks on this immediately if you haven’t already. This will dramatically streamline many of the tools already on the market, and provide opportunities for additional, more robust, behind-the-scenes, invasive indexing of .PST files for finding the relevant messages necessary for litigation.

You know this is important for our industry becuase Microsoft’s own press release even mentions e-discovery as one of the “complex scenarios” where these tools will be useful.

The tools in their current state offer read-only capabilities, but this video promises that full write capabilities are on the roadmap.

(My appreciation to Paul Bain who posted links to related stories on The Litigation Support List)

UPDATE 2010.05.27: Another great story from CNET on Microsoft opening-up access to Outlook .PST files, including the possibility of opening .PST files in Google Apps or Thunderbird. This is significant because we will now have the ability to open .PST files in applications other than Outlook. Again, this will not always be the most prudent method of exploring the “mystery” of a .PST, but it’s fantastic to have options WITHOUT the need for squirrelly, third-party utilities.

John Henry, He Was An ESI-Drivin’ Man…

A good article (“Tech Firms Pitch Tools for Sifting Legal Records“) from the Wall Street Journal hammers out some of the tension between automated e-discovery tools and the hesitancy of lawyers and law firms to embrace “the machines.”

John HenryIn reading the piece, Carolyn Elefant on the Legal Blog Watch was reminded of John Henry, the steel-drivin’ man who beat a steam-powered machine in hammering railroad spikes, but died in the process.

Ron Friedmann believes that the article “oversimplifies the issue” of “lawyers trying to protect their billable hours, … but does alert corporate managers (think CFOs and CEOs) … to more cost-effective ways to approach litigation.” Like Ron, I’m just glad to see coverage of the topic in the WSJ.

The WSJ piece reports on how HP, Xerox, EMC, and IBM have jumped into the market of providing automated solutions for collecting, preserving and producing electronically stored information. The fact that these companies have taken a bite of the e-discovery industry tells you that they see something important and profitable.

Here’s a great example from the story:

“One company saving some cash is Comcast Corp. When outside lawyers working for the cable company recently requested thousands of archived documents for a court case, Genny Garrett, who is in charge of managing Comcast’s records, found them by doing a search from her desktop computer. The lawyers ‘were surprised,’ she says, that ‘they didn’t have to wander around a warehouse’ looking for records, a task that once generated big legal fees.

Comcast uses software from Tower Software, which was recently acquired by HP. Comcast is obviously very happy with their purchase:

“[The software] archives and classifies employee e-mails and other documents as they are created. The system also creates inventories of paper records, Ms. Garrett says, so she can locate and retrieve documents by using computer searches. She says the software has saved thousands of attorney hours over the past few years because Comcast gets about 400 legal-search requests annually, many related to claims that arise when technicians visit customers’ homes.”

I do take issue with a comment in the piece from Michael Lynch, chief executive of British software company Autonomy Corp., which last year acquired e-discovery company Zantaz for $375 million:

“Lawsuits increasingly rely on electronic documents being produced early on, feeding demand for tools that help archive and retrieve those records, a process known as e-discovery work. Much of that work requires little brainpower or legal training, says Michael Lynch.”

Perhaps Mr. Lynch is simply referring to the “hit this button” simplicity that some of these systems theoretically provide once they are properly set up and completely integrated into the enterprise-wide information systems of a company. Pressing a button does not require a lot of “brainpower or legal training.”

But implementing systems like what Zantaz offers requires an incredible level of sophistication and experience. Otherwise, the project will fail at worst, or at best bleed a lot of money. I would guess that Mr. Lynch would agree and offer the experience of the professionals at Autonomy/Zantaz to ensure a smooth rollout.

Otherwise, you might have this scenario:

Robert Brownstone, [a partner with Fenwick & West], tells of one client who declined to have attorneys oversee an email archives search, thinking internal IT staff could do a cheaper automated search. The IT workers disposed of files that, legally, had to be retained, he says. They were recovered, but only after the company paid Fenwick lawyers extra to fix the problem

I have seen this first hand – a law firm will offer to assist their big corporate clients in identifying and collecting relevant ESI for a litigation matter, only to have the client decline the help. In-house counsel are easily persuaded by internal IT resources that believe they can accomplish the job and save immensely on the associated costs.

No one can blame in-house lawyers for wanting to save on external legal expenses. And I believe that’s why we are seeing so many more corporations like Comcast taking a bigger role in managing their internal data with an eye towards being better prepared for inevitable litigation matters.

So to be fair to both sides, automation in discovery is coming and coming strong – there is no denying that. But it is immeasurably important to have the crucial legal analysis involved as well. True a machine may be able to drive railroad spikes quicker, easier, and more efficient than a man with a hammer, but someone still has to flip on the switch at the right place and at the right time.

Link to WSJ story.

UPDATE Monday, Aug. 25, 2008: Michael Lynch’s comment (“[e-discovery] is work that requires little brainpower or legal training”) got under Ralph Losey’s collar too:

“This comment demonstrates a real antipathy between Law and IT. It also illustrates a lack of understanding or appreciation as to what each side [law and IT] really does. … For most of my career, the IT guy (and yes, it always used to be a guy) received about as much respect in a typical law firm as the copy machine repair man – not very much. Even when they were later hired as full time law firm employees, techs were (and in some firms still are) considered rather dimmed witted necessary evils, with lower status than secretaries, and nowhere near the status of a paralegal.

…This antipathy leads to widespread misunderstandings and miscommunications between lawyers and computer technicians. This is just mildly annoying for most lawyers and techs, but for specialists in e-discovery it is a disaster. That is because e-discovery is a blend of the two professions. It can only work properly when lawyers and techs work together and cooperate.”

Ralph then provides an outstanding example of the communication breakdown that regularly happens between law and IT by eloquently analyzing Kevin Keithley v. The Home Store 2008 U.S. District LEXIS 61741 (August 12, 2008) (.doc format, graciously hosted on Ralph’s blog).

A few more choice quotes from Ralph (the whole entry is lengthy, but WELL worth a read-thru):

“…the practice of law is an art, not a science, and the human element can never be replaced by technology.

Information Technology and the Law are both honorable occupations. We must learn to work together to meet the challenges of e-discovery. This is a plea for mutual respect and cooperation.”

Link to Ralph’s post entitled Tech v. Law – a Plea for Mutual Respect.

Don’t Forget the Text Messages!

I hear so many attorneys declare that they don’t have to worry about e-discovery – either because they do not have huge corporate clients or that their clients aren’t “sophisticated” enough to use a computer.

My next question to them is usually “does your client use a cell phone?”

text messages.jpgWhere there’s a cell phone, there’s probably a text message. Text messaging is a simple, convenient, seemingly innocuous method of trading quick messages when a phone call or e-mail message might not be proper or possible. And because a text message seems like a private, innocent, little digital conversation between two tiny, insignificant mobile phones, inhibitions are routinely left at the keypad. But text messages, just like e-mail and all other electronic files, have a knack for sticking around, even through superficial attempts at deleting them.

The mayor of Detroit, MI found all this out the hard way. Mayor Kwame Kilpatrick and his female Chief of Staff, Christine Beatty, were apparently involved in an extra-marital affair several years ago. When a Detroit policeman on the mayor’s guard duty “blew the whistle” on the couple, he lost and job. He sued the city and when the mayor and Ms. Beatty took the stand, they denied that any relationship ever existed.

Last month, the Detroit Free Press obtained and released excerpts from at least 14,000 text messages sent between Mayor Kilpatrick and Ms. Beatty during 2002 and 2003 and now displays those excerpts for your convenience in both text and photos.

While I realize that many attorneys won’t have the mayor of Detroit as a client, it is important to remember that cell phones from anyone can hold relevant, discoverable information. As stated in a story from Crain’s Detroit Business (via edd blog online):

Kilpatrick and Beatty are public figures with fewer rights of privacy than most citizens. But once even private citizens start using company equipment in their communications — whether it’s e-mail from the office computer or text messages from the company cell phone or BlackBerry — expectations of privacy disappear.

Archiving or Complying? appears to be an IT e-newspaper out of India and they have a short interview with Anil Chakravarthy who is VP of Symnatec India in "Making data easily accessible is a major need."

It’s a bit of a sales piece for Symantec’s Enterprise Vault which is "a software-based intelligent archiving platform" for e-mail systems and file server environments. This is the same Symantec that produces the Norton line of consumer products, but I keep hearing more and more about their business/enterprise products, and especially Enterprise Vault.

Back to the "interview" – I do like the way Mr. Chakravarthy succinctly describes the benefits of archiving (not just e-mail, but electronic files and databases too):

"Archiving helps in offloading historical data from production resources [and] reduce[s] the time it takes for in-house counsel to retrieve electronic evidence in response to a discovery request."

I also found a good blog post noting the "Difference between Email Archiving and Email Compliance" from Cryoserver (a company I’ll write more about soon).

"Email archiving is the management of your exponentially growing email archives onto a different storage media, this might be a local drive, into a .pst file, printing off the email onto paper and sticking it in the client files, or possibly moving the email onto alternative storage media. … [E]mail compliance … requires the emails to be kept for compliance and legislative purposes in a central repository … [which] should not be able to be tampered with in any form. [A]ny access … to this central repository should form part of a formal procedure with auditing to comply with the privacy legislation."

I think this distinction is too simplified (probably to fit it inside the blog post), but it certainly illuminates the glaring struggles that IT administrators have to grapple with in designing their systems for compliance/e-discovery/risk management purposes, all the while working with attorneys, records managers, etc.

I’m going to think about this some more, but perhaps the best way to conceptualize this is to think of "compliance" as providing the rules and regulations for what to save and when, and "archiving" provides the means/methods/tools for following the compliance rules. provides a good definition of "e-mail archiving" but I like how concisely states it:

"Retaining e-mail messages for historical purposes or to be in compliance with many industry regulations."

Link to story and Cryoserver blog post.

EDD FUD (Fear, Uncertainty and Doubt about E-Discovery)

As an e-discovery consultant, one might presume that I would take umbrage with Mr. Perkowski’s first paragraph in "Coping with the EDD Drumbeat," but I am positively assured he is not the only in-house attorney that feels this way:

"For the past several years, in-house litigators have been bombarded by swarms of consultants, vendors, and outside counsel reciting the potentially catastrophic effects of the 2006 amendments to the Federal Rules of Civil Procedure (FRCP)."

FEAR Mr. Perkowski accurately characterizes the FUD that has surrounded the e-discovery industry for several years now and likens it to the apocalyptical panic of Y2K.  There’s a reason that 2006 commercial EDD revenues were $2 billion, up 51% from 2005, and expected to be around $4 billion by 2009. Yes those numbers mean that there is a true need for e-discovery, but as Mr. Perkwoski states, "e-discovery is not too different from any other form of discovery," so there has to be a better explanation for the millions of dollars burned on e-discovery services every year – perhaps there’s a little FUD infecting the industry if we were honest about it. Fear is an effective and motivating marketing tool.

Mr. Perkowski’s pivotal point in his column is that you should involve and educate your IT group, which is a most noble suggestion.

"…engage the IT department. Make it your best friend … they have a much better chance than you of knowing where the employees store data."

Interacting with your IT department is absolutely imperative in my opinion. But I would guess the reality is that most in-house attorneys couldn’t even tell you where their company’s IT department is located, much less be able to tell you the full name of a help desk grunt, or a network administrator. Attorneys and techies have historically abided as oil and water; and in my experience, that’s a big hurdle to overcome.

I appreciate how Mr. Perkowski states, "once you have found your IT department, … charge them with locating electronically stored information (ESI)" (emphasis mine). Simply finding the IT department is a good first step for many in-house counsel.

Towards the end of his column, Mr. Perkowski offers some beneficial nuggets of advice for dealing with outside counsel on your e-discovery projects:

"To keep a lid on the scope, you need to keep a keen eye on outside counsel. All too often, outside counsel collaborate with opposing counsel and agree to overly broad word searches. Sometimes that’s due to an abundance of caution. But it’s also because law firms assign e-discovery responsibilities to relatively inexperienced lawyers. Tell them you don’t think much of that staffing practice."

I’m sure Mr. Perkowski speaks from experience when he laments that many "law firms assign e-discovery responsibilities to relatively inexperienced lawyers," but why is this true? I offer two reasons:

  1. the "e-discovery responsibilities" are not considered as important as other tasks on a litigation matter at a law firm, and
  2. most of the experienced partners at a law firm are utterly confused and probably terrified about e-discovery concepts so they delegate to "inexperienced" associates who will NOT say no.

I was thrilled to see Mr. Perkowski’s column provide some insight on the tough issues of e-discovery from an in-house perspective, and I would be grateful to see more attorneys in his position share their thoughts.

Link to column.

P.S. Readers might also be interested in my recent article for Inside Counsel magazine’s InsideTech section entitled “E-mail Emergencies” where I discuss some simple steps for managing the risk found in employee e-mail.

Avoiding Paper Cuts From E-mail

E-mail is like a grade-school tattletale – it never forgets the bad things you type and it doesn’t hesitate to point the finger at you when someone asks “who wrote that?”

It is with that thought in mind that I authored “E-mail Emergencies” for Inside Counsel magazine’s InsideTech section (I would highly recommend subscribing to the free e-mail newsletter). No matter how fantastic a product may sound in promising to collect, archive, and scour your company’s e-mail stockpiles, nothing will protect you from the irresponsible (however innocent) e-mailed blurt of an employee except consistent training (gag) and heightened awareness (do we have to?).

e-mail delivery

People just don’t perceive e-mail as an official form of business communication. E-mail seems so personal, so intimate, so covert, so furtive. Most people think nothing of forwarding a dirty joke to a few select friends. And an e-mail message seems like the perfect way to retaliate against a co-worker while avoiding an in-person confrontation.

But e-mails don’t go anywhere. Even while you might have done all to delete a message on your end, and maybe the backup tape rotation has long forgotten your bombastic rant, the recipient probably saved a copy or even printed it out.

There is no shortage of companies getting tripped up by errant employees who take the longevity of e-mail for granted. Two of my favorite examples are KPMG and Merck. Granted, these two stories are older (2002 and 2000 respectively), but I am not convinced that corporate America has not completely learned the lesson that e-mail keeps no secrets.

Perhaps there is a little promise, however. ran a story entitled “E-Mail Carries the Power of Paper” a few days ago reporting that a Massachusetts Appeals Court upheld a lower court’s ruling that the two parties agreed to a settlement in an e-mail exchange for a contractual dispute. While at least one of the parties didn’t think they were bound by the terms of the e-mail exchange, the court found that the e-mail messages contained the business terms essential to a successful agreement.

Hopefully, that decision will help boost the traditional “cavalier” perception of e-mail to a legitimate business communication tool that must be taken seriously.

Link to my article “E-mail Emergencies.”

P.S. I wanted to say a special thank-you to Tom Mighell at inter alia for naming ediscoveryinfo the Blawg of the Day on Monday, January 14, 2008.  Tom is the Planning Board Chair for this year’s ABA TECHSHOW and he is doing a fabulous job of getting everything together for March 13-14.

“When You Shop For Storage Hardware, Bring A Lawyer”

A great headline from that briefly looks at the effects the amended FRCP has on IT professionals who are tasked with purchasing storage platforms for their companies.

I don’t totally agree with this quote by author Mario Apicella, but I can certainly appreciate his perspective:

“… hosted services that offer remote access for e-discovery and similar activies are a worthwhile alternative to building a layer of compliance applications in-house.”

True it may be easier (and more efficient) for a company to outsource some of their storage/compliance responsibilities, but it is still imperative that the IT professionals and company attorneys discuss the issues revolving around the storage and preservation of electronic records (i.e. e-mails, e-docs, etc.).

Even though a hosted service may adequately handle the logistics of preserving e-mail, the amended rules still impose a quasi-duty upon lawyers to be familiar enough with their clients’ information systems so they can intelligently discuss the exchange of electronic data with the opposing party.

Link to article.

Can E-mail Analysis Be Easy?

My article “The Easy Button” recently posted on where I take a look at four vendors that provide tools for searching and analyzing e-mails. The four vendors mainly sell their products to in-house counsel with the alluring appeal that in-house attorneys can search employee e-mail and discover potential smoking guns before the litigation trigger is pulled.

At symbol for e-mail

The four vendors I talked to for the article were AXS-One, InBoxer, Clearwell Systems, and Estorian. Each vendor enjoys a certain sweet spot.

I wanted to talk to AXS-One after I read the great story on about how KeyBank adopted the AXS-One Compliance Platform to help manage the laborious process of collecting and producing e-mails from their 300TB e-mail archive. The story provides a rare insight into how major corporations are dealing with the stress of complying with e-discovery requests.

I am very impressed with InBoxer and have blogged about the company in the past. The big seller to me with InBoxer is that it’s so easy to deploy – you either pop in a rack mounted server or install the software in a virtual appliance and it’s ready to go within an hour, or even a few minutes. In-house counsel search and analyze employee e-mail through an online interface (you can visit to test out InBoxer for yourself).

I’ve been following Clearwell for a while now, and I believe they have one of the most intuitive interfaces of the group. They made it very clear to me that they are not an e-mail archiving system, but that they work complementary to systems you may already have set up from Symantec or EMC. A Clearwell system can also get up and running very fast, and provides such a comfortable interface that I can see where some users may not even need training.

And lastly Estorian offers an interesting alternative to the slick-ness of InBoxer and Clearwell. Estorian’s LookingGlass software may not look as pretty, but I found that it provides an extensive array of options for searching, monitoring and saving potentially risky e-mail messages. The company views LookingGlass as more of a compliance tool because users can easily set up searches to automatically and continuously monitor employee e-mail for risky keywords.

I foresee in the near future that every corporation will have some sort of e-mail analysis tool constantly monitoring employee e-mail. And why not? In this country, the company owns the e-mail and has the right to read every message sent by an employee through the company-owned servers. Companies that purchase tools such as the ones mentioned above will enjoy a) the comfort of knowing that something is policing the e-mail servers for naughtiness, and b) the ability to quickly search and secure e-mail messages that are relevant to the latest litigation matter that flys across their desk.

Link to my article.

Exploring Tough Questions on E-Mail Confidentiality

I found a couple of other blog posts today linking to the story (“GCs to Employees: Think Before You Send“) I posted about yesterday.

First, the White Collar Crime Prof Blog has an interesting post (“The Three Most Dangerous Buttons: Send, Forward, and Reply All“) where they segue from the article to the the indictment of Department of Homeland Security Bernie Kerik. The link appears in the indictment where it’s revealed that Kerik sent e-mails complaining how he felt like he was on “welfare.”

Next, Sean Doherty (Editor of’s Legal Technology Center) posts a few paragraphs on the EDD Update blog entitled “The Good and Bad News About E-mail.” Sean asks why we see so many problems with employees sending e-mails with the belief that they are private and confidential. He concludes:

“It comes down to policy and training, or lack thereof.”

Not only does he link to the article referenced above, but Sean points to a couple of other excellent stories on how to handle e-mail confidentiality.

Christopher Caparelli of Torys LLP authors an excellent short treatise entitled “Employee e-mail and the attorney-client privilege.” It may sound like another article beating a dead horse topic, but Caparelli makes some excellent contemporary points such as:

“Before e-mail, it was well-settled that an attorney-client communication was not confidential — and, therefore, not privileged — if it was made in the presence of a third party who was not an agent of the attorney or client. But in the electronic age, does the employer’s computer system serve as the third party that eliminates the privilege?”

Caparelli explains that there is both a subjective test (was the message intended to be confidential) and an objective test (was there a reasonable expectation of privacy) for determining the confidentiality of an e-mail message. It’s regularly accepted that an e-mail (even unencrypted) sent from a client to their lawyer is subjectively intended to be confidential, so the objective question remains whether an employee holds a reasonable expectation of privacy in an e-mail that resides on a company’s e-mail server or backup tape.

Caprelli provides an excellent legal analysis of the issue based on the 4 factors outlined in the New York City Bankruptcy Court opinion In re Asia Global Crossing Ltd 322 B.R. 247 (Bankr. S.D.N.Y. 2005). The factors basically revolve around whether or not the company has an e-mail usage policy and to what extent they actively enforce that policy.

Caprelli concludes:

“Employees … should assume that any e-mail sent through an office computer to his or her personal lawyer will not be privileged. … [T]he court in the Asia Global Crossing said it best when it observed that ‘sending a message over the [company’s] e-mail system was like placing a copy of that message in the company files.'”

Link to article.

For additional guidance on creating an effective e-mail policy, turn to “Make Sure Reading Employee’s Personal E-Mail is OK” by Barbara A. Lee of Edwards Angell Palmer & Dodge LLP.

After exploring the relevant case law on the subject, Ms. Lee offers some specific tips:

“To ensure their electronic monitoring is proper, employers should establish a policy that any message created on or sent through the company’s computer network and/or company-owned computers is subject to monitoring, and that employees have no expectation of privacy in such communications.”

Ms. Lee also suggest regular and consistent reminders of the policy to employees and obtaining their signatures acknowledging their receipt or even a “read” receipt if the notice is sent to employees via e-mail. Further, “employers should consider creating a similar message that appears each time the employee logs onto the company’s Internet or e-mail system.”

Link to article.

“GCs to Employees: Think Before You Send”

More cautionary words of wisdom about how employees routinely disregard the public nature of e-mail in “GCs to Employees: Think Before You Send” posted on

email craziness.gif

Matthew W. Clarke, a partner at Smith, Gambrell & Russell, is quoted:

“The main problem that occurs over and over is that people have such a casual attitude and approach when it comes to writing and sending e-mails.”

And the article provides some examples of what’s been found in e-mails:

“Don’t put this in writing, but …

“can you believe that [expletive] is complaining about this?”

“I can’t believe she’s pregnant at such an inconvenient time at work.”

“we need to get rid of the dead wood.”

If you want to explore this incredible phenomenon first hand, you can visit and search through the multitude of e-mail messages collected during the Enron litigations. The site is set up by a company called InBoxer (which I’ve written about before) as a way to demonstrate their product, but it’s a sobering example of what can go wrong when employees use e-mail.

Link to story.