eDiscovery Content Search Results

m365-azureData Access & StorageCloud Admin Portal

Location

Microsoft Purview > eDiscovery > Content search

Description

Preserved and exported search results from Microsoft Purview eDiscovery spanning Exchange mailboxes, SharePoint sites, OneDrive accounts, and Teams conversations, enabling keyword-based or date-range-based evidence collection.

Forensic Value

eDiscovery is the authoritative method for legal-hold evidence preservation and targeted content collection in M365 environments. It enables searching across all content sources with a single query, placing results on legal hold to prevent spoliation, and exporting PST/ZIP bundles for offline analysis. For insider threat cases, eDiscovery searches can reveal the full scope of sensitive data a user accessed or shared.

Tools Required

Microsoft Purview Compliance PortaleDiscovery Manager roleMicrosoft Graph API (Compliance)

Used in Procedures

Covert Evidence Capture for Insider Threat

preserve

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical