A litigation hold is a formal directive requiring an organization to preserve all documents and electronically stored information (ESI) that may be relevant to pending or reasonably anticipated litigation. The obligation arises the moment a party knows or should reasonably know that legal proceedings are likely. This includes receiving a demand letter, becoming aware of a regulatory investigation or identifying internal conduct that will likely result in a lawsuit.
The duty to preserve is not optional. In the United States, Federal Rules of Civil Procedure Rule 37(e) authorizes courts to impose sanctions when a party fails to preserve ESI that should have been preserved in anticipation of litigation. Sanctions range from adverse inference instructions to case-dispositive measures including default judgment. In Canada, the Sedona Canada Principles Addressing Electronic Discovery establish that preservation obligations attach when litigation is reasonably anticipated and that failure to preserve may result in spoliation findings.
Email is almost always the most voluminous and most scrutinized category of ESI in civil litigation. Corporate employees generate thousands of emails per year. Those messages contain business communications, contractual negotiations, internal deliberations and financial records that are directly relevant to most commercial disputes. A litigation hold that fails to address email preservation is incomplete by definition.
Types of Email Data Subject to Preservation
Email data exists in multiple formats across multiple storage locations. A complete preservation strategy must account for all of them.
- PST files (Personal Storage Table): Microsoft Outlook archive files stored locally on custodian workstations. PST files contain email messages, attachments, calendar entries, contacts and task items. They are frequently the primary source of email evidence in litigation because employees use them to archive older messages from their Exchange mailbox.
- OST files (Offline Storage Table): Offline cache files created by Microsoft Outlook when connected to an Exchange server. OST files mirror the contents of the server-side mailbox and may contain messages that have been deleted from the server. They reside on the custodian's local workstation and are often overlooked during collection.
- EML files: Individual email message files in RFC 5322 format. EML files are produced when emails are exported from mail clients or extracted from mail servers. Each file contains a single message with full headers and MIME-encoded content.
- Cloud mailboxes: Microsoft 365, Google Workspace and other cloud-hosted email platforms store messages on remote servers. Preservation requires enabling litigation hold features within the platform or using eDiscovery export tools to collect mailbox contents. Cloud mailbox preservation must include sent items, deleted items, drafts and archive folders.
How to Preserve Outlook PST and OST Files for Litigation
The following procedure ensures forensically sound preservation of Outlook email data files. Each step must be documented in the chain of custody log.
| Step | Action | Details |
|---|---|---|
| 1 | Identify all custodians | List every individual whose email may contain relevant evidence. Include current employees, former employees, contractors and any shared mailbox owners. |
| 2 | Issue the litigation hold notice | Send a written directive to all custodians and IT personnel. Instruct them to cease deletion of email, disable auto-archive policies and preserve all existing PST/OST files. Document the notice date and all recipients. |
| 3 | Locate all PST and OST files | Search custodian workstations at the default Outlook data paths `%LOCALAPPDATA%\Microsoft\Outlook\` and `%APPDATA%\Microsoft\Outlook\`. Check mapped drives, USB devices and OneDrive/SharePoint sync folders. Use a file system search for `*.pst` and `*.ost` across all volumes. |
| 4 | Create forensic copies | Use write-blocking hardware or forensic imaging software (FTK Imager, dd) to create bit-for-bit copies. Never copy PST/OST files using Windows Explorer while Outlook is running as this risks file corruption and metadata modification. |
| 5 | Compute SHA-256 hashes | Hash both the original file and the forensic copy using SHA-256. Verify that hash values match. Record hash values in the chain of custody log. Use Sherlock Forensics Hash Calculator or equivalent tool. |
| 6 | Secure the original media | Store original drives or devices in a tamper-evident evidence bag with a signed seal. Record the storage location, date and responsible party in the chain of custody log. |
| 7 | Analyze using forensic tools | Open the forensic copy in Sherlock PST Viewer in read-only mode. Search, filter and export relevant messages with per-message SHA-256 hashing. |
| 8 | Generate the forensic report | Document the complete preservation methodology, custodian inventory, file inventory with hash values, search methodology, export manifest and chain of custody log. |
Chain of Custody for Email Evidence
Chain of custody is the documented record of every person who handled the evidence, every action taken upon it and every location where it was stored. For email evidence, the chain of custody begins at the moment of collection and continues through analysis, production and court presentation.
A defensible chain of custody log for email evidence must include:
- Collection record: Date and time of collection, identity of the collecting examiner, source device identification (hostname, serial number, asset tag), file path of the original PST/OST file and the SHA-256 hash computed at collection time.
- Transfer record: Every time the evidence changes hands or storage location, the log must record who transferred it, who received it, the date and time of transfer and the reason for the transfer. Physical media transfers should include tracking numbers if shipped.
- Analysis record: The examiner who opens the forensic copy must document their identity, the date and time of each analysis session, the tools used (including version numbers), all search queries executed, all filters applied and all exports performed. Sherlock PST Viewer Forensic Edition generates this record automatically from its internal audit log.
- Integrity verification: SHA-256 hashes must be recomputed at each significant event: after collection, before analysis, after analysis and before production. Any hash mismatch indicates potential evidence tampering and must be investigated and documented immediately.
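The locate, hash and re-verify steps from the procedure table (steps 3 to 5) together with the integrity verification entry above, as an added Python example that is not part of the original article or of any vendor tool. It assumes a constructed workstation tree with placeholder `.pst` bytes, and the modification at the end of `demo()` is simulated only to show how a mismatch surfaces in the chain of custody log.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1024 * 1024


def sha256_file(path):
    """Stream the file through SHA-256; PST files can be many gigabytes."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def locate_outlook_files(roots):
    """Step 3: every *.pst / *.ost under the given roots (case-insensitive)."""
    hits = [p for r in roots for p in Path(r).rglob("*")
            if p.is_file() and p.suffix.lower() in (".pst", ".ost")]
    return sorted(hits)


def custody_event(path, examiner, event, expected=None):
    """One chain-of-custody entry. With `expected` set, this is an integrity
    verification: the hash is recomputed and any mismatch is recorded, not hidden."""
    observed = sha256_file(path)
    entry = {"event": event, "timestamp_utc": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "path": str(path),
             "size_bytes": Path(path).stat().st_size, "sha256": observed}
    if expected is not None:
        entry["expected_sha256"] = expected
        entry["match"] = observed == expected
    return entry


def demo():
    """Constructed walkthrough: a fake workstation tree, collection, then
    verification before and after a (simulated) modification of the file."""
    root = Path(tempfile.mkdtemp())
    pst = root / "Users" / "jdoe" / "Outlook" / "archive.pst"
    pst.parent.mkdir(parents=True)
    pst.write_bytes(b"!BDN" + b"constructed placeholder, not a real PST" * 100)
    (root / "Users" / "jdoe" / "notes.txt").write_bytes(b"ignored")
    found = locate_outlook_files([root])
    log = [custody_event(p, "examiner-1", "collection") for p in found]
    ok = custody_event(found[0], "examiner-2", "pre-analysis", log[0]["sha256"])
    with open(found[0], "ab") as f:          # simulate improper handling
        f.write(b"\x00")
    bad = custody_event(found[0], "examiner-2", "post-analysis", log[0]["sha256"])
    return {"found": [p.name for p in found], "log": log, "ok": ok["match"], "bad": bad["match"]}
```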
Common Mistakes in Email Preservation
These errors routinely result in evidence exclusion, spoliation sanctions or weakened litigation positions. Every one of them is preventable.
- Forwarding emails instead of creating forensic copies: Forwarding creates a new message with new metadata. The original Received headers, sender IP addresses, SPF/DKIM/DMARC authentication results and original timestamps are lost. A forwarded email cannot be authenticated to the original sender. Courts have rejected forwarded emails as unreliable evidence. Always collect the source PST/OST file or use forensic export from the mail server.
- Opening PST files in Outlook: Microsoft Outlook opens PST files in read-write mode by default. Simply opening a PST in Outlook modifies the file's last-accessed timestamp and may alter internal data structures. This changes the file's SHA-256 hash and breaks the chain of custody. Use a forensic viewer that operates in read-only mode.
- Modifying timestamps through improper handling: Copying files using Windows Explorer, opening them in non-forensic applications or storing them on file systems that update access times all modify file metadata. These modifications may be undetectable without pre-collection hash values and can undermine the evidentiary weight of the entire collection.
- Collecting only the inbox: Email evidence exists in sent items, deleted items, drafts, calendar entries and custom folders. Collecting only the inbox misses critical communications. Forensic collection must capture the entire PST/OST file to preserve all folders and their contents.
- Failing to preserve cloud mailboxes: Organizations that migrated to Microsoft 365 or Google Workspace may assume that cloud data is automatically preserved. Cloud platforms apply retention policies that delete messages after a set period. Litigation hold features must be explicitly enabled within the cloud platform to prevent automated deletion.
How Sherlock PST Viewer Maintains Forensic Integrity
Sherlock PST Viewer was built specifically for forensic examiners who need to preserve and analyze email evidence for litigation. Every design decision prioritizes evidentiary integrity.
- Read-only file access: Sherlock PST Viewer opens PST and OST files in strict read-only mode. The tool never writes to the source file. No timestamps are modified. No metadata is altered. The file remains byte-for-byte identical before and after analysis. This is verifiable by comparing SHA-256 hashes.
- SHA-256 per-message hashing: The Forensic Edition computes a SHA-256 hash for every individual email message. This creates a cryptographic fingerprint for each piece of evidence. If opposing counsel questions whether a specific email was altered, the examiner can present the hash value computed at analysis time and demonstrate that it matches the original.
- Automated chain of custody reports: The Forensic Edition generates chain of custody documentation that records the examiner identity, examination date, source file hash, every search query, every filter applied and every message exported with its individual SHA-256 hash. No manual note-taking is required.
- Court-ready PDF reports: Mark relevant emails and generate a multi-page PDF report with per-message evidence cards that include sender IP attribution from RFC 822 Received headers, SPF/DKIM/DMARC authentication results and SHA-256 hash values. This is the same quality of report that firms charge $5,000 in billable hours to produce manually.
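An added Python example (not the article's own code and not Sherlock PST Viewer's) showing what a per-message evidence card can draw from the original RFC 5322 headers: a SHA-256 fingerprint of the raw message, the first-hop IP from the Received chain and the SPF/DKIM/DMARC verdicts. It also shows why the forwarding mistake described earlier loses that data. The message, addresses and IP addresses are constructed sample values.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample (not a real capture). Headers are in the order the receiving
# side writes them: newest Received first, Authentication-Results from the last hop.
SAMPLE_EML = b"""\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=alice@example.org;
 dkim=pass header.d=example.org; dmarc=pass header.from=example.org
Received: from mail.example.org (mail.example.org [203.0.113.10])
 by mx.example.net with ESMTPS id 3v2k; Tue, 4 Mar 2025 09:15:02 +0000
Received: from [192.0.2.25] (unknown [192.0.2.25])
 by mail.example.org with ESMTPSA; Tue, 4 Mar 2025 09:14:58 +0000
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q1 contract terms
Message-ID: <c0ffee@example.org>
Date: Tue, 4 Mar 2025 09:14:55 +0000

Please find the revised terms attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")


def evidence_card(raw):
    """Per-message record: SHA-256 of the raw RFC 5322 bytes, origin IP from the
    earliest Received header, and the SPF/DKIM/DMARC verdicts, if any."""
    msg = message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    origin_ip = None
    for hop in reversed(received):            # last Received header = first hop
        m = IP_RE.search(hop)
        if m:
            origin_ip = m.group(1)
            break
    auth = dict(AUTH_RE.findall(msg.get("Authentication-Results", "")))
    return {"message_id": str(msg.get("Message-ID")), "from": str(msg.get("From")),
            "sha256": hashlib.sha256(raw).hexdigest(), "hops": len(received),
            "origin_ip": origin_ip, "spf": auth.get("spf"),
            "dkim": auth.get("dkim"), "dmarc": auth.get("dmarc")}


def forwarded_copy(raw, forwarder="Bob <bob@example.net>"):
    """What a custodian's Forward button yields: a new message carrying only the
    quoted body. The original hop chain and authentication results are gone."""
    original = message_from_bytes(raw, policy=policy.default)
    body = "---------- Forwarded message ----------\n" + original.get_content()
    head = f"From: {forwarder}\r\nSubject: Fwd: {original['Subject']}\r\n\r\n"
    return (head + body).encode()
```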
PIPEDA and Canadian Privacy Law Considerations
Canadian organizations must balance litigation preservation obligations against privacy rights established under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
PIPEDA Principle 4.4 limits the collection of personal information to what is necessary for the identified purpose. When preserving email for litigation, this means organizations should target collection to identified custodians and relevant date ranges rather than performing bulk collection of entire mail servers. Over-collection exposes the organization to privacy complaints and regulatory scrutiny by the Office of the Privacy Commissioner of Canada.
PIPEDA Principle 4.5 limits the use, disclosure and retention of personal information. Email evidence preserved for litigation should be retained only for the duration required by the legal proceeding. Once the matter concludes, preserved data that is not subject to other retention obligations should be securely destroyed with documentation of the destruction.
Provincial privacy legislation, including British Columbia's Personal Information Protection Act (PIPA) and Alberta's Personal Information Protection Act (AB-PIPA), imposes parallel requirements. Organizations with employees in multiple provinces must comply with the most restrictive applicable legislation.
Sherlock PST Viewer's targeted search and selective export capabilities support proportional collection that satisfies both litigation preservation and privacy compliance requirements. Examiners can search for specific keywords, date ranges and custodians without exporting irrelevant personal communications.
External Resources
For additional guidance on email preservation and litigation holds:
- The Sedona Conference - eDiscovery and Digital Information Management
- Federal Rules of Civil Procedure - Rule 37(e) Failure to Preserve ESI
- Office of the Privacy Commissioner - PIPEDA Overview
- NIST Computer Forensics Tool Testing Program (CFTT)
- DOJ Searching and Seizing Computers and Obtaining Electronic Evidence