Telephone Call Log Discovery

In traditional eDiscovery matters telephone call records usually do not form part of the review dataset. The call records (information on who called who, when and for how long) would need to be collected specifically from telephony companies and can be out of scope of the eDiscovery requests. As the world has steadily moved to using VOIP conferencing as a replacement for traditional telephony services, call information is logged in more accessible manners and may be unknowingly collected. This is especially true for Microsoft 365 tenants. Every call made and every meeting attended using Microsoft Teams is logged as part of a custodian’s data and can easily be retrieved through normal Microsoft Purview eDiscovery collections. This article provides more insight into this common scenario and how eDiscovery professional can adjust their practices to identify and handle this sensitive information.

Microsoft Teams

Microsoft Teams has seen a phenomenal uptake since the Covid pandemic sent most workers to home offices. Over one million organisations use Microsoft Teams as their default messaging platform. Current Microsoft reports estimate 270 million and growing monthly Teams users, 80 million of which use the calls feature to carry out person to person and group call. On March 31st 2020, Microsoft saw a record 2.7 billion meeting minutes experienced in Teams meetings in just one day. Although Covid lockdowns have been relaxed, remote and hybrid work is here to stay, as are the virtual calls and meetings.

Depending on the license level, Teams can provide both VOIP and traditional telephony services from one interface. Such is the ease of use that some companies are replacing traditional telephone infrastructure with services provided purely by Microsoft Teams. Integrating telephony services into the Microsoft365 ecosystem has meant that this information comes under the umbrella of Microsoft365 Security & Compliance systems. For eDiscovery purposes that means that the call logs and all associated data is easily found and collected using Microsoft’s powerful Purview eDiscovery system.

Imagine the scenario of doing a collection of Microsoft365 data for a custodian in an organization that uses Teams for all telephony services. The typical collection criteria is usually simply a date range. Buried in the dataset, amongst the emails and files, will be entries for every call that team member made or was part of during the collection date range. Information on calls made to prospective or existing clients, friends and family made with the company phone will be discoverable.

This information is collected by default from Microsoft365 without any notification to the collections team. These logs refer to telephone calls with corresponding telephone numbers and as such may be considered more sensitive than other types of data. As a result, clients should know that such telephony information may be part of their collections sets and take appropriate action to address the issue if needed.

Microsoft 365 Teams Call Detail Records

In Microsoft 365, call logs are stored as Call Detail Records (CDRs) and can be exported from both Purview Standard and Premium in the same way as any other data Microsoft Purview maintains. A CDR is saved for each call in every participant’s mailbox and comes out as an email in PST format in Standard and MSG format in Premium. Below is an example of a CDR. The From field represents the organizer of the meeting or initiator of the call and the To field contains the list of all participants who joined the meeting or call. Note that the Sent Date in the record is not the same as the Start Time of the call.

Microsoft defines the following concepts:

  • Calls: any one-to-one call
  • Meeting: any group call, scheduled meetings, channel meetups, ad hoc meetings, group chats turned into meetings with > 2 people

Both scenarios record the following metadata:

  • Meeting start time, end time, and duration
  • Meeting join and leave events for each participant
  • VOIP joins/calls
  • Anonymous joins
  • Federated user joins
  • Guest user joins

 

Microsoft’s plan is to eventually record more relevant events that happen during a Microsoft Teams meeting or call within this summary. Tangible elements associated with a call are not found within the CDR but elsewhere and can still be collected independently.

Identifying the CDRs

Call Detail Records can be identified at many stages of the eDiscovery process. Here we will go through two main stages, at collection time in Microsoft365 and review using Relativity.

Microsoft 365

Call Detail Records can be identified and filtered out in Microsoft Purview eDiscovery Standard or Premium at collection time so that they are never collected in the first place. The collection criteria can be amended by adding the following condition:

  • NOT(ItemClass:IPM.AppointmentSnapshot.SkypeTeams.Call OR ItemClass:IPM.AppointmentSnapshot.SkypeTeams.Meeting)

 

The conditions are identical for both Purview Standard and Premium.

Microsoft Purview Collection Condition Screen

 

Relativity

In Relativity, CDRs look exactly like an Outlook calendar item. They are given an Outlook email icon and have some familiar email metadata (FromToDate etc). The Subject line follows a pattern and is derived to describe the type of call and meeting. The pattern is as follows:

<Call | Meeting>(<Status>)/Thread Id: /Communication Id: <GUID>/<Custodian Name>

The Status value varies and is used to describe the type of call being recorded. The following are just some examples:

  • Call (Complete)/Thread Id: /Communication Id:….
  • Call (Missed)/Thread Id: /Communication Id:….
  • Call (None)/Thread Id: /Communication Id:….
  • Call (Unknown)/Thread Id: /Communication Id:….
  • Call (Voicemail)/Thread Id: /Communication Id:….
  • Meeting (AdHocMeeting)/Thread Id: /Communication Id:….
  • Meeting (ChannelMeeting, ScheduleMeeting)/Thread Id: /Communication Id:….
  • Meeting (Escalation, ScreenSharingCall)/Thread Id: /Communication Id:….
  • Meeting (Escalation, ScheduledMeeting)/Thread Id: /Communication Id:….
  • Meeting (Escalation)/Thread Id: /Communication Id:….
  • Meeting (RecurringMeeting)/Thread Id: /Communication Id:….
  • Meeting (ScheduledMeeting)/Thread Id: /Communication Id:….
  • Meeting (ScreenSharingCall)/Thread Id: /Communication Id:….
  • Meeting (Unknown)/Thread Id: /Communication Id:….

 

To identify CDRs in Relativity, the recommended approach is to search the subject line for “Thread Id” or “Communication Id”.

Summary

There are other places where Call Records may also be found. Zoom and Google Workplace both log calls and make them discoverable. Call logs are routinely found when doing mobile phone acquisitions. The difference in all these cases is that the collection personnel must explicitly select the logs for them to be extracted from these sources. In Microsoft Teams, the call logs are extracted by default as part of mailbox collections. Tenants may be forgiven for thinking they are only getting emails in their collections, when they are also getting additional possibly sensitive information. The purpose of this article is to highlight the presence of these logs, and to allow clients to make an informed decision as to how to handle them in their discovery matters.

 

ProSearch’s Microsoft365 Advisory Services can provide much more information on this and may other topics in Microsoft365. Please contact ryan.hemmel@prosearch.us, damir.kahvedzic@prosearch.us or visit prosearch.com for more information.

 

Filed under:

Blog
Ryan Hemmel

Ryan Hemmel

Ryan is a legal technology professional with 7+ years of experience (including project management). Well-versed in various platforms and environments including AWS, Relativity, MySQL, Oracle and Microsoft SQL Server, Ryan is also an aspiring data scientist with proficiency in Python, R and Tableau.