Google Vault Terminology

Simplified Google Vault Terminology

Matter

  • You create a matter to investigate a case; it helps you organize everything about that case.

  • You can think of a matter in Google Vault as a “folder” where you put all the information or evidence for a case, such as emails, files, chats, etc.

  • A matter lets you search Vault data to find the information (evidence) that you need for your investigation. (Note: you cannot search Google Vault without creating a matter first.)

I will cover permissions in detail in the next section, but for now keep in mind that you can (i) assign the “View All Matters” permission to any of your users, or (ii) assign “Manage Matters” to any user with Organization Unit scope.

Below is a screenshot from the Google Vault matter interface for your reference.

[Screenshot: Create Matter in Google Vault]

Hold

  • While you are running your investigation and finding information about a case, you do not want any of Vault’s default or custom retention rules to delete the concerned user’s data, right? That is exactly where “Holds” help.

  • Holds override any default and custom retention rules, and the scoped data of users on hold is kept indefinitely (until you remove the hold, delete the user’s mailbox, or your Google Workspace / Vault contract with Google expires).

  • You can assign the “Manage Hold” permission to any user in your Google account, and it can also be scoped to an Organization Unit.
    Here is a screenshot from the Google Vault Hold interface for your reference:

[Screenshot: Create Hold in Google Vault]

Search (Data in Vault)

  • You might have seen in movies how lawyers ask their clients a lot of questions to collect as much information (or evidence) as they can about a case. Similarly, here you can ask those questions to Google Vault.

  • However, unlike us humans, Vault only understands a specific “questioning language”, which includes “search operators”. For example, to find all emails sent by Larry, your search query will be “FROM:larry@domain.com”.

  • You can perform granular searches by tightening your criteria. For example, you can base your search on:

      • Product (e.g. Gmail or Drive)

      • Organization Unit

      • Specific User

      • Type of data (e.g. held data, unprocessed data)

      • Date Range (e.g. from 26-FEB-2016 to 31-DEC-2018)

  • You can also combine your queries (e.g. using AND, OR, etc.).

  • You can also use search operators (e.g. “has:attachment” to find only emails with attachments). You can learn more about these operators at Google’s documentation here

  • You can also save your “search queries” so you can reuse them next time with one click instead of writing them again. I find this feature really handy for saving time.
    You can see Google Vault’s search interface and the available search options in the screenshot here:

[Screenshot: Search in Google Vault]
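
Added example (not from the original post): the search criteria listed above, expressed as the query object that the Google Vault API accepts for saved queries and exports. The function names, parameters and sample values are assumptions made for illustration, and only the specific-user and Organization Unit scopes are covered.

```python
from datetime import datetime

# Field and enum names follow the Google Vault API "Query" object.
PRODUCTS = {"Gmail": "MAIL", "Drive": "DRIVE"}
DATA_TYPES = {"all": "ALL_DATA", "held": "HELD_DATA",
              "unprocessed": "UNPROCESSED_DATA"}


def to_utc_midnight(day):
    """Convert the article's date style (26-FEB-2016) to an RFC 3339 timestamp."""
    parsed = datetime.strptime(day.title(), "%d-%b-%Y")
    return parsed.strftime("%Y-%m-%dT00:00:00Z")


def build_query(product, terms, users=None, org_unit_id=None,
                data_type="all", start=None, end=None):
    """Hypothetical helper: turn the criteria from the list above into a query dict."""
    if product not in PRODUCTS:
        raise ValueError(f"unsupported product: {product!r}")
    if data_type not in DATA_TYPES:
        raise ValueError(f"unsupported type of data: {data_type!r}")
    # Scope must be either specific users or one Organization Unit, not both.
    if bool(users) == bool(org_unit_id):
        raise ValueError("give specific users OR one org unit, not both/neither")
    query = {
        "corpus": PRODUCTS[product],
        "dataScope": DATA_TYPES[data_type],
        # Search operators are combined with AND so every term must match.
        "terms": " AND ".join(t.strip() for t in terms if t.strip()),
    }
    if users:
        query["searchMethod"] = "ACCOUNT"
        query["accountInfo"] = {"emails": sorted(set(users))}
    else:
        query["searchMethod"] = "ORG_UNIT"
        query["orgUnitInfo"] = {"orgUnitId": org_unit_id}
    if start and end and to_utc_midnight(start) > to_utc_midnight(end):
        raise ValueError("start date is after end date")
    if start:
        query["startTime"] = to_utc_midnight(start)
    if end:
        query["endTime"] = to_utc_midnight(end)
    return query


# Constructed sample: held Gmail data sent by Larry, with attachments,
# inside the date range used in the list above.
EXAMPLE = build_query("Gmail", ["from:larry@domain.com", "has:attachment"],
                      users=["larry@domain.com"], data_type="held",
                      start="26-FEB-2016", end="31-DEC-2018")
```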

Export Data

  • You need a way to present the information (or evidence) around a case, but Google Vault does not have any presentation capabilities other than sharing your screen. So what do you do?

  • Well, you use “Export Data”, which allows you to export all of your search result data in multiple formats, based on the product type.

  • For emails: you can export them in PST or Mbox format. The export may be split into multiple files if the file size is more than 1 GB for PST (or 10 GB for Mbox) or if it contains data for more than one user.

  • Exports are available for 15 days from when they are started, after which Google deletes them. You can also choose the geographic region (United States or Europe) in which to save your exports, but do not forget to download them within 15 days.

[Screenshot: Export search results from Google Vault (search result export interface)]

