top of page

Electronic Discovery and Digital Evidence in a Nutshell - Chapter 1 Outline

Here's another installment in my outline of Electronic Discovery and Digital Evidence in a Nutshell, the second edition of the West Academic guide to electronic discovery law in the United States authored by Judge Shira Scheindlin (the judge in the Zubulake v. UBS Warburg) and members of the Sedona Conference. The first was posted on October 30, 2016.



1. Custodian v. Enterprise ESI

- Custodian controls creation, storage and disposition of ESI.

- Enterprise ESI - individual custodian has little or no control.

2. Program Data

Word processing; spreadsheets; databases; ect.

3. Messaging Systems

Email; electronic calendaring; voicemail.

4. Organization Specific Applications

special-purpose, company-specific application programs; enterprise in nature.

5. Generic Enterprise Applications

Accounting, tax, and payroll packages • Business Process Management (BPM) applications • Customer Relationship Management (CRT) systems • Records and Information Management (RIM) systems • Supply Chain Management (SCM) systems

6. Databases

holding information in a structured fashion.

7. Websites

internet access point may be connected directly to a database.

8. Intranet

tied into corporate applications and databases in an attempt to provide a single-source interface to the company.

9. Extranet

virtual business communities where business partners come together to share information.

10. Metadata

Data about data. information inserted into a file by its creators or users, but not visible in the ordinary display of the file or in printed form.

11. Backup Data

a. local back-ups

b. network back-ups

c. cloud-based back-ups

Full; incremental; continuous and mirrored (full functionality) backups.

Magnetic tape back-ups not stored forever; it's rotated.

12. Fragmented or Residual Data

a. data randomly placed throughout available storage space on drive.

b. residual data left behind even after file has been deleted.

c. preserved by creating a forensic image.

d. no obligation to preserve or review residual data.


magnetic, optical and solid state storage media.

1. Storage Schema

a. Custodian-centric Data Storage

b. Virtual Workgroup-Centric Data Storage

c. Business Unit-Centric Data Storage

d. Enterprise-Centric Data Storage

e. Third Party-Centric Data Storage

2. Accessibility of ESI

a. Local and Online Storage of ESI - hard drives and solid state drives. Online storage would be on a network or in the cloud.

b. Near-Line Storage of ESI - physically accessible removeable media.

c. Offline Storage of ESI - e.g. magnetic tape. Time and cost of restoration is substantial.


a. ESI deleted, but still recoverable.

b. ESI tampered with and this can be detected.

c. Show ESI usage

d. Authentication of a file.

1. Forensic Disk Images - bit image, bit-stream image, or cloned image. Includes residual data.

2. Recovering Deleted Files - Specialized software utilities built into the operating system allow for the recovery of a deleted file provided that a new file or data set has not been overwritten. In addition, data recovery software can be used to “undelete” particular files.

bottom of page