Electronic Discovery and Digital Evidence in a Nutshell - Chapter 1 Outline
Here's another installment in my outline of Electronic Discovery and Digital Evidence in a Nutshell, the second edition of the West Academic guide to electronic discovery law in the United States authored by Judge Shira Scheindlin (the judge in the Zubulake v. UBS Warburg) and members of the Sedona Conference. The first was posted on October 30, 2016.
CHAPTER 1: ELECTRONIC DISCOVERY - TYPES AND SOURCES
A. TYPES OF ELECTRONICALLY STORED INFORMATION
1. Custodian v. Enterprise ESI
- Custodian controls creation, storage and disposition of ESI.
- Enterprise ESI - individual custodian has little or no control.
2. Program Data
Word processing; spreadsheets; databases; ect.
3. Messaging Systems
Email; electronic calendaring; voicemail.
4. Organization Specific Applications
special-purpose, company-specific application programs; enterprise in nature.
5. Generic Enterprise Applications
Accounting, tax, and payroll packages • Business Process Management (BPM) applications • Customer Relationship Management (CRT) systems • Records and Information Management (RIM) systems • Supply Chain Management (SCM) systems
holding information in a structured fashion.
internet access point may be connected directly to a database.
tied into corporate applications and databases in an attempt to provide a single-source interface to the company.
virtual business communities where business partners come together to share information.
Data about data. information inserted into a file by its creators or users, but not visible in the ordinary display of the file or in printed form.
11. Backup Data
a. local back-ups
b. network back-ups
c. cloud-based back-ups
Full; incremental; continuous and mirrored (full functionality) backups.
Magnetic tape back-ups not stored forever; it's rotated.
12. Fragmented or Residual Data
a. data randomly placed throughout available storage space on drive.
b. residual data left behind even after file has been deleted.
c. preserved by creating a forensic image.
d. no obligation to preserve or review residual data.
B. HOW AND WHERE ELECTRONIC INFORMATION IS STORED
magnetic, optical and solid state storage media.
1. Storage Schema
a. Custodian-centric Data Storage
b. Virtual Workgroup-Centric Data Storage
c. Business Unit-Centric Data Storage
d. Enterprise-Centric Data Storage
e. Third Party-Centric Data Storage
2. Accessibility of ESI
a. Local and Online Storage of ESI - hard drives and solid state drives. Online storage would be on a network or in the cloud.
b. Near-Line Storage of ESI - physically accessible removeable media.
c. Offline Storage of ESI - e.g. magnetic tape. Time and cost of restoration is substantial.
C. COMPUTER FORENSICS
a. ESI deleted, but still recoverable.
b. ESI tampered with and this can be detected.
c. Show ESI usage
d. Authentication of a file.
1. Forensic Disk Images - bit image, bit-stream image, or cloned image. Includes residual data.
2. Recovering Deleted Files - Specialized software utilities built into the operating system allow for the recovery of a deleted file provided that a new file or data set has not been overwritten. In addition, data recovery software can be used to “undelete” particular files.