
Craig Ball's Electronic Discovery Workbook Part 2 - Outline

Here's a continuation of my outline of Craig Ball's Electronic Discovery Workbook, which I first posted about on November 11, 2016. After reviewing how the Federal Rules of Civil Procedure pertain to electronic discovery, Ball turns to a review of the EDRM and digital storage media.


Ball simply posts the Electronic Discovery Reference Model, and provides the following definitions which I have seen repeated nearly word for word in several other places:

Information Governance - Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of ESI (electronically stored information) through its final disposition.

Identification - Locating potential sources of ESI & determining its scope, breadth & depth.

Preservation - Ensuring that ESI is protected against inappropriate alteration or destruction.

Collection - Gathering ESI for further use in the e-discovery process (processing, review, etc.).

Processing - Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.

Review - Evaluating ESI for relevance & privilege.

Analysis - Evaluating ESI for content & context, including key patterns, topics, people & discussion.

Production - Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

Presentation - Displaying ESI before audiences (at depositions, hearings, trials, etc.), especially in native & near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

III. Ball then includes a copy of his article, "What Every Lawyer Should Know About E-Discovery".

A. California Bar Advisory - attorney must know:

1. How to assess electronic discovery needs.

2. Preservation

3. Analyze client's systems.

4. Identify custodians.

5. Perform appropriate searches.

6. Collect ESI preserving integrity

7. Advise client on options for collection and preservation.

8. Meet and confer

9. Produce responsive ESI in appropriate manner.

Declining representation might be the only ethical response if you don't have the right e-discovery skills. Asking the IT guy will not suffice.

Searching is a science. It requires more than just guessing which terms seem most relevant.

Competent counsel knows that it is essential to demand natives to guard against data loss and preserve utility; converting to TIFFs increases file size and cost of discovery.

A. Punched Cards

IBM 80 column, 12 row standard punch card - common through the 1970s.

B. Magnetic Tape

LTO-7 tapes introduced in 2015 - 6 TB of uncompressed data; and 15 TB of compressed data. 315 MB per second.

C. Floppy Disks

spinning plastic disks coated with magnetic oxide - have concentric rings of data called tracks that are then divided into sectors. Five common formats:

1. 8 inch

2. 5.25 inch

3. 3.5 standard

4. 3.5 high density

5. Zip

D. Optical Media

CDs and DVDs - 4.76 inch plastic disks with a metalized reflective coating or dye layer that can be distorted by a laser to induce pits and lands, which then generate 1s and 0s.

CD - 700 MB

DVD - 4.7 GB

Blu-ray - 50 GB

E. Conventional Electromagnetic Hard Drives

- Round flat disks called platters, stacked on a spindle. 5400, 7200 or 10000 RPM. Read/write heads are mounted on actuator arms. The head should never touch the platter if operating properly. If it does, data will be obliterated and a 'head crash' caused.

1. 3.5" desktop drive

2. 2.5" laptop drive

3. 1.8" iPod and microsystem drive.

- Hard Drive interfaces:

PATA for Parallel Advanced Technology Attachment (sometimes called EIDE for Extended Integrated Drive Electronics)

SATA for Serial Advanced Technology Attachment

SCSI for Small Computer System Interface

SAS for Serial Attached SCSI

FC for Fibre Channel

Since 2006 most computers use SATA drives for local storage.

F. Flash Drives, Memory Cards, SIMs and Solid State Drives

NAND - non-volatile memory introduced around 1995 - for thumb drive, etc.

Subscriber Identification Module (SIM) cards are used in cell phones.

Electromagnetic hard drives are being eliminated in favor of solid state storage. NAND memory cells in SSDs wear out rapidly so controllers must constantly re-position data - this is wear leveling. Wear leveling hampers forensic data recovery techniques.

G. RAID Arrays

Redundant Array of Independent Disks - operate together for backup and performance. Performance is achieved through striping: data divided across multiple drives, so each drive can deliver data simultaneously, increasing the amount of information handed off to the computer’s microprocessor, termed superior “throughput.” RAID 0 provides a backup for this process; RAID 1 does not. A single logical drive letter on your client’s server may be composed of many drives in a RAID array.

H. Computers

ROM BIOS - read only memory used for Basic Input and Output System peripherals - permits processor to access more and more data from the hard drive. Heat generated by the microprocessor is dissipated by a heat sink.

Graphics Processor Unit (GPU) supports display of information from the processor to the monitor.

I. Servers

computer dedicated to a specialized task.

J. Local, Cloud, and Peer-to-Peer Servers

- Local servers reside in a computer room on the business's premises.

- Cloud - consumer buys services via the internet that emulate services of a set of machines. Webmail is the most familiar form of Cloud computing - SaaS - software as a service.

- Peer to Peer (P2P) - each computer on a P2P network acts as a computer and server. Technology behind file sharing applications like BitTorrent.

K. Virtual Servers

Hardware virtualization - a single physical server hosts multiple virtual servers, allowing computing resources to be added or retired commensurate with demand. Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).

L. Server Applications

Computers dedicated to server roles typically run operating systems optimized for server tasks and applications specially designed to run in a server environment. File Servers; Printer servers; Mail servers; Web servers; and Database servers.

M. Network Shares

Network shares are not local to the user's computer, but they are addressed using drive letters as if they were local drives, for the purpose of backing up data.

N. Practice Tips for Computers, Hard Drives, and Shares

ESI Inventory

- computing and physical storage devices. Typically unnecessary to sequester any component of the machine other than its hard drive(s) since the ROM BIOS holds little information beyond the rare forensic artifact.

V. Getting Your Arms Around the ESI Elephant

Big Six Sources of Digital Evidence for Responsive ESI

1. Key Custodians' Email (Sources: server, local, archived and cloud)

MS Exchange and Lotus Domino mail servers.

SaaS webmail. Webmail may be as simple as a single user’s Gmail account or, like the Microsoft Office 365 product, a complete replication of an enterprise e-mail environment, sometimes supporting e-discovery preservation and search capabilities.

Determine types of messages; temporal range of messages; and volume of messages.

2. Key Custodians' Documents and Data: Network Shares

In addition to network file shares, enterprises employ virtual workspaces called deal rooms or work rooms where users "meet" and collaborate in cyberspace. Deal rooms have their own storage areas and other features, including message boards and communications tools--they’re like Facebook for business.

3. Mobile Devices: Phones, Tablets, IoT

More people access the internet via phones than all other devices combined. Litigants often falsely assume that data accessed on a phone will be backed up elsewhere.

4. Key Custodians' Documents and Data: Local Storage

Don't assume a "no local storage" policy is the local storage reality.

5. Social Networking Content

The average Facebook user visits the site 14 times daily and spends 40 minutes looking at Facebook content.

6. Databases (server, local and cloud)

If standard reports aren’t sufficient to meet the needs in discovery, inquire into the database's schema (i.e., its structure) and determine what query language the database supports to explore how data can be extracted.


Cloud Sources - because of the shift of corporate applications and IT infrastructure to leased cloud environments like Amazon Web Services and Microsoft Azure, or the tendency of individuals to store data in tools like Box, Dropbox, Google Drive, Microsoft OneDrive, Apple’s iCloud and others, the cloud must be considered alone as an adjunct to the other six sources when seeking to identify and preserve potentially responsive ESI.

Pitfalls and Sinkholes - parties don't have to search and produce all responsive ESI in legal data, but businesses do have to quantify legal data so they can determine the burden and cost of reviewing it. They often fail in this effort. "Where ESI is concerned, custodians and system administrators assume too much, do too little or simply say whatever will make the lawyers go away." More effort will show ESI exists and it's not hard to access.

Lather, Rinse and Repeat -

First collect and produce data from key custodians, then use that data to guide discovery requests.
