21 Key Takeaways of Electronic Storage

When it comes to eDiscovery, the guru is Craig Ball.

Craig recently posted about the upcoming 2019 Georgetown eDiscovery Training Academy, a week-long, immersive boot camp in electronically stored information (ESI).

The technology of e-discovery is its centerpiece, and I’ve lately added a 21-point synopsis of the storage concepts, technical takeaways and vocabulary covered.

Here is Craig’s synopsis verbatim:

  1. Common law imposes a duty to preserve potentially-relevant information in anticipation of litigation
  2. Most information is electronically-stored information (ESI)
  3. Understanding ESI entails knowledge of information storage media, encodings and formats
  4. There are many types of e-storage media of differing capacities, form factors and formats:a) analog (phonograph record) or digital (hard drive, thumb drive, optical media)b) mechanical (electromagnetic hard drive, tape, etc.) or solid-state (thumb drive, SIM card, etc.)
  5. Computers don’t store “text,” “documents,” “pictures,” “sounds.” They only store bits (ones or zeroes)a) ASCII or Unicode for alphanumeric characters;b) JPG for photos, DOCX for Word files, MP3 for sound files, etc.
  6. Digital information is encoded as numbers by applying various encoding schemes:
  7. We express these numbers in a base or radix (base 2 binary, 10 decimal, 16 hexadecimal, 60 sexagesimal). E-mail messages encode attachments in base 64.
  8. The bigger the base, the smaller the space required to notate and convey the information
  9. Digitally encoded information is stored (written):a) physically as bytes (8-bit blocks) in sectors and partitionsb) logically as clusters, files, folders and volumes
  10. Files use binary header signatures to identify file formats (type and structure) of data
  11. Operating systems use file systems to group information as files and manage filenames and metadata
  12. File systems employ filename extensions (e.g., .txt, .jpg, .exe) to flag formats
  13. All ESI includes a component of metadata (data about data) even if no more than needed to locate it
  14. A file’s metadata may be greater in volume or utility than the contents of the file it describes
  15. File tables hold system metadata about the file (e.g., name, locations on disk, MAC dates): it’s CONTEXT
  16. Files hold application metadata (e.g., EXIF geolocation data in photos, comments in docs): it’s CONTENT
  17. File systems allocate clusters for file storage; deleting files releases cluster allocations for reuse
  18. If unallocated clusters aren’t reused, deleted files may be recovered (“carved”) via computer forensics
  19. Forensic (“bitstream”) imaging is a method to preserve both allocated and unallocated clusters
  20. Because data are numbers, data can be digitally “fingerprinted” using one-way hash algorithms (MD5, SHA1)
  21. Hashing facilitates identification, deduplication and de-NISTing of ESI in e-discovery

If you don’t follow Ball in Your Court, you should.

All Rights Reserved 2019 – Beverly Michaelis