Experts in Electronic Discovery & Digital Forensics
Computers and other electronic appliances, such as mobile phones and digital cameras, generate and store significantly more ESI than even the most sophisticated users realize. This ESI includes both file content (data) and file attributes (metadata). ESI is created, modified, transmitted, and/or retained (either permanently or temporarily) using electronic appliances capable of processing this type of information.
ESI is categorized according to its purpose. Files that boot, operate, or manage hardware and/or software are system programs. Files that open and run installed software are application programs. An activity tracking record is ESI that a system or application program has generated as part of its normal or routine functioning. ESI produced by a person through the use of an application program or dedicated appliance is a user file.
Regardless of its category, ESI is either active or latent. Active ESI is located on allocated clusters (or used disk space) and consists of those files that a system, application, or user can access. Latent ESI is found on unallocated clusters (or free disk space) and consists of deleted, temporary, & discarded files as well as the fragmentary remnants of partially overwritten latent data.
ESI is comparatively easy to process: a collection can be culled by hashing (known-file filtering and de-duplication) and searched with keyword terms, whereas printed documents must be inspected page by page. Although it lives in a volatile environment, ESI is also persistent and difficult to expunge entirely; vestiges of erased files can remain on a magnetic disk for years. Ordinary deletion does not destroy ESI. Reliable destruction requires deliberately overwriting the media, cryptographically erasing it, or physically destroying it. Solid-state drives behave differently: TRIM and the drive's own wear levelling can discard deleted blocks on their own schedule, so recovery from an SSD is far less predictable than from a magnetic disk.
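The culling and searching described above, as an added example (not code from PenrodEllis or the original page). It takes a constructed collection of five small files, drops the two whose hashes match a known-file set (built inline here rather than taken from a published reference set), collapses exact duplicates to one record that remembers every path, and then runs keyword and pattern searches over what remains. All paths and contents are constructed for illustration.

```python
import hashlib
import re

# Constructed sample collection (path -> content); not real evidence.
COLLECTION = {
    r"C:\Users\jdoe\Documents\offer.txt":      b"Board memo: the offer price is 4,000,000 USD. Confidential.",
    r"C:\Users\jdoe\Desktop\offer (copy).txt": b"Board memo: the offer price is 4,000,000 USD. Confidential.",
    r"C:\Users\jdoe\Documents\lunch.txt":      b"Sandwich order for Friday: 12 USD.",
    r"C:\Program Files\WidgetApp\readme.txt":  b"Thank you for installing WidgetApp.",
    r"C:\Windows\System32\license.txt":        b"Standard vendor license text.",
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Known-file hash set in the style of a reference set such as NSRL. Constructed here
# from the two vendor files above; in practice it comes from a published list.
KNOWN_FILE_HASHES = {
    sha256(COLLECTION[r"C:\Program Files\WidgetApp\readme.txt"]),
    sha256(COLLECTION[r"C:\Windows\System32\license.txt"]),
}


def cull(collection, known_hashes):
    """Drop known files, then de-duplicate: one record per distinct content hash,
    remembering every path where that content was found."""
    docs = {}
    for path, data in collection.items():
        h = sha256(data)
        if h in known_hashes:
            continue
        docs.setdefault(h, {"data": data, "paths": []})["paths"].append(path)
    return docs


def keyword_search(docs, terms, context=12):
    """Case-insensitive search over the culled set; terms are regular expressions,
    so a literal phrase and a pattern (e.g. a currency amount) are handled alike."""
    hits = []
    for h, rec in docs.items():
        text = rec["data"].decode("utf-8", errors="replace")
        for term in terms:
            for m in re.finditer(term, text, re.IGNORECASE):
                s, e = max(0, m.start() - context), min(len(text), m.end() + context)
                hits.append({"hash": h, "paths": rec["paths"], "term": term, "context": text[s:e]})
    return hits


def run():
    docs = cull(COLLECTION, KNOWN_FILE_HASHES)
    terms = [r"offer price", r"\b\d{1,3}(?:,\d{3})+\b"]   # literal phrase + comma-grouped amount
    return docs, keyword_search(docs, terms)


if __name__ == "__main__":
    docs, hits = run()
    print(f"{len(COLLECTION)} files collected, {len(docs)} unique after culling")
    for hit in hits:
        print(hit["term"], "->", repr(hit["context"]), "in", hit["paths"])
```

Each hit carries every path at which the matching content was found, so a reviewer sees that the memo on the Desktop is a byte-identical copy of the one in Documents without reading both.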
Operative ESI consists of active and dormant files: the computer can access, open, view, start, modify, or delete them. Inoperative ESI consists of latent files and their metadata, which the computer can no longer "see" or interact with. Latent files are either intact or partially overwritten; they include deleted, temporary, and discarded files. Unallocated clusters also contain residual processing data.
OPERATIVE (ACTIVE) ESI
Operative ESI can be active or dormant. It consists of user, system, & application files as well as their metadata.
User ESI includes e-mail messages, office documents, spreadsheets, databases and digital graphics.
System ESI consists of file & operating system files, such as configuration files, utilization records, event logs, and link/shortcut files.
Application ESI includes software applications & activity records associated with their installation & utilization.
Inoperative Active ESI is corrupt or "orphaned". A file in this condition still has a directory entry and can be located by a program or user, but its contents cannot be opened and manipulated in the normal way.
Dormant Files are active ESI that the system or an application has set aside for special handling, so they are not easily accessible to the user. Such objects include backup files, virtual memory (the page file), suspend, sleep and hibernation files (hiberfil.sys on Windows), and the contents of a system's erased-files container (the Recycle Bin in Windows; Trash on macOS).
File Slack is the space between the end of a file's data in its last cluster and the end of that cluster. It is often described as filler, but the operating system writes only the new file's bytes (padding at most the final partial sector), so the rest of the cluster retains whatever occupied it before. Slack is therefore a common place to find fragments of earlier files.
INOPERATIVE (LATENT) ESI
Unallocated clusters contain intact & partially overwritten latent ESI, which includes deleted, temporary & discarded files. Unallocated clusters also contain residual latent ESI, which are the remnants of operating system, software application, & memory processes.
When one deletes a file, the file is not actually erased. Its contents stay on the clusters they occupied, and its entry in the file system's table of contents (TOC) is not removed either. The system simply flips a digital switch in the TOC from "on" to "off": on a FAT volume the first byte of the directory entry is replaced with 0xE5, and on NTFS the in-use flag of the file's MFT record is cleared and its clusters are marked free in the volume bitmap. While the switch is "on", the file is operative, its clusters are allocated, and that space is unavailable to any other file. When one "deletes" the file, the switch goes to "off", the clusters change from allocated to unallocated, and the space is made available to new or other files for overwriting. Until that happens, the contents of the deleted file remain intact.
When one opens and views a saved file, or a page on a website, one is not working directly on the copy on the drive or on the web server. The application (a word processor, for example, or a web browser) loads the content into the computer's RAM and works on that copy. A word processor writes temporary and autosave copies to disk every few minutes, or when there is not enough memory to hold the document and still manipulate data; a browser writes pages and images to its disk cache. These temporary files normally exist only as long as the associated application is running. When the application is shut down they are closed and deleted, which means that earlier versions of the original file, or previously viewed pages, may survive in Unallocated Clusters.
Discarded files are created whenever one saves an edited or modified file with an application that saves by writing a new file rather than overwriting in place, as many word processors do. The temporary file created by the associated application becomes the new saved file and the original is discarded: the clusters holding the old version become unallocated and the data on them inoperative, though intact until reused. Applications that overwrite in place leave no discarded copy of the previous version, so the availability of earlier versions depends on the application's save strategy.
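The deletion, file slack and discarded-file mechanics described in this section, modelled in a toy cluster-addressed disk, as an added example (not code from PenrodEllis or the original page). The model is deliberately tiny: 8-byte sectors, 4 sectors per cluster, 8 clusters, and save-as-new-file semantics. The file names and contents are constructed. Deleting a file only flips its table entry and clears the allocation bitmap; re-saving a file writes new clusters first and then discards the old ones; writing a short file into a freed cluster leaves the previous occupant's bytes behind the new data, which is where the slack remnant comes from.

```python
"""Toy cluster-addressed disk: shows why deleting or re-saving a file leaves its
bytes behind, and how file slack preserves fragments of older files.
Added example; a model of the mechanism, not a real file system."""

SECTOR_SIZE = 8                                     # bytes (real disks: 512 or 4096)
SECTORS_PER_CLUSTER = 4
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER     # 32 bytes per cluster
NUM_CLUSTERS = 8


class ToyDisk:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER_SIZE) for _ in range(NUM_CLUSTERS)]
        self.allocated = [False] * NUM_CLUSTERS      # the allocation bitmap
        self.entries = []                            # the "table of contents"

    def _alloc(self, n):
        free = [i for i, used in enumerate(self.allocated) if not used]
        if len(free) < n:
            raise OSError("disk full")
        for i in free[:n]:
            self.allocated[i] = True
        return free[:n]

    def _write_cluster(self, c, chunk):
        # The last partly-filled sector is zero padded; sectors after it are never
        # written, so they keep whatever the cluster held before (drive slack).
        padded = chunk + b"\x00" * (-len(chunk) % SECTOR_SIZE)
        self.clusters[c][:len(padded)] = padded

    def _release(self, entry):
        # "Delete": flip the entry to inactive and clear the bitmap. No bytes are erased.
        entry["active"] = False
        for c in entry["clusters"]:
            self.allocated[c] = False

    def _active(self, name):
        for e in self.entries:
            if e["name"] == name and e["active"]:
                return e
        raise FileNotFoundError(name)

    def save(self, name, data):
        """Save-as-new-file: write fresh clusters first, then discard the old version."""
        n = max(1, -(-len(data) // CLUSTER_SIZE))    # ceiling division
        clusters = self._alloc(n)
        for i, c in enumerate(clusters):
            self._write_cluster(c, data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE])
        for e in self.entries:
            if e["name"] == name and e["active"]:
                self._release(e)                     # previous version becomes a discarded file
        self.entries.append({"name": name, "clusters": clusters, "size": len(data), "active": True})

    def delete(self, name):
        self._release(self._active(name))

    def read(self, name):
        e = self._active(name)
        raw = b"".join(bytes(self.clusters[c]) for c in e["clusters"])
        return raw[:e["size"]]

    def slack(self, name):
        """Bytes between the end of the file's data and the end of its last cluster."""
        e = self._active(name)
        used = e["size"] - (len(e["clusters"]) - 1) * CLUSTER_SIZE
        return bytes(self.clusters[e["clusters"][-1]][used:])

    def unallocated(self):
        """What a carving tool reads: every cluster the bitmap says is free."""
        return b"".join(bytes(self.clusters[c]) for c in range(NUM_CLUSTERS) if not self.allocated[c])


def carve(blob, marker):
    """Offsets of a keyword inside a blob of unallocated space."""
    hits, start = [], 0
    while (i := blob.find(marker, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def demo():
    d = ToyDisk()
    memo = b"DRAFT: offer price is 4,000,000 USD - confidential"   # constructed, 50 bytes -> 2 clusters
    d.save("memo.txt", memo)
    d.delete("memo.txt")                          # entry off, clusters freed, bytes untouched
    after_delete = d.unallocated()
    d.save("notes.txt", b"hello")                 # reuses the first freed cluster, overwriting one sector
    slack = d.slack("notes.txt")                  # tail of the memo survives behind "hello"
    d.save("notes.txt", b"hello world revised")   # re-save: the old "hello" version is discarded
    after_resave = d.unallocated()
    return {
        "memo_intact_after_delete": after_delete.find(memo) == 0,
        "keyword_offsets_after_delete": carve(after_delete, b"4,000,000"),
        "slack_of_notes": slack,
        "old_notes_version_in_unallocated": b"hello\x00" in after_resave,
        "confidential_survives": b"confidential" in after_resave,
        "current_notes": d.read("notes.txt"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

After the first save of notes.txt the memo's second cluster is still entirely recoverable from unallocated space, and its first cluster survives as slack behind the five bytes of "hello"; only the second save of notes.txt, which happens to reuse that second cluster, destroys the word "confidential".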
PenrodEllis designates all files that are potentially relevant as Evidentiary ESI. Evidentiary ESI contains data and metadata that can be incriminatory, exculpatory, or mitigating. It is normally the only data recovered in civil matters involving Electronic Discovery.
A User Activity/File Tracking Record is any system- or application-generated file, or entry in a file, that references Evidentiary ESI. File Tracking Records include system and application configuration files, link and shortcut files, event logs, web browser databases, email messages, and full-text indexing logs. In matters requiring Computer Forensics or Incident Response, a File Tracking Record is very often more important than the Evidentiary ESI itself, as it explains the who, what, where, how and when of that ESI.
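How tracking records from several sources are tied back to one piece of Evidentiary ESI, as an added example (not code from PenrodEllis or the original page). Three constructed artifacts reference the same hypothetical document: a Windows Security event 4663 (object access) reduced to the fields used here, a simplified browser History database with a downloads table using Chromium's microseconds-since-1601 timestamps, and two shortcut records as a LNK parser would report them. Each source gets its own extractor, and the results are merged into one ordered timeline answering who, what and when for the target path. The event XML, the database rows and the LNK fields are all constructed, and the Security event omits the real schema namespace.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

TARGET = r"C:\Users\jdoe\Documents\offer.docx"   # the Evidentiary ESI being traced (hypothetical)
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_webkit(us):
    """Chromium-family browsers store times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_webkit(dt):
    return int((dt - WEBKIT_EPOCH) / timedelta(microseconds=1))


def parse_iso_z(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# ---- Constructed artifacts (not real logs) ----
# Windows Security event 4663 (object access), reduced to the fields used here.
EVENT_XML = r"""<Event>
  <System><EventID>4663</EventID><TimeCreated SystemTime="2024-03-05T14:02:11Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="ObjectName">C:\Users\jdoe\Documents\offer.docx</Data>
    <Data Name="AccessMask">0x2</Data>
  </EventData>
</Event>"""

# Fields as a LNK parser would report them for shortcuts in the user's Recent folder.
LNK_RECORDS = [
    {"lnk": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\offer.lnk",
     "target": TARGET, "target_accessed": "2024-03-05T14:05:40Z"},
    {"lnk": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\lunch.lnk",
     "target": r"C:\Users\jdoe\Documents\lunch.txt", "target_accessed": "2024-03-05T12:10:00Z"},
]


def sample_history_db():
    """In-memory stand-in for a browser History database (simplified downloads table)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE downloads(target_path TEXT, start_time INTEGER)")
    db.execute("INSERT INTO downloads VALUES (?, ?)",
               (TARGET, to_webkit(datetime(2024, 3, 5, 13, 58, tzinfo=timezone.utc))))
    return db


# ---- One extractor per source; each yields (time, source, actor, detail) for the target ----
def events_from_security_log(xml_text, target):
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): d.text for d in root.iter("Data")}
    if data.get("ObjectName") != target:
        return []
    when = parse_iso_z(root.find("./System/TimeCreated").get("SystemTime"))
    return [(when, "Security.evtx/4663", data["SubjectUserName"],
             f"object access, mask {data['AccessMask']}")]


def events_from_browser(db, target):
    rows = db.execute("SELECT target_path, start_time FROM downloads WHERE target_path = ?", (target,))
    return [(from_webkit(t), "History/downloads", "browser", f"downloaded to {p}") for p, t in rows]


def events_from_lnk(records, target):
    return [(parse_iso_z(r["target_accessed"]), "Recent/*.lnk", "shell", f"{r['lnk']} points at target")
            for r in records if r["target"] == target]


def build_timeline(target=TARGET):
    events = (events_from_browser(sample_history_db(), target)
              + events_from_security_log(EVENT_XML, target)
              + events_from_lnk(LNK_RECORDS, target))
    return sorted(events, key=lambda e: e[0])


if __name__ == "__main__":
    for when, source, actor, detail in build_timeline():
        print(when.isoformat(), source, actor, detail)
```

Every timestamp is normalised to an aware UTC datetime before sorting; mixing a browser's 1601-based microsecond counter with ISO strings from an event log without converting both is the usual way a timeline ends up in the wrong order.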