Digital Forensic services to Australia


Glossary of Terms

Keyword searching

File: A collection of organized computer code stored on some electronic storage device. A file may contain information such as videos or audio recordings, text, pictures, etc.

File Path: The location at which a file is found on a storage device.

Folder-Directory: A directory is a means of organizing electronically stored files. The topmost directory, or folder, is called the ‘Root’ directory. Typically, other directories called ‘sub-directories’ are nested beneath the root directory in order to group files of similar content or purpose. On a storage device they do not necessarily reside physically alongside each other, though to the user of the device they may appear to.

Forensic image-copy:  
electronically

Bit stream copy: The process of creating an exact ‘bit for bit’ duplicate of an electronic storage device. Otherwise known as a forensic image, forensic duplicate or exact duplicate copy. A bit stream copy duplicates everything in a cluster, including anything that is in slack space or outside of the file system’s reach, such as unallocated space. Common methods of copying a file (such as within the Windows operating system) only copy the file, leaving the slack space behind. In a forensic digital investigation it is paramount that every area of a storage device is extracted; otherwise critical evidence, such as deleted files in unallocated space, will be lost.

Metadata: Also referred to as the 'data about the data.' This term refers to additional pieces of information about the file or communication that are supplied by the computer or native application but may not appear in standard views of an electronic document. Common examples of metadata include the file access date, file path, size or name. While an email abounds in metadata, including transport headers (information about the route an email took between sender and recipient), metadata can also be embedded in a document as part of a formula or comments to revisions (such as in a Microsoft Word document). Metadata is a prime motivator for native production, as these properties can be lost when a file is printed or copied using inappropriate methods.

Attachment: An electronically stored file that is included and sent with an email. It is considered a 'child' of the message and is often produced along with it.

Culling: Minimizing the size of a set of electronic data using mutually defined criteria (dates, keywords, etc.) to reduce volume while increasing the relevancy of the information.

Custodian: A significant party in litigation. This is often a particular employee identified by counsel, whose electronically stored information (ESI) is collected for litigation purposes.

Deduplication: Also called 'deduping.' The process of identifying and/or removing identical files from a data set. Hashes are often used on standalone files in order to identify duplicates, while specific properties are often used for comparison in emails.

DeNISTing: This is a process of removing software, system and support files from a set of data using hash values available from a reference library maintained by the National Institute of Standards & Technology (NIST). This process is useful because these files are usually irrelevant to a case. They need to be addressed because they often make up a large portion of a collected set of ESI.

Electronic Discovery:  Also known as electronic data discovery or EDD, this is the process of identifying, collecting, reviewing, and producing relevant information for litigation purposes. 

Electronically Stored Information [ESI]: Not just limited to email and computer files, this term can also refer to data found in hard drives, CDs, memory sticks, online social networks, smart phones (Blackberry/Galaxy/iPhone), voice mail and other electronic data storage devices.

Hashing: The creation of a small, fixed-length, digital string of characters (a hash) by using a mathematical algorithm. Hashes are often used for item validation and deduplication, as any changes in the internal contents of a file will produce extremely different hash values. Hashing is a key component of deduplication and data validation.

Privilege: Certain communications are held to be confidential and are exempt from production. Attorney-client communication is an example of privileged communication that is identified as a part of the eDiscovery process.

Spoliation: This refers to the alteration, destruction or failure to preserve electronic evidence, whether done inadvertently or intentionally. It may carry significant penalties ranging from fines to adverse judgments.

Thread: Also known as a 'string', this is an email conversation which includes the initiating email and all emails related to it, including the replies and forwards between senders and recipients in the same email chain. Threads are typically seen in blogs, Gmail-webmail, and smart phones.
