Bloomsburg University in PA is hosting the 2024 BloomCON - 0x08. Vestige is guest speaking on March 1 on Careers in Digital Forensics & Cybersecurity.

PRESERVATION – Electronic Evidence: End User, File System, Operating System, Application


PRESERVATION – Electronic Evidence: End User, File System, Operating System, Application

Author photo
Vestige Digital Investigations, President, CEO and Founder

The last piece of technical information that is needed in order to properly design and execute a defensible preservation plan relates to the entities that automatically created information whenever an electronic device is used.  Most people are surprised when they learn that in addition to the information that an end-user enters into a device, the device itself, creates a lot of information.  In particular, the file system, operating system, and applications on a device each create information that may be relevant to a particular matter.

A. Content Data, File System and Application Data; Operating System Data

Content data is not the only discoverable and relevant electronically stored information attorneys must consider. In addition to content data (ex. Work, Excel, etc. and its associated file name and metadata), and attorney must consider the Electronically Stored Information that records the manner in which computers were used in a case is determined by interpreting File System, Application, and Operating System data.

File System data allows an operating system or program to run more efficiently. Generally, file system data is not essential to the storage and retrieval of any of the data types; however, metadata related to file system data may be very important in a case. For example, data created before a change to a file system’s metadata occurs (termed “journaling”) may record recent changes that are relevant to a case or matter.

Application and operating system data may be very important in a case.  Basically, these sources of data record the actions of end users when using the computer. Operating system data includes: System registry data, analysis of which can easily identify sources of discoerable information that hae not been produced; mass deletion activity caused by wiping utilities; custodians of discoverable information that have not been identified; and a wealth of information that is used to identify who knew what, and when did they know it.

B. Who/What is Creating Electronically Stored Information

Everyone understands that an end user can create content data and store it as a named file on a computer hard drive. The file system used on the particular computer organizes the content data by linking the content data to several metadata files and to specific file name data. The file system metadata files are created automatically and usually without any input or knowledge of the end user. Some metadata files automatically created included the time and date stamps of the creation of the file in the file system.

Operating systems and applications also automatically create data as essential features of their functions.  The Windows operating system automatically creates and stores in the “System Registry” substantial data regarding the software and devices connected to a computer. System Registry analysis indentifies the existence and/or use of data deletion utilities, concealment of hard drives and external storage devices, and the manner in which a computer has been used during relevant, critical time periods.

C. Strategic Considerations

The duty to preserve may extend to content and artifact data created by en users, file systems, operating systems, and applications used by key players in a matter to operate electronic devices. The duty to preserve is broader that the duty to produce, and consequently, preservation may be measured by a different test than production.  It is essential to understand the types of data resident on the electronic devices involved in a matter so that counsel can properly preserve relevant data.  Indeed, relevant data may even include data that exists in RAM, that portion of memory that is lost when the computer is shut down. (i)

All E-Discovery issues can be analyzed by first identifying the proper category of data that is related to any particular issue.  For example, the law of privilege may apply to information in metadata fields which can be accessed by an end-user, such as the comment field in a Microsoft Word document.  If an end-user (i.e. a key player) entered privileged information in the comment “meta-data” field, that information could be protected from discovery.  Not all metadata fields, however, are populated with data by an end-user. Some of the fields may be populated by the operating system, such as the Creation Date of a Word document.  The law privilege, which requires a communication from or to a client, would not apply to the Creation Data “metadata” because the Creation Date is electronic data written by the operating system, not by a human being.

(i) See: Columbia Pictures v. Bunnell, 2007 WL 2080419 (C.D. Cal. May 29, 2007) for discussion of the duty to preserve RAM in a case involving the identification of users of a peer to peer network to download copyright protected materials.