Electronically Stored Information is any data created, manipulated, communicated and stored in digital format requiring the use of computer hardware and software. It is categorized and filtered according to the process or source that created it: operating system files, installed application files and user generated files. Regardless of its category, PenrodEllis FDD classifies ESI as either operative (active) or inoperative (deleted). Operative ESI is located on allocated clusters (used disk space); inoperative ESI on unallocated clusters (free disk space).
Recovering ESI is fairly easy, as it can be filtered using mathematical algorithms and searched using keyword search terms. Printed documents, on the other hand, must be inspected manually. Although contained within a volatile environment, ESI is actually quite persistent and difficult to expunge entirely. Vestiges of erased files can remain on DED for years. In fact, the only reliable means of destroying ESI is to destroy the DED on which it is stored. But Computer Forensics goes beyond the recovery of both operative and inoperative ESI. It involves an investigation of the ESI as it exists on DED.
Electronically Stored Information is stored on either allocated or unallocated clusters. Allocated clusters contain Operative ESI and File Slack. Unallocated clusters contain Inoperative ESI and Residual Data.
Operative ESI consists of files or folders a user can access and use. Inoperative ESI consists of files the system and user can no longer access.
Operative ESI can be either active or dormant and consists of user, system and application generated files and metadata.
User data includes e-mail messages, office documents, spreadsheets, databases and digital graphics.
System data consists of configuration files, utilization records, event logs, and link/shortcut files.
Application data includes records associated with the installation and utilization of software applications.
Operative ESI does not include system and application program files.
Dormant Files are Operative ESI that have been set aside by the system for special handling and are consequently not easily accessible to the user. These objects include backup files, virtual memory, suspend mode and sleep/hibernation files, as well as the contents of a system's erased files container (the Recycle Bin on Windows, the Trash on Mac).
File Slack is the space between the end of a file's operative data in its last cluster and the end of that cluster. File Slack can be thought of as filler, although it may still hold remnants of whatever previously occupied the cluster.
Unallocated clusters contain Inoperative ESI in the form of deleted, temporary and discarded files.
When one deletes a file, the file isn't actually deleted. Neither the contents of the file nor its entry in the system's table of contents (TOC) are erased. The system simply throws a digital switch in the TOC from "on" to "off." When the switch is in the "on" position, the file is operative and the cluster containing its contents is allocated; that space is not available to any other file. When you "delete" a file, the system flips the digital switch to "off." The cluster containing the file's contents changes from allocated to unallocated and its space is made available for overwriting by new or other files. Until that happens, however, the contents of the deleted file remain intact.
When one opens and views a saved file or a page on a website, one is not actually looking at the file on the drive or the page on the Internet. What one is looking at is a temporary file, created in the computer's RAM by the file's associated application (a word processor, for example, or a web browser). The temporary file is saved (refreshed) to disk every few minutes, or whenever there is not enough memory available to keep the file in memory and still manipulate data. Temporary files only exist as long as the file's associated application is running. When the application is shut down, all temporary files are closed and then deleted, which means that different versions of the original file may exist in Unallocated Clusters.
Discarded files are created every time one saves an edited or modified file. When a file is opened, modified, and then saved, the temporary file created by the associated application becomes the new saved file and the original file is discarded. The cluster containing the old file becomes unallocated and the data thereon inoperative.
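The three mechanisms just described (the TOC "switch", File Slack and clusters becoming unallocated after a delete or re-save) can be shown on a toy cluster-based disk. The following is an added illustration written for this page, not PenrodEllis code or any real file system; the cluster size, file names and contents are constructed values.

```python
# Toy disk: fixed-size clusters plus a table of contents (TOC) whose entries carry an
# "on" switch. Deleting flips the switch; it never touches the cluster bytes.
CLUSTER = 16        # bytes per cluster (constructed, unrealistically small)
N_CLUSTERS = 8

class ToyDisk:
    def __init__(self):
        self.clusters = [bytearray(CLUSTER) for _ in range(N_CLUSTERS)]
        self.toc = {}   # name -> {"clusters": [idx, ...], "size": int, "on": bool}

    def _free(self):
        # Only entries whose switch is "on" reserve their clusters.
        used = {c for e in self.toc.values() if e["on"] for c in e["clusters"]}
        return [i for i in range(N_CLUSTERS) if i not in used]

    def write(self, name, data: bytes):
        needed = max(1, -(-len(data) // CLUSTER))      # ceiling division; empty file still gets a cluster
        free = self._free()
        if len(free) < needed:
            raise OSError("disk full")
        chosen = free[:needed]
        for i, c in enumerate(chosen):
            chunk = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.clusters[c][:len(chunk)] = chunk        # bytes after the chunk are untouched: File Slack
        self.toc[name] = {"clusters": chosen, "size": len(data), "on": True}

    def delete(self, name):
        self.toc[name]["on"] = False                     # the "digital switch": contents remain intact

    def read(self, name):
        e = self.toc[name]
        if not e["on"]:
            raise FileNotFoundError(name)                # inoperative: user and system can't open it
        return bytes(b"".join(self.clusters[c] for c in e["clusters"])[:e["size"]])

    def slack(self, name):
        e = self.toc[name]
        off = e["size"] % CLUSTER
        return bytes(self.clusters[e["clusters"][-1]][off:]) if off else b""

    def carve_unallocated(self, needle: bytes):
        # What an examiner does with unallocated clusters: search them for known content.
        return [i for i in self._free() if needle in self.clusters[i]]

def demo():
    d = ToyDisk()
    d.write("memo.txt", b"Board meeting moved to Friday 3pm.")  # 34 bytes -> clusters 0, 1, 2
    d.delete("memo.txt")                                         # switch off; bytes still on disk
    d.write("note.txt", b"short")                                # reuses cluster 0, leaving 11 bytes of slack
    before = d.carve_unallocated(b"Friday")                      # memo remnant still in cluster 1
    slack = d.slack("note.txt")                                  # slack holds the old memo's bytes
    d.write("big.bin", b"X" * 40)                                # overwrites clusters 1, 2, 3
    after = d.carve_unallocated(b"Friday")                       # remnant now gone
    return {"carved_before": before, "slack": slack, "carved_after": after}
```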
PenrodEllis refers to operative and inoperative user generated ESI, including its internal and external metadata, as Core ESI. Core ESI represents the principal evidence in any case involving Electronically Stored Information. It is normally the only data recovered in civil matters involving Electronic Discovery.
Ambient ESI is our term for any system or application generated record or file, including configuration files, link or shortcut files, event logs, indexes, and line item entries within any of the preceding. In matters requiring Computer Forensics or Incident Response, Ambient ESI is very often more important than Core ESI, as it explains the who, what, where, how and when of Core ESI.