Twenty-One Key Concepts for ESI and So Much More: eDiscovery Best Practices

This is certainly going on my Educational Resources page that I eventually will be adding to this site!  The latest post in Craig Ball’s excellent Ball in Your Court blog is perhaps one of the longest ones he’s published, and for good reason.  It’s a comprehensive look at all of the topics the students in his E-Discovery and Digital Evidence course at the University of Texas School of Law need to study to prepare for the Final Exam.  It’s a laundry list of topics an eDiscovery professional needs to know and his Appendix on Twenty-One Key Concepts for Electronically Stored Information is so excellent, I just have to cover it again here.

In his post Final Exam Review: How Would You Fare?, Craig identifies a variety of topics about which his students need to demonstrate understanding and knowledge, including: meeting the preservation duty and proportionality, making effective use of the FRCP Rule 26(f) meet-and-confer process, at least 22 eDiscovery case law opinions (many of which I’ve covered over the years), terminology, the EDRM model, encoding, storage, e-mail, forms, search and review, accessibility and good cause, FRE Rule 502 (which I discussed in my last “for newbies” post), and the 2006 and 2015 FRCP rules amendments.  And much more.

Craig ends with his Appendix on Twenty-One Key Concepts for Electronically Stored Information.  Craig originally published a post about the Twenty-One Key Concepts a couple of years ago, which I covered back then.  But, that was my former blog and many of you who follow eDiscovery Today may not have seen it.  So, I’m covering it again here below as it’s such a terrific resource.  Even though that part is below, check out his post here as it has so much additional useful information.  It’s a must read for anyone who wants to understand what they need to know about eDiscovery!

Craig Ball’s Twenty-One Key Concepts for Electronically Stored Information

  1. Common law imposes a duty to preserve potentially relevant information in anticipation of litigation.
  2. Most information is electronically stored information (ESI).
  3. Understanding ESI entails knowledge of information storage media, encodings and formats.
  4. There are many types of e-storage media of differing capacities, form factors and formats:
    1. analog (phonograph record) or digital (hard drive, thumb drive, optical media).
    2. mechanical (electromagnetic hard drive, tape, etc.) or solid-state (thumb drive, SIM card, etc.).
  5. Computers don’t store “text,” “documents,” “pictures,” “sounds.” They only store bits (ones or zeroes).
  6. Digital information is encoded as numbers by applying various encoding schemes:
    1. ASCII or Unicode for alphanumeric characters.
    2. JPG for photos, DOCX for Word files, MP3 for sound files, etc.
  7. We express these numbers in a base or radix (base 2 binary, 10 decimal, 16 hexadecimal, 60 sexagesimal). E-mail messages encode attachments in base 64.
  8. The bigger the base, the smaller the space required to notate and convey the information.
  9. Digitally encoded information is stored (written):
    1. physically as bytes (8-bit blocks) in sectors and partitions.
    2. logically as clusters, files, folders and volumes.
  10. Files use binary header signatures to identify file formats (type and structure) of data.
  11. Operating systems use file systems to group information as files and manage filenames and metadata.
  12. Windows file systems employ filename extensions (e.g., .txt, .jpg, .exe) to flag formats.
  13. All ESI includes a component of metadata (data about data) even if no more than needed to locate it.
  14. A file’s metadata may be greater in volume or utility than the contents of the file it describes.
  15. File tables hold system metadata about the file (e.g., name, locations on disk, MAC dates): it’s CONTEXT.
  16. Files hold application metadata (e.g., EXIF geolocation data in photos, comments in docs): it’s CONTENT.
  17. File systems allocate clusters for file storage; deleting files releases cluster allocations for reuse.
  18. If unallocated clusters aren’t reused, deleted files may be recovered (“carved”) via computer forensics.
  19. Forensic (“bitstream”) imaging is a method to preserve both allocated and unallocated clusters.
  20. Data are numbers, so data can be digitally “fingerprinted” using one-way hash algorithms (MD5, SHA1).
  21. Hashing facilitates identification, deduplication and de-NISTing of ESI in e-discovery.
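Concepts 10, 12, 20 and 21 can be seen working together in a short script. This is an added example, not code from Craig Ball's post or from this blog; the signature table, file names, sample bytes and the `KNOWN` hash set (a stand-in for a known-file reference list) are all constructed for illustration.

```python
import hashlib

# A few well-known header signatures ("magic numbers") and the format they flag.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx",   # DOCX is a ZIP container
    b"MZ": "exe",
}

def identify(data):
    """Concept 10: read the format from the file's leading bytes."""
    for magic, fmt in SIGNATURES.items():
        if data.startswith(magic):
            return fmt
    return "unknown"

def fingerprint(data):
    """Concept 20: one-way hash of the content (the name plays no part)."""
    return hashlib.sha1(data).hexdigest()

def cull(files, known_hashes):
    """Concept 21: de-NIST, deduplicate and flag extension/header mismatches.

    files is a list of (name, bytes). Returns (kept, dropped), where kept holds
    (name, detected_format, extension_mismatch) and dropped holds (name, reason).
    """
    seen, kept, dropped = {}, [], []
    for name, data in files:
        digest = fingerprint(data)
        if digest in known_hashes:
            dropped.append((name, "de-NIST"))
        elif digest in seen:
            dropped.append((name, "duplicate of " + seen[digest]))
        else:
            seen[digest] = name
            fmt = identify(data)
            ext = name.rsplit(".", 1)[-1].lower()   # concept 12: the extension
            mismatch = fmt != "unknown" and ext not in fmt.split("/")
            kept.append((name, fmt, mismatch))
    return kept, dropped

# Constructed sample collection: not real files.
EXE = b"MZ\x90\x00 constructed system binary"
JPG = b"\xff\xd8\xff\xe0 constructed photo bytes"
SAMPLE = [("notepad.exe", EXE), ("photo.jpg", JPG),
          ("copy_of_photo.jpg", JPG), ("notes.txt", JPG + b"!")]
KNOWN = {fingerprint(EXE)}   # stand-in for a known-file hash list

if __name__ == "__main__":
    print(cull(SAMPLE, KNOWN))
```

SHA-1 is used because the list names it; `hashlib.sha256` drops into `fingerprint` unchanged.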

So, what do you think?  Do you think you could pass Craig Ball’s final exam? It sure looks comprehensive to me!  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


  1. Really? I know I reside in New Orleans and make no judgments about anyone being who they are, but wearing a skirt? And purple on blue? What, no pearls? 🤣
