Resource Library

Chain of Custody (Continuity of Storage of Evidence)

This refers to records of the location of and control over evidence from the time of preservation and collection until the time the evidence is presented in court. It records the evidence’s location, management status, and movement. It is a testament that the collected evidence has been conserved without any changes or modifications. It is one of the elements that determines the evidence’s admissibility (admissibility of evidence).

Computer Forensics (Digital Forensics)

This is a generic term to describe the technologies and techniques used to collect and analyze electronic records (digital data) and to collect legally valid evidence in criminal investigations and litigation. It refers to investigation techniques necessary for IT related criminal investigations and eDiscovery. Targeting various digital devices such as the computers and mobile phones of a custodian or suspect, this technique is used to restore information that has been tampered with or intentionally erased, or to obtain a record of unauthorized access from the server log. Because electronic data is easily copied, deleted, and tampered with, it is mandatory to use electronic data integrity techniques such as hash value and digital signatures to prove that no modification of the data has occurred.

Culling, Case Data Culling

Culling is the umbrella term used to describe the technical tactics or processes employed to reduce a large document population to a much smaller set before the document review. It usually means the processes or techniques to remove non-responsive files from ESI and to reduce the file size by using keyword search etc. before document review.


This refers to the person who owns and manages the relevant document, the data holder. He/she becomes a subject of disclosure. For example, a custodian of an email is the owner of the mailbox that the email is stored in.


De-duplication (“de-duping”) is the process of comparing electronic records based on their characteristics and removing duplicate record from the collected ESI to keep the original file and one copy of the original file.
There are several types of de-duplication. The typical case is that of the custodian. For example, in the case that one custodian keeps the same document in multiple, de-duplication keeps only one copy of the document. In the alternative case in which the same document copy is kept by several custodians, de-duplication keeps the document of the first custodian.

Discovery (Evidence Disclosure)

This is the evidence disclosure system in the United States. The interested party has the duty to disclose the information related to the incident in civil litigation in the United States. This system is called the discovery system. Under this system, the litigant can obtain a wide range of information regardless whether it is favorable or not. Discovery includes: “Interrogatories”, “Requests for Production”, “Depositions”, etc.

eDiscovery (Electronic Evidence Disclosure, Electronic Information Disclosure)

eDiscovery is the discovery system that targets electronically stored information.
As a result of the revision of the Federal Rules of Civil Procedure in December 2006, a party is obliged to keep electronic information as evidence and to submit it as appropriate.
All relevant data that is stored in computers, etc. must be submitted by the companies at the correct time as evidence according to legal requirements. In the case of Japanese companies, the data stored in Japan also must be submitted and huge amounts of information must be processed. If the information cannot be found and presented properly, this has sometimes led to severe sanctions or lost cases.
In order to disclose the digital information as evidence, it is necessary to prove that the data has not been tampered with in any way. Preservation of evidence together with the appropriate legal processing of the enormous amounts of data in the enterprise (analysis, reporting, and eventual electronic information disclosure (e-discovery)) definitely requires professional assistance.

EDRM (The Electronic Discovery Reference Model)

As a workflow of eDiscovery (electronic information disclosure) EDRM was developed by the EDRM project which was launched in 2005.
Currently, EDRM has been adopted by law firms and service vendors as a practical global standard.


This refers to “Electronically Stored Information”, the information that is stored electronically such as digital data, electronic information, and electronic data.

Hash Function

This refers to an algorithm that creates a value to verify duplicate electronic documents. A hash mark serves as a digital thumbprint.
Hash function is a function that generates pseudo-random numbers of a fixed length string that is used to summarize the text, such as documents and numbers. It is also known as summary function or message digest function. The numbers created by hash function are called hash value. Typical hash functions are “MD5” and “SHA-1”. It has a one-to-one correspondence to the original text, document and numbers. If there is a change in the original, the hash value also changes. It is theoretically considered impossible to create multiple original documents with the same hash value. It is also not possible to reproduce the original text from a hash value. In addition, hash function is used in an auxiliary function for encrypted communication and digital signatures.

Hash Value

This refers to a unique identifying number of a file that confirms and proves that the file has not been changed from the original. Hash value is calculated by a hash function.


An incident refers to accidental events and troubles. It usually refers to events and troubles regarding computer and network security, broadly speaking the field of information security. It is sometimes referred to as a security incident or a computer security incident.
The definition of an incident is different for each area. For example, an incident in the support and system operation area refers to enhancement requests and issues received from the users. In RFC2350, the following are listed as a general incident

– Loss of confidentiality of information
– Infringement of the integrity of the information
– Denial of service
– Abuse of service, information, and system
– Damage to the system

In whichever case, it is considered important to take rapid and appropriate responses to the incident after the occurrence of the incident (incident response).

Litigation Hold

Litigation hold is a communication issued as a result of current or anticipated litigation, audit, government investigation or other such matter that suspends the normal disposition or processing of records. If the related electronic document is deleted during a litigation hold, it is regarded as destruction of evidence and a severe sanction is imposed.

Network Forensics

This refers to one of the digital forensic technologies. Network forensics technology records and analyzes the communication packets that flow through the network, and restores the contents of communications, if necessary. Computer forensics in general refers to the investigation of the records of devices such as HDDs. Network forensics refers to the collection of information regarding incoming and outgoing email, the operation log, system log, and packet data on a regular basis, and to the prevention of the occurrence of incidents without inhibiting the corporate activities. Network forensics sometimes allows for the detecting of a symptom of an incident. In many cases, forensic investigation such as HDD investigation is outsourced to experts, but regarding network forensics, there are many examples in which it is managed internally with an enterprise management tool. Before outsourcing the forensic investigation to 3rd party experts, network forensics is used to analyze the logs and packets to focus on the suspicious HDD.


This refers to small chunks of data flowing over the network. A communication system that sends and receives data divided into a plurality of packets is called packet communication. Because it does not continuously occupy the communication line between two points, the communication line can be used efficiently. Even if a communication error occurs frequently, only error packets have to be retransmitted. There is also the advantage of flexible communication channel selection in a web network communication path. Sometimes transmitted data themselves are referred to as packet data.