Ball in your Court

~ Musings on e-discovery & forensics.

Tag Archives: forensics

The EDRM Isn’t Broken; It’s Misunderstood.

18 Wednesday Mar 2026

Posted by craigball in Uncategorized

≈ 4 Comments

Tags

E-Discovery, eDiscovery, EDRM, forensics, investigations

Disclaimer: I serve as General Counsel of EDRM, but this message is mine alone: Nothing that follows speaks for EDRM or its leadership.

I recently received a marketing email that contained this gem: Organizations are “asking if EDRM is structurally prepared for investigations.”

Short answer: Yes. Obviously. Because the EDRM was never a structure to begin with.

That’s not a knock. That’s the point.

The Electronic Discovery Reference Model is–wait for it–a reference model—not a workflow, not a platform architecture, not an operational blueprint. A reference model is a conceptual framework that identifies the principal stages and relationships in a process. It doesn’t tell you how to do something; it maps what needs doing. Think of it as a compass, not a GPS turn-by-turn. It orients you. It doesn’t drive for you, and it ain’t broke.

The EDRM diagram—that familiar left-to-right ribbon of stages from Information Governance through Presentation—has never pretended otherwise. It emerged before we had a framework to talk sensibly about the conceptual components of exchanging ESI as evidence. It has always depicted a reference arc, not a rigid assembly line. Wise practitioners always understood that the stages overlap, iterate, and telescope depending on the matter. You don’t march from Identification to Collection to Processing like soldiers in formation. You loop, you backtrack, you run stages in parallel, recurse and iterate. The model accommodates all of that because it describes the territory, not the trail. You want to merge or collapse several stages in your preferred workflow? Go for it! The EDRM doesn’t proscribe that, just as cramming several stages into a single super-stage doesn’t do away with the need to complete the tasks the sub-stages describe.

So when someone asks whether EDRM is “structurally prepared for investigations,” the premise is the problem. They’re evaluating a map by asking whether it can carry luggage.

The shift toward “governed internal workflows where legal, security, and compliance operate from a shared investigation infrastructure” is a legitimate operational development. Organizations should be thinking about unified investigation infrastructure. But that’s a workflow conversation—a conversation about tooling, governance, access controls, and process design. It is emphatically not a conversation that requires or benefits from declaring the EDRM obsolete or unprepared.

The EDRM doesn’t compete with your investigation workflow. It informs it. The moment you need to think about what data sources to identify, how to preserve without spoliation risk, how to collect defensibly, how to process for review, how to analyze and produce—there’s the EDRM, as useful and orienting as it has ever been.

What the EDRM can’t do—and was never meant to do—is be your ticketing system, your case management platform, or your chain-of-custody log. If your investigation workflow is broken, that’s not the EDRM’s fault for failing to be software. It’s a planning failure for expecting a reference model to do a workflow’s job.

The schematic is fine (circa 2014). The thinking around it sometimes isn’t.

Use the EDRM for what it is: a durable, vendor-neutral conceptual foundation that helps you ask the right questions in the right sequence. Then build or buy whatever workflow infrastructure serves your organization’s needs. The two aren’t in tension unless you insist on making them so.


Still on Dial-Up: Why It’s Time to Retire the Enron Email Corpus

15 Friday Aug 2025

Posted by craigball in Computer Forensics, E-Discovery, General Technology Posts

≈ 11 Comments

Tags

corpora, E-Discovery, eDiscovery, Enron, ESI, forensics

Early this century, when I was gaining a reputation as a trial lawyer who understood e-discovery and digital forensics, I was hired to work as the lead computer forensic examiner for plaintiffs in a headline-making case involving a Houston-based company called Enron.  It was a heady experience.

Today, everywhere you turn in e-discovery, Enron is still with us. Not the company that went down in flames more than two decades ago, but the Enron Email Corpus, the industry’s default demo dataset.

Type in “Ken Lay” or “Andy Fastow,” hit search, and watch the results roll in. For vendors, it’s the easy choice: free, legal, and familiar. But for 2025, it’s also frozen in time—benchmarking the future of discovery against the technological equivalent of a rotary phone. Or, now that AOL has lately retired its dial-up service, benchmarking it against a 56K modem.

How Enron Became Everyone’s Test Data

When Enron collapsed in 2001 amid accounting fraud and market-manipulation scandals, the U.S. Federal Energy Regulatory Commission (FERC) launched a sweeping investigation into abuses during the Western U.S. energy crisis. As part of that probe, FERC collected huge volumes of internal Enron email.

In 2003, in an extraordinary act of transparency, FERC made a subset of those emails public as part of its docket. Some messages were removed at employees’ request; all attachments were stripped.

The dataset got a second life when Carnegie Mellon University’s School of Computer Science downloaded the FERC release, cleaned and structured it into individual mailboxes, and published it for research. That CMU version contains roughly half a million messages from about 150 Enron employees.

A few years later, the Electronic Discovery Reference Model (EDRM)—where I serve as General Counsel—stepped in to make the corpus more accessible to the legal tech world. EDRM curated, repackaged, and hosted improved versions, including PST-structured mailboxes and more comprehensive metadata. Even after CMU stopped hosting it, EDRM kept it available for years, ensuring that anyone building or testing e-discovery tools had a free, legal dataset to use. [Note: EDRM no longer hosts the Enron corpus, but for those who like hunting antiques, you may find it (or parts of it) at CMU, Enrondata.org, Kaggle.com and, no joke, The Library of Congress].

Because it’s there, lawful, and easy, Enron became—and regrettably remains—the de facto benchmark in our industry.

Why Enron Endures

Its virtues are obvious:

  • Free and lawful to use
  • Large enough to exercise search and analytics tools
  • Real corporate communications with all their messy quirks
  • Familiar to the point of being an industry standard

But those virtues are also the trap. The data is from 2001—before smartphones, Teams, Slack, Zoom, linked attachments, and nearly every other element that makes modern email review challenging.

In 2025, running Enron through a discovery platform is like driving a Formula One race car on cobblestone streets.


Safety First: A Fun Day at the “Office”

16 Monday Dec 2024

Posted by craigball in Computer Forensics, E-Discovery, General Technology Posts, Personal

≈ 4 Comments

Tags

bosiet, caebs, drill-ship, forensics, offshore, vdr, voyage-data-recorder

As a forensic examiner, I’ve gathered data in locales ranging from vast, freezing data centers to the world’s largest classic car collection. Yet, wherever work has taken me, I’ve not needed special equipment or certifications beyond my forensic skills and tools.  That is, until I was engaged to inspect and acquire a Voyage Data Recorder aboard a drilling vessel operating in the Gulf of Mexico.

A Voyage Data Recorder (VDR) is the marine counterpart of the Black Box event recorder in an airliner.  It’s a computer like any other, but hardened and specialized.  Components are designed to survive a catastrophic event and tell the story of what transpired.

Going offshore by helicopter to a rig or vessel demands more than a willingness to go.  The vessel operator required that I have a BOSIET with CAEBS certification to come aboard.  That stands for Basic Offshore Safety Induction Emergency Training with Compressed Air Emergency Breathing System.  It’s sixteen hours of training, half online and half onsite and hands on.  I suppose I was expected to balk, but I completed the course in Houston on Thursday.  Now, I’m the only BOSIET with CAEBS-certified lawyer forensic examiner I know (for all the good that’s likely to do me beyond this one engagement).  Still, it was a blast to train in a different discipline.

A BOSIET with CAEBS certification encompasses four units:

  1. Safety Induction
  2. Helicopter Safety and Escape Training (with CA-EBS) using a Modular Egress Training Simulator (METS)
  3. Sea Survival including Evacuation, TEMPSC, and Emergency First Aid
  4. Firefighting and Self Rescue Techniques