Using DeNist during eDiscovery

One of the often overlooked features available in the eDiscovery module of Gimmal Discover is the ability to automatically DeNIST a search result set. The National Institute of Standards and Technology (NIST.gov) has a sub-project called the National Software Reference Library, which collects a master list of known, traceable computer applications. The DeNISTing process uses this list to identify computer files known to be unimportant system files and remove them.

Discover’s DeNIST feature uses something called an “MD5 Hash Value” to identify files that are included on the NIST list and should be removed from the collection. The hash value of a file is like a digital fingerprint – every unique file will also have a unique hash value. This number allows Discover to identify the unnecessary files by comparing them to the NIST list. The hash value is calculated using the MD5 algorithm, hence the name “MD5 Hash Value.”

To implement Discover’s DeNIST feature, create a new eDiscovery search, scroll down to the area labeled as Search Default Options then check the box beside the DeNIST label on the screen.

Enabling the option shown in the screenshot above will compare the hash value of each item in the search results set against the latest reference data set provided by NIST. Any result with a hash value found in the NIST list will automatically be removed from the search results.

DeNISTing is an extremely valuable option, especially when performing a search on an endpoint such as a custodian’s workstation. Over time, these endpoints accumulate junk files as well as the core system files necessary for a computer to operate. Using DeNIST will remove this noise from your search collection and speed up the review process by ensuring you’re not wasting time filtering out all the .exe and .dll files resident on a PC.