Arman Gungor's Blog Litigation Support and Technology


How to Shrink SQL Database Logs

SQL database logs have the tendency to get very large if you are using SQL in full recovery mode. If you have come to a point where you are certain that you will not need point in time recovery and if you would like to reclaim the space log files are taking, you can issue the following command in SQL 2005 or before. This will truncate the transaction log and shrink the log file. For the purposes of this example, let's assume that our log file is named "Sample_log.ldf" and our database is called Sample.

DBCC SHRINKFILE(Sample_log, 1)
DBCC SHRINKFILE(Sample_log, 1)

If you are using SQL 2008, you will notice that the TRUNCATE_ONLY backup option has been discontinued. The only way I was able to find to truncate the log in SQL 2008 was to temporarily switch the database recovery model to simple, shrink the log and switch back to full recovery mode. You can accomplish this as follows:

DBCC SHRINKFILE(Sample_log, 1)

From a best practices standpoint, truncating log files is not recommended.  If you need full recovery, you should ideally invest into sufficient disk space to accommodate the log files.


Opening Older Ms Word Documents in Word 2007

We occasionally run into Word documents created with older versions of Ms Word (i.e. Word 2.0). When we attempt to open such files in Word 2007, we get an error message along the lines of: "You are attempting to open a file that was created in an earlier version of Microsoft Office. This file type is blocked from opening in this version by your registry policy setting." Here is a quick fix:

Create a new key called "FileOpenBlock" under:

Create a DWORD value under this key called "FilesBeforeVersion" and set its value to 0.

This should allow Word 2007 to open files created on older versions.


Text Split Merge 1.0 Beta

Text Split Merge 1.0 Beta

Text Split Merge 1.0 Beta

I have lately been working on a small utility for manipulating text files.  I have come to a point where most of the functionality I have been planning on implementing is there, but not yet fully tested. Feel free to give it a whirl if you would like. Here is briefly what it can do:

  • Inserts Law, Ringtail or custom page markers into single page text files.
  • Combines single-page text files into document-level text files by using a text based list of document breaks (page markers can also be inserted at the same time)
  • Identifies page breaks in document-level text files (by the page break character, a custom anchor, Law or Ringtail style page markers), inserts page markers at page breaks and splits the text file into page-level text files.
  • Accepts a text reference file (similar to an Opticon load file) and merges page-level text files by the document breaks provided in the load file  (The text reference file can be automatically validated prior to processing).
  • Supports Unicode.
  • Outputs an OCR list file.
  • Mirrors input folder structure or splits text files into subfolders.

A few words of caution:

  • While splitting a document-level text file into page-level text files, Text Split Merge assumes that there are no gaps in the bates numbering scheme as it assigns bates numbers to each individual page. It also assumes that there is no bates overlap between two document-level text files.
  • Having named your text files as their starting bates numbers is a requirement.
  • When merging page-level text files via a document break list, Text Split Merge first sorts the document breaks as well as the input files alphabetically. File names should be zero-filled properly in order for the text files to be combined in the correct order.

To Do:

  • The application needs to be tested thoroughly in different scenarios.
  • Exception handling needs to be improved.
  • Performance improvements.
  • Detailed help file.

Download Text Split Merge Beta 1.0 [36 KB]
Requires .NET Framework 3.5


Preventing Field Results from Updating in Microsoft Word

Printing a Word Document correctly can be a hassle if you have fields that update automatically during printing. Fields are codes that instruct Microsoft Word to insert text, graphics, page numbers, and other information into a document automatically. For example, the { DATE } field inserts the current date and { FILENAME \p \* MERGEFORMAT } inserts the full file path into a document. To work around this issue, you can choose to lock certain fields:

  • To lock a field so that field results are not updated, click the field, and then press CTRL+F11.
  • To unlock a field so that field results can be updated, click the field, and then press CTRL+SHIFT+F11.


Filed under: Litsupport, Software 1 Comment

Turning off the Show Repairs Dialogue Box in Microsoft Word 2007

One of the common annoyances during batch processing of Word documents is the "Show Repairs" dialogue box. While most modern e-discovery applications dismiss such dialogues successfully, you may need to disable these pop-ups one day. Here is how:

Add a new DWORD value called "BulletProofOnCorruption" under HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Options and set it to 1.

While turning this dialgoue may come in handy for batch processes, I would recommend that you leave it active on your QC stations. It is important to know that there were errors detected in the native file during QC.


IPRO eCapture de-Duplication

IPRO_logoMany of you are familiar with eCapture as an ESI processing tool. It can be frustrating at times that you have to run a data extract or processing job on discovered material to be able to identify duplicates. What if you need to run a quick report prior to processing? If you are not de-duplicating compound documents (i.e. not maintaining compound document structure), then this is fairly easy. You go to the Items table in your eCapture database and de-duplicate the documents based on the MD5Hash column.

However, if you are looking to de-duplicate on an attachment family level, you will find that the FamilyHash column is not populated until a data extract or processing job is run. This is still not a big deal as you can create family level hashes outside and run your report. However, if you need to de-duplicate against a previous job, you will have to make sure that your family hashes are calculated exactly the same way as eCapture calculates them. As of version 4, eCapture calculates family hashes by individually hashing each document, concatenating the hash values in an attachment family in ItemID order and hashing the resulting string.

For example, if your attachment family consists of files F1, F2 and F3 (in ItemID order) with MD5 hashes H1, H2 and H3 and md5() is an MD5 hash function, the family hash value will be md5(H1&H2&H3).  Once you establish a workflow to do this efficiently, I would highly recommend running your own de-duplication outside of eCapture on a previous project and verifying the results.

Another important point to consider

When eCapture calculates family hashes, it combines the hashes of every item in the attachment family. This includes extracted embedded documents if the option is selected. This has two consequences worth considering:

1- If you are de-duplicating against a previous job where embedded document extraction options were set differently (i.e. jobs have a different number of extracted embedded items), eCapture will naturally produce different family hashes for the two attachment families with different extracted embedded item counts. This will obviously prevent the same original native document group to be de-duplicated, simply because it was handled differently during the two processing sessions.

2- I have also run into cases where extracting embedded items from the same file results in extracted items that look identical but have different MD5 hashes. This will also prevent two identical e-mail families from being properly de-duplicated against each other.

Filed under: Litsupport, Software 1 Comment

USB Write Protect

USB_Write_ProtectBeing in the litigation support industry, we work with USB devices almost every day. When working with customer-furnished data, it is very critical to prevent data spoilation by using a write-blocking device. Actions as simple as plugging the hard drive into a computer running Ms Windows and taking a look around are sufficient to alter metadata.

I recommend using OS independent, hardware based write blockers. The brands that I prefer are Tableau and WiebeTech. These products act as a bridge between your computer and the device that you are working with and block write requests at a hardware level while allowing you to read from the device.

Even though these devices are fairly affordable, unfortunately not every litigation support professional has one in his/her arsenal. There are different strategies for those of you who do not have access to such hardware. One of the easiest ways of blocking write requests to USB devices on a Ms Windows computer is by changing the storage device policy in the registry. The following key, starting with Windows XP Service Pack 2, controls whether or not Windows is allowed to write to USB devices:


I made a very small utility yesterday to automate this task and make it a little bit more user friendly. It is called USB Write Protect. All it does is to check whether or not you have a compatible operating system and to allow you to toggle the registry key mentioned above. Please feel free to download it via the link below and let me know if you have any questions or concerns. Please note the following:

  • This method blocks write access to USB devices that are connected after the registry key is set. In other words, you need to make sure the device you will be working with is disconnected prior to running USB Write Protect or changing the registry key manually.
  • This method only works with Microsoft Windows XP Service Pack 2 and up.

USB HD Download USB Write Protect 1.0 [140 KB]
Requires .NET Framework 3.5


How to Disable Windows Update Restart Prompt

Windows-UpdateAfter performing automatic Windows updates, Windows starts nagging for a restart. In some cases, it even restarts your computer unless you respond to the notification and postpone the restart on time. This can obviously get very annoying if you are doing something important (for example, while performing an e-Discovery export!). I found out recently that the restart can be avoided by stopping the Windows service called "Automatic Updates" in Windows XP or "Windows Update" in Vista. You can go to the services snap-in by executing services.msc and stop the service or type the command net stop "windows update" for Windows Vista or sc stop wuauserv for Windows XP. The service will start back up next time you reboot your computer.

If you are looking for a more permanent solution, the notification schedule can be changed or it can be disabled altogether via Group Policy.

1. Click Start\Run and open the Run Window.

2. Type “gpedit.msc” to open the Group Policy

3. Click Local Computer Policy\Computer Configuration\Administrative Templates\Windows Components\Windows Update and open “Re-prompt for restart with scheduled installations”

Here you can choose to disable the notification or change its schedule to a longer period such as 24 hours.


IPRO eCapture TZVersion Errors

You may run into a Daylight Saving Time (DST) patch error in eCapture along the lines of:

System.Exception: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\TZVersion value of X does not match the ConfigurationProperties.ConfiguredTZVersion value of Y.

DST is the practice of advancing clocks by one hour in spring and adjusting them back in autumn in a way that afternoons have more day light and mornings have less. The start and end dates of DST have changed several times in the past. Recently, the Energy Policy Act (EPAct) of 2005 introduced changes to the start and end dates of DST starting in 2007.

Unless certain updates are applied to your computer, the time zone settings for your system clock may be incorrect. Additionally, inconsistent DST settings between the eCapture workers may cause inaccurate results during ESI processing. eCapture requires that all workers have the same DST patch and that it is the same version as that of the controller.

The most current DST patch available from Microsoft as of this writing is update 970653: August 2009 cumulative time zone update for Microsoft Windows operating systems and is available via

The correct way of fixing the problem above is making sure both the eCapture controller and all workers have the latest DST patch installed. The value set by the patch can be checked using a registry editor (i.e. regedit.exe) and navigating to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\TZVersion. The August 2009 update should set the TZVersion binary key to the decimal value "590080" (0x00090100 hex). Manually editing the TZVersion binary key to work around this issue is NOT recommended.


Adding Windows Vista to Windows 7 Boot Manager

I have been running an evaluation version of Windows 7 on a virtual machine for a while. This weekend, I decided to do a clean install of Windows 7 x64 RTM on an empty partition and make the switch from Windows Vista Business x86 to Windows 7 Professional x64. I chose to format the partition that contained an old Windows XP installation (dual boot with Vista) and install Windows 7 there. As expected, when the installation finished and the computer rebooted, it did not find the existing Windows Vista installation and booted straight into Windows 7. Having a few 32-bit only programs that I need for work,  I still need my Vista partition every now end then.

Windows 7

Here is what I did to bring it back:

* Determined which partition my Vista installation was at. In my case, Windows 7 and Vista are installed onto the same physical disk. The Windows 7 partition is assigned C: and Windows Vista partition is assigned F: drive letters (because of other physical disks, partitions etc.).

* Launched a command prompt with Administrator privileges.

* Ran the following commands (note that /d is to specify a description. It has nothing to do with drive letters etc.)

C:>bcdedit /copy {current} /d "Windows Vista"
The entry was successfully copied to {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}.
C:>bcdedit /set {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx} device partition=F:
The operation completed successfully.
C:>bcdedit /set {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx} osdevice partition=F:
The operation completed successfully.

The {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx} part changes from system to system. You need to copy it from the acknowledgment to the first command and re-use it for the subsequent two commands.

Filed under: Software No Comments