Glossary

The document provides definitions for over 100 terms related to digital forensics and cybersecurity. It includes explanations of technical terms like advanced forensics format, advanced persistent threat, allocation block, and android manifest file.

Glossary:

advanced forensics format (AFF): An open source file format developed by Simson
Garfinkel and supported by Autopsy and The Sleuth Kit forensics software.

advanced persistent threat (APT): A sophisticated, relentless, coordinated attack on a
computer network, with the goal of stealing intellectual property.

allocation block: A unit of space that is typically 512 bytes for a hard drive.

android manifest file: A file that contains the application’s package name, its functionality,
permissions, hardware and software requirements for installation.

anti-forensics: A concerted effort to manipulate files on a system to cover up a hacker’s
activity.

antiforensics: A set of techniques used to fight against forensics analysis. It tries to stop and
mislead investigations by making acquiring and analyzing digital evidence difficult or even
impossible. Antiforensics techniques aim to destroy or conceal digital evidence, thus
frustrating forensic investigators and increasing the time needed to perform the initial
analysis.

application programming interface (API): A computer program that facilitates the
interaction between two computer applications or programs.

best evidence rule: This rule states that secondary evidence, or a copy, is inadmissible in
court when the original exists.

binary: Computers store data in binary format, which is the base-2 numeral system
represented by 1’s and 0’s.

bitlocker: An encryption tool that was introduced with the Ultimate and Enterprise editions
of Microsoft Windows Vista, which allows for encryption at the file,

bit-stream imaging tool: A tool that produces a bit-for-bit copy of original media, including
files marked for deletion.

bootloader: A program that automatically runs when a device is powered on and engages
the operating system.

brute-force attack: An attack that involves checking all possible keys to decrypt data.

chain of custody: Documentation of each person who has been in contact with evidence,
from its seizure, to its investigation, to its submission to court. Proper chain of custody
must declare clearly how digital evidence was discovered, acquired, transported,
investigated (analyzed), preserved, and handled between different parties involved in the
investigation.

client computer: A computer that requests a resource from a server computer.

compactflash: A memory card that was first developed by SanDisk for use in portable
electronics such as digital cameras.

computer forensics: This is the oldest type of digital forensics; it is concerned with
investigating digital evidence found on desktop computers, on laptops, on digital storage
devices.

computer systems incident response team (CSIRT): A unit within an organisation that is
responsible for providing support for investigations that require skilled computer forensics
examinations.

cookie: A text file sent from a web server to a client computer for the purposes of
identification and authentication.

covert investigation: A process used to acquire information without an individual or a
suspect knowing the true identity of the investigator.

cryptanalysis: The process of attempting to target weaknesses in protocols and
cryptographic algorithms to try to break a system or gain access to data.

cybercrime: In a nutshell, cybercrime includes any illegal activity committed using a type of
computing device or computer networks such as the Internet.

cyber-security: Prevention of unauthorized access to computers and their associated
resources.

data fork: Part of files from older Macintosh file system that consist of data.

data or file carving: Data carving is an advanced type of data recovery, usually used in
digital forensic investigations to extract a particular file (using file’s header and footer
information) from unallocated space (raw data) without the assistance of any file system
structure (e.g., MFT).

data protection: A feature developed by Apple to keep all files encrypted in flash memory
while allowing the user to receive phone calls, text messages, and emails when the device is
locked.

dd: A UNIX command that produces a raw data image of a storage medium, such as a hard
drive or magnetic tape, in a forensically sound manner.

dictionary attack: A type of attack that involves using a predetermined list of words to
decrypt data or authenticate a user.

digital forensics: A branch of forensic science that uses scientific knowledge, methodology,
and rigor to aid the solving of crimes and incidents by collecting, analyzing, and presenting
digital evidence to use in remedial action or a court of law. The primary goal of digital
forensics is to perform a structured investigation of digital evidence and prepare this
evidence for presentation in a court of law.

disk clone: An exact copy of a hard drive that can be used as a backup for a hard drive
because it is bootable, just like the original.

disk image: A file or a group of files that contain bit-for-bit copies of a hard drive but cannot
be used for booting a computer or other operations.

dynamic IP address: An IP address assigned by an Internet service provider (ISP) each time
one of its clients connects to the Internet.

dynamic link library (DLL) files: Windows system files that contain procedures and drivers
that are executed by a program.

ediscovery: The recovery of digitally stored data for the purposes of litigation.

electronically stored information (ESI): Digitally stored information, including email, Word
documents, spreadsheets, databases, and any other types of digitally.

encryption: The process of scrambling plaintext into an unreadable format using a
mathematical formula, thus making it unreadable for unintended recipients.

evidence container: Collected storage media that contain original digital evidence (like
HDD, SSD, flash drive, SD cards, smartphone, tablets, CD/DVD) must be stored in a secure
locked room within a safe closed cabinet. The cabinets in the evidence storage room must
protect against fire and flood, and must withstand if the lab collapses as a result of an
earthquake; the cabinet must also protect the contents from electromagnetic emanations to
avoid damaging seized equipment.

evidence locker: A metal cabinet with individual compartments that can be locked
individually.

exclusionary rule: States that evidence seized and examined without a warrant or in
violation of an individual’s constitutional rights will often be inadmissible as evidence in
court in a criminal case.

exculpatory evidence: Evidence used to prove the innocence of a defendant.

exigent circumstances: A set of conditions that allow agents to conduct a warrantless
search in an emergency situation when there is risk of harm to an individual or risk of the
possible destruction of evidence.

file carving: The process of identifying a file by certain characteristics, like a file header or
footer, rather than by the file extension or metadata.

file format identification: A signature analysis is a process where file headers and
extensions are compared with a known database of file headers and extensions to discover
whether an attempt to conceal original file type has been made (changing the file extension
to something else to hide it from the investigators’ eyes). Each file type under Windows has
a unique signature, usually stored in the first 20 bytes of the file. We can check the
original file signature of any file by examining it with Notepad or with a hex editor.

file metadata: Information about a file that can include the creation, modified, and last
access dates, and also the user who created the file.

file structure: Digital files are composed of a sequence of bits: each file type has a particular
encoding scheme that describes how information is stored within this file.

file systems: File systems provide a mechanism (logical construction map) for the
operating system to keep track of files in a partition.

firewall: Software or hardware mechanism used to inspect data packets on a network and
determine, based on a set of rules, whether each packet should be allowed through.

firewire: A serial bus interface standard for high-speed data transfer.

firmware: Programs that control electronic devices like hard disk drives, game consoles, or
mobile telephones.

flasher box: A device used to make a physical dump of a cellphone.

forensics readiness: Forensics readiness is about the ability of a particular organization to
collect, preserve, protect, and analyze digital evidence in a forensically sound manner.

forensics: Suitable for a court of law.

hearsay: A statement other than one made by the declarant while testifying at the trial or
hearing, offered in evidence to prove the truth of the matter asserted.

hexadecimal (Base-16): Also known as Hex, this numbering system uses 16 digits or
symbols to represent its values. It contains the following numbers and letters: 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, A, B, C, D, E, F.

hierarchical file system (HFS): A file system that was developed by Apple in 1985 to
support its hard disk drive.

host protected area (HPA): The region on a hard disk that often contains code associated
with the BIOS for booting and recovery purposes.

hosts file: A text file found on Windows that maps hostnames to IP addresses.

inculpatory evidence: Incriminating evidence often used to convict a criminal.

index.dat: A collection of files generated by Microsoft Internet Explorer that contains
websites visited and Internet searches.

indicators of compromise (IOC): Hallmarks of an APT attack.

integrated drive electronics (IDE): A drive interface, largely based on IBM PC standards, for
devices such as hard disk drives, tape drives, and optical drives.

internet protocol (IP) address: A 32-bit or 128-bit number that uniquely identifies a host
on the Internet.

ip address: An IP address is a unique address that distinguishes a computing device when
connected to the IP network.

keybags: The area on a disk that stores encryption information for an Apple Macintosh or
iOS device, including the encryption keys.

lossless compression: A process that eliminates unneeded data from a file without loss of
the original data.

lossy compression: A process that makes a picture smaller, with some image quality
compromise and loss of data.

media partition: The data partition on an iOS device; contains both user data and some
system files.

metadata: Metadata is data about data. Most digital file types have metadata associated
with them.

mobile forensics: Mobile forensics is a type of digital forensics concerned with acquiring
digital evidence from mobile devices.

multimediacard: Storage memory that was developed by Siemens AG and SanDisk for use
in portable devices such as cameras.

network address translation (NAT): A protocol that allows multiple network devices on a
network to share a single IP address.

network forensics: This type of digital forensics is concerned with monitoring and
analyzing traffic flow in computer networks to extract incriminating evidence (e.g.,
discovering the source of security attacks) or to detect intrusions.

online proxy: A computer used to mask a user’s identity so that the third party cannot
recognize the IP address of the originating communication.

packet sniffers: Used to capture data packets on a wireless or wired network.

packet: A block of data transmitted across a network.

password cracking: It is almost certain that all digital forensics examiners will come across
encrypted files/ volumes during their investigative work. When there is no way to acquire
the needed key to decrypt subject data, using password cracking tools becomes the last
hope to acquire something useful out of suspect encrypted data.

pcap (packet capture) file: A wireless packet that contains user data and network data
related to the sender and receiver of that data.

persistent cookie: A text file identifying an Internet user that is sent to the browser and
then stored on a client computer.

port: Communication channel that is specific to a running process or application on a
computer.

prefetch: A folder in the Windows system folder that contains files used in the boot process
and also files regularly opened by other programs.

protocol analyzer: Used to analyze and interpret traffic over a network.

proxy server: A computer that relays a request for a client to a server computer.

raid (Redundant Array of Independent Disks): Two or more disks used in conjunction with
one another to provide increased performance and reliability through redundancy.

random access memory (RAM): Often referred to as short-term memory or volatile
memory because its contents largely disappear when the computer is powered down. A
user’s current activity and processes, including Internet activity, are stored in RAM.

random access memory (RAM): Volatile memory that is used for processes that are
currently running on a computer.

raw format: The most used file format, Raw format is a bit-by-bit copy of the raw data of
the drive under investigation, and it can be used to image either the complete drive or a
single volume (partition) within it. Raw file format’s main advantages lie in its ability to
ignore minor read errors from the source drive in addition to its fast data transfer. Raw
format cannot store metadata within it.

resource fork: In an older Mac file system, the part of a file that consists of the file metadata
and associated application information.

root partition: The first partition in an iOS device, which contains the operating system.

search and seizure: Law enforcement officers need a search warrant to search and seize
digital devices.

search warrant: This is the most powerful search and seizure procedure; investigators use
this when there is a high probability that informing the subject person (e.g., when he is the
owner of the digital device or is involved with the suspect) will result in destroying digital
evidence.

secure digital card: A file storage device that was developed for use in portable electronics
such as cameras.

serial ata: An interface that connects devices such as hard disk drives to host bus adapters.

session cookie: A text file sent to a browser and stored on a computer in order to identify
and authenticate an Internet user. It is removed when the user’s browser is closed.

small computer system interface (SCSI): A protocol for both the physical connection of
devices and the transfer of data.

solid state drive (SSD): A non-volatile storage device found in computers.

spoliation of evidence: Hiding, altering, or destroying evidence related to an investigation.

steganalysis: The process of identifying the use of steganography in a file and extracting the
concealed data.

steganography: The process of concealing data, like an image or a file or a message within a
file.

subpoena: When you do not have a permit from the device owner to search and seize
digital equipment related to the case at hand, you can ask to have a court order or a permit.

tor: Free open source software and an open network that enables a user to surf the Internet
with anonymity.

uninterruptible power supply (UPS): A power supply containing a battery that maintains
power in the event of a power outage.

virtual machine: A computer running software that allows for an instance of an operating
system, or multiple operating systems, without making any changes to the user’s computer.

volatile memory: Volatile memory keeps information for a short time; actually, it needs
power to retain data.

wear-leveling: The process by which areas of a storage medium become unusable over
time.

web server: Delivers HTML documents and related resources in response to client
computer requests.

workstation: A work surface that is used to prepare hardware devices for investigative
analysis.

write-blocker: A hardware device that allows an individual to read data from a device such
as a hard drive without writing to that device.

zero-day exploit: A security vulnerability that is a threat on the day that it is discovered
because a software patch, to fix the exploit, does not yet exist.
