Glossary
advanced forensics format (AFF): An open source file format developed by Simson
Garfinkel and supported by Autopsy and The Sleuth Kit forensics software.
allocation block: A unit of space that is typically 512 bytes for a hard drive.
android manifest file: A file that contains the application’s package name, its functionality, its
permissions, and the hardware and software requirements for installation.
antiforensics: A set of techniques used to fight against forensics analysis. It tries to stop and
mislead investigations by making acquiring and analyzing digital evidence difficult or even
impossible. Antiforensics techniques aim to destroy or conceal digital evidence, thus
frustrating forensic investigators and increasing the time needed to perform the initial
analysis.
best evidence rule: This rule states that secondary evidence, or a copy, is inadmissible in
court when the original exists.
binary: Computers store data in binary format, which is the base-2 numeral system
represented by 1s and 0s.
bitlocker: An encryption tool that was introduced with the Ultimate and Enterprise editions
of Microsoft Windows Vista, which allows for encryption at the file,
bit-stream imaging tool: A tool that produces a bit-for-bit copy of original media, including
files marked for deletion.
bootloader: A program that automatically runs when a device is powered on and engages
the operating system.
brute-force attack: An attack that involves checking all possible keys to decrypt data.
chain of custody: Documentation of each person who has been in contact with evidence,
from its seizure, to its investigation, to its submission to court. Proper chain of custody
must declare clearly how digital evidence was discovered, acquired, transported,
investigated (analyzed), preserved, and handled between different parties involved in the
investigation.
compactflash: A memory card that was first developed by SanDisk for use in portable
electronics such as digital cameras.
computer forensics: This is the oldest type of digital forensics; it is concerned with
investigating digital evidence found on desktop computers, laptops, and digital storage
devices.
computer systems incident response team (CSIRT): A unit within an organisation that is
responsible for providing support for investigations that require skilled computer forensics
examinations.
cookie: A text file sent from a web server to a client computer for the purposes of
identification and authentication.
covert investigation: A process used to acquire information without an individual or a
suspect knowing the true identity of the investigator.
cryptanalysis: The process of attempting to target weaknesses in protocols and
cryptographic algorithms to try to break a system or gain access to data.
cybercrime: In a nutshell, cybercrime includes any illegal activity committed using a type of
computing device or computer networks such as the Internet.
data fork: In an older Macintosh file system, the part of a file that consists of the file’s actual data.
data or file carving: Data carving is an advanced type of data recovery, usually used in
digital forensic investigations to extract a particular file (using the file’s header and footer
information) from unallocated space (raw data) without the assistance of any file system
structure (e.g., the MFT).
data protection: A feature developed by Apple to keep all files encrypted in flash memory
while allowing the user to receive phone calls, text messages, and emails when the device is
locked.
dd: A UNIX command that produces a raw data image of a storage medium, such as a hard
drive or magnetic tape, in a forensically sound manner.
dictionary attack: A type of attack that involves using a predetermined list of words to
decrypt data or authenticate a user.
digital forensics: A branch of forensic science that uses scientific knowledge, methodology,
and rigor to aid the solving of crimes and incidents by collecting, analyzing, and presenting
digital evidence to use in remedial action or a court of law. The primary goal of digital
forensics is to perform a structured investigation of digital evidence and prepare this
evidence for presentation in a court of law.
disk clone: An exact copy of a hard drive that can be used as a backup for a hard drive
because it is bootable, just like the original.
disk image: A file or a group of files that contain bit-for-bit copies of a hard drive but cannot
be used for booting a computer or other operations.
dynamic IP address: An IP address assigned by an Internet service provider (ISP) each time
one of its clients connects to the Internet.
dynamic link library (DLL) files: Windows system files that contain procedures and drivers
that are executed by a program.
ediscovery: The recovery of digitally stored data for the purposes of litigation.
electronically stored information (ESI): Digitally stored information, including email, Word
documents, spreadsheets, databases, and any other types of digitally.
evidence container: Collected storage media that contain original digital evidence (such as
HDDs, SSDs, flash drives, SD cards, smartphones, tablets, CDs/DVDs) must be stored in a secure
locked room within a safe, closed cabinet. The cabinets in the evidence storage room must
protect against fire and flood, and must withstand the collapse of the lab as a result of an
earthquake; the cabinet must also protect the contents from electromagnetic emanations to
avoid damaging seized equipment.
evidence locker: A metal cabinet with individual compartments that can be locked
individually.
exclusionary rule: States that evidence seized and examined without a warrant or in
violation of an individual’s constitutional rights will often be inadmissible as evidence in
court in a criminal case.
exculpatory evidence: Evidence used to prove the innocence of a defendant.
file carving: The process of identifying a file by certain characteristics, like a file header or
footer, rather than by the file extension or metadata.
file format identification: Signature analysis is a process in which file headers and
extensions are compared against a known database of file headers and extensions to discover
whether an attempt has been made to conceal the original file type (changing the file extension
to something else to hide the file from the investigators’ eyes). Each file type under
Windows has a unique signature, usually stored in the first 20 bytes of the file. We can
check the original file signature of any file by examining it with Notepad or with a
hex editor.
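The two entries above (data or file carving, and file format identification) in working code, as an added example that is not from the book: it checks a file’s header signature against its claimed extension and carves header/footer-bracketed files out of a block of raw bytes. The signature table holds the standard magic bytes for four common types, and the sample "unallocated space" buffer is constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Header and footer signatures per file type (footer None = no fixed trailer).
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes]]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
    "zip": (b"PK\x03\x04", None),
}


def identify(data: bytes) -> Optional[str]:
    """Return the type whose header signature matches the first bytes of data."""
    for name, (header, _footer) in SIGNATURES.items():
        if data[: len(header)] == header:
            return name
    return None  # header not in the table: unknown type


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the header identifies one type but the extension claims another."""
    actual = identify(data)
    claimed = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if claimed == "jpeg":
        claimed = "jpg"  # treat the two JPEG extensions as the same type
    return actual is not None and actual != claimed


def carve(raw: bytes) -> List[Tuple[str, int, int]]:
    """Find (type, start, end) for every header..footer span in raw bytes,
    without consulting any file system structure."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        if footer is None:
            continue  # no trailer to bound the file; skip in this simple carver
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header))
            if end == -1:
                break  # header without a footer: truncated file, not carved
            end += len(footer)
            found.append((name, pos, end))
            pos = raw.find(header, end)
    return sorted(found, key=lambda t: t[1])


# Constructed sample: a small JPEG and a small PDF separated by zeroed filler.
SAMPLE_RAW = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIF-DATA\xff\xd9" + b"\x00" * 8
              + b"%PDF-1.4 body%%EOF" + b"\x00" * 16)
```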
file metadata: Information about a file that can include the creation, modified, and last
access dates, and also the user who created the file.
file structure: Digital files are composed of a sequence of bits: each file type has a particular
encoding scheme that describes how information is stored within this file.
file systems: File systems provide a mechanism (logical construction map) for the
operating system to keep track of files in a partition.
firewall: Software or hardware mechanism used to inspect data packets on a network and
determine, based on a set of rules, whether each packet should be allowed through.
hearsay: A statement other than one made by the declarant while testifying at the trial or
hearing, offered in evidence to prove the truth of the matter asserted.
hexadecimal (Base-16): Also known as Hex, this numbering system uses 16 digits or
symbols to represent its values. It contains the following numbers and letters: 0, 1, 2, 3, 4, 5,
6, 7, 8, 9, A, B, C, D, E, F.
hierarchical file system (HFS): A file system that was developed by Apple in 1985 to
support its hard disk drive.
host protected area (HPA): The region on a hard disk that often contains code associated
with the BIOS for booting and recovery purposes.
hosts file: A text file found on Windows that maps hostnames to IP addresses.
keybags: The area on a disk that stores encryption information for an Apple Macintosh or
iOS device, including the encryption keys.
lossless compression: A process that eliminates unneeded data from a file without loss of
the original data.
lossy compression: A process that makes a picture smaller, with some image quality
compromise and loss of data.
media partition: The data partition on an iOS device; contains both user data and some
system files.
metadata: Metadata is data about data. Most digital file types have metadata associated
with them.
mobile forensics: Mobile forensics is a type of digital forensics concerned with acquiring
digital evidence from mobile devices.
multimediacard: Storage memory that was developed by Siemens AG and SanDisk for use
in portable devices such as cameras.
network address translation (NAT): A protocol that allows multiple network devices on a
network to share a single IP address.
network forensics: This type of digital forensics is concerned with monitoring and
analyzing traffic flow in computer networks to extract incriminating evidence (e.g.,
discovering the source of security attacks) or to detect intrusions.
online proxy: A computer used to mask a user’s identity so that a third party cannot
recognize the IP address of the originating communication.
password cracking: It is almost certain that all digital forensics examiners will come across
encrypted files/ volumes during their investigative work. When there is no way to acquire
the needed key to decrypt subject data, using password cracking tools becomes the last
hope to acquire something useful out of suspect encrypted data.
pcap (packet capture) file: A wireless packet that contains user data and network data
related to the sender and receiver of that data.
persistent cookie: A text file identifying an Internet user that is sent to the browser and
then stored on a client computer.
prefetch: A folder in the Windows system folder that contains files used in the boot process
and also files regularly opened by other programs.
random access memory (RAM): Volatile memory that is used for processes that are
currently running on a computer.
raw format: The most used file format, Raw format is a bit-by-bit copy of the raw data of
the drive under investigation, and it can be used to image either the complete drive or a
single volume (partition) within it. Raw file format’s main advantages lie in its ability to
ignore minor read errors from the source drive in addition to its fast data transfer. Raw
format cannot store metadata within it.
resource fork: In an older Mac file system, the part of a file that consists of the file metadata
and associated application information.
root partition: The first partition in an iOS device, which contains the operating system.
search and seizure: Law enforcement officers need a search warrant to search and seize
digital devices.
search warrant: This is the most powerful search and seizure procedure; investigators use
this when there is a high probability that informing the subject person (e.g., when he is the
owner of the digital device or is involved with the suspect) will result in destroying digital
evidence.
secure digital card: A file storage device that was developed for use in portable electronics
such as cameras.
serial ata: An interface that connects devices such as hard disk drives to host bus adapters.
session cookie: A text file sent to a browser and stored on a computer in order to identify
and authenticate an Internet user. It is removed when the user’s browser is closed.
small computer system interface (SCSI): A protocol for both the physical connection of
devices and the transfer of data.
steganalysis: The process of identifying the use of steganography in a file and extracting the
concealed data.
steganography: The process of concealing data, like an image or a file or a message within a
file.
subpoena: When you do not have a permit from the device owner to search and seize
digital equipment related to the case at hand, you can ask to have a court order or a permit.
tor: Free open source software and an open network that enables a user to surf the Internet
with anonymity.
uninterruptible power supply (UPS): A power supply containing a battery that maintains
power in the event of a power outage.
virtual machine: A computer running software that allows for an instance of an operating
system, or multiple operating systems, without making any changes to the user’s computer.
volatile memory: Memory that keeps information only for a short time; it needs
power to retain data.
wear-leveling: The process by which areas of a storage medium become unusable over
time.
web server: Delivers HTML documents and related resources in response to client
computer requests.
workstation: A work surface that is used to prepare hardware devices for investigative
analysis.
write-blocker: A hardware device that allows an individual to read data from a device such
as a hard drive without writing to that device.
zero-day exploit: A security vulnerability that is a threat on the day that it is discovered
because a software patch, to fix the exploit, does not yet exist.