Computer Forensic Definitions

BIOS (Basic Input Output System) – code stored in the Read Only Memory (ROM) that is available as soon as the computer is powered on. This code tells the computer how to read information contained on the computer’s drives.

bit – Short for binary digit.  This is the smallest unit of computer data.  A bit consists of either a 0 or 1.

boot sector – A hard drive’s first sector. It contains computer start-up information as well as the partition table.

byte – Short for binary term. A unit of data that consists of a single character.  A byte consists of 8 bits.

computer forensics – pertains to imaging, extracting and analyzing data and digital storage media on computers for the purpose of gaining legal evidence.

clusters – A group of sectors used to store files and folders on a hard drive.

cylinder – A cylinder can be thought of as a cross section taken across all the platters of a hard drive at the same head position.

data culling – determining what types of files (documents, images, etc.) can be recovered from the data.

disk partition – A set of consecutive cylinders on a hard drive. A disk partition must be formatted to create a logical volume before files can be stored.

ediscovery – discovery in litigation that pertains to electronically stored information (ESI).

ESI – electronically stored information.

external network breach assessment (EBA) – Vulnerabilities that may exist between a customer’s external network and the Internet. This service simulates various electronic attack methods that could be launched against an Internet access point.

FAT – Short for File Allocation Table. With the FAT file system, it is used by the Operating System (OS) to keep track of where the files are stored on a hard drive.

file slack – This is unused space on a cluster that exists when the logical file size is less than the physical file size. When a file does not fill a full cluster, the remaining space is slack.

file system – Organization of a disk partition so that files can be stored on it.  Windows uses two common types of file systems, FAT and NTFS.

fragmented – During normal operations, when files are saved, deleted, or moved, parts of a file can be scattered in various locations on the hard drive.

internal network breach assessment (IVA) – The internal network security breach assessment can be performed in conjunction with the external test and includes an in-depth analysis of the customer’s internal network security. It is estimated that approximately 80% of security breaches occur from inside the internal network. This Network Security Breach Assessment will analyze the risks to internal devices and suggest specific hardening techniques to resolve any concerns that are identified.

IT security assessment – Identification and remediation of network vulnerabilities.

logical file space – The actual amount of space occupied by a file on a hard drive. The amount of logical file space differs from the physical file space because when a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, or previously deleted/overwritten files or fragments thereof.

logical volume – An area on the hard drive that has been formatted so that files can be stored there. A hard drive may contain a single or multiple volumes. Each volume appears as if it is a single hard drive. In Windows®, the first volume is referred to as “C:”, while subsequent letters, such as “D:”, “E:”, etc., may refer to additional volumes or may identify devices such as a CD/ROM drive.

Master Boot Record (MBR) – The first sector on a hard drive. It contains information for the computer to start up. The partition table is also located here, which describes how the hard drive is organized.

media – Refers to various devices used for storage, for example hard drives, floppy disks, and CD-ROMs.

meta data – Bits of data stored by some software or devices. This data can contain, among other things, the history of a document or image, including who has modified and/or saved it, all machines it was saved on, and names of printers it was printed on.

NTFS – Short for New Technology File System. This is a newer type of computer file system that was developed for use by Windows NT®, Windows 2000®, Windows XP®, and beyond.

page or paging file – A file located on the hard drive to temporarily store data for programs that are currently running. Some information can be left in the swap file after the programs are terminated, and is in some cases retrievable using forensic techniques. (Often referred to as a swap file)

partial file – When a file is deleted on a computer, the data is not actually erased.  The space is simply marked as available. Then when a new file is stored in that location, but does not fill as much space, the result is a partial file.  The remains will still contain bits of the old data, and can be examined through the use of forensic techniques.

partition table – Indicates each logical volume contained on a drive and its location.

penetration testing – Penetration testing is a method of probing and identifying network security vulnerabilities and the extent to which they could be exploited by a hacker.

physical disk – An actual piece of hardware, such as the hard drive, CD-ROM, etc.

platter – Platters are rotating disks located in hard drives, with a set of read/write heads on both sides of each platter.

RAM – Short for Random Access Memory.  This is memory used by programs/drivers and is lost each time the computer is turned off.

ROM – Short for Read Only Memory. Permanently stored information that is vital to the computer during start-up. ROM is permanently maintained even when the computer is turned off.

sector – The smallest area of information that can be accessed on the hard drive.

slack space – The unused space on a cluster that exists when the logical file space is less than the physical file space. Also known as file slack.

social engineering testing – Social engineering is a term that describes the non-technical intrusion into an organization that relies on human interaction, often involving tricking people in order to break normal security policies. Similar to traditional “con games” where one person is duped because they are naturally trusting, attackers will use any technique to gain unauthorized information. Social engineering techniques include everything from phone calls with urgent requests to people with administrative privileges to trojans lurking behind email messages that attempt to lure the user into opening the attachments.

swap file – A file located on the hard drive to temporarily store data for programs that are currently running. Some information can be left in the swap file after the programs are terminated, and is in some cases retrievable using forensic techniques. (Can be referred to as a page file or paging file)

unallocated space – Usually the result of a file being deleted. When a file is deleted, it is still there, just no longer accessible through normal means. The area it occupied becomes unallocated space on the drive that can be used to store new information. Until the unallocated space is used for new data, the old data remains, and in most cases can be retrieved using forensic techniques.

wireless network security assessment (WNA) – identifying insecure wireless implementations and reviewing policies and procedures, architecture, configuration, and monitoring procedures for alignment with industry best practices.


How do you get started with a digital forensic investigation?

At Powerhouse Forensics, we have digital forensics specialists available 24/7 to answer your questions and evaluate your case for free.

Regardless of your situation or concern with digital information trapped in laptops, desktops, external drives, backup tapes, cellular phones, smartphones, servers, hosted drives, or shared drives, Powerhouse Forensics has the digital forensic expertise to harvest the ESI for forensic evidence.
