Computer Forensic Definitions
BIOS (Basic Input Output System) – Firmware stored in Read Only Memory (ROM, today usually a flash chip) that runs as soon as the computer is powered on. It tests and initializes the hardware, then reads the boot sector from the boot device and hands control to the code found there. Newer systems use UEFI firmware in this role.
bit – Short for binary digit. This is the smallest unit of computer data. A bit consists of either a 0 or 1.
boot sector – A hard drive's first sector (see Master Boot Record). It contains the start-up code the BIOS executes as well as the partition table. The first sector of each partition is also called a boot sector (volume boot record) and holds the code and parameters needed to load that volume's operating system.
byte – A unit of data consisting of 8 bits; one byte holds a single ASCII character. (The word is a coinage, not an abbreviation.)
computer forensics – The imaging, extraction and analysis of data from computers and digital storage media, carried out in a documented and repeatable way so that the results can serve as legal evidence.
clusters – The file system's allocation unit: a fixed-size group of contiguous sectors (commonly 4 KiB, i.e. eight 512-byte sectors) in which files and folders are stored on a hard drive. A file always occupies whole clusters, which is why file slack exists.
cylinder – A cylinder can be thought of as a cross section taken across all the platters of a hard drive at the same head position.
data culling – Reducing a collected data set to the portion worth reviewing, for example by filtering on file type (documents, images, etc.), date range or keywords, and by removing duplicates.
disk partition – A contiguous range of sectors (historically described as a set of consecutive cylinders) on a hard drive. A partition must be formatted with a file system to create a logical volume before files can be stored on it.
ediscovery – discovery in litigation that pertains to electronically stored information (ESI).
ESI – electronically stored information.
external network breach assessment (EBA) – An assessment of the vulnerabilities that may exist between a customer's external network and the Internet. The service simulates various electronic attack methods that could be launched against an Internet access point.
FAT – Short for File Allocation Table. The table a FAT file system keeps, on behalf of the Operating System (OS), to record which clusters are in use and where each file's clusters are located on the hard drive.
file slack – The unused space at the end of a file's last cluster, present whenever the logical file size is smaller than the physical file size. Because a file is allocated whole clusters, whatever occupied the remainder of that cluster before (fragments of deleted files) may survive there.
file system – Organization of a disk partition so that files can be stored on it. Windows uses two common types of file systems, FAT and NTFS.
fragmented – During normal operation, as files are saved, deleted and moved, a file's clusters may end up scattered in non-contiguous locations on the hard drive rather than in one run. Fragmentation complicates file carving, which assumes a file's data is contiguous.
internal network breach assessment (IVA) – Performed alone or in conjunction with the external test, this is an in-depth analysis of the customer's internal network security. A large share of security breaches are commonly estimated to originate from inside the internal network. The assessment analyzes the risks to internal devices and suggests specific hardening techniques to resolve any concerns that are identified.
IT security assessment – Identification and remediation of network vulnerabilities.
logical file space – The actual size of a file's data in bytes. It differs from the physical file space because when a file is created, enough whole clusters (the physical file space) are assigned to hold it. If the file's data (logical file space) does not completely fill the assigned clusters, unused space remains within the physical file space. This unused space is referred to as file slack; it may be empty or may still contain fragments of previously deleted or overwritten files.
logical volume – An area on the hard drive that has been formatted so that files can be stored there. A hard drive may contain a single or multiple volumes. Each volume appears as if it is a single hard drive. In Windows®, the first volume is referred to as “C:”, while subsequent letters, such as “D:”, “E:”, etc., may refer to additional volumes or may identify devices such as a CD/ROM drive.
Master Boot Record (MBR) – The first sector (512 bytes) on a hard drive. It contains the start-up code the BIOS executes, a partition table of four 16-byte entries describing how the drive is divided, and the two-byte signature 0x55AA. Drives partitioned with the newer GPT scheme still carry a protective MBR in this sector.
media – The various devices used for storage, for example hard drives, floppy disks and CD-ROMs.
metadata – Data about data, stored by some software or devices alongside the content. It can include, among other things, the history of a document or image: who modified or saved it, the machines it was saved on, and the names of printers it was printed on.
NTFS – Short for New Technology File System. This is a newer type of computer file system that was developed for use by Windows NT®, Windows 2000®, Windows XP®, and beyond.
page or paging file – A file located on the hard drive to temporarily store data for programs that are currently running. Some information can be left in the swap file after the programs are terminated, and in some cases retrievable using forensic techniques. (Often referred to as a swap file)
partial file – When a file is deleted, its data is not erased; its space is merely marked as available. If a new file is later stored in that location but does not fill all of the space, the result is a partial file: the remainder still holds portions of the old data, which can be examined using forensic techniques.
partition table – The table (in the MBR) that lists each partition on a drive together with its type, starting sector and length, and thus where each logical volume is located.
penetration testing – A method of probing for and identifying network security vulnerabilities and determining the extent to which an attacker could exploit them.
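The boot sector, MBR and partition table entries above describe a fixed 512-byte layout: 446 bytes of boot code, four 16-byte partition entries at offset 446, and the signature 0x55AA at offset 510. The following Python is an added example, not part of the original glossary, that parses that layout from a constructed sample sector and reports any unpartitioned regions, which is where an examiner looks for hidden data or remnants of deleted partitions. The sample MBR, the partition sizes and the disk size are all made up for the demonstration.

```python
import struct

PARTITION_TYPES = {  # a few common MBR partition type IDs
    0x05: "Extended", 0x07: "NTFS/exFAT/HPFS", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective",
}

def is_valid_mbr(sector: bytes) -> bool:
    """A 512-byte MBR ends in the signature bytes 0x55 0xAA."""
    return len(sector) >= 512 and sector[510:512] == b"\x55\xaa"

def parse_mbr(sector: bytes, sector_size: int = 512) -> list:
    """Parse the four 16-byte partition entries at offset 446 of an MBR."""
    if not is_valid_mbr(sector):
        raise ValueError("not a valid MBR: missing 0x55AA signature")
    partitions = []
    for index in range(4):
        off = 446 + 16 * index
        boot, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        if ptype == 0x00:          # empty slot
            continue
        partitions.append({
            "index": index,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start,
            "sectors": sectors,
            "lba_end": lba_start + sectors - 1,
            "size_bytes": sectors * sector_size,
        })
    return partitions

def find_gaps(partitions: list, total_sectors: int) -> list:
    """Return (start_lba, sector_count) for every region no partition claims.
    Unpartitioned space is where hidden data or deleted partitions may sit."""
    gaps = []
    cursor = 0
    for p in sorted(partitions, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - cursor))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - cursor))
    return gaps

def build_sample_mbr() -> bytes:
    """Constructed sample MBR for demonstration (not taken from any real disk)."""
    def entry(boot, ptype, lba_start, sectors):
        # CHS fields are left zeroed; tools rely on the LBA fields today.
        return struct.pack("<B3sB3sII", boot, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)
    table = (entry(0x80, 0x07, 2048, 204800)       # bootable NTFS, 100 MiB
             + entry(0x00, 0x0B, 206848, 409600)   # FAT32, 200 MiB
             + b"\x00" * 32)                      # two unused slots
    return b"\x00" * 446 + table + b"\x55\xaa"

if __name__ == "__main__":
    parts = parse_mbr(build_sample_mbr())
    for p in parts:
        print(p)
    print("unpartitioned regions:", find_gaps(parts, total_sectors=1024000))
```

To run this against a real image, pass the first 512 bytes of the image file (for example `open("disk.dd", "rb").read(512)`) to parse_mbr and the image's total sector count to find_gaps. Partition entries whose LBA range overlaps another entry, or extends past the end of the disk, are a sign of a damaged or deliberately manipulated table and should be examined rather than trusted.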
physical disk – An actual piece of hardware, such as the hard drive, CD-ROM, etc.
platter – One of the rigid rotating disks inside a hard drive; each platter has a read/write head on each of its two sides.
RAM – Short for Random Access Memory. Volatile memory used by running programs and drivers; its contents are lost each time the computer is turned off, which is why it must be captured while the machine is still running (see Memory Forensics).
ROM – Short for Read Only Memory. Permanent information stored that is vital to the computer during start-up. ROM is permanently maintained even when the computer is turned off.
sector – The smallest addressable unit of storage on a hard drive, traditionally 512 bytes; newer (Advanced Format) drives use 4096-byte sectors.
slack space – The unused space on a cluster that exists when the logical file space is less than the physical file space. Also known as file slack.
social engineering testing – Social engineering is a term that describes non-technical intrusion into an organization that relies on human interaction, often tricking people into breaking normal security policies. Much like traditional con games, where a person is duped because they are naturally trusting, attackers will use any technique to obtain unauthorized information or access. Social engineering techniques range from phone calls making urgent requests to people with administrative privileges, to trojans behind email messages that lure the user into opening the attachments. Social engineering testing reproduces such attempts, with authorization, to measure how staff respond.
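The file slack, logical file space and slack space entries all turn on the same arithmetic: a file gets whole clusters, the data fills only part of the last one, and the remainder keeps whatever was there before. The Python below is an added example (not from the original glossary) that computes the split of a file's allocation into data, RAM slack (the tail of the last written sector) and drive slack (the untouched sectors after it), and then models a write into a previously used cluster to show what an examiner can still pull out of the slack. The 4 KiB cluster, 512-byte sector and the old and new file contents are constructed for the demonstration; the zero-filling of RAM slack reflects modern Windows behaviour (older DOS-era systems padded it with RAM contents, hence the name).

```python
def cluster_usage(logical_size: int, cluster_size: int = 4096, sector_size: int = 512) -> dict:
    """Split a file's allocation into data, RAM slack and drive slack.
    RAM slack: from the end of the data to the end of its last sector.
    Drive slack: the remaining whole sectors of the last cluster."""
    if logical_size < 0 or cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    clusters = (logical_size + cluster_size - 1) // cluster_size
    physical_size = clusters * cluster_size
    ram_slack = (-logical_size) % sector_size
    file_slack = physical_size - logical_size
    return {
        "clusters": clusters,
        "physical_size": physical_size,
        "file_slack": file_slack,
        "ram_slack": ram_slack,
        "drive_slack": file_slack - ram_slack,
    }

def simulate_write(old_cluster: bytes, new_data: bytes, sector_size: int = 512) -> bytes:
    """Model what writing a short file into a previously used cluster leaves behind:
    the new data, a zero-filled RAM slack, and untouched drive slack (assumed
    modern-Windows behaviour; constructed for the demonstration)."""
    if len(new_data) > len(old_cluster):
        raise ValueError("data does not fit in one cluster")
    last_sector_end = -(-len(new_data) // sector_size) * sector_size
    buf = bytearray(old_cluster)
    buf[:len(new_data)] = new_data
    buf[len(new_data):last_sector_end] = b"\x00" * (last_sector_end - len(new_data))
    return bytes(buf)

def extract_slack(cluster: bytes, logical_size: int) -> bytes:
    """Return the bytes after the file's data in its last cluster."""
    return cluster[logical_size:]

def demo() -> dict:
    # Constructed: a 4 KiB cluster that used to hold a (now deleted) file.
    old_cluster = b"OLD_DATA" * 512
    new_file = b"new file content"          # 16 bytes
    cluster = simulate_write(old_cluster, new_file)
    slack = extract_slack(cluster, len(new_file))
    return {"usage": cluster_usage(len(new_file)), "slack": slack}

if __name__ == "__main__":
    result = demo()
    print(result["usage"])
    print("first old bytes recovered from drive slack:", result["slack"][496:520])
```

The numbers to remember: with 4 KiB clusters a 5000-byte file occupies two clusters (8192 bytes), leaving 3192 bytes of slack, of which the last 3072 bytes are whole sectors the write never touched. On a real volume the cluster size comes from the file system's boot sector, and very small NTFS files may be stored inside the MFT record itself and have no slack in a data cluster at all.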
swap file – A file located on the hard drive to temporarily store data for programs that are currently running. Some information can be left in the swap file after the programs are terminated, and in some cases, retrievable using forensic techniques. (Can be referred to as a page file or paging file)
unallocated space – Space not currently assigned to any file, usually the result of a file being deleted. The deleted file's data is still on the drive, just no longer reachable through normal means; the area it occupied becomes unallocated space that can be used to store new information. Until the unallocated space is reused, the old data remains and in most cases can be retrieved using forensic techniques.
wireless network security assessment (WNA) – Identifying insecure wireless implementations and reviewing policies and procedures, architecture, configuration and monitoring practices for alignment with industry best practices.
Digital Forensics: The use of scientific methods and techniques to identify, collect, preserve, and analyze digital evidence in order to establish facts in legal or criminal investigations.
Evidence: Any information that is used to prove or disprove a fact in a legal or criminal investigation.
Live Forensics: The process of collecting evidence from a running computer system without shutting it down, while minimizing and documenting the changes that the collection itself makes to the system's state (every action on a live system alters it to some degree).
Imaging: The process of creating an exact copy of a storage device for the purpose of preserving and analyzing its contents.
Hash Value: A fixed-length value computed from a file or other data by a cryptographic hash function such as SHA-256 (MD5 still appears in older reports but is no longer collision-resistant). Any change to the data changes the hash, so matching hashes of the source and of the image prove that the image is a faithful copy.
Encryption: The process of transforming plaintext into ciphertext using a key, so that the contents cannot be read without the corresponding key.
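Imaging, disk cloning and forensic duplication all come down to the same procedure: read every byte of the source once, write it to the image, hash the source as it is read, then hash the finished image and compare. The Python below is an added example, not part of the original glossary, that performs that procedure on a constructed 1 MiB file standing in for a physical disk, checks that the source is unchanged afterwards (what a write blocker guarantees in practice) and shows that a later one-byte change to the image is caught by re-verification. The file names and the sample contents are made up for the demonstration.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha256")   # MD5 for compatibility with older tools, SHA-256 for strength

def hash_file(path: str, algorithms=ALGORITHMS, chunk_size: int = 1 << 20) -> dict:
    """Hash a file in chunks so multi-gigabyte images do not need to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}

def image_device(source: str, image_path: str, chunk_size: int = 1 << 20) -> dict:
    """Copy every byte of `source` to `image_path`, hashing the source as it is read
    (acquisition hash), then re-hash the written image (verification hash) and compare.
    On a real case `source` would be a block device behind a write blocker."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    total = 0
    with open(source, "rb") as fin, open(image_path, "wb") as fout:
        for chunk in iter(lambda: fin.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
            fout.write(chunk)
            total += len(chunk)
        fout.flush()
        os.fsync(fout.fileno())
    acquisition = {name: h.hexdigest() for name, h in hashers.items()}
    verification = hash_file(image_path)
    return {"bytes": total, "acquisition": acquisition, "verification": verification,
            "verified": acquisition == verification}

def verify_image(image_path: str, expected: dict) -> bool:
    """Re-hash an image later (before analysis, or for court) and compare with the record."""
    return hash_file(image_path, tuple(expected)) == expected

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "evidence_disk.bin")
        image = os.path.join(tmp, "evidence_disk.dd")
        # Constructed 1 MiB stand-in for a physical disk.
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)
        before = hash_file(source)
        result = image_device(source, image)
        after = hash_file(source)            # the source must be unchanged by imaging
        with open(image, "r+b") as f:        # simulate a one-byte tamper of the copy
            f.seek(4096)
            f.write(b"\xff")
        return {"result": result,
                "source_unchanged": before == after,
                "tamper_detected": not verify_image(image, result["acquisition"])}

if __name__ == "__main__":
    out = demo()
    print(out["result"]["acquisition"])
    print("verified:", out["result"]["verified"], "tamper detected:", out["tamper_detected"])
```

Record both hashes, the byte count, the tool, the time and the examiner in the case notes; that record is what the chain of custody refers to when the image is handed on.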
Recovery: The process of restoring data or files that have been lost, deleted or damaged.
Network Forensics: The process of collecting, analyzing, and preserving network traffic and other data for the purpose of investigating network-related incidents.
Mobile Forensics: The process of collecting, analyzing, and preserving data from mobile devices for the purpose of investigating mobile-related incidents.
Cloud Forensics: The process of collecting, analyzing, and preserving data from cloud-based systems and services for the purpose of investigating cloud-related incidents.
Malware: A type of malicious software that is designed to harm or exploit a computer system or network.
Digital Evidence: Any information that is stored or transmitted electronically that can be used in legal or criminal investigations.
Chain of Custody: The chronological documentation or paper trail that records the sequence of custody, control, transfer, analysis, and disposition of physical or electronic evidence.
File Carving: The process of recovering files from unallocated space or slack space on a storage device by recognizing their header and footer byte patterns, without relying on file system metadata (which for a deleted file may already be gone).
Live Response: The process of collecting and analyzing data from a live system in real-time, with the goal of identifying and containing an ongoing incident.
Timestamp Analysis: The process of analyzing the timestamps of files and other data in order to establish a chronology of events or to identify inconsistencies.
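Timestamp analysis is easiest to see on a small set of records. The Python below is an added example, not from the original glossary, that runs a few standard consistency checks over constructed NTFS-style records: a modified time earlier than the created time, timestamps later than the acquisition time, a $STANDARD_INFORMATION created time earlier than the $FILE_NAME created time (the classic timestomping tell, since ordinary APIs change the former but not the latter), and a heuristic for whole-second $SI times that is labelled as an assumption in the code. The records, file names and acquisition time are all made up for the demonstration.

```python
from datetime import datetime, timezone

def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)

# Constructed records modelled on NTFS: $STANDARD_INFORMATION (si_*) timestamps,
# which ordinary APIs can change, and the $FILE_NAME created time (fn_created),
# which they normally cannot.
SAMPLE_RECORDS = [
    {"name": "report.docx", "si_created": utc(2023, 3, 1, 10, 0, 0, 123456),
     "si_modified": utc(2023, 3, 2, 11, 0, 0, 654321), "si_accessed": utc(2023, 3, 3, 9, 15, 0, 1),
     "fn_created": utc(2023, 3, 1, 10, 0, 0, 123456)},
    {"name": "invoice.pdf", "si_created": utc(2023, 5, 10, 9, 0, 0, 500000),
     "si_modified": utc(2023, 1, 5, 8, 0, 0, 250000), "si_accessed": utc(2023, 5, 10, 9, 0, 0, 500000),
     "fn_created": utc(2023, 5, 10, 9, 0, 0, 500000)},
    {"name": "payload.exe", "si_created": utc(2019, 1, 1, 0, 0, 0),
     "si_modified": utc(2019, 1, 1, 0, 0, 0), "si_accessed": utc(2019, 1, 1, 0, 0, 0),
     "fn_created": utc(2023, 6, 15, 14, 22, 10, 998877)},
    {"name": "notes.txt", "si_created": utc(2023, 6, 1, 10, 0, 0, 100000),
     "si_modified": utc(2023, 6, 21, 8, 0, 0, 300000), "si_accessed": utc(2023, 6, 1, 10, 0, 0, 100000),
     "fn_created": utc(2023, 6, 1, 10, 0, 0, 100000)},
]
ACQUIRED_AT = utc(2023, 6, 20, 12, 0, 0)   # constructed acquisition time

def check_timestamps(records, acquired_at):
    """Return (file name, explanation) for each timestamp inconsistency found."""
    findings = []
    for r in records:
        name = r["name"]
        si = {"created": r["si_created"], "modified": r["si_modified"], "accessed": r["si_accessed"]}
        fn_created = r.get("fn_created")
        if si["modified"] < si["created"]:
            findings.append((name, "modified before created: file was copied/moved, or times were altered"))
        for label, ts in si.items():
            if ts > acquired_at:
                findings.append((name, f"{label} time is after the acquisition time"))
        if fn_created is not None and si["created"] < fn_created:
            findings.append((name, "$STANDARD_INFORMATION created precedes $FILE_NAME created: possible timestomping"))
        # Heuristic (assumption): common timestomping tools write whole seconds, so
        # all-zero sub-second parts on $SI while $FN keeps precision deserves a closer look.
        if (fn_created is not None and fn_created.microsecond != 0
                and all(ts.microsecond == 0 for ts in si.values())):
            findings.append((name, "all $SI times have zero sub-second part while $FN does not: possible timestomping"))
    return findings

def build_timeline(records):
    """Flatten every timestamp into one chronologically sorted list of events."""
    events = []
    for r in records:
        for key in ("si_created", "si_modified", "si_accessed"):
            events.append((r[key], r["name"], key))
    return sorted(events)

if __name__ == "__main__":
    for name, why in check_timestamps(SAMPLE_RECORDS, ACQUIRED_AT):
        print(f"{name}: {why}")
    for when, name, key in build_timeline(SAMPLE_RECORDS)[:5]:
        print(when.isoformat(), name, key)
```

None of these checks is proof on its own: a modified time before the created time is normal for a file copied from elsewhere, and whole-second timestamps also occur on files that came from FAT media. The point of the pass is to produce a short list of files that need a closer look alongside other artifacts (USN journal, $LogFile, prefetch).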
File System Analysis: The process of analyzing the structure and contents of a file system in order to identify deleted, hidden or malicious files.
Memory Forensics: The process of analyzing the contents of a computer's volatile memory in order to identify and extract information about running processes, network connections, and other activity.
Steganography: The process of hiding data within other data, such as hiding a message within an image.
Digital Signature: A value computed over a message with the signer's private key and checked with the matching public key. A valid signature shows that the message came from the holder of the private key and has not been altered since it was signed, which is how it authenticates both the sender and the integrity of the document.
Disk Cloning: The process of creating an exact copy of a storage device, including its contents and file system structure.
Reverse Engineering: The process of analyzing and understanding the internal workings of a software program or hardware device in order to identify vulnerabilities or to replicate its functionality.
Forensics Report: A document that summarizes the findings of a digital forensics investigation and includes details about the methods and techniques used, the evidence collected, and the conclusions reached.
Cybercrime: Criminal activities that involve the use of computer networks or technology.
E-Discovery: The process of identifying, collecting, and preserving electronic evidence in the context of civil litigation.
Remote Forensics: The process of collecting and analyzing digital evidence from a remote location, such as a remote server or cloud-based system.
Cloud-to-Cloud Forensics: The process of collecting and analyzing digital evidence from one cloud-based system or service to another.
Internet of Things (IoT) Forensics: The process of collecting and analyzing digital evidence from IoT devices such as smart home devices, wearables and other connected devices.
Artificial Intelligence Forensics: The process of using artificial intelligence and machine learning techniques to analyze and extract information from digital evidence in a forensic investigation.
Virtual Machine Forensics: The process of collecting and analyzing digital evidence from virtualized environments such as virtual machines, virtual desktop infrastructure and virtual servers.
Database Forensics: The process of collecting and analyzing digital evidence from databases, including both structured and unstructured data.
Cloud Forensics Preservation: The process of preserving digital evidence in a cloud-based environment in order to maintain its integrity and authenticity for later analysis.
File System Forensics: The process of analyzing the structure, contents and metadata of a file system in order to identify deleted, hidden or malicious files.
Memory Dump Analysis: The process of analyzing the contents of a memory dump, which is a snapshot of the contents of a computer's volatile memory, in order to identify running processes, network connections, and other activity.
Data Carving: The process of extracting specific types of data, such as images or documents, from unallocated space or slack space on a storage device.
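File carving and data carving both work the way the two entries describe: scan the raw bytes for a known header, then for the matching footer, and cut out what lies between, with no help from the file system. The Python below is an added example, not from the original glossary, that carves JPEG and PNG files out of a constructed stretch of unallocated space. The sample files use the real magic bytes of those formats but dummy bodies, and the third one has its footer overwritten, so the carver reports it as incomplete instead of swallowing everything up to the end of the blob. The size caps per file type are assumptions chosen for the demonstration.

```python
# Header, footer and a size cap per file type; the cap stops a file whose footer
# has been overwritten from being carved out to the end of the drive.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
}

def carve(blob: bytes, signatures=SIGNATURES) -> list:
    """Header/footer carving over raw bytes (unallocated or slack space).
    Returns dicts sorted by offset; files without a footer are reported as incomplete."""
    found = []
    for kind, (header, footer, max_len) in signatures.items():
        pos = 0
        while True:
            start = blob.find(header, pos)
            if start < 0:
                break
            limit = min(len(blob), start + max_len)
            end = blob.find(footer, start + len(header), limit)
            if end < 0:
                found.append({"type": kind, "offset": start, "data": None, "complete": False})
                pos = start + len(header)
            else:
                end += len(footer)
                found.append({"type": kind, "offset": start, "data": blob[start:end], "complete": True})
                pos = end
    return sorted(found, key=lambda f: f["offset"])

# Constructed minimal files: real magic bytes, dummy bodies.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 200 + b"\xff\xd9"
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4
              + b"\x00\x00\x00\x00IEND\xaeB`\x82")
TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"B" * 50      # header only, footer overwritten

def build_sample_unallocated() -> bytes:
    """Constructed stand-in for a region of unallocated space."""
    filler = bytes(range(256))   # contains none of the signatures above
    return (filler * 4 + SAMPLE_JPEG + filler * 2 + SAMPLE_PNG
            + filler + TRUNCATED_JPEG + filler)

if __name__ == "__main__":
    for hit in carve(build_sample_unallocated()):
        size = len(hit["data"]) if hit["data"] else 0
        print(f'{hit["type"]} at offset {hit["offset"]}: complete={hit["complete"]} size={size}')
```

Two caveats a practitioner will recognise. First, header/footer carving assumes the file is contiguous; a fragmented file yields garbage past the first fragment, and a header whose own footer is gone will happily pair with the footer of the next file of the same type. Second, for formats with internal structure (PNG chunks, JPEG markers, ZIP central directories) carving by parsing that structure, rather than searching for a footer, gives far fewer false positives.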
Forensic Duplication: The process of creating an exact copy of a storage device or other digital evidence in order to preserve its contents for analysis without altering the original evidence.
Live Data Collection: See Live Response.