Which File System is Best for Mac Forensic Imaging?
HFS+ and APFS vs exFAT and NTFS: Which File System is Best for Mac Forensic Imaging? When it comes to selecting the destination drive format for Mac forensic imaging, there ...
A Driver
A group of files that enable one or more hardware devices to communicate with the computer’s operating system. Without drivers, the computer would not be able to send and receive data correctly to hardware devices, such as a printer.
A Message Digest Algorithm 5 (MD5) Hash
An algorithm that is calculated against a stream of data with the end result being a 128-bit value that is unique to that stream of data. An MD5 can be thought of as a unique fingerprint.
A Secure Hash Algorithm -256 (SHA-256) hash
A cryptographic hash function that is calculated against a stream of data with the end result being a value that is unique to that stream of data. Similar to an MD5 hash a SHA-256 hash value can be thought of as a unique fingerprint.
Achievable Resolution
Is a direct measurement of the ability of an imaging system to record detail, typically measured by its ability to maintain separation between close subject elements such as fine lines which are usually stated as ‘line pairs or cycles per millimetre’. It is often determined by imaging a resolution test chart. With some imaging systems, there may be a slight difference in the horizontal and vertical resolution. If so, the lower of the two values is considered the achievable resolution of the imaging system.
Active Data
It is the information stored on the direct access storage media of computer systems, which is readily perceptible to the operating system and/or application software with which it was created and directly available to users.
Administrative Review
A procedure used to check casework for consistency with agency/laboratory policy and editorial practice.
Adware
Software that automatically displays or downloads advertising material (often unwanted) when a user is online.
Algorithm
A mathematical relation between an observed quantity and a variable is used in a step-by-step mathematical process to compute a quantity. A step-by-step method for solving a problem or accomplishing some end. (Webster’s Dictionary)
An Index
Is similar to a search engine of the old days of the internet. These are like the early Yahoo! or sites where one has to click through categories and see the sites available with descriptions that lack much detail. These are a great source for finding the new location of sites that have been moved due to take-downs or hacks, but they must be reviewed manually to find the sought-after locations.
Antivirus Software
A program that monitors a computer or network to detect or identify major types of malicious code and to prevent or contain malware incidents. Sometimes by removing or neutralizing the malicious code.
Application
Is a more technical term for program Software programs, such as word processors and Excel spreadsheets.
Archival Data
Is information that cannot be directly accessed by a user of a computer system. Instead, the organization maintains for long-term storage and record-keeping purposes. Archival data may be written to removable media such as a CD, magneto-optical media, hard drive, tape or other electronic storage device
Archive Copy
A copy of a work intended to be preserved permanently. A copy of data placed on media appropriate for long-term storage, which can produce working copies
Archiving Image
Any image placed on media that is appropriate and designed for long-term storage. Archiving Long-term storage of information.
Artefact
A visual/aural anomaly in an image, video, or audio recording resulting from a technical or operational limitation. Examples include speckles in a scanned picture or “blocking” in images compressed using the JPEG standard. Information or data created as a result of the use of an electronic device that shows past activity. Misinterpreted information from a JPEG or compressed image. Color faults or line faults that visibly impact the image negatively
ASCII (Acronym for American Standard Code)
Is a code that assigns a number to each key on the keyboard. ASCII text does not include special formatting features and can be exchanged and read by most computer systems.
Aspect Ratio
The width-to-height ratio of an image.
Audio Enhancement
Procedures used on audio recordings to improve the quality and make it more intelligible and easier to hear.
Authentication
Procedures used on audio recordings to improve the quality and make it more intelligible and easier to hear.
Backpropagation
Backpropagation is an algorithm that is designed to test errors working backwards from the output to the input. As it conducts this, the network readjusted the colors every time the network made a mistake.
Backup
A spare copy of a file, file system, or other resource for use in the event of failure or loss of the original. Many computer networks utilize automatic backup software to make regular copies of their data on the network. Some backup systems use digital audio tape (DAT) as a storage medium.
Backup Data
Is information that is not currently in use by an organization and is consistently stored separately upon transferable media, to free up space and permit data recovery in the event of a disaster.
Backup Tape
Refer to Disaster Recovery Tape Backup Tape Recycling Is the process where an organization’s backup tapes are overwritten with new backup data, usually on a fixed schedule.
Bandwidth
The amount of data that can be transmitted via a given communications channel (e.g., between a hard drive and the host PC) in a given unit of time Bandwidth is usually stated in bits per second (bps), kilobits per second (kbps), or megabits per second (mps).
Best Evidence
The best evidence rule applies when a party wants to admit as evidence the contents of a document at trial, but that the original document is not available. In this case, the party must provide an acceptable excuse for its absence. If the document itself is not available, and the court finds the excuse provided acceptable, then the party is allowed to use secondary evidence to prove the contents of the document and have it as admissible evidence. The best evidence rule only applies when a party seeks to prove the contents of the document sought to be admitted as evidence.
Binary
Mathematical base 2, or numbers composed of a series of zeros and ones. Since zeros and one’s can be easily represented by two voltage levels on an electronic device, the binary number system is widely used in digital computing.
BIOS (Basic Input Output System)
An essential set of routines in a PC, which is stored on a chip and provides an interface between the operating system and the hardware. BIOS supports all peripheral technologies and internal services such as the real-time clock (time and date).
Bit
The smallest unit of information a computer can use. A bit is represented as a “0” or a “1” (also “on” or “off”). A group of eight bits is called a byte. Bits are often used to measure the speed of digital transmission systems.
BlackBerry PIN
An eight-character identification number is assigned to each BlackBerry device. PINs cannot be changed manually on the device (though BlackBerry technicians can reset or update a PIN server-side), and are locked to each specific BlackBerry.
BOT
A computer connected to the Internet that has been surreptitiously / secretly compromised with malicious logic to perform activities under remote the command and control of a remote administrator.
Botnet
A network of devices infected by an attacker, and then used together to perform tasks such as carrying out DDoS attacks (see below), mining Bitcoins, and spreading spam emails. Nearly any device connected to the internet, including home routers, can be infected and pulled into a botnet without its owner ever noticing.
Browser
A program like Firefox or Internet Explorer is used to view websites. A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web.
Bug
An unexpected and relatively small defect, fault, flaw, or imperfection in an information system or device.
Burn
When data is to be stored on a compact disc, the device (such as a CD-RW drive) etches the pattern of microscopic dots in a spiralling track on the CD surface, a process called ‘burning’ the CD.
BYOD
Also known as bring your device. This practice allows employees of an organization to use their computers, smartphones, or other devices for work purposes.
Byte
A series of 8 bits, also called a character.
Cache
A storage area on disk or memory used to store information during processing.
Captcha
A type of challenge–response test used in computing to determine whether or not the user is human.
Capture
The method of recording data, such as an image, video sequence, or audio.
Capture Card / Frame Grabber
A piece of computer hardware that converts an analog video signal to digital data.
Capture Device
A hardware or firmware device used to convert analog video into digital video.
Carve
The extraction of a portion of data for analysis.
CD/DVD (compact disc/digital versatile disc)
Optical disc formats are designed to function as digital storage media.
CD-ROM
Stands for Compact Disc Read-Only Memory. A small plastic disk, similar to audio compact disks, is used for storing information in digital format. The information is read from the disk by a small laser beam and displayed on a computer screen.
Cell Site Location Information (CSLI)
Is collected from cell phone towers as the phone makes calls
Cellebrite
Forensic division develops advanced mobile forensic hardware and software products, in use by law enforcement, military, intelligence, corporate security, and eDiscovery professionals.
Cellular Network Isolation Card (CNIC)
Identity module card that isolates a device from cellular connectivity. CNICs do not contain a “cipher key” thus preventing access to a cellular network.
Chain of Custody
The “chain of custody” is a concept in jurisprudence that applies to the handling of evidence and its integrity. Where it documents the chronological movement, location, and possession of evidence
Chat Logs
Can record message transmissions between two or more users. Chat logs might record the date and time a message was sent or received and the date/time individual users joined or ceased to participate in a given conversation. It is a concept in jurisprudence that applies to the handling of evidence and its integrity.
Checksum / Hash
An error-detection scheme that performs a calculation on the binary value of the packet/frame and then which is appended to the packet/frame as a fixed-length field. Once the packet/frame is received a similar calculation is performed. If the result does not match the first calculation, then a data change occurs during transmission. The calculation can be a sum (checksum), a remainder of a division (CRC-cyclic redundancy check), or the result of a hashing function.
Chrome Analysis Plus
A software tool for extracting, viewing, and analysing internet history
Clean Room/Chamber
To the extent possible, a limited particulate environment (e.g. requirements would follow ISO 5 or Class 100 standards for air quality).
Cluster
A group of sectors that are addressed by the operating system as a unit. The number of sectors in a cluster depends on the size of a disk as well as operating system limitations.
Codec (compressor/decompressor)
A device or program capable of encoding and decoding digital data. Codecs encode a stream or signal for transmission, storage, or encryption and decode it for viewing. Codecs are necessary for playback of encoded data. Generally, codecs from DCCTV systems are proprietary.
Cognitive Image Analysis
The process in which visual information is extracted from an image.
Collection
This involves the collection of any document (whether paper or ESI) from the client.
Color Range
The entire range of perceived colors that may be obtained under specified conditions.
Colorimetry
The science of measuring color and color appearance. The main focus of colorimetry has been the development of methods for predicting perceptual matches based on physical measurements.
Competency Test
The evaluation of a person’s knowledge and ability before performing independent work in forensic casework.
Composite Video Signal
An analog signal that contains chroma, video, blanking, and sync information and has been combined using one of the coding standards NTSC, PAL, SECAM, etc.
Compression
A method used to reduce the amount of information stored with a particular file. Graphics files and moving video files are good candidates for compression because they are generally very large in size. Compressing these files can greatly reduce the amount of information required.
Compression Ratio
Is a value used to describe the reduction in size of the data. For example, if we start with a 1 Megabyte image and compress it to 128 Kilobytes, the compression ratio is 1,048,576 divided by 131,072 or 8. This represents a compression ratio of 8:1 meaning the compressed file is 1/8th the size of the original file. Typically the higher the compression ratio value, the worse the image looks. Compression ratio comparisons are only valid when using the same image format.
Computer Forensics
The application of scientifically proven methods to gather, process, and interpret digital evidence.
Conversation Thread Message
Includes a continuous chronological order of replies or forwards from the first reply to the most recent e-mail.
Conversion
Objects of integral types can be converted to shorter signed or unsigned integral types. Such a conversion is called “standard conversion.” It can result in loss of data if the value of the original object is outside the range represented by the shorter type.
Cookies
Is a message given to a Web browser (on the computer) by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies is to identify users and possibly prepare customized Web pages for them. When you enter a Web site using cookies, you may be asked to fill out a form providing such information as your name and interests. This information is packaged into a cookie and sent to your Web browser, which stores it for later use. The next time you go to the same Web site, your browser will send the cookie to the Web server. The server can use this information to present you with custom Web pages.
Copy
As it relates to computer forensics a replica, not an exact (bit-by-bit) copy.
Crawling the deep web
This is a special type of searching that where regular indexing engines (such as Google or Bing) are unable to find as there are no links that point to them or there are preventative methods such as required logins and captchas to view any content beyond the home page. This means that data takes more time to review as it requires several manual procedures such as user creation to access.
Crypto jacking
A form of malware that hides on your device and steals its computing resources to mine for valuable online currencies like Bitcoin.
Cyber Ranges
Interactive, simulated representations of an organization’s local network, system, tools, and applications that are connected to a simulated Internet level environment. Cyber Ranges provides a safe, legal environment to gain hands-on cyber skills and a secure environment for product development and security posture testing.
Cyber Security
The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation.
Dark Web
The World Wide Web content that exists on the dark net, overlay networks that use the Internet but require specific software, configurations, or authorization to access. The dark web forms a small part of the deep web, the part of the Web not indexed by web search engines, although sometimes the term deep web is mistakenly used to refer specifically to the dark web.
DAT (Digital Audio Tape)
A form of storing data on magnetic tape used as a backup device
Data Analysis
An evaluation of information or data that has been collected.
Data Breach
When a company’s network is attacked and valuable data is stolen—usually customer log-in credentials, credit card details, and social security numbers. The stolen data can then be abused in myriad ways: held for ransom (see Ransomware below), sold on the dark net, and, of course, used to make purchases. Often hackers try to crack email passwords, and then test those login details on other popular sites, since many people use the same credentials for multiple accounts a big no-no.
Data Extraction
The process of pulling data from internal and external data sources in order to prepare a foundation of data to be shared.
Data Minimisation
Refers to the core data privacy tenet that an entity should neither collect nor maintain more information about an individual than is necessary to accomplish the purpose for which it is being collected. A contact tracing app that continues to collect users’ geolocation information in the post-pandemic era, for example, would run afoul of this principle.
To comply with it, government agencies and companies should cease collecting app users’ information and delete any stored contact tracing information once it is no longer needed for COVID-19 mitigation efforts, to comply with legal requirements, or for another appropriate purpose.
Data Mirroring
A method of protecting data from a being lost from a malfunctioning hard disk. As each file is stored on the hard disk, an exact “mirror” copy is made on a second hard disk or another partition of the same disk.
Data Smear
The modification of data by a running system during the data acquisition process.
DD Image
DD file is an image file created out of dd commands (in Linux).
DDoS Attack
Attackers use DDoS (Distributed Denial of Service) attacks to render a network unavailable. They do this by overwhelming the targeted machine with massive requests from multiple devices. The target suffers a severely clogged bandwidth, and legitimate connections become impossible. These attacks are typically carried out by botnets (see above).
De-Duplication
Removing duplicate records from a database, when two or more databases have been merged and some information has been repeated verbatim.
Deblurring
A type of image restoration used to reverse image degradation, such as motion blur or out-of-focus blur. It is accomplished by applying algorithms based on knowledge or an estimate of the cause of the original degradation.
Decryption
The process of decoding (or unscrambling) data that was encrypted to prevent unauthorized parties from reading it during Internet transmission.
Deduplication
The process by which duplicate documents are eliminated, thus cutting down on the total number of documents to review.
Deduplication by Custodian
Deduplication on a custodian-by-custodian basis.
Deep Web
This is often mistakenly called the “Dark Web”, the Deep web is a hidden network that is accessible via a specialized internet connection. The Deep Web offers its sites some protection by randomizing website names, such as hXXp://hss3uruhjo2xfogfq.Xnion (characters transposed with ‘X’ for user protection) instead of hXXp://www.notevil.com. These sites are often featured on the news for hosting the sale of illegal items, ranging from drugs to social security numbers to stolen software.
De-interlacing
Separating an interlaced frame into two discrete fields.
Deleted Data
Data that once existed as live data on a computer / network. Although, the data still remains on the hard drive unless the hard drive has been completely wiped. Even after the data itself has been wiped, files or folders may remain on the computer that used to direct to the no longer existing data.
Deleted Files
Files, which may have been deleted by the computer user or operating system. Normally deleted files are not removed from the hard drive. The deletion process only alters a directory entry in most cases. This leaves deleted files accessible to forensic examinations.
Deletion
Is the process whereby data is removed from active files and other data storage structures on computers and rendered inaccessible except using special data recovery tools designed to recover deleted data. Deletion occurs in several levels on modern computer systems.
Demonstrative Comparison
A non-opinionated method for presenting the similarities and/or differences among images and/or objects.
Desktop
Usually refers to an individual user’s desktop computer or the term for the screen.
Digital
A transmission method employing a sequence of discrete, distinct pulses that represent the binary digits 0 and 1 to indicate specific information, in contrast to the continuous signal of analog. Digital networks provide improved clarity, capacity, features and privacy compared to analogue systems.
Digital CCTV Retrieval
The process of retrieving video/images from digital CCTV systems.
Digital Evidence
Information that is stored or transmitted in binary form of zeros and ones.
Digital Forensics
The processes and specialized techniques for gathering, retaining, and analyzing system-related data (digital evidence) for investigative purposes.
Digital Image
Any image stored as numerical values on optical or magnetic media. This term is also used for any print created from such a set of stored numerical values.
Digital Media
Objects on which data can be stored.
Directory Listing
A report about files, folders, and related information contained on a computer. It may also contain information such as the size, dates, and type of files.
Disc (disk)
A magnetic disk or piece of hardware is used to store data. (Floppy disk, hard disk, or cd-rom).
Discovery Recovery Tape
The portable media used to store data that is not presently in use by an organization to free up space but still allow for disaster recovery. May also be called “Backup Tapes.
Distributed Data
A method of organizing information on multiple devices possibly in multiple locations.
DNS Attack
DNS stands for “domain name server,” which uses the name of any common website to redirect traffic to its own IP address. For instance, you’d expect “google.com” to take you to Google’s IP address. Using a DNS hijack, however, cybercriminals can translate “google.com” to their own IP address, redirecting you to malicious sites where they can collect your information or have you download malware. In an attempt to get you to click on a link, DNS hijacks can also deliver altered search results.
Domain
A unique name used to identify and locate an organization or entity registered on the Internet. DOS Disk Operating System, a simple operating system that was used on early computers before GUIs became popular. Commands are generally a line of text that is typed.
Downloading / Exporting
The process of retrieving audio, video, and still images and transactional data from a DVR system. Can be in either the native/proprietary format or an open format.
Duplicate
An accurate and exact replica of all data apart from the physical media.
DVR (Digital Video Recorder)
A stand-alone embedded system or a computer based system used to record video and/or audio data.
Dynamic Range
Dynamic range is the ratio of contrast, tonal range or density in an image between black and white. The number 0.0 represent white and black is 4.0. A flatbed scanner may have a dynamic range of 2.4-2.7 while a drum scanner may be as high as 3.6-3.8. The numeric ranges stated is the ability of the device to record and reproduce the range of greys between black and white. The higher the number the greater the detail in shadow (black) and highlight (white) reproduced in an image.
Dynamic Range (a, v)
The ratio of the specific maximum signal level capability of a system or component to its noise level. Usually expressed in decibels and used in engineering specifications. Also known as signal to noise ration. EBay Is an online auction website, at which people from all around the world buy and sell goods and services.
E-Discovery
Refers to discovery in legal proceedings such as litigation, government investigations, or Freedom of Information Act requests, where the information sought is in electronic format (often referred to as electronically stored information or ESI). [1] Electronic discovery is subject to rules of civil procedure and agreed-upon processes, often involving review for privilege and relevance before data are turned over to the requesting party. Electronic information is considered different from paper information because of its intangible form, volume, transience and persistence. Electronic information is usually accompanied by metadata that is not found in paper documents and that can play an important part as evidence (e.g. the date and time a document was written could be useful in a copyright case). The preservation of metadata from electronic documents creates special challenges to prevent spoliation.
Electronic Mail (E-Mail)
More often called E-Mail. E-mail is a fast, easy, and inexpensive way to communicate with individuals or groups on networked computers and computers equipped for Internet access. Besides basic correspondence, with some systems you can attach and send documents and other files.
Email Signature
The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.
Email Spoofing
The forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. Email spoofing is a tactic used in phishing and spam campaigns because people are more likely to open an email when they think it has been sent by a legitimate source.
Email Thread
Includes a continuous chronological order of replies or forwards from the first reply to the most recent e-mail.
EnCase Forensic
One of the industry leads in digital investigation technology for conducting efficient, forensically-sound data collection and investigations using a repeatable and defensible process. It is widely recognized by law enforcement, the private sector, and the courts as a leading forensic tool in the industry
Encase Image File Format (E01)
A bit-by-bit copy of a hard drive produced with the Encase Forensic tool made by Guidance Software Inc.
Encrypt
The process of scrambling a message to ensure data secrecy. The message is encoded using an electronic key, which makes it unintelligible to anyone except to the holders of the other half of the key. There are two main types of encryption methods, private key and public key encryption
Erased File Recovery
The procedure of recovering deleted files from media.
Ethernet
A local area network used for connecting computers, printers, workstations, terminals, etc. within the same building. Ethernet operates over twisted wire and over coaxial cable at speeds up to 10 Mbps.
Events Logs
Windows operating systems maintain event logs regarding system, security, and application events. The administrator can configure the event log settings to include more or less detail, or to log only certain types of events.
EXIF (Exchangeable Image File Format) Information
A standardized storage format for camera and image metadata in JPEG and TIFF files. Included in the EXIF information is the make and model of the camera, as well as the date the picture was taken.
Extraction
A method of exporting data from a source (e.g. copying data from EnCase preview, dumping data from a cell phone).
Extranet
A word that refers to an intranet that is partially accessible to authorized outsiders. Whereas an intranet resides behind a firewall and is accessible only to people who are members of the same company or organization, an extranet provides various levels of accessibility to outsiders. You can access an extranet only if you have a valid username and password, and your identity determines which parts of the extranet you can view
Favourites
Are used in Internet Explorer to organize websites and allow you to make a quick reference to sites that are visited often without having to remember the URL.
Field
An interlaced video image is comprised of two fields, each containing half of the scan lines needed to make one frame of video. The frame is displayed by rapidly alternating the display of each field in its entirety. For example, a 525 line frame of an NTSC image is displayed by first displaying the 262.5 line odd field followed by the 262.5 line even field.
File
A collection of data of information stored under a specified name on a disk. A set of related information that a computer can access by a unique name (e.g., a text file, a data file, a DLG file). Files are the logical units managed on disk by the computer’s operating system. Files may be stored on tapes or disks.
File Extension
A tag of three or four letters, preceded by a period, which identifies a data file’s format or the application used to create the file. File extensions can streamline the process of locating data. For example, if one is looking for incriminating pictures stored on a computer, one might begin with the .gif and .jpg files. File Format the configuration of data in a file.
File Format
The structure by which data is organized in a file.
File Server
The mainframe computer that stores all information within a LAN and is the location where multiple computers network together to allow file transfer and sharing.
File Sharing
Sharing of computer data or space on a network. File sharing allows multiple users to use the same file by being able to read, modify, copy and/or print it. File sharing users may have the same or different levels of access privilege.
File Slack
The space between the ends of the logical file to the end of the cluster containing the data. This slack space will usually contain data from files that used this space before. Files are stored in clusters. Since storage is allocated in fixed sized clusters, and only one file can occupy a cluster, there is often space remaining in the last cluster in which a file exists, as most files only use a part of the last cluster allocated to them.
File Transfer Protocol (FTP)
An Internet tool/software utility that allows you to transfer files between two computers that are connected to the Internet. A standard network protocol used for the transfer of computer files between a client and server on a computer network.
Firewall
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets.
Fixed Focal Length Lens (Prime Lens)
A lens with a focal length that is not adjustable.
Floppy Disk
Floppies typically hold 1.4 Megabytes of data. They use a plastic disc coated with magnetic material to store the information. In forensic examinations we image floppy disks to preserve their data.
Focal Length
Distance from the optical centre of a lens to its point of focus at the sensor/image plane when focused at infinity. Smaller focal length values provide a wider field of view; larger focal length values provide a narrower field of view.
Forensic Audio
A sub discipline of Digital & Multimedia Evidence, which involves the scientific Examination, analysis, comparison, and/or evaluation of audio.
Forensic Cloning
The process of creating a bit stream duplicate of the available data from one physical media to another.
Forensic Copy
It is an exact bit-by-bit copy of the entire physical hard drive of a computer system.
Forensics
Relating to or dealing with the application of scientific knowledge to legal problems, especially in relation to the detection of crime.
Format
One or several combined elements that may be used to describe the video recording method. These include tape width (e.g. 8mm, ½ inch, ¾ inch, 1 inch), signal form (e.g. composite, Y/C, component), media (e.g. VHS tape, DVD, CD), data storage type (e.g. analog/digital, AVI/MPEG), and signal standard (e.g. NTSC, PAL, SECAM).
Format Conversion
Process of both encoding/decoding and re-sampling digital rates to change digital data from one format to another.
Forums
Forums are a great source of information on the deep web for investigators. While these act like normal forums, their contents are much different and often discuss illegal topics. The topics range from sales of stolen data or drugs to hiring hitmen. These often are in English or Russian and have minimal features to prevent search engine from exploring them too quickly.
Fragmented Data
Data that is not stored in a contiguous segment but rather is stored in a non-contiguous manner.
Frame
A single, complete picture in a video or film. A video frame is made up of two interlaced fields of either 525 lines (NTSC) or 625 lines (PAL). Full-motion video for NTSC runs at 30 frames per second (fps); for PAL, 25 fps. Film runs at 24 fps. For progressive scan (non-interlaced) video, the frame is written through successive lines that start at the top left of the picture and finish at the bottom right.
Free Space
Free space in a storage device. The space that in any given time does not belong to any file or the file system itself (system information). New files will be stored in the free space area.
FTP Logs
File transfer protocol logs can record and maintain information on data transfers between two computers. The logs might record the date/time a file download/upload was initiated, the duration of the transfer, the status of the transfer and the IP address of the computer that initiated the upload/download.
Full Collection
A collection of a client’s entire mailbox and/or imaging of their hard drive. This ensures that all possible data is collected but could lead to greater cost down the road.
Geo Location
Refer to data files on the device that record GPS coordinates or other location data that can be used to extrapolate the location of the device at a recorded time.
Geotag
GPS coordinates added to files as metadata.
GIF (Graphical Interchange Format)
A standard compressed graphics file format used on the Web for pictures.
Gigabyte (GB)
Is a unit of measurement in computers of one thousand million bytes (the same as one billion bytes in the short scale usage). However, because computers work on the binary system, rather than a gigabyte being 103 megabytes (1000 MBs), a gigabyte is actually 210 megabytes (1024 MBs). A gigabyte is a billion (1,000,000,000) bytes.
Global Deduplication
Deduplication across an entire collection.
GPX
GPS exchange format. An XML scheme designed for a common GPS format for software applications.
Graphic Files
Pictures are stored on computers in the form of graphics files. Typical files use several different extensions (the last few letters of the file name). They include .gif for small-size or low-resolution pictures, typically part of web pages .tiff or .bmp detailed pictures .jpg or .jpeg compressed versions of detailed pictures.
Grep
A command-line utility for searching plain-text data sets for lines matching a regular expression.
GUI (Graphical User Interface)
A program interface that uses a computer’s graphics capabilities to make the program easier to use. Graphical interfaces use a pointing device to select objects, including icons, menus, text boxes, etc. A GUI includes standard formats for representing text and graphics.
Hacker
An unauthorized user who attempts to or gains access to an information system.
Hash
A one-way algorithm which maps or translates one set of bits into another (generally smaller) in such a way that the algorithm yields the same hash results every time for the same message, and it is computationally infeasible for a message to be reconstituted from the hash result. Also, two different messages cannot produce the same hash results.
A numeric value resulting from applying a mathematical algorithm against a set of data such as a file.
Hashing Function
An established mathematical calculation that generates a numerical value based on input data. This numerical value is referred to as the hash or hash value.
Hashing Value
A process of applying a mathematical algorithm against a set of data to produce a numeric value (a ‘hash value’) that represents the data.
HDD (Hard Disk Drive)
Also called a hard drive or hard disk. This is the mass storage device, holding Gigabytes of data in modern PCs. Information on the disk is in the form of binary magnetic bit representations.
Host
The main hardware on which software resides.
HTML (Hypertext Mark-up Language)
The set of mark-up symbols or codes inserted in a file intended for display on a World Wide Web browser page. The mark-up tells the Web browser how to display a Web page’s words and images for the user. Each individual mark-up code is referred to as an element (but many people also refer to it as a tag). Some elements come in pairs that indicate when some display effect is to begin and when it is to end.
HTTP Logs
Can provide data on visits to specific web pages such as how many users requested the page and at what times were the most requests for the page and its files received.
Image
A forensic image (forensic copy) is a bit-by-bit, sector-by-sector direct copy of a physical storage device, including all files, folders and unallocated, free and slack space. Forensic images include not only all the files visible to the operating system but also deleted files and pieces of files left in the slack and free space.
Image Analysis
The process of using a forensic image to analyze and determine the content of an image and/or the image itself with regards to legal and investigatory matters.
Image Averaging
The process of averaging similar images, such as sequential video frames, to reduce noise in stationary scenes.
Image Comparison (Photographic Comparison)
The act of examining disputed images of people and/or objects to known persons, objects, or images, thus identifying or eliminating a connection between these images based on their features.
Image Content Analysis
Making a decision regarding an image. This can be based upon but not limited to: subjects/objects in the image, the conditions / process in which the image was taken / made, the physical conditions of the setting (e.g. lighting or composition), and / or the origin of the image
Image Data Recovery
The act of acquiring visible image(s) from a set of data.
Image Enhancement
Any one of a group of operations, which improves the interpretability of an image or the ability to detect targets or categories in the image.
Image Output
The way in which an image is displayed for investigation or inspection.
Image Processing
The act of converting in input image into an output image.
Image Processing Log
A chronicle of each step taken while processing an image.
Image Synthesis
Realistic image synthesis is the processes of creating images that are, in some way, accurate representations of a real scene (i.e. accident/crime scene reconstruction).
Image Transmission
The act of moving images from one position to another.
Imaging Technology
Any system or process used to capture, store, process, analyze, transmit, or produce an image. Such systems include film, electronic sensors, cameras, video devices, scanners, printers, computers, etc.
IMEI (International Mobile Equipment Number)
A unique 15-digit serial number assigned to mobile devices.
Information located within the computer system
Used by software applications and users to complete various tasks.
Instant Messaging (IM)
Is a computer application which Exchanging messages in real-time between two or more people logged on to an instant messaging service.
Integrity Verification
The act of affirming that a set of data has not been modified since it was acquired.
Intellectual Property (IP)
A work or invention that is the product of human intelligence and creation. It can consist of patents, trademarks, copyrights, etc. The concept relates to the fact that certain products of human intellect should have the same protective rights as physical property.
Interlaced Scan
An interlaced-scan sends information to each pixel in the even-numbered rows of pixels on a screen, left to right and then top to bottom. Then it sends information to odd-numbered rows. This results in a slightly distorted picture, as the component parts of the image do not all appear on the television screen at exactly the same time. The 1080i (interlaced) high-definition standard is an interlaced-scanning standard.
Intermediate Storage
Any media or device that stores data temporarily until that media or device is ready to be transferred to a permanent archival storage.
Internet
Is the publicly available worldwide system of interconnected computer networks that transmit data by packet switching using a standardized Internet Protocol (IP) and many other protocols. It is made up of thousands of smaller commercial, academic, and government networks. It carries various information and services, such as electronic mail, online chat and the interlinked web pages and other documents of the World Wide Web.
Internet Header
Provides technical details about the e-mail message. These details can include who sent the message, the software that was used to compose it, IP Address, and the e-mail servers that it passed through on its way to the recipient.
Internet History Cache
Depending on the version of the operating system being used on the computer, Internet usage is tracked in various ways. One way is in the form of a database often referred to as the History file. This database keeps track of Internet usage to include web sites, graphics, re-directs and cookies. This file is very dynamic and can be overwritten on a daily basis. In an NT Windows environment, computer users are assigned profiles. The profiles contain history files specific to that user.
Internet Service Provider
Is a company that provides access to their web site and or access to the Internet. The service provider gives you a software package, username, password and access phone number. Equipped with a modem, you can then log on to the Internet and browse the World Wide Web and USENET, and send and receive e-mail. Newsgroups can also be accessed through this service.
Interpolation
Interpolation is a mathematical method of creating missing data. An image can be increased from 100 pixels to 200 pixels through interpolation. There are many methods of interpolation, but one simple method would be to generate a new pixel by using the average of the value of the two pixels on either side of the one to be created.
Intranet
A network based on TCP/IP protocols (an internet) belonging to an organization, usually a corporation, accessible only by the organization’s members, employees, or others with authorization. An intranet’s Web sites look and act just like any other Web sites, but the firewall surrounding an intranet fends off unauthorized access.
Intrusion
An unauthorized act of bypassing the security mechanisms of a network or information system.
IP Address
Internet Protocol Address is a series of four one- to three-digit numbers separated by periods. It is used to identify a computer connected to the Internet. For example, 212.6.125.76 is an IP address.
IS / IT Information Systems or Information Technology
The people who produce computers and make computer systems run.
ITunes Backup
Can be used to archive and restore the contents of a phone, as well as for the transfer of files between a computer and individual iOS applications. The iTunes backup can contain the following type data; Photos and Images; Media Files; Messages & Call Logs; Application Data; Settings; and Memos & Calendar & Bookmark.
Jailbreak
A modified smartphone or other electronic device, modified to remove restrictions imposed by the manufacturer or operator, e.g. to allow the installation of unauthorized software.
Joins
A work or invention that is the product of human intelligence and creation. It can consist of patents, trademarks, copyrights, etc. The concept relates to the fact that certain products of human intellect should have the same protective rights as physical property.
JPEG (Joint Photographic Experts Group)
Image compression typical for photograph files.
Keystroke Loggers
Are software programs and/or hardware devices which record logs for the keys you strike on the computer’s keyboard. There are two types of loggers Software and Hardware.
Keywords
Words that are used in a search. Often web users employ keywords to locate web sites. Forensic investigations also use keywords to locate important material on large hard disks.
KIK
An instant messaging mobile application
Kilobyte (K)
As a measure of computer memory or storage, a kilobyte (KB or Kbyte*) is approximately a thousand bytes (actually, 2 to the 10th power, or decimal 1,024 bytes).
Legacy Data
Data that is left over from previous technologies. The analog recordings on tape are the legacy data that the Consortium wants to address. This normally involves a conversion process.
Link Files
There are files that contain links (.lnk) to other resources such as programs, data files, and web pages. Link files refer to or “link” to target files. Target files are often applications, directories, documents, and data files. Specifically, when a user opens a document, a link file is created in the Recent folder under the logged on user profile. These links are a record that the document was opened by the user.
Litigation Hold
The initial letter that is sent to a client to ensure that the duty to preserve is complied with.
Load Files
A file included with a production that allows it (including text, images and metadata) to be loaded into a review tool.
Local Area Network (LAN)
A local computer network for communication between computers, especially a network connecting computers and word processors and other electronic office equipment to create a communication system between offices.
Log
A list of recorded events, communications or other details of computer operation. Records can be entered manually or can be automated by a computer program. Logs are typically stored in files but may be found on the local computer or on a remote computer or server. Logs can be used to troubleshoot computer/program operations, detect misuse or intrusion attempts, or to gather information on user activity or access. Logs might be found in a plain text format or in a proprietary format.
Log File
Files maintained on a server showing actions, events and related data. Computer forensic log file analysis can reveal the visitors to your site, where they came from, and which queries were used to access your site.
Logical Copy
An accurate reproduction of information contained within a logical volume (e.g. mounted volume, logical drive assignment, etc.).
Lossless Compression
A data compression technique that reduces the size of a file without sacrificing any of the original data. In lossless compression, the expanded or restored file is an exact replica of the original file before it was compressed.
Lossy Compression
Refers to data compression techniques in which some amount of data is lost. Lossy compression technologies attempt to eliminate redundant or unnecessary information. Most video compression technologies, such as MPEG, use a lossy technique
Lost Files
In the MFT (Master File Table) in NTFS (standard DoS configuration), all files and folders are marked as a folder or file, and they are marked as belonging to a “parent”. So say you have a folder with a bunch of files within it. Those files are its “children”. For those files to become “lost”, let us pretend the user deletes those files and then deletes the folder itself. The user then creates a new folder. The entry in the MFT for the old folder is overwritten. So it, the original “parent” folder, and its entry in the MFT, are gone. But its “children”, while deleted, have not been overwritten and their entries are still in the MFT.
“Lost Files”
In EnCase refer to deleted files with unknown parent, they are often called orphan files in other tools. When a folder with files are deleted, all MFT entry will be marked as deleted. However, if the deleted folder entry is being reused, the deleted files can longer trace back to their parent.
Malware
Malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Marketplaces
These are like eBay or Amazon, where the sale of products is conducted. Mostly on the deep web these are used for illegal drug sales (approximately 80%) and the remainder is made up of stolen credit cards, social security numbers, passports, ids, pirated software, dumps of documents, and other miscellaneous items. This is an ever-changing landscape due to many governmental initiatives to remove them, so the addresses, names, and details are always influx and non-permanent.
Media Characterization
The procedure of inspecting, identifying, and noting the properties of the media.
Megabyte (Meg)
An amount of computer memory consisting of about one million bytes. The actual value is 1,048,576 bytes.
Memory Smear
The modification of data by a running system during the memory acquisition process.
Metadata
Is contained inside of a file and is not normally visible to the user, but can contain detailed information about the file. Metadata describes, for example, how, when, and by whom it was received, created, accessed, and/or modified, and how it is formatted. Metadata can be hidden or embedded and therefore unavailable to computer users who are not technically adept.
MicroSD
Is a type of removable flash memory card used for storing information. SD is an abbreviation of Secure Digital. The cards are used primariliy in mobile phones and other mobile devices.
Migrated Data
Migrated Data is information that has been transferred from one database or format to another, this occurs when a change from one hardware or software technology has been change to another, Mirroring One disk acts as the primary storage disk, while the other provides a mirror image of the primary disk, providing redundancy in the event of a disk failure.
MIS
Is the designation for the field of computer solutions internal to an organization. An MIS department is typically responsible for administering the computer hardware, software, and networking within a company or group. Modem Hardware that is used to connect computers, often by a phone line. Typical modems can transmit or receive data at up to 5,000 bytes per second.
Mobile Banking Trojans
It looks like your trusted banking app, but that’s just an overlay. Underneath, a mobile banking Trojan tricks you into entering financial credentials and personal information. It can also gain administrative rights to intercept SMS messages, making it possible to record two-factor authentication codes as well.
Mobile Device
A portable device that has an embedded system architecture, processing capability, on–board memory, and may have telephony capabilities (e.g., cell phones, tablets, and smartphones).
Mobile Forensic Examiner PLUS
Is Access Data’s mobile forensics software solution. Supporting more than 7000 cell phones and mobile devices, including Legacy GSM/CDMA devices, iOS, Android, Blackberry, Windows Mobile™ and Chinese devices. Access Data’s computer forensic software is recognized among law enforcement, the private sector, and the courts as one of the leading forensics tools.
Mobile Phone Forensics
For legal purposes, the utilization of scientific methodologies to recover data stored by a cellular device.
Motherboard
The main printed circuit board in microcomputers. It holds and allows communication between many of the crucial electronic components of a system, such as the central processing unit and memory, and provides connectors for other peripherals.
Multi-Factor Authentication (MFA)
Also referred to as two-factor authentication or 2FA. A security enhancement that forces you to present two pieces of evidence – your credentials – when logging in to an account. Credentials are generally categorized by: something you know (like a password or PIN), something you have (like a smart card), or something you are (like your fingerprint). To enhance security, credentials must come from two different categories.
Multimedia Evidence
Analog or digital media, such as, film, tape, magnetic and optical media, and/or the information containers.
Native File Format
An electronic system that can accept a number of camera inputs and record them virtually simultaneously. They can also provide multi-screen displays with four, nine, sixteen etc. cameras on the screen at once. Multiplexers can be used to transmit up to sixteen pictures down a single video line whether it is a coaxial cable, microwave, infrared link etc. This requires a multiplexer at each end of the line.
Newsgroups
Newsgroups may also be referred to as a forum or an on-line discussion group. On the Internet, there are literally thousands of newsgroups covering every conceivable interest. To view and post messages to a newsgroup, you need a newsreader (which can be provided by an ISP), a program that runs on your computer and connects you to a news server on the Internet.
Node
Multiple computers are connected with a network in a distributed processing system (or a parallel processing system). Each computer of such a system is called a `node’. In a centralized system, one host computer manages the whole system. In a distributed-parallel processing system, on the other hand, every node cooperates with each other to manage the system.
Noise
Variations or disturbances in brightness or color information in an image that do not arise from the scene. Sources of noise include film grain, electronic variations in the input device sensor and circuitry, and stray electromagnetic fields in the signal pathway. It frequently refers to visible artifacts in an image.
Nominal Resolution
The numerical value of pixels per inch as opposed to the achievable resolution of the imaging device. In the case of flatbed scanners, it is based on the resolution setting in the software controlling the scanner. In the case of digital cameras, this refers to the number of pixels of the camera sensor divided by the corresponding vertical and horizontal dimension of the area photographed.
Normal Lens
A lens designed to approximate the field of view of the human eye without magnification or reduction. The focal length of a normal lens is based on the sensor size in the camera.
NTSC
National Television System Committee also referred to as National Television Standards Committee.
NTUSER.DAT Files
Store settings that are specific to the currently logged-in user. These files are located in each user’s Documents and Settings subfolder.
OCR
Optical Character Recognition Aka Searchable Text
Offline
When your computer performs an operation when it is not connected to any other computers, it is working offline.
Offline Storage Table (.OST)
A Microsoft Outlook data file that enables users to access their email data when offline.
OneDrive
A file hosting service and synchronization service operated by Microsoft as part of its suite of Office Online services. It allows for backup, storage and sharing of files – anywhere, on any device.
Online
A general term for when one computer is interacting directly and simultaneously with another computer. Many sources of information are available online.
Open Wi-Fi
Open Wi-Fi networks are unencrypted, which is why they’re risky. Anyone can create a fake hotspot and trick your device into joining it automatically. When you use open Wi-Fi without protection like a VPN (see tips below), anyone on that network can see the sites you visit, your log-in passwords, your financial and personal data, and more. Hackers often name their phony Wi-Fi networks after popular spots (like “Starbucks”), knowing that most devices automatically re-join hotspots they’ve used in the past. Hackers can even redirect your unencrypted traffic, sending you to malicious sites.
Operating System (OS)
The most important program that runs on a computer. Every general-purpose computer must have an operating system to run other programs. Operating systems perform basic tasks, such as recognizing input from the keyboard, sending output to the display screen, keeping track of files and directories on the disk, and controlling peripheral devices such as disk drives and printers.
Optical Character Recognition (OCR)
The technology that allows computers to ‘read’ text from physical objects. OCR requires a graphical representation of text to interpret, which usually comes from a scanned image.
Original Image
An accurate and complete replica of an original image.
Original Recording
The first manifestation of sound in a recoverable stored format.
Orphaned File
A file that no longer has a parent; the parent being the folder they were in. If a folder is deleted, the files within it are deleted as well but are not orphans. The folder and children files are potentially recoverable with the information intact in the Master File Table ($MFT). A file becomes an orphan, when the parent folder is overwritten.
Oxygen Software
A maker of the advanced forensic data examination tools for smartphones and other mobile devices. Oxygen provides forensic solutions covering mobile devices running Android, iOS, Blackberry, Windows Phone, Symbian and other operating systems. Law enforcement and government agencies, institutions, corporations and private investigators use this software.
Pagefile.sys
A windows system files, acts as swap file and was designed to improve performance. Windows uses it as RAM in case the application you’re running on your computer ends up needing more RAM than actually available.
PAL
Phase Alternating Line (PAL) is a color encoding system for analog television. It features 624 horizontal lines per frame with a rate of 25 frames per second. PAL is used in broadcast television systems in many countries and is one of the three major broadcast standards, along with the NTSC and SECAM systems.
Partition
In computer engineering, hard disk drive partitioning is the creation of logical divisions upon a hard disk that allows one to apply operating system-specific logical formatting.
Password Recovery
The practice of locating and identifying a series of characters used to limit access to data.
Password Spraying
A type of brute-force attack in which a malicious actor uses a single password against targeted user accounts before moving on to attempt a second password, and so on. This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts.
PC
Personal computer
PCB Printed Circuit Board
A board used in electronics.
PDA (Personal Digital Assistant)
A portable computing device for organizing personal data such as telephone numbers, appointments, and notes. Capable of transmitting and receiving data when equipped with a wireless module
PDF (Portable Document Format)
An Adobe product that displays documents in the form in which they will be printed. Acronym for Portable Document Format, the PDF file format created by Adobe Systems, Inc. uses the PostScript printer description language and is highly portable across computer platforms. PDF documents are created with Adobe Acrobat or other programs and can be viewed with Adobe Acrobat Reader and other PDF reader programs.
Personal Storage Table (.pst)
An open proprietary file format used to store copies of messages, calendar events, and other items within Microsoft Outlook. This file contains messages and other Outlook items and is saved on the local computer.
Personally Identifiable Information (PII)
Also known as Sensitive Personal Information (SPI), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
Petabyte (PB)
A petabyte is a unit of measurement in computers of one thousand million million (short-scale quadrillion) bytes. Its abbreviation is PB. 1 Petabyte equal to 1024 terabytes or approx. 1,000,000,000,000,000 bytes. 1 PB has the value of 2 to the power of 50.
PGP
This stands for Pretty Good Privacy. It’s actually very good privacy. It is a public key encryption program that has become the most popular standard for email encryption.
Phishing Schemes
Used by cybercriminals to trick people into giving up sensitive information, phishing scams pose as emails from an organization or person you know. There is usually a link or attachment included, which it tries to get you to click so that you’ll unwittingly allow malware to download to your system. Sometimes phishing scams look indistinguishable from the sites they’re imitating, and they attempt to trick you into entering your password info.
Photogrammetric Analysis
Gathering dimensional information about objects and/or people shown in an image.
Photogrammetry
An aerial remote sensing technique, which employs a high-resolution aerial camera with forward motion compensation using global satellite navigation technology for pilot guidance over the designated photo block. It is also used as a measurement technology in which the three-dimensional coordinates of points on an object are determined by measurements made in two or more photographic images taken from different positions. Photogrammetry can also form the baseline of many Geographic Information Systems (GIS) and Land Information System (LIS) studies and endeavours.
Photometry
The measurement of the intensity of light or of relative illuminating power. In forensics this applies to objects in an image.
Physical Copy
An accurate replica of information enclosed on the physical device.
Physical Image
A bit stream reproduction of data contained on a physical device.
Pixel
Picture element, the smallest component of a picture that can be individually processed in an electronic imaging system
Plaintext
Text that is the least formatted and easiest to read; unencrypted.
Play Store
Google’s official pre-installed app store on Android-certified devices. It provides access to content on the Google Play Store, including apps, books, magazines, and music, movies, and television programs.
Playback
Recorded material viewed and heard as recorded, facilitated by camcorder, cassette recorder, or other device.
Playback Optimization
The act of choosing what equipment and settings are most appropriate when examining a particular output signal. Playback Watching and/or listening to previously recorded data as it was recorded, via a playback device, such as a camcorder or cassette recorder.
Pointer
An indicator in the directory of a disk (or other storage medium) that identifies the area in which an electronic document or piece of data resides, which prevents that space from being overwritten by other information. When a document is “deleted,” the pointer is deleted, which permits the file to be overwritten, but the document is not actually removed.
Prefetch File
The windows operating system keeps track of how a computer starts, and what programs you most frequently open. It saves this data to files in the prefetch folder. The folder contains the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run.
Preservation
The efforts that follow the litigation hold. Preservation involves turning off automatic deletion processes, the identification of key custodians and the interfacing with those custodians and the client’s IT manager.
Preview
A sub-process of triage where a cursory review of items is performed to assess the need for collection and/or further examination.
Primary Image
The first occurrence that an image is recorded onto any media that is a distinct, identifiable object. Examples include a digital image recorded on a flash card or a digital image downloaded from the Internet.
Primary Keys
Unique links to information in database tables. They are logical constructs that uniquely identify a row in a table. Primary keys can be represented as a set of characters, a variable set of characters, an integer, or even a string.
Private Network
A network that is both connected to, but isolated from the Internet.
Private Wi-Fi
A private network, unlike an Open or Public network contains restrictions and access rules in order to relegate access to a select few.
Production
The method by which documents are selected for production to opposing or co-counsel. This involves the OCR’ing, bates stamping and delivery of TIFFs (Images), OCR (Text) and load files.
Production Specifications
A set of options that typically appear in Requests for Production of Documents. Specifications cover the metadata fields to be produced, types of load files and whether documents will be produced in TIFF form.
Production Switcher
Device and/or software that accepts inputs from a variety of video/audio sources and allows the operator to select a particular source to be sent to the switcher’s output(s). May also include circuits for video mixing, wiping, keying, and other special effects.
Proficiency Test
An evaluation of analysts, technical support personnel, and the agency, in order to demonstrate their ability of to perform at a level of quality. (Four examples are provided). Open test – the analyst(s) and technical support personnel are aware they are being tested. Blind test – the analyst(s) and technical support personnel are unaware they are being tested. Internal test – conducted by the agency itself. External test – conducted by an agency independent of the agency being tested.
Profiles
Based on Department of State protocol, an individual computer user is assigned his or hers log on name and password. This process also establishes a profile on the computer being logged onto by the user. This profile is then populated with the computer users’ computer settings and history.
Progressive Scan
A method of image scanning that processes image data one line of pixels at a time, creating frames composed of a single field (as opposed to interlaced scanning, which meshes two fields, each composed of alternating scanned lines, per frame).
Proprietary File Format
A distinctive file format that is specific to a manufacturer and/or product (such as Microsoft Word’s .doc format).
Protected Health Information (PHI)
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
PST File
Is associated with Microsoft Outlook software. The file contains e-mail folders, addresses, contacts and anything else that Outlook collects. The file has a 2-gigabyte file size limit and is depicted with the three-letter “.pst” file extension.
Public Network
A network that is connected to the Internet that is designed for open, public access.
Public Wi-Fi
Like an Open Wi-Fi network Public Wi-fi’s are unencrypted, and risky. Anyone can create a fake hotspot and trick your device into joining it automatically. When you use open Wi-Fi without protection like a VPN (see tips below), anyone on that network can see the sites you visit, your log-in passwords, your financial and personal data, and more. Hackers often name their phony Wi-Fi networks after popular spots (like “Starbucks”), knowing that most devices automatically re-join hotspots they’ve used in the past. Hackers can even redirect your unencrypted traffic, sending you to malicious sites.
Publishing/Migration/Loading
The process by which search terms are applied to a collection and the results are loaded to a review database.
Quality Assurance
Planned and systematic actions necessary to provide sufficient confidence that an agency’s/laboratory’s product or service will satisfy given requirements for quality.
Quantitative Image Analysis
The act of gathering from an image measurable data.
RAID 5 (Redundant Array of Independent Disks)
Is configured to use multiple hard drives to create one (1) logical volume. RAID 5 uses a process called disk striping. Disk striping divides the data into block and distributes the data blocks across multiple configured hard drives. If one hard drive fails, the array maybe able to be rebuild by reading the data from all the remaining hard drives. If more than two (2) hard drives fail, there is a possibility the entire array will be loss.
RAM (Random Access Memory)
The short-term memory of the computer where application programs can be loaded and executed. RAM is lost when the power is shut off. The place in a computer where the operating system, application programs, and data in current use are kept so that they can be quickly reached by the computer’s processor.
Ransomware
Ransomware is malware that takes hold of your system and encrypts it, sometimes attacking individual files. Trying to access the encrypted files triggers a note that claims you are locked out until you make a payment (more than $600, on average). The messages sometimes appear to be from an official government agency accusing you of committing a cybercrime, which scares many into paying the ransom. Payment is often demanded in Bitcoins.
Recent Folder
Is a folder set up by Windows software. The folder tracks the most recently used (MRU’s) files, folders and other software-related features accessed by the computer user.
Reconstruction
The method in which damaged media is repaired facilitating the retrieval of data
Recycle Folder
The software to store deleted files uses the Recycle folder, which is usually set up by the Windows operating system. This folder gives the computer one last chance to undelete a file or folder that the user may not have wanted to delete in the first place. This folder is dynamic and can be manipulated by the user. When the folder is full, the operating system may prompt the user to empty it. The operating system may also continue to write over older deleted files and folders as the recycle folder fills up.
Recycle Bin
The default location that a file upon being deleted by a user is stored. When a file is in the Recycle Bin, the user can restore it to its original location; can deleted it from the Recycle Bin or deleted the entire Recycle Bin.
Registry
Microsoft defines as a centralized database used to store information necessary to configure the system for one or more users, applications, and hardware devices.
Regular Expression
A specific pattern that provides concise and flexible means to match strings of text, such as particular characters, words, or patterns of characters.
Reliability
The measure of how trustworthy a given piece of information is.
Reproducibility
The extent to which a process yields the same results on repeated trials.
Residual Data
Is inactive data on a computer system. Residual data includes information found on available media space, including data within files that has functionally been deleted in that it is not visible using the application with which the file was created, without use of undelete or special data recovery techniques.
Residue
Enclosed data in unused space or file slack. When referring to a filtered signal, residue is the algebraic difference between the filter output and its signal input.
Resolution
The act, process, or capability of distinguishing between two separate but adjacent parts or stimuli, such as elements of detail in an image, or similar colors.
Restoration
The process of repairing data from an image that has been damaged, due to a known cause (such as defocus or motion blur), so that the effects of the damage can be eliminated or decreased.
Review
The analysis performed on documents after publishing to a database. The review takes place in a review tool such as Concordance or Relativity. The analysis usually includes responsiveness to document requests, attorney-client privilege and key issues.
Route
A series of waypoints.
Router
A communications device that connects networks and transfers data between them.
Routing Switcher
A piece of equipment or software allowing one or more signal to be delivered to one or more devices.
S-Video
A signal in which the luminance and chrominance are separate.
SAM File
Contains information about users and groups associated with the computer. The SAM file found in local machines, on Windows NT and 2000, contains information about that specific machine, and only that machine. A machine that is connected to the network may have tow default accounts in the local SAM file, even if 10 different persons have logged onto it. The network logon process requires that users authenticate the user names and passwords through the domain sever. When a person logs onto a workstation computer, the information is sent to the domain server where it is authenticated. IF the authentication passes, the server sends a message back to the computer, which allows the logon to occur.
Sandbox
Is a safe place for running semi-trusted programs or scripts? The sandbox security model provides a tightly controlled set of resources for foreign programs to run in, such as a small “scratch-space” on the disk and a section of memory to carry out instructions.
Search Engines
A program that searches documents for specified keywords and returns a list of the documents where the keywords were found. Although search engine is really a general class of programs, the term is often used to specifically describe systems like Alta Vista and Excite that enable users to search for documents on the World Wide Web and USENET newsgroups. Typically, a search engine works by sending out a spider to fetch as many documents as possible. Another program, called an indexer, then reads these documents and creates an index based on the words contained in each document. Each search engine uses a proprietary algorithm to create its indices such that, ideally, only meaningful results are returned for each query.
Search Terms
Terms that are developed for targeted collection or review of documents…or both. Search terms are used in order to cut down on costs associated with reviewing full collection of documents.
Sector
A portion of a hard disk or floppy that may contain 512 bytes of data.
Security Identifier (SID)
The security identifier is used by Windows as unique number to differentiate one security entity from another. As an example, unique values are assigned to each new account associated with each user on the computer
.
Self-Collection
A self-collection occurs when the client chooses what documents will be collected for eventual review and production. The Court of Chancery has strongly advised against this See. Roffe v. Eagle Rock.
Server
On a network, the computer that contains the data or provides the facilities to be accessed by other computers on the network.
Sharpening
A process used to emphasize edge detail in an image by enhancing the high frequency components.
Shell Bags
Registry keys utilized by windows that tracks the size, position, and icons when using Windows Explorer.
Short Message Service
A text messaging service component of phone, Web, or mobile communication systems
Signature
Wiped Media that has been securely wiped in accordance with acceptable standards, such as those by NIST, utilizing a sector character signature that is unique.
SIM (A Subscriber Identity Module) Card
A portable memory chip used mostly in cell phones that operate on the Global System for Mobile Communications (GSM) network. These cards hold the personal information of the account holder, to include phone number, address book, and can contain limited text messages, and other data. The type or amount of data stored on a SIM card is limited and is also dependent on the carrier.
SIMS
Stands for “Short Message Service” also known as text messages.
Skimmer
A magnetic card reader used for illegal purposes.
Skype
A messenger application to transmit both text and video messages.
Software
Written programs or procedures and associated documentation pertaining to the operation of a computer system and that are stored in read/write memory. The two major categories of software are system software and application software.
Source Code
A computer program in its original, human-readable form. Source code is turned into binary code, which can be used by a computer in different ways depending on whether the language is compiled or interpreted.
Spear Phishing
Is a targeted phishing attack.12,13 Spear-phishing is a popular infection vector for malicious actors.14 Spear-phishing messages are tailored to the target recipient (e.g., individual or groups within an organization).15 There is a plethora of information available online about companies, their employees and contractors, current and past projects, policies and procedures, and their vendors and business associates. Spear-phishing messages may be particularly convincing when they contain “insider information” relevant to the targeted organization or individual. In addition, spear-phishing has been made more effective through the use of stolen vendor credentials.16 Thus, spear-phishing has been used to target healthcare organizations, either directly or indirectly (such as through vendors)
Spyware
Spyware is malware used by hackers to spy on you, so they can access personal information, banking account details, online activity, and anything else they may find valuable. On mobile devices, spyware can know your whereabouts, read your text messages, redirect calls, and much more.
Stand Alone Computer
A personal computer unconnected to any other computer or Network.
Standard Conversion
The transformation of one television system signal to another. For example, NTSC to PAL
Storage Media
Any physical device on which data is stored.
System Administrator (Sysadmin, sysop)
The individual in charge of managing a network, as well as over-seeing daily operations.
Systems Administrator
A person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers. The system administrator seeks to ensure that the uptime, performance, resources, and security of the computers they manage meet the needs of the users, without exceeding a set budget when doing so.
Targeted Collection
A collection of client’s data using narrow parameters such as date restrictions and search terms. This is normally done in an attempt to cut down on costs. This type of collection has its own risks; if it occurs before a meet and confer all custodians and search terms may not be known and may be subject to change.
Technical / Peer Review
The evaluation by experts of the quality and pertinence of reports, notes, data, conclusions, and other documents, produced by other experts in the same field.
Temporary Internet Files Directory
Is used by web browsers to cache pages and other multimedia content, such as video and audio files, from websites visited by the user
Temporary Internet Files Folder
Is sometimes referred to as a cache folder, stores graphics from web sites that are visited by the computer user. This is done automatically without any input from the computer user. This folder saves the graphics so the next time the computer user visits the web site, the loading of the web site will be faster because the graphic files are already on the computer.
Terabyte (TB)
One thousand billion (1,000,000,000,000) bytes; a measure of computer data storage capacity
The Falcon
A forensic imaging device that is used to acquire data in a forensically sound manner and verifies that the capture of the data is accurate and complete
The International Mobile Station Equipment
Identity is a number, usually unique to identify the device.
The Universal Forensic Extraction Device (UFED)
Tool is created by Cellebrite Mobile Synchronization. UFED is an industry standard iPhone imaging tool.
Thumbs.db Files
A thumbnail view is also commonly seen as a miniature picture that represents a larger graphic. The Microsoft Windows Operating System® generates thumbnails of larger graphic files and displays them to the user in the explorer window. Starting with Windows ME, the user could select View > Thumbnails from the drop down menu. This allowed the user to view thumbnails of the graphics in that folder instead of the details or icons normally viewed. When the user accesses this view a hidden file in created by the operating system in the folder where the graphic files are stored. These operating system created files are not visible to the common user. This system file is called a thumbs.db and is actually a database of the miniature images that exist in the folder from which they are initiated. An interesting aspect of the thumbs.db files is that when a graphic is viewed and an entry made for it in the database, it is maintained indefinitely by the operating system. If the graphic file is deleted, the image will remain unless the thumbs.db file or the entire folder is deleted.
TIFF
An image format file for high-quality graphics. Also called .TIFF, which stands for “Tagged Image Format File.” The standard file format for the production of document images.
TIFF (Tagged Image File Format)
One of the most widely supported graphic file formats. Files in TIFF format often end with a. tiff extension.
Time-Base Corrector (TBC)
An electronic device used to correct timing inconsistencies and stabilize the playback of the video signal for optimum quality. It also synchronizes video sources allowing image mixing.
Time Lapse Video Recording
Process by which images are recorded at less than the standard rate of frames per second (NTSC – 29.97; PAL – 25.00) thus extending the period of time that can be covered by the storage medium.
Timed Expiry
A feature of DVRs that allows the equipment to adhere to data retention policies that may be mandated in certain parts of the world which results in video data becoming inaccessible after a certain date. This may happen even when the unit is switched off.
Timeline / Sequence Reconstruction
The chronological order of succession of images, audio, or other data.
Track Log
A complete list of track points that a GPS device has created.
TrackPoint
A location automatically created and stored by a GPS device without user interaction as a record of where it has been.
Traditional Enhancement Techniques
Techniques that have direct counterparts in traditional darkrooms. They include brightness & contrast adjustment, color balancing, cropping, and dodging & burning.
Transcode
To convert between formats or encoding methods.
Transmission Control Protocol / Internet Protocol (TCP/IP)
The protocols that define how data is transferred between two computers over the Internet or a private network.
Triage
The process by which items considered for collection or analysis are prioritized to determine the order in which they should be collected and/or analyzed, if at all.
Trojan
Can enter a computer secretly and quietly and can be destructive in nature. A Trojan typically installs a virus or worm on to the computer it has entered. Trojans can also install programs that allow someone else to have control over the user’s computer. Trojans usually come attached to another file, such as an .avi, or .exe, or even a .jpg. Computer users fail to see full file extensions, so what may appear, as games.zip in reality could be games.zip.exe. Once the computer user opens up the file, the Trojan will activate.
Trusted Media
Media of a known state and risk to the examination.
Unallocated Space
Clusters within a logical volume or partition that are not currently allocated to a file, folder, or object within the volume. Unallocated space or unallocated clusters may contain data from previous file, folder, or object.
Unallocated Space / Free Space
Defined as the unused portion of the hard drive or free space. File slack is the unused space that is created between the end-of-file marker and the end of the hard drive cluster.
Unused Space
Sectors on the media that have not been allocated to a given partition or volume on the physical media and may contain data from a previous partition.
URL (Uniform Resource Locator)
A way of specifying the location of something on the Internet. A uniform resource locator, abbreviated URL, also known as web address, is a specific character string that constitutes a reference to a resource.
User Created File
A file that was created because of the actions of the user, with or without intent or awareness, creating data by a person or person’s interacting with a computer system.
User Profile
Windows compartmentalizes a user’s configurations, environment, and document files into subfolders. By applying security credentials and permissions to each user’s folder, one user is generally precluded from accessing another user’s data, unless the user is granted such privileges.
User Assist Key
Contains information about the executable files and links that you open frequently complete with running count and last execution date and time.
Validation
The action (or process) of proving that a procedure, process, system, equipment, software, or method used works as expected and achieves the intended result.
Validation Testing
An evaluation to determine if a tool, technique or procedure functions as expected and achieves the intended result.
Variable Focal Length Lens (Zoom)
A lens that the focal length can be continuously changed between set limits. It can range from wide angle to telephoto.
Vector scope
An electronic device that measures a video signal’s chrominance (color) performance.
Verification
The process of confirming the accuracy of an item to its original. In the context of hardware and software systems, formal verification is the act of proving or disproving the correctness of a system with respect to a certain formal specification or property, using formal methods.
VHDX
A file format which represents a virtual hard disk drive
Video
The electronic representation of a series of images in sequence, to simulate motion and interactivity.
Video Analysis
The examination of digital and multimedia evidence, which involves the scientific assessment, comparison, and/or evaluation of video involving legal matters.
Video Distribution Amplifier
A device used to divide single video signals, while boosting their strength for delivery to multiple video devices.
Video Enhancement
A procedure intended to improve the visual appearance of video sequences or specific features within video sequences.
Video Stabilization
The process of positioning individual frames so that a selected object or person will remain in the same location as the video is played.
Virtual Private Network
Virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Applications running across a VPN may therefore benefit from the functionality, security, and management of the private network.
Virus
A program or a string of code which can infect other programs by modifying their code to replicate itself or cause the modification or destruction of software or cardholder data.
Volume Shadow Copy
Is a service that creates and maintains snapshots (“shadow copies”) of disk volumes in Windows 7 and Vista. It enables the restore of system files to a previous state in case of a system failure. Volume Shadow Copy maintains snapshots of entire volumes. It protects all the data on that volume, including all the system files, program files, user settings, documents, etc.
Volume Slack
Sectors remaining at the end of the volume or partition that cannot be allocated to a cluster.
VPN (Virtual Private Network)
A private network that utilizes a public telecommunication infrastructure. A VPN uses “tunnelling” to encrypt all information ensuring the network remains private and secure
Waveform Monitor
An electronic device that provides a graphic display of a video signal.
Waypoint
A location that is stored by a GPS device based on user interaction.
Web
The World Wide Web implied by the www prefix in many web site URLs. On the web, using browsers, who often communicate using Hypertext Mark-up Language (HTML), transfers information.
Web-Based Email
Usually free email accounts that are operated from a website. Examples include Hotmail, Gmail and Yahoo Mail. Webmail allows the users to access their emails as long as they have access to an Internet connection and a web browser.
Websites
Web sites and newsgroup addresses are very dynamic and change on a monthly, weekly or daily basis. The web site addresses found in the Internet Explorer history viewer (subsections of this report) can be visited by typing in the addresses into any Internet browser. Referenced images may be located by doing this but there is no way to tell if the site was the same as the day the suspect may have visited the site.
Whaling
A targeted phishing attack that is aimed at wealthy, powerful, or prominent individuals (e.g., C-suite executives such as chief financial officers and chief executive officers, politicians, and celebrities). 18, 19, 20 But, others use the term “whaling” to mean an attack that involves malicious actors masquerading as such individuals.21 As an example, a malicious actor may masquerade as a hospital’s chief financial officer (“CFO”) and trick the recipient into divulging bank account information, employee information, corporate financial information, and/or transferring funds to an account that is controlled by the actor.
Windows
Microsoft Windows is a group of graphical operating systems, all of which are developed, marketed, and sold by Microsoft. Some of the well-known client versions include Windows 98, ME, XP, Vista, and 7. Windows 10 is the most recent version. Server versions include Windows NT Server, 2000 Server, 2003 Server, and Server 2008 R2. Windows Server 2016 is the most recent server version.
Windows Events
Are records of alerts given by various programs. Each Windows Event belongs to one of three categories: Application – Events triggered by third-party applications (i.e. Application Errors). Security – Actions taken by Window to secure its environment (i.e. Login). System – Internal actions of the Windows OS (i.e. Control Panel Information).
Work Copy
A reproduction of a recording or data that can be used for the ensuing of processing and/or analysis of data
World Wide Web
Often referred to as WWW or the Web, this usually refers to information available on the Internet that can be easily accessed with software usually called a “browser.” Organizations publish their information on the Web in a format known as HTML. The “Web” is capable of delivering multimedia materials such as text, graphics, sound and moving video. Hypertext links allow a quick and easy way to move seamlessly from one source of information to another across computers from all around the globe.
WORM (Storage) Write Once, Read Many
A storage technology that allows media to be written only once but read an unlimited number of times.
Write Block / Write Protect
Hardware and/or software methods of preventing alteration of media content.
.ZIP
A computer file whose contents of one or more files are compressed for storage or transmission, often carrying the extension.
Tagged as: Volatility, data recovery, Cyber Investigations, Forensic Lab, Chain of Custody, Forensic Tools, Forensic Expert, CyberSecurity, Cybercrime Analysis, File Carving, Malware Analysis, Steganography, Digital forensics, Forensic Imaging, Timestamp, Network forensics, Memory Forensics, File System Analysis, Investigative Techniques, Forensic Examination, Digital Forensic Glossary, Forensic analysis, Forensic Reporting, Incident response, Forensic Acquisition, Hawk Eye Forensic, Data Preservation, Hashing, hawk eye forensic lab, Electronic Evidence.
Computer Forensics Anjali Singhal
HFS+ and APFS vs exFAT and NTFS: Which File System is Best for Mac Forensic Imaging? When it comes to selecting the destination drive format for Mac forensic imaging, there ...
Copyright 2023 all rights reserved by Hawk Eye Forensic.
Post comments (0)