Glossary

A

Address Resolution Protocol (ARP) A protocol used on the Internet to map computer network addresses to hardware addresses.

admissible evidence Evidence that meets all regulatory and statutory requirements and has been properly obtained and handled.

allocation unit Another term for cluster.

ASCII (American Standard Code for Information Interchange) A single-byte character encoding scheme used for text-based data.

asymmetric key algorithm An encryption algorithm that uses one key to encrypt plaintext and another key to decrypt ciphertext. Also called public key algorithm.

auditing The process of tracking who’s logging in and accessing what files.

B

Basic Input Output System (BIOS) Responsible for booting the computer by providing a basic set of instructions.

best evidence rule Whenever a document is presented as evidence, you must introduce the original document if at all possible. A copy may be introduced only if the original is not available.

best practices A set of recommended guidelines that outline a set of controls to improve internal and business processes, performance, quality, and efficiency.

bit stream backup Bit stream backups (also known as mirror image or evidence grade backups) are used to create an exact replica of a storage device.

Bluetooth A standard developed to allow various types of electronic equipment to make their own connections by using a short-range (10 meter) frequency-hopping radio link between devices.

body language Communication using body movements, gestures, and facial expressions.

brute force attack Attack that systematically tries every conceivable combination until a password is found or until all possible combinations have been exhausted.

C

cache Space on a hard disk used to improve performance speed by storing recently accessed data so that future requests for that data can be served faster locally.

CD/DVD-ROM/RW drive A drive, either internal or external, that is used to read and/or write CDs and DVDs. A compact disc (CD) can store large amounts of digital information (650 MB to 750 MB) on a very small surface. Single-sided, single-layer DVDs hold 4.70 GB, while double-sided double-layer DVDs hold more than 17 GB of digital information. CDs and DVDs are incredibly inexpensive to manufacture.

chain of custody Documentation of all steps that evidence has taken from the time it is located at a crime scene to the time it’s introduced in a courtroom. All steps include collection, transportation, analysis, and storage processes. All accesses to the evidence must be documented as well.

checksum A value that can help detect data corruption. A checksum is derived by summing the bytes (or some other chosen unit) of a string of data. At a later time, especially after the data has been transmitted or copied, the same calculation is performed. If the resulting value does not match the original value, the data is considered to be corrupt.

chosen plaintext attack An attack to decrypt a file characterized by comparing ciphertext to a plaintext message you chose and encrypted.

cipher An algorithm for encrypting and decrypting.

cloning A process used to create an exact duplicate of one media on another like media.

cluster Operating systems normally write in clusters. An entire cluster is reserved for each file even if the file’s data requires less storage than the cluster size. The space that is not used by the file is called slack space.

Complementary Metal Oxide Semiconductor (CMOS) chip On-board semiconductor chip used to store system information and configuration settings when the computer is either off or on.

computer evidence Any computer hardware, software, or data that can be used to prove one or more of the five Ws and the H for a security incident—namely, who, what, when, where, why, and how.

computer forensics Computer investigation and analysis techniques that involve the identification, preservation, extraction, documentation, and interpretation of computer data to determine potential legal evidence.

connector The part of a cable that plugs into a port or interface to connect devices. Male connectors are identified by exposed pins. Female connectors are identified by holes into which the male connector can be inserted.

cookie Small text file placed on a computer’s hard drive as users browse Web sites. Each cookie file contains a unique number that identifies users to the Web site’s computers upon the user’s return to the site.

covert channel Method by which an entity receives information in an unauthorized and obscure manner.

cross examination Questions asked by opposing counsel to cast doubt on testimony provided during direct examination.

cryptography The science of hiding the true contents of a message from unintended recipients.

cyclic redundancy check (CRC) A common technique for detecting data transmission errors. Each transmitted message carries a numerical value based on the number of set bits in the message. The receiving device then applies the same formula to the message and checks to make sure the accompanying numerical value is the same, thereby verifying data integrity.

D

dd utility Copy and convert utility. Originally included with most versions of UNIX and Linux, versions now exist for Windows as well.

decrypt To translate an encrypted message back into the original unencrypted message.

demonstrative evidence Evidence that illustrates or helps to explain other evidence. Usually demonstrative evidence consists of some kind of visual aid.

deposition Testimony that is reduced to written form. (Video recorded depositions are also transcribed and reduced to written form, and both the written transcription as well as the video recording of the testimony may be admitted in court.)

desktop A PC designed to be set up in a permanent location because its components are too large or heavy to transport easily.

dictionary attack An attack that tries different passwords defined in a list or database of password candidates.

direct examination Initial questions asked of a witness to extract testimony.

disaster recovery The ability of an organization to recover from an occurrence inflicting widespread destruction and distress.

distributed denial of service (DDoS) attack An attack that uses one or more systems to flood another system with so much traffic that the targeted system is unable to respond to legitimate requests for service or access.

documentary evidence Written evidence, such as printed reports or data in log files. Such evidence cannot stand on its own and must be authenticated.

E

electromagnetic fields Produced by the local buildup of electric charges in the atmosphere. They can damage computer components. They are present everywhere in our environment but are invisible to the human eye.

electronic discovery or e-discovery The process whereby electronic documents are collected, prepared, reviewed, and distributed in association with legal and government proceedings.

electrostatic discharge (ESD) Buildup of electrical charge on a surface that is suddenly transferred to another surface when it is touched.

e-mail header Data at the beginning of an electronic message that contains information about the message.

encrypt To obscure the meaning of a message to make it unreadable.

encryption key A code that enables the user to encrypt or decrypt information when combined with a cipher or algorithm.

expert witness A person called to testify in a court of law who possesses special knowledge or skill in some specific area that applies to a case.

Extended Binary Coded Decimal Interchange Code (EBCDIC) A character encoding set used by IBM mainframes. Most computer systems use a variant of ASCII, but IBM mainframes and midrange systems, such as the AS/400, use this character set primarily designed for ease of use on punched cards.

extended FAT (exFAT) Sometimes (and incorrectly) called FAT64, this extended version of the FAT file system was developed to keep FAT working with the kinds of large hard disks (1 TB and larger) now so widely installed in modern desktop and notebook PCs.

extension checker A utility that compares a file’s extension to its header. If the two do not match, the discrepancy is reported.

external hard drive A hard disk in an external enclosure with its own power supply and data interface(s). Nearly all external hard disks support USB; many support higher-speed interfaces such as eSATA or FireWire (IEEE 1394).

external Serial Advanced Technology Attachment (eSATA) Interface technology that permits external hard drives to use the same high-speed SATA interface that internal hard drives use.

F

Federal Rule of Civil Procedure 26 Federal Rule 26 states the General Provisions Governing Discovery and Duty of Disclosure. Section (a) states Required Disclosures and Methods to Discover Additional Matter.

File Allocation Table (FAT) A simple file system used by DOS but supported by later Microsoft (and other) operating systems. The FAT resides at the beginning of a disk partition and acts as a table of contents for stored data.

file viewer A utility that provides thumbnail images of files. Such tools are useful for scanning a group of files visually.

file system An operating system’s method for organizing, managing, and accessing files through logical structures on a hard drive.

FireWire An IEEE-1394 technology that implements a high-performance, external bus standard for rapid data transfer and streaming multimedia (such as video).

forensic compression The compacting of an image file by compressing redundant sectors to reduce the amount of space it takes up.

forensic duplicate A process used to copy an entire hard drive that includes all bits of information from the source drive stored in a raw bit stream format.

forensic suite Set of tools and/or software programs used to analyze a computer for collection of evidence.

forensically sound Procedures whereby absolutely no alteration is caused to stored data. All evidence is preserved and protected from all contamination.

H

hard evidence Real evidence conclusively associated with a suspect or activity.

hardware write blocker A hardware device that is plugged in between the disk controller and the physical disk and blocks any write requests.

hash A mathematical function that creates a fixed-length string from a message of any length. The result of a hash function is a hash value, sometimes called a message digest. Hash functions are one-way functions. That is, you can create a hash value from a message, but you cannot create a message from a hash value.

host protected area (HPA) Area of a hard drive created specifically to allow manufacturers to hide diagnostic and recovery tools. (Sometimes referred to as hidden protected area or hardware protected area.)

hybrid attack A modification of the dictionary attack that tries different permutations of each dictionary entry.

I

imaging The process of creating a complete copy of a disk drive where the disk is copied sector-by-sector.

incident A threatening computer security breach that can be recovered from in a relatively short period of time.

incident response The action taken to respond to a situation that can be recovered from relatively quickly.

incident response plan The actions an organization takes when it detects an attack, whether ongoing or after the fact.

incident response team (IRT) A team of individuals trained and prepared to recognize and immediately respond appropriately to any security incident.

input/output (I/O) Data transfer that occurs between the thinking part of the computer, or CPU, and an external device or peripheral. For example, when you type on a keyboard, that device sends input to the computer. Usually software directs the computer to output what you type on a screen.

International Association of Computer Investigative Specialists (IACIS) International volunteer corporation comprised of federal, state, local, and international law enforcement professionals who are committed to education in the field of forensic computer science.

intrusion Any unauthorized access to a computer, including the use, alteration, or disclosure of programs or data residing on the computer.

intrusion detection Using software and hardware agents to monitor network traffic for patterns that may indicate an attempt at intrusion.

IP address A unique identifier for a computer or device on a TCP/IP network.

J

Jaz disk Older form of portable storage media consisting of a removable hard disk in a protective plastic shell introduced by Iomega in 1995. Production was discontinued in 2003.

K

key logger Device that intercepts, records, and stores everything typed on a keyboard into a file. This includes all keystrokes, even passwords.

KISS method KISS stands for “Keep It Simple, Stupid.” This acronym reminds us to avoid making things more complicated than they need to be.

known plaintext attack An attack to decrypt a file characterized by comparing known plaintext to the resulting ciphertext.

M

MAC time Set of time stamps associated with a file. The time stamps describe the last time the file was modified (mtime), accessed (atime), and created (ctime).

malware Another name for malicious code. This includes viruses, logic bombs, and worms.

Message Digest 5 (MD5) MD5 is a one-way hash function, meaning that it takes a message and converts it into a fixed string of digits, which is then used to verify that the message hasn’t been altered.

metadata Data component that describes other data. In other words, it’s data about data.

mobile device A catch-all term that refers to handheld computing and communications devices, including cell phones, smartphones, handheld computers, and even so-called personal digital assistants (PDAs). All handheld devices have some of the following capabilities: general computing including web access and compact local applications (called apps), wireless Internet and networking components, wireless telecommunications, global positioning systems (GPS), e-mail access, and phone/address book capabilities. Mobile devices generally use flash memory instead of a hard drive for storage to keep them as light and small as possible.

modem A shorthand version of the words modulator-demodulator. A modem is used to send digital data over a phone line. The sending modem converts digital data into a signal that is compatible with the phone line (modulation), and the receiving modem then converts that signal back into digital data (demodulation).

multiboot system System that can boot, or start, and then run more than one operating system (though only one at a time).

N

Netstat A utility that displays the active port connections on which the computer is listening.

Network File System (NFS) Provides remote access to shared file systems across networks. The primary function of NFS is to mount directories to other computers. These directories can then be accessed as though they were local.

New Technology File System (NTFS) A file system supported by Windows NT and higher-level Windows operating systems, including Windows Server 2000, 2003, and 2008, and Windows XP, Vista, and 7.

O

open source Code that the code creator makes available under a license that permits end users to freely redistribute the source code, make modifications to the source code, and create derivative works.

operating system Acts as a director and interpreter between the user and all the software and hardware on the computer.

P

packet Unit of information routed between an origin and a destination. A file is divided into efficient-size packets for transmission.

passcode A character string used to authenticate a user ID to perform some function, such as encryption key management.

password A string of characters that security systems use to authenticate, or verify, a user’s identity. Security systems compare passwords a user provides during login to stored values for the user account. If the value provided (password) matches the stored value, the security subsystem authenticates the user. Most operating systems store passwords when users create login accounts.

password cracking Attempting to discover a password by trying multiple options and continuing until you find a successful match.

PC A personal computer intended for generic use by an individual. PCs were originally known as microcomputers because they were built on a smaller scale than the systems most businesses used at the time.

personal digital assistant (PDA) Tightly integrated handheld device that combines computing, Internet, and networking components. A PDA can use flash memory instead of a hard drive for storage.

port scanner Program that attempts to connect to a list of computer ports or a range of IP addresses.

private key algorithm An encryption algorithm that uses the same key to encrypt and decrypt. Also known as symmetric key algorithm.

protocol A set of rules and conventions that govern how computers exchange information over a network medium.

public key algorithm An encryption algorithm that uses one key to encrypt plaintext and another key to decrypt ciphertext. Also called asymmetric algorithm.

R

real evidence Any physical objects you can bring into court. Real evidence can be touched, held, or otherwise observed directly.

relevant evidence Evidence that serves to prove or disprove facts in a case.

Request for Comments (RFC) Started in 1969, RFCs are a series of notes about the Internet. An Internet document can be submitted to the Internet Engineering Task Force (IETF) by anyone, but the IETF decides when and if a document becomes an RFC. Each RFC is designated by an RFC number. Once published, an RFC never changes. Modifications to an original RFC are assigned a new RFC number.

router Device (or software) that determines the next network point to which a packet should be forwarded on the way to its destination.

S

search warrant A court order that allows law enforcement to search and/or seize computer equipment without providing advance warning to its owner.

searching tool A tool that searches for patterns (mostly string patterns) in large file collections.

Second/Third Extended Filesystems (ext2/ext3) State-based file systems used by the Linux operating system.

security policies Specifications for a secure environment, including such items as physical security requirements, network security planning details, a detailed list of approved software, and human resources policies on employee hiring and dismissal.

server A computer with sufficient processing power and storage capacity to provide services to other computers over a network. Servers often include multiple processors, large amounts of memory, and many sizable hard drives. They also often incorporate two or more high-speed network interfaces (Gigabit Ethernet, also known as GbE, or better).

signature analysis Technique that uses a filter to analyze both the header and the contents of the datagram, usually referred to as the packet payload.

site survey Notes, photographs, drawings, and any other documentation that describes the state and condition of a scene.

slack space Space on a hard disk between where the file ends and where the disk storage cluster ends.

social engineering A method of obtaining sensitive information (for example, about a company) through exploitation of human nature.

software write blocker Software that sits between the operating system and the disk driver that blocks all write requests.

spanning across multiple discs Breaks the image file into chunks of a certain size so the image file can be backed up onto multiple CDs or other media.

steganography Process of passing information in a manner that hides the existence of one message inside another file or message.

subpoena A court order that compels an individual or organization to surrender evidence.

substitution cipher A cipher that substitutes each character in the original message with an alternate character to create the encrypted message.

summons A court order that compels a witness to appear in court and answer questions.

swap file Space on the hard disk used as the virtual memory extension of a computer’s actual memory.

symmetric key algorithm An encryption algorithm that uses the same key to encrypt and decrypt. Also known as private key algorithm.

T

temporary Internet files Copies of all HTML, GIF, JPG, and other files associated with the sites a user has visited on the Internet.

testimonial evidence Evidence consisting of witness testimony, either in verbal or written form. Testimonial evidence may be presented in person by a witness in a court or in the form of a recorded deposition.

trace evidence Traces of data either left behind or found with a criminal that can be used to prove that a crime was committed.

traceroute A command used to trace the route a network packet takes, showing the sending and receiving hosts as well as every intermediate hop along the way to its destination.

Transmission Control Protocol/Internet Protocol (TCP/IP) network A network that uses the TCP/IP protocol.

Trojan horse program In computers, a type of program or code that appears to be legitimate or harmless but contains malicious or harmful instructions that may allow unauthorized users access to the victim’s computer system.

U

unerase tool A utility that assists in recovering previously deleted files. In some cases, files can be completely recovered. At other times, only portions of a file can be recovered.

Universal Serial Bus (USB) A connectivity standard that allows for the connection of multiple devices without the need for software or hardware.

UDP datagram A message sent using the User Datagram Protocol (UDP), a network protocol used on the Internet. UDP allows applications to send datagrams to other hosts on an Internet Protocol (IP) network without requiring prior communications to set up special transmission channels or data paths.

USB flash drive (UFD) A small, portable, high-capacity flash memory device that attaches to a computer or mobile device via a Universal Serial Bus (USB) port.

user ID A string of characters that identifies a user in a computing environment.

V

Virtual FAT (VFAT) Also called FAT32, an enhanced version of the FAT file system that allows for names longer than the 8.3 convention and uses smaller allocation units on the disk.

virus A program or piece of code that is loaded onto a computer without the user’s knowledge and is designed to attach itself to other code and replicate. The virus replicates when an infected file is executed or launched.

voluntary surrender Permission granted by a computer equipment owner to search and/or seize equipment for investigative purposes.

W

war dialing Automated software that attempts to dial numbers within a given range of phone numbers to determine if any of those numbers are actually used by modems accepting dial-in requests.

wireless access point (WAP) Network device that contains a radio transmitter/receiver that is connected to another network. A WAP provides wireless devices access to a regular wired network.

workstation A high-end desktop computer that delivers enhanced processing power, significant memory capacity, and performs special functions, such as software or game development, CAD/CAM design, finite element analysis, and so forth.

worm Similar in function and behavior to a virus, except that worms do not need user intervention. A worm takes advantage of a security hole in an existing application or operating system and then finds other systems running the same software and automatically replicates itself to the new hosts.

Z

Zip disk Older form of portable storage media, somewhat larger than a floppy disk. Stores hundreds of megabytes of data.
