Glossary

32-bit register In computer architecture, a processor register (or general purpose register) is a small amount of storage available on the CPU whose contents can be accessed more quickly than storage available elsewhere.

Typically, this specialized storage is not considered part of the normal memory range for the machine.

Registers are normally measured by the number of bits they can hold, for example, an “8-bit register” or a “32-bit register.”

absolute address An explicit identification of a memory location, peripheral device, or location within a device.

For example, memory byte 413,679, disk drive 1, and sector 451 are absolute addresses.

The computer uses absolute addresses to reference memory and peripherals.

active partition The partition the boot code will load the operating system from. In an MBR partition table it is the entry whose boot indicator byte is set to 0x80; only one entry should be marked active. The MBR code loads that partition’s boot sector, which in turn “boots up” the operating system.

address Every byte in a file is assigned a number, called its address, starting at 0 for the first byte of the file, 1 for the second byte, and so on.

allocated Assigned. Typically refers to disk space (see Allocated space).

Any cluster currently assigned to a file is considered allocated.

allocated space Space on a storage device (e.g., a disk) that the file system has assigned to a file or directory; its clusters are marked in use and will not be handed out to new files.

array A grouping of similar types of data, referenced as sequential locations. The absolute locations of items in an array may not truly be sequential in a managed memory environment. Some different types are strings and multidimensional arrays.

ASCII Abbreviation for American Standard Code for Information Interchange. A standard code used to store textual characters in memory, in which each of 128 characters is represented by a unique seven-bit value; in practice each character occupies one eight-bit byte with the high bit clear (vendor “extended ASCII” variants use the high bit for 128 more characters).

asymmetric key encryption A cryptographic approach that involves the use of asymmetric key algorithms instead of or in addition to symmetric key algorithms.

Unlike symmetric key algorithms, it does not require a secure initial exchange of secret keys between sender and receiver, though each party still needs an authentic copy of the other’s public key. The asymmetric key algorithms are used to create a mathematically related key pair: a secret private key and a published public key.

Use of these keys allows protection of the authenticity of a message by creating a digital signature of a message using the private key, which can be verified using the public key.

It also allows protection of the confidentiality of a message by public key encryption: the message is encrypted with the recipient’s public key and can be decrypted only with the matching private key. Encryption by itself does not protect integrity or authenticity; a digital signature or a message authentication code is needed for that.

ATA interface The AT Attachment interface, one of two major standards for connecting storage media devices like hard drives to personal computers (PCs). The opposing standard is SCSI.

PATA is the Parallel ATA specification. Often incorrectly referred to as IDE (Integrated Device Electronics) by a lot of vendors. SATA is the Serial ATA specification.

ATAPI is an extension of the ATA standard for optical media, like CD, DVD, and Blu-ray.

attribute In NTFS, every file or directory is described by a Master File Table (MFT) record of fixed size (typically 1 KB) that holds a sequence of variable-length attributes ($STANDARD_INFORMATION, $FILE_NAME, one $DATA attribute per stream, and so on), each a descriptor of one stream of the file, with padding after the last attribute. When the attributes do not fit in one record, an $ATTRIBUTE_LIST attribute points to the additional MFT records that hold the rest.

b-tree A balanced search tree in which every node has between m/2 and m children, where m > 1 is a fixed integer; m is the order.

The root may have as few as two children. This is a good structure if much of the tree is in slow memory (disk), since the height, and hence the number of accesses, can be kept small, say one or two, by picking a large m.

bad clusters A bad cluster is a hard disk cluster that has been flagged by the file system as being corrupted or damaged in some way and thus will no longer be used for storing data.

base-16 character code This encoding is the standard case- insensitive HEX encoding and may be referred to as “base 16” or “HEX.”

A 16-character subset of US-ASCII is used, enabling four bits to be represented per printable character.

base address The starting address (beginning point) of a program or table.

basic input/output system (BIOS) Firmware that can control much of a computer’s input/output functions, such as communications with the internal and external media drives (e.g., zip, CD, floppy, etc.) and the monitor. It is also called ROM BIOS.

best evidence rule The legal doctrine that an original piece of evidence, particularly a document, is superior to a copy. If the original is available, a copy will not be allowed as evidence in a trial.

binary search A technique for searching an ordered list in which we first check the middle item and—based on that comparison—“discard” half the data. The same procedure is then applied to the remaining half until a match is found or there are no more items left.

binary system A system of arithmetic used with computers, also called Base 2, that is based on the digits 0 and 1.

bit Abbreviation for “binary digit.” The fundamental storage unit of computer memory, a bit has one of two values: 0 or 1.

bit for bit image A bitstream image is an exact replica of each bit (or binary digit—the smallest unit of data in a computer) contained in the electronic storage media.

Bitstream images obtained from electronic storage media are essentially a snapshot of the media at that particular point in time.

block cipher An encryption scheme in which the data is divided into fixed-size blocks (64 bits for DES-era ciphers, 128 bits for AES), each of which is transformed by a keyed permutation.

Encrypting every block independently (electronic codebook, ECB, mode) is cryptographically undesirable because equal plaintext blocks produce equal ciphertext blocks and patterns in the data show through, so a block cipher is normally used in a chaining or feedback mode (such as CBC or CTR) in which the output from one block affects the way the next is encrypted.
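The following is an added example (not from this glossary) that makes the ECB/CBC difference observable: a deliberately weak toy 64-bit block cipher (an XOR-rotate-XOR permutation, not a real cipher) is run in both modes over a message with repeated blocks, and the number of duplicated ciphertext blocks is counted. The key, IV and message are constructed.

```python
"""ECB versus CBC over a deliberately weak toy block cipher (added example, not from the glossary)."""
import os

BLOCK = 8  # 64-bit blocks, the size the entry above mentions
MASK64 = (1 << 64) - 1


def _rotl64(x, n):
    return ((x << n) | (x >> (64 - n))) & MASK64


def _rotr64(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def toy_block_encrypt(key, block):
    """Keyed, invertible 64-bit permutation. NOT a secure cipher (it is linear);
    it only stands in for DES/AES so that the behaviour of the modes can be observed."""
    k = int.from_bytes(key, "big")
    x = int.from_bytes(block, "big")
    return (_rotl64(x ^ k, 13) ^ k).to_bytes(BLOCK, "big")


def toy_block_decrypt(key, block):
    k = int.from_bytes(key, "big")
    y = int.from_bytes(block, "big")
    return (_rotr64(y ^ k, 13) ^ k).to_bytes(BLOCK, "big")


def pad(data):
    """PKCS#7: always append 1..BLOCK bytes so the last block is unambiguous."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    # every block encrypted on its own: equal plaintext blocks give equal ciphertext blocks
    return b"".join(toy_block_encrypt(key, b) for b in _blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(toy_block_decrypt(key, b) for b in _blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    # chaining: each plaintext block is XORed with the previous ciphertext block first
    out, prev = [], iv
    for b in _blocks(pad(plaintext)):
        prev = toy_block_encrypt(key, bytes(p ^ c for p, c in zip(b, prev)))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for c in _blocks(ciphertext):
        p = toy_block_decrypt(key, c)
        out.append(bytes(x ^ y for x, y in zip(p, prev)))
        prev = c
    return unpad(b"".join(out))


def repeated_blocks(ciphertext):
    """Number of ciphertext blocks that duplicate an earlier one: the pattern leak ECB is known for."""
    blocks = _blocks(ciphertext)
    return len(blocks) - len(set(blocks))


if __name__ == "__main__":
    key = b"\x01\x23\x45\x67\x89\xab\xcd\xef"   # constructed key
    msg = b"ATTACK AT DAWN. " * 4                # two distinct 8-byte blocks, each repeated four times
    ecb = ecb_encrypt(key, msg)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), msg)
    print("ECB repeated blocks:", repeated_blocks(ecb))   # 6: the message structure shows through
    print("CBC repeated blocks:", repeated_blocks(cbc))
```

Under ECB the 9-block ciphertext contains only 3 distinct blocks, so an observer can tell the message is periodic without knowing the key; under CBC with a fresh random IV every block differs. Note that CBC still needs a MAC or authenticated mode on top: chaining hides patterns but does not detect tampering.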

boot sector Reserved sectors on disk that are used to load the operating system. On startup the firmware reads the master boot record (MBR), the very first sector of the disk (LBA 0), into memory and executes it.

The MBR contains a small program that reads the partition table stored in the same sector and locates the active partition; the first sector of that partition is its boot sector (volume boot record).

That sector contains another small program that loads the operating system (or its boot loader) from the partition.

byte A group of bits (usually eight bits), which usually represents one character of text data, such as a letter, digit, or special character.

byte offset A byte offset, typically used to index into a string or file, is a zero-based number of bytes. For example, in the string “this is a test,” the byte offset of “this” is 0, of “is” is 5, “a” is 8, and “test” is 10.

This is not always the same as the “character offset.” Some characters, such as Chinese ideograms, require two or more bytes to represent. Using ASCII characters only will ensure that the byte offset is always equal to the character offset.

For example, given an array of characters A containing “abcdef,” one can say that the element containing the letter c has an offset of 2 from the start of A.

carving (data) The process of reassembling computer files from fragments in the absence of filesystem metadata. Data carving is the main technique for recovering files from unallocated drive space or from a disk whose file system is badly corrupted.

The carving process makes use of knowledge of common file structures (such as headers, footers and magic numbers), information contained in files, and heuristics regarding how filesystems fragment data. Fusing these sources of information, a file carving system infers which fragments belong together.

File carving is a highly complex task with a potentially huge number of permutations to try, so carving software relies on models and heuristics, both to keep execution time tractable and to improve the accuracy of the results. It can be slow, but if a file is critical it is well worthwhile, and far quicker than reassembling fragments by hand.

chain of custody A legal term that refers to the ability to guarantee the identity and integrity of the specimen from collection through reporting of the test results.

It is a process used to maintain and document the chronological history of the specimen. (Documents should include name or initials of the individual collecting the specimen, each person or entity subsequently having custody of it, the date the specimen was collected or transferred, the employer or agency, specimen number, patient’s or employee’s name, and a brief description of the specimen.)

A secure chain of custody, together with the analytical techniques used by the investigator to acquire the evidence, leads to the production of a legally defensible report.

character code A code that pairs a set of natural language characters (such as an alphabet or syllabary, a set of written symbols that represent or approximate syllables, which in turn make up words) with a set of something else, such as numbers or electrical pulses.

Common examples include Morse code, which encodes letters of the Roman alphabet as series of long and short depressions of a telegraph key; and ASCII, which encodes letters, numerals, and other symbols as both integers and seven-bit binary versions of those integers.

child (children) In a tree, nodes can point to the roots of subtrees. The roots of the subtrees below a given node are the children of that node.

cipher In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption—a series of well-defined steps that can be followed as a procedure.

clock skew Differences in clock signal arrival times across the chip.

cluster The logical unit of file storage on a hard disk; it’s managed by the computer’s operating system.

Any file stored on a hard disk takes up one or more clusters of storage. A file’s clusters can be scattered among different locations on the hard disk.

Since a cluster is a logical rather than a physical unit (it’s not built into the hard disk itself), the size of a cluster can be varied.

CMOS [complementary metal oxide semiconductor] battery A battery that maintains the time, date, hard disk, and other configuration settings in the CMOS memory. CMOS batteries are small and are attached directly to the motherboard.

CMOS memory A small, battery-backed memory bank in a computer that holds configuration settings.

code points In character encoding terminology, a code point or code position is any of the numerical values that make up the code space.

common law rule of evidence The best evidence rule is a common law rule of evidence, which can be traced back at least as far as the eighteenth century. In Omychund v Barker (1745) 1 Atk, 21, 49; 26 ER 15, 33, Lord Hardwicke stated that no evidence was admissible unless it was “the best that the nature of the case will allow.”

The best evidence rule was predicated on the assumption that if the original was not produced, there was a significant chance of error or fraud in relying on such a copy.

compiled program A “compiler” takes source code and converts it into machine code.

Compilers are programs that take text files (source code) as input and, through lexical analysis, parsing, optimization and code generation, produce a file of executable machine code (the program). The result runs on the CPU directly.

compound file Compound File Binary Format (CFBF), also called Compound File for short, is a file format for storing numerous files and streams within a single file on a disk.

CFBF was developed by Microsoft and is an implementation of Microsoft COM Structured Storage.

compressed file A file that has been shrunk by a compression algorithm (lossless algorithms such as DEFLATE are common; some formats use proprietary ones) to save space and reduce transmission times.

This allows the file to be downloaded faster or more data to be stored on a removable media.

Common compressed file extensions are .ZIP, .RAR, .ARJ, .TAR.GZ, and .TGZ.

concatenated The operation of joining two character strings end to end.

For example, the strings “snow” and “ball” may be concatenated to give “snowball.”

control characters A code point (a number) in a character set that does not in itself represent a written symbol.

It is in-band signaling in the context of character encoding. All entries in the ASCII table below code 32 (technically the C0 control code set) and 127 are of this kind, including BEL (which is intended to cause an audible signal in the receiving terminal), SYN (which is a synchronization signal), and ENQ (a signal that is intended to trigger a response at the receiving end, to see if it is still present).

The Extended Binary Coded Decimal Interchange Code (EBCDIC) character set contains 65 control codes, including all of the ASCII control codes as well as additional codes, which are mostly used to control IBM peripherals.

The Unicode standard has additional nonprinting characters (e.g., the zero-width non-joiner).

cyber forensics The use of specialized techniques for recovery, authentication, and analysis of electronic data to determine legal evidence.

cylinder groups When you create a Unix File System (UFS), the disk slice is divided into cylinder groups, which are made up of one or more consecutive disk cylinders.

The cylinder groups are then further divided into addressable blocks to control and organize the structure of the files within the cylinder group.

Each type of block has a specific function in the file system.

cylinders A cylinder is the set of all tracks with the same track number across every data-bearing platter surface of the drive (regardless of whether any individual track is marked bad). Because it spans all surfaces, it is a three-dimensional object.

cylinder, sector, head (CHS) An early method for giving addresses to each physical block of data on a hard drive.

A method of referencing the sectors on a drive as a collection of unique cylinder, head, and sector addresses.

Each block on the drive will have a unique cylinder, head, and sector address.

data block A physical unit of data that can be conveniently stored by a computer on an input or output device. The block is normally composed of one or more logical records or a portion of a logical record. Synonymous with physical record.

data propagation delay The length of time data takes to travel from one point on the segment (node) to another point.

decrypt(ion) Decoding; the activity of making clear or converting from code into plain text; “a secret key or password is required for decryption.”

Process of “unscrambling” an encrypted or coded message.

depth The number of edges on the path from the root to a given node (the root has depth 0). The depth of the tree as a whole is the depth of its deepest leaf, which equals its height.

descendant Any node that can be reached from the current node by following the children branches.

directory entries In a FAT file system, each 32-byte directory entry records the name (8 characters) and extension (3 characters), the attributes (archive, directory, hidden, read-only, system, and volume label), the date and time of creation, last access and last write, the number of the first cluster of the file’s or directory’s data, and finally the size of the file. A first byte of 0xE5 marks an entry whose file has been deleted; the rest of the entry, including the first cluster and size, is left in place, which is what makes undeleting possible.
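An added example (not from this glossary) that decodes the 32-byte FAT directory entry described above: it unpacks the 8.3 name, attribute bits, packed DOS dates and times, first cluster (high and low words) and size, recognizes deleted (0xE5) and end-of-directory (0x00) entries, and skips long-file-name fragments. The sample directory bytes are constructed with the matching packer.

```python
"""Decode 32-byte FAT directory entries (added example, not from the glossary)."""
import struct
from datetime import datetime

ATTRIBUTES = {0x01: "read-only", 0x02: "hidden", 0x04: "system",
              0x08: "volume", 0x10: "directory", 0x20: "archive"}
LFN = 0x0F   # attribute value of a long-file-name fragment, not a real entry


def fat_date(dt):
    return ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day


def fat_time(dt):
    return (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)   # 2-second resolution


def fat_datetime(date, time_=0, tenths=0):
    """Decode a packed date/time pair; returns None for an all-zero (never set) date."""
    if date == 0:
        return None
    year, month, day = 1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F
    hour, minute = time_ >> 11, (time_ >> 5) & 0x3F
    second = (time_ & 0x1F) * 2 + tenths // 100
    return datetime(year, month, day, hour, minute, second)


def parse_dir_entry(raw):
    """One entry as a dict, None for the end-of-directory marker, or 'lfn' for a long-name fragment."""
    if len(raw) != 32:
        raise ValueError("directory entries are exactly 32 bytes")
    if raw[0] == 0x00:
        return None
    attrs, _nt, ctenths, ctime, cdate, adate, hi, wtime, wdate, lo, size = \
        struct.unpack("<BBBHHHHHHHI", raw[11:])
    if attrs == LFN:
        return "lfn"
    deleted = raw[0] == 0xE5                      # only the first name byte is overwritten on delete
    base = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attributes": [n for bit, n in ATTRIBUTES.items() if attrs & bit],
        "created": fat_datetime(cdate, ctime, ctenths),
        "accessed": fat_datetime(adate),
        "modified": fat_datetime(wdate, wtime),
        "first_cluster": (hi << 16) | lo,         # high word is only used on FAT32
        "size": size,
    }


def parse_directory(data):
    """Walk a directory's raw bytes up to the first 0x00 entry, keeping deleted entries."""
    entries = []
    for off in range(0, len(data) - 31, 32):
        entry = parse_dir_entry(data[off:off + 32])
        if entry is None:
            break
        if entry != "lfn":
            entries.append(entry)
    return entries


def build_entry(name, ext, attrs, when, cluster, size, deleted=False):
    """Pack a constructed entry (inverse of parse_dir_entry) for the sample below."""
    raw_name = name.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw_name = b"\xe5" + raw_name[1:]
    return raw_name + struct.pack("<BBBHHHHHHHI", attrs, 0, 0, fat_time(when), fat_date(when),
                                  fat_date(when), cluster >> 16, fat_time(when), fat_date(when),
                                  cluster & 0xFFFF, size)


def build_sample_directory():
    """Constructed directory: a file, a deleted file, an LFN fragment, a subdirectory, end marker."""
    when = datetime(2010, 2, 15, 9, 30, 10)
    lfn = b"\x41" + b"R\x00e\x00a\x00d\x00m\x00" + b"\x0f\x00\x00" + b"\xff" * 18
    return (build_entry("README", "TXT", 0x20, when, 5, 1234)
            + build_entry("SECRET", "DOC", 0x20, when, 70000, 4096, deleted=True)
            + lfn
            + build_entry("DOCS", "", 0x10, when, 8, 0)
            + bytes(32))


if __name__ == "__main__":
    for e in parse_directory(build_sample_directory()):
        print(e["name"], "deleted" if e["deleted"] else "", e["attributes"],
              e["modified"], "cluster", e["first_cluster"], "size", e["size"])
```

The deleted entry still yields its first cluster and size, which is why undelete tools can follow the cluster chain; the lost first character is shown as “?”. FAT timestamps have no time zone and only 2-second resolution for the write time, which matters when correlating them with other evidence.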

directory structure The way an operating system’s file system and its files are displayed to the user.

Files are typically displayed in a hierarchical tree structure.

disk array An arrangement of two or more hard disks, in RAID or daisy-chain configuration, organized to improve speed and provide protection of data against loss.

disk signature A unique identifier for a disk.

For a master boot record (MBR)-formatted disk, this identifier is a four-byte value stored at offset 0x1B8 of the MBR (just before the partition table), which is located in sector zero of the disk.

For a GUID partitioning table (GPT)-formatted disk, this value is a GUID stored in the GPT disk header at the beginning of the disk.

.DLL The DLL file type is primarily associated with “Dynamic Link Library.”

A .DLL file is a support file and is used by one or more programs.

As an example, if several parts of a program need to perform the same action that action may be placed into a .DLL file (library) that the various program parts can all use. This saves space and makes it easier when that particular routine needs to be updated.

dwords Names for the common multiples of a bit:

bit = 1 bit

nibble = 4 bits = 1/2 byte

byte = 8 bits = 2 nibbles

WORD = 2 bytes = 4 nibbles = 16 bits

DWORD = 2 WORDs = 4 bytes = 8 nibbles = 32 bits

QWORD = 2 DWORDs = 4 WORDs = 8 bytes = 64 bits

DWORD stands for Double Word; QWORD for Quad Word (quad being a prefix meaning 4).

encrypted files Encrypting File System (EFS) provides the core file encryption technology used to store encrypted files on NTFS file system volumes. Once you encrypt a file or folder, you work with the encrypted file or folder just as you do with any other files and folders.

Encryption is transparent to the user that encrypted the file. This means that you do not have to manually decrypt the encrypted file before you can use it. You can open and change the file as you normally do.

Using EFS is similar to using permissions on files and folders. Both methods can be used to restrict access to data. However, an intruder who gains unauthorized physical access to your encrypted files or folders will be prevented from reading them. If the intruder tries to open or copy your encrypted file or folder he receives an access denied message. Permissions on files and folders do not protect against unauthorized physical attacks.

You encrypt or decrypt a folder or file by setting the encryption property for folders and files just as you set any other attribute such as read-only, compressed, or hidden. If you encrypt a folder, all files and subfolders created in the encrypted folder are automatically encrypted. It is recommended that you encrypt at the folder level. (“Encrypting File System Overview,” Windows XP Professional Product Documentation, Microsoft Corp., retrieved February 2010, www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/encrypt_overview.mspx?mfr=true.)

encryption The transformation of plain text into an apparently less readable form (called ciphertext) through a mathematical process.

The ciphertext may be read by anyone who has the key that decrypts (undoes the encryption) the ciphertext.

encryption key In cryptography, a key is a piece of information (a parameter) that determines the functional output of a cryptographic algorithm or cipher.

The algorithm itself is normally public; the security of the system rests on keeping the key secret (Kerckhoffs’s principle).

In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption.

EPROM A memory chip that maintains its contents without electrical power, and whose contents can be erased and reprogrammed by removing a protective cover and exposing the chip to ultraviolet light.

evidence integrity (via a hash) Provides assurance that the original evidence has not been modified or altered from its original state.

evidence uniqueness (via a hash) Assurance that a hash value identifies one specific item of evidence: because a cryptographic hash is collision-resistant, two items with different hash values certainly differ in content, and two items with the same hash value are, for all practical purposes, identical.

executables Files that contain a program; that is, a particular kind of file that is capable of being executed or run as a program in the computer.

In a disk operating system or Windows operating system, an executable file usually has a file name extension of .bat, .com, or .exe.

expert witness A person who is permitted to testify at a trial because of their special knowledge or proficiency in a particular field that is relevant to the case.

An expert witness, professional witness, or judicial expert is a witness, who, by virtue of education, training, skill, or experience, is believed to have expertise and specialized knowledge in a particular subject beyond that of the average person, sufficient that others may officially and legally rely upon the witness’s specialized (scientific, technical, or other) opinion about an evidence or factual issue within the scope of his/her expertise, referred to as the expert opinion, as an assistance to the fact-finder.

extended boot record (EBR) A descriptor for a logical partition under the common DOS disk drive partitioning system.

In that system, when one (and only one) partition record entry in the Master Boot Record (MBR) is designated an “extended partition,” then that partition can be subdivided into a number of logical drives.

The actual structure of that extended partition is described by one or more EBRs, which are located inside the extended partition.

The first (and sometimes only) EBR will always be located on the very first sector of the extended partition.

extended partition A construct that is used to partition a disk into logical units.

A disk may have up to four primary partitions or up to three primary partitions and one extended partition. The extended partition may be further subdivided into multiple logical drives.

falseticker A clock that does not maintain timekeeping accuracy to a previously published (and trusted) standard.

file Grouping of records each made up of multiple logical segments.

A file is the largest unit of information recognized by the system.

Also a collection of related records treated as a basic unit of storage in a computer system.

file extension The suffix appended to a file name in the FAT file-naming convention. The extension is optional in some file systems.

Compilers, for example, use the extension to determine the source language of a file.

file format The way data is organized for a particular kind of file.

Some formats are proprietary and can be read only by the program used to create the file.

Other formats, such as ASCII and rich text format (RTF), are more generic and can be read by many programs.

file header Supplemental data placed at the beginning of a block of data being stored or transmitted.

In graphics file formats, the header might give information about an image’s size, resolution, number of colors, and the like.

file magic number Bytes within a file used to identify the format of the file; generally a short sequence of bytes (most are two to four bytes long) placed at the beginning of the file.

file share The process of direct or indirect data sharing on a computer network with various levels of access privilege; also, the process of direct or indirect file transfer via the Internet.

file signature Data used to identify or verify the content of a file.

file slack The space left over between the end of a file’s data and the end of the last cluster allocated to it is a form of internal fragmentation called file slack or slack space. Because the file system does not necessarily overwrite it, slack can still hold fragments of whatever previously occupied those sectors, which makes it worth examining.

file structure The format into which a file is arranged by computer so that the information it contains can be retrieved on demand.

file system A data structure or a collection of files.

The method for storing and retrieving files on a disk. It is system software that takes commands from the operating system to read and write the disk clusters (groups of sectors).

The file system manages a folder/directory structure, which provides an index to the files, and it defines the syntax used to access them (how the “path” to the file is coded).

The physical filesystem is divided first by disk partitions.

The DOS-, Windows-, OS/2-, Macintosh-, and UNIX-based operating systems all have file systems in which files are placed somewhere in a hierarchical (tree) structure. A file is placed in a directory (folder in Windows) or subdirectory at the desired place in the tree structure.

File systems specify conventions for naming files. These conventions include the maximum number of characters in a name, which characters can be used, and, in some systems, how long the file name suffix can be. A file system also includes a format for specifying the path to a file through the structure of directories.

forensic image Imaging a hard drive is a phrase that is commonly used for preserving the contents of a custodian hard drive or server.

A forensic image is an exact bit for bit copy of the drive to be examined as part of a forensic investigation.

gigabyte (GB) Equals about 1 billion bytes.

gigahertz (GHz) One billion (10^9) cycles or processes in one second.

hardware write blocker Write blockers are devices that allow acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. They do this by allowing read commands to pass while blocking write commands, hence their name.

Hardware write blockers sit between the evidence drive and the acquisition system, for example as IDE-to-IDE, SATA-to-SATA or FireWire/USB-to-IDE/SATA bridges, and should be tested against a known drive before they are relied on.

hash values A hash is a fixed-length code calculated from the contents of a message. A cryptographic hash should have the properties that it is extremely difficult to construct a message whose hash comes to a specific value, and to find two different messages with the same hash.

Hashes are useful because they can be recorded alongside a message or an evidence image and later demonstrate that it has not been modified: if even one bit of the message were changed, its hash would change and would no longer match the original hash value.

HDD In a personal computer, a hard disk drive (HDD) is the mechanism that controls the positioning, reading, and writing of the hard disk, which furnishes the largest amount of data storage for the PC.

Although the hard disk drive (often shortened to “hard drive”) and the hard disk are not the same thing, they are packaged as a unit and so either term is sometimes used to refer to the whole unit.

head Data is written to and read from the surface of a platter by a device called a head.

Naturally, a platter has two sides and thus two surfaces on which data could be manipulated; usually there are two heads per platter—one on each side, but not always.

headers The supplemental data placed at the beginning of a block of data being stored or transmitted. In data transmission, the data following the header are called the body.

height The maximum distance of any leaf from the root of a tree. If a tree has only one node (the root), the height is zero.

HEX editor A HEX editor is a program that allows you to edit compiled programs and binary data files.

These editors are called HEX editors because they most often present data in hexadecimal format.

Hexadecimal is used because it is easier for most humans than working in binary, and because computers work with eight-bit bytes, each of which is exactly two hex digits; ASCII is a seven-bit code stored one character per byte, so a byte of text can be read off alongside its hex value (www.tech-faq.com/hex-editor.shtml).

hexadecimal A numbering system using a base of 16 and including the 10 decimal digits (zero to nine) along with six alpha digits (A to F). Thus a single digit is available to represent each of the 16 possible values of a four-bit group (nibble).

In computers, HEX is a notation for the binary numbers stored on disk and in RAM: it does not change how much is stored, but it writes each byte as two digits instead of eight bits. HEX 00 is decimal 0, and HEX FF represents decimal 255, the largest value a single byte can hold.

home directory A file system directory on a multi-user operating system containing files for a given user of the system.

The specifics of the home directory (such as its name and location) are defined by the operating system involved; for example, Windows 2000, XP and Server 2003 keep home directories under a folder called Documents and Settings, while Windows Vista and later use Users.

inodes In computing, an inode is a data structure on a traditional Unix-style file system such as UFS.

Each object in the filesystem is represented by an inode.

An inode stores basic information about a regular file, directory, or other file system object.

intellectual property Intellectual property is divided into two categories:

Industrial property, which includes inventions (patents), trademarks, industrial designs, and geographic indications of source.

Copyright, which includes literary and artistic works such as novels, poems, plays, films, musical works, drawings, paintings, photographs, sculptures, and architectural designs.

Internet artifacts Cookies, caches, and other temporary Internet files that can contain a wealth of information about the history of a suspect’s online activities. Searching these files can be very beneficial to an investigation but can also take a lot of time.

IP address A numeric identifier for a specific computer or device on the Internet or any other (internal or external) network using the TCP/IP protocol suite. An IPv4 address is a series of four numbers separated by periods (“dots”), each a value from 0 to 255; an example is 67.234.77.43. IPv6 addresses are longer, 128-bit values written as hexadecimal groups separated by colons. “IP” stands for “Internet Protocol.”

iteration To solve a problem by repeatedly working on successive parts of the problem.

kernel The central component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level.

The kernel’s responsibilities include managing the system’s resources (the communication between hardware and software components).

kilobyte (KB) Equals 1,024 bytes.

leaf (leaves) A node in a tree that has no children.

logical block addressing A method used to address hard disks by a single sector number rather than by cylinder, head, and sector (CHS).

LBA was introduced to support ATA/IDE drives as they reached 504 MB, and Enhanced BIOSs in the PC translated CHS addressing into LBA addressing.

The Master Boot Record is the traditional way of storing partition information about a hard disk, along with some boot code.

That is, the Partition Table is contained inside the MBR, which is stored in the first sector (cylinder 0, head 0, sector 1—or, alternately, LBA 0) of the hard drive.

logical copy A logical copy gets all available active data (including text and multi-media files).

logical file system Refers to a hierarchy of connected directories made of all the files (or disk partitions) that are accessible to the user.

logical folder structure A way in which to store your files:

1. Assists in the orderly storage of your files.

2. Makes it easier to find your files, especially those that are critically important, as well as those you may need to find right away.

3. Aids in managing your files, especially if you need to maintain large volumes of documents.

4. Makes it simpler to archive your files, with a greater likelihood that you won’t overlook any files you may want to archive.

magic number A magic number is a number embedded at or near the beginning of a file that indicates its file format (i.e., the type of file it is). It is also sometimes referred to as a file signature.

Magic numbers are generally not visible to users. However, they can easily be seen with the use of a HEX editor.
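An added example (not from this glossary) that ties the carving and magic number entries together: a small header/footer carver that scans a raw buffer for JPEG and PNG magic numbers, cuts each file out at its trailer, reports headers with no trailer in range as orphans, and identifies a standalone blob from its leading bytes. The “unallocated space” buffer is constructed; real tools use far larger signature databases and fragment-aware heuristics.

```python
"""Header/footer file carving over a raw buffer (added example, not from the glossary)."""

# name -> (magic number at offset 0, trailer). JPEG: FF D8 FF ... FF D9. PNG: 89 'PNG' ... IEND chunk + CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
}
MAX_SIZE = 16 * 1024 * 1024   # stop looking for a trailer beyond this many bytes


def identify(data):
    """Name of the format whose magic number starts data, or None (what `file` does with its magic database)."""
    for name, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def carve(data, max_size=MAX_SIZE):
    """Return (found, orphans): found is [(offset, name, bytes)] for every header followed by its
    trailer within max_size; orphans is [(offset, name)] for headers with no trailer in range.
    Headers inside an already carved file are skipped (typically embedded thumbnails)."""
    found, orphans, pos = [], [], 0
    while pos < len(data):
        hit = None   # earliest header of any type from pos onward
        for name, (header, trailer) in SIGNATURES.items():
            idx = data.find(header, pos)
            if idx != -1 and (hit is None or idx < hit[0]):
                hit = (idx, name, header, trailer)
        if hit is None:
            break
        start, name, header, trailer = hit
        end = data.find(trailer, start + len(header), start + max_size)
        if end == -1:
            orphans.append((start, name))
            pos = start + 1          # keep scanning past the unusable header
            continue
        end += len(trailer)
        found.append((start, name, data[start:end]))
        pos = end
    return found, orphans


def build_sample():
    """Constructed 'unallocated space': filler, a fake JPEG, a fake PNG and a truncated JPEG."""
    filler = b"\x00" * 37 + b"free space " * 3
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 50 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR" + b"B" * 30 + b"IEND\xae\x42\x60\x82"
    orphan = b"\xff\xd8\xff\xe1" + b"C" * 20     # header whose remainder was overwritten
    return filler + jpg + filler + png + filler + orphan, jpg, png, len(filler)


if __name__ == "__main__":
    blob, _, _, _ = build_sample()
    found, orphans = carve(blob)
    for offset, name, content in found:
        print(f"carved {name} at offset {offset}, {len(content)} bytes, identify={identify(content)}")
    print("orphan headers:", orphans)
```

Two caveats a practitioner will hit immediately: a JPEG with an embedded EXIF thumbnail contains an inner FF D9, so trailer matching can cut the file short (real carvers parse the segment structure or carve by size), and fragmented files cannot be recovered by contiguous header/footer matching at all.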

magnetism Force of attraction or repulsion of a magnetic material due to the arrangement of its atoms.

master boot record (MBR) The first sector of a disk (LBA 0), this is (usually) where the BIOS looks to load a small program that will boot the computer; the same sector also holds the disk signature and the four-entry partition table, and ends with the signature bytes 55 AA.
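An added example (not from this glossary) for the master boot record, disk signature, extended partition and CHS/LBA entries: it parses a 512-byte MBR (55 AA check, disk signature at 0x1B8, four 16-byte partition entries at 0x1BE), decodes the packed 3-byte CHS fields, converts CHS to LBA with the usual formula LBA = (C × heads + H) × sectors_per_track + (S − 1), and cross-checks the CHS start against the LBA start of each entry. The sample MBR is constructed; the 255 × 63 geometry is the common BIOS translation and is an assumption.

```python
"""Parse an MBR partition table and cross-check CHS against LBA (added example, not from the glossary)."""
import struct

SECTOR = 512
HEADS = 255            # assumed legacy BIOS translation geometry (255 heads x 63 sectors per track)
SPT = 63
PART_TABLE = 0x1BE
DISK_SIG = 0x1B8
EXTENDED_TYPES = {0x05, 0x0F}   # DOS extended and LBA extended container types


def chs_to_lba(c, h, s, heads=HEADS, spt=SPT):
    return (c * heads + h) * spt + (s - 1)        # sectors are numbered from 1, not 0


def lba_to_chs(lba, heads=HEADS, spt=SPT):
    c, rem = divmod(lba, heads * spt)
    h, s = divmod(rem, spt)
    return c, h, s + 1


def decode_chs(b):
    """Unpack the 3-byte CHS field: head; 2 high cylinder bits + 6 sector bits; low 8 cylinder bits."""
    return ((b[1] & 0xC0) << 2) | b[2], b[0], b[1] & 0x3F


def encode_chs(c, h, s):
    return bytes([h, ((c >> 2) & 0xC0) | (s & 0x3F), c & 0xFF])


def parse_mbr(sector):
    """Return (disk_signature, [partition dicts]); raise if the 55 AA boot signature is missing."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 55 AA signature at offset 510: not an MBR")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG)[0]
    parts = []
    for i in range(4):
        status, chs0, ptype, chs1, lba, count = struct.unpack_from(
            "<B3sB3sII", sector, PART_TABLE + 16 * i)
        if ptype == 0:
            continue                               # empty slot
        parts.append({"slot": i, "active": status == 0x80, "type": ptype,
                      "chs_start": decode_chs(chs0), "chs_end": decode_chs(chs1),
                      "lba_start": lba, "sectors": count,
                      "extended": ptype in EXTENDED_TYPES})
    return disk_sig, parts


def chs_mismatches(parts):
    """Slots whose CHS start disagrees with the LBA start under the assumed geometry.
    Beyond about 8 GB the CHS fields are saturated at (1023,254,63), so mismatches there are expected."""
    return [p["slot"] for p in parts if chs_to_lba(*p["chs_start"]) != p["lba_start"]]


def build_sample_mbr():
    """Constructed MBR: disk signature, an active NTFS partition at LBA 2048, one extended container."""
    sector = bytearray(SECTOR)
    struct.pack_into("<I", sector, DISK_SIG, 0xDEADBEEF)
    entries = [(0x80, 2048, 0x07, 204800), (0x00, 206848, 0x0F, 409600)]
    for i, (status, start, ptype, count) in enumerate(entries):
        struct.pack_into("<B3sB3sII", sector, PART_TABLE + 16 * i, status,
                         encode_chs(*lba_to_chs(start)), ptype,
                         encode_chs(*lba_to_chs(start + count - 1)), start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


if __name__ == "__main__":
    sig, parts = parse_mbr(build_sample_mbr())
    print(f"disk signature {sig:08X}")
    for p in parts:
        print(f"slot {p['slot']} type {p['type']:02X} active={p['active']} extended={p['extended']} "
              f"CHS {p['chs_start']} -> LBA {chs_to_lba(*p['chs_start'])}, table says {p['lba_start']}")
    print("CHS/LBA mismatches:", chs_mismatches(parts))
```

The mismatch check is a cheap sanity test on an acquired image: a hand-edited or tool-written table whose CHS and LBA fields disagree (on a small disk where they should agree) is worth a closer look. On a GPT disk the protective MBR still carries 55 AA and a single 0xEE entry, so this parser accepts it but the GPT header at LBA 1 is where the real table lives.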

maximum skew The maximum offset error due to skew of the local clock over the interval determined by NTP.MAXAGE, in seconds.

The ratio φ = NTP.MAXSKEW / NTP.MAXAGE is interpreted as the maximum possible skew rate due to all causes.

MD5 Message-digest algorithm producing a 128-bit hash, originally meant for digital signature applications where a large message has to be compressed in a secure manner before being signed with the private key. Practical collision attacks against MD5 have been known since 2004, so it is no longer suitable for signatures; in forensics it survives as a fingerprint for matching images and known-file databases, and SHA-256 is normally recorded alongside it.
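An added example (not from this glossary) for the hash values, evidence integrity and MD5 entries: an evidence image is hashed in 1 MiB chunks with MD5 and SHA-256 together, the digests are recorded, the file is verified, a single bit is flipped, and verification is repeated. The image content is constructed in a temporary directory.

```python
"""Chunked hashing of an evidence image and later verification (added example, not from the glossary)."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024      # hash 1 MiB at a time; a multi-GB image must not be read into memory at once
ALGORITHMS = ("md5", "sha256")   # both: MD5 for legacy tool/database compatibility, SHA-256 because MD5 collisions are practical


def hash_file(path, algorithms=ALGORITHMS):
    """Hex digests of a file, reading it once and feeding every algorithm in parallel."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return {name: hashlib.new(name, data).hexdigest() for name in algorithms}


def verify_file(path, recorded):
    """Re-hash and compare with the values recorded at acquisition; returns (ok, [algorithms that differ])."""
    current = hash_file(path, tuple(recorded))
    bad = [name for name in recorded if current[name] != recorded[name]]
    return not bad, bad


def flip_one_bit(path, offset):
    """Tamper with a single bit: the smallest change a hash must still expose."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([byte ^ 0x01]))


def demo():
    """Acquire -> record hashes -> verify -> tamper one bit -> verify again, on a constructed image."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "evidence.dd")
        image = bytes(range(256)) * 8192 + b"abc"        # 2 MiB + 3 bytes: spans several chunks
        with open(path, "wb") as f:
            f.write(image)
        recorded = hash_file(path)                       # what goes into the acquisition notes
        ok_before, _ = verify_file(path, recorded)
        flip_one_bit(path, len(image) - 1)               # change the low bit of the final byte
        ok_after, bad = verify_file(path, recorded)
        return {"recorded": recorded, "direct": hash_bytes(image),
                "ok_before": ok_before, "ok_after": ok_after, "bad": bad}


if __name__ == "__main__":
    result = demo()
    for name, digest in result["recorded"].items():
        print(f"{name}: {digest}")
    print("verified before tampering:", result["ok_before"])
    print("verified after one-bit flip:", result["ok_after"], "mismatched:", result["bad"])
```

The chunked digests equal the one-shot digests of the same bytes, so the values can be compared directly with the output of md5sum or sha256sum and with the hashes an imaging tool writes into its log. Hashing the source drive and the image and getting the same digests is what ties the image to the original for the chain of custody.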

megabyte (MB) Approximately 1 million bytes.

megaflop One million floating-point operations per second.

metadata Data about data.

In common usage as a generic term, metadata stores data about the structure, context, and meaning of raw data, and computers use it to help organize and interpret data, turning it into meaningful information.

microprocessor Known as the “brains” of the computer, this computer chip contains all the central processing functions of a computer. Also known as the central processing unit (CPU).

MIPS One million instructions per second.

mounted/mounting The process of making a file system ready for use by the operating system, typically by reading certain index data structures from storage into memory ahead of time.

The term recalls a period in the history of computing when an operator had to physically place (mount) a magnetic tape or hard disk on a spindle before using it.

multi-partitioned drive Multiple partitions on a single hard drive that appear as separate drives to the operating system.

For example, when you install an operating system like Windows XP, part of the process is to define a partition on the hard drive.

This partition serves to define an area of the hard drive that Windows XP can use to install all of its files. In Windows operating systems, this primary partition is usually assigned the drive letter of “C.”

Most operating systems allow users to divide a hard disk into multiple partitions, in effect making one physical hard disk into several smaller logical hard disks.

native format Proprietary file format of a given application. A format which is not intended to be opened by any other application and is usually unsuitable for transferring data from one application to another.

new technology file system The standard file system of Windows NT, including its later versions Windows 2000, Windows XP, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows 7.

NTFS has a number of advantages over the previous file system, named FAT 32 (File Allocation Table). One major advantage of NTFS is that it includes features to improve reliability.

NTFS has several improvements over FAT and HPFS (High Performance File System) such as improved support for metadata and the use of advanced data structures to improve performance, reliability, and disk space utilization, plus additional extensions such as security access control lists (ACL) and file system journaling.

The new technology file system includes fault tolerance, which automatically repairs hard drive errors without displaying error messages. It also keeps detailed transaction logs, which track hard drive errors.

This can help prevent hard disk failures and makes it possible to recover files if the hard drive does fail.

nibble Sometimes written nybble, it is a four-bit aggregation, or half an octet.

As a nibble contains four bits, there are 16 (2^4) possible values, so a nibble corresponds to a single hexadecimal digit (thus, it is often referred to as a “hex digit” or “hexit”).

node Any element of a tree. Contains some data and potentially has children, which are other nodes in the tree.

nondisclosure agreement (NDA) A legally binding document which protects the confidentiality of ideas, designs, plans, concepts, or other commercial material. Most often, NDAs are signed by vendors, contractors, consultants, and other non-employees who may come into contact with such material.

NTFS partition NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk. NTFS is the Windows NT equivalent of the Windows 95 file allocation table (FAT) and the OS/2 High Performance File System (HPFS).

However, NTFS offers a number of improvements over FAT and HPFS in terms of performance, extendibility, and security.

NTFS is the primary file system used in Microsoft’s Windows NT, Windows 2000, Windows XP, Windows 2003, Windows Vista, and Windows 7 operating systems.

NTP timestamp Represented as a 64-bit unsigned fixed-point number, in seconds, relative to 0h on 1 January 1900. The integer part is in the first 32 bits and the fraction part in the last 32 bits.

This format allows convenient multiple-precision arithmetic and conversion to time protocol representation (seconds), but does complicate the conversion to ICMP timestamp message representation (milliseconds). The precision of this representation is about 200 picoseconds.
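The conversions the entry describes, as an added Python example that is not part of the glossary's source: splitting the 64-bit field into its integer and fraction halves, converting to seconds since the Unix epoch (the offset constant 2208988800 is the standard number of seconds between the two epochs), producing the ICMP-style milliseconds-since-midnight value, and computing the representation's resolution.

```python
# Added example: decoding the 64-bit NTP timestamp format described above.
# Not from the glossary's source; the epoch offset is the standard constant.
import struct
from datetime import datetime, timedelta, timezone
from typing import Tuple

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
# Seconds between 0h 1 January 1900 (NTP epoch) and 0h 1 January 1970 (Unix epoch).
NTP_TO_UNIX_OFFSET = 2208988800
FRACTION_UNITS = 2 ** 32  # the 32-bit fraction field counts 1/2^32 of a second


def unpack_ntp_timestamp(raw: bytes) -> Tuple[int, int]:
    """Split the 8-byte big-endian timestamp into (integer seconds, fraction)."""
    if len(raw) != 8:
        raise ValueError("an NTP timestamp is exactly 8 bytes")
    seconds, fraction = struct.unpack(">II", raw)
    return seconds, fraction


def pack_ntp_timestamp(seconds: int, fraction: int) -> bytes:
    """Inverse of unpack_ntp_timestamp: integer part first, fraction part last."""
    return struct.pack(">II", seconds, fraction)


def ntp_to_seconds(raw: bytes) -> float:
    """Seconds since the NTP epoch (the 'time protocol' representation)."""
    seconds, fraction = unpack_ntp_timestamp(raw)
    return seconds + fraction / FRACTION_UNITS


def ntp_to_unix(raw: bytes) -> float:
    """Seconds since the Unix epoch. Valid for NTP era 0 (1900 to 2036); once the
    32-bit seconds field wraps in 2036 the era has to be known from context."""
    return ntp_to_seconds(raw) - NTP_TO_UNIX_OFFSET


def ntp_to_datetime(raw: bytes) -> datetime:
    """Timezone-aware UTC datetime, rounded to microseconds."""
    seconds, fraction = unpack_ntp_timestamp(raw)
    micros = round(fraction * 1_000_000 / FRACTION_UNITS)
    return NTP_EPOCH + timedelta(seconds=seconds, microseconds=micros)


def ntp_to_icmp_milliseconds(raw: bytes) -> int:
    """ICMP timestamp representation: milliseconds since midnight UTC.
    This is the conversion the entry calls awkward: the day boundary must be
    found and the binary fraction rescaled to a decimal unit."""
    seconds, fraction = unpack_ntp_timestamp(raw)
    since_midnight = seconds % 86400 + fraction / FRACTION_UNITS
    return round(since_midnight * 1000)


def resolution_seconds() -> float:
    """Smallest representable step: one fraction unit, about 233 picoseconds."""
    return 1 / FRACTION_UNITS


if __name__ == "__main__":
    # Constructed sample: 0x83AA7E80 seconds, fraction 0x80000000 = one half second.
    raw = bytes.fromhex("83aa7e8080000000")
    print(ntp_to_datetime(raw).isoformat(), ntp_to_unix(raw), ntp_to_icmp_milliseconds(raw))
```

For timeline work the era caveat matters: an 8-byte value pulled from a capture cannot be dated unambiguously without knowing which 136-year era it belongs to.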

object linking and embedding (OLE) A technology developed by Microsoft that allows embedding of, and linking to, documents and other objects.

octet An entity having exactly eight bits.

A series of eight binary digits, they are often formulated or displayed as hexadecimal, decimal, or octal values.

The binary value of all eight bits set (or turned on) is 11111111; equal to the hexadecimal value of FF, the decimal value of 255, and the octal value of 377.

operating system An operating system (commonly abbreviated to OS or O/S, and sometimes loosely called the kernel) is an interface between hardware and software in a computer system. It is the software responsible for controlling the overall operation of a multipurpose computer system, including such tasks as memory allocation, input and output distribution, interrupt processing, and job scheduling.

order (1) The height of a tree. (2) The number of children of the root of a binomial tree. (3) The maximum number of children of nodes in a b-tree. (4) The number of data streams, usually denoted ω, in a multiway merge.

parent Of a node: the tree node conceptually above or closer to the root than the node and which has a link to the node.

parsing To analyze or separate (input, for example) into more easily processed components.

partition A logical division on a hard disk drive (HDD).

A “chunk” of space sectioned off of the disk drive. That chunk is then formatted with a file system and assigned a drive letter, at which point it is a volume labeled by its drive letter.

It so happens that the volume is on a partition. You can partition a drive without formatting it; you still have partitions, but no volumes.

partition boot record A type of boot sector, stored in a disc volume on a hard disk, floppy disk, or similar data storage device, that contains code for booting programs (usually, but not necessarily, operating systems) stored in other parts of the volume.

partition table A 64-byte data structure that defines the way a PC’s hard disk is divided into logical sectors known as partitions.

The partition table describes to the operating system how the hard disk is divided.

Each partition on a disk has a corresponding entry in the partition table.

The partition table is always stored in the first physical sector of a disk drive.

petabyte (PB) About 1 quadrillion bytes.

petahertz (PHz) One quadrillion (10^15) cycles per second.

Power-On Self-Test (POST) A self-diagnostic program used to perform a single test of the CPU, RAM and various input/output (I/O) devices, to verify that the computer meets requirements to boot up properly.

If the computer does not pass the POST, you will receive a combination of beeps indicating what is malfunctioning within the computer.

The POST is performed by startup BIOS when the computer is first turned on and is stored in ROM BIOS.

RAID (redundant array of independent disks) array A way of storing the same data in different places (thus, redundantly) on multiple hard disks. By placing data on multiple disks, I/O (input/output) operations can overlap in a balanced way, improving performance.

Since multiple disks increase the mean time between failures (MTBF), storing data redundantly also increases fault tolerance.

RAM (random access memory) Memory modules on the motherboard containing microchips used to temporarily hold data and programs while the CPU processes both.

Information in RAM is lost when the PC is turned off.

recursion A method for solving a problem in which the problem is broken down into a smaller version of itself, which can either be solved explicitly or can be solved recursively.

Registry A database used by the Windows operating system (Windows 95 and NT) to store configuration information.

The registry consists of the following major sections:

  • HKEY_Classes_Root—file associations and OLE information
  • HKEY_Current_User—all preferences set for current user
  • HKEY_User—all the current user information for each user of the system
  • HKEY_Local_Machine—settings for hardware, operating system, and installed applications
  • HKEY_Current_Configuration—settings for the display and printers
  • HKEY_Dyn_Data—performance data

relative address A memory address that represents some distance from a starting point (base address), such as the first byte of a program or table.

resident data To optimize storage and reduce I/O overhead for the very common case of streams with very little associated data, NTFS prefers to place the data itself inside the stream descriptor in the MFT entry rather than using that space to list the clusters that hold the data. For larger streams the descriptor does not store the data directly; it stores only an allocation map pointing to the data stored elsewhere on the volume.

When the stream data can be accessed directly from within the stream descriptor, it is called “resident data.”

ROM (read-only memory) A type of data storage device which is manufactured with fixed contents.

ROM is inherently non-volatile storage—it retains its contents even when the power is switched off, in contrast to RAM.

It is used in part for storage of the lowest level bootstrap software (firmware) in a computer.

root The node from which all other nodes in the tree descend.

sanitized drive A hard drive, which has had its contents “erased” via the process of masking information recorded on the hard drive by overwriting the existing information with random, meaningless data.

sector A specifically sized division of a hard disk drive, optical disc, floppy disk, or other kind of storage medium.

Usually, one sector of a hard disk drive or floppy disk can hold 512 bytes of information. One sector of an optical disc can usually hold 2,048 bytes.

This difference in sector size doesn’t imply anything about the difference in possible sizes between hard drives and optical discs—the number of sectors available on the drive or disc determines this.

sector slack The portion of the slack space from the end of the logical file to the end of the sector (not the cluster) was called RAM slack.

More recently, the term sector slack has been used; both refer to the same portion of the slack space.

SHA-1 Secure Hash Algorithm. Used for computing a condensed representation of a message or a data file specified by FIPS PUB 180-1.

signature word The two final bytes of the first sector (the MBR); they serve as a simple validation of the MBR's contents.
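The partition table and signature word entries above describe one 512-byte structure, so here is a single added Python example (not part of the glossary's source) that validates the signature word and parses the 64-byte table into its four entries. The layout assumed is the conventional PC one: the table at byte 446, four 16-byte entries, and the bytes 55 AA at offsets 510 and 511; the sample sector is constructed for the example.

```python
# Added example: parsing the 64-byte partition table and checking the signature
# word of a master boot record. Not from the glossary's source; the layout used
# (table at byte 446, four 16-byte entries, 55 AA at bytes 510-511) is the
# conventional PC MBR layout.
import struct
from typing import List, NamedTuple, Tuple

SECTOR_SIZE = 512
TABLE_OFFSET = 446
ENTRY_SIZE = 16
ENTRY_COUNT = 4
SIGNATURE_OFFSET = 510
SIGNATURE = b"\x55\xAA"


class PartitionEntry(NamedTuple):
    slot: int           # 0..3, position in the table
    bootable: bool      # status byte 0x80 marks the active partition
    type_id: int        # partition type byte, e.g. 0x07 for NTFS/HPFS
    lba_start: int      # first sector of the partition (32-bit LBA)
    sector_count: int   # length of the partition in sectors


def has_valid_signature(sector: bytes) -> bool:
    """The signature word is the only integrity check the MBR itself carries."""
    return (len(sector) >= SECTOR_SIZE
            and sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == SIGNATURE)


def parse_partition_table(sector: bytes) -> List[PartitionEntry]:
    """Return the non-empty entries of the partition table in the first sector."""
    if not has_valid_signature(sector):
        raise ValueError("signature word 55 AA missing: not a valid MBR")
    entries = []
    for slot in range(ENTRY_COUNT):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped)
        # LBA start(4) sector count(4); all little-endian.
        status, type_id, lba_start, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        if type_id == 0:
            continue  # empty slot
        entries.append(PartitionEntry(slot, status == 0x80, type_id, lba_start, count))
    return entries


def byte_range(entry: PartitionEntry) -> Tuple[int, int]:
    """Byte offsets [start, end) of the partition within a disk image."""
    start = entry.lba_start * SECTOR_SIZE
    return start, start + entry.sector_count * SECTOR_SIZE


def overlapping_entries(entries: List[PartitionEntry]) -> List[Tuple[int, int]]:
    """Pairs of slots whose sector ranges overlap; a consistent table has none."""
    pairs = []
    for i, a in enumerate(entries):
        for b in entries[i + 1:]:
            if (a.lba_start < b.lba_start + b.sector_count
                    and b.lba_start < a.lba_start + a.sector_count):
                pairs.append((a.slot, b.slot))
    return pairs


def build_sample_mbr() -> bytes:
    """Constructed sector: one bootable NTFS-type partition starting at sector 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = entry
    sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    for entry in parse_partition_table(build_sample_mbr()):
        print(entry, "bytes", byte_range(entry))
```

The overlap check is the kind of consistency test an examiner runs before trusting a table: the signature word only says the sector ends in 55 AA, not that the entries describe a sane layout.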

slack space The unused space in a disk cluster. The DOS and Windows file systems use fixed-size clusters. Even if the actual data being stored requires less storage than the cluster size, an entire cluster is reserved for the file.

The unused space is called the slack space.

DOS and older Windows systems use a 16-bit file allocation table (FAT), which results in very large cluster sizes for large partitions.

For example, if the partition size is 2 GB, each cluster will be 32 K. Even if a file requires only 4 K, the entire 32 K will be allocated, resulting in 28 K of slack space.

Operating systems Windows 95 and above resolved this problem by using a 32-bit FAT (FAT 32) that supports cluster sizes smaller than 1K.
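The slack-space arithmetic from the entry above, together with the sector slack distinction from the sector slack entry, as an added Python example that is not part of the glossary's source. Sizes are in bytes; the 512-byte sector and the simplified FAT16 cluster model are my assumptions for the example.

```python
# Added example: computing slack space for a file and splitting it into sector
# slack and the remaining unused sectors. Not from the glossary's source.
import math

SECTOR_SIZE = 512  # assumed sector size, matching the glossary's hard disk figure


def clusters_needed(file_size: int, cluster_size: int) -> int:
    """Whole clusters allocated to the file; a zero-length file needs none."""
    return math.ceil(file_size / cluster_size)


def slack_space(file_size: int, cluster_size: int) -> int:
    """Unused bytes in the last cluster (the glossary's 4 K in 32 K -> 28 K case)."""
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


def slack_breakdown(file_size: int, cluster_size: int,
                    sector_size: int = SECTOR_SIZE) -> dict:
    """Split the slack into sector slack (end of logical file to end of its last
    sector) and file slack (the whole unused sectors up to the end of the cluster)."""
    if cluster_size % sector_size:
        raise ValueError("cluster size must be a multiple of the sector size")
    total = slack_space(file_size, cluster_size)
    sector_slack = (-file_size) % sector_size
    return {"total": total, "sector_slack": sector_slack,
            "file_slack": total - sector_slack}


def fat16_cluster_size(partition_bytes: int, sector_size: int = SECTOR_SIZE) -> int:
    """Simplified model of why FAT16 clusters grow with partition size: a 16-bit
    cluster number can address at most 65536 clusters, so the cluster must be the
    smallest power-of-two multiple of the sector that covers the partition.
    (Real format tools use a fixed table and reserve a few cluster values.)"""
    cluster = sector_size
    while partition_bytes / cluster > 65536:
        cluster *= 2
    return cluster


if __name__ == "__main__":
    two_gb = 2 * 1024 ** 3
    cluster = fat16_cluster_size(two_gb)
    print("2 GB FAT16 cluster:", cluster, "bytes")
    print("4000-byte file:", slack_breakdown(4000, cluster))
```

The breakdown matters for examiners because the two parts have different origins: sector slack is filled by whatever the operating system writes when padding the final sector, while the file slack sectors are simply left as they were, so they may still hold data from a previous occupant of the cluster.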

stream cipher A stream cipher encrypts in small units, often a bit or a byte at a time, but unlike a basic block cipher the output corresponding to a given input will depend on where in the message it occurs.

The simplest type of stream cipher uses a complicated function, which retains state, to generate a pseudo-random sequence which is then combined with the input using a simple operation such as bytewise addition.
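The construction the entry describes, as an added Python example that is not part of the glossary's source: a stateful generator produces a pseudo-random keystream, which is combined with the message by byte-wise XOR. The generator here is SHA-256 run over the key, a nonce and a block counter (my choice, so that the example needs only the standard library); the counter is the retained state that makes the output position-dependent.

```python
# Added example: a stream cipher built from a stateful keystream generator and
# byte-wise XOR. Not from the glossary's source; the keystream is SHA-256 in
# counter mode, chosen so the example runs with the standard library alone.
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Generate `length` bytes of keystream. The block counter is the retained
    state, so the byte produced for position i depends on i, not only on the key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Combine plaintext with keystream using the 'simple operation' (XOR)."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, nonce, ciphertext)


def positions_differ(key: bytes, nonce: bytes, byte_value: int, length: int = 32) -> bool:
    """The position dependence the entry describes: a message of one repeated byte
    does not encrypt to one repeated byte, unlike a basic block cipher in ECB mode."""
    ct = encrypt(key, nonce, bytes([byte_value]) * length)
    return len(set(ct)) > 1


def nonce_reuse_leak(key: bytes, nonce: bytes, pt1: bytes, pt2: bytes) -> bytes:
    """Why the nonce must never repeat under one key: XOR of two ciphertexts made
    with the same keystream equals XOR of the plaintexts; the keystream cancels."""
    return xor_bytes(encrypt(key, nonce, pt1), encrypt(key, nonce, pt2))


if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12       # constructed values for the demo
    ct = encrypt(key, nonce, b"meet at dawn")
    print(ct.hex(), decrypt(key, nonce, ct))
```

The last function is the failure mode to remember when reviewing a design: the cipher's security rests entirely on never reusing a (key, nonce) pair, because the keystream, not the XOR, is what hides the message.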

subject An individual that can be a witness, but has not been eliminated as a culprit of the investigated activity.

subtree(s) The tree which is a child of a node.

As the name emphasizes, everything which is a descendant of a tree node is a tree, too, and is a subset of the larger tree.

superblock A record of the characteristics of a filesystem, including its size, the block size, the empty and the filled blocks and their respective counts, the size and location of the inode tables, the disk block map and usage information, and the size of the block groups.

symmetric key encryption A class of algorithms for cryptography that use trivially related, often identical, cryptographic keys for both decryption and encryption.

The encryption key is trivially related to the decryption key, in that they may be identical or there is a simple transformation to go between the two keys.

The keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link.

target An individual who has been identified as the most likely culprit and is considered to be the focus of the investigation.

terabyte (TB) About 1 trillion bytes.

terahertz (THz) One trillion (10^12) cycles per second.

time-lining A sequence of related events arranged in chronological order and displayed along a line (usually drawn left to right or top to bottom). (Chronology: a record of events in the order of their occurrence).

time provider With respect to the NTP nomenclature, a time provider is a primary reference source, a courier is a secondary server intended to import time from one or more distant primary servers for local redistribution, and a server is intended to provide time for possibly many end nodes or clerks. (Mills, D. (March 1992), “Network Time Protocol (Version 3) Specification, Implementation and Analysis,” ftp://ftp.isi.edu/in-notes/rfc1305.txt.)

timestamp A sequence of characters, denoting the date and/or time at which a certain event occurred.

A timestamp is the time at which an event is recorded by a computer, not the time of the event itself.

In many cases, the difference may be inconsequential: the time at which an event is recorded by a timestamp (e.g., entered into a log file) should be very, very close to the time of the occurrence of the event recorded.

timestamping The practice of recording timestamps in a consistent manner along with the actual data. Because the timestamps are presented in a consistent format, two different records can be compared easily and progress can be tracked over time.

tracks The thin concentric circular strips on a floppy medium or platter surface which actually contain the magnetic regions of data written to a disk drive.

They form a circle and are (therefore) two-dimensional.

At least one head is required to read a single track. All information stored on the hard disk is recorded in tracks.

tree A data structure accessed beginning at the root node. Each node is either a leaf or a parent, which refers to child nodes.
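The tree vocabulary scattered through this glossary (node, parent, root, subtree, order as height, recursion, tree) in one added Python example that is not part of the glossary's source; the sample tree is constructed for the example.

```python
# Added example: a small general tree illustrating the glossary's tree terms.
# Not from the glossary's source.
from typing import List, Optional


class Node:
    """A tree node: holds some data and links to its parent and children."""

    def __init__(self, data, children: Optional[List["Node"]] = None):
        self.data = data
        self.parent: Optional["Node"] = None
        self.children: List["Node"] = []
        for child in children or []:
            self.add_child(child)

    def add_child(self, child: "Node") -> None:
        child.parent = self
        self.children.append(child)

    def is_root(self) -> bool:
        """The root is the one node with no parent."""
        return self.parent is None

    def is_leaf(self) -> bool:
        """A leaf has no children; every other node is a parent."""
        return not self.children

    def root(self) -> "Node":
        """Follow parent links upward until the root is reached."""
        node = self
        while node.parent is not None:
            node = node.parent
        return node

    def height(self) -> int:
        """Order in sense (1): height, computed recursively. A leaf has height 0;
        a parent's height is one more than its tallest subtree."""
        if self.is_leaf():
            return 0
        return 1 + max(child.height() for child in self.children)

    def size(self) -> int:
        """Number of nodes in this subtree, again by recursion over the children."""
        return 1 + sum(child.size() for child in self.children)

    def preorder(self) -> list:
        """Visit the node, then each subtree in turn."""
        result = [self.data]
        for child in self.children:
            result.extend(child.preorder())
        return result


def build_sample_tree() -> Node:
    """Constructed sample: A is the root; B and C are its subtrees; D, E, F are leaves."""
    b = Node("B", [Node("D"), Node("E")])
    c = Node("C", [Node("F")])
    return Node("A", [b, c])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(tree.preorder(), "height", tree.height(), "size", tree.size())
```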

Trojan Although Trojan horse programs are categorized as viruses, they are not true viruses, since they do not replicate.

It is a malicious program disguised as something benign, such as a screen saver.

When loaded onto a machine, a Trojan horse can capture information from the system—such as user names and passwords—or could allow a malicious hacker to remotely control the compromised computer.

Trojans are one of the sneakiest of the online risks. They are often downloaded on the back of a free program (freeware) that has some value to the user—a free game, software program, or music, for instance.

truechimer A clock that maintains timekeeping accuracy to a previously published (and trusted) standard.

tuple A particular kind of sequence, written like this: (1, 2, 3), or (C, H, S). Unlike lists, tuples are immutable.

unallocated Not allocated. Typically referring to disk space (see unallocated space).

unallocated space Defined as available disk space that is not allocated to any volume. The area of computer media, such as a hard drive, that does not contain normally accessible data. Unallocated space is usually the result of a file being deleted. When a file is deleted, it is not actually erased, but is simply no longer accessible through normal means.

The space that it occupied becomes unallocated space (i.e., space on the drive that can be reused to store new information). Until portions of the unallocated space are used for new data storage, in most instances, the old data remains and can be retrieved using forensic techniques.

unicode A 16-bit character encoding scheme allowing characters from Western European, Eastern European, Cyrillic, Greek, Arabic, Hebrew, Chinese, Japanese, Korean, Thai, Urdu, Hindi, and all other major world languages, living and dead, to be encoded in a single character set.

volume(s) In the context of computer operating systems, volume describes a single accessible storage area with a single file system, typically (though not necessarily) resident on a single partition of a hard disk.

Similarly, it refers to the logical interface used by an operating system to access data stored on some media using a single instance of a filesystem.

“Volume” can be used in place of the term “drive” where it is desirable to indicate that the entity in question is not a physical disk drive.

volume boot record (VBR) A type of boot sector, stored in a disc volume on a hard disk, floppy disk, or similar data storage device, that contains code for booting programs (usually, but not necessarily, operating systems) stored in other parts of the volume.

On nonpartitioned storage devices, it is the first sector of the device.

On partitioned devices, it is the first sector of an individual partition on the device, with the first sector of the entire device instead being a Master Boot Record (MBR).

witness An individual that, through sight, sound, touch, smell, and taste or any combination thereof can provide an evidentiary statement as to the investigated activity.

write blocker A specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive’s contents.

write protected Any physical mechanism that prevents modification or erasure of valuable data on a device. A piece of hardware (or software) that ensures a device that is used to acquire an image cannot write to the suspect media, which could potentially overwrite, damage, or invalidate the data.

zip file A file that has been compressed, or reduced in size, to save storage space and allow faster transferring across a network over the Internet. To read the information, the file must be uncompressed into its original form.
