
Glossary of Key Terms

A

American Standard Code for Information Interchange (ASCII)

A 7-bit character encoding standard that defines 128 codes: the printable letters, digits, and punctuation, plus control characters such as carriage return, line feed, and tab (which is how the return and spacebar keys are represented in text).

Anonymous remailing

The process of sending an email message through an anonymizer (remailer). The remailer strips the identifying headers from the message before forwarding it, so the recipient sees only the remailer’s IP address rather than the original sender’s.

Anti-forensics

The actions that perpetrators take to conceal their locations, activities, or identities.

Asymmetric cryptography

Cryptography wherein two mathematically related keys are used: a public key to encrypt the message (or verify a signature) and a private key to decrypt it (or sign). Knowing the public key does not reveal the private key.

B

Base transceiver station (BTS)

The part of the cell network responsible for communications between the mobile phone and the network switching system.

Basic input/output system (BIOS)

The basic instructions stored on a chip for booting up the computer.

Bit-level information

Information at the level of actual 1s and 0s stored in memory or on the storage device.

Block cipher

A form of symmetric cryptography that encrypts data one fixed-size block at a time. Older ciphers such as DES, 3DES, and Blowfish use 64-bit blocks; AES uses 128-bit blocks.

Bootstrap environment

A special program, such as U-Boot or RedBoot, that is stored in a special section of the flash memory.

Brute-force attack

An attack in which the attacker tries to decrypt a message by simply applying every possible key in the keyspace.

Business continuity plan (BCP)

A plan for maintaining minimal operations until the business can return to full normal operations.

Business impact analysis (BIA)

An analysis of how specific incidents might impact the business operations.

C

Caesar cipher

The method of cryptography in which someone chooses a number by which to shift each letter of a text in the alphabet and substitutes the new letter for the letter being encrypted. For example, if your text is “A CAT,” and you choose to shift by two letters, your encrypted text is “C ECV.” It is the simplest monoalphabetic (single-alphabet) substitution cipher; because there are only 25 useful shifts, it is broken by simply trying each one.

Carrier

The signal, stream, or data file into which the payload is hidden.

Cell-phone forensics

The process of searching the contents of cell phones.

Chain of custody

The continuity of control of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

Channel

The type of medium used to hide data in steganography. This may be photos, video, sound files, or Voice over IP.

Clean room

An environment that has a controlled level of contamination, such as from dust, microbes, and other particles.

Cloud computing

The practice of delivering hosted services over the Internet. This can be software as a service, platform as a service, or infrastructure as a service.

Computer forensics

The use of analytical and investigative techniques to identify, collect, examine, and preserve computer-based material for presentation as evidence in a court of law.

Consistency checking

A technique for file system repair that involves scanning a disk’s logical structure and ensuring that it is consistent with its specification.

Cryptanalysis

The analysis of a cipher or of ciphertext to recover the plaintext or the key without being given the key, using techniques other than simply trying every key (for example, frequency analysis or the Kasiski examination).

Curriculum vitae (CV)

An extensive document expounding one’s experience and qualifications for a position, similar to a résumé but with more detail. In academia and expert work, a CV is usually used rather than a résumé.

Cyberstalking

The use of electronic communications to harass or threaten another person.

D

Data consistency

The act of ensuring that the data extracted matches the source it was taken from. In practice this is verified by comparing cryptographic hashes of the original and the copy.

Daubert standard

The standard, from Daubert v. Merrell Dow Pharmaceuticals (1993), under which the trial judge acts as gatekeeper and admits expert testimony only if it rests on reliable, scientifically valid methods. Factors include whether the method has been tested, has been peer reviewed, has a known error rate, is governed by standards, and is generally accepted in the relevant scientific community.

Demonstrative evidence

Information that helps explain other evidence. An example is a chart that explains a technical concept to the judge and jury.

Denial of service (DoS) attack

An attack designed to overwhelm the target system so it can no longer reply to legitimate requests for connection.

Digital evidence

Information that has been processed and assembled so that it is relevant to an investigation and supports a specific finding or determination.

Disaster recovery plan (DRP)

A plan for returning the business to full normal operations.

Disk forensics

The process of acquiring and analyzing information stored on physical storage media, such as computer hard drives or smartphones.

Disk Operating System (DOS)

A command-line operating system.

Distributed denial of service (DDoS) attack

An attack in which the attacker seeks to infect several machines, and use those machines to overwhelm the target system to achieve a denial of service.

Documentary evidence

Data stored in written form, on paper or in electronic files, such as email messages and telephone call-detail records. Investigators must authenticate documentary evidence.

Dump

A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper.

E

Electronic serial number (ESN)

A 32-bit unique identification number, created under U.S. Federal Communications Commission (FCC) rules, that identifies CDMA and older analog cell phones. In its original form, the first 8 bits identify the manufacturer and the remaining 24 bits uniquely identify the phone; it has since been superseded by the MEID.

Email forensics

The study of the source and content of email as evidence, including the identification of the sender, recipient, date, time, and origination location of an email message.

Enhanced Data Rates for GSM Evolution (EDGE)

A technology that does not fit neatly into the 2G/3G/4G progression. It is technically pre-3G (often called 2.75G) but was an improvement in data rates over GSM (2G).

Euler’s Totient

For a positive integer n, Euler’s totient φ(n) is the number of integers from 1 to n that are coprime to n, where two numbers are coprime if their greatest common divisor is 1. For a prime p, φ(p) = p - 1, and for an RSA modulus n = pq, φ(n) = (p - 1)(q - 1), which is what RSA uses to derive the private exponent from the public one.
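The definition above, worked in code. This is an added example, not part of the original glossary: it computes φ(n) both by counting coprimes and from the prime factorisation, and shows why RSA needs φ(n) by deriving a private exponent d with the textbook toy parameters p = 61, q = 53, e = 17 (assumed for illustration; real keys use primes of a thousand or more bits).

```python
from math import gcd


def phi_by_counting(n):
    """phi(n) straight from the definition: count k in 1..n with gcd(k, n) == 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def phi_from_factors(factors):
    """phi(n) from the prime factorisation {p: exponent}.

    Uses phi(p^e) = (p - 1) * p^(e - 1) and multiplicativity of phi,
    so phi(12) = phi(2^2) * phi(3) = 2 * 2 = 4.
    """
    result = 1
    for p, e in factors.items():
        result *= (p - 1) * p ** (e - 1)
    return result


def rsa_toy(p, q, e, message):
    """Derive an RSA private exponent from phi(n) and round-trip one message.

    Toy parameters only (assumption for the example). Returns (d, ciphertext,
    recovered_message). Requires Python 3.8+ for pow(e, -1, phi).
    """
    n = p * q
    phi = (p - 1) * (q - 1)            # phi(n) for n = p*q, p and q prime
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n) for an inverse to exist")
    d = pow(e, -1, phi)                # d * e == 1 (mod phi(n))
    ciphertext = pow(message, e, n)
    recovered = pow(ciphertext, d, n)  # m^(e*d) == m (mod n) by Euler's theorem
    return d, ciphertext, recovered


if __name__ == "__main__":
    print("phi(10) =", phi_by_counting(10), "=", phi_from_factors({2: 1, 5: 1}))
    print("RSA toy (d, c, m):", rsa_toy(61, 53, 17, 65))
```

Knowing φ(n) is equivalent to knowing the factorisation of n, which is why an attacker who can factor the modulus can recompute d exactly as `rsa_toy` does.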

Expert report

A formal document prepared by a forensics specialist to document an investigation, including a list of all tests conducted as well as the specialist’s own curriculum vitae (CV). Anything the specialist plans to testify about at a trial must be included in the expert report.

Expert testimony

The testimony of an expert witness, one who testifies on the basis of scientific or technical knowledge relevant to a case, rather than personal experience.

F

Feistel function

A structure for building symmetric block ciphers in which each round splits the block into two halves, applies a round function to one half under a subkey, XORs the result into the other half, and swaps the halves. Because the round function itself is never inverted, decryption runs the same rounds with the subkeys in reverse order. DES is a Feistel cipher, and the design is one of the most influential developments in symmetric block ciphers.
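A minimal Feistel network, added here as an example and not taken from the glossary or from any real cipher: the round function is a deliberately arbitrary, non-invertible hash-based mix (an assumption for the demonstration), and the key schedule is likewise illustrative. The point it shows is that decryption is the identical routine with the subkeys reversed, which only works because of the swap-and-XOR structure.

```python
import hashlib

HALF_MASK = 0xFFFFFFFF  # 64-bit block split into two 32-bit halves


def round_function(half, subkey):
    """Toy round function F (assumption: not any real cipher's F).

    Any function works here, even a non-invertible one, because the Feistel
    structure only ever XORs F's output into the other half.
    """
    data = half.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def key_schedule(key, rounds):
    """Derive one 32-bit subkey per round from the key (illustrative only)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(rounds)]


def feistel(block, subkeys):
    """Run the Feistel rounds over a 64-bit block in the given subkey order."""
    left, right = block >> 32, block & HALF_MASK
    for k in subkeys:
        # L_{i+1} = R_i ;  R_{i+1} = L_i XOR F(R_i, k_i)
        left, right = right, left ^ round_function(right, k)
    # Undo the final swap so decryption is this same routine with reversed keys.
    return (right << 32) | left


def encrypt_block(block, key, rounds=16):
    return feistel(block, key_schedule(key, rounds))


def decrypt_block(block, key, rounds=16):
    return feistel(block, key_schedule(key, rounds)[::-1])


def trace_rounds(block, key, rounds=4):
    """Return the (left, right) halves after each round, to watch them swap."""
    left, right = block >> 32, block & HALF_MASK
    states = []
    for k in key_schedule(key, rounds):
        left, right = right, left ^ round_function(right, k)
        states.append((left, right))
    return states


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt_block(pt, b"secret")
    print("ciphertext %016x -> plaintext %016x" % (ct, decrypt_block(ct, b"secret")))
```

Note that a Feistel round never needs F to be invertible; that is exactly what let DES use a lossy S-box-based round function while remaining decryptable.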

File slack

The unused space between the logical end of file and the physical end of file. It is also called slack space.

Foreign Intelligence Surveillance Act of 1978 (FISA)

A U.S. law that prescribes procedures for the physical and electronic surveillance and collection of “foreign intelligence information” between foreign powers and agents of foreign powers, which may include U.S. citizens and permanent residents suspected of espionage or terrorism.

Fraud

A broad category of crime that can encompass many different activities, but essentially, any attempt to gain financial reward through deception.

G

Global System for Mobile (GSM) communications

A standard developed by the European Telecommunications Standards Institute (ETSI). Basically, GSM is the 2G network.

Graphical user interface (GUI)

A point-and-click user interface.

grep

A standard Linux/UNIX command-line tool that searches files or input for lines matching a regular expression.

GRUB (Grand Unified Bootloader)

The boot loader used by most current Linux distributions; it succeeded LILO and can load multiple operating systems.

H

Hash

A one-way function that takes variable-length input and produces fixed-length output. Collisions (two inputs with the same output) necessarily exist, but for a cryptographic hash such as SHA-256 they must be infeasible to find, which is why a hash of a forensic image can be used to prove it matches the original.

Heap (H)

Dynamic memory for a program comes from the heap segment. A process may use a memory allocator such as malloc to request dynamic memory.

Hierarchical storage management (HSM)

A data-storage technique that automatically moves data between fast, expensive media and slower, cheaper media (such as tape) according to how often it is accessed, so rarely used files remain available online but are stored economically.

Hive

A logical group of Registry keys, subkeys, and values that is stored in a single file on disk. The core system hives (SAM, SECURITY, SOFTWARE, SYSTEM, DEFAULT) live under %SystemRoot%\System32\config, and each user’s hive is NTUSER.DAT in the user’s profile; the five root keys shown in Registry Editor (HKEY_LOCAL_MACHINE and so on) are views assembled from these hives.

Home location register (HLR)

The database used by the MSC for subscriber data and service information.

I

Identity theft

The unauthorized use of another person’s identifying information (name, Social Security number, account numbers) to obtain credit, goods, services, or other benefits in that person’s name.

Inode

A data structure in the file system that stores all the information about a file except its name and its actual data.

Integrated Circuit Card Identifier (ICCID)

A unique serial number that identifies each SIM. These numbers are engraved on the SIM during manufacturing.

International Mobile Equipment Identity (IMEI) number

A unique 15-digit number identifying GSM, UMTS, and LTE handsets independently of the SIM. The first 8 digits (the Type Allocation Code) identify the manufacturer and model, the next 6 are the device’s serial number, and the last is a Luhn check digit.

Internet forensics

The process of piecing together where and when a user has been on the Internet.

Internet Message Access Protocol (IMAP)

A protocol used to retrieve email from a server while leaving the messages stored there; it works on port 143 (993 when wrapped in TLS).

Intrusion detection system

A system that monitors network traffic looking for suspicious activity.

ISO9660

A file system used with CDs.

K

Kasiski examination

A method of attacking polyalphabetic substitution ciphers by deducing the length of the keyword. This is sometimes also called Kasiski’s test or Kasiski’s method.

Keyspace

The set of all possible keys for a cipher. Its size determines the cost of a brute-force attack: an n-bit key gives 2^n possible keys.

L

Least significant bit (LSB)

In steganography, the lowest-order bit of each byte or sample in the carrier (for example, one color channel of a pixel) is replaced with one bit of the payload. Changing it alters the value by at most 1, which is imperceptible in images and audio.
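LSB embedding and extraction, as an added example that is not part of the glossary. The carrier is a constructed byte array standing in for the raw pixel bytes of an 8-bit grayscale image (an assumption; a real tool would read the pixel buffer from a PNG or BMP), and the payload is prefixed with a 4-byte length so the extractor knows where to stop.

```python
HEADER_BYTES = 4  # big-endian payload length stored ahead of the payload


def capacity(carrier):
    """Payload bytes that fit: one bit per carrier byte, minus the length header."""
    return len(carrier) // 8 - HEADER_BYTES


def embed_lsb(carrier, payload):
    """Overwrite the least significant bit of successive carrier bytes with payload bits."""
    if len(payload) > capacity(carrier):
        raise ValueError("carrier too small: capacity %d bytes, payload %d bytes"
                         % (capacity(carrier), len(payload)))
    message = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in message for i in range(8)]
    out = bytearray(carrier)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit    # clear LSB, then set it to the payload bit
    return bytes(out)


def _read_lsb_bytes(stego, byte_offset, count):
    """Reassemble `count` bytes from the LSBs starting at carrier byte `byte_offset`."""
    result = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[byte_offset + b * 8 + i] & 1)
        result.append(value)
    return bytes(result)


def extract_lsb(stego):
    """Read the length header, then exactly that many payload bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, HEADER_BYTES), "big")
    if HEADER_BYTES + length > len(stego) // 8:
        raise ValueError("declared payload length exceeds carrier; not an LSB message?")
    return _read_lsb_bytes(stego, HEADER_BYTES * 8, length)


def max_byte_change(original, stego):
    """Largest per-byte difference the embedding caused (should be 0 or 1)."""
    return max(abs(a - b) for a, b in zip(original, stego))


# Constructed carrier: 2048 synthetic grayscale sample bytes, not a real image.
CARRIER = bytes((x * 7 + 13) % 256 for x in range(2048))

if __name__ == "__main__":
    stego = embed_lsb(CARRIER, b"meet at dawn")
    print(extract_lsb(stego), "max change:", max_byte_change(CARRIER, stego))
```

Because every carrier byte moves by at most one, the change is invisible to a viewer but not to steganalysis: LSB planes of natural images are not uniformly random, and a sudden run of high-entropy LSBs at the start of the pixel data is a classic tell.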

Life span

A term that refers to how long data will last. The term is related to volatility. More volatile data tends to have a shorter life span.

LILO (Linux Loader)

One of the Linux boot loaders.

Live system forensics

The process of searching memory in real time, typically for working with compromised hosts or to identify system abuse.

Logical analysis

Analysis involving using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data.

Logical damage

Damage to how the data is stored—for example, file system corruption.

Logic bomb

Malware that executes its damage when a specific condition is met.

Long Term Evolution (LTE)

A standard for wireless communication of high-speed data for mobile devices. This is what is commonly called 4G.

M

Master boot record (MBR)

The first sector (sector 0, 512 bytes) of a disk partitioned with the legacy BIOS scheme. It holds the initial boot code, the four-entry partition table, and the 0x55AA signature; the BIOS loads it to begin booting the active partition. GPT disks keep only a protective MBR in its place.
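An MBR partition-table parser, added as an example that is not part of the original glossary. It constructs a synthetic 512-byte sector (no real disk is read) and then decodes the four 16-byte entries at offset 446 the way a forensic tool does before carving, including a scan for unpartitioned sector ranges, which are a common place to look for hidden data.

```python
import struct

ENTRY_FORMAT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
TABLE_OFFSET = 446
SECTOR_SIZE = 512
PARTITION_TYPES = {
    0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def build_mbr(entries):
    """Construct a synthetic MBR for the example (not taken from any real disk).

    entries: list of (status, type_code, lba_start, sector_count), at most four.
    CHS fields are filled with the 0xFE 0xFF 0xFF 'use LBA' placeholder.
    """
    sector = bytearray(SECTOR_SIZE)
    for i, (status, ptype, lba_start, count) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, count)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)


def parse_mbr(sector):
    """Decode the partition table; raises if the sector is not a valid MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:            # empty slot
            continue
        parts.append({
            "index": i,
            "bootable": status == 0x80,
            "type_code": ptype,
            "type": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
            "lba_start": lba_start,
            "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,   # where to seek in the image
        })
    return parts


def find_gaps(parts, total_sectors):
    """Sector ranges [start, end) covered by no partition; sector 0 is the MBR itself."""
    gaps = []
    cursor = 1
    for p in sorted(parts, key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


# Constructed layout: a bootable NTFS partition and a Linux partition on a 1,000,000-sector disk.
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)])

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(p)
    print("unpartitioned:", find_gaps(parts, 1000000))
```

The gap before sector 2048 is normal alignment padding on modern disks, but its boot code area and any large trailing gap deserve a look during an examination.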

Maximum tolerable downtime (MTD)

The length of time a system can be down before the business cannot recover.

Mean time between failures (MTBF)

The average length of time a piece of equipment operates between failures under normal use.

Mean time to repair (MTTR)

The average time needed to repair a given piece of equipment and return it to service.

Mobile switching center (MSC)

A switching system for a cellular network.

Moore’s law

The observation by Gordon Moore of Intel Corporation that the number of transistors on an integrated circuit doubles roughly every two years (often quoted as 18 to 24 months), so that computing capacity per dollar rises at a corresponding rate.

Multiple-input multiple-output (MIMO)

The wireless technology that uses multiple antennas to coherently resolve more information than possible using a single antenna.

N

Network forensics

The process of examining network traffic, including transaction logs and real-time monitoring.

P

Payload

The data to be covertly communicated. In other words, it is the message you want to hide.

Personal identification number (PIN)

A numeric code, typically four to eight digits, that must be entered to unlock a SIM card when the phone is powered on. After three incorrect attempts the SIM locks itself and the PUK is required.

Personal unlocking code (PUK)

An eight-digit code, held by the carrier, that unlocks a SIM after too many wrong PIN entries. Ten incorrect PUK entries permanently disable the SIM, a risk an examiner must weigh before guessing.

Physical analysis

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system.

Physical damage

Damage to actual hard drive parts; for example, a damaged platter or spindle.

Post Office Protocol version 3 (POP3)

A protocol used to download email from a server, typically deleting it from the server afterward; it works on port 110 (995 over TLS).

Power-on self test (POST)

This is a brief hardware test the BIOS performs upon boot-up.

Protected computer

Under the Computer Fraud and Abuse Act (18 U.S.C. § 1030), a computer used exclusively by a financial institution or the U.S. government, or any computer used in or affecting interstate or foreign commerce or communication, which in practice covers almost any Internet-connected computer.

R

Rainbow table

A precomputed time-memory trade-off table used to crack unsalted password hashes. Rather than storing the hash of every password in a character space, it stores only the start and end of long chains that alternate a hash function with a reduction function, so a captured hash can be reversed with far less storage than a full lookup table. Salting each password defeats rainbow tables because a separate table would be needed per salt.
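A toy rainbow table, added as an example and not part of the glossary, over the space of three-letter lowercase passwords (17,576 candidates). The hash function, reduction functions, chain length, and start points are all assumptions chosen for the demonstration; the structure (hash, reduce, hash, reduce, store only the chain ends, walk backwards from the target on lookup) is the real technique.

```python
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN       # 17576 candidate passwords


def hash_pw(pw):
    """The unsalted hash being attacked (SHA-256 here; any fixed hash works)."""
    return hashlib.sha256(pw.encode()).digest()


def index_to_pw(i):
    """Map an integer in [0, SPACE) to a password string."""
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[i % len(ALPHABET)])
        i //= len(ALPHABET)
    return "".join(chars)


def reduce_fn(digest, step):
    """Map a digest back into the password space.

    A different reduction per chain position (the `step` offset) is what makes
    this a rainbow table rather than a Hellman table, and limits chain merges.
    """
    return index_to_pw((int.from_bytes(digest[:8], "big") + step) % SPACE)


def walk_chain(start, steps):
    """Follow a chain `steps` links from `start`: pw -> reduce(hash(pw))."""
    pw = start
    for step in range(steps):
        pw = reduce_fn(hash_pw(pw), step)
    return pw


def build_table(start_points, chain_len):
    """Precompute chains; keep only endpoint -> start points (chains may merge)."""
    table = {}
    for start in start_points:
        table.setdefault(walk_chain(start, chain_len), []).append(start)
    return table


def lookup(table, target, chain_len):
    """Recover the password for `target` if some chain's hash sequence contains it."""
    for i in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the hash at position i of some chain.
        pw = reduce_fn(target, i)
        for step in range(i + 1, chain_len):
            pw = reduce_fn(hash_pw(pw), step)
        # pw is now the endpoint that chain would have; regenerate matching chains.
        for start in table.get(pw, []):
            cand = start
            for step in range(chain_len):
                if hash_pw(cand) == target:
                    return cand
                cand = reduce_fn(hash_pw(cand), step)
            # Endpoint collision without the target present: a false alarm.
    return None


# Constructed table: 200 chains of 50 links, so at most 10,000 hashes are covered
# by only 200 stored pairs. Coverage is partial by design; that is the trade-off.
CHAIN_LEN = 50
START_POINTS = [index_to_pw((i * 97) % SPACE) for i in range(200)]
TABLE = build_table(START_POINTS, CHAIN_LEN)

if __name__ == "__main__":
    victim = walk_chain(START_POINTS[0], 3)     # a password known to lie on chain 0
    print("stored pairs:", len(TABLE), "recovered:", lookup(TABLE, hash_pw(victim), CHAIN_LEN))
```

Compare the storage: a full lookup table for this space holds 17,576 hash entries, while the rainbow table holds at most 200 endpoints and trades the difference for roughly chain_len squared hash evaluations per lookup. Adding a per-user salt to the hash input changes every chain, which is why salted hashes are not practically attackable this way.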

Real evidence

Physical objects that can be touched, held, or directly observed, such as a laptop with a suspect’s fingerprints on it or a handwritten note.

Routing table

A table in a router or host that maps destination networks (IP prefixes) to the next-hop address and outgoing interface used to reach them. (Which MAC addresses sit behind which switch port is tracked by a separate MAC address table, not the routing table.)

Rules of evidence

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury.

S

Scrubber

Software that cleans unallocated space. Also called a sweeper.

Simple Mail Transfer Protocol (SMTP)

A protocol used to send email; it works on port 25 for server-to-server relay and on port 587 for authenticated client submission.

Slack space

The unused space between the logical end of file and the physical end of file. It is also called file slack.

Slurred image

The result of acquiring a file as it is being updated.

Sniffer

The computer software or hardware that can intercept and log traffic passing over a digital network.

Social engineering

Nontechnical means of obtaining information you would not normally have access to.

Software forensics

The process of examining malicious computer code.

Spoofing

The act of making an email message appear to come from someone or someplace other than the real sender or location; more generally, forging any source identity, such as an IP address or caller ID.

Stack (S)

The memory region that holds function call frames (return addresses, saved registers, and local variables). Frames are pushed and popped in last-in, first-out (LIFO) order as functions are called and return.

Steganalysis

The determination of whether a file or communication hides other information.

Steganography

The art and science of writing hidden messages.

Steganophony

The use of steganography with sound files.

Stream cipher

A form of symmetric cryptography that generates a keystream from the key and combines it with the plaintext one bit or byte at a time, usually by XOR.

Subscriber Identity Module (SIM)

A card that identifies a phone with a user and a number.

Substitution

In cryptography, the method of changing some part of the plaintext for some matching part of ciphertext.

Sweeper

A kind of software that cleans unallocated space. Also called a scrubber.

Symmetric cryptography

Those methods where the same key is used to encrypt and decrypt the plaintext.

T

Temporary data

Data that an operating system creates and overwrites without the computer user taking a direct action to save this data.

Testimonial evidence

Information that forensic specialists use to support or interpret real or documentary evidence; for example, to demonstrate that the fingerprints found on a keyboard are those of a specific individual.

Test system

A functional system compatible with the hard drive from which someone is trying to recover data.

Three-way handshake

The process by which a TCP connection is established: the client sends a SYN, the server replies with SYN-ACK, and the client answers with ACK, after which data can flow.

Transposition

In cryptography, rearranging the positions of the plaintext characters (or blocks) according to a rule without changing the characters themselves, as opposed to substitution, which replaces them.

U

Unallocated space

The area of a storage device not currently assigned to any file by the file system. It includes space that has never been used as well as space released when files are deleted, which is why deleted data can often be recovered from it.

Unicode

The international standard for encoding the characters of the world’s writing systems, stored in forms such as UTF-8 and UTF-16.

Universal Disk Format (UDF)

A file system used with DVDs.

Universal Mobile Telecommunications System (UMTS)

A 3G standard based on GSM.

USA Patriot Act of 2001

An act passed into law as a response to the terrorist attacks of September 11, 2001, that significantly reduced restrictions on law enforcement agencies’ gathering of intelligence within the United States; expanded the Secretary of the Treasury’s authority to regulate financial transactions, particularly those involving foreign individuals and entities; and broadened the discretion of law enforcement and immigration authorities in detaining and/or deporting immigrants suspected of terrorism and related acts.

V

Vigenère cipher

A method of encrypting alphabetic text by using a series of different monoalphabetic ciphers selected based on the letters of a keyword. A polyalphabetic cipher.

Virus

Malware that self-replicates by attaching itself to other programs or files; unlike a worm, it generally needs a host file and some user action to spread.

Visitor location register (VLR)

A database used by the MSC for roaming phones.

Volatile data

Data that changes rapidly and may be lost when the machine that holds it is powered down.

Volatile memory

Computer memory that requires power to maintain the data it holds. RAM is volatile and loses its contents at power-off; EEPROM and flash retain their contents without power and are nonvolatile.

Volatile memory analysis

A live system forensic technique in which you collect a memory dump and perform analysis in an isolated environment.

Z

Zero-knowledge analysis

A technique for file system repair that involves recovering data from a damaged partition with limited knowledge of the file system.
