Glossary & Terms
A forensics report can be confusing; this forensics glossary makes the terms in your report easy to understand.
Abuse of Power – Malfeasance in office or official misconduct: an action, taken by someone in a position of authority, that is not in accordance with policy or law.
Acceptable Use Policy – A policy that defines the permitted uses of an organization's computers, network, and data, and what constitutes misuse of them.
Acquisition – The beginning stage of a digital forensics investigation, in which the data involved is collected. Usually the media in question is copied bit by bit during this stage, and the copy is then examined in place of the original.
Active Files – Data that is readily available and not deleted.
Allocated Data – Data that is present on a drive or media, not deleted or written over.
Allocated Space – The area of a hard drive or media used by a file system to track and store files and their associated metadata.
Ambient Data – Data or information that is located in areas not normally accessible to the user. Usually is stored in the unallocated clusters, file slack, virtual memory, or other areas.
Bit – The smallest unit of data in a computer, has a single binary value of 1 or 0.
Bit-Stream Image – A sector-by-sector (bit-by-bit) copy of the original media, made during the preservation process. The image is verified by hashing both the original and the copy, which shows that each bit of the copy is a true and accurate reproduction of the original.
Byte – A unit of data consisting of a group of 8 bits; one byte can represent an alphanumeric character.
Carve – Searching unallocated space for deleted files based upon their header, footer, or other internal content rather than file system records. Used primarily to recover complete or partial files whose file system entries are no longer present; this works because deleting a file normally leaves its content on the media until it is overwritten.
Chain of Custody – The chronological and documented order and paper trail that records the sequence of custody, transfer, analysis, and disposition of physical and electronic evidence.
Cluster – A group of sectors that makes up the smallest unit of disk allocation for a file within a file system. It is the smallest amount of space a file system can track, so even a one-byte file is allocated a whole cluster.
Computer Forensics – A branch of digital forensic science that deals with evidence found in computers and other storage media. It involves examining media in a sound and acceptable manner to identify, preserve, recover, analyze, and then report the artifacts and metadata stored within.
Decryption – The process of converting encrypted data (data that has been rendered unreadable through encryption) back into its original, readable form. Bulk data is normally encrypted and decrypted with a symmetric key; where asymmetric (public-key) cryptography is involved, it typically protects only that symmetric key.
Deletion – The removal of a file from a file system. In most file systems only the file's directory entry and allocation records are removed; the file's content remains in the now unallocated clusters until it is overwritten, which is why deleted data is often recoverable.
Disk – Hard disk drive (hard drive): the physical disk that holds information.
Encryption – The process of encoding information or data in such a way that only authorized users can access it.
FAT – The File Allocation Table file system, developed by Microsoft in the 1970s and originally designed for use with floppy diskettes. A rudimentary file system, newer versions of FAT have been released over time to make use of larger storage devices and newer features, such as long file names. Because it is supported by most operating systems, FAT32 and its successor exFAT are routinely used for removable media that may be connected to computers running different OSes, such as a Windows 7 PC and an OS X MacBook Pro.
File Extension – The component of a file name after the final period that is conventionally used to indicate the type of file. It is only a label: an extension can be renamed freely, so an examiner relies on the file signature rather than the extension to determine the true type.
File Signature – The internal structure of the file, typically the header and footer that indicates the type of file.
File Slack – The unused portion of the last cluster allocated to a file.
File System – The organizational system by which files are stored, modified, and accessed within most digital storage devices.
Fixed Storage – Also known as primary storage, fixed storage refers to the storage devices within a computer that host its operating system, installed applications, and user data. Typically either hard disks or solid state disks, fixed storage is not intended to be disconnected from a computer and transported to another computer for subsequent connection. Although possible, fixed storage is typically only removed for an upgrade or replacement due to failure. Fixed storage may lack external buses or protections for transport, such as weather sealing or shock absorption.
Footer – The last bytes of a file that may also be used to indicate type of file.
Free Space – Space not currently assigned to any file and available for the file system to reuse. It typically still contains the contents of deleted files, which remain until the space is allocated to new files and overwritten.
GUID Partition Table – The successor to the master boot record. It allows for both more partitions and larger partitions to be created, and has more robust operating system support.
Hashing/Hash Value – The process of summarizing the contents of a file or an entire media image as a fixed-length value (the hash value or digest) that, for a sound algorithm such as SHA-256, is in practice unique to that content. If a single bit of the data changes, the hash value changes, so matching hash values taken from the original and the image are the standard evidence that the image is a true copy.
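The verification described under Bit-Stream Image and Hashing/Hash Value, as an added example that is not code from the glossary page. The "source media" and its image are constructed byte strings standing in for a drive and its raw copy; the streaming hash, the comparison, and the one-bit corruption are all assumptions of this example, not a description of any particular imaging tool.

```python
"""Hashing a media image and verifying a bit-stream copy against its source.

Added example, not code from the glossary page.  The 'source media' and its
image are constructed byte strings standing in for a drive and its raw copy.
"""
import hashlib
from typing import Dict, Tuple

# MD5 and SHA-1 still appear in older reports and tool output; SHA-256 is the one to rely on.
ALGORITHMS = ("md5", "sha1", "sha256")
SECTOR = 512


def hash_media(data: bytes, chunk_size: int = 64 * SECTOR) -> Dict[str, str]:
    """Hash the whole media incrementally, a block of sectors at a time, the way an
    imaging tool streams a multi-terabyte drive instead of loading it into memory.
    All algorithms are computed in a single pass over the data."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for offset in range(0, len(data), chunk_size):
        chunk = data[offset:offset + chunk_size]
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(source: bytes, image: bytes) -> Tuple[bool, Dict[str, str], Dict[str, str]]:
    """Acquisition check: accept the image only if every digest of the image equals
    the digest taken from the source before imaging.  Returns (verified, source
    digests, image digests) so both sets can go into the chain-of-custody record."""
    src, img = hash_media(source), hash_media(image)
    return src == img, src, img


def flip_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Corrupt one bit, modelling a single bad read or tampering with the image."""
    out = bytearray(data)
    out[byte_index] ^= 1 << bit
    return bytes(out)


# Constructed 4-sector 'drive', a faithful image of it, and an image with one bit wrong.
SOURCE_MEDIA = bytes(range(256)) * 8
GOOD_IMAGE = bytes(SOURCE_MEDIA)
BAD_IMAGE = flip_bit(SOURCE_MEDIA, 1500)

if __name__ == "__main__":
    for label, image in (("good image", GOOD_IMAGE), ("bad image", BAD_IMAGE)):
        ok, src, img = verify_image(SOURCE_MEDIA, image)
        print(f"{label}: verified={ok}")
        for name in ALGORITHMS:
            print(f"  {name:6s} source={src[name]}\n         image ={img[name]}")
```

The chunk size does not affect the digest, so a hash computed while streaming from a write-blocked drive is directly comparable with one computed later over the stored image file. The single flipped bit in the bad image changes every digest, which is the property a report relies on when it states that the original and image hashes match.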
Header – The beginning bytes of a file that indicate its type and the means by which it can be decoded.
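The Carve, File Signature, Footer, and Header entries above describe one technique: locating files by their magic bytes rather than by file system records. The following is an added example of that technique, not code from the glossary page. The signature table is a small illustrative subset, and the disk image is constructed inline (two empty sectors, a complete minimal "JPEG" whose directory entry is assumed to have been deleted, then a PNG whose tail has been overwritten).

```python
"""Carving a constructed raw image by header/footer signature.

Added example, not code from the glossary page.  The signature table is a
small illustrative subset, and the disk image is constructed inline.
"""
from typing import List, Optional, Tuple

# Header (magic bytes) and footer for a few common types.  A real carver
# carries hundreds of signatures and, for some types, derives the end of
# the file from an internal length field instead of a footer.
SIGNATURES = {
    "jpeg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAEB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def identify(data: bytes) -> Optional[str]:
    """Classify a blob by its header alone (the file signature), ignoring any name or extension."""
    for name, (header, _footer) in SIGNATURES.items():
        if data.startswith(header):
            return name
    return None


def carve(image: bytes, max_len: int = 1 << 20) -> List[Tuple[int, str, bytes, bool]]:
    """Find every occurrence of each known header anywhere in the image, including
    unallocated space, and cut out the bytes up to the matching footer.

    Returns (offset, type, payload, complete) tuples sorted by offset.  When no
    footer is found within max_len bytes the carve is reported as incomplete and
    up to max_len bytes are returned, which is what recovery tools do for a file
    whose tail has been overwritten.
    """
    results = []
    for name, (header, footer) in SIGNATURES.items():
        start = 0
        while (pos := image.find(header, start)) != -1:
            end = image.find(footer, pos + len(header), pos + max_len)
            if end == -1:
                results.append((pos, name, image[pos:pos + max_len], False))
                start = pos + len(header)
            else:
                end += len(footer)
                results.append((pos, name, image[pos:end], True))
                start = end
    return sorted(results, key=lambda r: r[0])


def build_sample_image() -> bytes:
    """Constructed image: two empty sectors, a complete minimal 'JPEG' at offset
    1024, slack, then at offset 1536 a PNG whose IEND footer was overwritten."""
    jpeg = b"\xFF\xD8\xFF\xE0" + b"J" * 20 + b"\xFF\xD9"
    png_partial = b"\x89PNG\r\n\x1a\n" + b"P" * 30
    return b"\x00" * 1024 + jpeg + b"\x00" * 486 + png_partial + b"\x00" * 100


if __name__ == "__main__":
    for offset, kind, payload, complete in carve(build_sample_image()):
        print(f"offset {offset:6d} sector {offset // 512:3d} {kind:5s} "
              f"{len(payload):4d} bytes {'complete' if complete else 'partial'}")
```

Both hits are found without any file system metadata, which is the point of carving; the PNG is returned as a partial carve because its footer is gone. On a real image the same scan is run across unallocated clusters and file slack, and fragmented files (whose sectors are not contiguous) are the case this simple header-to-footer approach cannot reassemble.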
Host Protected Area – A portion of a storage device that the drive hides from the operating system by reporting a smaller capacity than it actually has. Vendors use it for maintenance, diagnostics, or recovery data, and it is inaccessible to the end user through normal means, so an examiner should check for an HPA and include it when imaging the device.
Imaging – The process of creating a copy of a digital storage device, normally as a bit-stream image.
Logical Block Address – A modern form of addressing the sectors of a storage device that replaced the Cylinder/Head/Sector system. Sectors are addressed using numbers, starting at zero and incrementing by one. Although flash memory is organized differently than magnetic media, the translation layer converts addressing into LBA format as well.
Master Boot Record – A special sector at the very beginning (sector 0) of a partitioned storage device that holds the partition table describing how the logical partitions are organized. It also contains executable code that functions as the first-stage loader for the operating system, and it ends with the boot signature 0x55AA.
NTFS – The New Technology File System is Microsoft’s proprietary replacement for the FAT file systems used by default with Windows operating systems. First debuting with Windows NT 3.1, it has been the required file system for the Windows system volume since Windows Vista, although Windows still reads and writes FAT and exFAT on other volumes. NTFS incorporates many “modern” file system features, such as journaling, delayed writes, and access control lists.
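The Master Boot Record, Partition, and Logical Block Address entries fit together in one structure, parsed below as an added example that is not code from the glossary page. The MBR layout (446 bytes of boot code, four 16-byte partition entries at offset 446, signature 0x55AA) is the classic DOS layout; the sample MBR, its partition values, and the gap calculation are constructed for this example.

```python
"""Parsing a classic MBR and listing the sectors no partition covers.

Added example, not code from the glossary page.  The sample MBR is
constructed inline; the entry layout is the classic DOS partition table.
"""
import struct
from typing import Dict, List, Tuple

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# One entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4 LE) sector-count(4 LE)
ENTRY_FORMAT = "<B3sB3sII"


def is_mbr(sector: bytes) -> bool:
    """Cheap sanity check: correct length and the 0x55AA signature in the last two bytes."""
    return len(sector) == MBR_SIZE and sector[510:512] == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> List[Dict[str, int]]:
    """Return the non-empty primary partition entries, with LBA ranges computed.
    A type byte of 0x00 marks an unused slot; 0xEE would mark a GPT protective MBR."""
    if not is_mbr(sector):
        raise ValueError("not a 512-byte sector ending in 0x55AA: not an MBR, or damaged")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, off)
        if ptype == 0:
            continue
        entries.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_end": lba_start + count - 1,
            "sectors": count,
        })
    return entries


def unpartitioned_ranges(entries: List[Dict[str, int]], total_sectors: int) -> List[Tuple[int, int]]:
    """Sector ranges (after sector 0, the MBR itself) that belong to no partition.
    Data outside any file system, or what is left of a deleted partition, lives here."""
    covered = sorted((e["lba_start"], e["lba_end"]) for e in entries)
    gaps, cursor = [], 1
    for start, end in covered:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_mbr(partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct a sample MBR from (status, type, lba_start, count) tuples.
    Boot code is a two-byte 'jmp $' followed by zeros; CHS fields are set to
    0xFFFFFF, as tools do when the values exceed what CHS can express."""
    table = b"".join(
        struct.pack(ENTRY_FORMAT, status, b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", lba_start, count)
        for status, ptype, lba_start, count in partitions
    ).ljust(4 * ENTRY_SIZE, b"\x00")
    return (b"\xEB\xFE" + b"\x00" * 444) + table + BOOT_SIGNATURE


# Constructed disk: bootable NTFS partition (type 0x07) then a FAT32 LBA partition (0x0C).
SAMPLE_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x0C, 206848, 102400)])
SAMPLE_TOTAL_SECTORS = 400000

if __name__ == "__main__":
    parts = parse_mbr(SAMPLE_MBR)
    for p in parts:
        print(f"#{p['index']} type=0x{p['type']:02X} boot={p['bootable']} "
              f"LBA {p['lba_start']}-{p['lba_end']} ({p['sectors']} sectors)")
    print("unpartitioned:", unpartitioned_ranges(parts, SAMPLE_TOTAL_SECTORS))
```

The unpartitioned ranges are what an examiner should not skip: the sectors between the MBR and the first partition (where boot-sector malware and some loaders hide) and the tail of the device after the last partition. A bit-stream image of the whole device captures them; imaging only the partitions does not.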
Partition – This is the logical division of a storage device for a file system or Operating System installation.
Path – The folder hierarchy within a file system that indicates the logical storage location of a file. Also referred to as directories, files can be organized within different folders for efficiency or security’s sake. For example, if properly configured, files stored within the C:\Users\jim\Documents path are inaccessible by any user but “jim”. “Jim” may also separate pictures and video into a separate folder, indicated by the path C:\Users\jim\Media.
Physical Address – Physical address commonly refers to the sector in which data resides. The physical sector could be represented by either C/H/S or LBA addressing depending upon the age and design of the media.
Program/Application – A set of computer instructions designed to perform a specific task. For example, Microsoft Word is a program (or application) that enables a computer user to write, save, and print text and some graphics. Word can be used to create memos, letters, even books. Programs (or applications) are launched within and ultimately controlled by an operating system. Microsoft Word is available for purchase for both the Windows and OS X operating systems.
RAID – A Redundant Array of Independent Disks, wherein individual storage devices (commonly hard disks) are grouped to act as a single device. Disks can be grouped to act as a gestalt for either redundancy, increased bandwidth, or a combination of both. Common RAID levels include 0, 1, 5, and 6, as well as combinations of 1 and 0, known as 10, or 1+0.
RAM – Random-access memory is the temporary storage component of a computer. RAM is not intended to store data long-term, but rather cache it in a location that can be quickly accessed by the processor. RAM can be reallocated on the fly as either the operating system or individual applications require more or less of it. By design, the contents of RAM cannot be recovered after an extended power off or reboot. Some research has indicated that exceptions exist under very deliberate conditions. When engaged in a live response, the imaging of RAM for later review of cached processes is a standard practice.
Removable Storage – Storage devices designed for transport between computer systems. The most common example is the USB removable storage device, commonly known as a “thumb drive” or “memory stick”. These devices typically deploy a bus designed for external use, such as USB, and some form of protection, be it a plastic casing or more robust shock absorption.
Sector – A grouping of bytes for addressing purposes within a storage device. Just as 8 bits are grouped into 1 byte, traditionally 512 bytes are grouped into a sector. Due to increased storage capacities, sectors may be grouped into larger byte allocations, such as 4096 bytes; devices using sectors larger than 512 bytes are referred to as Advanced Format devices. Sectors are configured and assigned during the manufacturing process. Sectors are the smallest unit of data that can be written to or read from a storage device: if only 1 byte within a file is changed, the entire sector containing the change must be rewritten. Sector numbers are logical addresses; the device’s controller maps them onto the physical medium, so consecutive sector numbers are not necessarily physically adjacent (for example, where a failing sector has been remapped to a spare).
Slack – The space within a storage block not utilized by a file. There are two types of slack, RAM slack and file slack. For example, assume a hard disk has 512-byte sectors, upon which a file system using 4096-byte (8-sector) clusters is installed, and that one cluster occupies the sectors with LBA addresses 24-31. If a file smaller than 4096 bytes is written to the file system, some slack will reside within the cluster. Assume the file is 3073 bytes in size. This leaves 1023 bytes of slack within the cluster, contained within the last two sectors of the cluster (30 and 31), since files are stored linearly within a cluster. Only 1 byte of sector 30 is needed to finish the allocation of the file; the remaining 511 bytes are called RAM slack. Because nothing smaller than a sector can be read or written, all 512 bytes of sector 30 must be written: the final, single byte of the file, followed by 511 \x00 bytes to complete the sector write. RAM slack is so named because originally those 511 bytes were padded with whatever happened to be in the computer’s RAM buffer instead of \x00, which could leak unrelated data to disk. The contents of sector 31 are unchanged (neither read nor written): whatever data was last allocated within that sector and subsequently deleted (thereby freeing sector 31 for use by this file) remains. This slack, i.e. the slack that exists within a cluster after the RAM slack, is known as file slack.
Swap File – Also called the page file or, loosely, “virtual memory”: a temporary area, usually on the primary storage device, that the operating system uses as an overflow for RAM, typically when RAM is occupied by large amounts of data. Computers with small amounts of RAM will make more use of a swap file than a computer with a large amount of RAM. Because RAM is faster to read and write than primary storage, using a swap file in place of RAM is less than ideal, although some applications expressly require the presence and use of a swap file in order to function. RAM is not designed to retain data after a reboot or power off; instead it functions as a temporary scratchpad for the processor. Because primary storage devices do keep data after a power off or reboot, information representing past processes or user data may be recoverable from a swap file.
Wipe – The process of systematically overwriting any data resident in sectors upon a storage device. Wiping is used to eliminate the possibility of recovering any previously allocated or deleted data. Modern wiping tools allow for the overwriting of individual files (commonly called “secure deletion”), the overwriting of only unallocated clusters, or the overwriting of an entire storage device. Although a pattern of \x00 is typically used, any pattern can be used to overwrite existing data. On solid state devices, wear leveling means an overwrite of a file or of unallocated space does not necessarily reach the flash blocks that held the old data; reliably wiping a whole SSD requires the drive’s own built-in secure erase (sanitize) command.
Write Blocker – A hardware device or software application designed to prevent an operating system from making any changes to the contents of a connected storage device. Typically used for imaging or triage purposes, write blockers exist because modern operating systems routinely make changes to connected storage devices (mounting, indexing, updating timestamps), even if the device is not the installed primary storage. Write blockers only stop commands sent from the connected computer at the operating system and driver level. They cannot stop maintenance functions of the device’s own controller, so on an SSD or eMMC device the controller’s garbage collection may continue to purge blocks previously marked free by TRIM even while a write blocker is in place, which is one reason to hash the device at the start and end of an acquisition.
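The worked slack example above (512-byte sectors, 8-sector clusters at LBA 24-31, a 3073-byte file) carried through in code, as an added example that is not from the glossary page. It generalizes the arithmetic to any file size, sector size, and cluster size, and models the sector-granular write so the RAM slack padding and the untouched file slack can be seen in the bytes; the layout parameters and the "old" cluster contents are constructed assumptions.

```python
"""RAM slack and file slack: the glossary's worked example, generalized.

Added example, not code from the glossary page.  Defaults reproduce the
glossary's numbers (512-byte sectors, 8-sector clusters, cluster at LBA 24).
"""
import math
from typing import Dict, List


def slack_layout(file_size: int, sector_size: int = 512,
                 sectors_per_cluster: int = 8, first_lba: int = 24) -> Dict[str, object]:
    """Where the file's bytes, RAM slack and file slack fall in its last cluster."""
    if file_size <= 0:
        raise ValueError("file_size must be positive")
    cluster_size = sector_size * sectors_per_cluster
    clusters = math.ceil(file_size / cluster_size)
    used_in_last = file_size - (clusters - 1) * cluster_size       # 1..cluster_size
    sectors_written = math.ceil(used_in_last / sector_size)        # whole sectors the tail needs
    ram_slack = sectors_written * sector_size - used_in_last       # padding inside the last written sector
    file_slack = cluster_size - sectors_written * sector_size      # sectors never touched by this write
    last_cluster_first_lba = first_lba + (clusters - 1) * sectors_per_cluster
    last_written_lba = last_cluster_first_lba + sectors_written - 1
    untouched: List[int] = list(range(last_written_lba + 1,
                                      last_cluster_first_lba + sectors_per_cluster))
    return {
        "clusters": clusters,
        "total_slack": ram_slack + file_slack,
        "ram_slack": ram_slack,
        "file_slack": file_slack,
        "last_written_lba": last_written_lba,
        "untouched_lbas": untouched,
    }


def simulate_cluster_write(old_cluster: bytes, data: bytes, sector_size: int = 512) -> bytes:
    """Model of the disk write at sector granularity.  The last partial sector is
    padded with \\x00 (modern RAM slack); sectors after it are not written at all,
    so whatever was there before (the deleted previous occupant) survives as file slack."""
    if len(data) > len(old_cluster):
        raise ValueError("data does not fit in one cluster")
    new = bytearray(old_cluster)
    written = math.ceil(len(data) / sector_size) * sector_size
    new[:written] = data.ljust(written, b"\x00")
    return bytes(new)


# Constructed previous occupant of the cluster: a deleted file that filled all 4096 bytes.
OLD_CLUSTER = b"OLD!" * 1024
NEW_FILE = b"F" * 3073

if __name__ == "__main__":
    layout = slack_layout(len(NEW_FILE))
    print(layout)
    cluster = simulate_cluster_write(OLD_CLUSTER, NEW_FILE)
    for lba in range(24, 32):
        sec = cluster[(lba - 24) * 512:(lba - 23) * 512]
        print(f"LBA {lba}: {sec[:4]!r} ... {sec[-4:]!r}")
```

Running it shows sector 30 ending in zeros (RAM slack) and sector 31 still reading `OLD!` (file slack): the examiner can recover up to 512 bytes of the deleted file from that sector even though a new file now owns the cluster. Change `file_size` to 4097 and the tail moves into a second cluster, leaving seven untouched sectors of file slack.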