Glossary of digital forensics terms

Digital forensics is a branch of the forensic sciences related to the investigation of digital devices and media. Within the field a number of "normal" forensics words are re-purposed, and new specialist terms have evolved.

Acquisition: The process of creating a duplicate copy of digital media for the purposes of examining it^[1]
Computational forensics: Computational forensics are digital forensics with the use of artificial intelligence.
Digital media: Used within the fields to refer to the physical medium (such as a hard drive) or data storage device
E-discovery or eDiscovery: A common acronym for electronic discovery ^[2]
exhibit: Digital media seized for investigation is usually referred to as an "exhibit"^[2]
hashing: Within the field "hashing" refers to the use of hash functions (e.g. CRC, SHA1 or MD5) to verify that an "image" is identical to the source media^[2]
Image: A duplicate copy of some digital media created as part of the forensic process^[3]
Imaging: Synonym of "acquisition"^[1]
Live analysis: Analysis of a piece of digital media from within itself; often used to acquire data from RAM where this would be lost upon shutting down the device^[2]
Slack space: The unused space at the end of a file in a file system that uses fixed size clusters (so if the file is smaller than the fixed block size then the unused space is simply left). Often contains deleted information from previous uses of the block
Steganography: The word steganography comes from the Greek name “steganos” (hidden or secret) and “graphy” (writing or drawing) and literally means hidden writing. Steganography uses techniques to communicate information in a way that is hidden.^[4]
Unallocated space: Clusters of a media partition not in use for storing any active files. They may contain pieces of files that were deleted from the file partition but not removed from the physical disk ^[5]
Verification: A term used to refer to the hashing of both source media and acquired image to verify the accuracy of the copy
Write blocker: The common name used for a forensic disk controller, hardware used to access digital media in a read only fashion^[3]

Related Research Articles

Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the information is not evident to human inspection. In computing/electronic contexts, a computer file, message, image, or video is concealed within another file, message, image, or video. The word steganography comes from Greek steganographia, which combines the words steganós, meaning "covered or concealed", and -graphia meaning "writing".

A disk image is a snapshot of a storage device's structure and data typically stored in one or more computer files on another storage device.

In information technology, a backup, or data backup is a copy of computer data taken and stored elsewhere so that it may be used to restore the original after a data loss event. The verb form, referring to the process of doing so, is "back up", whereas the noun and adjective form is "backup". Backups can be used to recover data after its loss from data deletion or corruption, or to recover data from an earlier time. Backups provide a simple form of disaster recovery; however not all backup systems are able to reconstitute a computer system or other complex configuration such as a computer cluster, active directory server, or database server.

Computer forensics is a branch of digital forensic science pertaining to evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the digital information.

Disk cloning is the process of duplicating all data on a digital storage drive, such as a hard disk or solid state drive, using hardware or software techniques. Unlike file copying, disk cloning also duplicates the filesystems, partitions, drive meta data and slack space on the drive. Common reasons for cloning a drive include; data backup and recovery; duplicating a computer's configuration for mass deployment and for preserving data for digital forensics purposes. Drive cloning can be used in conjunction with drive imaging where the cloned data is saved to one or more files on another drive rather than copied directly to another drive.

In computing, a file system or filesystem governs file organization and access. A local file system is a capability of an operating system that services the applications running on the same computer. A distributed file system is a protocol that provides file access between networked computers.

The National Software Reference Library (NSRL), is a project of the National Institute of Standards and Technology (NIST) which maintains a repository of known software, file profiles and file signatures for use by law enforcement and other organizations involved with computer forensic investigations. The project is supported by the United States Department of Justice's National Institute of Justice, the Federal Bureau of Investigation (FBI), Defense Computer Forensics Laboratory (DCFL), the U.S. Customs Service, software vendors, and state and local law enforcement. It also provides a research environment for computational analysis of large sets of files.

In computing, data recovery is a process of retrieving deleted, inaccessible, lost, corrupted, damaged, or formatted data from secondary storage, removable media or files, when the data stored in them cannot be accessed in a usual way. The data is most often salvaged from storage media such as internal or external hard disk drives (HDDs), solid-state drives (SSDs), USB flash drives, magnetic tapes, CDs, DVDs, RAID subsystems, and other electronic devices. Recovery may be required due to physical damage to the storage devices or logical damage to the file system that prevents it from being mounted by the host operating system (OS).

In evidence law, digital evidence or electronic evidence is any probative information stored or transmitted in digital form that a party to a court case may use at trial. Before accepting digital evidence a court will determine if the evidence is relevant, whether it is authentic, if it is hearsay and whether a copy is acceptable or the original is required.

Venti is a network storage system that permanently stores data blocks. A 160-bit SHA-1 hash of the data acts as the address of the data. This enforces a write-once policy since no other data block can be found with the same address: the addresses of multiple writes of the same data are identical, so duplicate data is easily identified and the data block is stored only once. Data blocks cannot be removed, making it ideal for permanent or backup storage. Venti is typically used with Fossil to provide a file system with permanent snapshots.

<span class="mw-page-title-main">Digital forensics</span> Branch of forensic science

Digital forensics is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and computer crime. The term "digital forensics" was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

TestDisk is a free and open-source data recovery utility that helps users recover lost partitions or repair corrupted filesystems. TestDisk can collect detailed information about a corrupted drive, which can then be sent to a technician for further analysis. TestDisk supports DOS, Microsoft Windows, Linux, FreeBSD, NetBSD, OpenBSD, SunOS, and MacOS. TestDisk handles non-partitioned and partitioned media. In particular, it recognizes the GUID Partition Table (GPT), Apple partition map, PC/Intel BIOS partition tables, Sun Solaris slice and Xbox fixed partitioning scheme. TestDisk uses a command line user interface. TestDisk can recover deleted files with 97% accuracy.

Anti-computer forensics or counter-forensics are techniques used to obstruct forensic analysis.

<span class="mw-page-title-main">EnCase</span>

EnCase is the shared technology within a suite of digital investigations products by Guidance Software. The software comes in several products designed for forensic, cyber security, security analytics, and e-discovery use. EnCase is traditionally used in forensics to recover evidence from seized hard drives. It allows the investigator to conduct in-depth analysis of user files to collect evidence such as documents, pictures, internet history and Windows Registry information.

A forensic disk controller or hardware write-block device is a specialized type of computer hard disk controller made for the purpose of gaining read-only access to computer hard drives without the risk of damaging the drive's contents. The device is named forensic because its most common application is for use in investigations where a computer hard drive may contain evidence. Such a controller historically has been made in the form of a dongle that fits between a computer and an IDE or SCSI hard drive, but with the advent of USB and SATA, forensic disk controllers supporting these newer technologies have become widespread. Steve Bress and Mark Menz invented hard drive write blocking.

In computing, data deduplication is a technique for eliminating duplicate copies of repeating data. Successful implementation of the technique can improve storage utilization, which may in turn lower capital expenditure by reducing the overall amount of storage media required to meet storage capacity needs. It can also be applied to network data transfers to reduce the number of bytes that must be sent.

Forensic Toolkit, or FTK, is a computer forensics software originally developed by AccessData, an Exterro company. It scans a hard drive looking for various information. It can, for example, potentially locate deleted emails and scan a disk for text strings to use them as a password dictionary to crack encryption.

Mobile device forensics is a branch of digital forensics relating to recovery of digital evidence or data from a mobile device under forensically sound conditions. The phrase mobile device usually refers to mobile phones; however, it can also relate to any digital device that has both internal memory and communication ability, including PDA devices, GPS devices and tablet computers.

The digital forensic process is a recognized scientific and forensic process used in digital forensics investigations. Forensics researcher Eoghan Casey defines it as a number of steps from the original incident alert through to reporting of findings. The process is predominantly used in computer and mobile forensic investigations and consists of three steps: acquisition, analysis and reporting.

Gates Rubber Company v. Bando Chemical Industries, Ltd., et al. is a decision by the U.S. district court for the District of Colorado from May 1, 1996. It is considered a landmark decision in terms of expert witness court testimony in questions of electronic evidence and digital forensics.

References

1 2 Maarten Van Horenbeeck (24 May 2006). "Technology Crime Investigation". Archived from the original on 17 May 2008. Retrieved 17 August 2010.
1 2 3 4 Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4 . Retrieved 27 August 2010.
1 2 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.
↑ SANS Institute (2003). "Steganalysis: Detecting hidden information with computer forensic analysis" . Retrieved 7 June 2012.
↑ Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 978-0-07-162677-4 . Retrieved 27 August 2010.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[horenbeeck-1] 1 2 Maarten Van Horenbeeck (24 May 2006). "Technology Crime Investigation". Archived from the original on 17 May 2008. Retrieved 17 August 2010.

[handbook-2] 1 2 3 4 Various (2009). Eoghan Casey (ed.). Handbook of Digital Forensics and Investigation. Academic Press. p. 567. ISBN 978-0-12-374267-4 . Retrieved 27 August 2010.

[casey-3] 1 2 Casey, Eoghan (2004). Digital Evidence and Computer Crime, Second Edition. Elsevier. ISBN 0-12-163104-4.

[steganography-4] SANS Institute (2003). "Steganalysis: Detecting hidden information with computer forensic analysis" . Retrieved 7 June 2012.

[exposed-5] Aaron Phillip; David Cowen; Chris Davis (2009). Hacking Exposed: Computer Forensics. McGraw Hill Professional. p. 544. ISBN 978-0-07-162677-4 . Retrieved 27 August 2010.

[1]

[2]

[3]

[4]

[5]

v t e Digital forensics
Branches	Computer forensics Mobile device forensics Network forensics Database forensics Software forensics
Hardware	Forensic disk controller
Software	ADF Solutions Digital Evidence Investigator EnCase Foremost FTK PTK Forensics The Sleuth Kit The Coroner's Toolkit COFEE HashKeeper Xplico
Certification	Certified Forensic Computer Examiner (CFCE) Global Information Assurance Certification
Processes	Digital forensic process Data acquisition Digital evidence eDiscovery Anti–computer forensics
Organisations	National Software Reference Library Department of Defense Cyber Crime Center National Hi-Tech Crime Unit (NHTCU) Australian High Tech Crime Centre (AHTCC)
People	Mary Aiken Annie Antón Rebecca Bace Josh Brunty Eoghan Casey Hany Farid Simson Garfinkel Clifford Stoll Robert Zeidman
Glossary of digital forensics terms

Contents

A

C

D

E

H

I

L

S

U

V

W

Related Research Articles

References