This page is meant to serve as a forensic terminology reference guide for the community on potential definitions, both layman and technical, as well as analogies and potential courtroom explanations for juries. This website and its writers claim no responsibility for incorrect definitions and gladly welcome end user input.
Term | Layman | Technical | Forensic Implication | Analogy |
---|---|---|---|---|
Computer Forensics | ...is the analysis of information contained by and created within computer systems in support of answering four objectives: (what) happened, (when) did it happen, (how) did it happen, and (who) was involved. | ...adheres to a strict chain-of-custody, seeks to preserve original evidence, and uses forensically sound, repeatable, and defensible principles for purposes of presenting digital evidence in a court of law. | | |
Corrupt File | ...is a file that contains unrecoverable data. | ...is a file that contains errors that may have occurred during writing, reading, storage, transmission, or processing of the data which introduced unintended changes. This will not allow the file to be read by the software designed to interpret it. | | |
File Carving | ...is the process of reassembling data from fragments found in drive free space (unallocated). | ...an Examiner can use a file carving option in FTK to pull embedded images out of document files. | File carving can pull standalone files out of container files which may be missed individually if not fully inspected by an examiner. | |
Deleted File | ...is a file that has been marked as no longer existing by the operating system. The actual file is not overwritten as part of the deletion process, but rather is no longer “seen” by the Operating System. | | ...is that files marked as deleted, but not yet overwritten with new data, can be recovered. | |
Encryption | ...is the process of converting data using a mathematical algorithm (called a cipher) to make it unreadable without the password (decryption key). | ...there are two types of encryption: symmetric (same key to encrypt/decrypt) and asymmetric (separate keys for encrypt/decrypt). | ...is that if data is encrypted, it may not ever be readable without the password. | |
File Residue | ...is data that remains behind after a file (data) has been deleted. | ...exists in drive free space (unallocated) where the OS does not see it, but Digital Forensic tools can. | | |
File Slack | In many file systems, each file always starts at the beginning of a container called a cluster because this simplifies organization and makes it easier to grow files. Any space left over between the end of the file (last byte of the file) and the beginning of the next cluster (first byte of the next cluster) is known as file slack. File slack is a term that represents the total slack space in a file. | | | Bucket of water holding four gallons (i.e., 4Kb)...or video tape with information at the end of the video. |
File Signature vs File Extension | File signatures can reveal the true file type of a file if an extension is missing or has been modified, while a file’s extension can be manipulated in an attempt to conceal contents. | ...is a few bytes, usually located at the beginning of a file, intended to identify or verify the content of a file, versus a file extension, which is a short series of letters and/or numbers after the file name, used to indicate the type of file and the software that will be required to execute/open the file. An end user can change a file’s extension to fool the OS, but forensic tools read the file’s signature to correctly determine the file type. | | |
Forensically Prepared | ...is a process in which media is completely overwritten with a known character so that prior data can no longer exist. | | | |
Free Space | ...is space that is not currently allocated to a file and is available to be written to. | | | |