AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

Forensic Terms

This page is meant to serve as a forensic terminology reference guide for the community on potential definitions, both layman and technical, as well as analogies and potential courtroom explanations for juries.  This website and its writers claim no responsibility for incorrect definitions and gladly welcome end user input.

Each entry gives the term, followed by its Layman definition, Technical definition, Forensic Implication, and Analogy where the page provides them.

Bot
Layman: A computer infected with malicious software that responds to commands from a central controller or malicious user. Infection can occur when a user unknowingly is infected with malware that runs autonomously and automatically receives commands from a common command and control infrastructure.

Botnet
Layman: A networked collection of compromised computers infected with malicious software that responds to commands from a central controller or malicious user. Infection can occur when a user unknowingly is infected with malware that then runs autonomously and automatically receives commands from a common command and control infrastructure.

Browser
Layman: A software application used for interacting with resources on the Internet.
Forensic Implication: Each browser (Firefox, Internet Explorer, Chrome, Opera, etc.) stores cookies, Internet history, Internet cache, and potentially passwords for websites in different locations on a hard drive that an examiner must be aware of.

Cloud Computing
Layman: The use of remote computers, via the Internet, for purposes of storage, software hosting, or other services.
Forensic Implication: Data may be stored in an off-site location or across multiple storage devices.

Computer Forensics
Layman: The analysis of information contained by and created within computer systems in support of answering four objectives: what happened, when did it happen, how did it happen, and who was involved.
Technical: Adheres to a strict chain of custody, seeks to preserve original evidence, and uses forensically sound, repeatable, and defensible principles for purposes of presenting digital evidence in a court of law.

Corrupt File
Layman: A file that contains unrecoverable data.
Technical: A file that contains errors that may have occurred during writing, reading, storage, transmission, or processing of the data, which introduced unintended changes. The file can no longer be read by the software designed to interpret it.

Deleted File
Layman: A file that has been marked as no longer existing by the operating system. The actual file is not overwritten as part of the deletion process, but rather is no longer "seen" by the operating system.
Forensic Implication: Files marked as deleted, but not yet overwritten with new data, can be recovered.

Disk Image
Layman: A single logical file (bit-for-bit copy) containing the complete contents and structure (including slack and free space) of an original piece of evidence.
Forensic Implication: Allows a forensic examiner to work off a forensically sound copy of the original evidence without risk of compromising or altering the original evidence itself.

Encryption
Layman: The process of converting data using a mathematical algorithm (called a cipher) to make it unreadable without the password (decryption key).
Technical: There are two types of encryption: symmetric (same key to encrypt/decrypt) and asymmetric (separate keys for encrypt/decrypt).
Forensic Implication: If data is encrypted, it may never be readable without the password.

File Carving
Layman: The process of reassembling data from fragments found in drive free space (unallocated).
Technical: An examiner can use the file carving option in FTK to pull embedded images out of document files.
Forensic Implication: File carving can pull standalone files out of container files, which may otherwise be missed if the container is not fully inspected by an examiner.

File Residue
Layman: Data that remains behind after a file (data) has been deleted.
Forensic Implication: Exists in drive free space (unallocated) where the OS does not see it, but digital forensic tools can.

File Signature vs. File Extension
Layman: File signatures can reveal the true file type of a file if an extension is missing or has been modified, whereas a file's extension can be manipulated in an attempt to conceal contents.
Technical: A file signature is a few bytes, usually located at the beginning of a file, intended to identify or verify the content of a file, versus a file extension, which is a short series of letters and/or numbers after the file name used to indicate the type of file and the software that will be required to execute/open the file.
Forensic Implication: An end user can change a file's extension to fool the OS, but forensic tools read the file's signature to correctly determine the file type.
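The signature-versus-extension check described above, as an added example that is not code from the original page: the magic-byte table and the sample files are constructed for illustration and cover only a handful of formats.

```python
# Added example (not from AboutDFIR.com): compare a file's extension with the
# signature (magic bytes) at its start.  Sample files are constructed in memory.
import os

# (magic bytes, offset, canonical type); a real tool carries a much larger table.
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, "jpg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"%PDF-", 0, "pdf"),
    (b"PK\x03\x04", 0, "zip"),  # DOCX/XLSX/JAR/APK are ZIP containers
    (b"MZ", 0, "exe"),          # Windows PE files begin with the DOS "MZ" stub
]
# Extensions that legitimately share a signature with the canonical type.
ALIASES = {"jpeg": "jpg", "docx": "zip", "xlsx": "zip", "pptx": "zip",
           "jar": "zip", "apk": "zip", "dll": "exe", "sys": "exe"}


def signature_type(data):
    """Return the type implied by the leading bytes, or None if unknown."""
    for magic, offset, ftype in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def classify(filename, data):
    """Report extension, signature type and whether the two disagree."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    actual = signature_type(data)
    return {
        "file": filename,
        "extension": ext or None,
        "signature": actual,
        # Only a known signature can contradict the extension; an unknown
        # signature is a separate finding that needs manual inspection.
        "mismatch": actual is not None and ALIASES.get(ext, ext) != actual,
    }


# Constructed sample content: headers only, the bodies do not matter here.
SAMPLES = {
    "vacation.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,  # honest JPEG
    "notes.txt": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,     # JPEG renamed to .txt
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,         # OOXML is a ZIP: no mismatch
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 16,         # executable posing as PDF
    "unknown.bin": b"\x00\x01\x02\x03",                  # no known signature
}

if __name__ == "__main__":
    for name, content in SAMPLES.items():
        print(classify(name, content))
```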
File Slack
Layman: In many file systems, each file always starts at the beginning of a container called a cluster, because this simplifies organization and makes it easier to grow files. Any space left over between the end of the file (its last byte) and the beginning of the next cluster (the next cluster's first byte) is known as file slack. File slack is a term that represents the total slack space in a file.
Analogy: A bucket of water holding four gallons (i.e., 4Kb), or a video tape with information at the end of the video.

Firehose Programmer
Layman: A piece of software that allows one full read/write access to flash memory on a mobile device.
Technical: A piece of software containing raw flash read/write functionality. Firehose programmers can be digitally signed with a vendor signature (i.e., Samsung, LG, etc.) that is verified by the device. EDL Mode accepts and verifies the firehose programmer, which must match both the hardware and the signature requirement. Firehose programmers are typically device specific, so the programmer must match the model and device manufacturer.

Forensically Prepared
Layman: A process in which media is completely overwritten with a known character so that prior data can no longer exist.

Free Space
Layman: Space that is not currently allocated to a file and is available to be written to.

Hash
Layman: The result of a mathematical procedure (calculation or hash algorithm) that generates a unique fixed-length value based on input data, such as a string of text, an electronic file, or even the entire contents of a hard drive.
Forensic Implication: A forensic examiner can use the resulting hash to verify that an image is a forensically sound copy of the original or that a copied file is an identical match of its original.
Analogy: A hash is like the human fingerprint; it is a proven unique method for identifying data.

Indexed Search vs. Non-Indexed Search
Layman: An indexed search searches against an indexed listing of data to facilitate fast and accurate information retrieval, versus a non-indexed search, which searches data line-by-line or file-by-file.
Forensic Implication: With an indexed search, the initial indexing takes time, but subsequent searches are much faster; a non-indexed search is slower because all data is searched from start to finish each time.

Logical Copy
Layman: A copy process whereby the underlying physical file system structure and deleted files are ignored by the copy process.
Forensic Implication: Deleted files or previously overwritten data will not be copied.

Physical Copy
Layman: An exact clone (bit-for-bit copy) wherein the underlying physical file system structure is copied, including deleted files, free space, and slack space, resulting in an exact duplicate of the original.
Forensic Implication: All data will be replicated.

Logicube
Layman: A company that sells hard drive duplicators and computer forensic systems, and more specifically the name of a device that the FBI uses to make dd images of hard drives (IDE and SATA). A Logicube can also be used to forensically wipe a drive, and is portable and lightweight.

Message Digest Algorithm (MD5)
Layman: A mathematical algorithm used to verify data integrity through the creation of a 128-bit value, represented as a unique 32-character string. It is as unique to that specific data as a fingerprint is to a specific individual. MD5 is a standard and, according to the standard, it is "computationally infeasible" that any two sets of data, unless identical, could have the same output.
Technical: MD5 is a cryptographic function that produces a 128-bit, 32-character hexadecimal hash value to uniquely identify a piece of data.
Forensic Implication: MD5 is one of the methods that the FBI uses to uniquely identify data and to verify that original data is not altered after an examination. An MD5 tool calculates a value from the contents of the media, and if even a single period has been added or taken away, the MD5 will calculate a differing value from the original.

Metadata
Layman: Descriptive information about another set of data. The prefix meta means self-referring.
Forensic Implication: Metadata may contain personally identifiable information, such as, in the example of a document, a name or an author's comment, and in the example of a digital photograph, the model of the camera or the GPS coordinates where the picture was taken.
Analogy: Like a card catalog in a library.

National Child Victim Identification Program (NCVIP)
Layman: The world's largest database of child pornography data sets, maintained for the purpose of identifying victims of child abuse by the Child Exploitation and Obscenity Section of the DOJ and the National Center for Missing and Exploited Children (NCMEC).

National Software Reference Library (NSRL)
Layman: A DOJ-supported project designed to collect software from various sources and incorporate file profiles computed from that software into hash sets for the purpose of excluding known good, non-evidentiary files.

Recovered File
Layman: A file that has been recovered from unallocated space after being deleted or lost. When a file is deleted, it is not immediately overwritten; rather, its entry in the file system's index (MFT or FAT) is marked, so the actual data persists until overwritten with new data. Until this occurs, the file may be recovered.
Forensic Implication: Deleted data may be recovered, and partially overwritten data may be recovered or reconstructed.

Registry
Layman: A hierarchical database that stores configuration data for installed and previously installed software as well as the Windows operating system.
Forensic Implication: It can contain user-specified software settings as well as passwords, Internet browser history, date, time and time zone information, etc.

Secure Hash Algorithm (SHA1)
Technical: SHA1 is a cryptographic function that produces a 160-bit, 40-character hexadecimal hash value to uniquely identify a piece of data.
Forensic Implication: SHA1 is one of the methods that the FBI uses to uniquely identify data and to verify that original data is not altered after an examination. A SHA1 tool calculates a value from the contents of the media, and if even a single period has been added or taken away, the SHA1 will calculate a differing value from the original.
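The verification workflow that the Hash, MD5 and SHA1 entries describe, as an added example that is not code from the original page: it hashes a constructed in-memory image at acquisition time and again later, and reports whether any byte changed. SHA-256 is included alongside MD5 and SHA1 because practical collisions have been demonstrated for both older algorithms, so examiners commonly record a stronger hash as well.

```python
# Added example (not from AboutDFIR.com): verify that a disk image still matches
# the digests recorded at acquisition.  The "image" is constructed in memory.
import hashlib
import io

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so large images need not fit in RAM
# MD5 and SHA1 are the algorithms the page describes; SHA-256 is added because
# practical collisions exist for both older algorithms.
ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, algorithms=ALGORITHMS):
    """Read the stream once and feed every chunk to every hash algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_image(data):
    """Digests of an in-memory image; on disk you would pass an open file."""
    return hash_stream(io.BytesIO(data))


def verify_image(data, recorded):
    """Compare fresh digests with the recorded ones, per algorithm and overall.

    Every recorded algorithm must match for the image to count as intact; an
    empty record verifies nothing and is reported as not intact.
    """
    current = hash_image(data)
    results = {name: current.get(name) == digest for name, digest in recorded.items()}
    results["intact"] = bool(recorded) and all(results.values())
    return results


# Constructed 8 KiB image: a fake DOS boot-sector header followed by filler.
ORIGINAL = b"\xEB\x3C\x90MSDOS5.0" + b"\x00" * (8192 - 11)
# The same image with a single byte changed, the alteration hashing must catch.
TAMPERED = ORIGINAL[:4096] + b"\x01" + ORIGINAL[4097:]

if __name__ == "__main__":
    acquisition = hash_image(ORIGINAL)  # recorded by the examiner at imaging time
    print("original:", verify_image(ORIGINAL, acquisition))
    print("tampered:", verify_image(TAMPERED, acquisition))
```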
Wiped Drive
Layman: A drive that has been completely overwritten, from start to finish, with a known character, which is usually a zero or the letter "F."
Forensic Implication: A wiped drive cannot possibly contain data from another source.

Write Protected
Layman: The process of protecting data so that new data cannot be added, nor can existing data be altered or erased.
Forensic Implication: Allows for protection of original or best evidence from alteration.