This page is meant to serve as a forensic terminology reference guide for the community on potential definitions, both layman and technical, as well as analogies and potential courtroom explanations for juries. This website and its writers claim no responsibility for incorrect definitions and gladly welcome end user input.
| # | Term | Type | Definition |
|---|------|------|------------|
| 1 | Computer Forensics | Layman | ...is the analysis of information contained by and created within computer systems in support of answering four objectives: (what) happened, (when) did it happen, (how) did it happen, and (who) was involved. |
| 2 | Computer Forensics | Technical | ...adheres to a strict chain-of-custody, seeks to preserve original evidence, and uses forensically sound, repeatable, and defensible principles for purposes of presenting digital evidence in a court of law. |
| 3 | Corrupt File | Layman | ...is a file that contains unrecoverable data. |
| 5 | Corrupt File | Technical | ...is a file that contains errors that may have occurred during writing, reading, storage, transmission, or processing of the data and that introduced unintended changes. These errors prevent the file from being read by the software designed to interpret it. |
| 6 | Deleted File | Layman | ...is a file that has been marked as no longer existing by the operating system. The actual file is not overwritten as part of the deletion process, but rather is no longer “seen” by the operating system. |
| 7 | Deleted File | Technical | In a FAT-based OS, the OS replaces the first character of a deleted file’s name with the hex code 0xE5. In an MFT-based OS, the OS deletes a file by removing its MFT entry and by marking the file’s associated clusters as free within the $Bitmap metafile. |
| 8 | Deleted File | Forensic Implication | ...is that files marked as deleted, but not yet overwritten with new data, can be recovered. |
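
To make the FAT case in the Deleted File entries concrete, the following added example (not part of the original page) scans a raw FAT directory for entries whose first name byte is 0xE5 and reports the metadata that survives deletion. It assumes the standard 32-byte FAT short-name directory entry layout; the function names and the sample directory are constructed for illustration.

```python
import struct

ENTRY_SIZE = 32          # size of one FAT directory entry
DELETED_MARKER = 0xE5    # first name byte of a deleted entry
END_OF_DIR = 0x00        # first name byte of the first never-used entry
ATTR_LONG_NAME = 0x0F    # attribute value of a long-file-name entry
LAYOUT = "<8s3sB8xHHHHI"  # name, ext, attr, (skipped), clus-hi, time, date, clus-lo, size

def make_entry(name, ext, cluster, size, deleted=False):
    """Build one constructed short-name entry (hypothetical demo helper)."""
    raw = bytearray(struct.pack(LAYOUT, name.ljust(8).encode("ascii"),
                                ext.ljust(3).encode("ascii"), 0x20,
                                cluster >> 16, 0, 0, cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED_MARKER  # deletion overwrites byte 0 only
    return bytes(raw)

def find_deleted_entries(directory):
    """Return the metadata still present in entries marked as deleted."""
    found = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == END_OF_DIR:
            break                       # no entries were ever written past here
        name, ext, attr, hi, _time, _date, lo, size = struct.unpack(LAYOUT, entry)
        if entry[0] != DELETED_MARKER or (attr & 0x3F) == ATTR_LONG_NAME:
            continue                    # live entry, or a long-name fragment
        # The first character is lost; the rest of the name is intact.
        stem = "?" + name[1:].decode("ascii", "replace").rstrip()
        suffix = ext.decode("ascii", "replace").rstrip()
        found.append({"offset": off,
                      "name": f"{stem}.{suffix}" if suffix else stem,
                      "first_cluster": (hi << 16) | lo,
                      "size": size})
    return found

# Constructed sample directory: one live file, one deleted long-name fragment,
# one deleted file, then the end-of-directory entry.
SAMPLE_DIR = (make_entry("README", "TXT", 3, 512)
              + bytes([DELETED_MARKER]) + bytes(10) + bytes([ATTR_LONG_NAME]) + bytes(20)
              + make_entry("SECRET", "DOC", 5, 1234, deleted=True)
              + bytes(ENTRY_SIZE))

if __name__ == "__main__":
    for hit in find_deleted_entries(SAMPLE_DIR):
        print(hit)
```

The starting cluster and size remain in the entry, which is why content can be recovered as long as those clusters have not been reused.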