Computer Forensics Louisiana :: PC Recovery Digital Forensics

Formal nomenclature for user action(s) not in accordance with organizational policy or law. Actions falling outside, or explicitly proscribed by, acceptable use policy.

A judicious and carefully considered assessment by the appropriate authority that a business, computing activity or network meets the minimum requirements of applicable security directives. The assessment should take into account the value of assets; threats and vulnerabilities; countermeasures; and operational requirements.

De facto nomenclature for documented standards and/or guidance on usage of information systems and networked assets.

The ability to enter a secured area. The process of interacting with an access control system and being permitted access

Permission granted to users, programs or workstations.

A set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access.

In Windows, an internal security card that is generated when users log on. It contains the security IDs (SIDs) for the user and all the groups to which the user belongs. A copy of the access token is assigned to every process launched by the user.

The principle that individuals using a facility or a computer system must be identifiable. With accountability, violations or attempted violations of system security can be traced to individuals who can then be held responsible.

A program whereby a laboratory demonstrates that it is operating under accepted standards to ensure quality assurance. Passing ISO 9000 is called Accredited Certification

The stage in a computer forensic investigation where data is collected. Most often, this is done by making bit-by-bit copies of the hard disk/media.

Begins when information or physical items are collected or stored for examination purposes. The term ‘evidence’ implies that the collector of evidence is recognized by the courts. The process of collecting is also assumed to be a legal process and appropriate for rules of evidence in that locality. A data object or physical item only becomes evidence when so deemed by a law enforcement official or designee.

Data on a computer that is not deleted and is visible to the Operating System under normal use.

The term address is used in several ways. An Internet address or IP address is a unique computer (host) location on the Internet. A Web page address is expressed as the defining directory path to the file on a particular server. A Web page address is also called a Uniform Resource Locator, or URL. An e-mail address is the location of an e-mail user (expressed by the user's e-mail name followed by an "at" sign (@) followed by the user's server domain name.

A protocol used to map a computer network address (IP address) to a hardware address (MAC address).

A formal notification that an incident has occurred which may develop into a disaster.

A mathematical procedure that solves a recurrent problem.

Data on a drive that has not been deleted or written over.

The smallest unit of storage (number of sectors) that can be allocated by the Operating System to store data. The size of an allocation unit varies depending on the Operating System and size of the disk.

Ambient data is information that lies in areas not generally accessible to the user. This data lies in file slack, unallocated clusters, virtual memory files and other areas not allocated to active files. This is a forensic term that describes, in general terms, data stored in non-traditional computer storage areas and formats. The term was coined in 1996 to help students understand computer-evidence-processing techniques that deal with ev-idence not stored in standard computer files, formats, and storage areas. The term is now widely used in the computer forensics community and it generally describes data stored in the Windows swap file, unallocated space, and file slack.

To look at the results of an examination for its significance and probative value to the case.

A key part of the Linux file system that contains UIDs, GIDs, modification, access, creation times, and file locations.

A label for the class of intrusion-detection tactics that seek to identify potential intrusion attempts by virtue of their being (presumably) sufficiently deviant (anomalous) in comparison with expected or authorized activities. Phrased another way, anomaly detection begins with a positive model of expected system operations and flags potential intrusions on the basis of their deviation (as particular events or actions) from this presumed norm.

Allows visitors to upload and/or download predetermined files from designated directories without usernames or passwords. For example, distribute your latest software package by allowing visitors to download it through anonymous FTP. This is different than a regular FTP account

Software that detects, repairs, cleans, or removes virus-infected files from a computer.

Software that performs a specific function or a more technical term for program.

Application-specific data. The contents of the data stored in this directory are determined by the software vendor.

One form of a firewall in which valid application-level data must be checked or confirmed before allowing a connection. In the case of an ftp connection, the application gateway appears as an ftp server to the client and an ftp client to the server.

After processing discovery materials, an archive is created for each case.

A file that contains other files (usually compressed files). It is used to store files that are not used often or files that have been stored on a server or other location in this form to save space.

A file carried with an e-mail.

Examination and/or assessment of actions and records to ensure compliance with policies and operational procedures. If problems are found, recommendations are made to change policies or procedures. The independent examination of records to access their veracity and completeness.

In computer security systems, a chronological record of when users log-in, how long they are engaged in various activities, what they were doing, and whether any actual or attempted security violations occurred. An automated or manual set of chronological records of system activities that may enable the reconstruction and examination of a sequence of events and/or changes in an event.

Acceptable use policy

The process of establishing the legitimacy of a user (or node) before allowing access to requested information. An example is for the user to enter a name or account number (identification) and password (authentication).

The processes of determining what types of activities are permitted. Usually, authorization is in the context of authentication. Once you have authenticated a user, the user may be authorised different type of access or activity.

Ensuring that authorized users have access to information and associated assets when required.

B*-tree A file system used by the Mac OS that consists of nodes, which are objects, and leaf nodes, which contain data.

A hole in the security of a computer system deliberately left in place by designers or maintainers. Synonymous with trap door. A hidden software or hardware mechanism used to circumvent security controls. A breach created intentionally for the purpose of collecting, altering, or destroying data.

Either the act of creating a duplicate copy of working programs and data or the actual copy of programs and data, used for disaster recovery. Ideally, such copies are stored off site.

The ability to recreate current master files using appropriate prior master records and transactions.

In the Linux, file system, the anode that tracks the bad sectors on a drive.

An established standard for measurement or comparison.

In a big-endian system, the most significant value in the sequence is stored at the lowest storage address (i.e., first). Many mainframe computers, particularly IBM mainframes, use a big-endian architecture. Most modern computers, including PCs, use the little-endian system. The terms big endian and little endian are derived from the Lilliputians of Gulliver’s Travels, whose major political issue was whether soft-boiled eggs should be opened on the big side or the little side.

The Basic Input Output System of a PC. This is usually a number of machine code routines that are stored in ROM and available for execution at boot time. The "boot strap loader" is contained in ROM and is the first code to execute when the computer is turned on. The BIOS contains commands for reading the physical disks sector by sector.

A measurement of data. A bit is either the one or zero component of the binary code.

A bit-by-bit copy of the data on the original storage media.

The file used to store the bit-stream copy.

A representation of a graphics image in a grid format.

A marker or address that identifies a specific place or location for subsequent retrieval.

To start up a computer. Because the computer gets itself up and going from an inert state, it could be said to lift itself up ‘by its own bootstraps’—this is where the term ‘boot’ originates.