Glossary of Computer Forensics Terms

Boot disk

The magnetic disk (usually a hard disk) from which an operating system kernel is loaded (or ‘bootstrapped’). MS-DOS and Microsoft® Windows® can be configured (in the BIOS) to try to boot off either floppy disk or hard disk, in either order (and on some modern systems even from CD or other removable media). A special floppy boot disk (often called a ‘System Rescue Disk’) can be created, which will allow your computer to boot even if it cannot boot from the hard disk.

Boot record

Once the BIOS determines which disk to boot from, it loads the first sector of that disk into memory and executes it. Besides this loader program, the Boot Record contains the partition table for that disk.


To load and initialize the operating system on a computer. Often abbreviated to ‘boot’.


Any prohibited penetration or unauthorized access to a computer system that causes damage or has the potential to cause damage.


A device attached to a network cable to connect two like topologies.


Short for Web Browser. A software application used to locate and display Web pages. The two most popular browsers are Netscape Navigator and Microsoft Internet Explorer. Both of these are graphical browsers, which means that they can display graphics as well as text. In addition, most modern browsers can present multimedia information, including sound and video, although they require plug-ins for some formats.


An area of memory, often referred to as a ‘cache’ used to speed up access to devices. It is used for temporary storage of data read from or waiting to be sent to a device such as a hard disk, CD-ROM, printer, or tape drive.

Buffer Overflow

A buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited.


Slang for making (burning) a CD-ROM copy of data, whether it is music, software, or other data.


A set of conductors (wires or connectors in an integrated circuit) connecting the various functional units in a computer. There are busses both within the CPU and connecting it to external memory and peripheral devices. The bus width (i.e., the number of parallel connectors) is one factor limiting a computer's performance.


In most computer systems, a byte is a unit of data generally consisting of 8 bits. A byte can represent a single character, such as a letter, a digit, or a punctuation mark.


A cache (pronounced ‘cash’) is a place to store something more or less temporarily. Two common types of cache are cache memory and a disk cache.


To either locate a deleted file in its entirety or through fragments by searching for any occurrence of the known file’s header information.


An area the Macintosh file system uses to maintain the relationships between files and directories on a volume.

Chain of Custody

The identity of persons who handle evidence between the time of commission of the alleged offence and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time that they are in his or her possession, that they are properly protected, and that there is a record of the names of the persons from whom he or she received them and to whom he or she delivered them, together with the time and date of such receipt and delivery.


Alternative term for an encryption algorithm.


The term given to the operation of creating an exact duplicate of one medium on another like medium. This is also referred to as a mirror image or physical sector copy.


In the Macintosh file system, a contiguous allocation block. Clumps are used to keep file fragmentation to a minimum.


An elementary unit of allocation of a disk made up of one or more physical blocks. A file is made up of a whole number of possibly non-contiguous clusters. The cluster size is a trade-off between space efficiency (the bigger the cluster, the bigger on average the wasted space at the end of each file) and the length of the FAT.


A cluster is a group of sectors in a logical volume that is used to store files and folders. Clusters must contain a number of sectors that is a power of 2 (i.e. 2, 4, 8, 16, etc.). DOS maintains information about each cluster in the File Allocation Table (FAT). NTFS partitions store that same information in the file extents tables and the volume bitmap. EXT2 partitions store the information in the Inode Tables and Block Bitmaps. CDs usually have un-fragmented file extents, so there is no need for a cluster bitmap or a FAT.


Complementary Metal Oxide Semi-conductor. A part of the motherboard that maintains system variables in static RAM. It also supplies a real-time clock that keeps track of the date, day and time. CMOS Setup is typically accessible by entering a specific sequence of keystrokes during the POST at system start-up.

Cold boot

Starting or restarting a computer by turning on the power supply. See also warm boot.

Compact disk — recordable

A disk to which data can be written but not erased.

Compact disk — rewritable

A disk to which data can be written and erased.

Compact flash card

A form of storage media, commonly used in digital personal organizers and cameras but can be used in other electronic devices including computers.

Compressed file

A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. The most common compression utilities are ZIP, Stuffit and RAR.

Computer forensics

The term "computer forensics" was coined in 1991 in the first training session held by the International Association of Computer Specialists (IACIS) in Portland, Oregon. Like any other forensic science, computer forensics deals with the application of law to a science. In this case, the science involved is computer science and some refer to it as forensic computer science. Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact. Computer Forensics deals with the preservation, identification, extraction, and documentation of computer evidence. Like any other forensic science, computer forensics involves the use of sophisticated technology tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

Computer generated records

Data that is generated by the computer such as system log files or proxy server logs.

Computer Incident Response Team

A group of technical investigators and security engineers that responds to and investigates computer security incidents.

Computer investigations

Computer investigations rely on evidence stored as data and the timeline of dates and times that files were created, modified, and/or last accessed by the computer user. Timelines of activity can be especially helpful when multiple computers and individuals are involved in the commission of a crime.

Computer security

Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.

Computer security incident

An adverse event wherein some aspect of a computer system is threatened, for example: loss of data confidentiality, disruption of data or system integrity, and disruption or denial of availability.

Computer stored records

Digital files that are generated by a person.

Computing forensic laboratory

A computer laboratory that is dedicated to computing investigations, and typically has a variety of computers, OSs, and forensic software.


A message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies is to acquire information, identify users and possibly prepare customized Web pages for them. The term "cookie" derives from UNIX objects called magic cookies. These are tokens that are attached to a user or program and change, depending on the areas entered by the user or program.


An accurate reproduction of information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction.

CPU, Central Processing Unit

The part of a computer system that does the actual ‘thinking’ or information processing of the computer. A programmable logic device that performs all the instruction, logic, and mathematical processing in a computer. Sometimes CPU is used to distinguish between the box housing the computer guts under the desk and the monitor that sits on the desk.


A sudden, usually drastic failure of a computer system. Can be said of the operating system or a particular program when there is a software failure (‘the system has crashed’). In addition, a disk drive can crash because of hardware failure (‘the disk has crashed’).

Cryptographic checksum

A one-way function applied to a file to produce a unique ‘fingerprint’ of the file for later reference. Checksum systems are a primary means of detecting file system tampering on UNIX.


The art of protecting information by transforming it (encrypting it) into an unreadable format, called ciphertext. Only those who possess a secret key can decipher (or decrypt) the message into plaintext. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptography techniques are virtually unbreakable.


William Gibson coined this term in his 1984 novel Neuromancer. It refers to the connections and conceptual locations created using computer networks. It has become synonymous with the Internet in everyday usage.

Cyclic Redundancy Check

A common technique for detecting data transmission errors.


The area of a disk that a read/write head can access without repositioning on one or more disk platters.


A software program that runs in the background, often to facilitate networking. Daemon programs are usually invisible to users, unlike applications.


Representation of facts, concepts, or instructions in a formalized manner suitable for communication, interpretation, or processing by humans or by automatic means. Any representations such as characters or analog quantities to which meaning is or might be assigned. A representation of facts, concepts, or instructions suitable for communication, interpretation, or processing by humans or computers. (Note: processed data become information.)

Data compression

A complex algorithm used to reduce the size of a file.

Data Encrypting Key

Used for the encryption of message text and for the computation of message integrity checks (signatures).

Data fork

The part of the Macintosh file structure that contains the actual data of a file.

Data integrity

Refers to the validity of data. Data integrity can be compromised in a number of ways, including:

• Human errors when data is entered;
• Errors that occur when data is transmitted from one computer to another;
• Software bugs or viruses;
• Hardware malfunctions, such as disk crashes;
• Natural disasters, such as fires and floods.

There are many ways to minimize these threats to data integrity, including:

• Backing up data on a regular basis;
• Controlling access to data via security mechanisms;
• Designing user interfaces that prevent the input of invalid data;
• Using error detection and correction software when transmitting data.

Data recovery

Retrieving files that were accidentally or purposefully deleted, or rendered inaccessible by logical (software) problems or physical (hardware) problems with the data storage device.
