Wednesday, Dec 12th

Last update06:08:55 PM GMT

You are here: Glossary

Glossary of Computer Forensics Terms

Search for glossary terms (regular expression allowed)
Begins with Contains Exact term
All A B C D E F G H I J K L M N O P Q R S T U V W
Page:  « Prev 1 2 3 4 5... Next »
Term Definition
Data structures

The logical relationships among data units and description of attributes or features of a piece of data (e.g., type, length).

Database

A collection of information data consisting of at least one file, usually stored in one location, which may be available to several users simultaneously for various applications.

Decryption

The reverse of encryption, a method of unscrambling encrypted information so that it becomes legible again.

Defragment

As modern file systems are used and files are deleted and created, the total free space becomes split into smaller non-contiguous blocks. Eventually new files being created, and old files being extended, cannot be stored each in a single contiguous block but become scattered across the file system. This degrades performance as multiple seek operations are required to access a single fragmented file. Defragmenting consolidates each existing file and the free space into a contiguous group of sectors. Access speed will increase.

Deleted files

If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.

Denial of Service

The inability to use system resources due to unavailability stemming from a variety of causes for example, infiltrations by hackers, the flooding of IP addresses from external messages, and network worms.

Dictionary attacks

The attacker uses a program that continuously tries different common words to see if one matches a password to the system or programs.

Digital certificate

A digital identifier linking an entity and a trusted third party with the ability to confirm the entities identification. Typically stored in a browser or a smart card.

Digital signature

A unique value that identifies a file. A code that is used to guarantee that an e-mail was sent by a particular sender.

Disaster Recovery

The process of returning a business function to a state of normal operations either at an interim minimal survival level and/or re-establishing full-scale operations.

Disk

It may be a floppy disk, or it may be a hard disk. May also refer to a CD ROM.

Disk cache

A portion of memory set aside for temporarily holding information read from a disk.

Disk duplexing

This refers to the use of two controllers to drive a disk subsystem. Should one of the controllers fail, the other is still available for disk I/O. Software applications can take advantage of both controllers to simultaneously read and write to different drives.

Disk geometry

The internal organization of the drive.

Disk mirroring

Disk mirroring protects data against hardware failure. In its simplest form, a two-disk subsystem would be attached to a host controller. One disk serves as the mirror image of the other. When data is written to it, it is also written to the other. Both disks will contain exactly the same information. If one fails, the other can supply the data to the user without problem.

Distributed Denial of Service (DDoS)

Distributed Denial of Service attempts involving multiple Internet-connected systems launching or being used in attacks against one or more target systems.

dll

Dynamic link library

DNS

Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Domain name registration

A domain name is a textual address that is a unique identifier for your Web site that corresponds to your site's numerical Internet Protocol (IP) address.

Dongle

Also called a hardware key. A dongle is a copy protection device supplied with software that plugs into a computer port, usually the parallel or USB port on a PC. The software sends a code to that port and the key responds by reading out its serial number, which verifies its presence to the program. The key hinders software duplication because each copy of the program is tied to a unique number, which is difficult to obtain, and the key has to be programmed with that number.

DOS

Disk operating system. Usually used as an abbreviation for MS-DOS, a microcomputer operating system developed by Microsoft.

DoubleSpace

An MS DOS disk compression. A utility distributed with MS-DOS 6.0 and 6.20.

Download

Generally, to copy something from a bigger computer to a smaller one or from a distant one to a local one, e.g. from a network (including the Internet) or server on to PC, or from a PC to a PDA. The transferring of programs and data from a remote computer to your computer.

Drive slack

Any information that had been on the storage device previously. It can contain deleted files, deleted e-mail, or file fragments. Both file slack and RAM slack constitute drive slack.

Driver

A program designed to interface a particular piece of hardware to an operating system or other software.

Dynamic Random Access Memory (DRAM)

A type of memory used in a PC for the main memory. ‘Dynamic’ refers to the memory’s memory of storage—storing the charge on a capacitor. Specialized types of DRAM (such as EDO memory) have been developed to work with today’s faster processors.

EFS

Encrypted file system

EIDE

Enhanced Integrated Drive Electronics. A specific type of attachment interface specification that allows for high-performance, large-capacity drives.

Electromagnetic interference

An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment.

Electronic records

Information stored in a format that can only be read and processed by a computer.

Encryption

Any procedure used in cryptography to convert plain text into cipher text in order to prevent anyone but the intended recipient from reading that data.

End-of-file marker

0x0FFFFFFF, the code typically used with FAT file systems to show where the file ends.

Ethernet

A very common way of networking PCs to create a LAN.

Event viewer

In Windows, a utility used to display event logs. With Event Viewer, users can monitor events recorded in the Application, Security, and System logs.

Examination

Technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.

Executable

A binary file containing a program in machine language that is ready to be executed (run). MS-DOS and Windows machines use the filename extension ‘.exe’ for these files.

Exploit

To use a program or technique to take advantage of vulnerabilities or flaws in hardware or software.

Ext2

The Ext2 file system is the primary file system used on the Linux operating system. Ext2 partitions are divided into a series of Groups. Each Group contains a series of Inodes and Blocks. The Inode tables describe the files that are located within each group. As with the FAT file system, a folder is a file that contains descriptors for each of its children.

Extended DOS partitions

Normally, each partition table entry describes a volume to be mounted by the file system. If more than four partitions are on the drive, a special partition type called an ‘Extended Partition’ is created. In this configuration, the first sector of every extended partition is itself a boot sector with another partition table. This table has a duplicate copy of the partition entry for that volume that contains a sector offset into the current partition where the logical volume begins.

Extended headers

Information that is added by e-mail programs and transmitting devices – which shows more information about the sender that is in many circumstances traceable to an individual computer on the Internet.

External cache memory

Internal caches are often called Level 1 (L1) caches. Most modern PCs also come with external cache memory, called Level 2 (L2) cache. These caches sit between the CPU and the DRAM. Like L1 caches, L2 caches are composed of SRAM but are much larger.

External drive

A data storage unit not contained in the main computer housing

Extract

To extract is to return a compressed file to its original state. Typically, to view the contents of a compressed file, it must be extracted first.

FAT

File Allocation Table. On a FAT-based file system such as FAT16 or FAT32, the means by which a computer accounts for the space used or unused in the system. As files are added, the File Allocation Table records the positioning and space occupied by the added file. As a file is deleted from the computer, the record of the file on the file allocation table is deleted, although the file is not physically removed from the drive. Simply put, the FAT is an address book for locating files on the disk.

File extension

A tag of three or four letters, preceded by a period, which identifies a data file’s format or the application used to create the file. File extensions can streamline the process of locating data. For example, if one is looking for incriminating pictures stored on a computer, one might begin with the .gif and .jpg files.

File server

When several or many computers are networked together in a LAN situation, one computer may be utilized as a storage location for files for the group. File servers may be employed to store email, financial data, word processing information or to back-up the network.

File sharing

The sharing of computer data, usually within a network, with users having varying degrees of access privileges. Users may be able to view, write to, modify, or print information to or from the shared file.

File signature

Within the file, the file signature is the information about the true program-related origin of the file and, therefore, its type. Tools for reading file signatures identify the true program source even if the file extension has been changed.

File slack

Files are created in varying lengths depending on their contents. DOS-, Windows, and Windows NT-based computers store files in fixed-length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called ‘file slack’. Cluster sizes vary in length depending on the operating system involved and, in the case of Windows 95, the size of the logical partition involved. Larger cluster sizes mean more file slack and the waste of storage space when Windows 95 systems are involved. However, this computer security weakness creates benefits for the computer forensics investigator because file slack is a significant source of evidence and leads. File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512-byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM slack because it comes from the memory of the computer. RAM slack can contain any information that may have been created, viewed, modified, downloaded, or copied during work sessions that have occurred since the computer was last re-booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

File system

A system for organizing directories and files, generally, in terms of how it is implemented in the disk-operating system.

Page:  « Prev 1 2 3 4 5... Next »
All A B C D E F G H I J K L M N O P Q R S T U V W