
Glossary of Computer Forensics Terms

Term Definition

Often used as a shorter synonym for random access memory (RAM). Memory is the electronic holding place for instructions and data that a computer’s microprocessor can reach quickly.


Electronic information about a file that travels with the electronic file. Otherwise called ‘data about data’.

Mirror image backup

Mirror image backups (also referred to as bit-stream backups) involve the backup of all areas of a computer hard disk drive or another type of storage media. Mirror image backups exactly replicate all sectors on a given storage device. Accuracy is essential and to guarantee accuracy, mirror image backup programs typically rely on mathematical hashing computations in the validation process.

Misnamed files (also called files with a

One simple way to disguise a file’s contents is to change the file’s name to something innocuous. For example, if an investigator was looking for images by searching or filtering for a particular file extension (e.g. .gif), any file whose extension had been changed by the user to ‘rtf’ would not appear as a result of the search. Forensic examiners use special techniques (signature analysis), which the casual user would not normally be aware of, to determine if this has occurred.


A device that converts digital signals to analog signals for transmission over the telephone system.


The ‘heart’ of the computer. It handles system resources (IRQ lines, DMA channels, I/O locations), as well as core components such as the CPU, and all system memory. It accepts expansion devices such as sound and network cards, and modems.


Microsoft Disk Operating System. Operating system marketed by Microsoft. This was the most common operating system in use on desktop PCs; it loads automatically into the computer’s memory when the computer is switched on.

Network Interface Card (NIC)

A piece of hardware used to connect a host to the network. Every host must have at least one network interface card. Every NIC is assigned a number called a Media Access Control (MAC) address.

Network port scanning

The process of probing selected service port numbers over an IP network with the purpose of identifying available network services on that system. Network port scanning is an information-gathering process often helpful for troubleshooting system problems or tightening system security, but it is often performed by hackers as a prelude to an attack.

Network spoofing

In network spoofing, a system presents itself to the network as though it were a different system (system A impersonates system B by sending B’s address instead of its own).

Network worm

A worm that migrates across platforms over a network by copying itself from one system to another by exploiting common network facilities, resulting in execution of the (replicated) worm on that system and potentially others.

New Technology File System (NTFS)

Windows NT file system. NTFS has an advanced structure that is designed to overcome the limitations of other file systems that have come before it. The file descriptors for every file on an NTFS volume are stored in the Master File Table (MFT), including a reference to the MFT itself. Each file descriptor contains the name and other attributes of the file along with its extents list. This list contains the location of the file on the volume. Another file called the volume bitmap describes the free clusters on the volume. Folders are stored in a b-tree structure for quick disk access.


Any single computer or peripheral connected to a network; the processing location within a network. A node can be a computer, printer, scanner or other type of device within a network.

Operating system

This software is usually loaded into the computer memory upon switching the machine on and is a prerequisite for the operation of any other software.

Optical disk

A permanent, usually removable, data storage device that uses a laser to read and write the information it contains. These devices are not subject to erasure when exposed to a magnetic field.

Original digital evidence

Physical items and those data objects which are associated with those items at the time of seizure.


A packet is a bundle of data that is routed between an origin and a destination on the Internet. When information such as files, e-mail messages, HTML documents, web pages, etc. are sent from one place to another on the Internet, TCP/IP divides the information into chunks of an efficient size for routing. Each of these packets includes the Internet address of the

Packet sniffing

Packet sniffing is a technique in which attackers surreptitiously insert a software program at remote network switches or host computers. The program monitors information packets as they are sent through networks and sends a copy of the information retrieved to the hacker. By picking up the first 125 keystrokes of a connection, attackers can learn passwords and user identifications, which, in turn, they can use to break into systems. Packet sniffing is also used by Network Administrators for troubleshooting issues such as "slow" network connections.

Partition table

The partition table describes the first four partitions, their location on the disk, and which partition is bootable. This is indicated by a single byte in the partition table. In fact, the entire logical layout of the disk is determined by 64 bytes of information. It is quite easy to hide or change information or even entire volumes from DOS by changing a single byte in the partition table.

Password cracking

Password cracking is a technique used to surreptitiously gain system access by using another user’s account. Users often select weak passwords. The two major sources of weakness in passwords are easily guessed passwords based on knowledge of the user (e.g. wife's maiden name) and passwords that are susceptible to dictionary attacks (brute-force guessing of passwords using a dictionary as the source of guesses).


The location of a file. The path consists of directory or folder names, beginning with the highest-level directory or disk name and ending with the lowest-level directory name. A path can identify a drive (e.g. C:), a folder (e.g. C:\Temp), or a file (e.g. C:\Windows\ftp.exe).


Personal Computer Memory Card International Association


A method of networking that allows every computer on the network to share its resources with all other users. This method makes good use of available hardware in exchange for data security.


A storage medium.

Penetration testing

The attempt to discern the level of security that is protecting a system or network. Such testing includes trying to evade security measures using the same tools and techniques that a potential attacker might use. Penetration testing may be used by a company to identify and correct security weaknesses.

Physical address

The actual sector in which a file is located.

Physical file size

The physical size of a file is the amount of space that the file occupies on the disk. A file or folder always occupies a whole number of clusters, even if it does not completely fill that space. A file always takes at least one cluster, even if it is empty. Therefore, even if a file has a logical size of only five bytes, its physical size is one cluster.


A small dot used to create images.

PnP (Plug-and-Play)

A hardware and software specification developed by Intel that allows a PnP system and a PnP adapter to configure automatically. PnP cards generally have no switches or jumpers, but are configured via the PnP system’s BIOS or with supplied software for non-PnP computers.

Point-to-Point Protocol

PPP is a protocol for communication between two computers using a serial interface, typically a personal computer connected by phone line to a server.


Power On Self Test. Each time a PC initializes, the BIOS executes a series of tests collectively known as the POST. The test checks each of the primary areas of the system, including the motherboard, video system, drive system, and keyboard, and ensures that all components can be used safely. If a fault is detected, the POST reports it as an audible series of beeps or a hexadecimal code written to an I/O port.

Private key

In encryption, the key held by the owner of the file.

Promiscuous mode

When an Ethernet interface reads all information regardless of its destination. This is the opposite of normal mode, when the interface reads packets destined for itself only.


A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps perform additional authentication, and then complete a connection on behalf of the user to a remote destination.

Proxy server

In an enterprise that uses the Internet, this server acts as an intermediary between a workstation user and the Internet so that the enterprise can ensure security, administrative control, and caching service. A proxy server can improve performance by supplying frequently requested data, such as a popular web page, and can filter and discard requests that the owner does not consider appropriate, such as requests for unauthorised access to proprietary files.


To search or ask. In particular, to request information in a search engine, index directory, or database.


Redundant Array of Inexpensive Disks. Instead of using one large disk to store data, you use many smaller disks. RAID uses many drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.

Ram slack

The space from the end of the file to the end of the containing sector is called RAM slack. Before a sector is written to disk, it is stored in a buffer somewhere in RAM. If the buffer is only partially filled with information before being committed to disk, remnants from the end of the buffer will be written to disk. In this way, information that was never ‘saved’ can be found in RAM Slack on disk.

Random Access Memory (RAM)

RAM chips that provide rapid access to information. This information can be read and written. There are two basic types of RAM: Dynamic RAM (DRAM) and Static RAM (SRAM). The two types differ in the technology they use to hold data, DRAM being the more common type, which needs to be refreshed thousands of times per second. Static RAM does not need to be refreshed, which makes it faster; but it is also more expensive than dynamic RAM. Both types of RAM are volatile, meaning that they lose their contents when the power is turned off. In common usage, the term ‘RAM’ is synonymous with main memory, the memory available to programs. In contrast, ROM (read-only memory) refers to special memory used to store programs that boot the computer and perform diagnostics.

Read Only Memory (ROM)

Chips that contain a permanent program that is ‘burned in’ at the factory and maintained when the power to the computer is turned off. As its name implies, the information on the chips can only be read and not written to. They usually contain small programs and data that are needed to boot the computer.


In Windows, the Registry contains information about the hardware, network connections, user preferences, installed software, and other critical information.

Removable media cards

Small-sized data storage media that are more commonly found in other digital devices such as cameras, PDAs (Personal Digital Assistants) and music players. They can also be used for the storage of normal data files, which can be accessed and written to by computers. There are a number of these, including: Smartmedia Card; SD Expansion Card; Ultra Compact Flash; Compact Flash; Multimedia Card; Memory Stick. The cards are non-volatile (they retain their data when power to their device is stopped) and they can be exchanged between devices.

Root folder

All file systems have a ‘tree’ structure that supports files and folders within folders to an arbitrary depth. The ‘root’ of this tree is always stored in a known location. On FAT12 and FAT16 volumes, the root folder resides at a fixed location on the drive and contains a maximum number of entries that is determined when the volume is formatted. The number of files and folders in the root folder of such a volume is limited, but the number and size of the rest of the folders in the disk is essentially unlimited, because they are treated like normal files and can expand if space is available on the volume. On FAT32 volumes, the root folder is also treated like a file and can contain any number of files or folders. Its location is stored in the volume boot record. NTFS stores the root as a special file in the Master File Table. The name of the file is "." (dot). EXT2 drives store the root as a special Inode in the first group. CDFS gives the location of the root folder in the boot sector.


A collection of software tools that permits a hacker to set up a backdoor into a computer system. Rootkits collect information about other systems on the network while disguising the fact that the system is compromised. Rootkits are a classic example of Trojan horse software and are available for a wide range of operating systems.


A host connected to two or more networks that can send network messages from one network (e.g. an Ethernet network) to another (e.g. an ATM network) provided the networks are using the same network protocol (e.g. TCP/IP).


Scripts are programs written to run with Web pages and perform a specific task in response to visitor actions such as clicking a button. For example, a Perl script could count the visits to a web page and a JavaScript script makes the buttons change colours when the mouse pointer hovers over them. Scripts can be written in Perl, Java, JavaScript, VBScript, and a number of other programming languages.


Small Computer System Interface. A standard that allows multiple devices to be connected in daisy-chain fashion.


The tracks on a disk are divided into sectors. Clusters contain from 1 to 64 sectors.

Secure Socket Layer (SSL)

A method of encrypting data as it is transferred between a browser and Internet server. Used for online payments amongst other processes.

Secure wipe

Overwriting all material on a disk so as to destroy, as far as possible, all data stored upon it.
