
Glossary of Computer Forensics Terms


Cache

A cache (pronounced ‘cash’) is a place to store something more or less temporarily. Two common types of cache are cache memory and a disk cache.


To either locate a deleted file in its entirety or through fragments by searching for any occurrence of the known file’s header information.


An area the Macintosh file system uses to maintain the relationships between files and directories on a volume.

Chain of Custody

The identity of persons who handle evidence between the time of commission of the alleged offence and the ultimate disposition of the case. It is the responsibility of each transferee to ensure that the items are accounted for during the time that they are in his or her possession, that they are properly protected, and that there is a record of the names of the persons from whom they received the items and to whom they delivered them, together with the time and date of such receipt and delivery.


Alternative term for an encryption algorithm.


The term given to the operation of creating an exact duplicate of one media on another like media. This is also referred to as a mirror image or physical sector copy.


Clump

In the Macintosh file system, a contiguous allocation block. Clumps are used to keep file fragmentation to a minimum.


Cluster

An elementary unit of allocation of a disk made up of one or more physical blocks. A file is made up of a whole number of possibly non-contiguous clusters. The cluster size is a trade-off between space efficiency (the bigger the cluster, the bigger, on average, the wasted space at the end of each file) and the length of the FAT.


Cluster

A cluster is a group of sectors in a logical volume that is used to store files and folders. Clusters must contain a number of sectors that is a power of 2 (e.g. 2, 4, 8, 16). DOS maintains information about each cluster in the File Allocation Table (FAT). NTFS partitions store that same information in the file extents tables and the volume bitmap. EXT2 partitions store the information in the Inode Tables and Block Bitmaps. CDs usually have un-fragmented file extents, so there is no need for a cluster bitmap or a FAT.


CMOS

Complementary Metal Oxide Semiconductor. A part of the motherboard that maintains system variables in static RAM. It also supplies a real-time clock that keeps track of the date, day and time. CMOS Setup is typically accessible by entering a specific sequence of keystrokes during the POST at system start-up.

Cold boot

Starting or restarting a computer by turning on the power supply. See also warm boot.

Compact disk — recordable

A disk to which data can be written but not erased.

Compact disk — rewritable

A disk to which data can be written and erased.

Compact flash card

A form of storage media, commonly used in digital personal organizers and cameras but can be used in other electronic devices including computers.

Compressed file

A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. The most common compression utilities are ZIP, StuffIt and RAR.

Computer forensics

The term "computer forensics" was coined in 1991 in the first training session held by the International Association of Computer Specialists (IACIS) in Portland, Oregon. Like any other forensic science, computer forensics deals with the application of law to a science. In this case, the science involved is computer science and some refer to it as forensic computer science. Computer forensics has also been described as the autopsy of a computer hard disk drive because specialized software tools and techniques are required to analyze the various levels at which computer data is stored after the fact. Computer Forensics deals with the preservation, identification, extraction, and documentation of computer evidence. Like any other forensic science, computer forensics involves the use of sophisticated technology tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

Computer generated records

Data that is generated by the computer such as system log files or proxy server logs.

Computer Incident Response Team

A group of technical investigators and security engineers that responds to and investigates computer security incidents.

Computer investigations

Computer investigations rely on evidence stored as data and the timeline of dates and times that files were created, modified, and/or last accessed by the computer user. Timelines of activity can be especially helpful when multiple computers and individuals are involved in the commission of a crime.

Computer security

Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.

Computer security incident

An adverse event wherein some aspect of a computer system is threatened, for example, loss of data confidentiality, disruption of data or system integrity, and disruption or denial of availability.

Computer stored records

Digital files that are generated by a person.

Computing forensic laboratory

A computer laboratory that is dedicated to computing investigations, and typically has a variety of computers, OSs, and forensic software.


Cookie

A message given to a Web browser by a Web server. The browser stores the message in a text file called cookie.txt. The message is then sent back to the server each time the browser requests a page from the server. The main purpose of cookies is to acquire information, identify users and possibly prepare customized Web pages for them. The term "cookie" derives from UNIX objects called magic cookies. These are tokens that are attached to a user or program and change, depending on the areas entered by the user or program.


An accurate reproduction of information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction.

CPU, Central Processing Unit

The part of a computer system that does the actual ‘thinking’ or information processing of the computer. A programmable logic device that performs all the instruction, logic, and mathematical processing in a computer. Sometimes CPU is used to distinguish between the box housing the computer guts under the desk and the monitor that sits on the desk.


Crash

A sudden, usually drastic failure of a computer system. Can be said of the operating system or a particular program when there is a software failure (‘the system has crashed’). In addition, a disk drive can crash because of hardware failure (‘the disk has crashed’).

Cryptographic checksum

A one-way function applied to a file to produce a unique ‘fingerprint’ of the file for later reference. Checksum systems are a primary means of detecting file system tampering on UNIX.


The art of protecting information by transforming it (encrypting it) into an unreadable format, called ciphertext. Only those who possess a secret key can decipher (or decrypt) the message into plaintext. Encrypted messages can sometimes be broken by cryptanalysis, also called code breaking, although modern cryptography techniques are virtually unbreakable.


William Gibson coined this term in his 1984 novel Neuromancer. It refers to the connections and conceptual locations created using computer networks. It has become synonymous with the Internet in everyday usage.

Cyclic Redundancy Check

A common technique for detecting data transmission errors.


The area of a disk that a read/write head can access without repositioning on one or more disk platters.
