Wednesday, Dec 12th

Last update06:08:55 PM GMT

You are here: Glossary

Glossary of Computer Forensics Terms

Search for glossary terms (regular expression allowed)
Begins with Contains Exact term
All A B C D E F G H I J K L M N O P Q R S T U V W
Term Definition

File Allocation Table. On a FAT-based file system such as FAT16 or FAT32, the means by which a computer accounts for the space used or unused in the system. As files are added, the File Allocation Table records the positioning and space occupied by the added file. As a file is deleted from the computer, the record of the file on the file allocation table is deleted, although the file is not physically removed from the drive. Simply put, the FAT is an address book for locating files on the disk.

File extension

A tag of three or four letters, preceded by a period, which identifies a data file’s format or the application used to create the file. File extensions can streamline the process of locating data. For example, if one is looking for incriminating pictures stored on a computer, one might begin with the .gif and .jpg files.

File server

When several or many computers are networked together in a LAN situation, one computer may be utilized as a storage location for files for the group. File servers may be employed to store email, financial data, word processing information or to back-up the network.

File sharing

The sharing of computer data, usually within a network, with users having varying degrees of access privileges. Users may be able to view, write to, modify, or print information to or from the shared file.

File signature

Within the file, the file signature is the information about the true program-related origin of the file and, therefore, its type. Tools for reading file signatures identify the true program source even if the file extension has been changed.

File slack

Files are created in varying lengths depending on their contents. DOS-, Windows, and Windows NT-based computers store files in fixed-length blocks of data called clusters. Rarely do file sizes exactly match the size of one or multiple clusters. The data storage space that exists from the end of the file to the end of the last cluster assigned to the file is called ‘file slack’. Cluster sizes vary in length depending on the operating system involved and, in the case of Windows 95, the size of the logical partition involved. Larger cluster sizes mean more file slack and the waste of storage space when Windows 95 systems are involved. However, this computer security weakness creates benefits for the computer forensics investigator because file slack is a significant source of evidence and leads. File slack potentially contains randomly selected bytes of data from computer memory. This happens because DOS/Windows normally writes in 512-byte blocks called sectors. Clusters are made up of blocks of sectors. If there is not enough data in the file to fill the last sector in a file, DOS/Windows makes up the difference by padding the remaining space with data from the memory buffers of the operating system. This randomly selected data from memory is called RAM slack because it comes from the memory of the computer. RAM slack can contain any information that may have been created, viewed, modified, downloaded, or copied during work sessions that have occurred since the computer was last re-booted. Thus, if the computer has not been shut down for several days, the data stored in file slack can come from work sessions that occurred in the past.

File system

A system for organizing directories and files, generally, in terms of how it is implemented in the disk-operating system.


A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.


Software contained in a read-only memory (ROM) device


The DOS format program that performs high-level formatting on a hard disk, and both high- and low-level formatting on a floppy disk.


The state of having a file scattered around a disk in pieces rather than existing in one contiguous area of the disk. Fragmented files are slower to read than un-fragmented files.

Free space

Space on storage media that appears to contain no data, either because it is unused or because files that were intact and accessible at one time are now erased. The file data remains in the slack space until overwritten

All A B C D E F G H I J K L M N O P Q R S T U V W