
Glossary of Computer Forensics Terms


RAID

Redundant Array of Inexpensive Disks. Instead of using one large disk to store data, you use many smaller disks. RAID uses many drives as a group to improve performance, yet also provides a degree of redundancy that makes the chance of data loss remote.

RAM slack

The space from the end of the file to the end of the containing sector is called RAM slack. Before a sector is written to disk, it is stored in a buffer somewhere in RAM. If the buffer is only partially filled with information before being committed to disk, remnants from the end of the buffer will be written to disk. In this way, information that was never ‘saved’ can be found in RAM slack on disk.

Random Access Memory (RAM)

RAM chips that provide rapid access to information. This information can be read and written. There are two basic types of RAM: Dynamic RAM (DRAM) and Static RAM (SRAM). The two types differ in the technology they use to hold data, DRAM being the more common type, which needs to be refreshed thousands of times per second. Static RAM does not need to be refreshed, which makes it faster; but it is also more expensive than dynamic RAM. Both types of RAM are volatile, meaning that they lose their contents when the power is turned off. In common usage, the term ‘RAM’ is synonymous with main memory, the memory available to programs. In contrast, ROM (read-only memory) refers to special memory used to store programs that boot the computer and perform diagnostics.

Read Only Memory (ROM)

Chips that contain a permanent program that is ‘burned in’ at the factory and maintained when the power to the computer is turned off. As its name implies, the information on the chips can only be read and not written to. They usually contain small programs and data that are needed to boot the computer.


Registry

In Windows, the Registry contains information about the hardware, network connections, user preferences, installed software, and other critical information.

Removable media cards

Small-sized data storage media that are more commonly found in other digital devices such as cameras, PDAs (Personal Digital Assistants) and music players. They can also be used for the storage of normal data files, which can be accessed and written to by computers. There are a number of these, including SmartMedia Card, SD Expansion Card, Ultra Compact Flash, Compact Flash, Multimedia Card and Memory Stick. The cards are non-volatile (they retain their data when power to their device is stopped) and they can be exchanged between devices.

Root folder

All file systems have a ‘tree’ structure that supports files and folders within folders to an arbitrary depth. The ‘root’ of this tree is always stored in a known location. On FAT12 and FAT16 volumes, the root folder resides at a fixed location on the drive and contains a maximum number of entries that is determined when the volume is formatted. The number of files and folders in the root folder of such a volume is limited, but the number and size of the rest of the folders on the disk is essentially unlimited, because they are treated like normal files and can expand if space is available on the volume. On FAT32 volumes, the root folder is also treated like a file and can contain any number of files or folders. Its location is stored in the volume boot record. NTFS stores the root as a special file in the Master File Table. The name of the file is "." (dot). EXT2 drives store the root as a special inode in the first group. CDFS gives the location of the root folder in the boot sector.


Rootkit

A collection of software tools that permits a hacker to set up a backdoor into a computer system. Rootkits collect information about other systems on the network while disguising the fact that the system is compromised. Rootkits are a classic example of Trojan horse software and are available for a wide range of operating systems.


A host connected to two or more networks that can send network messages from one network (e.g. an Ethernet network) to another (e.g. an ATM network) provided the networks are using the same network protocol (e.g. TCP/IP).
