Glossary Of Digital Forensics-Related Terms
25 January 2013
Allocated Space: The clusters on a storage device that have been assigned to store data (also
referred to as used space). When a file is to be written, the file system finds unused (i.e.,
unallocated) space on the medium and starts writing the data; the status of the clusters that
are being written to is changed to allocated. (See also unallocated space.)
Allocation Unit: In file systems, an allocation unit is the smallest amount of disk space that can
be allocated to hold a file. All file systems used by Windows 2000 organize hard disks based on
allocation units. The smaller the allocation unit size, the more efficiently a disk stores
information. If no allocation unit size is specified during formatting, Windows 2000 chooses
default sizes based on the size of the volume and the file system used. These defaults are
selected to reduce the amount of space lost and the amount of fragmentation on the volume.
Also called clusters.
ASL: Short for "age, sex, location," a common greeting when entering certain chat rooms
online.
Basic input/output system (BIOS): The set of essential software routines that tests hardware at
startup, assists with starting the operating system, and supports the transfer of data among
hardware devices. The BIOS is stored in read-only memory (ROM) so that it can be executed
when the computer is turned on. Although critical to performance, the BIOS is usually invisible
to computer users.
Bit: A measurement of data; it is the smallest unit of data. A bit is either a "1" or a "0".
Bit-for-bit copy: A method of copying the information stored on electronic media so that it
replicates the data at the lowest level. The term bit copy refers to the duplication of the 0s and
1s (bits) that form the basis of all digital information. This type of copying is utilized to create
the true and accurate copy analyzed by the forensic examiner.
Bluetooth: A network technology for very small, so-called Personal Area Networks (PANs), with
a geographic scope of 1-100 m. Commonly used to enable communication between mobile
devices, such as a cell phone and external headset. Can also be used for file transfer. NOTE:
Bluetooth (BT) devices communicate with each other in a pair-wise fashion; BT must be enabled
on both devices, the devices must both be in discoverable mode, and permission set on both
devices to accept the communication.
Byte: Eight bits. The byte is the basis for measurement of most computer data as multiples of
the byte value. A kilobyte (KB) is nominally one thousand bytes or eight thousand bits; more
precisely, it is 2^10 = 1,024 bytes because units of computer storage are based on powers of 2
rather than powers of 10. Similarly, a megabyte (MB) is approximately one million bytes (it is
actually 2^20 = 1,048,576 bytes, or 1,024 KB). A gigabyte (GB) is roughly one billion bytes (2^30 =
1,073,741,824 bytes); 1 GB = 1,024 MB. A terabyte (TB) is approximately one trillion bytes (2^40 =
1,099,511,627,776 bytes); 1 TB = 1,024 GB. Because these units are based on powers of 2, a
new nomenclature is emerging, where a kilobyte, megabyte, gigabyte, and terabyte are
denoted KiB, MiB, GiB, and TiB, respectively.
Cache: A type of computer memory that temporarily stores frequently used information for
quick access or a storage location on a computer hard drive for temporary files (e.g., Internet
cache).
Carving: One method of recovering deleted data from the unallocated space or slack space of
computer media. Many specialized file types, such as graphical images, have a file signature
that identifies the file contents and format. When a file is "deleted," the contents of the file
remain intact, although the file location on the media becomes marked as unallocated and,
therefore, invisible to the operating system. Forensics tools can search unallocated and slack
space for known file signatures and, in many cases, can recover the files completely intact.
Central Processing Unit (CPU): The most powerful chip in the computer; located inside a
computer, it is the "brain" that performs all arithmetic, logic, and control functions (most
common processors are made by Intel, AMD, and Motorola).
Code Division Multiple Access (CDMA): One of the digital cellular phone technologies and the
one most widely employed in North America.
Compact Disc (CD): Data storage medium with a capacity of approximately 650 MB; can store
about 1,500 floppy disks worth of data. Also known as a CD-ROM (read-only memory).
Cookie: Small data files written to a user's hard drive by a Web browser with information from
a Web site. These files contain specific information that identifies users (e.g., passwords and
lists of pages visited).
Chat Log: Computer files, usually stored on an individual's computer, that contain the content
from online chat sessions. These logs can include the dates and times of communications, file
transfers, and the text of the communication.
Cluster: (See Allocation Unit)
Defragmentation: The process of rewriting parts of a file to contiguous sectors on a hard disk to
increase the speed of access and retrieval. When files are updated, the computer tends to save
these updates on the largest continuous space on the hard disk, which is often on a different
sector than the other parts of the file. When files are thus fragmented, the computer must
search the hard disk each time the file is opened to find all of the parts of the file, which slows
down response time. In Active Directory, defragmentation rearranges how the data is written in
the directory database file to compact it. See also fragmentation.
Deleted data: Deleted data is data that formerly existed on the computer as live data and
which has been deleted by the computer system or end-user activity. Deleted data remains on
storage media in whole or in part until it is overwritten by ongoing usage or wiped with a
software program specifically designed to remove deleted data. After data has been deleted,
directory entries, pointers, or other metadata relating to the deleted data may remain on the
drive; wiped data is usually beyond the reach of most computer forensics processes.
Digital forensic evidence: Information stored or transmitted in binary form that may be relied
on in court.
Digital versatile disc (DVD): A type of optical storage media, a DVD looks like a CD-ROM and
can store up to approximately 8 GB. DVDs are often used to store full-length movies and other
multimedia content that requires large amounts of storage space.
Directory structure: Organization of directories (aka folders) and files on a hard drive, like the
branches of an upside down tree. The main directory is called the root directory, denoted "\"
on a Windows system or "/" on a Linux/Unix system.
Electronic storage device: Any medium that is used to record information, including hard disks,
magnetic tapes, compact disks, videotapes, audiotapes, and removable storage devices such as
floppy disks and ZIP disks.
Enhanced Message Service (EMS): An extension of SMS that allows multimedia exchange of
pictures, videos, etc.
Electronic Serial Number (ESN): A 32-bit numeric identifier assigned to CDMA and TDMA
phones. Can be expressed in decimal or hexadecimal; in the latter case, it is often preceded by
a "0x". (See also MEID.)
Faraday box (or bag): As with flight mode, a Faraday box ensures that a mobile device is
isolated from the network. If flight mode is not available on a phone, a Faraday box is another
option to secure the phone from receiving incoming network signals.
File: A collection of data or information stored under a specified name on a disk.
File allocation table (FAT): A file system based on a file allocation table (FAT) maintained by
some operating systems, including Windows NT and Windows 2000, to keep track of the status
of various segments of disk space used for file storage. The FAT file system is also commonly
seen on floppy disks, thumb drives, and memory expansion cards.
File extension: In the Windows operating system, the file extension is a tag of three or four
characters, preceded by a dot, that identifies a file's format or the application used to create
the file. File extensions can streamline the process of locating data; e.g., if one is looking for
incriminating pictures stored on a computer, one might begin with .GIF and .JPG files. File
extensions can be changed by a user, however, and cannot be the definitive method with which
to identify the file type and content. (See file signature.)
File signature: A string of bytes within a file that definitively identifies the file format and
application. A file signature is a better indication of file type than file extension.
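As an added example that is not part of this glossary, the code below identifies the graphic formats listed under "Graphic image formats" by their well-known signature bytes rather than by extension, and reuses the same table to carve signature-bounded files out of a constructed buffer standing in for the unallocated space described under Carving. The sample GIF, JPEG and PNG and the zero-filled filler are constructed here.

```python
"""Identify graphic files by signature instead of extension, and carve
signature-bounded files out of a constructed 'unallocated space' buffer.
Added example for this glossary, not taken from any forensic tool."""
import os
import struct
import zlib

# Format -> (accepted headers, trailer). Headers are the well-known magic
# bytes of the formats listed in this glossary. GIF, JPEG and PNG also end
# with a fixed trailer; BMP and TIFF do not (their size lives in the header),
# so the toy carver below only extracts the three trailer-delimited formats.
SIGNATURES = {
    "GIF":  ((b"GIF87a", b"GIF89a"), b"\x3b"),
    "JPEG": ((b"\xff\xd8\xff",), b"\xff\xd9"),
    "PNG":  ((b"\x89PNG\r\n\x1a\n",), b"IEND\xae\x42\x60\x82"),
    "BMP":  ((b"BM",), None),
    "TIFF": ((b"II*\x00", b"MM\x00*"), None),
}
EXTENSIONS = {".gif": "GIF", ".jpg": "JPEG", ".jpeg": "JPEG", ".png": "PNG",
              ".bmp": "BMP", ".tif": "TIFF", ".tiff": "TIFF"}

def identify(data):
    """Return the format whose signature the data starts with, or None."""
    for fmt, (headers, _) in SIGNATURES.items():
        if any(data.startswith(h) for h in headers):
            return fmt
    return None

def extension_matches(filename, data):
    """False when the extension claims one format but the bytes say another."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXTENSIONS and EXTENSIONS[ext] == identify(data)

def carve(space):
    """Find every header-to-trailer span in a buffer of unallocated space."""
    found = []
    for fmt, (headers, trailer) in SIGNATURES.items():
        if trailer is None:
            continue
        for header in headers:
            pos = space.find(header)
            while pos != -1:
                end = space.find(trailer, pos + len(header))
                if end == -1:
                    break  # header without trailer: partial file, not carved here
                found.append((fmt, pos, bytes(space[pos:end + len(trailer)])))
                pos = space.find(header, end + len(trailer))
    return sorted(found, key=lambda item: item[1])

def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

def make_png():
    """A valid 1x1 red RGB PNG, constructed here as sample data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return (SIGNATURES["PNG"][0][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))

# Minimal hand-built GIF and JPEG (header, tiny body, trailer), constructed here.
SAMPLE_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
               b"\x00\x00\xff\xd9")

def sample_unallocated_space():
    """Three 'deleted' images separated by zeroed filler (constructed)."""
    filler = b"\x00" * 64
    return filler + SAMPLE_GIF + filler + make_png() + filler + SAMPLE_JPEG + filler
```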
File slack: Space between the logical end of the file and the end of the last allocation unit for
that file; the unused portion of a file between the end of the user data and the end of the last
cluster of the file.
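The slack arithmetic and the residue it can hold, as an added example that is not part of this glossary: a toy volume with an assumed 4,096-byte allocation unit where deletion only clears the allocation flag, so a shorter file written over a freed cluster carries the earlier file's bytes in its slack. Cluster size, volume and file contents are all constructed.

```python
"""Allocation units and file slack on a toy volume. Added example for this
glossary, not from any real file system; the cluster size and 'files' are
constructed. Shows why the tail of a file's last cluster can still hold
bytes of a previously deleted file."""
import math

CLUSTER_SIZE = 4096  # assumed allocation unit for the toy volume

def clusters_for(size, cluster_size=CLUSTER_SIZE):
    """Number of whole allocation units a file of this size occupies."""
    return math.ceil(size / cluster_size)

def file_slack(size, cluster_size=CLUSTER_SIZE):
    """Bytes between the logical end of the file and the end of its last cluster."""
    return clusters_for(size, cluster_size) * cluster_size - size

class ToyVolume:
    def __init__(self, n_clusters, cluster_size=CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.data = bytearray(n_clusters * cluster_size)   # the medium itself
        self.allocated = [False] * n_clusters              # per-cluster status
        self.files = {}                                    # name -> (first cluster, size)

    def _first_fit(self, need):
        for start in range(len(self.allocated) - need + 1):
            if not any(self.allocated[start:start + need]):
                return start
        raise OSError("volume full")

    def write(self, name, content):
        """Allocate contiguous clusters and write only the file's own bytes;
        whatever already sat in the rest of the last cluster is left alone."""
        need = clusters_for(len(content), self.cluster_size)
        start = self._first_fit(need)
        offset = start * self.cluster_size
        self.data[offset:offset + len(content)] = content
        for c in range(start, start + need):
            self.allocated[c] = True
        self.files[name] = (start, len(content))

    def delete(self, name):
        """Deletion only flips the allocation status; the clusters keep their contents."""
        start, size = self.files.pop(name)
        for c in range(start, start + clusters_for(size, self.cluster_size)):
            self.allocated[c] = False

    def slack(self, name):
        """The file slack region: end of user data to end of the last cluster."""
        start, size = self.files[name]
        end_of_data = start * self.cluster_size + size
        end_of_cluster = (start + clusters_for(size, self.cluster_size)) * self.cluster_size
        return bytes(self.data[end_of_data:end_of_cluster])

def slack_demo():
    """Write a 6,000-byte file, delete it, then write a 100-byte file over the
    same first cluster; the new file's slack still holds the old file's bytes."""
    vol = ToyVolume(n_clusters=8)
    vol.write("old_memo.txt", b"A" * 6000)   # 2 clusters, 2,192 bytes of slack
    vol.delete("old_memo.txt")
    vol.write("new_note.txt", b"B" * 100)    # first fit reuses cluster 0
    return vol.slack("new_note.txt")         # 3,996 bytes, all b"A"
```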
Flight mode: Also known as airplane mode, an operational mode of a mobile phone where the
radio is turned off, thus allowing the user to access all features of the phone except the ability
to place and receive calls. This is ideal for investigations and analysis because the phone is
isolated from the network.
Floppy disk: An increasingly rare storage medium consisting of a thin magnetic film disk housed
in a protective sleeve. The capacity of a 3.5" floppy is approximately 1.44 MB.
Fragmentation: The scattering of parts of the same file over different areas of the disk.
Fragmentation occurs as files on a disk are deleted and new files are added. It slows disk access
and degrades the overall performance of disk operations, although usually not severely. See
defragmentation.
Global System for Mobile communications (GSM): A TDMA technology used for cellular
telephones. GSM is in growing use in North America and widely used throughout the rest of the
world.
Globally Unique Identifier (GUID): A 16-byte value generated from the unique identifier on a
device, the current date and time, and a sequence number. A GUID is used to identify a
particular device or component.
Graphic image formats: There are several common graphic image file formats:
- Bitmap (BMP)
- Graphics Interchange Format (GIF), developed by Compuserve
- Joint Photographic Experts Group (JPEG) format, most commonly used for photographs;
  JPEG files, in particular, contain metadata that indicate photographic timestamps,
  camera-type, resolution, and more
- Portable Network Graphics (PNG)
- Tagged Image File Format (TIFF)
Hard disk: The common magnetic storage medium for computers of all shapes and sizes; laptop
computers commonly use a 2.5" drive and desktop computers commonly use a 3.5" drive. An
internal hard drive is one that is located inside the computer case using an IDE or SCSI
connector; an external hard drive connects to the computer via some sort of serial interface,
such as Firewire or USB. Hard drives can also be stand-alone devices on a wired or wireless
network. Common disk drive capacities today range from 160 GB (small notebook computers)
and 250 GB (laptop computers) to 320 GB (desktop computers) and 1 TB (external network
devices). Information on a hard drive remains on the disk even after the power is turned off.
Technically speaking, a hard disk refers specifically to the magnetic storage platters and a hard
disk drive is the mechanism that controls the positioning, reading, and writing of the
information on the hard disk; since they are packaged as a unit, these terms tend to be used
synonymously.
Hardware: The physical parts of a computer; if it can be picked up and touched, it is hardware
as opposed to software.
Hashing: The process of using a mathematical algorithm to produce a numeric digital
fingerprint of the contents of a file. Hash functions accept as input an arbitrarily long input
string and generate a fixed-length output string. Changing the name of a file will not change
the hash value of the file (as long as the contents remain unchanged). The two most common
hash functions used in digital forensics applications are Message Digest 5 (MD5) and the Secure
Hash Algorithm (SHA).
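As an added example that is not part of this glossary, a verification routine that fingerprints a file with both MD5 and SHA-1 (the two functions named here, giving 128- and 160-bit digests) to confirm that a bit-for-bit copy matches its original, then shows that renaming the copy leaves the digests unchanged while a single flipped bit does not. The "evidence" files are constructed in a temporary directory.

```python
"""Verify a bit-for-bit copy by hashing and show what does and does not
change a digest. Added example for this glossary, not from any forensic
tool; the 'evidence' files are constructed in a temporary directory."""
import hashlib
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha1")  # the two named in this glossary: 128- and 160-bit digests

def hash_bytes(data, algorithm):
    return hashlib.new(algorithm, data).hexdigest()

def hash_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file's contents in chunks so a large disk image need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def fingerprint(path):
    """Digests of the contents only; the file name plays no part."""
    return {alg: hash_file(path, alg) for alg in ALGORITHMS}

def verify_copy(original, copy):
    """True only when every digest of the copy matches the original."""
    return fingerprint(original) == fingerprint(copy)

def demo():
    """Copy a constructed file, rename the copy, then flip one bit in another copy."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence.bin")
        with open(src, "wb") as f:
            f.write(b"constructed sample evidence, not real case data\n" * 2000)

        image = os.path.join(d, "image.dd")
        shutil.copyfile(src, image)
        copy_ok = verify_copy(src, image)

        renamed = os.path.join(d, "renamed_image.001")
        os.rename(image, renamed)                 # name changes, contents do not
        rename_ok = verify_copy(src, renamed)

        tampered = os.path.join(d, "tampered.dd")
        with open(src, "rb") as f:
            data = bytearray(f.read())
        data[-1] ^= 0x01                          # a single bit differs
        with open(tampered, "wb") as f:
            f.write(data)
        tamper_detected = not verify_copy(src, tampered)

    return {"copy_verified": copy_ok, "rename_keeps_hash": rename_ok,
            "single_bit_change_detected": tamper_detected}

if __name__ == "__main__":
    print(demo())
```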
Header, e-mail: An e-mail header is the part of an e-mail message that contains identification
and routing information such as the sender, receiver, message identifier, chain of mail servers,
message priority, and other tags.
Hypertext Markup Language (HTML): The tag-based markup language used to create Web
pages. A browser (e.g., Firefox, Internet Explorer, or Safari) downloads an HTML file from a Web
server and renders the file contents into a nicely formatted page for the user.
Instant messaging: A type of communications service that enables one to create a kind of
private chat dialogue with another individual in order to communicate in real-time over the
Internet; instant messaging is analogous to a telephone conversation but is text-based rather
than voice-based. Typically, the instant message system alerts one whenever somebody on
one's private list is online. One can then initiate a chat session with that particular individual.
Examples of instant messaging services include AOL Instant Messenger, Microsoft Messenger,
Skype chat service, and Yahoo! Chat.
Instant Messenger (IM): The instant messaging service from America Online (AOL).
Integrated Digital Enhanced Network (iDEN): A Motorola-developed TDMA mobile
telecommunications technology. iDEN phones allow normal two-way telephone conversations
as well as a walkie-talkie capability.
International Mobile Equipment Identity (IMEI): A unique 56-bit numeric identifier assigned to
a GSM phone.
International Mobile Subscriber Identity (IMSI): A unique number that identifies a mobile
phone user.
Internet Protocol (IP) address: An IP version 4 (IPv4) address is a 32-bit number that uniquely
identifies a host connected to the Internet. An IP address is expressed in "dotted decimal"
format, consisting of the decimal value (0-255) of its four bytes, separated with periods; an
example IPv4 address is 207.32.187.12. IPv4 addresses are broken into a network identifier
(NETID) and host identifier (HOSTID); the NETID identifies the network on which the host
resides. IPv4 defines several so-called private addresses that can be used by an enterprise any
way they want (e.g., 10.0.0.0, 172.16.0.0-172.31.0.0, 192.168.0.0). IP version 6 (IPv6) addresses
are 128 bits in length.
Media storage devices: Magnetic and optical storage devices that include hard and floppy
disks, tapes, ZIP disks, thumb (aka flash) drives, memory expansion cards, CDs, and DVDs. These
storage devices are distinct from computer memory, which refers to temporary storage areas
within the computer. Unlike main memory, media storage devices retain data even when
power is turned off.
Message Digest 5 (MD5): A hash function that produces a 128-bit digital fingerprint of an input
file. Although some researchers have been able to produce multiple files with the same MD5
hash, MD5 is still acceptable for computer forensics applications. (See also hashing and Secure
Hash Algorithm.)
Metadata: Metadata is "data about data" and is information about a particular data set. System
metadata is information about the file itself, such as location on the disk, size, timestamps, file
sharing attributes, and file ownership. File metadata is data about the file contents and is
usually application-dependent, such as camera information (in JPEG files) and user information
(in Word files). Metadata is generally not reproduced in full form when a document is printed;
indeed, it is usually not easily visible to the user.
microSD: A format for removable flash memory cards, adding between 64 MB and 8 GB of
additional memory to a device.
Mobile Device (or Directory) Number (MDN): The number that someone would dial to reach
this mobile phone; the equivalent to the phone number. Mobile phones also have a MIN. Prior
to wireless number portability, the MDN and MIN were the same.
Mobile Equipment Identifier (MEID): A 56-bit numeric identifier that is supposed to replace
ESNs in CDMA and TDMA phones.
Mobile Identification Number (MIN): A unique 10-digit number assigned by a carrier to the
physical phone handset. Designed for use in CDMA and TDMA networks.
Mobile Services Integrated Services Digital Network (MSISDN): A 15-digit globally unique
phone number associated with a cell phone. The MSISDN contains the country code (+1 in
North America), service provider identifier, and subscriber phone number. Designed for use
with SIM cards and GSM networks.
Modem (Modulator-demodulator): Originally, a piece of hardware that allows computers to
connect to the analog telephone network. A cable modem is a specialized device that allows a
computer to connect to a cable TV network.
Moving Picture Experts Group (MPEG): An international standard for compressing full motion
video. MPEG files frequently use the .MPEG or .MPG file extension.
MPEG-2: A standard for video compression and video file format. MPEG-2 offers video
resolutions of 720 x 480 and 128 x 720 at 60 frames per second, with full CD-quality audio.
MP3: Audio compressed in the MPEG1 Layer 3 format.
MP4: Video compressed in the MPEG1 Layer 4 format.
Multimedia Messaging Service (MMS): An extension to SMS that allows small multimedia
attachments to text messages, such as video clips and animations. See also EMS.
NTFS file system: A recoverable file system designed for use specifically with Windows NT-based
operating systems (i.e., Windows NT, 2000, XP, Vista, and 7). NTFS supports file system
recovery, large storage media, and many advanced features compared with the FAT file system.
Operating system: The master control program that runs a computer; examples include Linux,
Mac OS X, Unix, and Windows. The OS provides the user interface (command line or graphical)
and defines the interaction between the computer hardware and software.
Page file: A hidden file in the Windows operating system (usually named pagefile.sys) that holds
parts of programs and data files that do not fit into physical memory. The page file and physical
memory support a virtual memory system, whereby the computer believes that it has more
physical memory than it actually has (e.g., the computer OS might have a memory address
space of 16 GB of memory even though it only physically has 4 GB of RAM; memory "contents"
in excess of 4 GB are written to pagefile.sys). The OS moves data from the page file to physical
memory, as needed, and moves data from memory to the page file to make room for new data.
Also called a swap file. See also random access memory (RAM).
Peer-to-peer (P2P): A distributed network architecture whereby network hosts share their
resources (such as processing power and storage capacity) with other hosts without the need
for a central managing device. Most Internet applications are client-server, whereby a host
(e.g., an e-mail or Web user) obtains a service from another host (e.g., an e-mail or Web
server). In a P2P environment, hosts communicate directly without the need of a server. The
most common P2P application is file sharing, using software such as FastTrack, Gnutella, and
Kazaa. Skype is a P2P application for chat, file sharing, and voice communication.
Peripherals: Ancillary devices that are not "essential" parts of the computer itself. Peripheral
devices can be outside of the computer (i.e., external such as a mouse, keyboard, printer,
monitor, camera, external hard drive, or scanner) or inside the computer case (i.e., internal
such as a CD-ROM drive, internal modem, or floppy disk drive).
Personal Identification Number (PIN): A numeric password that can be used to protect access
to a cell phone and/or SIM card.
Personal Unblocking Key (PUK): A numeric password that can unlock the PIN. This is obtained
from the service provider.
PTHC: Short for "preteen hardcore" or child pornography. Used mostly on peer-to-peer (P2P)
programs such as Kazaa.
Random Access Memory (RAM): Short-term, physical memory used by the computer processor
to store program instructions and data. Information stored in RAM is lost when the computer is
turned off. RAM today commonly ranges in capacity from 1 GB to 8 GB (more RAM means less
swapping of information and, therefore, faster processing; see Page file). Because RAM might
contain user names and passwords, it is becoming more common to image RAM prior to
shutting a computer off. Contrast with Read Only Memory (ROM).
R@ygold: A codename used by pedophiles so that they can easily locate each other's media.
R@ygold is a keyword added to image and video files with illegal child pornographic content, so
that those dealing in child porn can locate and share files over P2P networks.
Read-only memory (ROM): A type of storage that, in general, can only be read from but not
written to. A computer's basic input/output system (BIOS) chip, for example, is a semiconductor
circuit that contains a small program that starts a computer and performs basic diagnostics. The
system reads the instructions in BIOS during the boot process but does not write to BIOS. (A
special process, called flashing, can be employed to re-write instructions to BIOS for purposes
of updating, but normal operations merely read.) A CD-ROM is a media device that allows only
a single write; all subsequent access to a CD-ROM is for reading. Contrast with Random Access
Memory (RAM).
Registry: In Windows 95 and later versions, the registry is a database of information about the
computer's hardware and software configuration, including user profile and usage information.
The registry was intended to consolidate all of the individual initialization (.INI) files associated
with the operating system and user applications. The registry is organized in a hierarchical
structure and consists of subtrees and their keys, hives, and entries.
Router: On the Internet, a router is a network backbone device responsible for forwarding
Internet Protocol (IP) packets from the sender to the receiver. At a company, a router is the
gateway between the corporate network and the greater Internet. A residential broadband
router provides essentially the same service -- i.e., acting as a gateway between the home
network and Internet -- but also usually incorporates additional functions such as a switch
(allowing multiple computers to physically connect to the router and each other, forming a
home local area network) or wireless access point (allowing multiple computers to access the
router via radio).
Screen capture: Refers to the act of copying what is currently displayed on a screen to a file or
printer. Screen capture can be performed using functions on the computer, which generally
create a graphical file containing a bit map of the screen image, or by taking photographs of the
screen. Screen captures can be accomplished by a series of one or more photographs or video
capture.
Secure Hash Algorithm (SHA): Developed by the National Institute of Standards and
Technology (NIST), a hash function that produces a 160-bit digital fingerprint of an input file.
(See also hashing and Message Digest 5.)
Short Message Service (SMS): The protocol for cell phone (and Twitter!) text messages. SMS
messages are limited to 1,120 bits, or 160 7-bit (ASCII) characters, 140 8-bit (ASCII) characters,
or 70 16-bit (Unicode) characters.
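As an added example that is not part of this glossary, the septet packing that fits 160 7-bit characters into the 1,120-bit (140-byte) payload: it is written here from the GSM 03.38 packing rule, and it handles only the characters whose GSM default-alphabet code equals their ASCII code, rejecting the rest.

```python
"""GSM 7-bit septet packing: why 160 characters fit in a 140-byte SMS payload.
Added example for this glossary, not from any telecom stack. Only characters
whose GSM 03.38 default-alphabet code coincides with ASCII are handled."""

# Default-alphabet positions shared with ASCII. '@', '$', '_' and others sit
# at different code points in GSM 03.38 and are deliberately rejected here.
ASCII_COMPATIBLE = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    " !\"#%&'()*+,-./:;<=>?\n\r"
)
SMS_PAYLOAD_BYTES = 140  # 1,120 bits, as stated in the glossary entry

def to_septets(text):
    """Map text to 7-bit values, refusing characters outside the shared subset."""
    bad = [c for c in text if c not in ASCII_COMPATIBLE]
    if bad:
        raise ValueError(f"not in the ASCII-compatible GSM subset: {bad!r}")
    return [ord(c) for c in text]

def pack_septets(septets):
    """Pack 7-bit values into octets, least significant bit first (GSM 03.38)."""
    out, acc, bits = bytearray(), 0, 0
    for s in septets:
        acc |= (s & 0x7F) << bits
        bits += 7
        while bits >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            bits -= 8
    if bits:
        out.append(acc & 0xFF)  # final partial octet, zero-padded at the top
    return bytes(out)

def unpack_septets(data, count):
    """Inverse of pack_septets; count is needed because padding bits are ambiguous."""
    septets, acc, bits = [], 0, 0
    for b in data:
        acc |= b << bits
        bits += 8
        while bits >= 7 and len(septets) < count:
            septets.append(acc & 0x7F)
            acc >>= 7
            bits -= 7
    return septets

def fits_in_one_sms(text):
    """160 characters pack to exactly 140 bytes; the 161st needs a 141st byte."""
    return len(pack_septets(to_septets(text))) <= SMS_PAYLOAD_BYTES

def encode_sms(text):
    """Packed user data for a single SMS, or ValueError if it will not fit."""
    if not fits_in_one_sms(text):
        raise ValueError(f"{len(text)} characters exceed one SMS")
    return pack_septets(to_septets(text))

def decode_sms(payload, char_count):
    return "".join(chr(s) for s in unpack_septets(payload, char_count))

def max_chars():
    return SMS_PAYLOAD_BYTES * 8 // 7  # 160
```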
Small Computer System Interface (SCSI): A standard high-speed parallel interface defined by
the American National Standards Institute (ANSI). A SCSI interface is used to connect
microcomputers to SCSI peripheral devices, such as many hard disks and printers, and to other
computers and local area networks.
Software: The programs that allow users to perform tasks on a computer, such as word
processing, media players, graphics editing, accounting systems, games, and more. The
computer's operating system is also software. Also known as applications and executables.
Subscriber Identity Module (SIM): A smart card that provides storage and other features for
some types of cell phones, such as contact names and SMS messages (sometimes including
deleted SMS messages). Always found in GSM and iDEN phones.
Thumbs.db: On Windows systems, a small database of cached thumbnail images of any image
or movie file in a folder. Creating a thumbnail cache improves the speed of displaying
thumbnails the next time a folder is opened; this file is created automatically by the operating
system.
Time Division Multiple Access (TDMA): One of the digital cellular phone technologies. TDMA
phones, per se, are seeing less and less use in North America although TDMA is the underlying
technology used in GSM and iDEN phones.
Unallocated space: The clusters on a storage device that are not assigned to store data. When a
file is written to a drive, the clusters storing the data are marked as "allocated." When the file is
deleted, the clusters are merely marked as "unallocated" but the contents of those clusters
remain untouched; this is why deleted data can often be recovered. If a file is wiped, the
clusters are marked unallocated and the clusters are overwritten with other information,
making the data effectively unrecoverable. (See also allocated space.)
Universal Serial Bus (USB): A serial bus for connecting peripherals to a microcomputer. USB can
connect up to 127 peripherals, such as external CD-ROM drives, printers, modems, thumb
drives, and keyboards, to the system through a single, general-purpose port. This is
accomplished by daisy chaining peripherals together. USB supports hot plugging and multiple
data streams.
USB power: The Universal Serial Bus port on most computers is able to supply a low amount of
power to an attached device. In some cases, a cell phone or other mobile device can be charged
by connecting a compatible phone plug to a computer's USB port.
WAV: An audio storage file type, developed by Microsoft. An alternative to MP3.
Wideband Code Division Multiple Access (WCDMA): A newer, third generation (3G) mobile
device technology for voice and data. WCDMA is not compatible with CDMA.