chapter5

Guide to Computer Forensics and Investigations, Third Edition
5-1
Key Terms
• 4-mm DAT — Magnetic tapes that store about 4 GB of data but, like CD-Rs, are slow to read and write.
• Automated Fingerprint Identification Systems (AFIS) — A computerized system for identifying fingerprints that is connected to a central database; used to identify criminal suspects and review thousands of fingerprint samples at high speed.
• computer-generated records — Data generated by a computer rather than authored by a person, such as system log files or proxy server logs.
• computer-stored records — Digital files whose content was created by a person, such as electronic spreadsheets.
• covert surveillance — Observing people or places without being detected, often using electronic equipment such as video cameras or keystroke/screen capture programs.
• Cyclic Redundancy Check (CRC) — An error-detecting checksum computed from a file's contents (CRC-32 is 32 bits, usually shown as eight hexadecimal digits). It reliably catches accidental corruption such as a flipped bit, but its value is not unique and can be forged deliberately by appending a few chosen bytes, so it is not a substitute for a cryptographic digital hash when proving integrity.
• digital evidence — Evidence consisting of information stored or transmitted in electronic form.
• digital hash — A fixed-length value, usually written in hexadecimal, computed from a file's contents with a cryptographic hash function such as MD5, SHA-1, or SHA-256. Any change to the file yields a different hash, so a matching hash is used to show that a copy or image is identical to the original; the value is effectively unique only as long as the algorithm's collision resistance holds.
• extensive-response field kit — A portable kit designed to process several computers and a variety of operating systems at a crime or incident scene involving computers. This kit should contain two or more types of software or hardware computer forensics tools, along with supplies such as extra storage drives.
• hazardous materials (HAZMAT) — Chemical, biological, or radiological substances that can cause harm to people.
• initial-response field kit — A portable kit containing only the minimum tools needed to perform disk acquisitions and preliminary forensic analysis in the field.
• innocent information — Data that doesn't contribute to evidence of a crime or violation.
• International Organization on Computer Evidence (IOCE) — A group that sets standards for recovering, preserving, and examining digital evidence.
• keyed hash set — Hash values computed with a secret key (for example, an HMAC), so that only someone holding the key can produce or verify them. Unlike a plain hash, a keyed hash cannot simply be recomputed by an attacker after altering the data, which is what makes it useful for protecting the integrity of stored evidence hashes.
• limiting phrase — Wording in a search warrant that limits the scope of a search for evidence.
• low-level investigations — Corporate cases that require less effort than a major criminal case.
• Message Digest 5 (MD5) — A hash algorithm that produces a 128-bit digest (32 hexadecimal digits) of a file or storage medium, used to determine whether data has been changed. MD5 collisions have been practical to construct since 2004, so it is no longer considered collision-resistant; forensic tools therefore typically report it alongside SHA-1 or SHA-256.
• National Institute of Standards and Technology (NIST) — A non-regulatory agency of the U.S. Department of Commerce that publishes standards and guidelines for industry and government, including the Federal Information Processing Standards (FIPS) that specify the SHA family of hash functions.
• nonkeyed hash set — A collection of hash values computed without a secret key (for example, MD5 or SHA-1 values of known files) by a software tool and used to identify files: a file whose hash appears in the set is identified without examining its contents. NIST's National Software Reference Library (NSRL) publishes such sets of known software files.
• person of interest — Someone who might be a suspect or someone with additional knowledge that can provide enough evidence of probable cause for a search warrant or arrest.
• plain view doctrine — When conducting a search and seizure, objects in plain view of a law enforcement officer who is lawfully in the position from which they are seen are subject to seizure without a warrant and can be introduced as evidence.
• probable cause — An indication that a crime has been committed, that evidence of the specific crime exists, and that evidence of the specific crime exists at the place to be searched.
• professional curiosity — The motivation for law enforcement and other professional personnel to examine an incident or crime scene to see what happened.
• Scientific Working Group on Digital Evidence (SWGDE) — A group that sets standards for recovering, preserving, and examining digital evidence.
• Secure Hash Algorithm version 1 (SHA-1) — A hash algorithm producing a 160-bit digest (40 hexadecimal digits), published by NIST as a federal standard (FIPS 180-1) and used in forensics to determine whether data in a file or on storage media has been altered. Practical SHA-1 collisions were demonstrated in 2017, so SHA-256 is preferred for new work; SHA-1 still detects accidental alteration and is widely present in existing hash sets.
• sniffing — Capturing data transmitted between a suspect's computer and a network server to determine the type of data being sent over the network.