Computer Forensics Terminology
Active Data is information residing on the direct access storage media of computer systems, which is readily visible to the operating system and/or application software with which it was created and immediately accessible to users without undeletion, modification or reconstruction.
Software programs, such as word processors and spreadsheets, that most users use to do work on a computer.
A set of electronic instructions, also known as a program, which instructs a computer to perform a specific set of processes.
A copy of data on a computer drive, or on a portion of a drive, maintained for historical reference.
Information that is not directly accessible to the user of a computer system but that the organization maintains for long-term storage and record keeping purposes. Archival data may be written to removable media such as a CD, magneto-optical media, tape or other electronic storage device, or may be maintained on system hard drives in compressed formats.
ASCII (Acronym for American Standard Code for Information Interchange)
ASCII is a code that assigns a number to each key on the keyboard. ASCII text does not include special formatting features and therefore can be exchanged and read by most computer systems.
A copy of active data, intended for use in restoration of data. Most users backup some of their files, while many computer networks utilize automatic backup software to make regular copies of some or all of the data on the network. Some backup systems use digital audio tape (DAT) as a storage medium.
Information that is not presently in use by an organization and is routinely stored separately upon portable media, to free up space and permit data recovery in the event of disaster.
See Disaster Recovery Tape
Backup Tape Recycling
Describes the process whereby an organization’s backup tapes are overwritten with new backup data, usually on a fixed schedule (e.g., the use of nightly backup tapes for each day of the week with the daily backup tape for a particular day being overwritten on the same day the following week; weekly and monthly backups being stored offsite for a specified period of time before being placed back in the rotation).
The amount of information or data that can be sent over a network connection in a given period of time. Bandwidth is usually stated in bits per second (bps), kilobits per second (kbps), or megabits per second (Mbps).
Mathematical base 2, or numbers composed of a series of zeros and ones. Since zeros and ones can be easily represented by two voltage levels on an electronic device, the binary number system is widely used in digital computing.
A measurement of data. It is the smallest unit of data. A bit is either a “1” or a “0”.
Eight bits. The byte is the basis for measurement of most computer data as multiples of the byte value. A “megabyte” is one million bytes or eight million bits, and a “gigabyte” is one billion bytes or eight billion bits.
1 gigabyte = 1,000 megabytes
1 terabyte = 1,000 gigabytes
Slang for making (burning) a CD-ROM copy of data, whether it is music, software, or other data.
A type of computer memory that temporarily stores frequently used information for quick access.
Data storage medium that uses compact discs to store about 1,500 floppy discs worth of data.
A technology that reduces the size of a file. Compression programs are valuable to network users because they help save both time and bandwidth.
Includes but is not limited to network servers, desktops, laptops, notebook computers, employees’ home computers, mainframes, the PDAs of [party name] and its employees (personal digital assistants, such as PalmPilot, Cassiopeia, HP Jornada and other such handheld computing devices), digital cell phones and pagers.
Computer Forensics is the use of specialized techniques for recovery, authentication, and analysis of electronic data when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
Small data files written to a user’s hard drive by a web server. These files contain specific information that identifies users (e.g., passwords and lists of sites visited).
Digital Audio Tape. Used as a storage medium in some backup systems.
Information stored on the computer system, used by applications to accomplish tasks.
Deduplication, also referred to as “De-Duping”, is the process of comparing electronic records based on their characteristics and removing duplicate records from the data set.
Information that once existed on the computer as live data and has been removed by the computer system or end-user activity. Deleted data remains on storage media in whole or in part until it is overwritten by ongoing usage or “wiped” with a software program specifically designed to remove deleted data. Even after the data itself has been wiped, directory entries, pointers, or other metadata relating to the deleted data may remain on the computer.
A file with disk space that has been designated as available for reuse. The deleted file remains intact until it has been overwritten with a new file.
The process whereby data is removed from active files and other data storage structures on computers and rendered inaccessible except by using special data recovery tools designed to recover deleted data. Deletion occurs at several levels on modern computer systems:
(a) File level deletion: Deletion at the file level renders the file inaccessible to the operating system and normal application programs and marks the space occupied by the file’s directory entry and contents as free space, available for reuse for data storage.
(b) Record level deletion: Deletion at the record level occurs when a data structure, like a database table, contains multiple records; deletion at this level renders the record inaccessible to the database management system (DBMS) and usually marks the space occupied by the record as available for reuse by the DBMS, although in some cases the space is never reused until the database is compacted. Record level deletion is also characteristic of many e-mail systems.
(c) Byte level deletion: Deletion at the byte level occurs when text or other information is deleted from the file content (such as the deletion of text from a word processing file); such deletion may render the deleted data inaccessible to the application intended to be used in processing the file, but may not actually remove the data from the file’s content until a process such as compaction or rewriting of the file causes the deleted data to be overwritten.
Typically refers to an individual PC/workstation, i.e., a user’s desktop computer.
Storing information as a string of digits – namely “1”s and “0”s.
A camera that stores still or moving pictures in a digital format (TIFF, GIF, etc.).
Disaster Recovery Tape
The portable media used to store data that is not presently in use by an organization to free up space but still allow for disaster recovery. Also referred to as a “Backup Tape.”
It is a magnetic storage medium on which data is digitally stored. May also refer to a CD-ROM.
A method of protecting data from a catastrophic hard disk failure. As each file is stored on the hard disk, a “mirror” copy is made on a second hard disk or on a different part of the same disk.
Information belonging to an organization which resides on portable media and non-local devices such as home computers, laptop computers, floppy disks, CD-ROMs, personal digital assistants (“PDAs”), wireless communication devices (e.g., Blackberry), zip drives, Internet repositories such as e-mail hosted by Internet service providers or portals, web pages, and the like. Distributed data also includes data held by third parties such as application service providers and business partners.
Includes but is not limited to any electronically stored data on magnetic or optical storage media as an “active” file or files (readily readable by one or more computer applications or forensics software); any “deleted” but recoverable electronic files on said media; any electronic file fragments (files that have been deleted and partially overwritten with new data); and slack (data fragments stored randomly from random access memory on a hard drive during the normal operation of a computer [RAM slack] or residual data left on the hard drive after new data has overwritten some but not all of previously stored data).
Electronic mail, commonly referred to as e-mail, is an electronic means for communicating information under specified conditions, generally in the form of text messages, through systems that will send, store, process, and receive information and in which messages are held in storage until the addressee accesses them.
A procedure that renders the contents of a message or file unintelligible to anyone not authorized to read it.
A common way of networking PCs to create a LAN.
An Internet-based access method to a corporate intranet site, granting limited or total access through a security firewall. This type of access is typically utilized in cases of joint venture and vendor-client relationships.
A collection of data or information stored under a specified name on a disk.
A tag of three or four letters, preceded by a period, which identifies a data file’s format or the application used to create the file. File extensions can streamline the process of locating data. For example, if one is looking for incriminating pictures stored on a computer, one might begin with the .gif and .jpg files.
When several or many computers are networked together in a LAN situation, one computer may be utilized as a storage location for files for the group. File servers may be employed to store e-mail, financial data, word processing information or to back-up the network.
One of the key benefits of a network is the ability to share files stored on the server among several users.
A set of related programs that protect the resources of a private network from users from other networks.
An increasingly rare storage medium consisting of a thin magnetic film disk housed in a protective sleeve.
A Forensic Copy is an exact bit-by-bit copy of the entire physical hard drive of a computer system, including slack and unallocated space.
Fragmented data is live data that has been broken up and stored in various locations on a single hard drive or disk.
FTP (File Transfer Protocol)
An Internet protocol that enables you to transfer files between computers on the Internet.
GIF (Graphic Interchange Format)
A computer compression format for pictures.
A gigabyte is a measurement of computer data storage capacity and is one billion (1,000,000,000) bytes.
GUI (Graphical User Interface)
A set of screen presentations and metaphors that utilize graphic elements such as icons in an attempt to make an operating system easier to use.
The primary hardware that a computer uses to store information, typically magnetized media on rotating disks.
Instructions that assist a user on how to set up and use a product including but not limited to software, manuals and instruction files.
A peripheral data storage device that may be found inside a desktop or laptop, as with an internal hard drive. The hard disk may also be a transportable version attached externally to a desktop or laptop.
The primary storage unit on PCs, consisting of one or more magnetic media platters on which digital data can be written and erased magnetically.
HTML (Hypertext Markup Language)
The tag-based ASCII language used to create pages on the web.
In data recovery parlance, to image a hard drive is to make an identical copy of the hard drive, including empty sectors. Akin to cloning the data. Also known as creating a “mirror image” or “mirroring” the drive.
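The Forensic Copy and Image entries above both describe a bit-by-bit copy of the whole medium, empty sectors and slack included, and the Computer Forensics entry mentions authentication of data by technical analysis. The block below is an added example written for this glossary, not code from any forensic product: it copies a source in fixed-size chunks and then independently re-reads the written image, hashing both with SHA-256 so the copy can be shown to be complete and unaltered. The chunk size, the hash algorithm and the 4 KiB sample "device" built in demo() are constructed assumptions; in practice the source would be a write-blocked drive rather than a temporary file.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # copy in 1 MiB chunks so large media never have to fit in memory (assumption)


def image_device(source_path: str, image_path: str) -> dict:
    """Make a forensic (bit-for-bit) copy of source_path into image_path.

    Every byte is copied unchanged, including zero-filled "empty" sectors and
    slack, because nothing here interprets a file system: it is a raw stream copy.
    Returns the byte count plus the SHA-256 of the source and of the image.
    """
    src_hash = hashlib.sha256()
    img_hash = hashlib.sha256()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as img:
        while True:
            chunk = src.read(CHUNK)
            if not chunk:
                break
            src_hash.update(chunk)
            img.write(chunk)
            total += len(chunk)
    # Re-read the written image from disk instead of trusting the in-memory
    # copy, so a short or failed write would show up as a hash mismatch.
    with open(image_path, "rb") as img:
        for chunk in iter(lambda: img.read(CHUNK), b""):
            img_hash.update(chunk)
    return {
        "bytes": total,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def demo() -> dict:
    """Constructed sample: a 4 KiB 'drive' with one live file, one deleted
    remnant in unallocated space, and six zero-filled sectors."""
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "device.bin")
        image = os.path.join(tmp, "device.dd")
        sector = b"\x00" * 512
        with open(source, "wb") as f:
            f.write(b"MEMO: quarterly figures".ljust(512, b"\x20"))  # live file data
            f.write(b"old draft, deleted".ljust(512, b"\x00"))       # remnant in free space
            f.write(sector * 6)                                     # empty sectors still copied
        result = image_device(source, image)
        result["image_size"] = os.path.getsize(image)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Recording both digests with the image is what lets a later examiner show that the copy analysed is the one that was taken; a logical file copy would skip the zero sectors and the deleted remnant, which is exactly why the forensic copy is taken at the byte level instead.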
Instant Messaging (“IM”)
Instant Messaging is a form of electronic communication which involves immediate correspondence between two or more users who are all online simultaneously.
The interconnecting global public network made by connecting smaller shared public networks. The most well-known internet is the Internet, the worldwide network of networks which use the TCP/IP protocol to facilitate information exchange.
A network of interconnecting smaller private networks that are isolated from the public Internet.
A string of four numbers separated by periods used to represent a computer on the Internet.
IS / IT Information Systems or Information Technology
Usually refers to the people who make computers and computer systems run.
ISP (Internet Service Provider)
A business that delivers access to the Internet.
JPEG (Joint Photographic Experts Group)
An image compression standard for photographs.
A search for documents containing one or more words that are specified by a user.
One thousand bytes of data is 1K of data.
LAN (Local Area Network)
Usually refers to a network of computers in a single building or other discrete location.
Legacy Data is information in the development of which an organization may have invested significant resources and which has retained its importance, but which has been created or stored by the use of software and/or hardware that has been rendered outmoded or obsolete.
A million bytes of data is a megabyte, or simply a meg.
Metadata is information about a particular data set which may describe, for example, how, when, and by whom it was received, created, accessed, and/or modified and how it is formatted. Some metadata, such as file dates and sizes, can easily be seen by users; other metadata can be hidden or embedded and unavailable to computer users who are not technically adept. Metadata is generally not reproduced in full form when a document is printed. (Typically referred to by the less informative shorthand phrase “data about data,” it describes the content, quality, condition, history, and other characteristics of the data.)
Migrated Data is information that has been moved from one database or format to another, usually as a result of a change from one hardware or software technology to another.
The duplication of data for purposes of backup or to distribute network traffic among several computers with identical data.
Management information systems is a general term for the computer systems in an enterprise that provide information about its business operations. It’s also used to refer to the people who manage these systems.
A piece of hardware that lets a computer talk to another computer over a phone line.
A group of computers or devices, connected together for the exchange of data and sharing of resources.
Any device connected to a network. PCs, servers and printers are all nodes on the network.
Optical Character Recognition is a technology which takes data from a paper document and turns it into editable text data. The document is first scanned. Then OCR software searches the document for letters, numbers and other characters.
Not connected to a network.
Connected to a network.
Operating system
The software that the rest of the software depends on to make the computer functional. On most PCs this is Windows or the Macintosh OS. Unix and Linux are other operating systems often found in scientific and technical environments.
Personal computer is a microcomputer designed for personal use.
Personal digital assistant is a digital handheld personal daily organizer.
Portable Document Format is Adobe technology for formatting documents so that they can be viewed and printed using the Adobe Acrobat Reader.
A petabyte is a measure of computer data storage capacity and is one quadrillion (1,000,000,000,000,000) bytes.
The least formatted and therefore most portable form of text for computerized documents.
A pointer is an index entry in the directory of a disk or other storage medium that identifies the space on the disk in which an electronic document or piece of electronic data resides, thereby preventing that space from being overwritten by other data. In most cases, when an electronic document is deleted, the pointer is deleted, which allows the document to be overwritten, but the document is not actually erased.
A secure point-to-point connection that is not part of the public Internet.
A network that is part of the public Internet.
Random Access Memory is the working memory of the computer into which application programs can be loaded and executed.
Residual Data, also referred to as Ambient Data, is data that is not active on a computer system. Residual data includes (1) data found on media free space; (2) data found in file slack space; and (3) data within files that has functionally been deleted in that it is not visible using the application with which the file was created, without use of undelete or special data recovery techniques.
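The Deleted Data, Deleted File, Deletion, Pointer and Residual Data entries describe one mechanism from several angles: file-level deletion removes the directory pointer and marks the blocks free but leaves the bytes on the media, and a shorter file written into a reused block leaves the tail of the old content in its slack space. The toy disk image below is an added example written for this glossary, not code from any file system or forensic tool, and it makes each of those views observable: what the application sees, what sits in unallocated space, and what survives in slack. The 64-byte block size, lowest-free-block allocation, the sample memo text and the naive carve() helper are all constructed assumptions.

```python
from dataclasses import dataclass, field

BLOCK = 64        # tiny block size so the whole toy "disk" is easy to inspect (assumption)
NUM_BLOCKS = 8


@dataclass
class ToyDisk:
    """A minimal disk image: raw media plus a directory of name -> (size, blocks).

    The directory entry plays the role of the glossary's 'pointer'; the
    bytearray stands in for the physical media. Constructed for illustration.
    """
    media: bytearray = field(default_factory=lambda: bytearray(BLOCK * NUM_BLOCKS))
    directory: dict = field(default_factory=dict)
    free: list = field(default_factory=lambda: list(range(NUM_BLOCKS)))

    def write_file(self, name: str, data: bytes) -> list:
        """Allocate the lowest-numbered free blocks and write only the bytes given."""
        needed = -(-len(data) // BLOCK)            # ceiling division
        if needed > len(self.free):
            raise OSError("toy disk full")
        blocks = []
        for _ in range(needed):
            b = min(self.free)
            self.free.remove(b)
            blocks.append(b)
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only the bytes written are replaced; the rest of the last block
            # keeps whatever was there before. That remainder is file slack.
            self.media[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (len(data), blocks)
        return blocks

    def read_file(self, name: str) -> bytes:
        """What an application sees: exactly 'size' bytes, never the slack."""
        size, blocks = self.directory[name]
        raw = b"".join(bytes(self.media[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete_file(self, name: str) -> None:
        """File-level deletion: drop the pointer and free the blocks, touch no data."""
        _, blocks = self.directory.pop(name)
        self.free.extend(blocks)

    def unallocated(self) -> bytes:
        """Free space as a forensic tool reads it straight from the media."""
        return b"".join(bytes(self.media[b * BLOCK:(b + 1) * BLOCK]) for b in sorted(self.free))

    def slack(self, name: str) -> bytes:
        """Bytes between the end of a file's data and the end of its last block."""
        size, blocks = self.directory[name]
        last = blocks[-1]
        used = size - (len(blocks) - 1) * BLOCK
        return bytes(self.media[last * BLOCK + used:(last + 1) * BLOCK])


def carve(raw: bytes, header: bytes) -> list:
    """Naive carving: every run that starts with 'header' and ends at a NUL byte."""
    hits, start = [], 0
    while (i := raw.find(header, start)) != -1:
        end = raw.find(b"\x00", i)
        hits.append(raw[i:end if end != -1 else len(raw)])
        start = i + 1
    return hits


def demo() -> dict:
    """Write, delete, carve, then partially overwrite, and report each view."""
    disk = ToyDisk()
    memo = b"MEMO: merger closes Friday"             # constructed sample content
    disk.write_file("memo.txt", memo)
    disk.delete_file("memo.txt")
    carved = carve(disk.unallocated(), b"MEMO:")   # the bytes are still on the media
    disk.write_file("note.txt", b"ok")             # reuses block 0, overwrites 2 bytes
    return {
        "memo_visible_after_delete": "memo.txt" in disk.directory,
        "carved_from_free_space": carved,
        "note_as_seen_by_app": disk.read_file("note.txt"),
        "note_slack": disk.slack("note.txt").rstrip(b"\x00"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() shows the memo gone from the directory, the full memo carved out of unallocated space, note.txt reading as just "ok" to an application, and the memo's tail still present in note.txt's slack. Real file systems differ in detail, but this is why examiners work from a full forensic copy rather than from the files the operating system lists.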
A piece of hardware that routes data from a local area network (LAN) to a phone line.
Usually (but not always) refers to the process of statistically testing a data set for the likelihood of relevant information. It can be a useful technique in addressing a number of issues relating to litigation, including decisions as to which repositories of data should be preserved and reviewed in a particular litigation, and determinations of the validity and effectiveness of searches or other data extraction procedures. Sampling can be useful in providing information to the court about the relative cost burden versus benefit of requiring a party to review certain electronic records.
A network or series of networks that are not connected to other networks.
Any computer on a network that contains data or applications shared by users of the network on their client PCs.
Coded instructions (programs) that make a computer do useful work.
Stand alone computer
A personal computer that is not connected to any other computer or network, except possibly through a modem.
The person in charge of keeping a network working. (sysadmin, sysop)
A terabyte is a measurement of computer data storage capacity and is one trillion (1,000,000,000,000) bytes.
Tagged Image File Format is one of the most widely supported file formats for storing bit-mapped images. Files in TIFF format often end with a .tiff extension.
Transmission Control Protocol/Internet Protocol is a collection of protocols that define the basic workings of the features of the Internet.
A virtual private network (VPN) is a private network constructed by using public wires to connect nodes.
The World Wide Web is made up of all of the computers on the Internet which use HTML-capable software (Explorer, Firefox, etc.) to exchange data. Data exchange on the WWW is characterized by easy-to-use graphical interfaces, hypertext links, images, and sound. Today the WWW has become synonymous with the Internet, although technically it is really just one component.