Key Terms

The following terms are frequently used in computer forensics:

Acquisition: A process by which digital evidence is duplicated, copied or imaged.

Analysis: To look at the results of an examination for its significance and probative value to a case.

Compressed File: A file that has been reduced in size through a compression algorithm to save disk space. Compressing a file makes it unreadable to most programs until the file is uncompressed. The most common compression utility is PKZIP, which produces files with the .zip extension.

Copy: An accurate reproduction of information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction.

Deleted File: A file that has been removed from a hard drive by the user. If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.

Digital Evidence: Information stored or transmitted in binary form that may be relied on in court.

Duplicate: An accurate digital reproduction of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip or Jaz). Maintains contents and attributes (e.g., bit stream, bit copy and sector dump).

Encryption: Any procedure used in cryptography to convert plain text into cipher text in order to prevent anyone but the intended recipient from reading that data.

Examination: Technical review that makes the evidence visible and suitable for analysis. Tests performed on the evidence to determine the presence or absence of specific data.

File Slack: Space between the logical end of the file and the end of the last allocation unit for that file.

File System: The way the operating system keeps track of the files on the drive.

Hashing: The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.

Image: An accurate digital representation of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip or Jaz). Maintains contents and attributes; may also include metadata such as CRCs, hash values and audit information.

Network: A group of computers connected to one another to share information and resources.

Password Protected: Many software programs include the ability to protect a file using a password. One type of password protection is called “access denial.” If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file until the user enters the password. In many cases, forensic examiners are able to bypass this feature.

System Administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also can be known as sysop, sysadmin or system operator.

Unallocated Space: Allocation units not assigned to active files within a file system.

Write Protection: Hardware or software methods of preventing data from being written to a disk or other medium.
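An added worked example (not part of this glossary) tying together File Slack, Hashing, Copy and Duplicate: it computes a file's slack from its size and the allocation-unit size, lays a constructed file over a constructed medium, and shows that a bit-stream duplicate hashes identically to the original and carries the slack bytes, while a logical copy does neither. The 4096-byte allocation unit, the byte strings and all function names are constructed assumptions.

```python
import hashlib

ALLOCATION_UNIT = 4096  # assumed allocation-unit (cluster) size in bytes

def allocation_units(file_size: int, unit: int = ALLOCATION_UNIT) -> int:
    """Number of allocation units a file of file_size bytes occupies."""
    if unit <= 0:
        raise ValueError("allocation unit must be positive")
    return (file_size + unit - 1) // unit

def file_slack(file_size: int, unit: int = ALLOCATION_UNIT) -> int:
    """Bytes between the logical end of the file and the end of its last
    allocation unit; zero when the size is an exact multiple of the unit."""
    return allocation_units(file_size, unit) * unit - file_size

def build_medium(file_data: bytes, stale: bytes, unit: int = ALLOCATION_UNIT) -> bytes:
    """Constructed medium: file_data written over allocation units that still
    hold stale bytes; the unused tail of the last unit keeps those stale bytes."""
    medium = bytearray(stale[: allocation_units(len(file_data), unit) * unit])
    medium[: len(file_data)] = file_data
    return bytes(medium)

def logical_copy(medium: bytes, file_size: int) -> bytes:
    """Copy: reproduces the file's contents only, never the slack."""
    return medium[:file_size]

def duplicate(medium: bytes) -> bytes:
    """Duplicate: bit-stream reproduction of every byte on the medium."""
    return bytes(medium)

def slack_bytes(medium: bytes, file_size: int, unit: int = ALLOCATION_UNIT) -> bytes:
    """The file slack exactly as it sits on the medium."""
    return medium[file_size: allocation_units(file_size, unit) * unit]

def sha256(data: bytes) -> str:
    """Hash value used to verify that an acquisition matches the original."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a 1000-byte file placed over a 4096-byte unit that
# previously held 5000 bytes of an older, since-deleted file.
FILE_DATA = b"contract v2 " * 83 + b"end!"   # 1000 bytes
OLD_DATA = b"old draft " * 500               # 5000 bytes of earlier content
MEDIUM = build_medium(FILE_DATA, OLD_DATA)

if __name__ == "__main__":
    print("slack bytes:", file_slack(len(FILE_DATA)))
    print("duplicate verifies:", sha256(duplicate(MEDIUM)) == sha256(MEDIUM))
    print("logical copy verifies:", sha256(logical_copy(MEDIUM, len(FILE_DATA))) == sha256(MEDIUM))
    print("slack recovered from duplicate:", slack_bytes(duplicate(MEDIUM), len(FILE_DATA))[:20])
```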