Unlike information security and information assurance, there doesn’t seem to be a definitive glossary for digital forensics. I compiled this glossary based on definitions from three NIST special publications:
• SP800-72 Guidelines on PDA Forensics (2004)
• SP800-86 Guide to Integrating Forensic Techniques into Incident Response (2006)
• SP800-101r1 Guidelines on Mobile Device Forensics (2014)
The most recent definition of a term is the one provided.
acquisition A process by which digital evidence is duplicated, copied, or imaged.
analysis The third phase of the computer and network forensic process, which involves using legally justifiable methods and techniques to derive useful information that addresses the questions that were the impetus for performing the collection and examination. The examination of acquired data for its significance and probative value to the case.
anti-forensic A technique for concealing or destroying data so that others cannot access it.
authentication mechanism Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device.
bit-stream imaging A bit-for-bit copy of the original media, including free space and slack space. Also known as disk imaging.
Bluetooth A wireless protocol that allows two Bluetooth-enabled devices to communicate with each other within a short distance (e.g., 30 ft.).
brute-force password attack A method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords.
buffer overflow attack A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.
CDMA Subscriber Identity Module (CSIM) CSIM is an application to support CDMA2000 phones that runs on a UICC, with a file structure derived from the R-UIM card.
Cellular Network Isolation Card (CNIC) A SIM card that isolates the device from cell tower connectivity.
chain of custody A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
closed-source operating system Source code for an operating system that is not publicly available.
cluster A group of contiguous sectors.
Code Division Multiple Access (CDMA) A spread-spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA).
collection The first phase of the computer and network forensics process, which involves identifying, labeling, recording, and acquiring data from the possible sources while following guidelines and procedures that preserve the integrity of the data.
compressed file A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. Common compression utilities are PKZIP and WinZip, with an extension of .zip.
cradle A docking station that creates an interface between a user’s PC and PDA and enables communication and battery recharging.
Cyclical Redundancy Check (CRC) A method to ensure data has not been altered after being sent through a communication channel.
data Distinct pieces of digital information that have been formatted in a specific way.
deleted file A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.
digital evidence Electronic information stored or transmitted in binary form.
digital forensics The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
directory Organizational structures that are used to group files together.
disk imaging Generating a bit-for-bit copy of the original media, including free space and slack space. Also known as a bit-stream image.
disk-to-disk copy Copying the contents of one medium directly to another medium.
disk-to-file copy Copying the contents of media to a single logical data file.
duplicate digital evidence A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media (e.g., flash memory, RAM, ROM).
electromagnetic interference An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment.
electronic evidence Information and data of investigative value that is stored on or transmitted by an electronic device.
electronic serial number (ESN) A unique 32-bit number programmed into CDMA phones when they are manufactured.
Enhanced Data for GSM Evolution (EDGE) An upgrade to GPRS to provide higher data rates by joining multiple time slots.
Enhanced Messaging Service (EMS) An improved message system for GSM mobile devices allowing picture, sound, animation, and text elements to be conveyed through one or more concatenated SMS messages.
encryption Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data.
examination The second phase of the computer and network forensics process, which involves forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data. A technical review that makes the evidence visible and suitable for analysis. Tests performed on the evidence to determine the presence or absence of specific data.
eXecute in Place A facility that allows code to be executed directly from flash memory without loading the code into RAM.
false negative Incorrectly classifying malicious activity as benign.
false positive Incorrectly classifying benign activity as malicious.
feature phone A mobile device that primarily provides users with simple voice and text messaging services.
file A collection of information logically grouped into a single entity and referenced by a unique name, such as a filename.
file allocation unit A group of contiguous sectors; also known as a cluster.
file header Data within a file that contains identifying information about the file and possibly metadata with information about the file contents.
filename A unique name used to reference a file.
file signature anomaly A mismatch between the internal file header and its external filename extension; a filename inconsistent with the content of the file (e.g., renaming a graphics file with a nongraphics extension).
file system A method for naming, storing, organizing, and accessing files on logical volumes. A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory.
file slack Space between the logical end of the file and the end of the last allocation unit for that file.
flash ROM Nonvolatile memory that is writable.
forensic copy An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media whose validity and integrity has been verified using an accepted algorithm.
forbidden PLMNs A list of public land mobile networks (PLMNs) maintained on the SIM that the mobile phone cannot automatically contact, usually because service was declined by a foreign provider.
forensic science The application of science to the law.
forensic specialist Someone who locates, identifies, collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.
forensically clean Digital media that is completely wiped of all data, including nonessential and residual data, scanned for malware, and verified before use.
free space An area on media or within memory that is not allocated.
General Packet Radio Service (GPRS) A packet-switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds.
global positioning system A system for determining position by comparing radio signals from several satellites.
hardware driver Applications responsible for establishing communication between hardware and software programs.
hashing The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.
heap A software data structure used for dynamic allocation of memory.
Hypertext Transfer Protocol (HTTP) A standard method for communication between clients and web servers.
image An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered.
inculpatory evidence Evidence that tends to increase the likelihood of fault or guilt.
instant messaging (IM) A facility for exchanging messages in real time with other people over the Internet and tracking the progress of a given conversation.
Integrated Circuit Card ID (ICCID) The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM.
Integrated Digital Enhanced Network (iDEN) A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio.
International Mobile Equipment Identity (IMEI) A unique identification number programmed into GSM and UMTS mobile devices.
International Mobile Subscriber Identity (IMSI) A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM.
Internet Message Access Protocol (IMAP) A method of communication used to read electronic messages stored in a remote server.
key chords Specific hardware keys pressed in a particular sequence on a mobile device.
location information (LOCI) The location area identifier (LAI) of the phone’s current location, continuously maintained on the (C/U)SIM when the phone is active and saved whenever the phone is turned off.
logical backup A copy of the directories and files of a logical volume.
logical volume A partition or a collection of partitions acting as a single entity that has been formatted with a file system.
loopback mode An operating system facility that allows a device to be mounted via a loopback address and viewed logically on the PC.
message digest A hash that uniquely identifies data. Changing a single bit in the data stream used to generate the message digest will yield a completely different message digest.
metadata Data about data. For file systems, metadata is data that provides information about a file’s contents.
misnamed files A technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension. See file signature anomaly.
mobile devices A mobile device is a small handheld device that has a display screen with touch input and/or a QWERTY keyboard, and may provide users with telephony capabilities. Mobile devices are used interchangeably (phones, tablets) throughout this document.
Mobile Subscriber Integrated Services Digital Network (MSISDN) The international telephone number assigned to a cellular subscriber.
Multimedia Messaging Service (MMS) An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips.
near-field communication (NFC) A form of contactless, close-proximity radio communications based on radio-frequency identification (RFID) technology.
Network Address Translation The process of mapping addresses on one network to addresses on another network.
network intrusion detection system Software that performs packet sniffing and network traffic analysis to identify suspicious activity and record relevant information.
network traffic Computer network communications that are carried over wired or wireless networks between hosts.
nonvolatile data Data that persists even after a computer is powered down.
normalize The process by which differently formatted data is converted into a standardized format and labeled consistently.
operating system A program that runs on a computer and provides a software platform on which other programs can run.
packet The logical unit of network communications produced by the transport layer.
packet sniffer Software that monitors network traffic on wired or wireless networks and captures packets.
partition A logical portion of a media that functions as though it were physically separate from other logical portions of the media.
password protected The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.
personal digital assistant (PDA) A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, and for organizing personal information, such as a database of names and addresses, a to-do list, and an appointment calendar.
personal information management (PIM) applications A core set of applications that provides the electronic equivalents of an agenda, address book, notepad, and business card holder maintained on a device that may be synchronized with another device or to the Cloud.
Post Office Protocol (POP) A standard protocol used to receive electronic mail from a server.
probative data Information that reveals the truth of an allegation.
process An executing program.
protocol analyzer Software that can reassemble streams from individual packets and decode communications that use various protocols.
proxy Software that receives a request from a client then sends a request on the client’s behalf to the desired destination.
push-to-talk (PTT) A method of communicating on half-duplex communication lines, including two-way radio, using a “walkie-talkie” button to switch from voice reception to transmit mode.
remote access server Devices such as virtual private network gateways and modem servers that facilitate connections between networks.
Removable User Identity Module (R-UIM) A card developed for cdmaOne/CDMA2000 handsets that extends the GSM SIM card to CDMA phones and networks.
reporting The final phase of the computer and network forensic process, which involves reporting the results of the analysis. This may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed (e.g., forensic examination of additional data sources, securing identified vulnerabilities, improving existing security controls), and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process. The formality of the reporting step varies greatly depending on the situation.
sector The smallest unit that can be accessed on media.
security event management software Software that imports security event information from multiple data sources, normalizes the data, and correlates events among the data sources.
Secure Digital eXtended Capacity (SDXC) Supports cards up to 2TB, compared to a limit of 32GB for SDHC cards in the SD 2.0 specification.
slack space The unused space in a file allocation block or memory page that may hold residual data.
Short Message Service (SMS) A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset.
SMS chat A facility for exchanging messages in real time using SMS text messaging that allows previously exchanged messages to be viewed.
steganography Embedding data within other data to conceal it. The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.
subdirectory A directory contained within another directory.
Subscriber Identity Module (SIM) A smart card chip specialized for use in GSM equipment.
synchronization protocols Protocols that allow users to view, modify, and transfer/update PDA data from the PC or vice versa. The two most common synchronization protocols are Microsoft’s ActiveSync and Palm’s HotSync.
thread A defined group of instructions executing apart from other similarly defined groups, but sharing memory and resources of the process to which they belong.
Universal Integrated Circuit Card An integrated circuit card that securely stores the International Mobile Subscriber Identity (IMSI) and the related cryptographic key used to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a SIM, USIM, R-UIM, or CSIM; these terms can be used interchangeably.
UMTS Subscriber Identity Module (USIM) A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks.
Universal Mobile Telecommunications System (UMTS) A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM.
universal serial bus (USB) A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices.
volatile data Data on a live system that is lost after a computer is powered down.
volatile memory Memory that loses its content when power is turned off or lost.
Wireless Application Protocol (WAP) A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices.
wireless fidelity (Wi-Fi) A term describing a wireless local area network that observes the IEEE 802.11 protocol.
wiping Overwriting media or portions of media with random or constant values to hinder the collection of data.
write-blocker A tool that prevents all computer storage media connected to a computer from being written to or modified. A device that allows investigators to examine media while preventing data writes from occurring on the subject media.
write protection Hardware or software methods of preventing data from being written to a disk or other medium.