Terms frequently used within Computer Forensics

Acquisition: A process by which digital evidence is duplicated, copied, or imaged.

Analysis: To look at the results of an examination for their significance and probative value to the case.

Compressed file: A file that has been reduced in size through a compression algorithm to save disk space. The act of compressing a file will make it unreadable to most programs until the file is uncompressed. The most common compression utility is PKZIP, which produces files with an extension of .zip.

Copy: An accurate reproduction of information contained on an original physical item, independent of the electronic storage device (e.g., logical file copy). Maintains contents, but attributes may change during the reproduction.

Deleted files: If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate the evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances a forensic examiner is able to recover all or part of the original data.

Digital evidence: Information stored or transmitted in binary form that may be relied on in court.

Duplicate: An accurate digital reproduction of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and attributes (e.g., bit stream, bit copy, and sector dump).

Encryption: Any procedure used in cryptography to convert plain text into cipher text in order to prevent anyone but the intended recipient from reading that data.

Examination: Technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.

File slack: Space between the logical end of the file and the end of the last allocation unit for that file.

File system: The way the operating system keeps track of the files on the drive.

Hashing: The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.

Image: An accurate digital representation of all data contained on a digital storage device (e.g., hard drive, CD-ROM, flash memory, floppy disk, Zip, Jaz). Maintains contents and attributes, but may include metadata such as CRCs, hash value, and audit information.

Network: A group of computers connected to one another to share information and resources.

Password protected: Many software programs include the ability to protect a file using a password. One type of password protection is sometimes called "access denial." If this feature is used, the data will be present on the disk in the normal manner, but the software program will not open or display the file without the user entering the password. In many cases, forensic examiners are able to bypass this feature.

System administrator: The individual who has legitimate supervisory rights over a computer system. The administrator maintains the highest access to the system. Also known as sysop, sysadmin, or system operator.

Unallocated space: Allocation units not assigned to active files within a file system.

Write protection: Hardware or software methods of preventing data from being written to a disk or other medium.
