GLOSSARY

burden of proof A term that defines how much evidence is needed to prove a case. In criminal cases, the burden is “beyond a reasonable doubt”; in civil cases, it is “by a preponderance of the evidence.”

capture point The point in time at which evidence is seized.

chain of custody The complete documentation of the path evidence takes from the moment of seizure to presentation at trial.

cluster A cluster is a logical grouping of sectors. Clusters range from 1 sector to 128 sectors in size; with 512-byte sectors, that means 512 B up to 64 KB. The minimum space a file can occupy is one cluster. If the file is smaller than a cluster, the remaining space in that cluster is simply unused.

Daubert standard In layman’s terms, the Daubert standard is that you should only use tests, software, and equipment that have gained wide acceptance in the industry.

discovery Discovery is the process of each litigant finding out what evidence the other party has. In a criminal case, the prosecutor has a legal obligation to turn over all evidence to the defense attorney. The defense attorney does not have a reciprocal obligation.

drive geometry This term refers to the functional dimensions of a drive in terms of the number of heads, cylinders, and sectors per track.

ELF Executable and Linkable Format (ELF, formerly called Extensible Linking Format) is a common standard file format for executables (i.e., programs, applications, etc.), object code, and shared libraries for Unix-based systems.

EMI Electromagnetic interference.

evidence return According to the SWGDE Model Standard Operation Procedures for Computer Forensics, this is the fourth of four steps in a forensic examination. Exhibits are returned to the appropriate location, usually some locked or secured facility.

exculpatory evidence Exculpatory evidence is evidence that proves the accused innocent.

EXT Extended File System was the first file system created specifically for Linux. There have been many versions of EXT—the current version is 4.

Faraday bag A bag that prevents electronic signals from entering or exiting. It is used to secure evidence such as cell phones.

FAT FAT (File Allocation Table) is an older system that was popular with Microsoft operating systems for many years. It was first implemented in Microsoft Stand-alone Disk BASIC. FAT stores file locations by sector in a file called, eponymously, the File Allocation Table.

forensic duplication According to the SWGDE Model Standard Operation Procedures for Computer Forensics, this is the second of four steps in a forensics examination. This is the process of duplicating the media before examination. It is always preferred to work with a forensic copy and not the original.

forensic report This is a report of every step in the investigation. Even before you begin your actual analysis, you will document the crime scene and the process of acquiring the evidence. You should also document how the evidence is transported to your forensic lab. From there, you continue documenting every step you take, starting with documenting the process you use to make a forensic copy. Then document every tool you use, every test you perform. You must be able to show in your documentation everything that was done.

forensics The use of science and technology to investigate and establish facts in criminal or civil courts of law.

GUID Windows Office files have a GUID (Globally Unique Identifier) to identify them.

high-level format This is the process of setting up an empty file system on the disk and installing a boot sector. This takes little time, and is sometimes referred to as a “quick format.”

hub The simplest connection device is the hub. A hub is a device into which you can plug network cables. It will have four or more ports, most likely RJ-45 jacks. You can also connect one hub to another; this strategy is referred to as “stacking” hubs. If you send a packet from one computer to another, a copy of that packet is actually sent out from every port on the hub.

IDE Integrated Drive Electronics is an older standard, but one that was commonly used on PCs for many years. It is obvious you are dealing with an IDE drive if you see a 40-pin drive connector. This was supplanted years ago by Extended IDE (EIDE). Chances are if you find any IDE drives, they will be EIDE. However, neither standard has been used in a long time.

iOS The Apple operating system for mobile devices, including the iPhone and iPad.

ipconfig This is the Windows command-line command to view and configure the settings for the network card. In Linux, the command is ifconfig.

Locard’s principle of transference This principle states that one cannot interact in any environment without leaving something behind.

low-level format This creates a structure of sectors, tracks, and clusters.

media examination According to the SWGDE Model Standard Operation Procedures for Computer Forensics, this is the third of four steps in a forensic examination. This is the actual forensic testing of the media. By media, we mean hard drive, RAM, SIM card—any item that can contain digital data.

netstat Netstat is short for network status. It shows the current connections that a machine is engaged in.

NTFS New Technology File System. This is the file system used by Windows NT 4, 2000, XP, Vista, 7, Server 2003, Server 2008, Windows 8, and Server 2012. One major improvement of NTFS over FAT was the increased volume sizes NTFS could support.

OC Optic cable. The cabling used with fiber optics. OC 3 and OC 12 are examples.

PE Portable Executable (PE) is the file format used in Windows for executables and DLLs (dynamic-link libraries).
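The ELF and PE entries above describe the two executable formats an examiner meets most often. The following added example, written for this glossary and not taken from the book or any named tool, shows how an examiner identifies a file as ELF or PE from its header bytes rather than its extension, and reads the basic facts each header carries (word size, byte order, machine type, and for PE whether the image is a DLL). The two sample headers are constructed here from the published layouts; the field offsets and constants used are those of the ELF and PE specifications.

```python
import struct

# Constructed sample headers for this example; they are minimal header bytes,
# not real binaries.
ELF64_SAMPLE = (
    b"\x7fELF"                          # ELF magic
    + b"\x02"                           # EI_CLASS: 2 = 64-bit
    + b"\x01"                           # EI_DATA: 1 = little-endian
    + b"\x01"                           # EI_VERSION
    + b"\x00" * 9                       # OS/ABI, ABI version, padding
    + struct.pack("<HHI", 2, 0x3E, 1)   # e_type=EXEC, e_machine=x86-64, e_version
).ljust(64, b"\x00")                    # pad to the 64-byte ELF64 header

PE_SAMPLE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # DOS header, e_lfanew=0x40
    + b"PE\x00\x00"                                          # PE signature at 0x40
    + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x2022)  # COFF file header
    + struct.pack("<H", 0x20B)                               # optional header magic: PE32+
)

ELF_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
PE_MACHINES = {0x14C: "x86", 0x1C0: "ARM", 0x8664: "x86-64", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def _parse_elf(data: bytes) -> dict:
    """Read class, byte order, type and machine from an ELF identification header."""
    if len(data) < 20:
        raise ValueError("truncated ELF header")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine follow the 16-byte e_ident and use the file's own byte order.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    return {
        "format": "ELF",
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": ELF_TYPES.get(e_type, hex(e_type)),
        "machine": ELF_MACHINES.get(e_machine, hex(e_machine)),
    }


def _parse_pe(data: bytes) -> dict:
    """Follow e_lfanew from the DOS header to the PE signature and COFF file header."""
    if len(data) < 0x40:
        raise ValueError("truncated DOS header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    # Signature (4) + COFF header (20) + optional-header magic (2) must fit.
    if pe_off + 26 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("MZ stub without a valid PE signature")
    machine, nsections, timestamp, _, _, _, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4
    )
    (opt_magic,) = struct.unpack_from("<H", data, pe_off + 24)
    return {
        "format": "PE",
        "bits": 64 if opt_magic == 0x20B else 32,
        "machine": PE_MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


def identify_executable(data: bytes) -> dict:
    """Classify a file by its leading bytes; extensions are not trusted."""
    if data[:4] == b"\x7fELF":
        return _parse_elf(data)
    if data[:2] == b"MZ":
        return _parse_pe(data)
    return {"format": "unknown"}


if __name__ == "__main__":
    for name, blob in (("elf sample", ELF64_SAMPLE), ("pe sample", PE_SAMPLE)):
        print(name, identify_executable(blob))
```

Run it against a real file with `identify_executable(open(path, "rb").read(4096))`; the first few kilobytes are enough for both headers. The point for an examiner is that the magic bytes and header fields, not the file name, establish what the object is.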

ping A command-line or shell command that sends one or more ICMP packets to a target to see if a response is sent back.

RAM RAM, or random access memory, is the main memory of a computer.

Reiser The Reiser File System is a popular journaling file system used primarily with Linux. Reiser was the first file system to be included with the standard Linux kernel, and first appeared in kernel version 2.4.1.

router A router is much like a switch, except that it routes traffic based on the IP address. Routers can also incorporate all types of network functionality such as a firewall.

SATA Serial Advanced Technology Attachment. SATA and solid state are the two most common drives in use today. These devices are commonly found in workstations and many servers. The internals of the hard drive are similar to IDE and EIDE—it is the connectivity to the computer’s motherboard that is different. Also, unlike IDE or EIDE drives, this type of drive has no jumpers to set the drive.

SCSI Small Computer Systems Interface—the acronym is pronounced “scuzzy.” This has been around for many years, and is particularly popular in high-end servers. This standard is actually pretty old—it was established in 1986. SCSI devices must have a terminator at the end of the chain of devices to work and are limited to 16 chained devices. There is also an enhancement to the SCSI standard called Serial SCSI.

sector A sector is the basic unit of data storage on a hard disk, usually 512 bytes. Newer hard drives using the Advanced Format have sector sizes of 4096 bytes.

solid state These drives are becoming more common—in fact, many tablets use solid-state drives (SSDs) because they have a longer battery lifespan (they use less electricity). Unlike other drive types, SSDs don’t have moving parts, such as platters, spindles, etc. Since 2010, most SSDs use NAND (Negated AND gate)-based flash memory, which retains data even without power. Unfortunately, this type of memory has a shorter lifespan than traditional hard drives.

switch A switch is basically an intelligent hub. It works and looks exactly like a hub, but with one significant difference. When the switch receives a packet, it will send that packet out only on the port it needs to go out on. A switch accomplishes this routing by using the MAC address to determine where the packet should be routed to.

tort Torts are civil wrongs recognized by law as grounds for litigation.

tracert The Windows command-line command to send an ICMP packet to a target and trace the route it takes to the target. The Linux command is traceroute.

visual inspection According to the SWGDE Model Standard Operation Procedures for Computer Forensics, this is the first of four steps in a forensic examination. The purpose of this inspection is to verify the type of evidence, its condition, and relevant information to conduct the examination. This is often done in the initial evidence seizure. For example, if a computer is being seized, you want to document if the machine is running, its condition, and the general environment.

warrant A legal document signed by a judge that authorizes law enforcement to search and/or seize certain evidence. A warrant must specify the particular place to be searched and what is being searched for.
