Glossary

.e01

The EnCase (Expert Witness) evidence file format, which stores the bitstream of an acquired hard drive in compressed, checksummed chunks along with case notes. When evidence is acquired, the MD5 hash value, or MD5, is calculated on the acquired bitstream (the drive contents) and not on the .e01 file itself; the bitstream image and its MD5 are stored in the .e01 file, with the MD5 at the end of the file. See also CRC (Cyclic Redundancy Check), MD5 hash.

802.11

A set of standards for wireless networks.

acquisition

The creation of an exact physical duplicate of the original. The creation is the forensic copy.

active file

A file that's accessible from normal use of the operating system.

Adam Walsh Child Protection and Safety Act

Legislation that states that in any criminal proceeding, any property or material that constitutes child pornography shall remain in the care, custody, and control of the government or court.

admissible evidence

Relevant evidence presented at trial and allowed by the judge. It's your goal!

alternate data streams (ADS)

A feature of NTFS, originally added so that Windows servers could store the resource forks of Macintosh files, that lets a single file carry several named data streams. A clever user can hide nefarious files in an ADS because a plain DIR (directory) command and Windows Explorer show only the main stream and its size; DIR /R on Windows Vista and later lists alternate streams, and an ADS scanner is needed to sweep a whole volume. See also NTFS (New Technology File System).

authenticate

To provide sufficient proof that something is what it claims to be.

authentication

Ensures that the forensic image and the original computer media are identical.

Best Evidence rule

A rule specifying that a party seeking to prove the content of a writing, recording, or photograph must submit the original. For electronic content, any printout or other output that's readable by sight, and shown to reflect the data accurately, counts as an original. See also original.

bit (or binary digit)

The smallest unit of computer data. A bit consists of either 0 or 1. Eight bits equals 1 byte.

bitstream image

An exact duplicate of the entire hard drive using non-invasive procedures. This read-only evidence file is also called a sector-by-sector image.

Bluetooth

A set of standards for short-range wireless connectivity from fixed or mobile devices.

boot sector

The first sector of a hard drive or of a partition, holding the code that boots up the computer. The first sector of the drive is the master boot record (MBR): it contains the boot loader and the partition table, which describes how the hard drive is divided into partitions. Each partition then has its own boot sector (volume boot record) at its first sector. See also master boot record (MBR), partition.

brute force

A password-cracking technique that tries possible combinations until the right password is found.

cache

(Pronounced "cash") A "closet" in which your computer or handheld device keeps recently used data (Web pages, images, and passwords the user told the computer to remember) so that it doesn't have to be fetched or typed again. Because the size of the cache is capped, individual temporary Internet files are created and then discarded roughly on a first-in, first-out basis, so the cache is a snapshot of recent activity rather than a complete history.

CAM

Abbreviation for create, access, modify: the timestamps of when a file was created, last accessed, and last modified (often called MAC times). They help track a document and build a timeline of events, but they're only as trustworthy as the system clock and can be changed by ordinary copying, backup software, or deliberate tampering, so CAM metadata is usually circumstantial evidence that supports other aspects of a case.

case journal

A running list of the analysis you've completed and the results of this analysis.

chain of custody

The care, control, and accountability of evidence at every step of an investigation to verify the integrity of the evidence. The process of validating how the e-evidence was gathered, tracked, and protected on its way to a court of law. If you don't have a chain of custody, you don't have evidence.

chat log

Computer files, usually stored on an individual's computer, that contain the content from online chat sessions. These logs can include the dates and times of communications, file transfers, and the text of the communication.

checksum

A value computed from a block of data to detect accidental corruption; a CRC is one example. Major forensic software packages pair per-block checksums with a cryptographic hash (MD5 or SHA) of the whole acquired image to perform the integrity check of the e-evidence, because a simple checksum is easy to match deliberately and a hash is not. See also CRC (Cyclic Redundancy Check), hash.

circumstantial evidence

A type of evidence without a witness; can be stronger and more convincing than direct evidence. The evidence shows surrounding circumstances that logically lead to a conclusion of fact about what happened. (E-evidence is circumstantial.) Also called indirect evidence. See also direct evidence.

cluster

A group of sectors on a hard drive that represents the smallest amount of data that can be allocated in a file system. Because sectors are at the hardware level and clusters are at the operating system level, techies often refer to sectors as physical address space and to clusters as logical address space. See also sector.

compression

A reversible (lossless) algorithm applied to data or a message to shrink the size of a file; lossy variants such as JPEG discard some detail to shrink it further. The compressed result looks nothing like the original and can't be keyword-searched until it's decompressed, so compression adds a layer of work to forensics, but compressed files aren't themselves suspicious.

computer forensics

A branch of science that deals with circumstantial (indirect) evidence found on computers or other digital memory devices.

contraband

Property that's illegal to possess, produce, or distribute.

cookie

A simple text file that collects and stores data about you on the hard drive of your own computer, such as which Web pages you visited.

CRC (Cyclic Redundancy Check)

A checksum used to detect accidental corruption of data. In an .e01 evidence file the bitstream image is verified by a CRC value for every block of data (32K, or 64 sectors, by default) plus an MD5 hash calculated over all the data contained in the image: the CRCs pinpoint which block is damaged, and the hash confirms the whole image. See also checksum, MD5 hash.

cryptography

The science of writing in secret codes. Encryption is one type of cryptography where readable plain text (data, message, or any type of file) is scrambled by applying an algorithm (the cipher) to it to convert it into unreadable ciphertext.

Daubert test

The standard federal courts use to decide whether expert testimony is admissible under Rule 702. The judge acts as gatekeeper, asking whether the method is reliable (has it been tested, has it been peer reviewed, does it have a known error rate, is it generally accepted) and whether it fits the case: the testimony must be sufficiently tied to the facts to help judges and juries understand the disputed issues. See also Rule 702.

defendant

The person or party who's accused. The defendant is listed on the right side of the v., as in Plaintiff v. Defendant.

defense

The accused party's side in a criminal case. In civil e-discovery either side can be asked to produce, but the defense is commonly the producing party. See also plaintiff.

delete

To remove a file's directory entry and mark its storage space as free without erasing the data. Deleted files are often recoverable because the operating system doesn't wipe the contents; the data stays on the disk until the space is reused or deliberately wiped. See also unallocated space, wiping software.

demonstrative evidence

A type of evidence that's offered to explain or summarize other evidence, but that's not usually admitted into evidence or considered by the jury. Examples are charts and maps and other types of computer-generated evidence.

deposition (or depo)

Testimony given under oath in the presence of a court reporter before the trial begins, but not in court. A deposition can be the most painful and mentally exhausting activity you perform during the case.

destination address

The IP address of the destination or recipient's computer. See also Internet Protocol (IP) address.

dictionary attack

A trial-and-error password-cracking technique that works remarkably often because of weak passwords. Each word in a dictionary of likely passwords is hashed and compared to the hash value stored in the suspect's password file to look for a match. See also brute force, rainbow table.

direct evidence

Evidence from a witness based on one of the five senses. For example, someone may have seen a person get shot, heard a scream, smelled smoke, or tasted or felt something. See also circumstantial evidence.

directory structure

An organization of directories (or folders) and files on a hard drive. The main directory is the root directory.

discovery

The pretrial process during which each party has the right to learn about, or discover, as much as possible about the opponent's case.

discovery request

An official request for access to information that may be used as evidence. Also called production request.

disk duplicator

A hardware device, such as the Logicube Forensic Talon, that duplicates storage media quickly and forensically at the rate of about 4 gigabytes per minute.

disk partition

A contiguous region of a hard drive (historically a set of consecutive cylinders) that is treated as a separate logical disk. Before files can be stored on a disk partition, it must be formatted to create a file system on the logical volume. See also extended partition.

DIY

Do-it-yourself. A DIY-er is an amateur who tinkers around in a computer and damages e-evidence.

DNS (Domain Name System)

The distributed directory that translates domain names into IP addresses. Internet traffic depends on the functioning of DNS servers, and their logs and caches can show which names a computer looked up.

document

An original version or a copy of words or information generated by printing, typing, longhand writing, electronic recording, or other process, regardless of the form. Examples include published materials, reports, e-mails, records, memoranda, notices, notes, marginal notations, minutes, diagrams, drawings, maps, surveys, plans, charts, graphs, data, computer files, PDA appointment books, invoices, and performance evaluations.

drive imaging

The forensic capturing of everything on a disk drive.

driver

The program that controls various devices, such as your keyboard or mouse.

e-discovery

A part of the legal system that allows parties involved in a lawsuit to request electronic documents from the opposing party in preparation for trial.

e-discovery extortion

The process of threatening a party with expensive e-discovery to force that party to settle a winnable lawsuit or case.

e-mail

A digital message sent by way of a network. It's the richest source of electronic evidence because a message is typically candid, casual, or careless.

electronic discovery

See e-discovery.

electronic evidence (or e-evidence)

Evidence in digital or electronic form, such as e-mail, computer files, instant messages, PDA calendars, and Blackberry phone lists. (It's like a vampire lurking out of sight that can neither be destroyed nor intimidated.)

electronically stored information (ESI)

Digital content; a term used by the 2006 amendments to the Federal Rules of Civil Procedure.

encryption

The process of scrambling readable plain text (data, a message, or a file) by applying an algorithm (the cipher) and a key to convert it into unreadable ciphertext. Encrypted containers are sometimes recognizable by their extension or header (.pgp or .gpg, for example), but raw ciphertext has no structure at all: it looks like random bytes, so examiners flag it by its high entropy, the same property that makes compressed files stand out. See also cryptography, PGP (Pretty Good Privacy).
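The entropy test mentioned above, as an added example (not code from the page or from any forensic product): it measures bits of information per byte for constructed sample text, for the same text after zlib compression, and for the same text encrypted with a one-time pad, which stands in for any sound cipher. The vocabulary, the 7.5-bit threshold, and the zlib-header check are assumptions made for this example.

```python
import math
import os
import random
import zlib
from collections import Counter

# Constructed sample text: pseudo-prose built from a small vocabulary so that it
# has realistic character statistics without copying any real document.
_VOCAB = ("the quick brown fox jumps over lazy dog evidence image "
          "hash cluster sector partition registry custody").split()
_rng = random.Random(7)
SAMPLE_TEXT = " ".join(_rng.choice(_VOCAB) for _ in range(4000)).encode()
SAMPLE_COMPRESSED = zlib.compress(SAMPLE_TEXT)


def shannon_entropy(data: bytes) -> float:
    """Bits of information per byte: 0.0 for a constant stream, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def one_time_pad(data: bytes) -> bytes:
    """XOR with a fresh random keystream. Stands in for 'any good cipher': the
    output is indistinguishable from random bytes and carries no header."""
    key = os.urandom(len(data))
    return bytes(a ^ b for a, b in zip(data, key))


SAMPLE_CIPHERTEXT = one_time_pad(SAMPLE_TEXT)


def has_zlib_header(data: bytes) -> bool:
    """zlib.compress() output starts with 0x78 0x9C at the default level, so a
    compressed blob can be identified by its header even though its body is as
    high-entropy as ciphertext. Raw ciphertext has no such marker."""
    return data[:2] == b"\x78\x9c"


def triage(data: bytes, threshold: float = 7.5) -> str:
    """Coarse label an examiner might apply before opening a file. The threshold
    is an assumption for this example, not a standard; compressed and encrypted
    data both land above it, so entropy alone separates them from plain text,
    not from each other."""
    if shannon_entropy(data) >= threshold:
        return "high-entropy (compressed or encrypted)"
    return "structured"


if __name__ == "__main__":
    for label, blob in (("text", SAMPLE_TEXT),
                        ("zlib", SAMPLE_COMPRESSED),
                        ("otp", SAMPLE_CIPHERTEXT)):
        print(f"{label:5} {len(blob):6} bytes  H={shannon_entropy(blob):.2f}  {triage(blob)}")
```

The text scores well under 5 bits per byte; both the compressed and the encrypted blobs score close to 8. The only thing that tells them apart here is the zlib header, which is why an entropy sweep is a triage step and not a verdict: high-entropy files still need a signature check and, failing that, a conversation about keys.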

evidence

Proof of a fact about what did or did not happen; material used to persuade the judge or jury of the truth or falsity of a disputed fact. See also circumstantial evidence and direct evidence.

evidence law

A long list of rules about evidence that have exclusions that have exceptions. Rules state which evidence is admissible. See also exception, exclusion.

exception

A rule that contradicts exclusions and makes evidence admissible. See also evidence law, exclusion.

exclusion

A rule that makes evidence inadmissible. See also exception.

exculpatory

A type of evidence which tends to show that a criminal defendant isn't guilty of the charges against him.

extended partition

A special entry in the MBR partition table, which has room for only four primary partitions, that acts as a container for any number of logical partitions, each described by its own extended boot record (EBR) chained inside the container. A drive with more than four partitions gets its fifth and later ones from an extended partition. See also disk partition, master boot record (MBR).

Facebook

A social network where you might sometimes learn about people (suspects) if they have an account.

FAT (File Allocation Table)

A system of keeping track of where files are stored on a hard drive. The FAT system is used by the operating system to locate files within the computer by pointing to the starting cluster of the file. This is the original (and ancient) file system developed by Microsoft to organize data on a storage medium.

Federal Rules of Civil Procedure (Fed. R. Civ. P.)

The rules that federal courts use to determine proper procedure for civil cases, including what material is subject to discovery or e-discovery.

Federal Rules of Criminal Procedure

Rules that control the conduct of all criminal proceedings brought in federal courts to ensure that a defendant's rights are protected.

Federal Rules of Evidence (Fed. R. Evid.)

The rules that federal courts use to determine what evidence is relevant in civil or criminal cases.

file header

A sequence of bytes (the signature, or magic number) at the beginning of a file that identifies what type of file it is, regardless of the file's extension. See also header.

file slack

The space between the logical end of the file and the end of the cluster. See also slack space.

fixed storage device

Any device that stores data and is permanently attached to a computer.

forensic copy

A technical term for the end-product of a forensics acquisition of a computer's hard drive or other storage device. See also bitstream image.

forensic tool

A type of program that applies computer science operations to establish facts in accordance with legal evidentiary standards.

GIF (Graphic Image File)

One of the two most common file formats for graphical images. See also JPG.

gigabyte (GB)

One thousand megabytes (roughly one billion bytes). Operating systems often report the binary value, 1,024 megabytes, instead.

hash

A computer-based mathematical process of calculating a unique ID for the target drive to authenticate e-evidence. A hash value is calculated for a hard drive at the time it's copied from a computer system. The hash assists in subsequently ensuring that data hasn't been altered or tampered with.

hash algorithm

A way of analyzing a computer drive or file and calculating a unique identifying number for it, called a hash value.

hash value

The unique number of a computer file used to detect any manipulation of the data. Also known as the condensed representation or message digest (MD) of the original.

hashing

The process of using a mathematical algorithm against data to produce a numeric value that's representative of that data. Hashing generates a unique alphanumeric value to identify the combination of bytes that make up a particular computer file, a group of files, or an entire hard drive.

header

Part of a data packet, placed before the payload, that carries the addressing and bookkeeping information for the transmission: source and destination addresses, protocol, and length. For a file, the header is the region at the beginning of the file where the program that wrote it stores its signature and format information; this is distinct from the file system's own record of creation date, last update, and size. Both kinds are read by the operating system and by specialized programs such as a hex editor. See also file header, payload.
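A file-signature check of the kind the file header and header entries describe, as an added example (not code from the page or from any forensic tool). The signature values are well-known magic numbers; the signature table, the extension map, and the sample blob with two headers buried in filler bytes are constructed for this example.

```python
from typing import List, Optional, Tuple

# Well-known file signatures ("magic numbers"): (offset, bytes, type).
SIGNATURES: List[Tuple[int, bytes, str]] = [
    (0, b"\xff\xd8\xff", "jpg"),
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip (also docx/xlsx/jar)"),
    (0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (doc/xls/ppt)"),
    (0, b"MZ", "exe/dll"),
]

# Which declared extensions are consistent with which header type (assumed map).
EXTENSION_TYPES = {
    "jpg": "jpg", "jpeg": "jpg", "gif": "gif", "png": "png", "pdf": "pdf",
    "zip": "zip (also docx/xlsx/jar)", "docx": "zip (also docx/xlsx/jar)",
    "doc": "ole2 (doc/xls/ppt)", "exe": "exe/dll", "dll": "exe/dll",
}


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the header, or None if no signature matches."""
    for offset, magic, ftype in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return ftype
    return None


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a recognised header disagrees with the declared extension: the
    classic sign of a renamed file, such as a JPEG saved as notes.txt. Files
    whose header is unknown get no verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = identify(data)
    if actual is None:
        return False
    return EXTENSION_TYPES.get(ext) != actual


def carve(blob: bytes) -> List[Tuple[int, str]]:
    """Scan a raw blob (slack, unallocated space, a whole image) for embedded
    headers and return (offset, type) pairs in order. Header-only carving yields
    candidates, not whole files: the footer or length field must still be found."""
    hits = []
    for _, magic, ftype in SIGNATURES:
        if len(magic) < 3:
            continue   # 2-byte signatures such as "MZ" false-positive too often in a raw scan
        i = blob.find(magic)
        while i != -1:
            hits.append((i, ftype))
            i = blob.find(magic, i + 1)
    return sorted(hits)


# Constructed sample "unallocated space": filler bytes with a JPEG header and a
# PDF header buried in it. Only the headers are real; the bodies are padding.
SAMPLE_BLOB = (b"\x00" * 100 + b"\xff\xd8\xff\xe0" + b"\x11" * 300
               + b"%PDF-1.4\n" + b"\x22" * 200)
```

Real carvers use the same idea with far larger signature tables and with footers (a JPEG ends in FF D9, for instance) so that the candidate can be cut out as a file; the point that survives scaling up is that the header, not the filename, says what a file is.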

hearsay

Secondhand evidence. Sometimes it's considered unreliable unless a rule of evidence says that it's reliable. See also hearsay rule.

hearsay rule

The rule specifying that hearsay evidence is inadmissible. Some thirty exceptions to the rule, however, specify that certain types of hearsay evidence are admissible. Records of regularly conducted business activity, including electronic business records, are one such exception, so they may be admissible.

hex editor

A software tool for digging into the raw bytes of file systems and their files. Power users use these tools for deeper analysis, but they require a fair amount of knowledge of file structures.

HFS (hierarchical file system)

A file system (not an operating system) developed by Apple in the mid-1980s for the Macintosh. It was superseded by HFS+ in 1998 and remained readable on Mac OS X, so older Mac media may still carry it.

hidden file

A file that's marked as hidden but can still be viewed by selecting the Show Hidden Files and Folders option. Hidden files are no more hidden than deleted files are deleted.

hidden share

A shared area on a network where files are stored but shares are hidden. Tech-savvy criminals can use hidden shares on remote computers rather than risk using their own machines. Finding hidden shares is more difficult than finding hidden files, but if you have the proper software, the process is straightforward.

hive

A logical group of keys, subkeys, and values in a computer's Registry. Also called a registry hive.

host

Any computing device attached to a network that has some form of addressing, such as an IP address or a MAC address.

human nature

A concept which stipulates that people usually behave a certain way regardless of the consequences. As it relates to computer forensics, few people use different passwords for all the files or accounts they want to protect; and many people make incriminating statements in e-mail messages. Human nature is important to understand in order to perform well as a computer forensics investigator.

image

A short term for bitstream image or forensic image. The evidence file created by using forensic software that contains all files from the hard drive or other storage medium.

IMAP (Internet Message Access Protocol)

An e-mail protocol that keeps messages on the e-mail server and synchronizes a local copy to the destination computer; messages stay on the server until the user deletes them purposely, so both the server and the client may hold evidence. See also POP (Post Office Protocol).

index.dat file

A file used by Internet Explorer to create a database of cookies, Web sites visited, and other Web browsing details.

infrared

An older method of wireless communication between mobile devices using the infrared part of the light spectrum.

intake form

An inventory list showing which evidence and equipment was entered into your possession.

Internet Protocol (IP) address

A number that identifies a computer (host) on a network so that it can communicate. It uniquely identifies the host on the Internet or another network at a given moment, but addresses can be assigned dynamically, shared behind a router, or disguised, so an IP address points to a device or connection, not to a person. See also source address, destination address.

interrogatory

A type of question used to prepare for key witness depositions or to discover facts about an opposing party's case. Interrogatories are part of the pretrial discovery stage of a lawsuit and must be answered. See also e-discovery.

intrusion detection system (IDS)

A system that monitors a network or host and logs or raises an alert on every event that's even mildly suspicious, so the event can be studied and prevented from happening again. An IDS only watches; see also intrusion prevention system (IPS).

intrusion prevention system (IPS)

Detects, blocks, and shuts down any perceived threat on the network by analyzing events in real-time (as it's happening).

JPG

Stands for Joint Photographic Experts Group, one of the two most common file formats for graphical images. See also GIF.

keystroke logger

Software installed manually or by way of a Trojan on a computer to capture passwords or any other content by recording the keys that are pressed. This password-cracking technique resorts to sleuthing — when it's legal to do so, of course.

legal sufficiency

The consideration of evidence in the light most favorable to the prosecution such that any rational fact-finder could have found all essential elements beyond a reasonable doubt. See also preponderance of the evidence.

link file

A Windows shortcut (.lnk) file. Windows creates one automatically when a user opens a file (in the Recent folder, for example), and it records the target's path, size, and timestamps and the volume it lived on, including the serial number of a removable drive. A link file therefore establishes a trail (or link) from one storage device to another and can show where the e-evidence resided earlier, even after the original file is gone.

Linux/Unix

An operating system that is gaining in popularity and whose smallest unit of storage space is a block.

log

A text file that doubles as an audit trail; typically records timestamps, IP addresses, user names, and the actions taken on a system, service, or network device.

logical level search

A search of a hard drive that looks at the directory structure on the computer itself; for example, the way that you would search a filing cabinet. An average user can see files in the directory structures and open and view them by clicking on the filename.

magnetic disk drive

A basic digital storage medium: a stack of spinning platters that magnetic heads read and write in sectors. See also sector.

MAPI (Messaging Application Programming Interface)

A proprietary e-mail protocol used by Microsoft to power Microsoft Outlook.

master boot record (MBR)

The first sector of a hard drive, located in front of the first partition, that contains bootstrap code, the partition table, and a 4-byte disk signature that identifies the drive. Windows records that signature (together with the partition's byte offset) in the Registry's MountedDevices key, so it can often be used to track USB drives that have been attached to the computer system. See also boot sector, extended partition, Registry.
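A parser for the structure the boot sector, disk partition, extended partition, and MBR entries describe, as an added example (not code from the page or from any forensic tool). It reads the four 16-byte entries at offset 0x1BE, the disk signature at 0x1B8, and the 0x55AA boot signature, then follows the EBR chain of an extended partition. The sample disk is constructed and sparse: only the three sectors the parser touches are defined, which keeps a 300 MB layout in a few hundred bytes.

```python
import struct
from typing import Callable, Dict, List, Tuple

SECTOR = 512
EXTENDED_TYPES = {0x05, 0x0F}   # CHS and LBA flavours of "extended partition"


def parse_table(sector: bytes) -> Tuple[bytes, List[Tuple[int, int, int, int]]]:
    """Return (4-byte disk signature, [(status, type, start_lba, sector_count), ...])
    from the four entries at 0x1BE. Works for the MBR and for an EBR."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR/EBR sector")
    disk_sig = bytes(sector[0x1B8:0x1BC])
    entries = []
    for i in range(4):
        e = sector[0x1BE + 16 * i: 0x1BE + 16 * (i + 1)]
        start, count = struct.unpack("<II", e[8:16])
        if e[4] != 0 and count != 0:          # type byte 0 marks an unused slot
            entries.append((e[0], e[4], start, count))
    return disk_sig, entries


def walk_extended(read_sector: Callable[[int], bytes], ext_start: int) -> List[Dict]:
    """Follow the EBR chain inside an extended partition. In each EBR, entry 0 is a
    logical partition whose start is relative to that EBR; entry 1 (if present)
    points to the next EBR, relative to the start of the extended partition."""
    logical, seen, ebr = [], set(), ext_start
    while ebr not in seen:   # a looped chain is corruption or anti-forensics; don't spin forever
        seen.add(ebr)
        _, entries = parse_table(read_sector(ebr))
        nxt = None
        for status, ptype, rel, count in entries:
            if ptype in EXTENDED_TYPES:
                nxt = ext_start + rel
            else:
                logical.append({"kind": "logical", "type": ptype, "start": ebr + rel,
                                "sectors": count, "bootable": status == 0x80})
        if nxt is None:
            break
        ebr = nxt
    return logical


def list_partitions(read_sector: Callable[[int], bytes]) -> Tuple[bytes, List[Dict]]:
    """Parse the MBR at LBA 0 and expand any extended partition into its logical volumes."""
    disk_sig, entries = parse_table(read_sector(0))
    parts: List[Dict] = []
    for status, ptype, start, count in entries:
        if ptype in EXTENDED_TYPES:
            parts.extend(walk_extended(read_sector, start))
        else:
            parts.append({"kind": "primary", "type": ptype, "start": start,
                          "sectors": count, "bootable": status == 0x80})
    return disk_sig, parts


# ---- constructed sample disk (sparse: only the sectors the parser reads exist) ----
def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    return bytes([status, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)


def _table_sector(entries: List[bytes], disk_sig: bytes = b"\x00" * 4) -> bytes:
    table = b"".join(entries) + b"\x00" * (16 * (4 - len(entries)))
    return b"\x00" * 0x1B8 + disk_sig + b"\x00\x00" + table + b"\x55\xaa"


EXT_START = 206848
SAMPLE_DISK: Dict[int, bytes] = {
    0: _table_sector([_entry(0x80, 0x07, 2048, 204800),          # bootable NTFS primary
                      _entry(0x00, 0x05, EXT_START, 409600)],    # extended container
                     disk_sig=b"\x12\x34\x56\x78"),
    EXT_START: _table_sector([_entry(0, 0x07, 2048, 200000),     # first logical (NTFS)
                              _entry(0, 0x05, 204800, 204800)]), # link to the next EBR
    EXT_START + 204800: _table_sector([_entry(0, 0x0B, 2048, 100000)]),  # second logical (FAT32); chain ends
}


def read_sample_sector(lba: int) -> bytes:
    return SAMPLE_DISK.get(lba, b"\x00" * SECTOR)
```

Against a real image, read_sector is a function that seeks to lba * 512 in the image file; everything else is unchanged. The disk signature returned here as bytes 12 34 56 78 is what Windows stores little-endian (0x78563412) in MountedDevices, so that is the value to search for when tying a drive to a machine.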

MD5 hash (or MD5 hash value)

A way to verify data integrity: a 128-bit number that (like a fingerprint) identifies the forensic image (evidence file). An MD5 hash value, for example:

578BCBD1845342C10D9BBD1C23294425

is assigned to the evidence file by the software during acquisition of the hard drive. Hashing the image again later and comparing the values detects any tampering or alteration, which provides a very high degree of data and evidence integrity. It was long assumed to be computationally infeasible to produce two messages having the same MD5; collisions have been demonstrated since 2004, so current practice records a SHA hash alongside the MD5. See also SHA.

megabyte (MB)

One thousand kilobytes (roughly one million bytes).

memory card

A digital storage (memory) device. To read this type of memory device, you often have to use a multimedia card reader.

memory storage area

A storage area on a mobile device that exists only as long as the device has power.

metadata

Data describing a file or its properties, such as creation date, author, or last access date. Invisible information that programs such as Microsoft Word, Excel, and Outlook attach to each file or e-mail. A good source of e-evidence about who created a file and when — just in case someone is trying to hide the truth. Even hidden files have metadata.

motion

A formal request to a judge to make a legal ruling. This tool is used by either side in an effort to define the boundaries of the case.

motion in limine

A request that the court limit the evidence at trial or rule that certain evidence cannot be used.

Motor Vehicle Event Data Recorder (MVEDR)

A vehicle's black box that records data before and after an accident.

network interface card (NIC)

A device that holds a computer's MAC (Media Access Control) address, which uniquely identifies it to a network. It's similar to a computer's phone number.

NTFS (New Technology File System)

The file system Microsoft introduced with Windows NT in 1993; more sophisticated than FAT, with file permissions, a journal, and alternate data streams. See also alternate data streams (ADS), FAT (File Allocation Table).

operating system (OS)

A master control program that runs a computer; provides an interface between hardware and software. Examples are Windows, DOS, MacOS, Unix, and Linux.

original

For data stored in a computer or similar device, any printout or other output that's readable by sight, shown to reflect the data accurately.

partition

A logical division (or a logical volume) of a physical storage device that acts as a file organization method.

payload

The data or message in a packet.

perjury

The crime of lying under oath.

permission

What you always need to obtain from the owner or person in authority before investigating.

petabyte (PB)

One thousand terabytes.

PGP (Pretty Good Privacy)

A widely used encryption program (and the OpenPGP standard behind it) that encrypts the data with a symmetric cipher and protects that cipher's key with public-key cryptography. Without the passphrase or private key, the content is effectively unrecoverable. See also encryption.

physical-level search

A type of search performed by a software program to find and recover remnants of files that were overwritten or deleted from the hard drive. The program searches everything on the drive rather than simply search the computer's directories (folders).

plaintiff

The party bringing the charge; the requesting party in e-discovery. See also defendant.

POP (Post Office Protocol)

The protocol an e-mail client uses to retrieve messages from an e-mail server. By default a POP client downloads a copy to the destination computer and then deletes the original from the server, although most clients can be set to leave messages on the server. See also IMAP (Internet Message Access Protocol).

portable storage device

Any device that stores data and can be carried, such as a flash drive, an iPod, an MP3 player, or a mobile phone.

preponderance of the evidence

The standard of proof that must be established to win a civil case. This standard is met when a party's evidence indicates that it's "more likely than not" that the fact is as the party alleges it to be. See also legal sufficiency.

preservation

Protection from destruction and alteration.

pretrial

The extremely busy period before trial begins — when every legal, technical, and constitutional issue can get scrutinized to try to get the case resolved.

privilege

Material or electronic communications protected from being used as evidence.

probable cause

The reasonable basis to believe that a defendant has committed a wrong or is guilty of the crime charged. Prevents fishing expeditions for evidence.

probative value

A standard by which evidence is judged. It's a characteristic of evidence that's sufficiently useful to prove something worthwhile in a trial.

rainbow table

A password-cracking technique that uses huge precomputed tables of hashes (stored as chains to save space) so that a captured hash is looked up rather than recomputed for every guess. Tables are typically downloaded or shared online because of their size. A per-user salt defeats them, because every salt would need its own table. See also brute force, dictionary attack.
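The three attacks defined in this glossary (brute force, dictionary attack, rainbow table) side by side, as an added example that is not code from the page or from any cracking tool. Unsalted SHA-1 stands in for a legacy password store, a plain hash-to-password dictionary stands in for a rainbow table (real ones store chains, but the lookup idea is the same), and the wordlist and the four-byte salt are constructed for the example.

```python
import hashlib
import itertools
import string
from typing import Dict, Iterable, Optional

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "letmein", "qwerty", "forensics", "summer2009", "dragon"]


def pw_hash(password: str, salt: bytes = b"") -> str:
    """Unsalted SHA-1 (salt=b"") as found in older password stores; a per-user
    salt prepended to the password models the salted case. SHA-1 is used here
    because it's what the attacks in the text aim at, not because it's a good
    choice: a real store should use a slow, salted hash such as bcrypt."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


def build_lookup(words: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> password table, built once and reused for every target."""
    return {pw_hash(w): w for w in words}


def lookup_attack(target: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary probe instead of one hash per candidate. Only works when
    the store is unsalted, because the table was built without any salt."""
    return table.get(target)


def dictionary_attack(target: str, words: Iterable[str], salt: bytes = b"") -> Optional[str]:
    """Hash each candidate with the victim's salt and compare. A salt doesn't
    stop this; it only forces the work to be redone for every user."""
    for w in words:
        if pw_hash(w, salt) == target:
            return w
    return None


def brute_force(target: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 4, salt: bytes = b"") -> Optional[str]:
    """Try every string up to max_len over the alphabet. Cost grows as
    len(alphabet) ** length, which is why length matters more than symbols."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if pw_hash(cand, salt) == target:
                return cand
    return None
```

The lookup attack answers in one step for an unsalted hash and fails outright once a salt is added; the dictionary attack still succeeds against the salted hash but now costs one hash per word per user, which is exactly the trade the salt buys. Brute force over four lowercase letters finishes in well under a second here; add length and character classes and it stops being practical.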

RAM (random access memory)

A computer's short-term memory. Provides memory space for the computer to work with data. Information stored in RAM is lost when the computer is turned off.

RCFL (regional computer forensics lab)

The FBI's full-service forensics laboratory and training center for examination of digital evidence in support of criminal investigations. At least 14 RCFLs exist across the United States.

Registry

A Microsoft Windows database in which applications and system components store and retrieve configuration data. Data stored in the Registry varies according to the version of Windows. The Registry has evolved over the course of 20 years into a complex database that tracks almost everything that's done on the computer and keeps all configuration settings up-to-date.

RFID (radio frequency identification)

A tracking technology designed to leave a digital trail.

router

A special-purpose computer that uses IP addresses to move data across networks.

Rule 16 pretrial conference

Requires opposing parties to meet and discuss a discovery plan and evaluate the preservation and production of electronically stored information. See also electronically stored information (ESI).

Rule 26

Each company has the duty to preserve documents that may be relevant in a case.

Rule 26(a)

The initial disclosure of sources of discoverable information. Parties must identify all sources of ESI that may be relevant by category and location.

Rule 34

E-records and communications are subject to subpoena and discovery for use in legal proceedings.

Rule 702

The Federal Rule of Evidence governs the admissibility of expert testimony. The witness must be qualified as an expert in order to be allowed to provide testimony.

rules of evidence

Rules that control which material the judge and jury can consider (what's in) and cannot consider (what's out).

sector

A group of bytes on any given track of a hard drive's platters. It's the smallest unit of storage on a storage medium and, therefore, the smallest area of information that can be accessed on the drive. See also cluster.

SHA (secure hash algorithm)

An algorithm for computing a condensed representation of a message or data file. The condensed representation is of fixed length and is known as a message digest (MD) or fingerprint. It's similar to a human fingerprint in that it identifies the forensic image (evidence file). SHA or MD5 (or both) is used to verify the evidence file. If the hash values of the forensic image and the original match, the data could not have been modified in the normal course of your investigation. See also MD5 hash.
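The acquisition and authentication steps that the authentication, checksum, CRC, hash, MD5 hash, and SHA entries describe, as an added example that is not code from the page or from any imaging product: it reads a constructed "drive" once, records a CRC32 per 32K block and MD5 and SHA-256 over the whole bitstream, then verifies the stored image and reports which block a later change landed in. The image is held as a plain dictionary; that layout, and the sample drive contents, are assumptions made for this example.

```python
import binascii
import hashlib
from typing import Dict, List, Tuple

CHUNK = 32 * 1024   # 64 sectors of 512 bytes: the per-block CRC granularity the CRC entry describes

# Constructed "suspect drive": 128K of repeating byte values, i.e. four chunks.
SAMPLE_DRIVE = bytes(range(256)) * 512


def acquire(source: bytes, chunk_size: int = CHUNK) -> Dict:
    """Read the source once, recording a CRC32 per chunk and MD5 + SHA-256 over
    the whole bitstream. The hashes cover the drive contents only, never the
    container file, as the .e01 entry describes."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    crcs: List[int] = []
    for off in range(0, len(source), chunk_size):
        block = source[off:off + chunk_size]
        md5.update(block)
        sha.update(block)
        crcs.append(binascii.crc32(block))
    return {"data": bytearray(source), "chunk_size": chunk_size,
            "chunk_crcs": crcs, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def verify(image: Dict) -> Tuple[bool, List[int]]:
    """Re-hash the stored bitstream. Returns (whole-image hashes still match,
    indexes of chunks whose CRC no longer matches). The CRCs localise damage;
    the hashes are the authentication that goes in the report."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    data, cs = image["data"], image["chunk_size"]
    bad: List[int] = []
    for i, off in enumerate(range(0, len(data), cs)):
        block = bytes(data[off:off + cs])
        md5.update(block)
        sha.update(block)
        if binascii.crc32(block) != image["chunk_crcs"][i]:
            bad.append(i)
    ok = md5.hexdigest() == image["md5"] and sha.hexdigest() == image["sha256"]
    return ok, bad


def matches_source(image: Dict, source: bytes) -> bool:
    """Authentication: the hash of the image contents equals the hash of the
    original media, computed independently rather than copied from the image."""
    return hashlib.sha256(bytes(image["data"])).hexdigest() == hashlib.sha256(source).hexdigest()
```

Flipping a single bit in the fourth block makes the whole-image hashes fail and names block 3 as the culprit, which is what the per-block CRCs are for; the hash comparison against the original media is the step that authenticates the copy, and recording SHA-256 beside MD5 means a known MD5 collision can't be used to argue the image was swapped.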

SIM (Subscriber Identity Module) card

A portable memory chip, used in some cellular telephone models, that holds the user's identity information, cell number, phone book, text messages, and other data.

slack space (or file slack)

Unused space on a cluster that exists when the logical file space is less than the physical file space. May hold the content of files that previously occupied this space.

SMTP (Simple Mail Transfer Protocol)

The language used in an e-mail system to send messages to an e-mail server. SMTP pushes (delivers) the messages to e-mail servers.

snooper

A type of software that logs not only keystrokes but also almost any activity that occurs on the computer, including screen shots, printouts, chat sessions, e-mails, and even the number of times the computer was turned on.

source address

IP address of the originating or sender's computer, unless that IP address has been disguised. See also Internet Protocol (IP) address.

spoliation

The destruction or alteration of evidence, or the failure to preserve it. In civil cases it draws sanctions from the court; destroying evidence intentionally can be prosecuted as obstruction of justice.

steganography (or stego)

A system of hiding files within other files using one of many algorithms, which require stego-detecting software to extract (if the extraction is possible). Stego refers to covered writing, such as invisible ink. In the digital world, this technique involves hiding a message inside an innocuous image, music file, or video that's posted on a Web site, e-mailed, or stored on a hard drive.
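Least-significant-bit steganography, the simplest of the algorithms the entry above refers to, as an added example that is not code from the page or from any stego tool. The "image" is assumed to be a raw array of 8-bit samples (a real tool would read pixel values out of a bitmap); the embedding writes a 4-byte length followed by the message into the lowest bit of successive samples, and the cover is constructed as a smooth gradient whose low bits are all zero so that the effect of embedding is visible.

```python
from typing import Iterable

# Constructed cover: a smooth gradient of even values, so every low bit starts at 0.
# A real photo's low bits are already noisy, which is what makes LSB hiding work.
SAMPLE_COVER = bytes(((i // 4) * 2) % 256 for i in range(4096))
SAMPLE_MESSAGE = b"meet at dawn"


def _bits(payload: bytes) -> Iterable[int]:
    for byte in payload:
        for i in range(8):
            yield (byte >> (7 - i)) & 1     # most significant bit first


def embed(cover: bytes, message: bytes) -> bytes:
    """Replace the low bit of each sample with one bit of [4-byte length][message]."""
    payload = len(message).to_bytes(4, "big") + message
    out = bytearray(cover)
    bits = list(_bits(payload))
    if len(bits) > len(out):
        raise ValueError("cover too small: need %d samples, have %d" % (len(bits), len(out)))
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length header, then that many bytes, from the low bits."""
    def read(n_bytes: int, start: int) -> bytes:
        vals = bytearray()
        for b in range(n_bytes):
            v = 0
            for i in range(8):
                v = (v << 1) | (stego[start + b * 8 + i] & 1)
            vals.append(v)
        return bytes(vals)
    length = int.from_bytes(read(4, 0), "big")
    return read(length, 32)


def max_abs_diff(a: bytes, b: bytes) -> int:
    """Largest per-sample change: LSB embedding never moves a sample by more than 1."""
    return max(abs(x - y) for x, y in zip(a, b))


def lsb_ratio(data: bytes) -> float:
    """Fraction of samples whose low bit is 1. On a structured cover such as the
    gradient above, embedding pushes this toward 0.5 over the region used."""
    return sum(b & 1 for b in data) / len(data)
```

Against a gradient the detection is trivial: the low-bit ratio over the first 128 samples jumps from exactly zero to roughly a third. Against a photograph it is not, because natural image noise already fills the low bits, which is why practical stego detection relies on statistical tests and on comparison with a known-clean original rather than on eyeballing.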

subpoena

A writ commanding a person designated in it to appear in court or face a penalty for not showing up.

subpoena ad testificandum

A writ commanding a person to appear in court to testify as a witness.

subpoena duces tecum

A writ commanding a person to produce in court certain designated documents or evidence.

subscriber identifier

Information used by the mobile phone network to authenticate the user to the network and verify the services tied to the account.

swap file

An operating system function that acts like RAM but uses the hard drive or storage device rather than memory chips. When memory runs short, the operating system writes (pages out) the contents of RAM to the swap file and reads them back when an application needs them. The data isn't scrubbed afterward, so passwords and fragments of documents that were only ever "in memory" can be retrieved from it. See also virtual memory.

switch

A network component that uses the Media Access Control (MAC) identification of a host computer on a network to move traffic within a network.

temporary file (or temp file)

A file type, commonly created by Internet browsers, that is stored for only temporary use. Temp files store information about Web sites a user visited. Forensic techniques can be used to track the history of a computer's Internet usage through the examination of temporary files.

terabyte (TB)

One thousand gigabytes.

triers of fact

Judges and juries.

unallocated space

The space created when a file is deleted that can be reused to store new information. Until unallocated space is used for new data storage, in most instances, the old data remains and can be retrieved by using forensic techniques.
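A toy file system that shows what the cluster, delete, file slack, slack space, unallocated space, logical level search, and physical-level search entries describe, as an added example that is not code from the page or from any forensic tool. It is an assumption of the example that writing a file touches only the file's own bytes, leaving the rest of the last cluster as it was (real file systems zero-fill to the end of the sector, not the cluster); the 512-byte clusters, the eight-cluster disk, and the file contents are constructed.

```python
from typing import Dict, List, Tuple

CLUSTER = 512


class TinyFS:
    """Eight clusters, a free list, and a directory: enough to watch data outlive its file."""

    def __init__(self, clusters: int = 8) -> None:
        self.disk = bytearray(CLUSTER * clusters)
        self.free = [True] * clusters
        self.dir: Dict[str, Tuple[List[int], int]] = {}   # name -> (cluster list, logical size)

    def write(self, name: str, data: bytes) -> None:
        needed = max(1, -(-len(data) // CLUSTER))         # ceiling division
        chosen = [i for i, f in enumerate(self.free) if f][:needed]
        if len(chosen) < needed:
            raise OSError("disk full")
        for n, c in enumerate(chosen):
            part = data[n * CLUSTER:(n + 1) * CLUSTER]
            # Only the file's bytes are written; the rest of the cluster keeps old contents.
            self.disk[c * CLUSTER:c * CLUSTER + len(part)] = part
            self.free[c] = False
        self.dir[name] = (chosen, len(data))

    def read(self, name: str) -> bytes:
        chosen, size = self.dir[name]
        raw = b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER]) for c in chosen)
        return raw[:size]

    def delete(self, name: str) -> None:
        """Drop the directory entry and free the clusters; the bytes stay put."""
        chosen, _ = self.dir.pop(name)
        for c in chosen:
            self.free[c] = True

    def file_slack(self, name: str) -> bytes:
        """Bytes between the logical end of the file and the end of its last cluster."""
        chosen, size = self.dir[name]
        last = chosen[-1]
        used = size - (len(chosen) - 1) * CLUSTER
        return bytes(self.disk[last * CLUSTER + used:(last + 1) * CLUSTER])

    def unallocated(self) -> bytes:
        """Everything in clusters the file system currently considers free."""
        return b"".join(bytes(self.disk[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, f in enumerate(self.free) if f)

    def logical_search(self, pattern: bytes) -> List[str]:
        """What an ordinary user's search sees: only live files, only their logical size."""
        return [n for n in self.dir if pattern in self.read(n)]

    def physical_search(self, pattern: bytes) -> List[int]:
        """What a forensic tool sees: every byte on the disk, regardless of allocation."""
        hits, i = [], self.disk.find(pattern)
        while i != -1:
            hits.append(i)
            i = self.disk.find(pattern, i + 1)
        return hits


def demo() -> TinyFS:
    """Write a secret, delete it, then write a short note over the start of it."""
    fs = TinyFS()
    fs.write("plan.txt", b"SECRET MEETING 2AM " * 60)   # 1140 bytes: clusters 0, 1, 2
    fs.delete("plan.txt")
    fs.write("note.txt", b"nothing to see here")         # 19 bytes into cluster 0
    return fs
```

After the demo, a logical search for the secret finds nothing, because no live file contains it; a physical search finds 59 copies: one was overwritten by the note, the remainder of cluster 0 is now the note's file slack, and clusters 1 and 2 are unallocated space that nobody has reused yet.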

virtual memory

A memory-management scheme that lets the operating system treat a file of adjustable size on disk as an extension of RAM, so programs can use more memory than is physically installed. The backing file can be written and deleted like any other file, and its remnants are recoverable the same way. See also swap file.

volume

A specific amount of storage space on hard drives, CDs, and disks. In some instances, computer media may contain more than one volume, whereas in other cases, one volume may be contained on more than one disk.

weakest link

Typically, the human link.

wiping software

Software used on storage media to ensure that no cross contamination of cases or evidence occurs. Failing to wipe all storage media, including brand-new media, dooms the investigation and your credibility.

write blocker (protector)

Hardware or software that protects the original evidence while creating a forensics copy. Devices such as the Weibetech Forensic Ultradock keep you from accidentally writing to storage devices during a preview or acquisition from a suspect's media. Don't copy without it. Also called a write protector.

write protection

A setting or device that prevents any data from being written to a disk or other storage device, so that its contents can be read any number of times without alteration. See also write blocker (protector).
