Glossary of Key Terms

802.11 standards

A set of wireless local area network (LAN) standards for computer communication in the 2.4, 3.6, and 5 GHz frequency bands.

A

Adverse event

An event with negative consequences, such as a system crash, a network packet flood, unauthorized use of system privileges, unauthorized access to sensitive data, or execution of malicious code that destroys data.

Algorithm

A step-by-step procedure that a computer follows to solve a problem.

Alternate data streams (ADS)

In Microsoft's NTFS (NT File System), metadata associated with a file system object. ADS can be used to hide data.

Ambient computer data

Data stored in the Windows swap file, unallocated space, and file slack. It includes e-mail fragments, word processing fragments, directory tree snapshots, and potentially almost anything that has occurred on the subject computer. Ambient computer data can be a valuable source of computer evidence. Also known as residual data.

American Society of Crime Laboratory Directors (ASCLD)

An organization that provides guidelines for managing a forensics lab. ASCLD also certifies computer forensics labs.

Anonymizer

An e-mail server that strips identifying information from a message, such as the original sender's address and the originating computer's IP address, before forwarding it, so that the recipient cannot trace the message back to its source.

Anonymous remailing

Sending an e-mail message through an anonymizer so that identifying information, including the originating computer's IP address, is stripped before the message is forwarded to its recipient.

Anti-Cybersquatting Consumer Protection Act (ACPA)

A 1999 act designed to stop people from registering domain names that are trademarks that belong to other entities.

Anti-forensics

Attempts to adversely affect the existence, amount, and quality of evidence from a crime scene or to make the analysis and examination of evidence difficult or impossible to conduct.

Artifact

Data that an attacker leaves behind when compromising a system—such as code fragments, trojaned programs, running processes, or sniffer log files.

B

Backdoor

A difficult-to-detect way to bypass normal authentication, gain remote access to a computer, obtain access to plaintext, and so on. A rootkit may install a backdoor to enable an attacker to access the system, regardless of changes to system accounts or other access control techniques.

Backup

A copy of data that can be used to restore data if it is lost or corrupted.

Backup server

A server that is used to manage the policies, schedules, media catalogs, and indexes associated with the systems it is configured to back up.

Backup window

The period of time when backups can be run.

Batch file

A text file that contains a series of commands intended to be executed by the command interpreter. When a batch file is run, another program reads the file and executes its commands.

Bit stream backup

A backup that involves the copying of every bit of data on a computer hard disk drive or another type of storage media. A bit stream backup exactly replicates all sectors on the storage device, so all files and ambient data storage areas are copied. Bit stream backups are sometimes referred to as mirror image backups or evidence-grade backups, and they differ substantially from standard file backups and network server backups. Making a bit stream backup is referred to as imaging.
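The following Python sketch is an added example, not part of the original glossary: it acquires a bit stream image sector by sector and verifies it with SHA-256, which is the routine behind imaging and forensic soundness. The "device" is a constructed 16-sector byte string; a real acquisition would read the evidence drive through a read-only handle behind a write blocker in its place.

```python
import hashlib
import io

SECTOR = 512

# Constructed stand-in for a storage device: 16 sectors (8 KiB) of sample bytes.
# A real acquisition would read the block device itself (a read-only handle on
# the evidence drive behind a hardware write blocker) instead of this buffer.
SAMPLE_DEVICE = bytes(range(256)) * 32


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def image_device(src, dst, chunk_sectors=8, sector_size=SECTOR):
    """Copy every sector from src to dst, hashing the bytes as they are read.

    Reading raw sectors rather than files is what makes this a bit stream image:
    unallocated space and slack are copied along with the allocated files.
    Returns (bytes_copied, hex SHA-256 of everything read from src).
    """
    h = hashlib.sha256()
    copied = 0
    while True:
        chunk = src.read(chunk_sectors * sector_size)
        if not chunk:
            break
        h.update(chunk)
        dst.write(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


def hash_stream(stream, chunk_size=65536) -> str:
    """Hash a file-like object in chunks so a large image never sits in memory whole."""
    h = hashlib.sha256()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def acquire_and_verify(device_bytes: bytes) -> dict:
    """Acquire an image and confirm three hashes agree: the one computed during
    acquisition, the hash of the written image, and an independent re-read of
    the source. Record the hash with the chain-of-custody paperwork."""
    src = io.BytesIO(device_bytes)
    dst = io.BytesIO()
    copied, acquisition_hash = image_device(src, dst)
    dst.seek(0)
    image_hash = hash_stream(dst)
    src.seek(0)
    source_hash = hash_stream(src)
    return {
        "bytes": copied,
        "sectors": copied // SECTOR,
        "hash": acquisition_hash,
        "verified": acquisition_hash == image_hash == source_hash,
    }


def image_matches_source(source: bytes, image: bytes) -> bool:
    """Later re-verification: the image is evidence-grade only while its hash
    still matches the hash recorded at acquisition time."""
    return sha256_hex(source) == sha256_hex(image)


if __name__ == "__main__":
    print(acquire_and_verify(SAMPLE_DEVICE))
```

A single flipped byte anywhere in the image changes the digest, which is why the acquisition hash, not a file listing, is what a court-ready image is verified against.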

Black-box system forensic software tools

Tools that are used to check that the output of a program is as expected, given certain inputs. These tools do not actually examine the program being executed.

Block-level incremental backup

A backup of only the blocks that have changed since the last backup.

Bluetooth

A popular wireless protocol for connecting devices over short distances. The most popular use of Bluetooth is to create PANs of devices that communicate with a computer or device.

Boot process

A process that starts an operating system when the user turns on a computer system.

Botnet

A collection of compromised computers (bots) that an attacker controls remotely and in concert. Botnets are commonly used to send out spam extremely quickly and to launch distributed denial of service attacks.

Bundled product

Hardware, software, maintenance, and support provided together for a single price.

Business case

A reasoned proposal for making a change, such as a plan that justifies acquiring newer and better resources to investigate computer forensics cases.

C

Campus area network (CAN)

A network that is larger than a LAN but generally smaller than a MAN. CANs are useful to connect the LANs across multiple buildings that are all in fairly close proximity to one another.

Carrier file

The data that is used to hide secret data in steganography. Today, multimedia files, such as pictures or sound, are most commonly used as carrier messages to hide secret data. A carrier file is also called a cover file or carrier message.

Certification

A designation that recognizes a person's qualification to perform a job or task. Many certifications are earned based on experience and passing an exam. Professional bodies provide certification to safeguard the public interest.

Chain of custody

Continuity of evidence that makes it possible to account for all that has happened to evidence between its original collection and its appearance in court, preferably unaltered.

Chief information officer (CIO)

An executive who heads information technology (IT) in an organization.

Chief technology officer (CTO)

An executive who is focused on scientific and technical issues in an organization. A CTO is responsible for the transformation of capital—whether monetary, intellectual, or political—into technology.

Clean room

An environment that has a controlled level of contamination, such as dust, microbes, and other particles. The level of contamination is specified by the number of particles per cubic meter at a specified particle size. Data recovery experts use a clean room to protect media while making repairs to salvage the data.

Cloud computing

Using the Internet to allow people to access massively scalable technology-enabled services. Cloud computing includes searching for flights online or using Facebook, neither of which qualifies as SaaS.

Cluster

A fixed-length block of one to 128 contiguous sectors that is the smallest unit of space a DOS- or Windows-based file system allocates to a file. Because allocation is in whole clusters, the last cluster of a file is usually only partly used (see File slack).

Cluster computing

Linking computers into local area networks (LANs) to improve performance and availability while reducing costs.

Collaborative computing

A technique for analyzing problems and developing solutions using the combined efforts of a number of individuals focused on a particular issue.

Compression

The process of encoding information with fewer bits than the unencoded information would use.

Computer Forensics Tool Testing (CFTT)

A project of the National Institute of Standards and Technology (NIST) that focuses on developing standards to ensure reliable results during forensic investigations. The project seeks to help forensic tool providers improve their products, keep the justice system informed, and make information available to government agencies and other organizations.

Computer Fraud and Abuse Act (CFAA)

Passed in 1984, the first piece of federal legislation that identified computer crimes as distinct offenses. The CFAA criminalizes the act of causing certain types of damage to a protected computer.

Computer-generated information

Records that are produced by a computing device. This information includes logs, content analysis, packet captures, reconstructed artifacts, and so on. The admissibility of computer-generated records depends on their authenticity.

Computer security incident

A violation or an imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.

Configuration management

A process in which an organization records all updates it makes to its workstations.

Connection

A communication between two Internet Protocol (IP) addresses, identified by those addresses, the transport protocol (TCP or UDP), and the two port numbers that identify the service or application at each end.

Consistency checking

A data recovery technique that involves scanning the logical structure of the disk and checking to make sure it is consistent with its specification.

Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act

A 2003 act that covers unsolicited commercial e-mail messages. The act has both civil and criminal provisions. Each separate e-mail sent in violation of the CAN-SPAM Act is subject to penalties of up to $16,000.

Covert channel

A technique for passing information between computers on a network, without being detected by a firewall or an intrusion detection system. Packet crafting and protocol bending are two covert channel techniques.

Criminal intent

The mental state of mind of a defendant in committing a crime.

Cyber Crimes Center (C3)

A part of U.S. Immigration and Customs Enforcement (ICE) that identifies and apprehends Internet child pornographers.

Cybercrime

Criminal activity that pertains to the wrongful taking of information or the causing of damage to information.

Cybercriminal

An individual who uses a computer or network technology to plan or perpetrate a violation of the law.

Cybersquatting

The bad-faith registration of a domain name that is a registered trademark or trade name of another entity.

Cyberstalking

A crime that involves using the Internet, e-mail, or other electronic communications devices to repeatedly harass or threaten another person.

Cyberterrorist

An attacker or a group of attackers that use a target country's computers and information, usually through the Internet, to cause physical harm, severely disrupt the country's infrastructure, or create panic.

Cyberwarfare

The use of computers and the Internet to conduct warfare in cyberspace.

D

Data

Raw numbers, pictures, and other "stuff" that may or may not have relevance to a particular event or incident under investigation.

Data analysis plan

A plan that lists the types of data to be collected and describes the expected sources for the data. It should also list any anticipated problems as well as recommended strategies to deal with those problems.

Data consistency

The validity, accuracy, usability, and integrity of data. This is an issue in live system forensics. When data is not acquired at a unified moment, it is inconsistent.

Data recovery

The process of salvaging data from damaged, failed, corrupted, or inaccessible primary storage media when it cannot be accessed normally. It involves evaluating and extracting data from damaged media and returning it in an intact format. Data recovery can also be the process of retrieving and securing deleted information from a storage media for forensic purposes or spying.

Dead man's switch

A switch an attacker plants that destroys any evidence when the system detects that it's offline.

Dead system analysis

Forensic analysis of machines that have been shut down.

Demonstrative evidence

Information such as a chart that helps explain other evidence to a judge and jury.

Denial of service (DoS)/distributed denial of service (DDoS) attack

An attack in which an attacker deprives people of the services they are entitled to access or provide, typically by exhausting a system's resources or bandwidth. In a DDoS attack the traffic comes from many sources at once, often a botnet.

Department of Defense (DoD)

The department of the U.S. federal government that coordinates and supervises agencies and functions of the government related to national security and the U.S. armed forces.

DFRWS framework

A framework for ensuring forensic soundness that has six classes: identification, preservation, collection, examination, analysis, and presentation. Each of these classes has several elements. The Digital Forensics Research Workshop (DFRWS) created this framework in 2001.

Differential backup

A backup that copies only the files that have changed since the last full backup. Because each differential includes everything changed since the full backup, restoring requires only the full backup plus the most recent differential.

Digital Forensics Research Workshop (DFRWS)

A nonprofit volunteer organization that aims to enhance the sharing of knowledge and ideas about digital forensics research. The DFRWS sponsors annual conferences, technical working groups, and challenges to help drive the direction of research and development. In 2001, the DFRWS developed a framework for digital investigation that is useful today.

Digital watermarking

A technique that allows the addition of copyright notices or other verification messages to digital audio, video, or image signals and documents.

Disaster recovery plan

A plan that helps a lab restore its workstations and file servers to their original condition after a catastrophic failure occurs.

Disk forensics

The process of acquiring and analyzing data stored on physical storage media, such as computer hard drives, smartphones, and removable media. Disk forensics includes the recovery of hidden and deleted data. It also includes the process of identifying who created a file or message.

Documentary evidence

Written evidence that must be authenticated, such as a printed report or a log file.

DoD Cyber Crime Center (DC3)

A U.S. federal government agency that sets standards for digital evidence processing, analysis, and diagnostics. It is involved with DoD investigations that require computer forensic support to detect, enhance, or recover digital media.

Dump

A complete copy of every bit of memory or cache recorded in permanent storage or printed on paper.

E

Electronic Communications Privacy Act (ECPA)

A federal act that extends legal protection against wiretapping and other forms of unauthorized interception to e-mail, mobile telephones, pagers, computer transmissions, and communications provided by private communication carriers. It also explicitly allows employers to monitor communications by employees using the employers' equipment.

E-mail attachment

A file such as a picture, document, audio file, program, or video that is attached to an e-mail message.

E-mail body

An area of an e-mail message that contains the content of the communication.

E-mail client

A software program used to compose and read e-mail messages.

E-mail forensics

The study of the source and content of e-mail as evidence. E-mail forensics includes identifying the sender, recipient, date, time, and origination location of an e-mail message.

E-mail header

An area of an e-mail message that contains addressing information and the route that an e-mail takes from sender to receiver. It is an abbreviated record of the e-mail message's journey.

E-mail log

A record of each e-mail message that passes through a computer in a network.

E-mail tracing

Examining e-mail header and other information to determine the route the e-mail has traveled and the sender's identity. E-mail tracing programs and services can be used to resolve problems with sexually harassing e-mail, cyber-stalking, and other unwanted Internet and intranet communications.
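As an added example (not part of the original glossary), the Python below traces the route recorded in a message's Received headers and reports the originating IP. The message is constructed for the example using RFC 5737 documentation addresses; the host names and IDs in it are invented.

```python
import email
import re

# Constructed message for the example (RFC 5737 documentation addresses).
# Each mail server prepends its own Received line, so they read top-down
# from the final server back toward the origin.
RAW_MESSAGE = b"""\
Received: from mx2.example.org (mx2.example.org [203.0.113.7])
\tby inbox.example.org with ESMTP id 7Qx3; Mon, 3 Jun 2019 10:22:41 -0400
Received: from relay.example.net ([198.51.100.23])
\tby mx2.example.org with ESMTP; Mon, 3 Jun 2019 10:22:39 -0400
Received: from user-pc (unknown [192.0.2.45])
\tby relay.example.net with ESMTPA id 9k2; Mon, 3 Jun 2019 10:22:35 -0400
Message-ID: <a1b2c3@relay.example.net>
From: "Pat" <pat@example.net>
To: victim@example.org
Subject: hello

body text
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # the IP the receiving server saw, in brackets
FROM_RE = re.compile(r"\bfrom\s+(\S+)")                  # host name the sender claimed (HELO/EHLO)
BY_RE = re.compile(r"\bby\s+(\S+)")                      # the server that added this line


def parse_received(value: str) -> dict:
    """Pull the claimed sending host, the observed IP, and the receiving
    server's name out of one Received header."""
    text = re.sub(r"\s+", " ", value)   # unfold the header's continuation lines
    ip = IP_RE.search(text)
    sender = FROM_RE.search(text)
    receiver = BY_RE.search(text)
    return {
        "from": sender.group(1) if sender else None,
        "ip": ip.group(1) if ip else None,
        "by": receiver.group(1) if receiver else None,
    }


def trace_route(raw: bytes) -> list:
    """Return the hops in travel order, origin first."""
    msg = email.message_from_bytes(raw)
    hops = [parse_received(str(h)) for h in msg.get_all("Received", [])]
    hops.reverse()   # bottom Received line is the first hop
    return hops


def origin_ip(raw: bytes):
    hops = trace_route(raw)
    return hops[0]["ip"] if hops else None


if __name__ == "__main__":
    for hop in trace_route(RAW_MESSAGE):
        print(hop)
    print("origin:", origin_ip(RAW_MESSAGE))
```

Only the Received lines added by servers you control or trust are reliable; a sender can forge any lines below them. Work down from the top and stop trusting the chain at the first server that is not yours, then confirm the IP it observed against that server's own logs.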

Embedded file

In steganography, the data that is to be kept a secret. An embedded file is also called an embedded message.

Embedding

In steganography, the process of hiding data. Also known as running the steganography algorithm.

Event

Any observable occurrence in a system or network. Examples of events include a user connecting to a file share, a server receiving a request for a Web page, a user sending e-mail, and a firewall blocking a connection attempt.

Event-based digital forensic investigation framework

A model for forensic investigation that has five phases: readiness, deployment, physical crime scene investigation, digital crime scene investigation, and presentation. The Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University created this model in 2004.

Evidence

Information that supports a specific finding or determination. Evidence may be conclusive or interpretive.

Evidence dynamics

Anything that changes or destroys digital evidence between the time the evidence is created and when the case goes to court. An action that changes the evidence could be either accidental or deliberate.

Evidence storage container

A container that stores evidence and is secured so that no unauthorized person can easily access the evidence. Also known as an evidence locker.

Evidence storage room

A room that stores large computer components, such as computers, monitors, and other peripheral devices. It may or may not be located within the lab itself.

Exculpatory evidence

Evidence that clears or tends to clear someone of guilt.

Extortion

An attempt to gain money or something else of value by threatening, coercing, or intimidating a victim.

Extraction

In steganography, the recovery of an embedded message.
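The entries for carrier file, embedded file, embedding, and extraction describe one process from two ends. As an added example that is not part of the original glossary, the Python below implements the simplest form of it, least-significant-bit (LSB) embedding, on a constructed carrier: the raw 8-bit pixel values of a small gradient standing in for image data. The length prefix and the plausibility check are choices made for this example, not a standard format.

```python
# Constructed carrier: raw 8-bit grayscale pixel values of a 32x32 gradient,
# standing in for the pixel data of an image file.
CARRIER = bytes((x * 7 + y * 3) % 256 for y in range(32) for x in range(32))
SECRET = b"meet at 0900"          # the embedded message

LENGTH_FIELD = 4                  # bytes of length prefix so extraction knows where to stop


def _to_bits(data: bytes):
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed(carrier: bytes, secret: bytes) -> bytes:
    """Write the secret, one bit per carrier byte, into the least significant bits."""
    payload = len(secret).to_bytes(LENGTH_FIELD, "big") + secret
    needed = len(payload) * 8
    if needed > len(carrier):
        raise ValueError("carrier too small: need %d bytes, have %d" % (needed, len(carrier)))
    stego = bytearray(carrier)
    for i, bit in enumerate(_to_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(stego: bytes, first_bit: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Recover the embedded message; raises ValueError if there cannot be one."""
    if len(stego) < LENGTH_FIELD * 8:
        raise ValueError("carrier too small to hold a length field")
    length = int.from_bytes(_read_bytes(stego, 0, LENGTH_FIELD), "big")
    if LENGTH_FIELD * 8 + length * 8 > len(stego):
        raise ValueError("no valid embedded message (length field exceeds carrier)")
    return _read_bytes(stego, LENGTH_FIELD * 8, length)


def has_embedded_message(stego: bytes) -> bool:
    """Plausibility check only: a random carrier can still pass by chance."""
    try:
        extract(stego)
        return True
    except ValueError:
        return False


def max_pixel_change(carrier: bytes, stego: bytes) -> int:
    """How far any carrier value moved; LSB embedding changes each by at most 1."""
    return max(abs(a - b) for a, b in zip(carrier, stego))


if __name__ == "__main__":
    stego = embed(CARRIER, SECRET)
    print("recovered:", extract(stego), "max change:", max_pixel_change(CARRIER, stego))
```

Because every carrier value moves by at most one, the picture looks unchanged to the eye, which is the point of a carrier file; it is also why examiners compare a suspect image's LSB plane against statistical expectations rather than looking at it.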

F

Federal Rules of Evidence (FRE)

A code of evidence law that governs the admission of facts by which parties in the U.S. federal court system may prove their cases. FRE Rules 901 and 902 provide the guidelines for authentication and identification of evidence for admissibility; the U.S. Department of Justice manual "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" gives further guidance on applying them to digital evidence.

File allocation table (FAT)

A table that stores associations between files and the clusters assigned to them.

File slack

The space left over between the last byte of a file and the end of the last cluster allocated to it, which exists because a file system allocates storage in whole clusters. Slack space can retain whatever the cluster held before (fragments of deleted files, or memory contents written out with the final sector), so it is a potential source of leaked passwords, network logons, e-mail, database entries, and word processing documents. Also known as slack space.
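An added example, not from the original glossary, showing in Python how slack arises from the cluster and sector entries above and why it is worth carving. The volume geometry (512-byte sectors, four sectors per cluster) and the cluster contents are constructed for the example.

```python
SECTOR = 512
SECTORS_PER_CLUSTER = 4
CLUSTER = SECTOR * SECTORS_PER_CLUSTER    # 2,048-byte clusters (assumed volume geometry)


def clusters_needed(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Whole clusters the file system must allocate for a file of this size."""
    return (file_size + cluster_size - 1) // cluster_size


def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Bytes between the file's last byte and the end of its last cluster."""
    if file_size == 0:
        return 0
    return clusters_needed(file_size, cluster_size) * cluster_size - file_size


# Constructed contents of one cluster *before* it was reused: a deleted form
# submission whose interesting part sits 1,000 bytes into the cluster.
OLD_CLUSTER_CONTENTS = (b"~" * 1000 + b"user=alice&password=hunter2\r\n").ljust(CLUSTER, b"\x00")

# Constructed new file written into that same cluster; it is far shorter than
# the cluster, so it overwrites only the beginning.
NEW_FILE = b"Q1 sales summary: revenue up 4%.\n" * 20


def write_file_into_cluster(old_contents: bytes, new_file: bytes, cluster_size: int = CLUSTER) -> bytes:
    """Simulate a file system reusing a cluster: the new data is written over the
    start of the cluster and the bytes past the file's end are left untouched."""
    if len(new_file) > cluster_size:
        raise ValueError("this example only models a single-cluster file")
    cluster = bytearray(old_contents[:cluster_size])
    cluster[: len(new_file)] = new_file
    return bytes(cluster)


def carve_slack(volume: bytes, file_size: int, cluster_size: int = CLUSTER) -> bytes:
    """Return the slack region: from the end of the file to the end of its last cluster."""
    end = clusters_needed(file_size, cluster_size) * cluster_size
    return volume[file_size:end]


def find_residue(slack: bytes, needles) -> list:
    """Keyword search over slack space for traces of earlier data."""
    return [n for n in needles if n in slack]


if __name__ == "__main__":
    volume = write_file_into_cluster(OLD_CLUSTER_CONTENTS, NEW_FILE)
    slack = carve_slack(volume, len(NEW_FILE))
    print("file bytes:", len(NEW_FILE), "slack bytes:", slack_bytes(len(NEW_FILE)))
    print("residue found:", find_residue(slack, [b"password=", b"user="]))
```

A logical copy of NEW_FILE would never include the password fragment; only a bit stream image that preserves the whole cluster does, which is the reason imaging is preferred over file-by-file backups for evidence.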

Firewall

A set of hardware and software components that protect system resources from attack by intercepting and checking network traffic.

Flash memory media

A computer memory chip or card that retains its data without being connected to a power source.

Footprinting

The process of collecting data about a specific network environment, usually for the purpose of finding ways to attack the target.

Forensic soundness

A state in which data is complete and materially unaltered.

Fourth Amendment to the U.S. Constitution

An amendment that guards against unreasonable searches and seizures. The Fourth Amendment specifically requires that search and arrest warrants be judicially sanctioned and supported by probable cause.

Fraud

A crime that involves intentional deception for personal gain or to cause other damage to an individual or a company.

Freezing the scene

A data collection method that involves taking a snapshot of a system in its compromised state and notifying the necessary authorities.

Fuzzy logic tool

A tool used to identify unknown strings of text by searching for values between "completely true" and "completely false."

G

Global area network (GAN)

A collection of interconnected LANs, CANs, MANs, and even WANs that spans an extremely large area.

Graphical user interface

An interface for issuing commands to a computer using a pointing device (mouse) that manipulates and activates graphical images on a monitor.

H

Hacking

Illegal intrusion into a computer system without the permission of the computer owner or user.

Hardware fingerprinting

Checking to determine what hardware is present on a system.

Hearsay

An out-of-court statement offered to prove the truth of what it asserts, that is, evidence presented by a person who did not directly witness the fact. Hearsay is generally inadmissible in court and should be avoided, although recognized exceptions exist, such as records kept in the ordinary course of business.

Honeypot

A trap set for cybercriminals that involves a system or data that is attractive to the hackers.

Honeypotting

A data collection process that involves creating a replica system and luring the attacker into it for further monitoring.

Host protected area (HPA)

An area on a hard drive where data can be hidden. The HPA was designed as an area where computer vendors could store data that is protected from user activities and operating system utilities, such as delete and format.

Human-generated information

Information created by humans. It includes e-mail messages, text messages, word processing documents, digital photos, and other records that are transmitted or stored electronically.

Hypertext Transfer Protocol (HTTP)

A protocol that is involved in requesting and transmitting files over the Internet or another network; a protocol used for most Web browser/Web server communication.

I

Identity theft

A crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception. Criminals typically commit identity theft for economic gain. Also known as identity fraud.

Identity Theft and Assumption Deterrence Act

A federal 1998 act that makes identity theft a federal crime. A person who violates the law is subject to criminal penalties of up to 15 years in prison. This period increases to 20 years in special circumstances. Violators can also be fined up to $250,000.

Image backup

A backup that creates copies or snapshots of a file system at a particular point in time.

Imaging

The process of creating a complete sector-by-sector copy of a disk drive. Also known as making a bit stream backup.

Incident response plan

A document that outlines specific procedures to follow in the event of a security incident.

Incident response team (IRT)

A group of people with responsibilities for dealing with any security incident in an organization.

Incremental backup

A backup that transfers only the data that has changed since the last backup.
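The differential and incremental entries are easy to confuse, so here is an added example (not part of the original glossary) in Python that runs both strategies over a constructed week of file snapshots and shows what each backup contains and what each restore needs. File versions stand in for modification stamps.

```python
# Constructed daily snapshots of a small file server: file name -> version number
# (think of it as the last-modified stamp). Sunday's state is what the full
# backup captured.
SNAPSHOTS = [
    {"a.doc": 1, "b.xls": 1, "c.txt": 1},   # Sunday: full backup taken here
    {"a.doc": 1, "b.xls": 2, "c.txt": 1},   # Monday: b.xls edited
    {"a.doc": 1, "b.xls": 2, "c.txt": 2},   # Tuesday: c.txt edited
    {"a.doc": 2, "b.xls": 2, "c.txt": 2},   # Wednesday: a.doc edited
]


def changed_since(current: dict, baseline: dict) -> dict:
    """Files whose version differs from the baseline (new files count as changed)."""
    return {f: v for f, v in current.items() if baseline.get(f) != v}


def differential_backups(snapshots: list) -> list:
    """Each differential holds everything changed since the FULL backup, so the
    sets grow through the week but only the latest one is needed to restore."""
    full = snapshots[0]
    return [changed_since(s, full) for s in snapshots[1:]]


def incremental_backups(snapshots: list) -> list:
    """Each incremental holds only what changed since the PREVIOUS backup, so the
    sets stay small but every one of them is needed to restore."""
    return [changed_since(s, prev) for prev, s in zip(snapshots, snapshots[1:])]


def restore_from_differential(full: dict, diffs: list) -> dict:
    state = dict(full)
    if diffs:
        state.update(diffs[-1])    # only the newest differential is applied
    return state


def restore_from_incremental(full: dict, incs: list) -> dict:
    state = dict(full)
    for inc in incs:               # applied in order; a missing one leaves files stale
        state.update(inc)
    return state


def copies_written(backups: list) -> int:
    """Rough cost measure: total number of file copies written across the week."""
    return sum(len(b) for b in backups)


if __name__ == "__main__":
    full = SNAPSHOTS[0]
    print("differential sets:", differential_backups(SNAPSHOTS))
    print("incremental sets: ", incremental_backups(SNAPSHOTS))
    print("restore ok:", restore_from_differential(full, differential_backups(SNAPSHOTS)) == SNAPSHOTS[-1],
          restore_from_incremental(full, incremental_backups(SNAPSHOTS)) == SNAPSHOTS[-1])
```

The trade-off is visible in the numbers: the differentials write twice as many file copies over the week, but losing Tuesday's incremental tape silently leaves c.txt at its Sunday version after a restore.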

Incriminating evidence

Evidence that shows, or tends to show, a person's involvement in an act, or evidence that can establish guilt.

Information

Data that has been processed and assembled so that it is relevant to an investigation.

Intellectual property theft

A crime that involves stealing trade secrets, material that is copyrighted, or other information to which an individual or a company has a right.

Internet forensics

The process of piecing together where and when a user has been on the Internet.

Internet Message Access Protocol (IMAP)

A protocol that allows an e-mail client to access e-mail on a remote mail server.

Internet Protocol (IP)

The primary network protocol used on the Internet. On the Internet and many other networks, IP is often used together with Transmission Control Protocol (TCP) and referred to as TCP/IP.

Internet Protocol (IP) address

A numeric label that identifies a device and provides a location address. A forensic investigator may be able to identify IP addresses from a message header and use this information to determine who sent the message.

Intrusion detection system (IDS)

Software that automates the process of monitoring events occurring in a computer system or network and analyzing them for signs of possible incidents. An IDS detects and alerts; a system that also attempts to stop the detected activity is an intrusion prevention system (IPS).

J

Jailbreaking

A hacking process by which iPhone firmware is overwritten to install third-party applications or unlock the device. The jailbreaking process makes modifications to the user data partition and is therefore forensically unsound.

K

Kerckhoffs' principle

A principle of cryptographic design, stated by Auguste Kerckhoffs in 1883, that a system should remain secure even if everything about it except the key is public knowledge. It is the opposite of security through obscurity.

Kernel module rootkit

A type of rootkit that loads into the operating system kernel, for example as a loadable kernel module or device driver, rather than into user-space programs. The rootkit intercepts system calls by acting as a "man in the middle" between applications and the kernel, deciding what information and programs the user does and does not see.

L

Lab manager

An individual who performs general management tasks for a computer forensics lab, such as promoting group consensus in decision making, maintaining fiscal responsibility for lab needs, and enforcing ethical standards among staff members.

Live analysis school of thought

A segment of the forensics world that recommends leaving a suspect computer turned on and working on it immediately after securing it.

Live response

A live system forensics technique in which an investigator surveys the crime scene and simultaneously collects evidence and probes for suspicious activity. The purpose of live response is to collect relevant evidence from a system to confirm whether an incident occurred.

Live system forensics

An area of systems forensics that is used to search memory in real time. Live system forensics is typically used for working with compromised hosts and to identify system abuse.

Local area network (LAN)

A network that covers a small physical area, such as an office or a building. LANs are common in homes and businesses and make it easy to use resources such as printers and shared disks.

Locard's exchange principle

A basic concept of forensic science, which states that "with contact between two items, there will be an exchange." In other words, every contact leaves a trace.

Log file

A record that a network device keeps of a person's activities on a system or network. Network security devices such as firewalls and intrusion detection systems (IDS) generate logs. Routers, VPNs, and other devices also produce logs.

Logical analysis

Analysis using the native operating system, on the evidence disk or a forensic duplicate, to peruse the data. Logical analysis looks for things that are visible, known about, and possibly controlled by the user.

Logical damage

Damage to a file system that may prevent it from being mounted by the host operating system. Logical damage is caused primarily by power outages that prevent file system structures from being completely written to the storage medium. However, problems with hardware and drivers, as well as system crashes, can have the same effect.

M

Mail relay

A server typically used within local networks to transmit e-mail messages among local users. Mail relays are often used in e-mail aliasing: They forward mail for multiple e-mail addresses to a single address.

Mail server

A device and/or program that routes an e-mail to the correct destination. A server that functions as an electronic post office, sending and receiving electronic mail. Most of the time, the mail server is separate from the computer where the mail was composed. Also referred to as a mail relay.

Malware

Malicious software that is designed to infiltrate a computer system without the user's consent. Malware includes computer viruses, worms, Trojan horses, spyware, some types of adware, and other malicious and unwanted software.

Master boot record (MBR)

On a drive that uses a DOS (MBR) partition scheme, the first sector of the drive. The MBR holds the boot code needed to start loading the operating system and the four-entry partition table, and ends with the 0x55AA signature. Traditionally the first partition does not begin until sector 63, which leaves 62 unused sectors between the MBR and the partition in which data can be hidden.
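An added example (not from the original glossary) in Python: it parses the partition table of a constructed MBR, locates the gap between the MBR and the first partition, and scans that gap for anything non-zero. The disk image, including the note stashed in sector 10, is built inside the example.

```python
import struct

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count (little-endian)


def partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    chs = b"\xff\xff\xff"   # CHS fields are ignored by modern tools; LBA is authoritative
    return struct.pack(ENTRY_FMT, 0x80 if bootable else 0x00, chs, ptype, chs, lba_start, sectors)


def build_sample_disk() -> bytes:
    """Constructed 63-sector image: an MBR whose single NTFS partition (type 0x07)
    starts at LBA 63, plus a note hidden in sector 10 of the unused gap."""
    mbr = (b"\x00" * 446                          # boot code area (left empty here)
           + partition_entry(True, 0x07, 63, 204800)
           + b"\x00" * 48                         # three unused entries
           + b"\x55\xaa")                         # boot signature
    gap = bytearray(SECTOR * 62)                  # sectors 1..62
    note = b"hidden: meet at pier 9"
    gap[9 * SECTOR: 9 * SECTOR + len(note)] = note   # gap index 9 is disk sector 10
    return mbr + bytes(gap)


def parse_mbr(sector: bytes) -> list:
    """Return the non-empty partition entries of an MBR sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return parts


def gap_after_mbr(parts: list) -> range:
    """Sector numbers between the MBR (sector 0) and the first partition."""
    first = min(p["lba_start"] for p in parts)
    return range(1, first)


def nonblank_gap_sectors(disk: bytes, parts: list) -> list:
    """Sectors in the gap that contain anything other than zeros: hidden-data candidates
    (legitimate boot loaders such as GRUB also live here, so examine, don't assume)."""
    hits = []
    for n in gap_after_mbr(parts):
        if any(disk[n * SECTOR:(n + 1) * SECTOR]):
            hits.append(n)
    return hits


if __name__ == "__main__":
    disk = build_sample_disk()
    parts = parse_mbr(disk[:SECTOR])
    print(parts)
    print("gap sectors:", len(gap_after_mbr(parts)), "non-blank:", nonblank_gap_sectors(disk, parts))
```

Run against a real image, the same parser flags a drive whose first partition starts at sector 2048 (the modern 1 MiB alignment) as having a much larger gap; the scan step is what matters, not the exact number.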

Means

The ability to commit a crime.

Metadata

Data about data. In a computer file, metadata provides information about a file. This information includes the means of creation, the purpose of the data, the time and date of creation, the creator or author of data, where the data was created, and what standards were used.

Metropolitan area network (MAN)

A network that connects two or more LANs but does not span an area larger than a city or town. MANs are used to connect multiple buildings or groups of buildings spread around an area larger than a few city blocks.

Mirroring

Physical replication of all data, with two copies of the data kept online at all times. The advantage of mirroring is that the data does not have to be restored, so there are no issues with immediate data availability.

Moore's law

A trend in which the number of transistors on an integrated circuit doubles every two years.

Motive

A reason a suspect commits a crime.

N

Network

A collection of computers and devices joined by connection media. In a typical enterprise network environment, network components work together to make information and resources available to many users.

Network forensics

An area of system forensics that focuses on investigating network intrusions, abuse, and often crimes that cross jurisdictions.

O

Obscured data

Data that is difficult to collect and analyze because it is encrypted, compressed, or in a proprietary format.

Open Systems Interconnection (OSI) reference model

A tool for understanding communications systems. The OSI reference model divides networking into seven layers. Each layer contains similar functions that provide services to the layer above it and receive services from the layer below it.

Opportunity

The chance to commit a crime.

Order of volatility

A list of evidence sources ordered by how quickly they change, so that the most volatile are collected first: CPU registers and cache, then memory, network state, and running processes, then disk, and finally archival media such as backups.

P

Packet crafting

A covert channel technique that involves embedding data in packet headers.
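As an added example, not part of the original glossary, the Python below crafts IPv4 headers that carry a message in the 16-bit Identification field, reassembles it on the receiving side, and applies a crude detector. Packets are built and inspected as byte strings only; nothing is sent. The addresses are RFC 5737 documentation addresses, and the length-prefix framing and the sequential-ID heuristic are assumptions made for this example.

```python
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum, src, dst


def inet_aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, payload: bytes = b"", ttl: int = 64, proto: int = 17) -> bytes:
    """Craft a minimal 20-byte IPv4 header (no options) with the given Identification value."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), ident, 0, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def covert_send(src: str, dst: str, secret: bytes) -> list:
    """Sender side: two secret bytes per packet, carried in the Identification field.
    The first field carries the message length so the receiver knows where it ends."""
    data = len(secret).to_bytes(2, "big") + secret
    if len(data) % 2:
        data += b"\x00"
    return [build_ipv4(src, dst, struct.unpack("!H", data[i:i + 2])[0]) for i in range(0, len(data), 2)]


def ip_ids(packets: list) -> list:
    return [struct.unpack("!H", p[4:6])[0] for p in packets]


def covert_receive(packets: list) -> bytes:
    """Receiver side: concatenate the Identification fields and trim to the announced length."""
    data = b"".join(struct.pack("!H", i) for i in ip_ids(packets))
    length = int.from_bytes(data[:2], "big")
    return data[2:2 + length]


def ids_look_sequential(packets: list) -> bool:
    """Crude detector (heuristic assumed for this example): many stacks assign IP IDs
    that increase by one per packet, so a flow whose IDs jump around merits a look."""
    ids = ip_ids(packets)
    return all((b - a) % 65536 == 1 for a, b in zip(ids, ids[1:]))


if __name__ == "__main__":
    pkts = covert_send("192.0.2.10", "203.0.113.5", b"exfil")
    print("packets:", len(pkts), "ids:", ip_ids(pkts))
    print("recovered:", covert_receive(pkts), "sequential ids:", ids_look_sequential(pkts))
```

Every crafted header passes the checksum, which is why a firewall that only validates packet structure never notices the channel; detection has to look at the values a field takes over time, not at whether each packet is well formed.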

Peer-to-peer (P2P) network

A network in which each user manages his or her own resources and configures who may access the user's computer resources and how. On a P2P network, each computer is configured individually.

Personal area network (PAN)

A network that consists of one or more workstations and its network devices, such as printers, PDAs, network disk systems, and scanners. A PAN refers to the networked devices one person would likely use and normally does not span an area larger than an office or cubicle.

Phishing

A crime that involves using e-mail or Web sites to get confidential information by deceptive means.

Physical analysis

Offline analysis conducted on an evidence disk or forensic duplicate after booting from a CD or another system. Physical analysis looks for things that may have been overlooked, or are invisible, to the user.

Physical damage

Damage to storage media that occurs on a physical level, such as broken tapes or CDs or hard disks damaged by fire or water. Physical damage always causes at least some data loss. In many cases, the logical structures of the file system are damaged as well.

Piracy

Theft of material that is copyrighted through the illegal copying of genuine programs or counterfeiting of products that are intended to pass as originals.

Pirate

To defeat copy protection in order to copy software or other files.

Post Office Protocol (POP)

A protocol that local e-mail clients use to retrieve e-mail from a remote server.

Pretty Good Privacy (PGP)

A widely used encryption program for protecting the privacy of e-mail and other computer files. PGP uses hybrid encryption: each message is encrypted with a random symmetric session key, and that session key is encrypted with the recipient's public key, so only the holder of the matching private key can recover it. PGP can also digitally sign messages. With strong keys, encrypted data is practically impossible to decipher without the appropriate key.

Protocol bending

A covert channel technique that involves the use of a network protocol for some unintended purpose.

Public-key cryptography

A form of encryption that uses a pair of cryptographic keys: one public, the other private. The public key is freely distributed and is used to encrypt the information to be sent. The recipient holds the private key and uses it to decrypt the received information.

Public key steganography (PKS)

A form of steganography that uses a public/private key pair: the sender embeds a message using the receiver's public key, and only the holder of the matching private key can detect the presence of the embedded message and extract it. When the sender and receiver instead share a secret key, called the stego key, the method is secret key steganography.

R

Real evidence

A physical object that can be touched, held, or directly observed, such as a hard drive or removable media. Also: Any evidence that speaks for itself, without relying on anything else. An example is a log produced by an audit function.

Real time

The actual time during which a process takes place.

Rootkit

A program or a combination of several programs designed to hide or obscure the fact that a system has been compromised.

Router

A hardware or software device that forwards data packets across a network to a destination network.

Rules of evidence

Rules that govern whether, when, how, and why proof of a legal case can be placed before a judge or jury. The rules vary depending on the type of court and the jurisdiction.

S

Safe shutdown school of thought

A segment of the forensics world that believes a suspect computer should be carefully shut down immediately when the computer is secured.

Sandboxing

A data collection method that involves limiting what an attacker can do while still on the compromised system, so the attacker can be monitored without much further damage.

Script kiddy

A rather unsophisticated hacker who uses a point-and-click tool rather than program software.

Search warrant

A court order that allows law enforcement personnel to collect equipment or data from that equipment. Search warrants are typically used by law enforcement officers.

Sector

The smallest unit of storage on a computer. A sector is composed of bits and is generally a power of two bytes in size. A "regular" disk sector is 512 bytes.

Security through obscurity

A principle that attempts to provide security through the use of secrecy of design, implementation, and so on. A system that relies on security through obscurity may have security vulnerabilities, but its owners or designers believe that the flaws are not known, and that attackers are unlikely to find them.

Server-based network

A network in which a central server manages which users have access to which resources through a database called a directory. This is the best option when an organization has 10 or more network users.

Shadow data

Fringe data that remains on the physical track of storage media after deletion, sweeping, or scrubbing.

Simple Mail Transfer Protocol (SMTP)

A protocol that mail servers use to send and receive mail messages. E-mail clients use SMTP to send messages to a mail server for relaying.

Simple steganography

A form of steganography that is based on keeping the method for embedding a secret. Also called pure steganography.

Slurred image

An image that results from acquiring a file system while a running program is updating or changing it. A slurred image is similar to a photo of a moving object.

Sniffing

Monitoring network data using a self-contained software program or a hardware device. Sniffers examine network traffic, making a copy of the data without redirecting or altering it. Some sniffers work only with TCP/IP packets, but the more sophisticated tools can work with many other protocols.

Software as a service (SaaS)

Software that a provider licenses to customers as a service on demand, through a subscription model.

Software forensics

An area of systems forensics that is most often used to examine malicious code. Also known as malware forensics.

Spam

Unsolicited or undesired electronic messages.

Spamming

Abusing electronic messaging systems to send unsolicited, unwanted bulk messages indiscriminately.

Spoliation

Withholding, hiding, alteration, or destruction of evidence relevant to a legal proceeding, whether intentional or negligent.

Spoofing

Making an e-mail message appear to come from someone other than the real sender or location.

Steganalysis

The process of detecting messages hidden using steganography. In other words, steganalysis is about separating cover messages from stego messages.

Steganalysis software

Tools that can detect the presence of steganography.

Steganography

The process of hiding secret data within nonsecret data.

Stego key

In secret key steganography, the secret key that the sender and receiver share. Only a possessor of the stego key can detect the presence of an embedded message.

Stego message

In steganography, the message that results from the embedding process.

Storage area network (SAN)

An architecture in which a network separate from the traditional LAN connects all storage and servers. In a SAN, the devices appear to be locally attached to the operating system.

Subpoena

A court order that requires the person or organization that owns the equipment to release it for analysis. Subpoenas are typically used in civil actions or court proceedings.

System forensics

The collection, preservation, analysis, documentation, and presentation of digital evidence so that it is admissible in a court of law.

System forensics evidence

Evidence gathered from computers, digital media, or electronic devices, such as a mobile phone or digital camera.

System forensics specialist

An individual responsible for system forensics.

T

TEMPEST

Special computer-emission shielding used to shield sensitive computing systems and labs and prevent electronic eavesdropping on any computer emissions.

Temporary data

Data that an operating system creates and overwrites without the computer user taking a direct action to save this data.

Testimonial evidence

Information that is used to support or interpret real or documentary evidence. Also: Any evidence supplied by a witness. Documents from a word processing program written by a witness may be considered testimonial.

Thin client

A PC that uses little of its computing capability, functioning much like a dumb terminal.

Topology

A network design that specifies the devices, locations, and cable installation as well as how data is transferred in the network.

Trade secret

A plan, method, technology, or other sensitive information that is owned by an individual or a company. Theft of these secrets damages a business's competitive edge.

Transmission Control Protocol/Internet Protocol (TCP/IP)

A set of protocols used to send messages between computers over the Internet. IP handles delivery of the data. TCP keeps track of the individual units of data, called packets, in a message.

U

Unallocated space

The unused portion of the hard drive that is not allocated to any volume. Unallocated space is also called free space.

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (U.S.A. PATRIOT) Act

A law that amended both the Wiretap Act and the ECPA. The Patriot Act enhances law enforcement tools to intercept electronic communications to fight computer fraud and abuse offenses.

Unused space

The space that is left on a hard drive or disk when a file is deleted. The computer considers that space unused and available for reuse.

U.S. Computer Emergency Readiness Team (US-CERT)

Part of the National Cyber Security Division of the Department of Homeland Security that assists civilian agencies in their incident-handling efforts.

V

Virtual machine

A software implementation of a computer that executes programs as if it were a physical computer. For example, a Mac user might use a virtual machine to run Windows on the Mac. VMware and VirtualBox are commonly used virtual machine software programs.

Volatile data

Data from running processes on a live computer. Volatile data is memory that is highly sensitive to system usage, such as registers, memory, and cache. Such data is lost whenever a system is used. It should be collected first to minimize corruption or loss.

Volatile memory analysis

A live system forensics technique in which an investigator acquires a physical memory dump of the compromised system and transmits it to the data collection system for analysis.

Voluntary surrender

Permission from a computer or equipment owner to search and/or seize equipment as part of an investigation.

W

Wide area network (WAN)

A network that connects multiple LANs and can span very large areas, including multiple countries. WANs provide network connections among computers, devices, and other networks that communicate across great distances. For example, the Internet is a WAN.

Wireless local area network (WLAN)

A local area network that links devices wirelessly.

Wiretap Act

An amended 1968 act that governs real-time interception of the contents of a communication.

Write blocker

A piece of hardware or software that allows a system to read data from an external drive at full speed. At the same time, it blocks any write commands to the external drive to prevent unauthorized modification or formatting of the drive being examined.

Z

Zero-knowledge analysis

A file system repair technique in which a recovery specialist assumes very little about the state of the file system to be analyzed, uses any hints that any undamaged file system structures might provide, and rebuilds the file system from scratch.
