Active data
Data visible to the system's operating system. Active data are accessible without modification or reconstruction.

Allocated space
Disk space that the operating system currently considers in use. Allocated space includes active data as well as slack space.

Alternate Data Stream (ADS)
ADSs are hidden files that are attached to visible ones. They are not well known, are generally hidden from the user, and few security programs recognize them. Although ADS was created for compatibility with the Mac world, it is not solely used for that purpose. Many applications use ADS to store attributes of a file. For example, if you create a text document, right-click it and open its Properties, you will see a Summary page; that summary information is attached to the file via an ADS.
BIOS
The Basic Input Output System, abbreviated as BIOS, is software stored on a small memory chip on the motherboard. BIOS instructs the computer on how to perform a number of basic functions such as booting and keyboard control. The BIOS is also used to identify and configure the hardware in a computer, such as the hard drive and functions on the motherboard, including the system clock. The BIOS setup can be entered instead of booting, by pressing a specific key when prompted, prior to booting from the hard drive.

Cluster
The minimum increment of disk space the operating system will allocate. It can be from one to 128 sectors depending on the disk size and organization.

Defrag
Defrag is a Windows system maintenance tool. It is normally used to improve system performance when a hard drive has become fragmented. Defrag also has the effect of making it difficult to recover information that was previously deleted.

Deleted Files
When a file is deleted in Windows, the entire file is not erased; it is simply marked as “deleted” by the operating system. As a “deleted” file, it is no longer visible to the end user, and the space it takes up on the hard drive is considered “unallocated.” In order to truly delete a file, rendering it unrecoverable, the file must be overwritten. This can be accomplished using tools designed to securely erase files. It is sometimes attempted by running Defrag.

Deleted Partitions
When a partition is deleted in Windows, the files in the partition are not erased. The portion of the disk devoted to the partition is simply marked as “available” by the operating system. As a “deleted” partition, it is visible as empty space and is not recoverable to the end user, and the space it takes up on the hard drive is considered “unallocated.” In order to truly delete the files in a partition, rendering them unrecoverable, the disk must be overwritten. This can be accomplished using tools designed to securely erase files.
Forensic Image
A forensic image captures the entire contents of a hard drive while ensuring that the original media is not altered. The resulting image is usually compressed by a program such as EnCase, DD, FTK Imager, or others in a manner that preserves the original data and provides for the generation and preservation of a hash value to verify its accuracy.

Forensic Write Blocker
A forensic write blocker is a piece of hardware that allows a hard drive to be connected to a computer in a forensically sound fashion, meaning that the integrity of the data is ensured. The write blocker prevents anything from being written to the drive that is connected to it.

Fragmented
In normal usage, when files on a hard drive are broken up and occupy non-contiguous clusters, the drive is said to have become fragmented.

FTP Server
FTP stands for File Transfer Protocol; it is a way for files to be transferred from one place to another over a network or the internet. An FTP server is a computer that is set up to allow users to upload files to it or download files from it. FTP servers are often used to host or store files so that they can be accessed from any computer with an internet connection (and the necessary credentials).

Hash Value
A hash value is the output from running the MD5 or another hashing algorithm against a piece of data such as a single file, multiple files, an entire hard drive or floppy disk, or another type of media. Matching hash values for the original media and a forensic copy mean that the copy is identical in every respect to the original. See MD5 Hash.
Internet Cache
The Internet Cache is also called the Temporary Internet Files folder. There is a cache present for every user that logs onto a computer with a unique username. The Internet Cache is where Web pages and files (such as graphics) are stored as they are being downloaded and viewed. This speeds up the display of content that is frequently visited or has already been seen, as it is faster to open content from the local hard disk than from the Web. Not all content accessed via the Web is cached, but the majority is.

Internet History
Internet History is information on Websites/Web pages and other content that was accessed, searches conducted via search engines, as well as information on Web browser cookies. Cookies are sent from Web sites, typically to track site visitor activity.

Latent Data
Latent data is any data that the operating system no longer accesses or uses. It includes deleted files and, more importantly, information or metadata about the deleted files. This metadata is often available long after the files have been deleted and overwritten. Latent data can only be observed with special software tools.

Master Boot Record
The master boot record (MBR), or partition sector, is the first sector of a partitioned data storage device such as a hard disk. The MBR may be used for holding a disk's primary partition table as well as for other functions.
MD5 Hash
An MD5 hash is the result of running the MD5 algorithm against a piece of data. This data can be a single file, multiple files, an entire hard drive or floppy disk, or another type of media. The MD5 algorithm creates a 128-bit "fingerprint" or "message digest" of the input. A good analogy is to compare a hash value with a human fingerprint. Each person has his or her own unique fingerprint. When the person (the input) changes, the fingerprint changes as well. As long as the person remains the same, the fingerprint will remain the same.
An MD5 hash function runs an algorithm against a single file, multiple files, an entire hard drive or floppy disk, or another type of media and creates a unique digital fingerprint for it. Change the data that you originally ran the hash function against (the input), and the value of the hash changes, just as the fingerprint changes when you select another person (the input) to take a fingerprint from. In computer forensics, when the hash values of two items are the same, both copies are identical.
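The hash verification described under Hash Value, Forensic Image and MD5 Hash, as an added Python example that is not part of this glossary and is not code from any of the imaging tools it names: it streams the source media and the image through hashlib in chunks, compares the digests and reports the result. It computes MD5 because that is the algorithm the glossary names, and SHA-256 alongside it, since MD5 collisions can be constructed and examiners routinely record a second digest. The file names and the 64 KiB of sample "media" are constructed for the demo; the altered copy differs from the original by a single bit.

```python
import hashlib
import io
import os
import tempfile

CHUNK_SIZE = 1 << 20  # 1 MiB per read, so a whole-drive image never has to fit in RAM


def hash_stream(stream, algorithm="md5"):
    """Hash an open binary stream chunk by chunk and return the hex digest."""
    h = hashlib.new(algorithm)
    for block in iter(lambda: stream.read(CHUNK_SIZE), b""):
        h.update(block)
    return h.hexdigest()


def hash_bytes(data, algorithm="md5"):
    """Convenience wrapper for in-memory data (one file's contents, a sector, ...)."""
    return hash_stream(io.BytesIO(data), algorithm)


def hash_file(path, algorithm="md5"):
    with open(path, "rb") as f:
        return hash_stream(f, algorithm)


def verify_image(original_path, image_path, algorithms=("md5", "sha256")):
    """Hash the source media and its image under each algorithm and report
    per-algorithm digests, whether they match, and an overall verdict."""
    report = {}
    for alg in algorithms:
        src, img = hash_file(original_path, alg), hash_file(image_path, alg)
        report[alg] = {"original": src, "image": img, "match": src == img}
    report["verified"] = all(report[alg]["match"] for alg in algorithms)
    return report


def demo(workdir=None):
    """Write constructed sample media, a faithful copy and a copy with one bit
    flipped into a scratch directory, verify both, and return the two reports."""
    workdir = workdir or tempfile.mkdtemp()
    # Constructed sample data (not real media): 64 KiB of deterministic bytes.
    source = bytes((i * 7919 + 13) % 256 for i in range(64 * 1024))
    altered = source[:4096] + bytes([source[4096] ^ 0x01]) + source[4097:]
    paths = {}
    for name, payload in (("original.dd", source), ("image.dd", source), ("altered.dd", altered)):
        paths[name] = os.path.join(workdir, name)
        with open(paths[name], "wb") as f:
            f.write(payload)
    faithful = verify_image(paths["original.dd"], paths["image.dd"])
    tampered = verify_image(paths["original.dd"], paths["altered.dd"])
    return faithful, tampered


if __name__ == "__main__":
    faithful, tampered = demo()
    for label, report in (("faithful image", faithful), ("altered image", tampered)):
        print(label, "verified" if report["verified"] else "MISMATCH")
        for alg in ("md5", "sha256"):
            print("  %-6s original=%s image=%s" % (alg, report[alg]["original"], report[alg]["image"]))
```

A single changed bit flips both digests, which is the point of recording the hash at acquisition time: the image can be re-hashed long afterwards and still be shown to match the media as it was when it was imaged.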
Metadata
Literally, data about data. Metadata is information about the history and management of a document or computer file. It is generally not visible in the ordinary display or printing of the document.

NetBIOS
NetBIOS is an acronym for Network Basic Input/Output System. It is a part of the Microsoft Windows operating system, and provides services allowing applications on separate computers to communicate with each other over a local network.

Partition
One section of a hard disk, usually associated with a drive letter such as C: or D:, or any other letter through Z:.

Partition table
The section of the master boot record that defines where partitions reside on the disk.
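The partition table described under Master Boot Record, Partition and Partition table, together with the "deleted partition" behaviour described under Deleted Partitions, as an added Python example that is not part of this glossary: it decodes the four 16-byte entries that start at offset 446 of sector 0 (status byte, partition type, 32-bit LBA start and sector count) after checking the 0x55AA boot signature. The 1 MiB disk image, its two partitions and the marker strings written into them are constructed for the demo; the type-code table holds real MBR values but is deliberately short.

```python
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # the four 16-byte partition entries start here
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

# A few common MBR partition type codes (real values; the glossary lists none).
PARTITION_TYPES = {
    0x05: "extended",
    0x07: "NTFS/exFAT",
    0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
    0xEE: "GPT protective",
}


def parse_partition_table(sector0):
    """Decode the partition table in a disk's first sector.
    Returns one dict per non-empty entry with its type and LBA/byte ranges."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least the first 512-byte sector")
    if bytes(sector0[510:512]) != BOOT_SIGNATURE:
        raise ValueError("boot signature 0x55AA missing: not an MBR")
    entries = []
    for index in range(4):
        offset = TABLE_OFFSET + index * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", bytes(sector0[offset:offset + ENTRY_SIZE]))
        if ptype == 0x00:
            continue  # empty slot
        entries.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
            "lba_start": lba_start,
            "sector_count": count,
            "byte_offset": lba_start * SECTOR_SIZE,
            "byte_length": count * SECTOR_SIZE,
        })
    return entries


def make_entry(bootable, ptype, lba_start, count):
    """Encode one 16-byte entry; the CHS fields get the 'use LBA' filler 0xFEFFFF."""
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                       ptype, b"\xfe\xff\xff", lba_start, count)


def build_sample_disk():
    """Constructed 1 MiB disk image: a bootable NTFS partition at LBA 64 and a
    Linux partition at LBA 576, each with a marker string in its first sector."""
    disk = bytearray(2048 * SECTOR_SIZE)
    table = (make_entry(True, 0x07, 64, 512) + make_entry(False, 0x83, 576, 1024)
             + bytes(2 * ENTRY_SIZE))
    disk[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE] = table
    disk[510:512] = BOOT_SIGNATURE
    disk[64 * SECTOR_SIZE:64 * SECTOR_SIZE + 8] = b"NTFSDATA"    # stands in for partition 1 content
    disk[576 * SECTOR_SIZE:576 * SECTOR_SIZE + 8] = b"EXT4DATA"  # stands in for partition 2 content
    return disk


def delete_partition(disk, index):
    """What 'deleting a partition' does on disk: clear the 16-byte table entry
    only. Every sector the partition occupied is left exactly as it was."""
    offset = TABLE_OFFSET + index * ENTRY_SIZE
    disk[offset:offset + ENTRY_SIZE] = bytes(ENTRY_SIZE)


if __name__ == "__main__":
    disk = build_sample_disk()
    for p in parse_partition_table(disk):
        print("entry %d: %-14s LBA %6d +%6d sectors%s" % (
            p["index"], p["type_name"], p["lba_start"], p["sector_count"],
            " (bootable)" if p["bootable"] else ""))
    delete_partition(disk, 1)
    print("after delete:", [p["index"] for p in parse_partition_table(disk)])
    print("sector 576 still reads:", bytes(disk[576 * SECTOR_SIZE:576 * SECTOR_SIZE + 8]))
```

delete_partition clears only the table entry, which is all that deleting a partition does; the parser no longer reports the second partition, yet the marker in its first sector is still there. That is why an examiner reads the raw sectors of the whole device rather than trusting the partition table to say where data is.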
Photoshop
Photoshop is a full-featured picture editing tool published by Adobe. It is normally used to touch up photographs and fine-tune them for printing. It has the ability to adjust brightness, contrast, color hue and saturation, edit details, resize images and more.

Prefetch file
Prefetch files are created by Windows only when a program is run. They contain information that Windows uses when the program is run additional times.

Regedit
Regedit is a Windows system maintenance tool. It is normally used to repair or explore the registry. It can also be used to delete unwanted entries in the registry.

Registry
The Windows registry is a database which stores settings and options for Microsoft Windows. The registry can record and store devices connected to the system, searches conducted while accessing the Web, as well as information typed by the user into Web-based forms. Information on files saved and opened by a particular user can be found there as well.

Sector
The smallest increment of disk space that can be accessed. It is usually 512 bytes for hard drives. Sector size is determined by the low-level formatting of the hard drive or media. Some hard drives introduced in 2010 are formatted with 4096-byte sectors.
Sector-By-Sector Imaging
This is a process commonly used in computer forensics to ensure that all data from the original media is gathered. This includes system data not available to a user using normal access methods, as well as data that has been “deleted” yet is still present on the media.

Shortcut file
Shortcut files are created by Windows when a file is accessed.

Slack space
Space that is allocated but not currently in use. It may contain information from previous usage, but is not accessible without special software tools.

Swap File
This is space that is used to temporarily store parts of running programs or information that is swapped out of physical computer memory to make room for other running programs. A swap file is sometimes called Virtual Memory. Swap files can either be permanent (in a contiguous location on the hard drive) or temporary (placed wherever space is available).

Temporary Files
These are intermediate files created by a software application or the operating system. Temporary files are created for numerous reasons, such as speed and efficiency, the ability to recover data after a computer “crash” or power loss, as well as the capability to “undo” changes made to data.

Unallocated Space
This is space that is marked by the operating system as available. Unallocated space, however, can contain all or part of previously deleted files. When a file is deleted, the operating system marks the space as available for use, but does not delete the file. The file remains intact until the space once occupied by the file is partially or completely overwritten. Data located in unallocated space is also called latent or ambient data. Data in unallocated space is not accessible by normal methods, and requires special software tools to access it in a meaningful manner.
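A byte-level model of the Cluster, Deleted Files, Slack space and Unallocated Space entries, as an added Python example that is not part of this glossary and is not a real file system: a toy volume that allocates 4096-byte clusters, writes a file, deletes it the ordinary way (clearing the allocation bitmap but not the bytes) and then writes a smaller file into the reused cluster. read() returns only what the operating system would show; slack() and unallocated() return what a forensic tool would see. The wipe flag overwrites clusters before releasing them, which is what "the file must be overwritten" adds over an ordinary delete. The file names and contents are constructed for the demo.

```python
CLUSTER_SIZE = 4096  # allocation unit; with 512-byte sectors this is 8 sectors per cluster


class ToyVolume:
    """Minimal cluster-allocated volume (a constructed model, not a real file
    system) with just enough behaviour to show what deletion, file slack and
    unallocated space look like at the byte level."""

    def __init__(self, clusters):
        self.disk = bytearray(clusters * CLUSTER_SIZE)
        self.in_use = [False] * clusters   # allocation bitmap
        self.files = {}                    # name -> (first_cluster, n_clusters, size)

    def _find_free_run(self, n):
        run = 0
        for i, used in enumerate(self.in_use):
            run = 0 if used else run + 1
            if run == n:
                return i - n + 1
        raise OSError("volume full")

    def write(self, name, data):
        """Allocate whole clusters but write only the file's bytes: whatever was
        in the tail of the last cluster before is left in place (file slack)."""
        n = max(1, -(-len(data) // CLUSTER_SIZE))   # ceiling division
        first = self._find_free_run(n)
        start = first * CLUSTER_SIZE
        self.disk[start:start + len(data)] = data
        for c in range(first, first + n):
            self.in_use[c] = True
        self.files[name] = (first, n, len(data))

    def delete(self, name, wipe=False):
        """Ordinary delete: drop the directory entry and mark the clusters
        available; the bytes stay. With wipe=True the clusters are overwritten
        first, which is what a secure-erase tool adds."""
        first, n, _ = self.files.pop(name)
        if wipe:
            self.disk[first * CLUSTER_SIZE:(first + n) * CLUSTER_SIZE] = bytes(n * CLUSTER_SIZE)
        for c in range(first, first + n):
            self.in_use[c] = False

    def read(self, name):
        """What the operating system shows: exactly `size` bytes, never the slack."""
        first, _, size = self.files[name]
        return bytes(self.disk[first * CLUSTER_SIZE:first * CLUSTER_SIZE + size])

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        first, n, size = self.files[name]
        return bytes(self.disk[first * CLUSTER_SIZE + size:(first + n) * CLUSTER_SIZE])

    def unallocated(self):
        """Every cluster the bitmap marks as available, concatenated."""
        return b"".join(bytes(self.disk[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE])
                        for c, used in enumerate(self.in_use) if not used)


def demo(wipe=False):
    """Write a 5400-byte memo (2 clusters), delete it, then write a 5-byte note
    that reuses the first cluster. Report what is visible versus what remains."""
    vol = ToyVolume(clusters=8)
    memo = b"CONFIDENTIAL MEMO " * 300   # constructed sample content
    vol.write("memo.txt", memo)
    vol.delete("memo.txt", wipe=wipe)
    vol.write("note.txt", b"hello")
    return {
        "visible": vol.read("note.txt"),
        "slack_bytes": len(vol.slack("note.txt")),
        "slack_has_remnant": b"CONFIDENTIAL MEMO" in vol.slack("note.txt"),
        "unallocated_has_remnant": b"CONFIDENTIAL MEMO" in vol.unallocated(),
    }


if __name__ == "__main__":
    print("ordinary delete:", demo())
    print("wipe then delete:", demo(wipe=True))
```

After the ordinary delete the 5-byte note is all the operating system reports, but the 4091 bytes of slack behind it and the still-unallocated second cluster both hold the memo's text; after a wipe the same calls return nothing but zeros, which is the difference between "deleted" and "overwritten".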
Write Blocker
A write blocker is a piece of hardware that allows a hard drive to be connected to a computer in a forensically sound fashion, meaning that the integrity of the data is ensured. The write blocker prevents anything from being written to the drive that is connected to it.