2FA

Two Factor Authorisation; an extra layer of security that requires not only, for example, a username and password but also some other element hopefully known only to the legitimate user; it may involve additional hardware or a response via a separate mobile phone. See also Multifactor authentication

ACPO Guide

The Association of Chief Police Officers’ Good Practice Guide to Computer-based Evidence. ACPO has since been replaced in the UK by the National Police Chiefs’ Council – NPCC. One of the first such guides and adopted in various forms in many other countries.

ActiveX

A Microsoft programming device used on websites, for example to create fillable forms or animations

ADB

Android Debug Bridge. Software used to communicate with Android phones and effect certain changes on them; used in some forensic procedures

AFF

Advanced Forensic Format – a file format for storing images of disk media. Used by some open source forensic analysis programs; the E01 file format is much more popular.

Air gap

An air-gapped device is one which is not connected to the Internet and is therefore considered highly secure

Algorithm

Generally: a mathematical process to solve a problem. More specifically: a generalised method to achieve encryption; the individual “key” is what provides the unique security for specific circumstances

Android

Operating system devised by Google and used in smartphones and tablets

APK

Format for Android programs

Application

A computer program

APT

Advanced Persistent Threat – a relatively meaningless term beloved of security marketing folk. Most threats are “advanced” when they first appear. They are “persistent” if they are used frequently.

Attachment

A file of any kind linked to an email, newsgroup posting, etc. The attachment may usually be in any of a number of formats

Audit trail

A record of activities in chronological form; a deliberate design feature to enable reconstruction of previous events

Backdoor

A facility, in either software or hardware, which enables security and authentication mechanisms to be circumvented

Back-up

A regular process to create additional copies of essential data and programs, or indeed entire systems. A back-up may cover everything or only part of a system and, on each occasion, may be complete or incremental (copying only what has changed since the previous back-up)

Binaries

Binary files, that is all files that are not basic text. Includes software, photo and video files. (In more detail: text files can be represented in 7-bit ASCII, binaries are 8-bit)

BIOS

Basic Input–Output System. More colloquially BIOS refers to the hardware chip on a computer that runs on start-up and “looks for” a disk with a full operating system. The BIOS contains the system clock and may contain details of additional hardware installed on the computer. Although they are not identical, sometimes also referred to as CMOS (see CMOS)

Blockchain

Publicly available ledger of activities such as cash transactions supported by cryptographic protocols. Used by cryptocurrencies

Bluetooth

Technology standard for exchanging data over short distances. It can be used device-to-device, eg PC to phone or phone to phone, to move data but its most common applications are for wireless headphones and speakers and links to fitness bands and smart watches. Devices which wish to speak to each other over Bluetooth must first “pair” – exchange information about technical capabilities and identity.

Bot / botnet

A robot program used to perform a particular function, for example, to keep a transmission channel artificially open or to send out rogue commands. A bot army or botnet is a collection of bots on different computers working in concert. Innocent third-party computers taken over in this way are referred to as zombies. May be used for “phishing” or denial of service (DOS) attacks

Bricking

Carrying out a modification to a device so that it no longer works – it becomes a “brick”. A bricking attack is one where damage to hardware is irreversible

Browser (or web browser)

A program used to view the world wide web, such as Internet Explorer, Netscape, Mozilla, Firefox, Opera, Safari

Brute force

A common technique to break a password system by writing a program to throw large numbers of potential passwords exhaustively at a computer in the hope of eventually finding the correct one

Burner phone

Mobile phone for temporary, difficult-to-trace purposes. Phone and SIM are usually bought for cash and discarded after immediate use.

Cache

A holding area for temporary files, often used to speed up regular computer processes. The best known example is the Internet cache which contains recently viewed webpages and pictures

CAPTCHA

Technique aimed at preventing the machine creation of bogus credentials and accounts by requiring the use of a test only a human can satisfy – such as partially obscured letters

CAQDAS

Computer Assisted Qualitative Data AnalysiS, generic name for tools used in data mining.

Card-sharing

Fraud committed on satellite and cable tv systems where decrypting information is shared over the Internet. A handful of legitimate cards are purchased and these are used to capture the ever-changing encryption codes used by satellite and cable operators. The results are disseminated via the internet to modified decoders in customers’ homes; the customers pay a low fee to the scheme organizer

Carving (File)

Technique used to recover deleted files and file fragments by searching for file signatures – the first few bytes of a file which indicate its type.

CDR – Call Data Records

Records produced by a telecommunications company; in the case of conventional telephony they include who called whom, when and for how long. Mobile CDRs also include the identities of the SIM and the handset and the location of the cellsite over which the call took place

CERT

Computer Emergency Response Team

Certification Authority (CA)

A service offering authoritative identification of digital identities via cryptography. Used by websites to confirm their identity but also by businesses and individuals for the same purpose. Sometimes referred to as Certificate Authority.

CGNAT

Carrier Grade Network Address Translation, a technique used to share a single IP address among a large number of individuals, often used by mobile phone companies to give their customers Internet access

Chat logs

Many forms of social media allow people to type messages to each other in real time. Quite often these are recorded locally on the devices of the participants, when they become known as chat logs

Chatroom

An Internet facility to enable participants to talk online by typing on the keyboard. It occurs in real-time (see Newsgroups). There are many variants

Cloud Services

Services including data storage and data processing which are carried out on large remote computers which are rented on an as needed basis – as opposed to running the same services on computers directly owned by the user and on their own premises. See full section.

Cloud sync

Means of updating multiple devices with the latest version of a file etc; all devices are connected to the same cloud service. Used extensively by Google, Apple, Microsoft, DropBox etc

CMOS clock

A battery-driven device on the motherboard of a PC which is the main source for the day and time data associated with each file (see BIOS)

CNE – Computer Network Exploitation

Term used by electronic intelligence agencies to refer to computer hacking.

Communications Data

In English law, “communications data” is information about who is connected to whom, when and for how long, but not including the content of the communication. Traffic data is a subset (see Traffic Data). In other jurisdictions it can be referred to as metadata

Configuration file

A file normally hidden on a computer that affects the specific way in which an individual program, hardware accessory or entire computer works. On Windows machines, it is often identified by the extension “.ini” (INI files)

Cryptocurrency

Means of exchanging value using cryptographic protocols. The best known example is Bitcoin

Cryptography

Method used to hide the contents of a file, etc. (see Encryption, Steganography). Can also be used for authentication

Cryptosystem

An entire arrangement to allow confidentiality and authentication – includes hardware, algorithm, key management

CSIRT

Computer Security Incident Response Team

CSP

Communications Service Provider – the term includes those who provide Internet services but also telephone companies and large entities like Microsoft, Facebook and Google

Data mapping

Data is held or produced in various databases in a variety of formats; data mapping is the process of converting one format into another.

Data mining

Analysis of the content of large numbers of files in order to discover patterns and linkages

Data Preservation

Action to preserve data that might otherwise be deleted. Data preservation is usually required when legal proceedings have been notified. Internet Service Providers and others may at the request of law enforcement preserve data against the future likelihood of a formal order for production

Day and time stamps

Day and time information from an on-board computer clock. All modern operating systems associate with each file a series of day and time stamps, although there are variations.

DDoS

Distributed Denial of Service. An attack on an Internet site which involves sending large numbers of messages to that site to overwhelm it and prevent it from operating properly. It is called “distributed” because large numbers of computers simultaneously attack the targeted web-site. They in turn are managed by a “command-and-control” computer.

DHCP

Dynamic Host Configuration Protocol. Technical arrangement by which a computer or other device asks for an IP address from its host, which then assigns it one. DHCP is one of a number of techniques used to overcome the shortage of actual IP addresses. Most local area networks operate on a DHCP basis and so do most “retail” ISPs.

Dictionary attack

A common technique to break a password system by writing a program to throw large numbers of “likely” potential passwords at a computer

Digital fingerprint

A technique for uniquely identifying the contents of a file, so that identical files can be recognised (see Hash)

Directory

A hierarchical system of organising files in places where they can be easily found on a computer hard disk (also known as folders)

Disclosure / discovery

The legal process by which information is fairly made available to opposing counsel and which is subject to a number of rules and obligations (known as “discovery” in the US).

Disk acquisition

A process to make an accurate exact copy or “image” of a hard disk, CDROM, USB stick or other data memory device, creating an intermediate file which can be examined using specialist tools and from which clones of the original can be created

Distributed denial of service (DDOS) attack

Using large numbers of computers to attack and overwhelm a target computer (see Denial of service (DOS) attack)

Distro

Short for “distribution”. The Linux operating system is made available in a series of collections which include the operating system, a display system and various programs and utilities – each is known as a “distro”. Examples include Ubuntu, Red Hat, Suse and Arch. There are also distros designed specifically for security and forensic applications.

DLNA

Digital Living Network Alliance. Guidelines and protocols to enable digital media to be shared among a variety of devices but with protection for intellectual property rights

DNS

Domain Name System. An essential element of the Internet – a constantly updated collection of computers that translates the name of a computer into its IP address

DNS poisoning

Attacking a DNS so that requests to one website are redirected to another rogue site

Dongle

Hardware device usually connected to a USB or printer port, sometimes used to provide encryption protection to computers: without the dongle the disk can’t be “read”. Also used as a counter-piracy measure – the dongle is required to make a particular high-value program “run”. Another use is to connect a PC to the mobile phone network for data.

DOS (1)

Disk Operating System. Windows, Unix, Linux, MacOS, Solaris, OS/2 and VMS are all operating systems for various items of computer hardware.

DOS (2)

MS-DOS, the Microsoft disk operating system which was common before Windows 95

Dual Tool Forensics

Because of the fast-changing nature of the digital forensics landscape commercial forensic tools may not always produce complete and reliable results. The use of two separate tools to address the same problem may reduce the risk.

Dynamic DNS

Service which gives devices without a fixed IP address the ability to be located on the Internet. The dynamic DNS service gives the device a name under its own umbrella and keeps track at frequent intervals of its currently assigned IP address. It is then able to direct requests to the device. Used, among others, by small companies, private individuals and small-scale cctv security systems but can also be used by cybercriminals as a means of disguising the identity and location of criminal servers.

Dynamic IP address

An IP address assigned on an as-needed basis. Over a period of time an individual may use several IP addresses from the same range within the user’s Internet Service Provider (ISP) (see IP address)

E01

Encase format for forensic disk images

EFS

Encrypting File System – facility within Microsoft Windows to encrypt files and folders

Email server

A computer that manages the distribution and reception of email on behalf of a community of users, holding mail until an individual is ready to download it

EnCase

Popular forensic computing suite which is capable of imaging a hard disk and then analysing it. “EnCase” also sometimes refers to the format in which a forensic image is created

Encryption

The translation of files, data, pictures, etc. into a form in which they can only be read/viewed by those authorised to do so. Encryption requires an algorithm (generic method) and a key which is known only to the participants. In conventional encryption the same key is used by both sender and recipient. Encryption, together with an appropriate management system, can also be used to authenticate documents

End-to-end encryption

Cryptosystem in which only the parties to a conversation control the keys and algorithm. Many cryptosystems are not end-to-end because a supplier or intermediary has knowledge of the keys, authentication mechanism, etc

End-to-end encryption (E2EE)

Where the only people who have full knowledge of a crypto system are the originator and recipient. Many encryption systems are not end-to-end because part of the functionality is provided by an intermediary.

Epoch date

Computers find it difficult to store date/time information in the normal way – because there are uneven numbers of days in each month and there are leap years. The policy is therefore to store dates as the number of seconds since a start – or epoch – date. Unix starts at 1 January 1970, for example. In Apple OSX a Mac-timestamp is the number of seconds since midnight, January 1, 1904 GMT. Conversion programs are available on the web.

Equipment Interference

Hacking, when carried out by law enforcement and intelligence agencies

Escrow

Legal device in which a third party holds information or cash until asked to release it. Cash escrow is sometimes used so that payment for goods or services is delayed until the purchaser has received them. Key escrow is used in some forms of cryptosystems – the key is released if the owner has lost theirs, or is released to law enforcement under warrant

ESI

Electronically Stored Information

Exchange Server

Very widely used product from Microsoft used to provide email and shared facilities for organisations large and small

EXIF data

Standard for embedding information about a photograph within a graphics file; typically it includes time/date, technical data about camera and exposure and sometimes GPS co-ordinates

Expert evidence

In law, opinion evidence from someone whom the court has decided to accept as an expert (see Technical evidence)

False positive / negative

Where a system has raised an alarm which on inspection turns out to be misplaced; a false negative is when a system should raise an alarm but fails to do so

Faraday cage

Device used to shield from radio signals; usually a metal box or similar. Used for the examination of mobile and smart phones

FAT, FAT32, exFAT

The Microsoft disk operating system used in MS-DOS and Windows 95, 98, etc. The FAT table contains information about the specific physical locations on disk of files (which may be fragmented) and is also the source of date and time stamp data (see NTFS). FAT32 and exFAT are disk operating systems which overcome some of the limitations of the original FAT system

File compression

A technique for reducing the size of a file to make it smaller to transmit or store. In “lossless” compression, no original data is lost but many compression schemes involve an “acceptable” level of loss. ZIP, RAR, tar and Stuffit are general-purpose file compression schemes, MP3 is particular to sound files (see ZIP)

File signature

A specific series of computer characters at the start of the internal structure (or format) of a file which helps computer applications identify the file.

File-sharing program

A system to enable many people to share files. These files may have an “illegal” element because they violate copyright or are indecent. In order to participate in a file-sharing system, a user may require specialist client software

Finalising

In the context of CDs, DVDs and BDs: once files have been written to optical media, finalizing consists of closing the disk to prevent further writing sessions. Audio and Video disks also have additional material written to allow them to be read by standalone video players.

Firewall

Security device for internet-connected computers that is able to limit inbound and outbound traffic. The best firewalls are separate hardware units, although software firewalls exist and can provide a degree of protection

Firmware

Computer program usually concerned with device control which can be uploaded into re-writeable memory. The technique is used to carry out upgrades to equipment.

Flashing

Method for upgrading or altering firmware. Many devices such as phones, tablets, satellite receivers, media devices, hubs, etc are designed so that new features can be added later. There is a chunk of re-writeable (“flash”) memory. The “new” program may come over the air, as with new versions of smartphone and tablet operating systems, or via a file loaded via a USB stick or other port. Flashing is also used for unofficial upgrades and alterations, for example to Internet access points and smart phones.

Folder

See Directory

Format (1)

Of a disk – the creation of an internal structure so that it can hold files. Reformatting consists of replacing an existing scheme with a new one, which renders the old files difficult to read and recover without the use of advanced techniques

Format (2)

Of a file – each computer application creates and reads files with a specific internal structure, known as format

FQDN

Fully Qualified Domain Name – usually means a way of identifying a website

FRP

Forensic Readiness Program

FTA

Free To Air. Broadcast channels and programs which are transmitted so that they can be received by all television sets, in contrast to “premium” services which are encrypted. FTA broadcasts are normally funded by advertising or license/tax.

Gb

Gigabyte. A unit of capacity of data or memory (1 Gb = 1024 Mb)

Geolocation data

Data which can be used to pinpoint the location of a device – and the person using it. Can be derived from cellphones and wifi access points, etc

GSM

Widely used standard for mobile phones – Global System for Mobile Communications (originally Groupe Spécial Mobile)

GSM tracking

Service which pinpoints the location of an individual or vehicle via signals exchanged between a mobile phone handset and base stations

GUID

Globally Unique Identifier. A number of computer programs generate a GUID so as to distinguish one person or entity from another. Depending on circumstances the GUID may be randomly generated or may use information taken from the computer or device upon which the GUID is being created such as the network card and the current date/time.

Hash

See Digital fingerprint

Hash analysis/ hash libraries

Libraries exist of digital fingerprints for well-known files, for example those associated with popular operating systems and programs and offensive material. They can be used to scan hard disks rapidly to eliminate files of no interest or to look for files of particular significance

Hex Editor

Programmer’s facility enabling the examination of files in their raw state both as hexadecimal code and as simple text

Hibernation

Hibernation occurs when a computer is put into a paused state, typically when the lid of a laptop is closed without powering down. When the lid is opened, the user has to provide a password and the computer resumes to its previous state. Hibernation is made possible because the state of the computer is written to a special file – in Windows this is hiberfil.sys

Hot-firing

The process by which a clone of an original file is placed in suitable hardware so that what the original user saw can be viewed. The usual result is that data on the hard disk becomes altered and re-cloning may be necessary during an extended examination

HTML

Hypertext Mark-up Language. The language used for creating webpages containing not only content but formatting and other instructions. Many browsers contain a “View Source” option so that code can be viewed easily.

HTTP

Hypertext Transfer Protocol. The protocol of the World Wide Web. HTTPS is a secure version used for e-commerce transactions, etc.

IDS

Intrusion detection system – in effect, a burglar alarm for computer systems

Image (1)

A file containing a photograph or a picture

Image (2)

The process of making an entire copy of data media such as a hard disk. Some “imaging” programs are designed to aid data recovery or to support the needs of a large organisation

IMAP

Internet Message Access Protocol. One of a number of ways in which email can be handled between an end user with a PC or smartphone and the email server facilities at an ISP. Data is synchronized between the two and copies are held on the remote server unless explicitly deleted by the user. (Cf POP3)

IMEI

The hardware identity of a mobile phone – International Mobile Station Equipment Identity

Implant

A physical or logical “bug” which enables activity to be covertly scrutinized or surveilled – this is the term favoured by the likes of NSA and GCHQ

IMSI

International Mobile Subscriber Identity – number which identifies a SIM card in a mobile phone. An IMSI catcher is a mobile phone eavesdropping device

IMSI Catcher

Device for intercepting mobile phone calls. It consists of a fake mobile phone base station which captures traffic from mobile phones in its vicinity; the traffic is decoded before being passed on to the nearest official base station so that the call is completed without the phone owner being aware that interception has taken place. Also known as “stingray”, a popular model.

Intelligence purposes only

When law enforcement approach businesses for assistance they may say that the material sought will not be used in evidence in open court but only as intelligence during an investigation. If later it is desired to use the evidence then the material will have to be re-acquired.

Interception

In telephony and networks: the process of acquiring the content of a communication.

Internet Relay Chat (IRC)

The international protocol for online chatting. Other web interfaces can be used (see Chatroom)

iOS

Apple’s operating system for the iPhone and iPad

IoT

Internet of Things. Increasingly all types of relatively simple devices are given the capability of connecting to the Internet and being controlled from it. Wireless printers, IP cameras and networked baby alarms are existing examples but home heating and cooking devices and children’s toys are also available.

IP address

A uniquely identifiable, machine readable number for each computer or host on the Internet, that can be used by the Internet Protocol to transmit and receive traffic. Servers, websites and other computers permanently connected to the Internet always have the same, static IP address. Many ISPs allocate users an IP address on an as needed basis – this is known as a ‘dynamic IP address’ as it can change within a range set by the ISP. Over a period of time an individual may have used several IP addresses from within one range. The current addressing system is IPv4; it is being replaced by a newer system, IPv6, which allows there to be many more devices on the open Internet each with their own IP address.

IP address resolution

The processes involved in linking an IP address to a specific device – or a real person

IP spoofing

A technique for altering or forging the source IP address of traffic so that it appears to come from a third party

IPTV

Internet Protocol Television – the supply of TV programs over the Internet using streaming (qv) technology as opposed to via terrestrial, satellite and cable systems.

ISP

Internet Service Provider

Jailbreaking

Technique to remove some of the access restrictions on Apple iPhone and iPad devices

Java

A programming language frequently used on websites, for example to create online forms or animations

JTAG

Joint Test Action Group. Many electronic devices including smartphones and tablets feature on their circuit boards a series of test points for use during manufacture. They can also be used to extract data from devices when other easier methods have failed.

Jumper

A small connector on a hardware device such as a motherboard or disk drive. The connector links one or more protruding pins and makes the hardware behave differently, for example, to order which of two hard disks has priority – “master” or “slave”

Kb

Kilobytes. Unit of capacity of data or memory (1024 Kb = 1 Mb)

Keylogger / Keystroke monitor

A covert program which captures every keystroke that a computer user makes so that they can be examined later. Hardware-based keyloggers exist as well; they are usually physically very small and are placed in-line to a computer’s keyboard; PS/2 and USB connection versions are available. Keyloggers can be used to identify passwords and the software versions may be part of a Trojan. But keyloggers may also be deployed for investigatory surveillance purposes

LI

Legal Intercept. Where under the laws of a nation state there is a power to collect the content of communications in transit, the legal and technical process by which this is carried out

Linux

Popular operating system, part of the Unix family. It is typically released in working “distributions” or “distros” such as SUSE, Red Hat, Ubuntu, Debian, etc

Live analysis

Most forensic analysis is done on copies of disks, etc which have been imaged. Thus it is always possible to return to the status quo ante. But sometimes this is not possible and those examinations are described as “live”

LNK file

Small file which points or links to a substantial file. Examples include desktop and “start menu” items which link to programs and lists of “recent” (recently used) files in word-processing etc programs. In forensic examinations LNK files may exist even if the substantive file to which they point has been deleted.

Logic bomb

Rogue program with a delayed effect which causes damage to data. It may be triggered by time or some external event

Logical image

A true forensic image of a data storage medium captures every element of the original and is referred to as “physical”. But that is not always possible, particularly with smart phones where some aspects are hidden. A logical image collects files that are available, using the best methods available in the circumstances

LPP

Legal Professional Privilege, typically correspondence between a lawyer and his client

MAC address

Hardware identifier for network connected devices (media access control). In theory every one is unique. A MAC address consists of 6 octets, the first 3 of which usually identify the manufacturer – eg in fc:aa:14:e5:48:28 the manufacturer is Gigabyte Technology

Macro

An automated sequence of computer commands

Man-In-The-Middle (MITM)

A technique for “breaking” an encrypted transmission. A rogue machine masquerades as the intended recipient so that encrypted traffic can be eavesdropped and then passes the message on to its original intended destination. MITMs can also be used to intercept and then pass on wifi traffic – by the use of a rogue Access Point

Mb

Megabyte. Unit of capacity of data or memory (1024 Kb = 1 Mb)

Memory forensics

Most digital forensics is carried out on the contents of data storage devices; in memory forensics attempts are made to image the content of Random Access Memory (RAM) and then analyse the results. RAM may hold passwords, for example

Metadata

Literally, data about data. Some regular computer files contain hidden additional information which can be viewed. The term can also be used where information about a communication is provided.

MIME

Multi-Purpose Internet Mail Extensions. Method of sending attachments to emails. Traditional email is text based (7-bit ASCII) whereas nearly all files – word processed documents, pictures, video, programs, spreadsheets – are 8-bit. MIME is a means to render 8-bit material so that it can be transmitted via email.

MLAT

Mutual Legal Assistance Treaty – means by which law enforcement in one jurisdiction can get help and evidence from law enforcement in another jurisdiction

Modem

Device for interfacing computer with landline to enable communications. Older modems linked to the regular dial-up telephone; broadband modems are normally incorporated into a hub which also provides local area and wireless networking.

Motherboard

The main physical hardware of a PC or similar device. PC hardware has facilities for other hardware components to be added to it.

MTP

Media Transfer Protocol – USB facility on Android phones to give access to some of the file system. See also PTP.

Multifactor authentication

System that requires more than one method of authentication from independent categories of credentials to verify the user’s identity for a login or other transaction, eg token plus password; sending one-time code to mobile phone. See also 2FA

NAS

Network Attached Storage. Box containing one or more hard disks which is connected to a local area network. Usually all of the PCs, smartphones etc on the same network can access its storage facilities. Often used for bulk back-up of files. Many NAS can also stream audio and video.

NAT – Network Address Translation

Technique used, among other places, to allow a number of computers and other devices each to have an IP address on an internal local area network but have just one IP address outwardly facing the world wide Internet. CGNAT is Carrier-Grade Network Address Translation and is used by some ISPs including mobile phone companies to share and lease IP addresses

NCND

Neither Confirm Nor Deny. Position taken by some intelligence agencies and government departments in relation to their activities.

Newsgroups

Internet-based discussion groups, one of the oldest Internet “institutions”, where participants post messages for later viewing. It can be used to publish attached files (also known as Usenet)

NFC

Near Field Communication. Technologies which enable data to be passed between devices that either touch each other or are in very close proximity. NFC is found in stickers, tags etc in retail environments and also in key fobs and City-based travel cards. Many smartphones can read NFC. NFC devices can be both passive (where data doesn’t change and can only be read) and active (where data can be changed during the interaction).

NTFS

The Microsoft Disk Operating System used in Windows NT, 2000, XP and subsequent operating systems. A replacement for FAT and FAT32. The MFT (Master File Table) contains information about the specific physical locations on disk of files (which may be fragmented) and is also the source of date and time stamp data

Off-chip

Investigation of a digital device which consists of attaching probes to a motherboard to read the contents of memory and other chips

Open Source

Computer programs which are written on a “community” basis and are usable without restriction (also known as “freeware”). They may need to be adapted to work well in specific circumstances

Open Source Intelligence (OSI, OSINT)

Information gleaned from sources open to the public as a whole – without recourse to legal orders to disclose or to covert means

Operating System

Software which enables all the basic functions of a computer and which starts up whenever the computer is powered on. Applications programs sit on top of and interact with the operating system to provide the user with the specific functionalities they want – word processing, spreadsheets, email, Internet browsing, etc

OSX

Operating system used in Apple Mac computers; renamed macOS in 2016

OTA

Over the Air; usually refers to upgrade information for smartphones and tablets which is supplied automatically via wifi

OTG

On the Go. Facility available in some smartphones and tablets to connect USB storage to provide additional capacity. Needs a special cable.

OWA

Outlook Web App. The provision of webmail access to an Exchange Server.

P2P

Peer-to-Peer. Among other things, a distributed network architecture whereby fragments of a file are shared and made available to many users, thus speeding up the process of file acquisition. P2P file-sharing takes many specific forms and although the technology has many legal uses, P2P networks have also been widely used for the distribution of pirated videos, games and software. P2P technology is also used for some legal video streaming services (IPTV), such as the BBC iPlayer. See also Torrents

Packet

The quantity of data sent over a network. Both for efficiency and to allow for error-checking, files are split up into packets for transmission and then re-assembled in the correct order on reception. “Packet switching” is a data transmission technique to maximise the efficient use of physical cables, satellite links, etc.

packet filtering

A technique for listening on a data transmission and selecting packets according to particular criteria. When this takes place on a large scale it is referred to as Deep Packet Inspection – DPI.

packet sniffer

The device that listens for data transmission (see packet filtering)

Partition

A means of dividing a hard disk so that it presents itself to the operating system as one or more hard disks (e.g. C:, D:, etc.). The technique separates programs from data files and makes back-up easier; it makes one or more operating systems available on the computer; and it maintains an area containing recovery files. Partitions can also be hidden

PAT

Port Address Translation. A means of overcoming the shortage of IP v4 addresses. Under PAT many people can use the same IP address but are each assigned an individual port. Ports 49152 to 65535 are used for this purpose, so that for each IP address there are 16,383 port numbers. Used by some mobile phone companies and ISPs.

Payload

The “bomb” or result of a logic bomb or virus

Phishing

Creating temporary fake websites to incite visitors to release sensitive information for fraudulent purposes. Usually, users are lured to the fake websites via emails purporting to come from legitimate sources such as banks. Spear phishing occurs when it is focused at a particular individual, usually to get access to information they hold or computers they control.

Phreaking

The abuse of telephone and similar systems

PKI

Public Key Cryptography – a more sophisticated version of encryption used where there are large numbers of participants in a system: different (paired) keys are used for encryption and decryption, hence “public key cryptography”. Encryption, together with an appropriate management system, can also be used to authenticate documents

Plist

Configuration and logging files associated with Apple operating systems. Data is stored in XML.

POP3

Post Office Protocol. One of a number of ways in which email can be handled between an end user with a PC or smartphone and the email server facilities at an ISP. Messages are usually deleted at the server after downloading. (Cf IMAP).

Pop-up

Subsidiary windows which appear on the screen during Internet use. These may contain detail related to the main window or for advertising

Port

Exit and entry points to a computer system. Internet communications protocols designate a number of ports to a computer system; certain ports always have the same function (port 80 is used for websites, for example). All ports on a computer which are not going to be used should be closed off (see firewall). There are a total of 65536 ports, though a number of them are reserved for specific activities or specifically registered to software corporations

Port scanner

A program which looks for “open” ports – in malicious scanning, leading to computer intrusion and possible abuse

Predictive coding

Technique used in e-disclosure / e-discovery where a specialist piece of software is provided with a set of sample documents from which it derives a set of rules defining what should be disclosed. These rules are then applied to a whole collection of potentially disclosable material. Also known as Technology Aided Review

Privilege (legal)

Rule which says discussions between lawyer and client are confidential. (1) Where devices and media storage contain privileged information that material will have to be redacted. (2) Work carried out by Experts instructed by lawyers will probably be within the cloak of privilege. Also referred to as LPP – Legal Professional Privilege.

Privilege escalation

Technique or piece of code which allows some-one to gain a higher level of control over a device than was expected; typically the escalation is to “root” – full control

Protocol

A set of rules enabling computers and electronic devices to exchange data, etc. in an agreed, pre-defined way

Proxy

A device or program that performs an operation while hiding the details from outside scrutiny. A proxy server acts as an intermediary for requests from clients seeking services from substantive servers

PTP

Photo Transport Protocol. USB facility on Android devices which allows access to photos but nothing else. See also MTP.

RADIUS

Remote Authentication Dial In User Service – a log maintained by many ISPs to record who had the use of a specific dynamic IP address at a given time

Ransomware

Form of malware in which destruction by encryption of files and disks is threatened unless a ransom – usually in an anonymous cryptocurrency – is paid.

RAT

Remote Access Tool – malware which allows remote control of a device over the Internet. Also referred to as a trojan

RCE

Remote Code Execution; malware which allows hackers to run unauthorized software on a device without the knowledge and consent of the owner

Registry

In modern Windows systems, a normally hidden part of the operating system that holds important configuration and other data

Restore point

In Windows operating systems, a facility by which copies of key files are taken periodically so that in the event of a computer crash, the computer can be restored to an earlier stable state. Forensically restore points can be used to achieve limited historic views of a computer. More recent Windows operating systems use the more extensive VSS (qv)

RFC

Request for Comment. The way in which Internet technical standards and protocols are discussed and then promulgated. Run by the IETF: Internet Engineering Task Force

Root

The operating system at its most fundamental level of control

root kit

A series of rogue programs used to take control of an operating system

Rooting

Process of increasing the access to the file system, usually of Android devices

Sandbox

Technique of creating a limited, isolated and controlled environment in which to test software etc., ensuring that no harmful effects can escape

SATA

Serial Advanced Technology Attachment. The main means by which a hard disk is attached to a computer motherboard – the cable is usually coloured red

Screen capture

Software which can capture all or part of what can be seen on a computer monitor. It can include moving video and audio. From an evidential point of view it is important to remember that a screen capture will be saved to the device the screen of which is being captured.

Screenshot Evidence

The use of a separate camera – still or video – to capture events on screen. Used only when there is no better evidential route. Will usually need to be accompanied by further evidence to establish authenticity.

Semantic Analysis

Analysis based on the content of a file – used to show linkages and perhaps common authorship of files. Closely linked to data mining

Serialing

An ascending unique serial number assigned in situations where a system is recording transactions, so that any attempt at transaction deletion can be seen

Server

A program that sits on a network (including the Internet) waiting to respond to requests (see email server and web server)

Shell account

In Unix/Linux a “shell” is a means of addressing the operating system, usually via the Terminal. It is similar to but not identical to the Windows Command Prompt. There are a number of available shells – bash and csh being two common examples. A shell account on a computer means the ability to load and run programs.

Shodan

Search engine for Internet-connected devices

Sideload

Software which is installed on a smartphone, tablet or other device by a means other than the official one; usually deployed to enhance a product

Signature, file

In a forensics context, the handful of bytes that help identify a file as of being of a specific type, or a way of uniquely identifying a piece of malware
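As an added illustration of the first sense of the term (this is example code written for this glossary entry, not tooling from the page's author), the script below identifies a file's type from its leading bytes rather than its name, and flags files whose extension disagrees with their content. The signature byte strings are the well-known published values for each format; the sample files are constructed in-line so the script runs offline.

```python
# Added example: identify file types by "magic" signature bytes and flag
# extension/content mismatches. Signatures are the published values for
# each format; sample file contents below are constructed for the demo.

# (byte offset, signature bytes, type label)
MAGIC_SIGNATURES = [
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\xff\xd8\xff", "jpeg"),
    (0, b"%PDF-", "pdf"),
    (0, b"PK\x03\x04", "zip"),            # also docx/xlsx/apk/jar containers
    (0, b"GIF87a", "gif"),
    (0, b"GIF89a", "gif"),
    (0, b"MZ", "pe-executable"),          # Windows EXE/DLL
    (0, b"\x7fELF", "elf-executable"),    # Linux/Unix executables
    (0, b"SQLite format 3\x00", "sqlite"),
]

# Which signature label each extension is expected to carry.
EXPECTED_BY_EXTENSION = {
    ".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip", ".apk": "zip",
    ".gif": "gif", ".exe": "pe-executable", ".dll": "pe-executable",
    ".db": "sqlite", ".sqlite": "sqlite",
}


def identify_by_signature(data: bytes) -> str:
    """Return a type label for the given bytes, or 'unknown' if no signature matches."""
    for offset, sig, label in MAGIC_SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return label
    return "unknown"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the file's extension implies one type but its signature says another.

    Files with an extension we have no expectation for are not reported.
    """
    dot = filename.rfind(".")
    ext = filename[dot:].lower() if dot != -1 else ""
    expected = EXPECTED_BY_EXTENSION.get(ext)
    if expected is None:
        return False
    return identify_by_signature(data) != expected


def triage(files: dict) -> dict:
    """Map each filename to (detected type, mismatch flag)."""
    return {name: (identify_by_signature(data), extension_mismatch(name, data))
            for name, data in files.items()}


# Constructed sample "files": only the first few bytes matter for this check.
CONSTRUCTED_FILES = {
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,      # genuine JPEG header
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",        # genuine PDF header
    "invoice.pdf": b"MZ\x90\x00\x03\x00\x00\x00",         # PE executable posing as a PDF
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",          # genuine ZIP header
    "notes.txt": b"just some text\n",                      # no expectation for .txt
}

if __name__ == "__main__":
    for name, (kind, bad) in triage(CONSTRUCTED_FILES).items():
        print(f"{name:12} {kind:15} {'MISMATCH' if bad else 'ok'}")
```

Note that a signature check is a type identification, not proof of safety: an executable renamed to `.pdf` is caught here, but a genuine PDF can still carry malicious content. The second sense of "signature" in the entry, a byte pattern identifying a known piece of malware, works the same way mechanically but matches patterns found anywhere in the file rather than at fixed offsets.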

SIM

Subscriber Identity Module – small card inserted into a mobile phone which enables call origination and receipt by identifying the phone to the network. SIMs can contain additional data and even small programs. They are available in a variety of physical sizes. SIM can also mean simulation game

Skimmer

Illicit device for reading the contents of a credit card for later fraudulent exploitation

SLA

Service Level Agreement: key feature of any contract for computer-related services – what the supplier is offering and guaranteeing

SMS

Short Message Service – “texting” as used in GSM mobile phones, each message is limited to 160 characters

SMS authentication

Technique used by some ISPs, merchants and banks to allow customers who have forgotten their passwords to access a service – a code is sent via SMS to a mobile phone which has been pre-designated by the customer; the customer then inputs the received code into the website, which then admits them.

Social Engineering

Tricking people into doing things they would normally not, eg disclose passwords, allow free access to their computer, phone etc. Typical examples include faked emails, web-pages, phone calls. One of the most common ways in which security is compromised.

Social Media

Generic name for services such as Facebook, Twitter, LinkedIn, etc

Spidering

A technique for capturing a website – the program identifies all the internal links on a page and follows them through. Spidering can only capture fixed pages, not ones which are dynamically created

SQL

Structured Query Language – pronounced sequel. SQL implies a database and SQL is the means of storing and extracting information from it. MySQL and SQLite are variants. Many programs use SQL, MySQL and SQLite as their database “engine”; these include many Internet-related programs such as browsers and social media clients

SQL Injection

Very common hack method deployed on websites. Many websites are linked to databases which accept SQL commands – such commands can sometimes be injected direct from a browser bar and cause the database to disclose all of its contents
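To make the mechanism in this entry concrete, here is an added example (written for this glossary, not code from the page's author) using Python's standard sqlite3 module against a small in-memory database constructed for the demo. One lookup builds its SQL by pasting user input into the query string, which is the flaw the entry describes; the other passes the input as a bound parameter, so the database treats it as data rather than as part of the command.

```python
# Added example: a lookup vulnerable to SQL injection beside its parameterised
# fix, run against a constructed in-memory SQLite database.
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Create a throwaway database with a few constructed customer rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.com"),
            ("bob", "bob@example.com"),
            ("carol", "carol@example.com"),
        ],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Builds the query by string formatting: whatever the caller supplies
    becomes part of the SQL command itself (deliberately flawed)."""
    query = f"SELECT name, email FROM customers WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised query: the '?' placeholder is filled by the database
    driver, so the input can only ever be compared as a value."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE name = ?", (name,)
    ).fetchall()


# The classic tautology input from introductory material: it closes the
# quoted literal and appends a condition that is true for every row.
INJECTION_INPUT = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups with a normal name and with the injection input."""
    conn = build_demo_db()
    try:
        return {
            "vulnerable_normal": lookup_vulnerable(conn, "alice"),
            "vulnerable_injected": lookup_vulnerable(conn, INJECTION_INPUT),
            "safe_normal": lookup_safe(conn, "alice"),
            "safe_injected": lookup_safe(conn, INJECTION_INPUT),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20} -> {len(rows)} row(s): {rows}")
```

With the injected input the vulnerable lookup returns every row in the table, which is exactly the "disclose all of its contents" outcome the entry warns about, while the parameterised version returns nothing because no customer is literally named `x' OR '1'='1`. The fix is not input filtering but keeping data and command separate, which is what bound parameters do; an application that logs queries returning unexpectedly many rows for a single-record lookup also has a usable detection signal.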

SSD

Solid State Disk, as opposed to ordinary hard disks, HDDs, which have spinning disks. A hybrid disk has a small SSD integrated with a more conventional HDD

SSL

Secure Sockets Layer: cryptographic protocol to provide communications security over a network. Used for email, web-browsing, instant messaging and VOIP.

STARTTLS / STARTSSL

Facilities within email to initiate a session which provides both authentication of the parties and confidentiality of the communication

STB

Set Top Box. Device provided by satellite and cable companies so that their channel can be viewed. The STB acts as a tuner and also provides decryption as necessary. Most STBs also have a slot for a smart card which is unique to each customer and determines which channels have been subscribed to.

Steganography

Techniques for hiding data in an apparently innocent file

Streaming

A streaming service allows a computer file, typically of video or music, to be enjoyed while it is still being delivered, as opposed to having to wait till an entire file has been downloaded. Much “live” Internet television and many audio and video services use streaming.

Swap file

When a computer runs out of memory on its motherboard during use it will “swap” data to the hard disk. The swap file sometimes contains a record of recent activity on the computer

TAR

Technology Aided Review: a feature of e-discovery / e-disclosure in which obligations to disclose material to the “other” side are satisfied by the use of data-mining and artificial intelligence techniques that replace manual review. Sometimes referred to as “predictive coding”

Tb

Terabyte. Unit of capacity of data or memory (1 Tb = 1024 Gb)

TCP/IP

Transmission Control Protocol / Internet Protocol. The set of networking protocols used on the Internet and on some private networks

technical evidence

Evidence which is the result of a specific technical procedure or investigation; “expert evidence”, on the other hand, as far as the courts are concerned, can include the opinion of the witness

Thin client

Workstation with very basic functionality designed to operate on a network; most of what the user needs is held centrally and not on the workstation

Threading

In email, when successive emails are presented as part of an ongoing conversation, as opposed to simple date/time order

Thumbdrive

A small portable hard disk drive, usually with a Universal Serial Bus adaptor

Thumbnail

A small file containing a miniature version of a larger graphic file; they are used in folders/directories on websites and a number of other applications. Click on the thumbnail and usually the larger version of the file is displayed. Often a collection of thumbnails may be held in a database with a name like thumbs.db, which can be forensically examined

TLS

Transport Layer Security; cryptographic protocol to provide communications security over a network. Used for email, web-browsing, instant messaging and VOIP. A development from SSL (qv)

Torrent

Torrenting is a protocol for file sharing; a Torrent is a small piece of code which when inserted into a torrenting application will start to download a requested file from all the available computers that hold copies of it. See also P2P file sharing.

Tracert (traceroute)

A program used to identify all the links between a computer and the one to which it is connected

Tradecraft

Term used by covert law enforcement, intelligence agents and others to describe actions designed to conceal their activity. In digital investigations the aim is to prevent a target from realizing that they are under investigation.

Traffic analysis

An intelligence technique which consists of looking at patterns of connections between people based on the fact that they are communicating, as opposed to looking at the content of what is being said while they are communicating

Traffic Data

In telephony and networks: who called whom, when and for how long. Mobile phone traffic data also contains location information based on the cellsites to which a phone has been registered. Traffic data does not include the contents of the communication

Triage

Method for seeking to eliminate evidence sources which are unlikely to be useful in order to concentrate on those that may be

Trojan defence

A claim by a defendant that they are not responsible for activities apparently associated with their computer. The counter to the Trojan defence is to search the defendant’s computer for signs of a rogue program (see Trojan horse)

Trojan horse

A hidden program which covertly opens a port on an Internet-connected computer, enabling the contents of that computer to be viewed and altered and the whole computer to be remotely controlled. To work, the Trojan needs a “server”, which is installed on the target computer; and a “client”, which the perpetrator uses to send out commands

Ubuntu

Popular distribution of Linux

UEFI

Unified Extensible Firmware Interface – facility built into the hardware of most modern PCs and which provides the link to the software-based operating system. Since approximately 2011 it has replaced the BIOS (qv)

UMTS

Universal Mobile Telecommunications System: third generation mobile phone technology, based on GSM – principally but not exclusively used on 3G and 4G high speed mobile phone telephony

Unallocated space / Unallocated clusters

On a media storage device such as a hard disk, sectors which appear to be empty but in fact retain fragments from old files. File fragments recovered from unallocated space usually lack a file name or any date/time information; but enough may be recovered to be useful in an investigation

Unix

Family of operating systems which includes GNU-Linux, Solaris, BSD Unix and many others

URL

Universal Resource Locator – the address of a site or file on the world wide web. Strictly speaking, this should be URI – Uniform Resource Identifier.

USB

Universal Serial Bus. A very widely used method for connecting external devices to computers, eg printers, scanners, memory sticks, external hard disks. The most common standard at the moment is USB2. The earlier and much slower USB1 is now obsolete and the even faster USB3 is widely used.

Usenet

Also known as the newsgroups. One of the oldest aspects of the Internet, originally used for themed discussions, nearly all of them unmoderated. More recently a means for the distribution of binary files – programs, videos, etc., often pirated. Most ISPs used to provide their customers with Usenet feeds; many have since stopped doing so, but there are many specialist providers. Software is needed to read the feeds and to download and amalgamate binaries

User profiles

On more sophisticated computer operating systems, a profile of each user with their own desktops, programs, etc, accessed via a separate username and password. The most important user profile is that of the Administrator, who may have complete control of and access to the computer.

Virtual Machine

A VM is a technique by which what appears to be a complete computer is in fact running as a task on a larger computer. In regular use in large organisations and at some ISPs, VMs offer advantages in management and overall costs. A variation of the technique is used in forensic investigations: an image of a seized computer is mounted as a VM so that the investigator can view the seized computer running more-or-less as the original user would have seen it.

Virus

A self-replicating malicious program. There are many specific definitions that distinguish a virus from a worm (see worm)

VOIP

Voice Over Internet Protocol, or Internet Telephony. There are several competing implementations.

VPN

Virtual Private Network; a facility which uses the open Internet but where all data is encrypted to prevent eavesdropping

VSS

Volume Shadow Service, or Volume Shadow Copy: Security feature within Windows 7 and related and later operating systems whereby a backup of a key disk partition is maintained for security purposes. In forensic examination it is possible to use the VSS to view a hard disk at several past stages. The Apple OSX near-equivalent is called Time Machine

war-driving

The technique of driving around in a motor vehicle looking for open, unprotected wireless networks

Web server

A program holding webpages that will be sent on specific request

Web shell

Malware affecting web servers so that they can be administered remotely using a script

Webmail

Email where the emails are received, originated and stored on a remote web site as opposed to via a program on the user’s own PC or smartphone.

Whois

An internet facility to find out who owns an IP address or website

Wifi

Networking facility which takes place over the air using radio as opposed to along a cable. A Wifi access point is a device which provides localized wifi capabilities to the fixed wired network (often the Internet). Wifi access points or APs are sometimes referred to as Wifi hotspots.

Worm

A self-replicating malicious program (see virus)

Write-protect

A hardware or software device used to prevent inadvertent alteration of an original disk

XML

Extensible Mark-up Language – a language similar to HTML which can be read both by computers and humans. A number of computer programs store logging and configuration files in XML.

Zero-day malware

Malware which had hitherto been unknown and is particularly effective because standard existing anti-virus software is unable to detect it.

ZIP

A file compression program. A zip file contains one or more compressed files

ZIP disk

Larger capacity removable disk medium, now obsolete

Zombie

A third-party computer utilised in a distributed denial of service (DDOS) attack (see Denial of service (DOS))