Acquisition (Imaging)
In digital forensics, acquisition is the process of creating an exact bit-by-bit copy of the drive or device which is under examination. Other terms for acquisition include imaging and cloning. As a fail-safe against critical errors corrupting data and destroying evidence, all examinations are made on clones of the source media.
Post-mortem a...
Allocated Space
When you check your hard drive's storage capacity, everything marked as "used space" is what is also known as allocated space. Because of the nature of sectors and clusters, allocated space may contain many bits and bytes of blank data, or partially-deleted files.
These remnants exist in what's called slack space.
A computer forensics examiner wi...
Binary Code
Binary arithmetic was originally described in the 17th Century by German mathematician and philosopher Gottfried Leibniz, but has its roots in the ancient Chinese Zhou dynasty.
In computer technology, binary code is a base 2 numbering system of 1s and 0s (as opposed to the base 10 decimal system we're most familiar with) which allows computers to ...
Bits & Bytes (Mega-, Giga-, Tera-)
Bits are the smallest form of information read by digital devices. In binary code, bits are represented by either a 1 (ON) or 0 (OFF). A collection of 8 bits is called a byte. A kilobyte is 1024 bytes, a megabyte is 1024 kilobytes, and a gigabyte is 1024 megabytes, and so on for Tera-, Peta-, Exabytes and larger. A typical 3-minute mp3 song recording...
Clusters
Your computer's operating system reads and stores data as clusters. Clusters are groups of sectors and represent the smallest space your computer will use to store data. In Windows, default cluster sizes range from a single sector (512 bytes) to 64 kilobytes, depending on a number of factors. Even if your file is smaller than the cluster, your oper...
Cookies
Browser cookies are small files which act as a memory bank for websites accessed by a user. For example, Amazon remembers what you had in your shopping cart because it is communicating with the cookie it left in your browser. The cookie file itself is nothing more than a small .txt document. The site you're visiting will identify any coo...
Delete
The most important thing to know about digital forensics investigations is that "delete" does not mean "erase". To most of us, pressing Delete or emptying the recycle bin is the bitter end for unwanted files. They disappear from Finder or File Explorer, so they must be gone for good, right?
Not to a computer forensic examiner. With our specialized tools, we...
Digital (Computer) Forensics
Digital forensics is the accepted term for the field of analyzing and recovering files from Windows or Mac-based computer hard drives, iPhones and iPads, Android and Windows smartphones and tablets, even video game systems and standalone GPS units. The term digital forensics grew from the field of computer forensics, to reflect the surge in digital...
E-Discovery
Electronic discovery, or e-discovery, refers to the process of obtaining and preserving digital evidence for use in a legal proceeding. The specialized hardware and software used by digital forensic examiners ensures the integrity of the information can be verified as original and unaltered, allowing recovered data to be admitted as courtroom evide...
Encryption
Digital encryption allows for the safe transmission of sensitive material between networks. Strong encryption is what makes it possible for us to shop online with our credit cards, e-file our taxes to the government, even apply for loans or lines of credit without having to leave our homes. Encryption can also be used to hide incriminating files...
File Carving
In many respects, file carving is the heart of a computer forensics examination. Digital forensic tools can help automate the process, but it frequently comes down to the skills and training of the analyst. File carving involves a bit-by-bit analysis of the contents of a hard drive, searching for remnants of files which have been marked for deletion.
...
GPS
GPS is short for Global Positioning System. The GPS system uses a series of satellites to track pinpoint locations of subjects anywhere on or near the Earth. Originally developed in the 1970s for military purposes, personal GPS technology has grown exponentially over the last fifteen years. Almost every, if not all smartphones and tablets manufactu...
Hard Drive
Hard drives are where all of your saved files, documents, music, pictures, programs, system files and much more are stored. Typical hard drives consist of an aluminum disc with a magnetic coating and a head which allows the computer to read and write to the disc. All data is stored on the disc in binary code: either magnetized (1, or ON), or not ma...
Hashing
Hashing is how we know our data acquisition has produced an exact bit-for-bit duplicate of our source. Hash values are generated mathematically by algorithms. Even minor changes to data on the drive, like clicking the mouse, will create a radically different hash value. This makes it easy to verify legal evidence has not been compromised or cor...
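The verification step described above, as an added example that is not part of the original glossary: the "source media" is a constructed byte string standing in for a drive, the image is a bit-for-bit copy, and both are hashed independently; a single flipped bit in the image is enough to make the digests disagree.

```python
import hashlib

# Constructed stand-in for the source media: 4 KiB of deterministic bytes.
SOURCE_MEDIA = bytes(range(256)) * 16


def hash_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data under the named hashlib algorithm (e.g. "md5", "sha256")."""
    digest = hashlib.new(algorithm)
    digest.update(data)
    return digest.hexdigest()


def acquire(source: bytes) -> bytes:
    """Bit-for-bit copy of the source; stands in for the imaging step."""
    return bytes(source)


def verify_acquisition(source: bytes, image: bytes, algorithm: str = "sha256") -> bool:
    """Hash source and image separately; equal digests mean an exact duplicate."""
    return hash_bytes(source, algorithm) == hash_bytes(image, algorithm)


def flip_one_bit(data: bytes, byte_index: int, bit: int) -> bytes:
    """Copy of data with one bit toggled; simulates an accidental write to the image."""
    modified = bytearray(data)
    modified[byte_index] ^= 1 << bit
    return bytes(modified)


if __name__ == "__main__":
    image = acquire(SOURCE_MEDIA)
    print("clean image verifies:  ", verify_acquisition(SOURCE_MEDIA, image))
    tainted = flip_one_bit(image, 1000, 3)
    print("tainted image verifies:", verify_acquisition(SOURCE_MEDIA, tainted))
    print("source :", hash_bytes(SOURCE_MEDIA))
    print("tainted:", hash_bytes(tainted))
```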
Messaging
Made popular in the 1990s with programs like ICQ, Yahoo! Instant Messenger, AIM and MSN Messenger (later called Windows Live Messenger), instant messaging programs actually predate the internet as some of the oldest real-time communications systems. The oldest program which could be considered an "instant messenger" dates to the mid-1960s.
Along w...
IP Address
An IP, or Internet Protocol, address tells a server where a user is in the world, sometimes as accurately as the local ZIP code.
Your credit card company, for example, can use this information to determine whether or not someone is trying to use your card fraudulently. If the IP address of the person using your card is outside your normal range, th...
Live Acquisition
In digital forensics analysis, live acquisition is the process of recovering data from a device which is powered up while the acquisition is occurring. This is most frequently done when analyzing cell phones and tablets.
This differs from post-mortem acquisition which is done when power has been removed from the source.
Live acquisition must also...
Memory (RAM)
Memory is the flip side of storage. While information in storage is considered stable or "involatile", memory is unstable, or volatile, requiring an electrical current to run.
The RAM on your computer is an example of memory. A memory cell containing a capacitor and a transistor records binary data as either a high charge (1, or ON) or a low charg...
Metadata
Metadata is supplemental information attached to a file. It literally means "data about data". The first form of metadata most of us learned was in 5th grade, memorizing the Dewey Decimal System and learning about library card catalogues.
In a digital file, metadata can record a number of useful facts, including the date and time a file was c...
Operating System
The Operating System, or OS, is the program you're using right now to interact with your computer. Most of you are running a version of Microsoft Windows, whether it be Windows 98, ME, XP, Vista, 7 or 8. Apple's Mac OS X has been growing in popularity over the years, but still trails well behind Windows in market share for personal computers.
The ...
Post-Mortem Acquisition
In digital forensics analysis, post-mortem acquisition is the process of recovering deleted data from a device which is disconnected from its power source.
This is the most common form of computer forensics acquisition when dealing with desktop computers and laptops. Typically, the hard drive is removed from the powered-down computer, plugged into...
Sectors
Sectors are the smallest containers computers will use to store data. Your operating system will group sectors together into clusters, which helps speed up the read and write process. Each sector holds up to 512 kilobytes of data.
When the operating system saves a file to the hard drive, it will mark the entire cluster as used, or allocated, even ...
Slack Space
Since computers store information in sectors, and in groups of sectors called clusters, it is rare that a file will fit perfectly into the amount of space it is given. The unused space between the end of the file and the end of its last cluster is called slack space. Slack space is considered allocated space by your computer, but does...
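The cluster and slack-space behaviour described in the Clusters, Sectors and Slack Space entries, as an added example that is not part of the original glossary: a constructed in-memory "disk" with 512-byte sectors and 8-sector clusters, where a small file overwrites the start of a cluster previously used by a larger file, and the remainder of the old contents survives in the new file's slack.

```python
SECTOR_SIZE = 512          # bytes per sector
SECTORS_PER_CLUSTER = 8    # 4 KiB clusters, a common Windows default
CLUSTER_SIZE = SECTOR_SIZE * SECTORS_PER_CLUSTER


def allocation(file_size: int, cluster_size: int = CLUSTER_SIZE) -> dict:
    """Clusters a file occupies, bytes marked allocated, and slack left in its last cluster."""
    clusters = -(-file_size // cluster_size)          # ceiling division; empty file needs no cluster
    allocated = clusters * cluster_size
    return {"clusters": clusters, "allocated_bytes": allocated, "slack_bytes": allocated - file_size}


def write_file(disk: bytearray, offset: int, content: bytes) -> None:
    """Write content at a cluster-aligned offset; only the file's own bytes are touched."""
    disk[offset:offset + len(content)] = content


def read_slack(disk: bytearray, offset: int, file_size: int, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Bytes between the end of the file and the end of its last allocated cluster."""
    end_of_allocation = offset + allocation(file_size, cluster_size)["allocated_bytes"]
    return bytes(disk[offset + file_size:end_of_allocation])


def demo_slack() -> bytes:
    """Constructed scenario: a 3300-byte file is 'deleted', then a 350-byte file reuses cluster 0."""
    disk = bytearray(CLUSTER_SIZE * 4)                # four empty clusters
    old_file = b"OLD SECRET " * 300                   # 3300 bytes, one cluster
    write_file(disk, 0, old_file)
    # Deleting only removes the directory entry; the bytes stay put. A new file reuses the cluster.
    new_file = b"new.txt" * 50                        # 350 bytes
    write_file(disk, 0, new_file)
    return read_slack(disk, 0, len(new_file))         # 3746 bytes, most of them from old_file


if __name__ == "__main__":
    print(allocation(350))
    slack = demo_slack()
    print(len(slack), "slack bytes; old content present:", b"OLD SECRET" in slack)
```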
Smartphones & Tablets
Chances are, you own a smartphone. More than 64% of Americans do, and the worldwide smartphone adoption rate is expected to triple between 2014 and 2020. You might wonder what makes a smartphone "smart". While low-end feature phones do provide some access to the internet and popular social media, smartphones are purpose-built for internet access an...
Solid-State Drives (SSD)
Solid-State Drives, or SSDs, are a type of hard drive which does not contain a disc. SSDs store data in a similar fashion to memory, but unlike RAM they do not require a persistent electrical current to retain data, and many also have an on-board battery or capacitor.
SSDs are becoming more common, particularly as high-speed boot drives containing a...
Storage
Storage describes any medium used to save files for long-term or permanent access. Storage media include your computer's hard drive, USB thumbsticks, memory cards, or optical storage media such as CDs, DVDs or Blu-rays. Unlike memory, storage is considered stable, or "involatile", because it does not require a persistent external electrical current...
Unallocated Space
When you check your hard drive's storage capacity, everything displayed as "free space" is what's also known as the unallocated space. Unallocated space does not mean unused space. When data is written to your hard drive, it is written into sectors to save time. A file may not use an entire sector, but the full capacity of the sector will neverthel...
Write Blocking
A write blocker must be used in order to preserve the integrity of evidence contained within a hard drive. Without a write blocker, any action taken by a digital forensic examiner will be recorded on the drive, no matter how minor or inconsequential. Even these minuscule changes can cast a shadow of doubt on the investigation and render any evidenc...