Allocated Space: The clusters on a storage device that have been assigned to store data (also referred to as used space). When a file is to be written, the file system finds unused (i.e., unallocated) space on the medium and starts writing the data; the status of the clusters that are being written to is changed to allocated. (See also unallocated space.)
Availability: Availability is the assurance that the systems responsible for delivering, storing, and processing information are accessible when required by authorized users. Measures to maintain data availability can include redundant systems’ disk arrays and clustered machines, antivirus software to stop malware from destroying networks, and distributed denial-of-service (DDoS) prevention systems.
Bit: A measurement of data. It is the smallest unit of data. A bit is either a “1” or a “0.”
Bit-for-bit copy: A method of copying the information stored on electronic media so that it replicates the data at the lowest level. The term bit copy refers to the duplication of the 0s and 1s (bits) that form the basis of all digital information. This type of copying is utilized to create the true and accurate copy analyzed by the forensic examiner.
Bot: A “bot” (a contraction of “robot”) is a software application or program that can be controlled remotely to execute or automate predefined tasks. Hackers use bots as agents that carry out malicious activity over the Internet. Attackers use infected machines to launch distributed denial-of-service (DDoS) attacks, keylogging, spying, etc.
Botnet: A network of connected devices running bots that can be used to attack a network.
Breach: The act of compromising security protocol or technology.
Carving: One method of recovering deleted data from the unallocated space or slack space of computer media. Many specialized file types, such as graphical images, have a file signature that identifies the file contents and format. When a file is “deleted,” the contents of the file remain intact, although the file location on the media becomes marked as unallocated and, therefore, invisible to the operating system. Forensics tools can search unallocated and slack space for known file signatures and, in many cases, can recover the files completely intact.
Chain of Custody: Chain of custody refers to the chronological documentation or paper trail, showing seizure, custody, control, transfer and disposition of evidence. As the objective of the evidence is to prove facts or to convict personnel of crimes in court, it must be handled with extreme care to avoid being altered or destroyed without authorization. The ultimate purpose is to demonstrate that the alleged evidence is in fact relevant to the alleged crime(s), instead of being fraudulently planted. If the chain of custody is broken, the underlying fact of the evidence will be questioned and the evidence can no longer be used in court.
For digital evidence, the chain of evidence also includes additional steps to create a binary forensic duplication of the original data and generate a digital fingerprint (i.e. hash) which can verify the data authenticity.
Cloud: A server that is hosted in a remote location or outsourced.
Cluster: A group of contiguous sectors.
Confidentiality: Confidentiality is the assurance that the information is accessible only to those who are authorized to have access. Confidentiality breaches may occur due to improper data handling or a hacking attempt. Confidentiality controls include data classification, data encryption, and proper equipment disposal (i.e. of DVDs, CDs, etc.).
Daisy Chaining: It involves gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information.
DDoS: A Distributed Denial of Service attack is when a group of servers flood a network with traffic at the same time to prevent the network from functioning normally.
Defragmentation: The process of rewriting parts of a file to contiguous sectors on a hard disk to increase the speed of access and retrieval. When files are updated, the computer tends to save these updates on the largest continuous space on the hard disk, which is often on a different sector than the other parts of the file. When files are thus fragmented, the computer must search the hard disk each time the file is opened to find all of the parts of the file, which slows down response time. In Active Directory, defragmentation rearranges how the data is written in the directory database file to compact it. (See also fragmentation.)
Deleted Data: Deleted data is data that formerly existed on the computer as live data and which has been deleted by the computer system or end-user activity. Deleted data remains on storage media in whole or in part until it is overwritten by ongoing usage or wiped with a software program specifically designed to remove deleted data. After data has been deleted, directory entries, pointers, or other metadata relating to the deleted data may remain on the drive; wiped data is usually beyond the reach of most computer forensics processes.
Digital Forensics: The application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Digital Forensic Evidence: Information stored or transmitted in binary form that may be relied on in court.
DKIM: DKIM, or DomainKeys Identified Mail, lets an organization (or handler of the message) take responsibility for a message that is in transit. According to DKIM.org, DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such as the author’s From: field. DKIM is also a TXT record signature that builds trust between the sender and the receiver.
DMARC: DMARC, or Domain-Based Message Authentication Reporting and Conformance, is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the “Friendly-From” domain that the user sees. In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned.
- Both authentications passing indicates that the email is coming from an authorized server and that the header information has not been tampered with to falsify alignment.
- At least one authentication aligning proves that the sender owns the DNS space of the “Friendly-From” and is therefore who they say that they are.
For SPF to align, the message’s From domain and its Return-Path domain must match. For DKIM to align, the message’s From domain and its DKIM d= domain must match.
Domain: A group of computers or servers that can be accessed on the same network.
Doxing: Doxing refers to gathering and publishing personally identifiable information such as an individual’s name and email address, or other sensitive information pertaining to an entire organization. People with malicious intent collect this information from publicly accessible channels such as databases, social media and the Internet.
Electronic Storage Device: Any medium that is used to record information, including hard disks, magnetic tapes, compact disks, videotapes, audiotapes, and removable storage devices such as floppy disks and ZIP disks.
Email Account: A service that provides users with an email address and a mailbox.
Email Address: An identifier that includes a username, an @ symbol, and an email server; used to route email messages to their destination.
Email Header: An e-mail header is the part of an e-mail message that contains identification and routing information such as the sender, receiver, message identifier, chain of mail servers, message priority, and other tags. In an e-mail, the body (content text) is always preceded by header lines that identify particular routing information of the message, including the sender, recipient, date and subject. Some headers are mandatory, such as the FROM, TO and DATE headers. Others are optional, but very commonly used, such as SUBJECT and CC. Other headers include the sending time stamps and the receiving time stamps of all mail transfer agents that have received and sent the message. In other words, any time a message is transferred from one user to another (i.e. when it is sent or forwarded), the message is date/time stamped by a mail transfer agent (MTA) – a computer program or software agent that facilitates the transfer of email messages from one computer to another. This date/time stamp, like FROM, TO, and SUBJECT, becomes one of the many headers that precede the body of an email.
Email Message: A computer file containing a letter or memo that is transmitted electronically via a communications network. An email consists of three vital components: the envelope, the header(s), and the body of the message. The envelope is something that an email user will never see since it is part of the internal process by which an email is routed. The body is the part that we always see as it is the actual content of the message contained in the email. The header(s), the third component of an email, is perhaps a little more difficult to explain, though it is arguably the most interesting part of an email.
Email Server: A computer that uses special software to store and send email messages over the Internet.
Email System: The collection of computers and software that works together to provide email services.
Endpoint: An internet capable device.
Ethical hackers: An ethical hacker, sometimes called a security researcher, will work to find and exploit a vulnerable piece of technology (a/k/a a vulnerability). These individuals often identify a software or hardware flaw and inform the vendor that something needs a patch.
Exploit: An exploit is a breach of IT system security through vulnerabilities, in the context of an attack on a system or network. It also refers to malicious software or commands that can cause unanticipated behavior of legitimate software or hardware through attackers taking advantage of the vulnerabilities.
File: A collection of data or information stored under a specified name on a disk.
File Allocation Table (FAT): A file system based on a file allocation table (FAT) maintained by some operating systems, including Windows NT and Windows 2000, to keep track of the status of various segments of disk space used for file storage. The FAT file system is also commonly seen on floppy disks, thumb drives, and memory expansion cards.
File Extension: In the Windows operating system, the file extension is a tag of three or four characters, preceded by a dot that identifies a file’s format or the application used to create the file. File extensions can streamline the process of locating data; e.g., if one is looking for incriminating pictures stored on a computer, one might begin with .GIF and .JPG files. File extensions can be changed by a user, however, and cannot be the definitive method with which to identify the file type and content. (See also file signature.)
File Signature: A string of bytes within a file that definitively identifies the file format and application. A file signature is a better indication of file type than file extension.
File Slack: Space between the logical end of the file and the end of the last allocation unit for that file; the unused portion of a file between the end of the user data and the end of the last cluster of the file.
Firewall: A set of rules that dictates what traffic is allowed in and out of a network.
Flash Drive: A small electronic device containing flash memory that is used for storing data or transferring it to or from a computer, digital camera, etc.
Floppy Disk: An increasingly rare storage medium consisting of a thin magnetic film disk housed in a protective sleeve. The capacity of a 3.5″ floppy is approximately 1.44 MB.
Forensic Image: A forensic image, sometimes referred to as a mirror image or hard drive clone, is a fundamental aspect of data preservation and digital forensics. Forensic imaging creates an exact bit-for-bit copy of the source hard drive, SSD, USB or other media, and creates a unique digital fingerprint that is used to certify its authenticity. This process is critical when digital evidence will be admitted as evidence in litigation.
Fragmentation: The scattering of parts of the same file over different areas of the disk. Fragmentation occurs as files on a disk are deleted and new files are added. It slows disk access and degrades the overall performance of disk operations, although usually not severely. (See also defragmentation.)
Gmail: Gmail is a free, advertising-supported email service developed by Google. Users can access Gmail on the web and using third-party programs that synchronize email content through POP or IMAP protocols. Gmail started as a limited beta release on April 1, 2004, and ended its testing phase on July 7, 2009.
Graphic Image Formats: There are several common graphic image file formats:
- Bitmap (BMP)
- Graphics Interchange Format (GIF), developed by Compuserve
- Joint Photographic Experts Group (JPEG) format, most commonly used for photographs; JPEG files, in particular, contain metadata that indicate photographic timestamps, camera-type, resolution, and more
- Portable Network Graphics (PNG)
- Tagged Image File Format (TIFF)
Hack Value: Hack value is the notion among hackers that something is worth doing or is interesting. Hackers derive great satisfaction from breaking down the toughest network security, and consider it their accomplishment as it is something that not everyone can do.
Hacktivists: A person or group of people who might either break in, or simply knock on the front door to prove they could break in if they wanted to. Hacktivists are not in it to make money. Their goal is to promote a personal or an organization’s agenda, or effect social change. Basically, a hacktivist wants to make a point that networks and computers are not impervious to their attacks, and what they can view, extract, and share may be information they feel should be shared publicly. For example, Wikileaks is a well-known hacktivist group.
Hard Disk: The common magnetic storage medium for computers of all shapes and sizes; laptop computers commonly use a 2.5″ drive and desktop computers commonly use a 3.5″ drive. An internal hard drive is one that is located inside the computer case using an IDE or SCSI connector; an external hard drive connects to the computer via some sort of serial interface, such as Firewire or USB. Hard drives can also be stand-alone devices on a wired or wireless network. Common disk drive capacities today range from 160 GB (small notebook computers) and 250 GB (laptop computers) to 320 GB (desktop computers) and 1 TB (external network devices). Information on a hard drive remains on the disk even after the power is turned off. Technically speaking, a hard drive refers specifically to the magnetic storage platters and a hard disk drive is the mechanism that controls the positioning, reading, and writing of the information on the hard disk; since they are packaged as a unit, these terms tend to be used synonymously.
Hardware: The physical parts of a computer; if it can be picked up and touched, it is hardware as opposed to software.
Hashing: The process of using a mathematical algorithm to produce a numeric digital fingerprint of the contents of a file. Hash functions accept as input an arbitrarily long string and generate a fixed-length output string. Changing the name of a file will not change the hash value of the file (as long as the contents remain unchanged). The two most common hash functions used in digital forensics applications are Message Digest 5 (MD5) and the Secure Hash Algorithm (SHA).
Hypertext Markup Language (HTML): The tag-based markup language used to create Web pages. A browser (e.g., Chrome, Firefox, Internet Explorer, or Safari) downloads an HTML file from a Web server and renders the file contents into a nicely formatted page for the user.
Integrity: Integrity is the trustworthiness of data or resources in the prevention of improper and unauthorized changes—the assurance that information is sufficiently accurate for its purpose. Measures to maintain data integrity may include a checksum (a number produced by a mathematical function to verify that a given block of data is not changed) and access control (which ensures that only the authorized people can update, add, and delete data to protect its integrity).
Internet Protocol (IP) Address: A unique set of numbers or letters that identifies each computer using the internet. An IP version 4 (IPv4) address is a 32-bit number that uniquely identifies a host connected to the Internet. An IP address is expressed in “dotted decimal” format, consisting of the decimal value (0-255) of its four bytes, separated with periods; an example IPv4 address is 184.108.40.206. IPv4 addresses are broken into a network identifier (NETID) and host identifier (HOSTID); the NETID identifies the network on which the host resides. IPv4 defines several so-called private addresses that can be used by an enterprise any way they want (e.g., 10.0.0.0, 172.16.0.0-172.31.0.0, 192.168.0.0). IP version 6 (IPv6) addresses are 128 bits in length.
Malicious Hackers: A person or a group of individuals who make a concerted effort to break into an organization’s network or a personal computer or device to do harm of some kind. They are often in it to make money and work somewhere in the Dark Web. These individuals are called Black Hats. Malicious hackers can also be those who have been tasked, as citizens or otherwise, to instigate a nation state-sponsored attack meant to disrupt operations or steal information from a government organization or company in the private sector within another nation-state.
Malware: Software that is designed to damage or gain unauthorized access to a system.
MBOX: The MBOX file is the most common format for storing email messages on a hard drive. All the messages for each mailbox are stored as a single, long, text file in a string of concatenated e-mail messages, starting with the “From” header of the message. MBOX files were used predominantly on Unix.
Media Storage Devices: Magnetic and optical storage devices that include hard and floppy disks, tapes, ZIP disks, thumb (aka flash) drives, memory expansion cards, CDs, and DVDs. These storage devices are distinct from computer memory, which refers to temporary storage areas within the computer. Unlike main memory, media storage devices retain data even when power is turned off.
Media Wiping: A process that overwrites the entire hard drive with data (zeros or random characters) thus rendering it unreadable and ensures a valid technique across media.
Message Digest 5 (MD5): A hash function that produces a 128-bit digital fingerprint of an input file. Although some researchers have been able to produce multiple files with the same MD5 hash, MD5 is still acceptable for computer forensics applications. (See also hashing and Secure Hash Algorithm.)
Metadata: Metadata is “data about data” and is information about a particular data set. System metadata is information about the file itself, such as location on the disk, size, timestamps, file sharing attributes, and file ownership. File metadata is data about the file contents and is usually application-dependent, such as camera information (in JPEG files) and user information (in Word files). Metadata is generally not reproduced in full form when a document is printed; indeed, it is usually not easily visible by the user.
microSD: A format for removable flash memory cards, adding additional memory to a device.
NTFS (New Technology File System): A recoverable file system designed for use specifically with Windows NT-based operating systems (i.e., Windows NT, 2000, XP, Vista, and 7/10). NTFS supports file system recovery, large storage media, and many advanced features compared with the FAT file system.
Operating System: The master control program that runs a computer; examples include Linux, Mac OS X, Unix, and Windows. The OS provides the user interface (command line or graphical) and defines the interaction between the computer hardware and software.
Payload: Payload is the part of malware or exploit code that performs the intended malicious actions, which can include creating backdoor access to a victim’s machine, damaging or deleting files, committing data theft, and hijacking computers. Hackers use various methods to execute the payload. For example, they can activate a logic bomb, execute an infected program, or use an unprotected computer connected to a network.
Penetration Test: A test designed to simulate an attack by hackers on a computer network or organization.
Peripherals: Ancillary devices that are not “essential” parts of the computer itself. Peripheral devices can be outside of the computer (i.e., external such as a mouse, keyboard, printer, monitor, camera, external hard drive, or scanner) or inside the computer case (i.e., internal such as a CD-ROM drive, internal modem, or floppy disk drive).
Phishing/Spearphishing: Sending emails to an organization or individual with the purpose of obtaining sensitive information through fraud.
Random Access Memory (RAM): Short-term, physical memory used by the computer processor to store program instructions and data. Information stored in RAM is lost when the computer is turned off. RAM today commonly ranges in capacity from 1 GB to 8 GB (more RAM means less swapping of information and, therefore, faster processing; see Page file). Because RAM might contain user names and passwords, it is becoming more common to image RAM prior to shutting a computer off. Contrast with Read Only Memory (ROM).
Ransomware: Malicious software that blocks access to a system until a ransom is paid.
Read-only memory (ROM): A type of storage that, in general, can only be read from but not written to. A computer’s basic input/output system (BIOS) chip, for example, is a semiconductor circuit that contains a small program that starts a computer and performs basic diagnostics. The system reads the instructions in BIOS during the boot process but does not write to BIOS. (A special process, called flashing, can be employed to re-write instructions to BIOS for purposes of updating, but normal operations merely read.) A CD-ROM is a media device that allows only a single write; all subsequent access to a CD-ROM is for reading. Contrast with Random Access Memory (RAM).
Registry: In Windows 95 and later versions, the registry is a database of information about the computer’s hardware and software configuration, including user profile and usage information. The registry was intended to consolidate all of the individual initialization (.INI) files associated with the operating system and user applications. The registry is organized in a hierarchical structure and consists of subtrees and their keys, hives, and entries.
Router: On the Internet, a router is a network backbone device responsible for forwarding Internet Protocol (IP) packets from the sender to the receiver. At a company, a router is the gateway between the corporate network and the greater Internet. A residential broadband router provides essentially the same service — i.e., acting as a gateway between the home network and Internet — but also usually incorporates additional functions such as a switch (allowing multiple computers to physically connect to the router and each other, forming a home local area network) or wireless access point (allowing multiple computers to access the router via radio).
Screen Capture: Refers to the act of copying what is currently displayed on a screen to a file or printer. Screen capture can be performed using functions on the computer, which generally create a graphical file containing a bit map of the screen image, or by taking photographs of the screen. Screen captures can be accomplished by a series of one or more photographs or video capture.
Secure Hash Algorithm (SHA): Developed by the National Institute of Standards and Technology (NIST), a hash function that produces a 160-bit digital fingerprint of an input file. (See also hashing and Message Digest 5.)
Session Hijacking: Exploiting a valid user session to gain unauthorized access to a computer or website.
SOC: A Security Operation Center is a centralized unit and/or location that deals with information security.
Software: The programs that allow users to perform tasks on a computer, such as word processing, media players, graphics editing, accounting systems, games, and more. The computer’s operating system is also software. Also known as applications and executables.
SPF: SPF, or Sender Policy Framework, is an email validation protocol designed to detect and block email spoofing by allowing mail exchangers to verify that incoming mail from a domain comes from an IP address authorized by that domain’s administrators. An SPF record is a TXT record found in the DNS (Domain Name System) record that specifies which IP addresses and/or servers are allowed to send mail “from” that domain. It is akin to a return address on a postcard: most people are much more likely to open a letter if the letter has a reliable and recognizable return address from which it was sent. After a message is sent, ISPs will check the message’s Return-Path domain. They will then compare the IP address that sent the email to the IP address listed in the Return-Path domain’s SPF record to see if it is aligned. If so, SPF authentication has been confirmed and the message will be delivered.
Unallocated Space: The clusters on a storage device that are not assigned to store data. When a file is written to a drive, the clusters storing the data are marked as “allocated.” When the file is deleted, the clusters are merely marked as “unallocated” but the contents of those clusters remain untouched; this is why deleted data can often be recovered. If a file is wiped, the clusters are marked unallocated and the clusters are overwritten with other information, making the data effectively unrecoverable. (See also allocated space.)
Universal Serial Bus (USB): A serial bus for connecting peripherals to a microcomputer. USB can connect up to 127 peripherals, such as external CD-ROM drives, printers, modems, thumb drives, and keyboards, to the system through a single, general-purpose port. This is accomplished by daisy chaining peripherals together. USB supports hot plugging and multiple data streams.
Validation: A method of showing that a technique does what it is expected to.
VCF File: A VCF file is a standard file format for storing contact information for a person or business. It typically includes a name, address, phone number, e-mail address, and other contact information. VCF files also support custom fields, images, and other types of media. VCF files are often used for importing and exporting contacts from address books. They may be attached to e-mail messages, which provides the recipient with an easy way to import the sender’s contact information.
Verification: A method of showing that a given method produces consistent outcomes every time.
Vulnerability: Vulnerability is the existence of a weakness, design, or implementation error that, when exploited, leads to an unexpected and undesirable event compromising the security of the system. Simply put, vulnerability is a security loophole that allows an attacker to enter the system by bypassing various user authentications.
Webmail: An email system that allows users to access email messages using a browser.
Write Blocking: Write blocking is the act of ensuring that the contents of an evidence drive cannot be modified during the scope of an investigation. It allows acquisition of information on a drive without creating the possibility of accidentally damaging the drive contents. Write blockers do this by blocking write commands, but allowing read commands. This can be done in one of two ways – with either hardware or software write blockers.
Zero-Day Attack: In a Zero-Day attack, the attacker exploits vulnerabilities in a computer application before the software developer can release a patch for them.