Digital Forensics Glossary

A comprehensive glossary of terms, definitions, and concepts used in digital forensics, cybersecurity, and computer investigations. Use this resource to understand the terminology and jargon commonly used in the field.


A

Acquisition

The process of creating a forensic copy (image) of digital evidence from a source such as a disk, a phone, or system memory. Also called imaging. The source is normally attached through a write-blocker, and the copy is verified against the source with a cryptographic hash.

Artifact

Any piece of digital evidence that can be extracted from a device or system, such as files, registry entries, or browser history.

Anti-Forensics

Techniques used to prevent, hinder, or mislead digital forensics investigations, such as encryption, data wiping, or obfuscation.

B

Bit-Stream Copy

A sector-by-sector copy of a storage device that captures all data, including unallocated space and slack space. Also called a forensic image.

Browser Forensics

The analysis of web browser data including history, cookies, cache, bookmarks, and stored passwords to understand user activity.

C

Chain of Custody

A chronological documentation of every person who has handled evidence, when they handled it, and why. Essential for maintaining evidence integrity and admissibility in court.
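The custody record described above is a process, not a program, but the record itself is easier to defend when each entry commits to the one before it. The following Python is an added example and not code from the original page: an append-only custody log in which every record carries the SHA-256 of the previous record, so an edit to an old entry breaks every link after it. The evidence identifier, names, and timestamps are constructed for the example, and the evidence hash is a placeholder.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # prev_hash of the very first record


def record_hash(record):
    """SHA-256 over the canonical JSON form of one custody record (minus its own hash)."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canon).hexdigest()


class CustodyLog:
    """Append-only chain of custody; every record commits to the one before it."""

    def __init__(self, evidence_id, evidence_sha256):
        self.evidence_id = evidence_id          # exhibit label (assumed naming scheme)
        self.evidence_sha256 = evidence_sha256  # hash of the image this log is about
        self.records = []

    def append(self, handler, action, reason, when=None):
        when = when or datetime.now(timezone.utc)
        record = {
            "seq": len(self.records) + 1,
            "evidence_id": self.evidence_id,
            "evidence_sha256": self.evidence_sha256,
            "handler": handler,
            "action": action,
            "reason": reason,
            "timestamp": when.isoformat(),
            "prev_hash": self.records[-1]["record_hash"] if self.records else GENESIS,
        }
        record["record_hash"] = record_hash(record)
        self.records.append(record)
        return record

    def verify(self):
        """Walk the chain; return (True, None) or (False, seq of the first bad record)."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev_hash"] != prev or record_hash(rec) != rec["record_hash"]:
                return False, rec["seq"]
            prev = rec["record_hash"]
        return True, None


def demo():
    """Constructed custody events for a hypothetical exhibit, then a tampering attempt."""
    t0 = datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)
    log = CustodyLog("EXH-0007", "d2a1" + "0" * 60)   # placeholder image hash, constructed
    log.append("A. Analyst", "acquired", "imaged laptop SSD via write-blocker", t0)
    log.append("B. Custodian", "received", "stored in evidence locker 3", t0.replace(hour=11))
    log.append("C. Examiner", "checked out", "keyword search for case 2024-17", t0.replace(day=5))
    intact = log.verify()
    # Someone edits an old record after the fact: the chain fails from that record onward.
    log.records[1]["handler"] = "Z. Someone"
    tampered = log.verify()
    return intact, tampered


if __name__ == "__main__":
    print("before tamper:", demo()[0], " after tamper:", demo()[1])
```

The chain only proves anything if a trusted copy of the latest record hash exists outside the log (printed on the exhibit form, signed, or sent to a second system); otherwise an attacker who can edit the log can simply recompute every hash.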

Ciphertext

The output of encryption: data that is indistinguishable from random bytes and cannot be read without the decryption key. Encrypted volumes and files are a common reason to capture keys from RAM while a system is still running.

Cryptographic Hash

A mathematical function that produces a fixed-size output (hash value) from input data of any size. A suitable function is one-way (the input cannot be recovered from the hash) and collision resistant (it is infeasible to find two inputs with the same hash), and any change to the input, even a single bit, produces a different hash. Used to verify data integrity and to confirm that a forensic image is identical to the original.

Computer Forensics

The application of investigation and analysis techniques to gather and preserve evidence from computing devices in a way suitable for presentation in a court of law.

D

Deleted File Recovery

The process of recovering files that have been deleted but may still exist in unallocated space or file system metadata.

Digital Evidence

Information and data stored or transmitted in binary form that may be used in legal proceedings. Includes files, emails, images, logs, and other digital artifacts.

Disk Imaging

The process of creating a bit-by-bit copy of a storage device for forensic analysis. Creates an exact replica that can be analyzed without affecting the original evidence.

Dynamic Analysis

Examining malware or software by executing it in a controlled environment and observing its behavior, as opposed to static analysis of code.

E

EnCase

A commercial digital forensics software suite used for disk imaging, file analysis, and evidence management. Widely used in law enforcement and corporate investigations.

E01 Format

Expert Witness Format, the evidence file format used by EnCase and readable by most forensic tools. The image is stored in compressed chunks, each with its own CRC, together with case metadata and an acquisition hash of the source (MD5; newer tools can also store SHA-1), so integrity can be checked without a separate hash record. Large images are split into numbered segments (.E01, .E02, and so on). Encryption is not part of E01; EnCase's later Ex01 format added it.

Evidence Integrity

The assurance that digital evidence has not been altered, tampered with, or corrupted from the time it was collected through analysis and presentation.

F

File System

A method of storing and organizing files on storage devices. Common file systems include NTFS (Windows), APFS and the older HFS+ (macOS), ext4 (Linux), and FAT32/exFAT on removable media. The file system determines which artifacts exist (journals, timestamps, deleted entries) and how deleted data can be recovered.

Forensic Image

An exact bit-by-bit copy of a storage device that preserves all data including deleted files, unallocated space, and metadata. Used for analysis while preserving original evidence.

FTK (Forensic Toolkit)

A commercial digital forensics software suite used for computer investigations, including disk imaging, file analysis, email analysis, and password recovery.

G

GUID Partition Table (GPT)

A partitioning scheme defined by the UEFI specification that replaces the older MBR (Master Boot Record) layout. It identifies each partition by a GUID, supports disks larger than the 2 TiB MBR limit, and keeps a backup copy of the partition table at the end of the disk, which helps when reconstructing a damaged or deliberately wiped layout. Used by modern Windows, macOS, and Linux systems.

H

Hash Value

A digital fingerprint of a file or data created using a cryptographic hash function (MD5, SHA-1, SHA-256). Used to verify data integrity and to identify files by matching against known-file hash sets. MD5 and SHA-1 have practical collision attacks, so they remain in use for matching legacy hash sets but SHA-256 should be recorded for integrity verification; most tools compute both.
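The entries for Acquisition, Bit-Stream Copy, Cryptographic Hash, and Hash Value describe the same workflow: copy every byte, hash the source while reading it, hash the written image, and compare. The Python below is an added example, not code from the original page: it streams a bit-stream copy while computing MD5 and SHA-256, re-hashes the image, and then flips one bit in the image to show that verification catches it. The 4 MiB "device" is a constructed file standing in for a block device such as /dev/sdb (an assumption; a real acquisition reads the device node behind a write-blocker).

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024          # stream in 1 MiB reads; never load the device into memory
ALGOS = ("md5", "sha256")    # MD5 for matching legacy hash records, SHA-256 for verification


def hash_file(path, algos=ALGOS, chunk=CHUNK):
    """Hex digests of a file, computed in one streaming pass."""
    hashes = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for buf in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(buf)
    return {a: h.hexdigest() for a, h in hashes.items()}


def acquire(source, image, algos=ALGOS, chunk=CHUNK):
    """Bit-stream copy `source` to `image`, hashing the source bytes as they are read.

    Returns the acquisition hashes and the hashes of the written image re-read
    from disk; the examiner records both, and they must match.
    """
    hashes = {a: hashlib.new(a) for a in algos}
    with open(source, "rb") as src, open(image, "wb") as dst:
        for buf in iter(lambda: src.read(chunk), b""):
            dst.write(buf)
            for h in hashes.values():
                h.update(buf)
    return {
        "acquisition": {a: h.hexdigest() for a, h in hashes.items()},
        "verification": hash_file(image, algos, chunk),
    }


def verified(result):
    """True when the image on disk hashes to the same values as the source did."""
    return result["acquisition"] == result["verification"]


def make_sample_device(path, size=4 * 1024 * 1024):
    """Constructed stand-in for a block device: 4 MiB of deterministic SHA-256 chain output."""
    block = hashlib.sha256(b"constructed-evidence").digest()
    with open(path, "wb") as f:
        for _ in range(size // len(block)):
            f.write(block)
            block = hashlib.sha256(block).digest()
    return path


def demo():
    """Acquire the sample device, verify, then show that one flipped bit is detected."""
    with tempfile.TemporaryDirectory() as d:
        source = make_sample_device(os.path.join(d, "sdb.raw"))   # would be /dev/sdb on a real job
        image = os.path.join(d, "sdb.dd")
        result = acquire(source, image)
        ok = verified(result)
        with open(image, "r+b") as f:            # tamper with the image: flip one bit
            f.seek(12345)
            byte = f.read(1)[0]
            f.seek(12345)
            f.write(bytes([byte ^ 0x01]))
        tampered = hash_file(image)
        return ok, result["acquisition"], tampered


if __name__ == "__main__":
    ok, original, after = demo()
    print("image verified:", ok)
    print("sha256 before tamper:", original["sha256"])
    print("sha256 after tamper: ", after["sha256"])
```

Hashing the source a second time, after imaging, is also worth doing: if the source hash changed between the two reads, either the media is failing or something wrote to it, and the image cannot be trusted until that is explained.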

Hex Editor

A software tool that displays and allows editing of the raw hexadecimal representation of files. Used for low-level file analysis and recovery.

I

IOC (Indicator of Compromise)

A piece of information that indicates a system may have been compromised or attacked. Examples include IP addresses, file hashes, domain names, and registry keys.

Imaging

The process of creating a forensic copy of a storage device. See also: Acquisition, Disk Imaging.

Incident Response

The organized approach an organization takes to address and manage the aftermath of a security breach or cyber attack.

J

Journaling

A file system feature that records pending metadata changes (and, on some file systems, data) in a journal before applying them to the main on-disk structures, so the file system can be returned to a consistent state after a crash or power loss. Journals such as NTFS $LogFile (and the $UsnJrnl change journal) or the ext4 journal retain records of recent file creations, renames, and deletions, and are valuable forensic artifacts.

K

Keylogger

Software or hardware that records keystrokes. Can be used maliciously to steal passwords and sensitive information, or forensically to investigate user activity.

L

Live Forensics

Collecting evidence from a running system, including volatile data such as RAM contents, running processes, and network connections.

Logical Acquisition

A method of data extraction that retrieves files through normal operating system interfaces, typically recovering only active files and not deleted data or unallocated space.

M

Malware

Malicious software designed to harm, exploit, or gain unauthorized access to computer systems. Includes viruses, trojans, ransomware, and spyware.

Memory Dump

A copy of the contents of RAM at a specific point in time. Used in memory forensics to analyze running processes, loaded drivers, and other volatile data.

Metadata

Data about data. File metadata includes information such as creation date, modification date, file size, and file permissions. Can be crucial in investigations.

N

Network Forensics

The capture, recording, and analysis of network events to discover the source of security attacks or other problem incidents.

NTFS (New Technology File System)

The primary file system used by Windows operating systems. Provides journaling ($LogFile), encryption (EFS), alternate data streams, and detailed per-file metadata in the Master File Table ($MFT), including multiple sets of timestamps, all of which are important in forensics.

O

Obfuscation

The deliberate act of making code or data difficult to understand or analyze. Often used by malware authors and in anti-forensics techniques.

Occlusion

The process of hiding or obscuring information, often used in anti-forensics to prevent detection or analysis.

P

Packet Capture

The process of intercepting and logging network traffic. Captured packets are stored in files (PCAP format) for analysis in network forensics investigations.

PCAP File

A file format for storing captured network traffic: a 24-byte global header (magic number, version, snapshot length, link-layer type) followed by packet records, each with a timestamp, the number of bytes captured, and the original packet length. Contains the packets seen at the capture point during the capture; frames longer than the snapshot length are stored truncated, so captured and original lengths can differ. The newer pcapng format adds interface descriptions and comments.
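A small parser shows the structure described above better than prose. The following Python is an added example, not code from the original page: it reads the classic pcap global header (handling both byte orders and microsecond or nanosecond timestamps), walks the packet records, flags frames truncated by the snapshot length, and pulls the IPv4 endpoints out of Ethernet frames. The two-packet capture it parses is constructed in memory; the addresses and ports are made up, and IP/TCP checksums are left at zero because this parser does not validate them.

```python
import struct
from collections import namedtuple

Packet = namedtuple("Packet", "ts_sec ts_frac incl_len orig_len data")

# Magic number as read with "<I"; it tells us the writer's byte order and timestamp resolution.
MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),        # little-endian, microseconds
    0xD4C3B2A1: (">", 1_000_000),        # big-endian, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),    # little-endian, nanoseconds
    0x4D3CB2A1: (">", 1_000_000_000),    # big-endian, nanoseconds
}


def parse_pcap(blob):
    """Parse a classic pcap file from bytes. Returns (file_header_dict, [Packet, ...])."""
    if len(blob) < 24:
        raise ValueError("shorter than the 24-byte pcap global header")
    (magic,) = struct.unpack("<I", blob[:4])
    if magic not in MAGICS:
        raise ValueError(f"not a classic pcap file (magic {magic:#010x})")
    endian, ticks_per_sec = MAGICS[magic]
    _, vmaj, vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack(endian + "IHHiIII", blob[:24])
    header = {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype}
    packets, off = [], 24
    while off < len(blob):
        if off + 16 > len(blob):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", blob[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad record lengths at offset {off - 16}")
        data = blob[off:off + incl_len]
        if len(data) < incl_len:
            raise ValueError(f"truncated packet data at offset {off}")   # capture cut off mid-record
        off += incl_len
        packets.append(Packet(ts_sec, ts_frac / ticks_per_sec, incl_len, orig_len, data))
    return header, packets


def is_truncated(pkt):
    """True when snaplen cut the frame: only incl_len of orig_len bytes were stored."""
    return pkt.incl_len < pkt.orig_len


def ipv4_endpoints(pkt):
    """(src, dst, protocol) for an Ethernet/IPv4 frame (linktype 1), else None."""
    d = pkt.data
    if len(d) < 34 or d[12:14] != b"\x08\x00":     # EtherType 0x0800 = IPv4
        return None
    src = ".".join(str(b) for b in d[26:30])
    dst = ".".join(str(b) for b in d[30:34])
    return src, dst, d[23]                           # protocol byte of the IP header


def build_sample_pcap(snaplen=96):
    """Constructed two-packet capture: a TCP SYN that fits, and a frame cut by snaplen."""
    def frame(src, dst, payload_len):
        eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0x1234, 0x4000, 64, 6, 0,
                         bytes(int(x) for x in src.split(".")), bytes(int(x) for x in dst.split(".")))
        tcp = struct.pack("!HHIIBBHHH", 51515, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
        return eth + ip + tcp + b"A" * payload_len   # checksums left zero (not validated here)

    f1 = frame("10.0.0.5", "203.0.113.10", 0)        # 54 bytes, stored whole
    f2 = frame("10.0.0.5", "203.0.113.10", 200)      # 254 bytes, only 96 stored
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec1 = struct.pack("<IIII", 1700000000, 1, len(f1), len(f1)) + f1
    rec2 = struct.pack("<IIII", 1700000001, 250000, snaplen, len(f2)) + f2[:snaplen]
    return header + rec1 + rec2


if __name__ == "__main__":
    hdr, pkts = parse_pcap(build_sample_pcap())
    print(hdr)
    for p in pkts:
        print(f"{p.ts_sec}.{p.ts_frac:.6f} {ipv4_endpoints(p)} truncated={is_truncated(p)}")
```

The truncation flag matters in practice: a capture taken with a small snapshot length has full headers but missing payload, so a "no malicious content found" conclusion drawn from it is only as good as the snaplen in the header.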

Physical Acquisition

A method of data extraction that creates a bit-by-bit copy of a storage device, including unallocated space and deleted files. Provides the most complete data recovery.

Preprocessing

Initial analysis steps performed on evidence before detailed examination, such as identifying file types, calculating hashes, and extracting metadata.

Q

Quick Format

A formatting operation that rewrites file system metadata (directory structures, allocation tables) but does not erase the file data itself, so files may still be recoverable by carving. On SSDs the picture is different: a quick format can issue TRIM, after which the drive may return zeros for the freed blocks, so recovery is not guaranteed.

R

RAM (Random Access Memory)

Volatile memory that stores data temporarily while a computer is running. Contains valuable forensic evidence including running processes, passwords, and encryption keys.

Registry

A hierarchical database in Windows that stores configuration settings and information about the operating system, installed software, and user preferences.

Rootkit

Malicious software designed to hide its presence and maintain persistent access to a system. Often difficult to detect and remove.

S

Slack Space

The unused space in a disk cluster after a file ends. May contain remnants of previously deleted files or other data that can be recovered forensically.

Static Analysis

Examining code or files without executing them, typically by analyzing source code, binary files, or file structure. Opposite of dynamic analysis.

Steganography

The practice of hiding information within other files or data, such as embedding messages in the least significant bits of image pixels. Relevant to investigations because it conceals data in files that look legitimate; detecting it usually requires comparing against the original carrier or statistical analysis of the file.

T

Timeline Analysis

Examining events chronologically to understand the sequence of activities on a system. Helps identify patterns, relationships, and the progression of events during an incident.
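The hard part of timeline analysis is not sorting but getting every source onto one clock: web server logs carry their own UTC offset, traditional syslog carries neither year nor zone, and NTFS stores FILETIME ticks since 1601. The Python below is an added example, not code from the original page: it normalizes one event from each of those three formats to UTC and merges them. The three log entries are constructed; the syslog host's UTC-4 offset and the year 2023 are assumptions the analyst would have to document, and the FILETIME constant was computed for this example to represent 2023-10-10 11:56:10 UTC.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)


def filetime_to_utc(filetime):
    """Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC), as stored in NTFS
    $MFT attributes and the registry, converted to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_apache(line):
    """Apache/nginx combined log: the bracketed timestamp carries its own UTC offset."""
    m = re.search(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]", line)
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)


def parse_syslog(line, year, host_tz):
    """Traditional syslog has neither year nor zone; the analyst supplies both from the
    host's configuration (assumptions that belong in the timeline's notes)."""
    naive = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=host_tz).astimezone(UTC)


def build_timeline(events):
    """events: iterable of (source, aware_datetime, description) -> rows sorted by UTC time."""
    ordered = sorted(events, key=lambda e: e[1])
    return [(ts.astimezone(UTC).strftime("%Y-%m-%dT%H:%M:%SZ"), src, desc)
            for src, ts, desc in ordered]


# Constructed sample evidence from three systems with three different time conventions.
APACHE_LINE = '203.0.113.10 - - [10/Oct/2023:13:55:36 +0200] "POST /upload.php HTTP/1.1" 200 512'
SYSLOG_LINE = "Oct 10 07:54:01 web01 sshd[1234]: Accepted password for www-data from 203.0.113.10 port 51515 ssh2"
MFT_CREATED = 133414125700000000     # FILETIME for 2023-10-10 11:56:10 UTC (computed for this example)


def demo():
    events = [
        ("apache", parse_apache(APACHE_LINE), "POST /upload.php from 203.0.113.10"),
        ("syslog", parse_syslog(SYSLOG_LINE, 2023, timezone(timedelta(hours=-4))),
         "sshd accepted password for www-data from 203.0.113.10"),
        ("mft", filetime_to_utc(MFT_CREATED),
         "C:\\web\\uploads\\image.php created ($STANDARD_INFORMATION)"),
    ]
    return build_timeline(events)


if __name__ == "__main__":
    for when, source, what in demo():
        print(f"{when}  {source:<7} {what}")
```

Once the three entries share a clock the story reads in order (login, upload, file created); with the raw local timestamps the upload would appear to happen after the file was created. Record the offset you assumed for each host next to the timeline, and note that $STANDARD_INFORMATION timestamps can be altered by timestomping tools, whereas $FILE_NAME timestamps are harder to forge.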

Trojan Horse

Malicious software that disguises itself as legitimate software but performs harmful actions when executed. Named after the mythological Trojan horse.

U

Unallocated Space

Disk space that is not currently assigned to any file. May contain data from previously deleted files that can be recovered through forensics techniques.
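The entries for Deleted File Recovery, Quick Format, Slack Space, and Unallocated Space all rest on one fact: the file system tracks allocation separately from the bytes on disk. The Python below is an added example, not code from the original page, and it is a toy: a cluster-allocated volume with a bitmap and a directory, nothing like a real NTFS or FAT implementation. It shows an old file's bytes surviving as slack behind a newer, shorter file, a deleted PNG-shaped file being carved back out of unallocated space by its header and footer signatures, and the same carve still succeeding after a quick format. Cluster size, the signatures used, and the file contents are all constructed for the example, and allocation is always contiguous, which real volumes do not guarantee.

```python
SECTOR = 512
CLUSTER = 4 * SECTOR      # 2048-byte allocation unit (constructed geometry)
N_CLUSTERS = 64           # a 128 KiB volume

# File signatures the carver looks for: (header, footer). A constructed subset of the real lists.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}


def clusters_for(size):
    return -(-size // CLUSTER)     # ceiling division


class ToyVolume:
    """Cluster-allocated volume: an allocation bitmap, a directory, and raw clusters."""

    def __init__(self):
        self.raw = bytearray(N_CLUSTERS * CLUSTER)
        self.bitmap = [False] * N_CLUSTERS
        self.directory = {}       # name -> {"start": cluster, "size": bytes, "deleted": bool}

    def _alloc(self, n):
        """First-fit allocation of n contiguous clusters (a simplification)."""
        for start in range(N_CLUSTERS - n + 1):
            if not any(self.bitmap[start:start + n]):
                for c in range(start, start + n):
                    self.bitmap[c] = True
                return start
        raise OSError("volume full")

    def write(self, name, data):
        start = self._alloc(clusters_for(len(data)))
        off = start * CLUSTER
        # Only len(data) bytes are written. The tail of the last cluster keeps whatever
        # was there before (an older file's contents): that leftover is file slack.
        self.raw[off:off + len(data)] = data
        self.directory[name] = {"start": start, "size": len(data), "deleted": False}

    def read(self, name):
        e = self.directory[name]
        return bytes(self.raw[e["start"] * CLUSTER:e["start"] * CLUSTER + e["size"]])

    def delete(self, name):
        """Mark the directory entry and free the clusters; the data itself is untouched."""
        e = self.directory[name]
        for c in range(e["start"], e["start"] + clusters_for(e["size"])):
            self.bitmap[c] = False
        e["deleted"] = True

    def quick_format(self):
        """Reset the metadata only, which is all a quick format does to the volume."""
        self.directory.clear()
        self.bitmap = [False] * N_CLUSTERS

    def slack(self, name):
        e = self.directory[name]
        data_end = e["start"] * CLUSTER + e["size"]
        cluster_end = (e["start"] + clusters_for(e["size"])) * CLUSTER
        return bytes(self.raw[data_end:cluster_end])

    def unallocated(self):
        """Concatenated bytes of every cluster the bitmap does not mark as in use."""
        return b"".join(bytes(self.raw[c * CLUSTER:(c + 1) * CLUSTER])
                        for c, used in enumerate(self.bitmap) if not used)


def carve(volume):
    """Header/footer signature carving over unallocated space only; returns [(kind, bytes)]."""
    free = volume.unallocated()
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = 0
        while (start := free.find(head, pos)) >= 0:
            end = free.find(tail, start + len(head))
            if end < 0:
                break                       # header without footer: a fragment, not carved here
            found.append((kind, free[start:end + len(tail)]))
            pos = end + len(tail)
    return found


def demo():
    vol = ToyVolume()
    vol.write("draft.txt", b"X" * CLUSTER)          # fills cluster 0 completely
    vol.delete("draft.txt")                         # cluster 0 freed, its bytes remain
    vol.write("notes.txt", b"meeting at 9\n")      # reuses cluster 0; only 13 bytes rewritten
    png = SIGNATURES["png"][0] + b"\x00" * 3000 + SIGNATURES["png"][1]   # constructed PNG-shaped file
    vol.write("secret.png", png)                    # clusters 1-2
    vol.delete("secret.png")
    out = {
        "png": png,
        "slack": vol.slack("notes.txt"),            # draft.txt's X bytes trail the new file
        "carved_after_delete": carve(vol),
    }
    vol.quick_format()
    out["carved_after_format"] = carve(vol)
    return out


if __name__ == "__main__":
    r = demo()
    print("slack bytes behind notes.txt:", len(r["slack"]), r["slack"][:8])
    print("carved after delete:", [(k, len(b)) for k, b in r["carved_after_delete"]])
    print("carved after quick format:", [(k, len(b)) for k, b in r["carved_after_format"]])
```

Real carvers have to cope with fragmented files, footers that appear inside other data, and formats without a fixed footer (they use length fields instead), which is why tools validate the carved object, for example by parsing the PNG chunk structure, rather than trusting the signatures alone. On an SSD with TRIM, the same experiment can return all zeros for the freed clusters.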

USB Write-Blocker

A hardware device that prevents write operations to USB storage devices, ensuring evidence integrity during forensic examination.

V

Volatile Data

Data that exists only while a system is running and is lost when the system is powered off. Includes RAM contents, running processes, and network connections.
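The Memory Dump, Live Forensics, and Volatile Data entries all come down to the same first step once a dump is on disk: pull out the readable text (command lines, URLs, paths, keys) and sweep it against the indicators from the IOC entry. The Python below is an added example, not code from the original page: a strings extractor that handles both ASCII and the UTF-16LE encoding Windows uses for most in-memory text, followed by a case-insensitive IOC sweep. The "memory image" is a constructed byte string with three planted artifacts, and the IOC list is made up for the example.

```python
import re


def extract_strings(blob, min_len=6):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, with offsets.
    UTF-16LE matters on Windows: paths, command lines and registry values sit in memory that way."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_re.finditer(blob)]
    return sorted(found)


def match_iocs(strings, iocs):
    """Case-insensitive substring sweep of extracted strings against IOC values."""
    hits = []
    for offset, encoding, text in strings:
        lowered = text.lower()
        for ioc in iocs:
            if ioc.lower() in lowered:
                hits.append({"offset": offset, "encoding": encoding, "ioc": ioc, "string": text})
    return hits


def build_sample_dump():
    """Constructed stand-in for a memory image: binary noise around three planted artifacts."""
    noise = bytes([0x00, 0xFF, 0x10, 0x80, 0x7F]) * 200             # nothing printable in here
    cmdline = "powershell.exe -nop -w hidden -enc SQBFAFgA".encode("utf-16-le")
    url = b"http://evil.example.net/stage2.bin"
    c2 = b"198.51.100.23:4444"
    return noise + cmdline + b"\x00\x00" + noise + url + b"\x00" + noise + c2 + noise


# Constructed IOC list; real ones come from threat-intel feeds or the incident's own findings.
IOCS = ["evil.example.net", "198.51.100.23"]


def demo():
    strings = extract_strings(build_sample_dump())
    return strings, match_iocs(strings, IOCS)


if __name__ == "__main__":
    strings, hits = demo()
    for offset, encoding, text in strings:
        print(f"{offset:#010x} {encoding:<8} {text}")
    for h in hits:
        print("IOC hit:", h["ioc"], "in", h["string"])
```

A plain ASCII-only strings pass would have missed the PowerShell command line entirely, which is the usual way encoded-command launches hide from a quick look. Offsets are kept so that a hit can be traced back to the owning process with a memory-analysis framework.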

Virus

Malicious code that replicates by inserting copies of itself into other programs or files. Unlike a worm, it cannot spread on its own: the infected host program must be run before the virus executes and infects further files.

W

Write-Blocker

A hardware device or software mechanism that blocks write commands between an examination system and evidence media, so that attaching the original drive for acquisition does not alter it. Hardware write-blockers sit inline on the drive interface (SATA, USB, NVMe) and are preferred because they do not depend on the host operating system behaving.

Worm

Self-replicating malware that spreads automatically across networks without requiring user interaction. Often exploits security vulnerabilities.

X

X-Ways Forensics

A commercial digital forensics software tool known for its efficiency and advanced searching capabilities. Widely used in professional investigations.

Z

Zero-Day

A security vulnerability for which no vendor patch exists, typically because the vendor has only just learned of it or does not yet know about it; the name refers to the vendor having had zero days to fix it. Exploits for such flaws are particularly dangerous because defenders can rely only on detection and mitigations, not on a fix.

Learn More

This glossary covers common digital forensics terminology. To learn more about these concepts in detail, explore the site's Learning Resources and Tools & Resources pages.