Wear Leveling
Mechanisms aided by algorithms tracking use and wear on flash memory ensure all memory blocks experience a similar number of write/erase cycles, extending the life of the device.
Artifact
Data created as a result of the use of an electronic device that shows past activity.
Carve
The extraction of a portion of data for the purpose of analysis.
Archive
Data placed on media for long-term storage / A bit-stream duplicate of the original data placed on media for long-term storage.
Algorithm
Step-by-step (mathematical) procedure for solving a problem or accomplishing some end.
Chain of Custody
Chronological documentation of the movement, location, and possession of evidence.
Codec
(Compressor/Decompressor)… a device or program capable of encoding and decoding digital data. They encode a stream or signal for transmission, storage, or encryption.
Competency Test
Evaluation of a person’s knowledge and ability to perform independent work in forensic casework, prior to performance. (vs Proficiency)
Compression
Process of reducing the size of a data file… a reduction in the number of bits needed to represent data. Concerns: storage capacity, speed, cost, bandwidth.
Compression Ratio
Size of data file before compression divided by the file size after compression.
Computer Evidence
Subsection of digital multimedia forensics that involves the examination, comparison, and/or evaluation of digital evidence in legal matters.
Data
Information in analog or digital form that can be transmitted or processed.
Data Analysis
The assessment of the information contained within the media.
Data Extraction
Process that identifies and recovers information that may be latent, or not immediately apparent.
Digital Evidence
Information of probative value that is stored or transmitted in binary form.
Duplicate
An accurate and complete reproduction of all data objects independent of the physical media.
Extraction
A method of exporting data (obtaining and recovering) from a source. Extraction carving is a technique used in computer forensics and data recovery to extract files and information from storage devices. We use the definition specifically for obtaining data from mobile devices… “Recovery” for computer devices.
File Format
The structure by which data is organized in a file.
File Slack
The data between the logical end of a file and end of the last storage unit for that file.
Forensic
The use or application of science or scientific knowledge to a point of law, especially as it applies to the investigation of crime.
Forensic Clone
A comprehensive duplicate of electronic media. Artifacts can be discovered in its slack and unallocated space. A bit stream image (an exact bit-for-bit copy) duplicate of the available data from one physical media to another. Usually used as a working copy.
Forensic Image
A comprehensive duplicate, a bit stream copy of available data, often encapsulated in a proprietary form (E01, AD1). Usually used for analysis and evidence preservation. Artifacts such as deleted files, fragments, and hidden data may be found in slack (between the end-of-file marker and the end of the cluster) and unallocated space. An exact duplicate of the data, also considered a bit-by-bit copy.
Hash Value or Hash
Numerical values generated by hashing tools, used to substantiate the integrity of digital evidence and/or for inclusion/exclusion comparisons against known value sets.
Hashing or Hashing Function
Application of… an established mathematical calculation that generates a numerical value (the hash) based on input data.
Integrity Verification
The process of confirming that the data presented is complete and unaltered since time of acquisition.
Log File
A record of actions, events, and related data.
Logical Acquisition
Accurate reproduction of information contained within a logical volume (e.g. mounted volume, logical drive assignment, etc.)
Logical Volume (LV)
A group of information on a physical volume (PV) that can span multiple disks. LVs are virtual storage volumes that can be used for a variety of system purposes, such as paging.
Memory Smear
The modification of data by a running system during the memory acquisition process.
Metadata
Data, frequently embedded within a file, that describes a file or directory, which can include the locations where the content is stored, dates and times, app-specific info, and permissions.
Mobile Forensics
The utilization of scientific methodologies to recover data stored by a cellular device for legal purposes.
Physical Copy
An accurate reproduction of information contained on the physical device.
Physical Image
Bitstream duplicate of data contained on a device.
Proficiency Test
A test to evaluate analysts, tech personnel and quality performance of an agency.
Quality Assurance
Planned and systematic actions necessary to provide sufficient confidence that an agency/lab product or service will satisfy requirements for quality.
Quantitative Analysis
Process used to extract measurable data from a source.
Reliability
Extent to which info can be depended upon.
Reproducibility
The extent to which a process yields the same results on repeated trials.
Residue
Data contained in unallocated space or file slack.
Resolution
The act, process, or capability of distinguishing between two separate but adjacent parts or stimuli, such as elements of detail in an image or similar colors.
Restoration
Any process applied to partially or totally remove the effects of degradation.
Routing Switcher
A device and/or software used to direct the path of one or more signals into one or more devices.
Signature Wiped
Media securely wiped in accordance with acceptable standards such as those of NIST utilizing a unique sector character signature.
Technical Peer Review
An evaluation conducted by a second qualified individual of reports, notes, data, conclusions, and other documents.
Triage
Process by which items considered for collection or analysis are prioritized to determine the order in which they should be collected and analyzed if at all.
Validation
Process of performing a set of experiments which establishes the efficacy and reliability of a tool / An evaluation to determine if a tool, technique, or procedure functions correctly and as intended. Standardized testing in which outcomes are compared to known, standard expected results.
Verification
Process of confirming the accuracy of an item to its original / confirmation that a tool, technique, or procedure performs as expected.
WORM
Write Once Read Many
Write Block / Write Protect
Hardware/software methods of preventing modifications of media content.