Chapter 1: Understanding the Digital Forensics Profession and Investigations

Bit-Stream Copy

A bit-by-bit duplicate of data on the original storage medium. This process is usually called "acquiring an image" or "making an image."

Allegation

A charge made against someone or something before proof has been found.

Interview

A conversation conducted to collect information from a witness or suspect about specific facts related to an investigation.

Approved Secure Container

A fireproof container locked by a key or combination.

Single-Evidence Form

A form that dedicates a page for each item retrieved for a case. It allows investigators to add more detail about exactly what was done to the evidence each time it was taken from the storage locker. See also evidence custody form.

Computer Technology Investigators Network (CTIN)

A nonprofit group based in Seattle-Tacoma, WA, composed of law enforcement members, private corporation security professionals, and other security professionals whose aim is to improve the quality of high-technology investigations in the Pacific Northwest.

Affidavit

A notarized document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation. It is also called a "declaration" when the document is unnotarized.

Evidence Custody Form

A printed form indicating who has signed out and been in physical possession of evidence.

Digital Evidence First Responder (DEFR)

A professional who secures digital evidence at the scene and ensures its viability while transporting it to the lab.

Forensic Workstation

A workstation set up to allow copying forensic evidence, whether on a hard drive, USB drive, CD, or Zip disk. It usually has software preloaded and ready to use.

Hostile Work Environment

An environment in which employees cannot perform their assigned duties because of the actions of others. In the workplace, these actions include sending threatening or demeaning e-mail or a co-worker viewing pornographic or hate sites.

Multi-Evidence Form

An evidence custody form used to list all items associated with a case.

Digital Evidence Specialist (DES)

An expert who analyzes digital evidence and determines whether additional specialists are needed.

International Association of Computer Investigative Specialists (IACIS)

An organization created to provide training and software for law enforcement in the digital forensics field.

Digital Forensics

Applying investigative procedures for a legal purpose; involves the analysis of digital evidence as well as obtaining search warrants, maintaining a chain of custody, validating with mathematical hash functions, using validated tools, ensuring repeatability, reporting, and presenting evidence as an expert witness.

Professional Conduct

Behavior expected of an employee in the workplace or other professional setting.

Repeatable Findings

Being able to obtain the same results every time from a computer forensics examination.

Attorney-Client Privilege (ACP)

Communications between an attorney and client about legal matters are protected as confidential communications. The purpose of having confidential communications is to promote honest and open dialogue between the attorney and the client. This confidential information is not to be shared with unauthorized people.

Network Intrusion Detection and Incident Response

Detecting attacks from intruders by using automated tools; also includes the manual process of monitoring network firewall logs.

Fourth Amendment

Dictates that the government and its agents must have probable cause for search and seizure.

Inculpatory Evidence

Evidence that indicates a suspect is guilty of the crime with which he or she is charged.

Exculpatory Evidence

Evidence that indicates the suspect is innocent of the crime.

Exhibits

Evidence that indicates the suspect is innocent of the crime.

Authorized Requester

In a private-sector environment, the person who has the right to request an investigation, such as the chief security officer or chief intelligence officer.

Search Warrants

Legal documents that allow law enforcement to search an office, a home, or other locale for evidence related to an alleged crime.

Evidence Bags

Nonstatic bags used to transport removable media, hard drives, and other computer components.

Data Recovery

Retrieving files that were deleted accidentally or purposefully.

Warning Banner

Text displayed on computer screens when people log on to a company computer; this text states ownership of the computer and specifies appropriate use of the machine or Internet access.

Verdict

The decision returned by a jury.

Bit-Stream Image

The file where the bit-stream copy is stored; usually referred to as an "image," "image save," or "image file."

Vulnerability/Threat Assessment and Risk Management

The group that determines the weakest points in a system. It covers physical security and the security of OSs and applications.

Search and Seizure

The legal act of acquiring evidence for an investigation.

Line of Authority

The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence.

Digital Investigations

The process of conducting forensic analysis of systems suspected of containing evidence related to an incident or a crime.

Interrogation

The process of trying to get a suspect to confess to a specific incident or crime.

Chain of Custody

The route evidence takes from the time the investigator obtains it until the case is closed or goes to court.

Industrial Espionage

Theft of company-sensitive or proprietary information, often to sell to a competitor.

