Computer Forensics Key Terms


Code Division Multiple Access (CDMA)

A widely used digital cell phone technology that makes use of spread-spectrum modulation to spread the signal across a wide range of frequencies.

Provisioning

Allocating cloud resources, such as additional disk space.

American Standard Code for Information Interchange (ASCII)

A 7-bit coding scheme that assigns numeric values to 128 characters: letters, numerals, punctuation marks, control characters, and other symbols. Extended 8-bit variants (such as code page 437 and ISO 8859-1) use the upper 128 values for additional characters, which is why ASCII is often loosely described as an 8-bit, 256-character code.

MD5

A hashing algorithm that produces a 128-bit digest (written as 32 hexadecimal digits) of a file or of an entire storage medium; comparing digests computed at different times shows whether the data has changed. MD5 is no longer collision resistant, so record a SHA-2 digest alongside it whenever the value must withstand a deliberate attacker.

Layered Network Defense Strategy

An approach to network hardening that sets up several network layers to place the most valuable data at the innermost part of the network.

Volume Control Block (VCB)

An area of the Mac file system containing information from the MDB.

Second Extended File System (EXT2)

An early Linux file system, without journaling.

Whole disk Encryption

An encryption technique that performs a sector-by-sector encryption of an entire drive. Each sector is encrypted in its entirety, so an image made with a static acquisition method is unreadable without the key; a live acquisition of the unlocked volume, or recovery of the key, is needed to examine the contents.

Enhanced Data rates for GSM Evolution (EDGE), also expanded as Enhanced Data GSM Environment

An improvement to GSM technology that enables it to deliver higher data rates.

International Telecommunication Union (ITU)

An international organization dedicated to creating telecommunications standards.

Hierarchical File System (HFS)

An older Mac OS file system, consisting of directories and subdirectories that can be nested; superseded by HFS+ and later by APFS.

Attorney Client Privilege (ACP)

Communication between an attorney and client about legal matters is protected as confidential communication. The purpose of having this is to promote honest and open dialogue between an attorney and client. This confidential information must not be shared with unauthorized people.

Service Level Agreement (SLA)

Contracts between a cloud service provider and a cloud customer. Any additions or changes to an SLA can be made through an addendum.

Computer Generated records

Data that a system produces or maintains automatically, such as system log files or proxy server logs, with no human author for the content. Contrast with computer-stored records.

Spoliation

Destroying, altering, or failing to preserve evidence, whether intentional or the result of negligence.

Computer Stored records

Digital Files generated by a person, such as electronic spreadsheets.

Voir dire

In this qualification phase of testimony, your attorney asks you questions to establish your credentials as an expert witness. The process of qualifying jurors is also called voir dire.

Master Directory Block (MDB)

On older Mac systems (HFS), the location where all volume information is stored. A copy of the MDB is kept in the next-to-last block on the volume. In HFS+ the equivalent structure is the volume header (also referred to as the Volume Information Block, VIB).

National Institute of Standards and Technology (NIST)

The U.S. federal agency (part of the Department of Commerce) that develops standards and guidelines for industry and government; in digital forensics it publishes the SHA hash standards and runs the Computer Forensics Tool Testing (CFTT) program that validates forensic tools.

Subscriber identity module (SIM cards)

Removable smart cards in GSM phones that identify the subscriber to the network (they hold the IMSI and the authentication key used to register). They can also store other data of evidentiary value, such as contacts, SMS messages, and recent call history.

Bit Stream Image

The file where the bit-stream copy is stored; usually referred to as an "image", "image save," or "image file"

Line of Authority

The order in which people or positions are notified of a problem; these people or positions have the legal right to initiate an investigation, take possession of evidence, and have access to evidence.

File Allocation Table (FAT)

The original Microsoft file system structure database. It is written near the start of the volume (on the outermost track of a disk) and records the cluster chain of each file stored on the drive. PCs use the FAT to organize files on a disk so that the OS can find the files it needs. The variants are FAT12, FAT16, FAT32, VFAT (long file name support), exFAT, and FATX.

3g

The generation of mobile phone standards before 4G; it offered more advanced features and faster data rates than the older analog and personal communications service (PCS) technologies.

Data Compression

The process of coding data from a larger form to a smaller form.

Network Forensics

The process of collecting and analyzing raw network data and systematically tracking network traffic to determine how security incidents occur.

Carving

The process of recovering files, or fragments of files, from unallocated space by searching for known file headers and footers (signatures) rather than relying on file system metadata. Used when directory entries have been deleted or the file system is damaged.
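As an added example (not part of the original glossary), the following header/footer carver scans a raw byte buffer for JPEG and PNG signatures and returns every complete span it finds. The "unallocated space" it runs over is constructed inline; the magic bytes are the real JPEG and PNG values, but the carver is generic and any signature can be added to the table.

```python
"""Header/footer file carving over a raw byte buffer (added example).

The buffer below is constructed: two fake JPEGs and one fake PNG embedded in
filler bytes, with no file system metadata describing them, which is exactly
the situation carving addresses.
"""
from dataclasses import dataclass

# name -> (header signature, footer signature); real JPEG/PNG magic bytes
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


@dataclass
class CarvedFile:
    kind: str
    offset: int
    length: int
    data: bytes


def carve(buf: bytes, max_len: int = 1 << 20) -> list[CarvedFile]:
    """Return every header..footer span found in buf, ordered by offset.

    A header with no footer within max_len bytes is treated as a fragment and
    skipped, the conservative choice: no truncated garbage reaches the output.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = buf.find(header)
        while start != -1:
            end = buf.find(footer, start + len(header), start + max_len)
            if end == -1:
                # no footer in range: skip this header, keep scanning
                start = buf.find(header, start + 1)
                continue
            end += len(footer)
            found.append(CarvedFile(kind, start, end - start, buf[start:end]))
            start = buf.find(header, end)
    return sorted(found, key=lambda f: f.offset)


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler around two JPEGs and a PNG."""
    jpg1 = b"\xff\xd8\xff\xe0" + b"JFIF-one" * 4 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
    jpg2 = b"\xff\xd8\xff\xe1" + b"Exif-two" * 8 + b"\xff\xd9"
    filler = b"\x00" * 512
    return filler + jpg1 + filler + png + b"\xaa" * 100 + jpg2 + filler


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        print(f"{f.kind} at offset {f.offset} ({f.length} bytes)")
```

Real carvers add per-format validation (for example, parsing the JPEG segment chain) because a footer can appear inside unrelated data, and because fragmented files need smarter reassembly than a single header-to-footer span.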

False Positives

The results of keyword searches that contain the correct match but aren't relevant to the investigation.

Time Division Multiple Access (TDMA)

The technique of dividing a radio frequency channel into time slots so that several subscribers share it; used by GSM networks. The term also names an older second-generation North American cellular standard that was marketed as personal communications service (PCS).

File Slack

The unused space created when a file is saved. If the allocated space is larger than the file, the remaining space is slack space; it can contain passwords, logon IDs, file fragments, and deleted e-mail left over from earlier files. File slack is the sum of RAM slack (from the end of the file's data to the end of its last sector) and drive slack (the unused whole sectors up to the end of the cluster).

Fact Witness

This type of testimony reports only the facts (findings of an investigation); no opinion is given in court.

Redundant Array of Independent Disks (RAID)

Two or more disks combined into one logical drive, in several configurations for different needs. Some RAID levels (such as RAID 1 mirroring and RAID 5 parity) provide redundancy so that operation continues if one disk fails. Another configuration (RAID 0 striping) spreads data across several disks to improve access speeds for reads and writes.

Cloud Service Providers

Vendors that provide on-demand network access to a shared pool of resources (typically remote data storage or web applications).

Plain View Doctrine

When conducting Search and Seizure, objects in plain view of a law enforcement officer, who has the right to be in position to have that view, are subject to seizure without a warrant and can be introduced as evidence. As applied to executing searches of computers, the plain view doctrine's limitations are less clear.

Infrastructure as a Service

With this cloud service level, an organization supplies its own OS, applications, databases, and operations staff; the cloud provider is responsible only for selling or leasing the underlying hardware (compute, storage, and network).

Software as a service

With this cloud service level, typically a Web hosting service provides applications for subscribers to use.

Limiting Phrase

Wording in a search warrant that limits the scope of a search for evidence.

ISO image

A sector-by-sector image of an optical disc (CD or DVD) stored as a single file; when it contains a boot record it can be written to bootable media and is typically used for installing operating systems. Virtualization software can also attach an ISO image to a virtual machine as its boot disk.

Platform as a service

A cloud service level that provides a platform in the cloud with only an OS (and often a runtime). The customer uses the platform to load their own applications and data. The CSP is responsible only for the OS and the hardware it runs on; the customer is responsible for everything they have loaded on to it.

Lossless compression

A compression method in which no data is lost. With this type of compression, a large file can be compressed to take up less space and then uncompressed without any loss of information.

RAW format

A data acquisition format that creates simple sequential flat files of a suspect drive or data set (the output of dd, for example). Raw images carry no embedded metadata or hash, so the acquisition hash must be recorded separately.

Live acquisition

A data acquisition method used when a suspect computer cannot be shut down to perform a static acquisition. Captured data might be altered during the acquisition because it is not write-protected. Live acquisitions are not repeatable because data is continually being altered by the suspect computer's OS.

Exchangeable Image File Format (Exif)

A file format the Japan Electronics and Information Technology Industries Association (JEITA) maintains as a standard for storing metadata (camera model, timestamps, exposure settings, sometimes GPS coordinates) in JPEG and TIFF files.

write blocker

A hardware device or software program that prevents a computer from writing data to an evidence drive. Software write-blockers on older systems intercept the BIOS interrupt 13h write functions; on modern systems they work as a storage filter driver or by setting the OS's write-protect policy for attached disks. Hardware write-blockers are bridging devices placed between the evidence drive and the forensic workstation, and are preferred because their behavior does not depend on the host OS.

EXT 3

A Linux file system that improved on Ext2, chiefly by adding journaling as a built-in recovery mechanism after crashes.

Partition

a logical drive on a disk. It can be the entire disk or part of the disk.

Host Protected Area (HPA)

An area of a disk drive reserved for booting utilities and diagnostic programs. It is not visible to the computer's OS, so a forensic tool must query the drive directly (with ATA commands) to detect it and include it in the image.

repeatable findings

being able to obtain the same results every time from a digital forensics examination.

STEGO media

in steganalysis, the file containing the hidden message.

Chain of Custody

The documented record of who collected, handled, transferred, and stored a piece of evidence, when, and why, from seizure through analysis to presentation in court. An unbroken chain is what lets a court accept that the evidence is the same item originally collected and has not been altered.

Deposition Banks

libraries of previously given testimony that law firms can access.

Sparse Acquisition

Like a logical acquisition, this data acquisition method captures only specific files of interest to the case, but it also collects fragments of unallocated (deleted) data.

Data recovery

retrieving files that were deleted accidentally or purposefully.

Clusters

Storage allocation units composed of groups of sectors. Cluster sizes are a power-of-two multiple of the sector size; typical values run from 512 bytes through 4096 bytes (the NTFS default) up to 64 KB on large FAT32 volumes.

4g

The generation of mobile phone standards that followed 3G, with technologies (such as LTE) that improved data rates and reliability.

Discovery Deposition

the opposing attorney sets the deposition and often conducts the equivalent of both direct and cross-examination. A discovery deposition is considered part of the discovery process.

Conflicting Out

the practice of opposing attorneys trying to prevent you from testifying by claiming you have discussed the case with them and, therefore, have a conflict of interest.

Acquisition

The process of creating a duplicate image of data; one of the required functions of digital forensics tools.

Extraction

the process of pulling relevant data from an image and recovering or reconstructing data fragments; one of the required functions of digital forensics tools.

File system

the way files are stored on a disk; gives an OS a road map to data on a disk.

Logical Acquisition

This data acquisition method captures only specific files of interest to the case, or specific types of files, such as Outlook .pst files.

Expert witness

this type of witness reports opinions based on experience and facts gathered during an investigation.

Drive Slack

Unused space in a cluster between the end of the last sector an active file occupies and the end of the cluster. It can contain deleted files, deleted e-mail, or file fragments from whatever previously occupied those sectors. Together, RAM slack and drive slack make up file slack.
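The cluster, file slack and drive slack entries above describe the same arithmetic; as an added example (not glossary material), the script below computes RAM slack, drive slack and total file slack for a given file size, then writes a short file into a constructed cluster that previously held an old e-mail fragment and shows what an examiner would find in each slack region. Sector and cluster sizes are parameters; the 512-byte sector and 4096-byte cluster defaults are typical NTFS values.

```python
"""Slack-space arithmetic and a constructed cluster showing what survives.

Added example; not part of the original glossary. Sizes are parameters; the
512-byte sector / 4096-byte cluster defaults are typical for NTFS.
"""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class SlackReport:
    clusters: int      # allocation units the file consumes
    allocated: int     # bytes reserved on disk for the file
    ram_slack: int     # end of file data to the end of its last sector
    drive_slack: int   # unused whole sectors to the end of the last cluster
    file_slack: int    # ram_slack + drive_slack (allocated - file size)


def slack_for(file_size: int, sector: int = 512, cluster: int = 4096) -> SlackReport:
    """Compute slack for a file of file_size bytes. A zero-length file owns no
    clusters here (true for FAT; NTFS would keep it resident in the MFT)."""
    if sector <= 0 or cluster <= 0 or cluster % sector:
        raise ValueError("cluster size must be a positive multiple of sector size")
    if file_size < 0:
        raise ValueError("file_size must be non-negative")
    clusters = math.ceil(file_size / cluster)
    allocated = clusters * cluster
    tail = file_size % sector
    ram_slack = 0 if tail == 0 else sector - tail
    file_slack = allocated - file_size
    return SlackReport(clusters, allocated, ram_slack, file_slack - ram_slack, file_slack)


def write_into_cluster(old: bytes, data: bytes, sector: int = 512,
                       zero_fill: bool = True) -> bytes:
    """Model an OS writing `data` at the start of a cluster that held `old`.

    Whole sectors are written. Modern systems zero-fill the tail of the last
    sector (zero_fill=True); zero_fill=False models the legacy behaviour that
    gave RAM slack its name, padding the tail with whatever was in memory,
    represented here by constructed stand-in bytes."""
    if len(data) > len(old):
        raise ValueError("data does not fit in one cluster")
    end = math.ceil(len(data) / sector) * sector
    pad = b"\x00" * (end - len(data)) if zero_fill else (b"[mem]" * sector)[: end - len(data)]
    return data + pad + old[end:]   # sectors past `end` are never rewritten


def slack_bytes(cluster_image: bytes, file_size: int, sector: int = 512) -> tuple[bytes, bytes]:
    """Split one cluster image into (ram_slack, drive_slack) bytes after a
    file of file_size bytes was written at its start."""
    end = math.ceil(file_size / sector) * sector
    return cluster_image[file_size:end], cluster_image[end:]


def demo() -> tuple[SlackReport, bytes, bytes]:
    """A 100-byte file overwrites a cluster that held a deleted e-mail."""
    old = (b"From: alice@example.test Subject: DELETED MAIL " * 200)[:4096]  # constructed
    new_file = b"N" * 100
    after = write_into_cluster(old, new_file)
    ram, drive = slack_bytes(after, len(new_file))
    return slack_for(len(new_file)), ram, drive


if __name__ == "__main__":
    report, ram, drive = demo()
    print(report)
    print("RAM slack is all zeros:", ram == b"\x00" * len(ram))
    print("drive slack still holds old mail:", b"DELETED MAIL" in drive)
```

The point the demo makes: the file's own write only touches the sectors it needs, so the seven untouched sectors of drive slack still carry the previous occupant's data until the cluster is reused, which is why slack must be included in a forensic image and excluded from a logical copy.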

LOSSY compression

A compression method that permanently discards bits of information in a file. The removed bits of information reduce image quality.

SHA-1

A hashing algorithm, designed by the NSA and published by NIST as a federal standard, that produces a 160-bit digest used to determine whether data in a file or on storage media has been altered. Practical collision attacks against SHA-1 have been demonstrated, so SHA-256 is preferred for new work.
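The MD5 and SHA-1 entries both come down to the same workflow: compute a digest at acquisition, record it, and recompute it later to prove nothing changed. As an added example (not part of the glossary), the script below streams a file through MD5, SHA-1 and SHA-256 in a single pass, checks the hashing routine against the published digests of the empty input, and then flips one bit in a constructed sample image to show that every digest changes. Paths and file contents are constructed for the demonstration.

```python
"""Hash verification for an acquired image (added example, not glossary code).

Streams the file through MD5, SHA-1 and SHA-256 in one pass so a large image
is read only once, then flips a single bit in the sample to show that every
digest changes. The sample image contents are constructed.
"""
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")

# Published digests of the empty input; used as a known-answer check that the
# hashing routine itself is trustworthy before it is used on evidence.
EMPTY_INPUT_DIGESTS = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict[str, str]:
    """Return hex digests for every algorithm in ALGORITHMS, reading once."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path: str, expected: dict[str, str]) -> dict[str, bool]:
    """Compare each recorded digest with a fresh computation (case-insensitive)."""
    actual = hash_file(path)
    return {name: actual[name].lower() == digest.lower() for name, digest in expected.items()}


def known_answer_check() -> bool:
    """Hash an empty file and compare against the published values."""
    with tempfile.TemporaryDirectory() as tmp:
        empty = os.path.join(tmp, "empty.bin")
        open(empty, "wb").close()
        return all(verify(empty, EMPTY_INPUT_DIGESTS).values())


def flip_bit(path: str, byte_offset: int, bit: int) -> None:
    """Toggle one bit in place; stands in for any change to the evidence."""
    with open(path, "r+b") as fh:
        fh.seek(byte_offset)
        original = fh.read(1)
        fh.seek(byte_offset)
        fh.write(bytes([original[0] ^ (1 << bit)]))


def demo() -> dict:
    """Acquire, record digests, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence.dd")   # constructed sample image
        with open(image, "wb") as fh:
            fh.write(b"constructed sector data " * 4096)   # 96 KiB of filler
        recorded = hash_file(image)             # what goes in the acquisition log
        before = verify(image, recorded)        # a faithful copy verifies
        flip_bit(image, 50_000, 0)              # one bit changed anywhere...
        after = verify(image, recorded)         # ...and every digest fails
        return {"recorded": recorded, "verify_before": before, "verify_after": after}


if __name__ == "__main__":
    print("known-answer check:", known_answer_check())
    result = demo()
    for name, digest in result["recorded"].items():
        print(f"{name}: {digest}")
    print("before tamper:", result["verify_before"])
    print("after tamper:", result["verify_after"])
```

Recording all three digests costs one extra pass of CPU work at acquisition time and means the record stays useful even if a reviewer only trusts the SHA-256 value; a mismatch on any one of them is grounds to treat the copy as unverified.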

Scientific Working Group on Digital Evidence (SWGDE)

A group that sets standards for recovering, preserving and examining digital evidence.

Fourth Extended File System (EXT 4)

A linux file System that added support for partitions larger than 16 TB, improved management of large files, and offered a more flexible approach to adding file system features.

American Society of Crime Laboratory Directors (ASCLD)

A national society that sets the standards, management, and audit procedures for labs used in crime analysis, including digital forensics labs used by the police, FBI, and similar organizations.

Affidavit

A notarized document, given under penalty of perjury, that investigators create to detail their findings. This document is often used to justify issuing a warrant or to deal with abuse in a corporation. Also called a "declaration" when the document is unnotarized.

Encrypting File System (EFS)

Public/private key encryption for individual files and folders, first included in Windows 2000 for NTFS-formatted disks. Each file is encrypted with a symmetric file encryption key (FEK), and the FEK is in turn encrypted with the user's public key, so only the holder of the matching private key (or a configured recovery agent) can decrypt the file.

Global System for Mobile Communications (GSM)

A second-generation cellular network standard; historically the most widely deployed cellular network technology in the world.

Order of Volatility (OOV)

The sequence in which evidence should be collected, most volatile first, based on how long each item persists: CPU registers and caches, then RAM, running processes, and network connections (which may last only milliseconds to minutes), then items stored on hard drives, which can last for years.

Electrically erasable programmable read-only memory (EEPROM)

A type of nonvolatile memory that can be reprogrammed electrically, without having to physically access or remove the chip.

Telecommunications Industry Association (TIA)

A U.S. trade association representing hundreds of telecommunications companies that works to establish and maintain telecommunications standards.

Deprovisioning

Deallocating cloud resources that were assigned to a user or an organization.

Discovery

Efforts to gather information before a trial by demanding documents, depositions, interrogatories (written questions answered in writing under oath), and written requests for admissions of fact.

Virtual Machine

An emulated computer environment that simulates hardware and can be used for running an OS separate from the physical (host) computer.
