Computer Forensics Glossary
Note: The terms are given in English, the language in which they were formed and evolved, in order to avoid misunderstandings. The terms in this glossary refer to the context of Computer Science and Digital Forensics; they may have other uses in different contexts.
Acquisition: The stage in a computer forensic investigation wherein the data involved is collected. Often the means used is a bit-by-bit copy of the hard disk or other media in question.
Active Files, Active Data: Data on a computer that is not deleted and is generally accessible and readily visible to the user under normal use.
Allocated space / sector / block: The logical area on a hard disk or other media assigned to a file by the Operating System (See Unallocated).
Allocation Block: (see block, cluster): A contiguous group of sectors, which is the smallest amount of space assigned to a file by an operating system such as Microsoft Windows.
Ambient Data: The converse of active data. Ambient data is information that lies in areas not generally accessible to the user. This data lies in file slack, unallocated clusters, virtual memory files and other areas not allocated to active files.
Application: Commonly known as a Program, or (sometimes) Software. The software used to access and create files or documents. Microsoft Word and Corel WordPerfect are applications that work with word processing documents. Microsoft Excel and Lotus 1-2-3 are applications that work with spreadsheets.
Archival data: Often backups, archival data is generally kept on another media, such as on tape or CD, and is often compressed. Such data is not usually immediately available to the user and may need to be restored from the archival media to be accessed.
ASCII: Stands for “American Standard Code for Information Exchange.” Pronounced “Ass-key.” Often referred to as “ASCII text.” ASCII assigns a numerical code for each character on a keyboard; hence ASCII text is often comprehensible to humans without much interpretation.
Attribute: See File Attribute.
Audit Trail: A chronological record of system activities on a computer or network security system that may keep track of user actions such as logins, file access, and other activities.
Back door: A means of accessing or controlling a computer that bypasses normal authentication, while remaining hidden from the casual user. A backdoor may be a program that has been installed surreptitiously, or may be a hidden function of a legitimate program.
Backdoor Trojan: A generic name for Trojan horse programs that open a backdoor and allow an unauthorized user remote access to a computer.
Backup: A copy of data that is kept as an emergency measure against data loss in a system or media failure, and/or for the purpose of keeping archival data. Backups may be compressed or encrypted, and are usually kept separate from the system containing the active version of the data that is being backed up.
Backup Server: A computer on a network that is designed to be used to back up data from other computers on the network. A Backup Server may also be used as a File Server, a Mail Server or as an Application Server.
Backup media: The media on which backup data is kept. May be almost any form of media, such as tapes, CD-ROM, DVD, external hard disks, floppy diskettes, magneto-optical disks, WORM disks, Zip disks, Jaz disks, and many others.
Bit: The smallest unit of data, consisting of a zero or a one, stands for “binary digit.”
Bitstream or bit-by-bit copy: A copy of every consecutive sector on a hard disk or other media, without regard to allocation of data. Sometimes confused with mirroring.
Block: An allocation block, as referred to in the Macintosh Operating System.
Browser: See web browser.
Buffer: An area of memory used to temporarily hold data. May be written to a buffer file.
Buffer file: A file written from data in a buffer.
Burn: The process of creating a CD-ROM or DVD.
Byte: Eight consecutive bits. The unit in which computer storage and computer memory is measured. The amount of data necessary to make a single character (such as a letter or a number) of data. Part of the words kilobyte (KB), megabyte (MB), gigabyte (GB), terabyte, petabyte.
Cache: French for “hide.” A storage area where frequently accessed data may be kept for rapid access. There are three main types of cache: disk cache, memory cache, and program cache. See these entries for further explanation.
CD-ROM: Stands for Compact Disk – Read Only Memory. A plastic disk able to hold approximately 650MB to 700MB of data. A common storage medium for data.
Chain of Custody: As in other fields, a record of the chronological history of (electronic) evidence.
Cluster: Also known as allocation blocks, a cluster is a contiguous group of sectors that is the smallest amount of space assigned to a file by an operating system such as Microsoft Windows. Clusters generally range in size from 4 sectors to 64 sectors.
Compressed file, zipped file: A file that has been encoded using less space than the original file in its uncompressed state. A zipped file may contain more than one compressed file.
Computer Forensics: A practice and methodology that may involve any or all of the following: electronic imaging; electronic discovery; forensic analysis of discovered information; preparation of information in a manner useful to the client or court; presentation of findings to the client or attorney, such as in written, oral and/or electronic reports; and testimony in a court of law, when necessary, by an expert witness, including deposition and jury trial.
Cookie: In Internet or browser usage, a small file accessed by a web browser and written to the user’s computer. A shortened form of the term, “magic cookie,” cookies are used for tracking, authenticating, and maintaining information about users, generally to ease interaction between a website and a user. Cookies stored on a user’s computer often contain the times and dates that the user accessed a given website.
Corrupt Data, Corrupt File: A file that is damaged. Damage may have occurred inadvertently during transmission, copying, through operating system error, physical damage to the media on which the data was stored, or through other means.
Data: Information stored on a computer that is not part of a program.
Default: A setting or value automatically assigned without user intervention.
Deduplication (“De-duping”): A process performed on a collection of data from multiple sources, whether from several files, several different locations or computers, or from within a collective email file. The process is designed to yield one unique copy of any given record, file, or email.
Delete: To cause a file or email to move from an active or live state to an ambient state, usually performed by moving a file to the trash or recycle bin on a computer, or by selecting a file and then pressing the delete [Del] key. Deleted files, while generally not removed from the computer until overwritten, are nonetheless invisible to the user.
Desktop (1): In a Graphical User Interface (GUI), such as Windows or the Macintosh OS, the view of files and folders visible before a user opens any windows. The desktop is actually a graphic view of an invisible folder stored on the computer’s hard disk.
Desktop (2): A desktop computer.
Desktop computer: A stand-alone computer that is generally designed to be connected to a keyboard and monitor (although some desktop computers, such as the Macintosh iMac, have the monitor integrated), as distinct from a laptop, and from a Server.
Directory: A hierarchically arranged listing of files stored on a hard disk or other media. The topmost directory is the root directory. Subsequent directories nested within the root directory are called subdirectories. In a GUI, a directory appears as a file folder.
Disk: Generally a hard disk. Floppy diskettes are often referred to as disks.
Disk cache: RAM used to speed up access to stored data. May be part of a computer’s RAM, or may be RAM integrated into the disk drive itself.
Disk Mirroring: Data copied to another hard disk or to another area on the same hard disk in order to have a complete, identical copy of the original.
Dot: A period that is used as part of a filename, or as part of a Web address. It is pronounced “dot.” For instance, a file named “glossary.doc” would be spoken as “glossary dot doc.” Similarly, a web address, such as www.yahoo.com would be spoken as “W-W-W dot yahoo dot com.”
Download: The transfer of data between two computers, generally over a network. One may download a file from the Internet, for instance. Commonly used as a misnomer for “copy.” For instance, a common mistake is to say that one downloaded a file from a diskette, when a file is copied (not downloaded) from a diskette.
E-mail: Electronic mail. Messages transmitted over a computer network or networks, directed to a given user, either individually or in bulk. Email may be stored in a largely text format, or in an encrypted form. Microsoft Outlook stores email messages in an encrypted file; most other email programs store messages primarily as text.
Encryption: A process to render a file unreadable to unauthorized persons or devices.
Exabyte: 1024 Petabytes
Extension, File Extension: Part of a file’s name, usually following a “dot,” or period, in the file name. Some operating systems, such as Microsoft Windows, depend on the extension to know what program is used to open the given file. Microsoft Word documents, for instance, have “.doc” as their extension.
Filename: The name of a file. Sometimes refers to the name of a file minus its extension.
File Attribute: Properties associated with a file that are kept with the file directory listing. Such attributes include the date and time the file was last accessed, created, or modified.
File Server: A computer on a network that is used to store files from and for multiple users on the network. A file server may also be used as an Application Server, a Backup Server, or as a Mail Server. May be used as a backup for the computers on the network.
File signature: Information contained within a file that identifies its type, even though the file’s extension may have been altered.
File slack: Information at the end of a cluster that has not been completely filled or overwritten by a file. The file may end before the end of the cluster, hence the cluster may contain data from a previous file.
Floppy diskette, floppy: A square-shaped enclosure holding a rotating flexible plastic magnetically coated disk used for data storage. At this writing, the 8″ and 5.25″ variety of floppy diskette is obsolete, and the 3.5″ variety is approaching obsolescence. The most common floppy diskettes hold 1.44 MB of data.
Folder: in a GUI, a folder is the representation of a directory and may contain files and other, nested folders.
Forensic copy: See Forensic Image.
Forensic image: A forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Such copies include unallocated space, slack space, and boot record. A forensic image is often accompanied by a calculated Hash signature to validate that the image is an exact duplicate of the original.
GIF: A common format for storage of digital images. An acronym for Graphic Interchange Format. Pronounced “Jiff.” GIFs have the file extension “gif.”
Gigabyte (GB): 1024 megabytes (MB), or 1,048,576 KB, or 1,073,741,824 bytes. Often considered (incorrectly) to be one billion bytes.
GUI: Graphical User Interface. An image and icon-based interface designed to make manipulation of computer data easy. Common GUIs are Microsoft Windows and the Macintosh OS.
Hard disk: Currently the primary storage medium for data on most computers. It consists of a sealed chassis containing a rapidly spinning metal-coated platter, or stack of platters, that are magnetically encoded as data is written to them by enclosed magnetic read/write heads.
Hash, hash value: A hash is a number generated from a string of text. A hash value may be generated for a single file, or for an entire hard disk. A matching hash virtually guarantees that a copy is identical to the original. It does not absolutely guarantee this.
HTML: An authoring language, written in text, that is used to create documents for access on the World Wide Web. Such documents may be web pages, or otherwise enhanced documents or email messages. Stands for Hypertext Markup Language.
Instant Messaging: Abbreviated as IM. A text-based electronic communication in real time. It is similar to a telephone call in its immediacy; it is different in that it is generally text-based.
IP Address: An electronic identifier for a specific computer or device on the World Wide Web or other (internal or external) electronic network using the TCP/IP protocol. An IP address is a series of four numbers separated by periods (“dots”); each number is a value from 0 to 255. An example could be 192.168.55.207. “IP” stands for “Internet Protocol.”
ISP: Internet Service Provider. A provider of access to or connection to the Internet. Some large ISPs include Earthlink, Yahoo, Roadrunner, SBC Global.
JPEG: A common format for storage of digital images. An acronym for Joint Photographic Experts Group. Pronounced “jay-peg.” JPEGs have the file extension “jpg.”
Keylogger: A program or device designed to keep a record of the keys typed on a computer. May be used for monitoring, or espionage, such as to collect passwords. Some keyloggers may be accessed remotely.
Keyword search: A common technique used in computer forensic and electronic discovery, a keyword search is usually performed to find and identify every instance on a computer or other media of a given word or phrase, even if said word or phrase occurs in unallocated space or in deleted files.
Kilobyte (KB): 1024 bytes. Used to measure both storage and memory. Often considered (incorrectly) to be one thousand bytes.
Log files, or logfile: A record kept by many applications and operating systems of various activities by saving to a file – the logfile.
Mail Server: A server on a network that processes incoming and outgoing electronic communications, especially email. A mail server generally has security policies in place to allow only authenticated users access to given email communication. The mail server may store a copy of users’ data in various forms, or may not store copies of users’ data. A mail server may be utilized for multiple functions, including as a File Server, Application Server, or Backup Server.
Megabyte (MB): 1024 Kilobytes (KB), or 1,048,576 bytes. Often considered (incorrectly) to be one million bytes.
MAC dates: File attributes in the Windows operating system. The MAC dates are the date a file was last Modified, last Accessed, and Created.
Master File Table, or MFT: In an NTFS file structure (used in most versions of Windows from 1993 to 2014, so far), the MFT contains substantial metadata about all files in a given volume, including file physical locations, MAC dates (times), file permissions, file size, the file’s parent directory, entry modification time, and at times, the entire content of small files.
Memory Cache: Also known as RAM cache, it is high-speed memory designed to store frequently accessed or recently accessed data for quick use. On the Macintosh, RAM cache may also be disk cache.
Native format, native environment: The original configuration or program in which a file or other data was produced.
Network: A group of computers electronically linked so as to be able to share files or other resources, or for electronic communication. The World Wide Web is a particularly large network.
NTFS: New Technology File System. An operating system developed by Microsoft and released in 1993 with Windows NT 3.1. It has subsequently been used in versions of Windows through Windows 8.1. Previous versions of Windows had been dependent on the DOS operating system.
Operating System, OS: The suite of programs that allow a computer to operate. The OS controls signals from and to input devices (such as mouse, keyboard, microphone), peripherals (such as hard disks, CD-ROM drives, and printers), output devices (such as monitors and speakers) and performs the basic functions needed for a computer to operate. Common operating systems include Windows XP, Macintosh OS X, and Linux.
Page File: See Windows Swap File
Partition: A logical delineation on a disk drive such that a single drive acts as two smaller disk drives.
PDA: Personal Digital Assistant. A handheld device that may have multiple functions, one of which usually involves electronic data. PDAs may contain programs, data files and storage, a digital camera and associated storage, a telephone and associated address / phone book, and other data.
PDF: An Adobe Acrobat document. A common format for graphic and text files that is not easily altered. Stands for Portable Document Format.
Petabyte: 1024 Terabytes, or 1,125,899,906,900,000 bytes – a bit more than a quadrillion bytes
Program: Also known as an Application, or (sometimes) Software. The software used to access and create files or documents. Microsoft Word and Corel WordPerfect are applications that work with word processing documents. Microsoft Excel and Lotus 1-2-3 are applications that work with spreadsheets.
Protocol: An agreed-upon standard format for communicating, connecting, or transferring data between two computers or devices. There are many communications protocols, such as TCP (Transmission Control Protocol).
RAM: Random Access Memory. Computer chips that store digital data in electronic form.
Sector: The basic and smallest unit of data storage on a hard disk or other electronic media. Generally consists of one contiguous area able to hold 512 bytes of data.
Server: A computer on a network that shares data with other computers on the network.
Shadow Volume: Also known as Shadow Copy, Volume Snapshot Service, Volume Shadow Copy Service, or VSS. It is included with Microsoft Windows and makes automated backup copies of some files and operating system components from time to time on NTFS-based computers.
Software: Anything that can be stored electronically. Includes programs, files, and data.
Spoliation: Intentional, negligent, or accidental destruction or alteration of evidence.
Standalone: A computer that is not connected to a network.
Steganography: A means of writing hidden messages such that only the intended recipient knows of their existence. A modern example is replacing a few pixels of a digital image with a digital message. The slight change in the image may be unnoticeable to a person who does not know where in the image to look. Older forms of Steganography, which means “covered writing” in Greek, date back more than 2,000 years.
TCP/IP: A suite of communications protocols used to allow communication between computers on a network, such as on the Internet. Stands for Transmission Control Protocol / Internet Protocol.
Terabyte: 1024 Gigabytes, or 1,099,511,627,800 bytes – a bit more than one trillion bytes.
Unallocated: The area on a hard disk or other media that is not (or is no longer) assigned to a file by the Operating System. May contain intact deleted files, remnants thereof, or other data.
User: A common term for the person using a computer, also referred to as an End User.
Web Browser: Often simply referred to as “browser.” A program used to find and display web pages. Popular browsers as of this writing are Microsoft Internet Explorer (often abbreviated as “Explorer”), Netscape Navigator, Mozilla Firefox, and Apple Safari.
Windows Swap File: Also known as the Page file, or pagefile.sys. A virtual memory file used by Microsoft Windows as a kind of scratch pad during most operations. The Swap file is usually quite large and often contains records of operations or remnants of files not found elsewhere.
World Wide Web: A system of servers connected through the Internet that support HTML documents.
Yottabyte: 1024 zettabytes.
Zettabyte: 1024 exabytes.