Google’s multi-platform operating system. It is designed to work on anything from phones to computers to smart TVs. Due to its open-source nature and generous licencing requirements, it has been shipped on over 75% of smartphones since the start of 2013.
A Linux based command line tool allowing the examiner to send various commands from PC to mobile device, as well as extracting data from it.
A court order that allows the plaintiff to search and inspect the defendant’s premises as well as seize evidence (i.e. computer hard drives) without prior notice. This injunction is essentially a “civil search warrant” and is only granted when the plaintiff can convince the court that critical evidence would be otherwise destroyed.
The process of making an additional copy of data so that in case of a data loss, there is still access to the copy of the data. It is crucial to back-up important data regularly as all digital storage media is prone to fail at some point.
Sectors of a hard disk drive that cannot be used properly and thus cannot reliably hold data.
Unique RAID configuration used in Drobo storage devices.
Numeral system that is composed of two symbols, usually 0 and 1. This is the most fundamental language a computer understands and knows to interpret.
Are stored in the boot sectors of a hard disk so when you start up the computer the virus is ready to "attack".
Temporary storage of information that a computer can use to rapidly access data instead of re-computing the original data.
The amount of information that a digital storage device can store once it is formatted. The majority of hard drive companies calculate disk capacity based on the notion that 1 megabyte is equal to 1000 kilobytes and 1 gigabyte is equal to 1000 megabytes. However, the real capacity of a hard disk drive is normally less than what is officially claimed.
A legal term referring to the chronological documentation of the whereabouts of evidence during a digital forensics analysis. The chain of custody must be carefully recorded for evidence to be legally admissible.
A value representing the sum of the correct binary digits in a piece of stored digital data, used to ensure data is transmitted or stored without error.
This data recovery procedure refers to the removal or de-soldering of the NAND memory chip from a motherboard in order to read from it directly. This procedure is implemented on flash based devices when the device is too damaged to be accessed through standard techniques. A chip-off procedure is highly specialized and should only be performed by experienced engineers as, otherwise, irreversible chip damage can be easily caused.
Refers to a dust-free environment where all invasive data recovery procedures should ideally be performed to avoid any potential surface contamination.
A general term for the practice of using remote servers over the internet to store and process data, as opposed to using a local server or a PC.
When a malicious act, internal or external, seeks to exfiltrate data from a company. This can be accomplished by malware, social engineering, hacking, or even an employee.
Any Criminal Code offense that involves a computer (including devices like smartphones) in the commission of the crime.
Digital forensics specifically for computers.
A decree from a court or judge compelling a person to do or not do something.
Hardware or software failure that causes data to be lost and/or the computer to malfunction.
A synonym for information.
The retrieval of data stored on damaged or inaccessible digital storage media (i.e. hard drive, memory card, RAID, USB flash drive, SSD, etc.).
The central directory of the user interface. Desktops normally contain icons that represent links to the hard drive ("My Computer"), a network, and a trash/recycling bin for recently deleted files.
Pieces of data that can be used by a digital forensic analyst to piece together useful information about an issue that needs answers. Digital artifacts on their own typically hold no evidentiary value until combined with other artifacts and analyzed by a digital forensic analyst in an expert report.
Forensics relating specifically to digital technologies as opposed to traditional forensic disciplines like fingerprinting. Digital technology includes computers, smartphones, and more. Forensics is applied when evidence needs to be collected for a legal process of some kind.
Refers to the reinitializing of a hard disk drive, which erases all previous data stored on it.
An identical drive to the faulty one used for parts.
External storage hardware system that is a type of a RAID, developed by Data Robotics.
Digital Video Disc that is capable of storing and playing both audio and video files.
The process in which electronic data is sought, located, and searched for evidence gathering for a civil or criminal legal case.
A comprehensive forensic software developed by Guidance Software, that acquires and analyzes digital evidence.
The process of encoding data for data security purposes. The locked data requires a digital key to read it.
The main deliverable of a forensic analysis. This report contains all the information required to answer the questions that the client asked. In addition to the main conclusions, an expert report usually includes a detailed account of the procedure followed to find the results, descriptions of the tools used, and sometimes lengthy logical analyses of the legal situation from the lens of the expert’s professional experience. Special attention must be paid to following the rules of the court likely to hear the case. Each provincial court, each superior court, and the Federal Court has different rules about what must go in an expert report and how the expert may have to be made available for cross-examination in person.
Someone that gives an opinion on facts that concern an issue outside the experience and knowledge of the trier-of-fact (the judge or jury). The expert must have peculiar knowledge in the matter. Experts are expected to be completely neutral and must refrain from advocating for one side or the other.
File Allocation Table. An area that contains the records of all files and directories in a FAT-formatted hard disk drive. The operating system requires this information to access the files and define the data cluster's chain. There are FAT32, FAT16 and FAT versions. The FAT file system was created by Microsoft and is supported by almost all operating systems for personal computers.
Writing over existing files which in turn erases the original data.
The process of recovering deleted or damaged files from a digital storage device.
A method for storing and organizing computer files and the data they contain.
Are stored in program files so when you run the infected application, the virus code attacks.
An information technology security program which protects a computer from access by unauthorized users via the Internet.
Apple computer's brand name for high speed data transfer (up to 400 million bits per second).
Software (a set of instructions) programmed on a hardware device. It is essentially the "brain" of the hard drive.
A detailed report prepared by a forensics examiner following a forensics analysis.
A confirmable procedure for a sector-by-sector overwriting of a defined area of digital media in order to process a completely new case file with digital evidence. The purpose of this process is to prevent cross-contamination of data.
Copyrighted software made by programmers which is available for public use free of charge. The idea behind freeware is a genuine willingness to assist people.
File Transfer Protocol. A format used for transferring files between computers.
A digital storage device that stores encoded data.
A numerical value of data generated by a mathematical algorithm. Hash values are commonly used in forensics applications to authenticate the integrity of digital evidence.
A detrimental type of a mechanical hard disk failure, when the read-write head of a hard disk drive comes in contact with its rotating platter(s).
AKA ATA is a standard electronic interface used between a computer motherboard's data paths or bus and the computer's disk storage devices.
The point of interconnection that allows an interaction. Cables are hardware interfaces that allow interaction between a computer and a power source, whereas an operating system is an example of a software interface that allows communication between different applications.
Apple’s iPhone operating system. As with many Apple products, iOS is designed only to be installed on Apple iPhones. Due to being restricted to only one company’s phones, the use of iOS has been steadily decreasing since it peaked at 21% of phones shipped at the end of 2012.
A document presented by the police to a judge arguing their need for a court order to search a suspect’s premises or digital device(s).
While this is technically an acronym for Joint Task Action Group, this term colloquially refers to a standardized set of electrical contacts inside a device that allow for direct hardware access. With the right tools, a computer can be connected to the JTAG contacts on a microelectronics board to access the board’s hardware with a standard command interface. For data recovery and digital forensics, JTAG may allow for the extraction of data when flash-based devices are otherwise physically inaccessible.
A UNIX® like, open-source operating system developed by Linus Torvalds. Linux is a classic example of free software that can run on both PCs and Macintoshes.
A file that tracks and records the events and actions of an operating system or other applications.
An operating system with a graphical user interface, developed by Apple® for Macintosh® computers.
Malicious software intended to penetrate a computer to steal personal information.
Physical damage to a hard drive such as read/write head failure, failed spindle motor, platter damage, and so on.
A small memory card, created by Sony, used as storage for photos.
The information embedded within a file, which provides specific information about the various parameters of the file. The typical types of information the metadata contains are the locations of the file, times, and permissions.
IBM/Hitachi mini hard disk drive for digital cameras and PDA devices.
A sub category of digital forensics relating to the acquisition and analysis of digital evidence from a mobile device.
Flash-based media where the controller and memory chips are in a solid block.
A freeware relational database management system (RDBMS) based on Structured Query Language (SQL).
A type of non-volatile storage technology that does not require power to retain data.
A set of computer programs that controls the hardware and software resources of a computer. The most common operating systems these days are Windows, Macintosh, UNIX, and Linux.
The division of a hard disk into separate sections. Each partition appears as a separate, independent hard drive, which makes it convenient for those running multiple operating systems.
Acronym for a Printed Circuit Board, referring to a thin electrical plate that holds chips and other electronic components.
The work performed directly on a damaged storage device. The idea is to bring the device to a temporary working order in order to gain access to it and ultimately extract data from it.
Acronym for Redundant Array of Inexpensive/Independent Drives (or disks). The idea behind RAID is to spread data across multiple hard drives that act as one while keeping some redundancy so in case of one of the drives failing, the data remains intact. There are different levels of RAID systems (RAID-0,1,2,3,4,5, 6, 10, 0+1, Drobo, etc.).
A type of RAID that stripes data across multiple disks. RAID-0 is a widely used RAID configuration that is known for its speed. However, RAID 0 is very risky in case of a failure. If one of the hard drives crashes, all of the data is at risk.
Fault Tolerance (Widely Used) - Uses disk mirroring, which duplicates the entire data. RAID 1 is extremely reliable in terms of data protection and, therefore, commonly used for business purposes.
Speed and Fault Tolerance - Data is striped at the byte level across three or more hard disk drives. RAID-5 configuration is known for performance as well as fault tolerance and is commonly used in servers.
Random Access Memory. One of two basic types of information storage used by computers. The operating system, various segments of programs, and data in current use are stored in the RAM so they can be quickly accessed by the computer's processor. Nevertheless, the data in RAM is kept there only as long as the computer is running. When the computer is turned off, the RAM loses its data.
Serial ATA (Serial Advanced Technology Attachment) is a standard interface for connecting hard drives into computer systems.
A standard for physically connecting and transferring data between multiple peripheral devices.
The smallest accessible part on a hard disk drive, which is essentially a sub-category of a track. Each sector can store a fixed amount of data.
A tiny memory card used to make digital media storage portable among various devices, such as GPS, cellular phones, and cameras.
A computer that shares software and information with other computers connected by a network.
The area on the platter that contains the translator table as well as other important information regarding the drive.
A memory card standard owned by Toshiba.
A cellular phone with a hand-held computer, usually offering Internet access, email capability, data storage, text messaging, etc.
Software containing errors.
A specific type of flash-based digital storage device without moving mechanical components. This distinguishes them from traditional electromechanical magnetic disks such as hard disk drives, which contain spinning disks and movable read/write heads. Compared with electromechanical disks, SSDs are typically more resistant to physical shock, run silently, and are much faster. However, data recovery from SSDs is normally significantly more complex.
A high-precision, small motor on which the hard drive disk platters are mounted and rotate.
A standardized query language for requesting information from a database, originally called SEQUEL (structured English query language) and built by IBM in 1974. SQL was first presented to the market as a commercial database system by Oracle in 1979.
A portable computer with a touch-screen interface, battery, and circuitry in a single unit.
A unit of computer storage capacity that is equal to one thousand gigabytes.
Is not exactly a virus but a program that contains malicious programs. It is disguised as something innocent, such as an email or a game.
A powerful operating system first developed by AT&T. This operating system is hardware independent and known as extremely reliable.
A plug-and-play industry standard connecting between a computer and add-on devices, such as keyboards, cameras, scanners, and printers. USB devices are very conveniently connected to a computer as there is no need to turn off or restart the computer. You may connect the USB while the computer is running.
The extension of USB 1.1, supporting data rates up to 480Mbps.
AKA Super Speed USB, is the latest version of the Universal Serial Bus standard which supports data transfer speed of up to and beyond 5GB/s (gigabytes per second).
An emulation of a specific computer system that runs a dedicated OS on shared physical hardware.
A manmade computer program that duplicates itself into the other programs stored in a computer causing a detrimental effect. It can destroy or corrupt data stored on the hard disk and even destroy the overall operation of a computer.
An operating system made by Microsoft specifically for mobile devices.
A tiered database that stores setting information (such as user accounts, connected hardware, etc.), for the Microsoft Windows OS.
A hardware device or software used to protect a digital device (i.e. hard drive) from accidental overwriting or erasure of data.