A collaborative effort by the DFIR community to provide definitions (sometimes multiple) for common forensic terms!

Term | Definition(s) | Source |
---|---|---|
Acquisition | * A process by which digital evidence is duplicated, copied, or imaged. | NIST.gov |
Analysis | * The examination of acquired data for its significance and probative value to the case. | NIST.gov |
Artifact | * An arbitrary byte sequence, such as a file, which has some meaningful interpretation. | NIST.gov |
Authentication Mechanism | * Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. | NIST.gov |
BIOS | * Basic Input Output System. The set of routines stored in read-only memory that enables a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports. | OJP.gov |
Bluetooth | * A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.). | NIST.gov |
Brute Force Password Attack | * A method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords. | NIST.gov |
Buffer Overflow Attack | * A method of overloading a predefined amount of memory storage in a buffer, which can potentially overwrite and corrupt memory beyond the buffer’s boundaries. | NIST.gov |
Carving | * The process of collecting all data between the header and footer of a file signature from unallocated areas of the disk. | ENISA.eu |
Cellular Network Isolation Card (CNIC) | * A SIM card that isolates the device from cell tower connectivity. | NIST.gov |
Cellebrite Physical Analyzer | * A software program that opens extractions of mobile devices to enable the user to search through the data, analyze it, and generate reports. | NIST.gov |
Chain of Custody | * A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers. | NIST.gov |
Closed Source Operating System | * Source code for an operating system is not publicly available. | NIST.gov |
Cluster | * A group of contiguous sectors on a hard drive platter. Also known as a File Allocation Unit. | NIST.gov |
Code Division Multiple Access (CDMA) | * A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA). | NIST.gov |
Complementary Metal Oxide Semiconductor (CMOS) | * A type of chip used to store BIOS configuration information. | OJP.gov |
Compressed File | * A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file makes it unreadable to most programs until the file is uncompressed. | NIST.gov |
Cradle | * A docking station, which creates an interface between a user’s PC and PDA and enables communication and battery recharging. | NIST.gov |
CDMA Subscriber Identity Module (CSIM) | * CSIM is an application to support CDMA2000 phones that runs on a UICC, with a file structure derived from the R-UIM card. | NIST.gov |
Deleted File | * A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data. | NIST.gov |
Digital Evidence | * Electronic information stored or transmitted in binary form. | NIST.gov |
Electromagnetic Interference | * An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment. | NIST.gov |
Electronic Serial Number (ESN) | * A unique 32-bit number programmed into CDMA phones when they are manufactured. | NIST.gov |
Encryption | * Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data. | NIST.gov |
Enhanced Data for GSM Evolution (EDGE) | * An upgrade to GPRS to provide higher data rates by joining multiple time slots. | NIST.gov |
Enhanced Messaging Service (EMS) | * An improved message system for GSM mobile devices allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages. | NIST.gov |
Examination | * A technical review that makes the evidence visible and suitable for analysis; as well as tests performed on the evidence to determine the presence or absence of specific data. | NIST.gov |
Exculpatory Evidence | * Evidence that tends to decrease the likelihood of fault or guilt. | NIST.gov |
Feature Phone | * A mobile device that primarily provides users with simple voice and text messaging services. | NIST.gov |
File Signature Anomaly | * A mismatch between the internal file header and its external file name extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension). | NIST.gov |
File Slack | * Space between the logical end of the file and the end of the last allocation unit for that file. Also known as Slack Space. | OJP.gov |
File System | * A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory. | NIST.gov |
Flash ROM | * Non-volatile memory that is writable. | NIST.gov |
Forbidden PLMNs | * A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the mobile phone cannot automatically contact, usually because service was declined by a foreign provider. | NIST.gov |
Forensic Copy | * A bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. | NIST.gov |
Forensic Specialist | * Locates, identifies, collects, analyzes, and examines data, while preserving the integrity and maintaining a strict chain of custody of information discovered. | NIST.gov |
General Packet Radio Service (GPRS) | * A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds. | NIST.gov |
Global Positioning System (GPS) | * A system for determining position by comparing radio signals from several satellites. | NIST.gov |
GrayKey | * A law enforcement only device made by Grayshift that uses a proprietary secretive technique to unlock or “crack” phones that cannot be unlocked by standard mobile forensics tools. Previously it only supported iPhones, but it recently added support for Android phones. | NIST.gov |
Global System for Mobile Communications (GSM) | * A set of standards for second generation, cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP). | NIST.gov |
Hardware Driver | * Applications responsible for establishing communication between hardware and software programs. | NIST.gov |
Hashing | * The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. | NIST.gov |
HyperText Transfer Protocol (HTTP) | * A standard method for communication between clients and Web servers. | NIST.gov |
Image | * An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered. | NIST.gov |
Inculpatory Evidence | * Evidence that tends to increase the likelihood of fault or guilt. | NIST.gov |
Instant Messaging (IM) | * A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of a given conversation. | NIST.gov |
Integrated Circuit Card ID (ICCID) | * The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM. | NIST.gov |
Integrated Digital Enhanced Network (iDEN) | * A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio. | NIST.gov |
International Mobile Equipment Identity (IMEI) | * A unique identification number programmed into GSM and UMTS mobile devices. | NIST.gov |
International Mobile Subscriber Identity (IMSI) | * A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM. | NIST.gov |
Internet Message Access Protocol (IMAP) | * A method of communication used to read electronic messages stored in a remote server. | NIST.gov |
Key Chords | * Specific hardware keys pressed in a particular sequence on a mobile device. | NIST.gov |
Location Information (LOCI) | * The Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the (C/U)SIM when the phone is active and saved whenever the phone is turned off. | NIST.gov |
Logical Volume | * A partition or a collection of partitions acting as a single entity that has been formatted with a filesystem. | NIST.gov |
Metadata | * Data about data. For filesystems, metadata is data that provides information about a file's contents. | NIST.gov |
Mobile Devices | * A mobile device is a small hand-held device that has a display screen with touch input and/or a QWERTY keyboard and may provide users with telephony capabilities. Mobile devices are used interchangeably (phones, tablets) throughout this document. | NIST.gov |
Mobile Subscriber Integrated Services Digital Network (MSISDN) | * The international telephone number assigned to a cellular subscriber. | NIST.gov |
Multimedia Messaging Service (MMS) | * An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips. | NIST.gov |
Near Field Communication (NFC) | * A form of contactless, close proximity, radio communications based on radio-frequency identification (RFID) technology. | NIST.gov |
Non-volatile Data | * Data that persists even after a computer is powered down. | NIST.gov |
Operating System | * A program that runs on a computer and provides a software platform on which other programs can run. | NIST.gov |
Partition | * A logical portion of a media that functions as though it were physically separate from other logical portions of the media. | NIST.gov |
Password Protected | * The ability to protect the contents of a file or device from being accessed until the correct password is entered. | NIST.gov |
Personal Digital Assistant (PDA) | * A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, as well as for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar. | NIST.gov |
Personal Information Management (PIM) Applications | * A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list. | NIST.gov |
Personal Information Management (PIM) Data | * The set of data types such as contacts, calendar entries, phonebook entries, notes, memos, and reminders maintained on a device, which may be synchronized with a personal computer. | NIST.gov |
Post Office Protocol (POP) | * A standard protocol used to receive electronic mail from a server. | NIST.gov |
Probative Data | * Information that reveals the truth of an allegation. | NIST.gov |
Push-To-Talk (PTT) | * A method of communicating on half-duplex communication lines, including two-way radio, using a “walkie-talkie” button to switch from voice reception to transmit mode. | NIST.gov |
Removable User Identity Module (R-UIM) | * A card developed for cdmaOne/CDMA2000 handsets that extends the GSM SIM card to CDMA phones and networks. | NIST.gov |
Sector | * The smallest unit that can be accessed on media. | NIST.gov |
Secure Digital eXtended Capacity (SDXC) | * Supports cards up to 2 TB, compared to a limit of 32 GB for SDHC cards in the SD 2.0 specification. | NIST.gov |
Short Message Service (SMS) | * A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset. | NIST.gov |
SMS Chat | * A facility for exchanging messages in real-time using SMS text messaging that allows previously exchanged messages to be viewed. | NIST.gov |
Steganography | * The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format. | NIST.gov |
Subscriber Identity Module (SIM) | * A smart card chip specialized for use in GSM equipment. | NIST.gov |
Synchronization Protocols | * Protocols that allow users to view, modify, and transfer/update data between a cell phone and personal computer. | NIST.gov |
Universal Integrated Circuit Card | * An integrated circuit card that securely stores the international mobile subscriber identity (IMSI) and the related cryptographic key used to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a: SIM, USIM, RUIM or CSIM, and is used interchangeably with those terms. | NIST.gov |
UMTS Subscriber Identity Module (USIM) | * A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks. | NIST.gov |
Universal Mobile Telecommunications System (UMTS) | * A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM. | NIST.gov |
Universal Serial Bus (USB) | * A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices. | NIST.gov |
Volatile Memory | * Memory that loses its content when power is turned off or lost. | NIST.gov |
Wireless Application Protocol (WAP) | * A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices. | NIST.gov |
Wireless Fidelity (WiFi) | * A term describing a wireless local area network that observes the IEEE 802.11 protocol. | NIST.gov |
Write-Blocker | * A device that allows investigators to examine media while preventing data writes from occurring on the subject media. | NIST.gov |
Write Protection | * Hardware or software methods of preventing data from being written to a disk or other medium. | NIST.gov |

New to GitHub? No problem! Here is a repo that you can test the below instructions on until you're comfortable contributing to this repo!

Fork this repo by clicking on the Fork button on the top right of this page.

After that, you'll be working off of your Fork of this repository, which is effectively a snapshot in time.

As time goes on, this repository will evolve and your Fork will be left behind if you don't keep it updated. Be sure to Fetch Upstream prior to contributing more so you have the most up-to-date copy of the repository before you start adding to it!

Above is an example of Fetch Upstream combined with a Pull Request, which is what you should do when you have something new that you'd like to add to the main repo.