Computer Evidence Glossary
False Negative:
A result that is not
correct because it fails to indicate a
match where one exists.
False Positive:
A result that is not
correct because it indicates a match
where there is none.
Fast Mode Parallel Port:
See
Port.
FAT (File Allocation Table):
An internal data table on
hard drives that keeps track of where
the files are stored. If a FAT is
corrupt, a drive may be unusable, yet
the data may be retrievable with
forensics.
See
Cluster.
FAX:
Short for facsimile. A
process of transmitting documents by
scanning them to digital, converting to
analog, transmitting over phone lines,
reversing the process at the other end
and printing.
Fiber Optics:
Transmitting information
by sending light pulses over cables made
from thin strands of glass.
Field (or Data Field):
A name for an individual
piece of standardized data, such as the
author of a document, a recipient, the
date of a document or any other piece of
data common to most documents in an
image collection, to be extracted from
the collection.
Field Separator:
A code that separates the
fields in a record. For example, the CSV
format uses a comma as the field
separator.
File:
A collection of data or
information stored under a specified
name on a disc.
File Compression:
See
Compression.
File Extension:
Many systems, including
DOS and UNIX, allow a filename extension
that consists of one or more characters
following the proper filename. For
example, image files are usually stored
as .bmp, .gif, .jpg or .tiff. Audio
files are often stored as .aud or .wav.
There are a multitude of file extensions
identifying file formats. The filename
extension should indicate what type of
file it is; however, users may change
filename extensions to evade firewall
restrictions or for other reasons.
Therefore, file types should be
identified at a binary level rather than
relying on file extensions. To research
file types, see (http://www.filext.com).
Different applications can often
recognize only a predetermined selection
of file types.
See also
Format.
File Format:
The organization or
characteristics of a file that determine
with which software programs it can be
used.
See also
Format.
File Header:
See
Header.
File Level Binary Comparison:
Method of deduplication
using the digital fingerprint (hash) of
a file. File Level Binary Comparison
ignores metadata, and can determine that
“SHOPPING LIST.DOC” and “TOP SECRET.DOC”
are actually the same document.
See also
Data Verification,
DeDuplication, Digital Fingerprint, and
Hash coding.
File Plan:
A document containing the
identifying number, title, description,
and disposition authority of files held
or used in an office.
File Server:
When several or many
computers are networked together in a
LAN situation, one computer may be
utilized as a storage location for files
for the group. File servers may be
employed to store email, financial data,
word processing information or to
back up the network.
See
Server.
File Sharing:
Sharing files stored on
the server among several users on a
network.
File Signature:
See
Digital Signature.
File Slack:
The unused space on a
cluster that exists when the logical
file space is less than the physical
file space.
See
Cluster.
File System:
The engine that an
operating system or program uses to
organize and keep track of ESI. More
specifically, the logical structures and
software routines used to control access
to the storage on a hard disc system and
the overall structure in which the files
are named, stored, and organized. The
file system plays a critical role in
computer forensics because the file
system determines the logical structure
of the hard drive, including its cluster
size. The file system also determines
what happens to data when the user
deletes a file or subdirectory.
File System Metadata:
Metadata generated by the
system to track the demographics (name,
size, location, usage, etc.) of the ESI.
It is not embedded within the ESI but
stored externally from it.
See also
Metadata.
File Table:
See
MFT.
File Transfer:
The process of moving or
transmitting a file from one location to
another, as between two programs or from
one computer to another.
Filename:
The name of a file,
excluding root drive and directory path
information. Different operating systems
may impose different restrictions on
filenames, for example, by prohibiting
use of certain characters in a filename
or imposing a limit on the length of a
filename. The filename extension should
indicate what type of file it is.
However, users often change filename
extensions to evade firewall
restrictions or for other reasons.
Therefore, file types must be identified
at a binary level rather than relying on
file extensions.
See also
File Extension and Full
Path.
FIPS:
Federal Information
Processing Standards issued by the
National Institute of Standards and
Technology after approval by the
Secretary of Commerce pursuant to
Section 111(d) of the Federal Property
and Administrative Services Act of 1949,
as amended by the Computer Security Act
of 1987, Public Law 100-235.
Firewall:
A set of related
programs, or hardware, that protect the
resources of a private network from
users from other networks. A firewall
filters information to determine whether
to forward the information toward its
destination.
Filter (verb):
See
Data Filtering.
Flash Drive:
See
Key Drive.
Flash Memory:
Memory that can retain
data even when power is removed; the
equivalent of film for digital cameras.
Flat File:
A non-relational,
text-based file (i.e., a
word processing document).
Flatbed Scanner:
A flat-surface scanner
that allows users to create a digital
image of books and other hard copy
documents or objects.
See
Scanner.
Floppy Disc:
A thin magnetic film disc
housed in a protective sleeve used to
copy and transport relatively small
amounts of data.
Folder:
See
Directory.
Forensic Copy:
A forensic copy is an
exact copy of an entire physical storage
media (hard drive, CD-ROM, DVD-ROM,
tape, etc.), including all active and
residual data and unallocated or slack
space on the media. The copying process
compresses and encrypts the data to
ensure authentication and protect
chain of custody. Forensic
copies are often called “image” or
“imaged copies.”
See
Bit Stream Backup and
Mirror Image.
Forensics:
The scientific
examination and analysis of data held
on, or retrieved from, ESI in such a way
that the information can be used as
evidence in a court of law. It may
include the secure collection of
computer data; the examination of
suspect data to determine details such
as origin and content; the presentation
of computer-based information to courts
of law; and the application of a
country’s laws to computer practice.
Forensics may involve recreating
“deleted” or missing files from hard
drives, validating dates and logged-in
authors/editors of documents, and
certifying key elements of documents
and/or hardware for legal purposes.
Form of Production:
The manner in which
requested documents are produced. Used
to refer both to file format (e.g.,
native vs. imaged format) and the media
on which the documents are produced
(paper vs. electronic).
Format (noun):
The internal structure of
a file, which defines the way it is
stored and used. Specific applications
may define unique formats for their data
(e.g., “MS Word document file format”).
Many files may only be viewed or printed
using their originating application or
an application designed to work with
compatible formats. There are several
common email formats, such as Outlook
and Lotus Notes. Computer storage
systems commonly identify files by a
naming convention that denotes the
format (and therefore the probable
originating application). For example,
“DOC” for Microsoft Word document files;
“XLS” for Microsoft Excel spreadsheet
files; “TXT” for text files; “HTM” for
Hypertext Markup Language (HTML) files
such as web pages; “PPT” for Microsoft
Powerpoint files; “TIF” for tiff images;
“PDF” for Adobe images; etc. Users may
choose alternate naming conventions, but
this will likely affect how the files
are treated by applications.
Format (verb):
To make a drive ready for
first use. Formatting is erroneously
thought to “wipe” the drive. Typically,
it only overwrites the FAT, not the
files on the drive.
Forms Processing:
A specialized imaging
application designed for handling
preprinted forms. Forms processing
systems often use high-end (or multiple)
OCR engines and elaborate data
validation routines to extract
handwritten or poor quality print from
forms that go into a database.
Fragmented:
In the course of normal
computer operations when files are
saved, deleted or moved, the files or
parts thereof may be broken into pieces,
or fragmented, and scattered in various
locations on the computer’s hard drive
or other storage medium, such as
removable discs. Data that would
otherwise be saved in contiguous
clusters may be larger than the
contiguous free space, in which case it
is broken up and randomly placed
throughout the available storage space.
See
DeFragment.
FTP (File Transfer Protocol):
An Internet protocol that
enables the transfer of files between
computers over a network or the
Internet.
Full Duplex:
Data communications
devices that allow full speed
transmission in both directions at the
same time.
Full Path:
A path name description
that includes the drive, starting or
root directory, all attached
subdirectories and ending with the file
or object name.
Full-Text Indexing:
Every word in the ESI is
indexed into a master word list with
pointers to the location within the ESI
where each occurrence of the word
appears.
Full-Text Search:
The ability to search ESI
for specific words, numbers and/or
combinations or patterns thereof.
Fuzzy Search:
Subjective content
searching (as compared to word searching
of objective data). Fuzzy Searching lets
the user find documents where word
matching does not have to be exact, even
if the words searched are misspelled due
to optical character recognition (OCR)
errors. This search locates all
occurrences of the search term, as well
as words that are “close” in spelling to
the search term.
Glossary - Courtesy of
The Sedona Conference®