Computer Evidence Glossary

 

 

PAB (Personal Address Book): A Microsoft Outlook list of recipients created and maintained by an individual user for personal use. The personal address book is a subset of the global address list (GAL).

PackBits: A compression scheme that originated with the Macintosh. Suitable only for black & white.

Packet: A unit of data sent across a network that may contain identity and routing information. When a large block of data is to be sent over a network, it is broken up into several packets, sent, and then reassembled at the other end. The exact layout of an individual packet is determined by the protocol being used.

Page: A single image of the equivalent of “one piece of paper.” One or several pages make up a “Document.”

Page File/Paging File: A file used to temporarily store code and data for programs that are currently running. This information is left in the swap file after the programs are terminated, and may be retrieved using forensic techniques. Also referred to as a swap file.

Parallel Port: See Port.

Parent: See Document.

Parsing: Transforms input text into a data structure suitable for later processing, while capturing the implied hierarchy of the input. Data may be parsed from one source of ESI to another.

Partition: A partition is an individual section of computer storage media such as a hard drive. For example, a single hard drive may be divided into several partitions. When a hard drive is divided into partitions, each partition is designated by a separate drive letter, i.e., C, D, etc.

Partition Table: The partition table indicates each logical volume contained on a disc and its location.

Partition Waste Space: After the boot sector of each volume or partition is written to a track, it is customary for the system to skip the rest of that track and begin the actual useable area of the volume on the next track. This results in unused or “wasted” space on that track where information can be hidden. This “wasted space” can only be viewed with a low level disc viewer. However, forensic techniques can be used to search these “wasted space” areas for hidden information.

Password: A secret code utilized, usually along with a user ID, in order to log on or gain access to a PC, network or other secure system, site or application.

Path: The hierarchical description of where a directory, folder, or file is located on a computer or network. In DOS and Windows systems, a path is a list of directories where the operating system looks for executable files if it is unable to find the file in the working directory. The list of directories can be specified with the PATH command. Path is also used to refer to a transmission channel, the path between two nodes of a network that a data communication follows, and the physical cabling that connects the nodes on a network.

Pattern Matching: A generic term that describes any process that compares one file’s content with another file’s content.

Pattern Recognition: Technology that searches ESI for like patterns and flags, and extracts the pertinent data, usually utilizing an algorithm. For instance, in looking for addresses, alpha characters followed by a comma and a space, followed by two capital alpha characters, followed by a space, followed by five or more digits, are usually the city, state and zip code. By programming the application to look for a pattern, the information can be electronically identified, extracted, or otherwise utilized or manipulated.

PCI: Peripheral Component Interconnect (Interface). A high-speed interconnect local bus used to support multimedia devices.

PCMCIA: Personal Computer Memory Card International Association. Plug-in cards for computers (usually portables) that extend the storage and/or functionality.

PDA (Personal Digital Assistant): A small, usually hand-held, computer that “assists” business tasks, e.g. Blackberry, Palm Pilot Treo.

PDF (Portable Document Format): An imaging file format technology developed by Adobe Systems. PDF captures formatting information from a variety of applications in such a way that they can be viewed and printed as they were intended in their original application by practically any computer, on multiple platforms, regardless of the specific application in which the original was created. PDF files may be text-searchable or image-only. Adobe® Reader, a free application distributed by Adobe Systems, is required to view a file in PDF format. Adobe® Acrobat, an application marketed by Adobe Systems, is required to edit, capture text, or otherwise manipulate a file in PDF format.

Peripheral: Any accessory device attached to a computer, such as a disk drive, printer, modem or joystick.

Personal Computer (PC): Computer based on a microprocessor and designed to be used by one person at a time.

Personal Data (as used with regard to the EU Data Protection Act): Data which relate to a natural person who can be identified from those Data, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Petabyte (PB): 1,125,899,906,842,624 bytes - 1024^5 (a quadrillion bytes). See Byte.

Phase Change: A method of storing information on rewritable optical discs.

Physical Disc: An actual piece of computer media, such as the hard disc or drive, floppy discs, CD-ROM discs, Zip discs, etc.

Physical File Space: When a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, previously deleted/overwritten files or fragments thereof.


Physical Unitization: See Unitization - Physical and Logical.

PICA: One sixth (1/6) of an inch. Used to measure graphics/fonts. There are 12 points per pica; 6 picas per inch; 72 points per inch.

Picture Element: The smallest addressable unit on a display screen. The higher the resolution (the more rows and columns), the more information can be displayed.

Ping: Executable command, used as a test for checking network connectivity.

Pitch: Characters (or dots) per inch, measured horizontally.

PKI (Public Key Infrastructure) Digital Signature: A document or file may be digitally signed using a party’s private signature key, creating a “digital signature” that is stored with the document. Anyone can validate the signature on the document using the public key from the digital certificate issued to the signer. Validating the digital signature confirms who signed it, and ensures that no alterations have been made to the document since it was signed. Similarly, an email message may be digitally signed using commonly available client software that implements an open standard for this purpose, such as Secure Multipurpose Internet Mail Extensions (S/MIME). Validating the signature on the email can help the recipient know with confidence who sent it, and that it was not altered during transmission. See Certificate.

Plaintext: The least formatted and therefore most portable form of text for computerized documents.

Plasma: A type of flat panel display commonly used for large televisions, although quickly being replaced by LCD due to advances in technology; many tiny cells are located between two panels of glass holding an inert mixture of gases.

Platter: One of several components that make up a computer hard drive. Platters are thin, rapidly rotating discs that have a set of read/write heads on both sides of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sections called sectors, and each sector is subdivided into bytes.

PMS (Pantone Matching System): A color standard in printing.

POD (Print On Demand): Document images are stored in electronic format and are available to be quickly printed and in the exact quantity required, long or short runs.

Pointer: A pointer is an index entry in the directory of a disc (or other storage medium) that identifies the space on the disc in which an electronic document or piece of electronic data resides, thereby preventing that space from being overwritten by other data. In most cases, when an electronic document is “deleted,” the pointer is deleted, which allows the document to be overwritten, but the document is not actually erased.

Port: Hardware ports are an interface between a computer and other computers or devices, and can be divided into two primary groups based on signal transfer: serial ports send and receive one bit at a time via a single wire pair, while parallel ports send multiple bits at the same time over several sets of wires. Software ports are virtual data connections used by programs to exchange data directly instead of going through a file or other temporary storage locations; the most common types are TCP and UDP.

Portable Volumes: A feature that facilitates the moving of large volumes of documents without requiring copying multiple files. Portable volumes enable individual CDs to be easily regrouped, detached and reattached to different databases for a broader information exchange.

Portrait Mode: A display where the height exceeds the width (Vertical).

Preservation: The process of ensuring retention and protection from destruction or deletion of all potentially relevant evidence, including electronic metadata. See also Spoliation.

Preservation Notice, Preservation Order: See Legal Hold.

Printout: A printed version of text or data, another term for which is hard copy.

Private Network: A network that is connected to the Internet but is isolated from the Internet with security measures allowing use of the network only by persons within the private network.

Privilege Data Set: The universe of documents identified as responsive and/or relevant, but withheld from production on the grounds of privilege, a log of which is usually required to notify of withheld documents and the grounds on which they were withheld (e.g., work product, attorney-client privilege).

Process/processing (as used with regard to the EU Data Protection Act): Any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

Processing Data: In the context of this document, synonymous with Image Processing.

Production: The process of delivering to another party, or making available for that party’s review, documents and/or ESI deemed responsive to a discovery request.

Production Data Set: The universe of documents and/or ESI identified as responsive to document requests and not withheld on the grounds of attorney-client, work product, or other privilege.

Production De-Duplication: Removal of a document if multiple copies of that document reside within the same production set. For example, if two identical documents are both marked responsive, non-privileged, production de-duplication ensures that only one of those documents is produced. See De-Duplication.

Production Number: Often referred to as the “bates” number. A sequential number assigned to every page of a production for tracking and reference purposes. Often used in conjunction with a suffix or prefix to identify the producing party, the litigation, or other relevant information. See also Bates Number.

Program: See Application and Software.

Properties: Fields of electronic information, or certain “metadata,” associated with a record or document such as creation date, author, date modified, blind copy recipients and date received. See Metadata.

Protocol: Defines a common series of rules, signals and conventions that allow different kinds of computers and applications to communicate over a network. One of the most common protocols for networks is called TCP/IP.

Protodigital: Primitive or first-generation digital. Applied as an adjective to systems, software, “documents,” or ways of thinking. The term was first used in music to refer to early computer synthesizers that attempted to mimic the sound of traditional musical instruments, and to early jazz compositions written on computers with that instrumentation in mind. In electronic discovery, this term is most often applied to systems or ways of thinking that, on the surface, appear to embrace digital technology, but attempt to equate ESI to paper records, ignoring the unique attributes of ESI. When someone says, “What’s the big deal with e-discovery? Sure we have a lot of email. You just print it all out and produce it like you used to,” that is an example of protodigital thinking. When someone says, “We embrace electronic discovery. We scan everything to .PDF before we produce it,” that person is engaged in protodigital thinking, attempting to fit ESI into the paper discovery paradigm.

Proximity Search: For text searches, the ability to look for words or phrases within a prescribed distance of another word or phrase, such as “accident” within 5 words of “tire.”

PST: A Microsoft Outlook email store. Multiple .pst files may exist in different locations (hard drive, network shares, backup tapes or discs, etc.) and contain archived email.

Public Key: See PKI Digital Signature.

Public Network: A network that is part of the public Internet.

 

Glossary - Courtesy of The Sedona Conference®

 
 
 
                                        
 

Copyright 2009   iTevidence   All rights reserved