/DFIRGlossary

A collaboration effort by the DFIR community to provide definitions (sometimes multiple) for common forensic terms!

MIT LicenseMIT

DFIRGlossary

A collaboration effort by the DFIR community to provide definitions (sometimes multiple) for common forensic terms!

DFIRGlossary Definitions

Term Definition(s) Source
Acquisition * A process by which digital evidence is duplicated, copied, or imaged. NIST.gov
Analysis * The examination of acquired data for its significance and probative value to the case. NIST.gov
Artifact * an arbitrary byte sequence, such as a file, which has some meaningful interpretation. NIST.gov
Authentication Mechanism * Hardware or software-based mechanisms that force users to prove their identity before accessing data on a device. NIST.gov
BIOS * Basic Input Output System. The set of routines stored in read-only memory that enables a computer to start the operating system and to communicate with the various devices in the system such as disk drives, keyboard, monitor, printer, and communication ports. OJP.gov
Bluetooth * A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.). NIST.gov
Brute Force Password Attack * A method of accessing an obstructed device by attempting multiple combinations of numeric/alphanumeric passwords. NIST.gov
Buffer Overflow Attack * A method of overloading a predefined amount of memory storage in a buffer, which can potentially overwrite and corrupt memory beyond the buffer’s boundaries. NIST.gov
Carving * The process of collecting all data between the header and footer of a file signature from unallocated areas of the disk. ENISA.eu
Cellular Network Isolation Card (CNIC) * A SIM card that isolates the device from cell tower connectivity. NIST.gov
Cellebrite Physical Analyzer * a software program that opens extractions of mobile devices to enable the user to search through the data, analyze it, and generate reports. NIST.gov
Chain of Custody * A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for any transfers. NIST.gov
Closed Source Operating System * Source code for an operating system is not publicly available. NIST.gov
Cluster * A group of contiguous sectors on a hard drive platter. Also known as a File Allocation Unit NIST.gov
Code Division Multiple Access (CDMA) * A spread spectrum technology for cellular networks based on the Interim Standard-95 (IS-95) from the Telecommunications Industry Association (TIA). NIST.gov
Complementary Metal Oxide Semiconductor (CMOS) * A type of chip used to store BIOS configuration information. OJP.gov
Compressed File * A file reduced in size through the application of a compression algorithm, commonly performed to save disk space. The act of compressing a file makes it unreadable to most programs until the file is uncompressed. NIST.gov
Cradle * A docking station, which creates an interface between a user’s PC and PDA and enables communication and battery recharging. NIST.gov
CDMA Subscriber Identity Module (CSIM) * CSIM is an application to support CDMA2000 phones that runs on a UICC, with a file structure derived from the R-UIM card. NIST.gov
Deleted File * A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data. NIST.gov
Digital Evidence * Electronic information stored or transmitted in binary form. NIST.gov
Electromagnetic Interference * An electromagnetic disturbance that interrupts, obstructs, or otherwise degrades or limits the effective performance of electronics/electrical equipment. NIST.gov
Electronic Serial Number (ESN) * A unique 32-bit number programmed into CDMA phones when they are manufactured. NIST.gov
Encryption * Any procedure used in cryptography to convert plain text into cipher text to prevent anyone but the intended recipient from reading that data. NIST.gov
Enhanced Data for GSM Evolution (EDGE) * An upgrade to GPRS to provide higher data rates by joining multiple time slots. NIST.gov
Enhanced Messaging Service (EMS) * An improved message system for GSM mobile devices allowing picture, sound, animation and text elements to be conveyed through one or more concatenated SMS messages. NIST.gov
Examination * A technical review that makes the evidence visible and suitable for analysis; as well as tests performed on the evidence to determine the presence or absence of specific data. NIST.gov
Exculpatory Evidence * Evidence that tends to decrease the likelihood of fault or guilt. NIST.gov
Feature Phone * A mobile device that primarily provide users with simple voice and text messaging services. NIST.gov
File Signature Anomaly * A mismatch between the internal file header and its external file name extension; a file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphics extension). NIST.gov
File Slack * Space between the logical end of the file and the end of the last allocation unit for that file. Also known as Slack Space. OJP.gov
File System * A software mechanism that defines the way that files are named, stored, organized, and accessed on logical volumes of partitioned memory. NIST.gov
Flash ROM * Non-volatile memory that is writable. NIST.gov
Forbidden PLMNs * A list of Public Land Mobile Networks (PLMNs) maintained on the SIM that the mobile phone cannot automatically contact, usually because service was declined by a foreign provider. NIST.gov
Forensic Copy * A bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm. NIST.gov
Forensic Specialist * Locates, identifies, collects, analyzes, and examines data, while preserving the integrity and maintaining a strict chain of custody of information discovered. NIST.gov
General Packet Radio Service (GPRS) * A packet switching enhancement to GSM and TDMA wireless networks to increase data transmission speeds. NIST.gov
Global Positioning System (GPS) * A system for determining position by comparing radio signals from several satellites. NIST.gov
GrayKey * A law enforcement only device made by Grayshift that uses a proprietary secretive technique to unlock or “crack” phones that cannot be unlocked by standard mobile forensics tools. Previously it only supported iPhones, but it recently added support for Android phones. NIST.gov
Global System for Mobile Communications (GSM) * A set of standards for second generation, cellular networks currently maintained by the 3rd Generation Partnership Project (3GPP). NIST.gov
Hardware Driver * Applications responsible for establishing communication between hardware and software programs. NIST.gov
Hashing * The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data. NIST.gov
HyperText Transfer Protocol (HTTP) * A standard method for communication between clients and Web servers. NIST.gov
Image * An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures the information is not altered. NIST.gov
Inculpatory Evidence * Evidence that tends to increase the likelihood of fault or guilt. NIST.gov
Instant Messaging (IM) * A facility for exchanging messages in real-time with other people over the Internet and tracking the progress of a given conversation. NIST.gov
Integrated Circuit Card ID (ICCID) * The unique serial number assigned to, maintained within, and usually imprinted on the (U)SIM. NIST.gov
Integrated Digital Enhanced Network (iDEN) * A proprietary mobile communications technology developed by Motorola that combines the capabilities of a digital cellular telephone with two-way radio. NIST.gov
International Mobile Equipment Identity (IMEI) * A unique identification number programmed into GSM and UMTS mobile devices. NIST.gov
International Mobile Subscriber Identity (IMSI) * A unique number associated with every GSM mobile phone subscriber, which is maintained on a (U)SIM. NIST.gov
Internet Message Access Protocol (IMAP) * A method of communication used to read electronic messages stored in a remote server. NIST.gov
Key Chords * Specific hardware keys pressed in a particular sequence on a mobile device. NIST.gov
Location Information (LOCI) * The Location Area Identifier (LAI) of the phone’s current location, continuously maintained on the (C/U)SIM when the phone is active and saved whenever the phone is turned off. NIST.gov
Logical Volume * A partition or a collection of partitions acting as a single entity that has been formatted with a filesystem. NIST.gov
Metadata * Data about data. For filesystems, metadata is data that provides information about a file's contents. NIST.gov
Mobile Devices * A mobile device is a small hand-held device that has a display screen with touch input and/or a QWERTY keyboard and may provide users with telephony capabilities. Mobile devices are used interchangeably (phones, tablets) throughout this document. NIST.gov
Mobile Subscriber Integrated Services Digital Network (MSISDN) * The international telephone number assigned to a cellular subscriber. NIST.gov
Multimedia Messaging Service (MMS) * An accepted standard for messaging that lets users send and receive messages formatted with text, graphics, photographs, audio, and video clips. NIST.gov
Near Field Communication (NFC) * A form of contactless, close proximity, radio communications based on radio-frequency identification (RFID) technology. NIST.gov
Non-volatile Data * Data that persists even after a computer is powered down. NIST.gov
Operating System * A program that runs on a computer and provides a software platform on which other programs can run. NIST.gov
Partition * A logical portion of a media that functions as though it were physically separate from other logical portions of the media. NIST.gov
Password Protected * The ability to protect the contents of a file or device from being accessed until the correct password is entered. NIST.gov
Personal Digital Assistant (PDA) * A handheld computer that serves as a tool for reading and conveying documents, electronic mail, and other electronic media over a communications link, as well as for organizing personal information, such as a name-and-address database, a to-do list, and an appointment calendar. NIST.gov
Personal Information Management (PIM) Applications * A core set of applications that provide the electronic equivalents of such items as an agenda, address book, notepad, and reminder list. NIST.gov
Personal Information Management (PIM) Data * The set of data types such as contacts, calendar entries, phonebook entries, notes, memos, and reminders maintained on a device, which may be synchronized with a personal computer. NIST.gov
Post Office Protocol (POP) * A standard protocol used to receive electronic mail from a server. NIST.gov
Probative Data * Information that reveals the truth of an allegation. NIST.gov
Push-To-Talk (PTT) * A method of communicating on half-duplex communication lines, including two-way radio, using a “walkie-talkie” button to switch from voice reception to transmit mode. NIST.gov
Removable User Identity Module (R-UIM) * A card developed for cdmaOne/CDMA2000 handsets that extends the GSM SIM card to CDMA phones and networks. NIST.gov
Sector * The smallest unit that can be accessed on media. NIST.gov
Secure Digital eXtended Capacity (SDXC) * Supports cards up to 2 TB, compared to a limit of 32 GB for SDHC cards in the SD 2.0 specification. NIST.gov
Short Message Service (SMS) * A cellular network facility that allows users to send and receive text messages of up to 160 alphanumeric characters on their handset. NIST.gov
SMS Chat * A facility for exchanging messages in real-time using SMS text messaging that allows previously exchanged messages to be viewed. NIST.gov
Steganography * The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format. NIST.gov
Subscriber Identity Module (SIM) * A smart card chip specialized for use in GSM equipment. NIST.gov
Synchronization Protocols * Protocols that allow users to view, modify, and transfer/update data between a cell phone and personal computer. NIST.gov
Universal Integrated Circuit Card * An integrated circuit card that securely stores the international mobile subscriber identity (IMSI) and the related cryptographic key used to identify and authenticate subscribers on mobile devices. A UICC may be referred to as a: SIM, USIM, RUIM or CSIM, and is used interchangeably with those terms. NIST.gov
UMTS Subscriber Identity Module (USIM) * A module similar to the SIM in GSM/GPRS networks, but with additional capabilities suited to 3G networks. NIST.gov
Universal Mobile Telecommunications System (UMTS) * A third-generation (3G) mobile phone technology standardized by the 3GPP as the successor to GSM. NIST.gov
Universal Serial Bus (USB) * A hardware interface for low-speed peripherals such as the keyboard, mouse, joystick, scanner, printer, and telephony devices. NIST.gov
Volatile Memory * Memory that loses its content when power is turned off or lost. NIST.gov
Wireless Application Protocol (WAP) * A standard that defines the way in which Internet communications and other advanced services are provided on wireless mobile devices. NIST.gov
Wireless Fidelity (WiFi) * A term describing a wireless local area network that observes the IEEE 802.11 protocol. NIST.gov
Write-Blocker * A device that allows investigators to examine media while preventing data writes from occurring on the subject media. NIST.gov
Write Protection * Hardware or software methods of preventing data from being written to a disk or other medium. NIST.gov

Contributing to This Project

New to GitHub? No problem! Here is a repo that you can test the below instructions on until you're comfortable to contribute to this repo!

Fork this repo by clicking on the Fork button on the top right of this page.

image

After that, you'll be working off of your Fork of this repository, which is effectively a snapshop in time.

image

As time goes on, this repository will evolve and your Fork will be left behind if you don't keep it updated. Be sure to Fetch Upstream prior contributing more so you have the most up to date copy of the repository before you starting adding to it!

GitHubFetchandMergeandContributeExample

Above is an example of Fetch Upstream combined with doing a Pull Request, which is what you should do when you have something new to the repo you'd like to add to the main repo.

New to Markdown? No problem!

  • Use StackEdit to write in Markdown with live preview.
  • Additionally, GitHub has a useful guide for Markdown syntax here.
  • Need help with making/using tables in Markdown? Check out this site!