Digital Forensics Glossary
What is Active Data?
Active data is the data a computer's operating system (OS) and its installed applications can see and use directly: the files, programs and system information that the file system currently tracks. It is usually also what a user sees on screen. It excludes data the OS no longer presents, such as deleted files, slack space and other latent data (see Latent Data below).
Think of it as everything investigators can see with the naked eye at a crime scene, the murder weapon, say. Active data in that analogy excludes the sweat or other bodily traces left on the carpet while the crime was committed; recovering those takes specialized tools such as a DNA kit.
Active data is the easiest data to retrieve during a digital forensics investigation, because even an ordinary file-by-file (logical) copy captures it. It includes all the files, programs and system information a computer's OS uses.
What are Backup Media?
Backup media are the storage devices on which copies of electronic files are kept: disks, disk drives and tapes, and also CDs, DVDs and USB flash drives when they hold copies rather than the only instance of a file. Removable media holding unique, original files are primary storage, not backup media, no matter what form they take.
What makes a device backup media is that it contains copies of files that are or were stored on another device. Backups are kept mainly to avoid data loss when a device fails, but they matter to investigators for the same reason: a file a suspect deleted or altered on the primary device may still exist, with its earlier content, on a backup, and every file on the backup media is a potential source of evidence.
What is a Bitstream?
A bitstream is a sequence of bits transferred from one device to another. All data is made of bits, the most basic unit of information, so the term applies to any kind of data: audio, images or any other type of file. Every time you listen to a song, for example, the player is decoding the bitstream that makes up the audio.
In digital forensics, a bitstream copy (or bitstream image) is an exact bit-for-bit copy of a storage medium or of a file, folder or other item of digital evidence. Unlike a file-by-file copy, a bitstream copy of a disk reproduces every sector, including unallocated space, slack space and other areas the file system does not present as files, which is why deleted data can be recovered from it.
What Is a Digital Footprint?
A digital footprint is the residual information individuals and organizations leave while using the Internet. It can be active (information users share deliberately, such as posts and profiles) or passive (information they leave without knowing, such as server logs, cookies and tracking data). Either kind can shape a data owner's online reputation and persona, and it can be used for legitimate purposes, including investigations and forensic analysis.
Threat actors can abuse digital footprints as well. They use ordinary Internet users' personal information to commit identity theft, financial fraud and other forms of cybercrime. They also collect a business's public footprint (domains, exposed services, employee details, leaked credentials) as reconnaissance to learn about its systems, networks and applications, and then probe those resources for vulnerabilities to exploit.
What is a File Attribute?
A file attribute is a piece of metadata that describes a file or directory and tells the operating system how to treat it: for instance, whether the object is read-only, hidden, a system file, compressed, encrypted or flagged for archiving. Attributes matter in digital forensics because they are part of the evidence of how a file was used. Malware, for example, commonly sets the hidden and system attributes on a dropped file so that it does not appear in a normal directory listing.
Which attributes exist depends on the underlying file system, such as File Allocation Table (FAT), New Technology File System (NTFS) or ext4, which stores them alongside its other control structures: NTFS keeps them in the file's MFT record, ext4 keeps its own flags in the inode. Apart from files and directories, volumes and other file system objects can carry attributes as well.
What is a File Signature?
A file signature, also called a magic number, is a short, fixed byte sequence at a known position (usually the very start) of a file that identifies its format. PNG files begin with the bytes 89 50 4E 47 0D 0A 1A 0A, PDF files with the text %PDF-, Windows executables with MZ. Programs that parse a file use the signature to confirm they are reading the format they expect. The file extension is a separate, user-controlled label: Windows chooses the application by extension, so a file saved under the wrong extension opens with the wrong program, which then fails to read it, but nothing stops a user or an attacker from renaming a file to disguise its real type.
A file signature is not an integrity check. It only says what format the file claims to be, so a modified or infected file carries exactly the same signature as the original. Integrity is verified separately with a cryptographic hash (MD5, SHA-1 or SHA-256) recorded at acquisition and compared later. In digital forensics, comparing signatures against extensions is a standard way to find files whose type has been disguised, while hashes establish that evidence has not changed.
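The two points above, identification by signature rather than extension and the fact that a signature proves nothing about integrity, as an added example (not code from the original page). The signature table, the expected-extension map and the sample files are constructed for the demo; offsets other than zero are included because some formats (ISO 9660 images, for instance) carry their signature deep inside the file.

```python
"""Identify files by signature (magic bytes), flag extension mismatches, and show that a
valid signature says nothing about whether the content was altered.
Added example; the table and sample files below are constructed for the demo."""
import hashlib
import os

# (type, offset in file, magic bytes). Order matters only where prefixes overlap.
SIGNATURES = [
    ("png",  0, b"\x89PNG\r\n\x1a\n"),
    ("jpeg", 0, b"\xff\xd8\xff"),
    ("gif",  0, b"GIF87a"),
    ("gif",  0, b"GIF89a"),
    ("pdf",  0, b"%PDF-"),
    ("zip",  0, b"PK\x03\x04"),      # also the container for .docx/.xlsx/.jar/.apk
    ("elf",  0, b"\x7fELF"),
    ("pe",   0, b"MZ"),              # Windows .exe/.dll/.sys
    ("iso",  0x8001, b"CD001"),      # ISO 9660 primary volume descriptor
]

# Extensions that legitimately carry each signature type (assumed policy for the demo).
EXPECTED_EXT = {
    "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"}, "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "elf": {".so", ".elf", ""}, "pe": {".exe", ".dll", ".sys", ".scr"}, "iso": {".iso"},
}


def identify(data):
    """Return the signature-based type of `data`, or None if no table entry matches."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None


def check_extension(filename, data):
    """Compare what the extension claims with what the signature says.
    Returns (signature_type, extension, mismatch)."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    mismatch = kind is not None and ext not in EXPECTED_EXT.get(kind, set())
    return kind, ext, mismatch


def run_demo():
    # Constructed sample files: a PNG header hiding as .txt, a PE header hiding as .jpg,
    # a PDF with the right extension, and a file with no known signature.
    samples = {
        "notes.txt": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
        "holiday.jpg": b"MZ\x90\x00" + b"\x00" * 60,
        "invoice.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
        "random.bin": b"\x00\x01\x02\x03",
    }
    results = {name: check_extension(name, data) for name, data in samples.items()}

    # A signature is not an integrity check: changing one byte of the body leaves the
    # PDF signature valid, while the SHA-256 hash no longer matches.
    original = samples["invoice.pdf"]
    tampered = original[:-1] + b"X"
    integrity = {
        "signature_still_valid": identify(tampered) == "pdf",
        "hash_unchanged": hashlib.sha256(original).digest() == hashlib.sha256(tampered).digest(),
    }
    return results, integrity


if __name__ == "__main__":
    results, integrity = run_demo()
    for name, (kind, ext, mismatch) in results.items():
        print(f"{name:12s} signature={kind!s:6s} ext={ext:6s} mismatch={mismatch}")
    print(integrity)
```

Real triage tools carry hundreds of signatures and also check footers and internal structure; the point here is the split between the two questions: "what is this file?" is answered by the signature, "is it what we acquired?" only by the hash.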
What is a Forensic Image?
A forensic image is a complete, unmodified copy of electronic data, usually a bitstream copy of an entire drive or partition, although a single file or folder can be imaged as well. Common formats are raw (dd) images and the Expert Witness Format (E01).
Forensic imaging, the process of creating a forensic image, happens before any analysis: the original evidence is imaged once, with a write blocker in place, and examiners then work on the image (or a copy of it) so the original stays unchanged. The image is hashed at acquisition, and the hash is recomputed later to show the evidence has not been altered. If imaging is not done right, the evidence may be deemed inadmissible, which is why a trained examiner following documented procedures, often an independent third party, creates the image and records the chain of custody, avoiding evidence tampering or destruction.
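The acquisition described under Bitstream and Forensic Image above, as an added example that is not code from the original page: a block-by-block copy of a device, hashed as it is read, with the image hashed again afterwards for verification. The "device" is a constructed file (the names sdb and sdb.dd, the sector geometry and the file contents are all assumed for the demo) so that the code runs anywhere; on a real system `src` would be a block device such as /dev/sdb behind a write blocker.

```python
"""Bitstream (bit-for-bit) imaging with hash verification.
Added example, not from the original page. `src` stands in for a block device such as
/dev/sdb; here it is a constructed file so the demo runs anywhere (POSIX os.pread)."""
import hashlib
import os
import tempfile

SECTOR, SAMPLE_SECTORS = 512, 8          # assumed geometry of the constructed device


def build_sample_device(path):
    """Write a made-up 'device': one live file in sector 1, and in sector 5 the
    remains of a deleted file that the file system no longer lists."""
    sectors = [bytes(SECTOR) for _ in range(SAMPLE_SECTORS)]
    live = b"LIVE FILE: quarterly report v3"
    remnant = b"DELETED FILE: wire 250000 EUR to account 4711"
    sectors[1] = live.ljust(SECTOR, b"\x00")
    sectors[5] = remnant.ljust(SECTOR, b"\xff")
    with open(path, "wb") as f:
        f.write(b"".join(sectors))
    return live, remnant


def image_device(src, dst, block_size=SECTOR * 8, size=None):
    """Copy every byte of src to dst, hashing the source as it is read. A block that
    cannot be read is replaced with zeros and its offset recorded, so one bad sector
    does not abort the acquisition (like dd conv=noerror,sync). Pass `size` when the
    device size is known so persistent read errors cannot loop forever."""
    digest, bad_blocks, offset = hashlib.sha256(), [], 0
    fd = os.open(src, os.O_RDONLY)       # read-only open; a write blocker enforces this in hardware
    try:
        with open(dst, "wb") as out:
            while size is None or offset < size:
                try:
                    chunk = os.pread(fd, block_size, offset)
                except OSError:          # e.g. EIO on a failing sector
                    chunk = bytes(block_size)
                    bad_blocks.append(offset)
                if not chunk:
                    break                # end of device
                digest.update(chunk)
                out.write(chunk)
                offset += len(chunk)
    finally:
        os.close(fd)
    return {"sha256": digest.hexdigest(), "bytes": offset, "bad_blocks": bad_blocks}


def sha256_file(path, block_size=SECTOR * 8):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def run_demo():
    """Image the sample device, verify the image hash against the acquisition hash,
    and show that the image holds the deleted remnant a file-level copy would miss."""
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "sdb"), os.path.join(d, "sdb.dd")
        live, remnant = build_sample_device(src)
        acq = image_device(src, dst)
        with open(dst, "rb") as f:
            image = f.read()
        return {
            "hashes_match": acq["sha256"] == sha256_file(dst),
            "image_size": acq["bytes"],
            "device_size": SECTOR * SAMPLE_SECTORS,
            "bad_blocks": acq["bad_blocks"],
            "remnant_in_image": remnant in image,
            "remnant_in_live_file": remnant in live,
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The acquisition hash and the re-computed image hash are the two values an examiner records: they match here, and they are what a later verification compares against. Anything that changes the image (or the original) between the two changes the hash.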
What is a Jump List?
A jump list is a Windows feature, introduced in Windows 7, that lists the files most recently or most frequently opened with a given program. To view one, right-click a program's icon on the taskbar. Windows stores jump lists per user as AutomaticDestinations and CustomDestinations files under %APPDATA%\Microsoft\Windows\Recent, and the entries remain even after the files they point to have been deleted.
For digital forensics professionals, jump lists are a ready-made record of which documents a user opened, with which program, and when. If, say, someone made an unauthorized change to a shared document, the jump lists in the suspect's profile show whether and when that user opened the file in question, even if the user later deleted it.
What is Latent Data?
Latent data, also known as "ambient data," is information stored on a computer that cannot be seen through the operating system (OS) or the standard programs installed on it. It includes the remains of deleted files, swap and hibernation files, print spooler files, memory dumps, the slack space of existing files, and temporary and cache files.
Data recovery tools rely on latent data to restore files lost to user error, program crashes or malicious activity such as a ransomware infection. Computer forensics experts use the same hidden remnants to retrieve deleted files and reconstruct activity, which requires specialized software (or raw access to the disk) because the OS itself does not expose latent data.
What is the Master File Table?
The master file table (MFT) is the central index of a New Technology File System (NTFS) volume, kept in the hidden system file $MFT. It contains at least one entry (record) for every file and directory on the volume, including $MFT itself. Each record holds everything NTFS knows about the file: its name(s), size, timestamps, attribute flags, security descriptor and its data. Small files are stored inside the record itself (resident); larger files are stored in clusters outside the MFT that the record points to (non-resident).
You can liken it to the inventory of a store. Everything an employee needs to know about the store's products can be found in it: how many items of a product are still available, when they were ordered, when they will expire, and more. In this scenario, the inventory is the MFT.
Digital forensics investigators parse the MFT to enumerate every file on any Windows computer or system that uses NTFS, including deleted files whose records have not yet been reused, and to compare the two sets of timestamps each record carries, in $STANDARD_INFORMATION and $FILE_NAME, which is how timestamp manipulation ("timestomping") is detected.
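An added example, not code from the original page, that ties the File Attribute and Master File Table entries together: a parser for a single NTFS MFT FILE record that undoes the update-sequence fixups, walks the resident attributes, decodes the attribute flags and timestamps from $STANDARD_INFORMATION and $FILE_NAME, and flags the $SI-older-than-$FN pattern. Because a real $MFT cannot be shipped with a glossary, build_sample_record() constructs a record with assumed values (record number 4242, the name evidence.txt, the HIDDEN|SYSTEM|ARCHIVE flags, a backdated $SI creation time and a 256-byte resident $DATA) using the on-disk layout the parser expects. Non-resident data runs are deliberately not parsed.

```python
"""Parse an NTFS MFT FILE record (fixups, resident attributes, $SI/$FN/$DATA).
Added example; the sample record is constructed, not taken from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, 100 ns units
FILE_ATTRIBUTE_FLAGS = {0x1: "READONLY", 0x2: "HIDDEN", 0x4: "SYSTEM", 0x20: "ARCHIVE",
                        0x80: "NORMAL", 0x100: "TEMPORARY", 0x200: "SPARSE", 0x400: "REPARSE_POINT",
                        0x800: "COMPRESSED", 0x1000: "OFFLINE", 0x2000: "NOT_CONTENT_INDEXED",
                        0x4000: "ENCRYPTED"}
# Assumed values for the constructed sample record.
SI_CREATED = datetime(2019, 6, 1, tzinfo=timezone.utc)           # $SI creation, backdated
FN_CREATED = datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)  # $FN creation, the real one
MODIFIED = datetime(2024, 3, 15, 10, 31, tzinfo=timezone.utc)
FILE_NAME, RECORD_NUMBER, ATTR_FLAGS = "evidence.txt", 4242, 0x26   # 0x26 = HIDDEN|SYSTEM|ARCHIVE
DATA_CONTENT = b"Meet at the usual place at 21:00. Bring the drive.\n".ljust(256, b"-")

def to_filetime(dt):
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10

def from_filetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_attr_flags(flags):
    return [name for bit, name in sorted(FILE_ATTRIBUTE_FLAGS.items()) if flags & bit]

def _resident_attr(atype, content, attr_id):
    # 24-byte resident attribute header + content, padded to an 8-byte boundary
    body = content + bytes(-len(content) % 8)
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0, attr_id,
                       len(content), 24, 0, 0) + body

def build_sample_record():
    # 1024-byte in-use FILE record with resident $STANDARD_INFORMATION, $FILE_NAME, $DATA
    m = to_filetime(MODIFIED)
    si = struct.pack("<QQQQIIII", to_filetime(SI_CREATED), m, m, m, ATTR_FLAGS, 0, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), to_filetime(FN_CREATED), m, m, m, 0, 0,
                     ATTR_FLAGS, 0, len(FILE_NAME), 3) + FILE_NAME.encode("utf-16-le")
    attrs = (_resident_attr(0x10, si, 0) + _resident_attr(0x30, fn, 1)
             + _resident_attr(0x80, DATA_CONTENT, 2) + b"\xff\xff\xff\xff")   # end marker
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 0x0001,
                         56 + len(attrs), 1024, 0, 3, 0, RECORD_NUMBER)
    usn = b"\x07\x00"                       # update sequence number; USA follows the header at 48
    rec = bytearray((header + usn + bytes(6) + attrs).ljust(1024, b"\x00"))
    for i in (1, 2):                        # park each sector's last 2 bytes in the USA, stamp the USN
        rec[48 + 2 * i:50 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)

def apply_fixups(raw, sector=512):
    """Undo the USN stamping; a mismatch means a torn write or a corrupt record."""
    usa_off, usa_count = struct.unpack_from("<HH", raw, 4)
    usn, rec = raw[usa_off:usa_off + 2], bytearray(raw)
    for i in range(1, usa_count):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError(f"sector {i} tail != USN: torn or corrupt record")
        rec[end - 2:end] = raw[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def iter_attributes(rec):
    off = struct.unpack_from("<H", rec, 20)[0]
    while off + 24 <= len(rec):
        atype, length, nonresident = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF or length == 0:
            break
        if nonresident:                     # content is in clusters described by data runs (not parsed)
            yield atype, None
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            yield atype, rec[off + coff:off + coff + clen]
        off += length

def parse_standard_info(c):
    cr, mo, mftmo, ac, flags = struct.unpack_from("<QQQQI", c, 0)
    return {"created": from_filetime(cr), "modified": from_filetime(mo), "mft_modified": from_filetime(mftmo),
            "accessed": from_filetime(ac), "flags": decode_attr_flags(flags)}

def parse_file_name(c):
    parent, cr, mo = struct.unpack_from("<QQQ", c, 0)
    flags, nlen = struct.unpack_from("<I", c, 0x38)[0], c[0x40]
    return {"name": c[0x42:0x42 + 2 * nlen].decode("utf-16-le"), "parent_record": parent & 0xFFFFFFFFFFFF,
            "created": from_filetime(cr), "modified": from_filetime(mo), "flags": decode_attr_flags(flags)}

def parse_record(raw):
    if raw[:4] != b"FILE":                  # NTFS writes BAAD over records it found corrupt
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    flags = struct.unpack_from("<H", rec, 22)[0]
    out = {"record_number": struct.unpack_from("<I", rec, 44)[0],
           "in_use": bool(flags & 1), "is_directory": bool(flags & 2)}
    for atype, content in iter_attributes(rec):
        if atype == 0x10:
            out["standard_info"] = parse_standard_info(content)
        elif atype == 0x30:
            out["file_name"] = parse_file_name(content)
        elif atype == 0x80:
            out["data"] = content
    si, fn = out.get("standard_info"), out.get("file_name")
    # $SI times can be rewritten with SetFileTime; $FN times cannot, so $SI older than $FN is timestomping
    out["possible_timestomp"] = bool(si and fn and si["created"] < fn["created"])
    return out
```

Two details matter when this is pointed at a real $MFT: the fixup check must be done before any field past the first sector is trusted (the USN overwrites the last two bytes of every sector, so the $DATA content here deliberately straddles offset 510), and a record whose in_use flag is clear is a deleted file whose name, timestamps and resident data are still intact until NTFS reuses the record.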
What is a Registry Hive?
A registry hive is a logical group of keys, subkeys, and values in the registry whose supporting files are loaded into memory when the operating system (OS) starts, or a user logs in to a computer.
Think of it this way. When a user logs on, Windows loads that user's profile hive, the file NTUSER.DAT in the user's profile directory, under HKEY_USERS\<SID> and exposes it to that session as HKEY_CURRENT_USER; the hive file itself is created at the user's first logon, together with the profile. This "user profile hive" holds that user's application settings, desktop setup, environment, network connections, printers and most-recently-used lists.
A registry hive can narrow an investigation's scope on a system. Instead of going through every user profile hive, investigators can zoom in on the hive of the profile the suspect used, and the SID in its key name ties it to a specific account. Because hive files are locked while they are loaded, they are normally examined from a forensic image or an exported copy rather than on the live system.
What is Slack Space?
Slack space is the space between the end of a file's data and the end of the last cluster allocated to it. File systems allocate disk space in fixed-size clusters (allocation units), not byte by byte. If a volume uses 4 KB clusters, a 3 KB file occupies one cluster and leaves 1 KB of slack; a 5 KB file occupies two clusters and leaves 3 KB. Writing the file does not clear the slack (modern systems zero-pad only the rest of the last sector), so it can still hold fragments of whatever previously occupied the cluster.
Think of it this way: a guest house with four bedrooms (the volume) that sleeps four people per room (the cluster size) houses a family of six (the file size) in two rooms. The two empty beds in the second room are slack space; the two rooms left for other guests are unallocated space.
What is Unallocated Space?
Unallocated space is the portion of a drive that the file system currently has no file assigned to, so it can be used to save new files. It is also aptly known as "free space." The areas already assigned to existing files are "allocated space." Deleting a file normally removes only its file system entry and marks its clusters as unallocated; the data itself stays in place until new data overwrites it.
Unallocated space is simple enough to understand, as it is similar to the empty seats on a bus. The unoccupied seats are the drive's unallocated space, and the occupied seats are its allocated space. When a passenger gets off, the seat becomes unallocated and someone else can take it. The one place the analogy breaks is that, unlike a seat, a freed cluster keeps whatever the previous file left in it until another file overwrites it.
Free space therefore plays a vital role in cybercriminal investigations: it can still hold part or all of a deleted file that can serve as evidence. As far as possible, lawyers and investigators want any data in unallocated space recovered and preserved to support their cases.
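An added example, not from the original page, covering both the Slack Space and Unallocated Space entries. It builds a constructed volume of eight 4 KB clusters (the cluster size, the file names and every byte of content are assumed for the demo), writes and deletes a file that spans two clusters, lets a smaller new file reuse the first of them, and then shows what a logical read, the new file's slack, and the unallocated clusters each still contain.

```python
"""Slack space and unallocated space on a constructed cluster-based volume.
Added example, not from the original page; the 'volume', its files and their
contents are all made up for the demo."""
CLUSTER, CLUSTERS = 4096, 8          # assumed allocation unit and volume size

def write_file(vol, alloc, name, start, data):
    """Allocate whole clusters from `start` but write only len(data) bytes, as a real
    file system does. The tail of the last cluster is not touched: that is the slack."""
    n = -(-len(data) // CLUSTER)                      # ceil division
    vol[start * CLUSTER:start * CLUSTER + len(data)] = data
    alloc[name] = (start, n, len(data))

def delete_file(alloc, name):
    """Deleting removes only the allocation record; the clusters keep their content."""
    del alloc[name]

def read_file(vol, alloc, name):
    """What the OS shows: exactly the logical size, never the slack."""
    start, _, size = alloc[name]
    return bytes(vol[start * CLUSTER:start * CLUSTER + size])

def file_slack(vol, alloc, name):
    start, n, size = alloc[name]
    return bytes(vol[start * CLUSTER + size:(start + n) * CLUSTER])

def unallocated_clusters(vol, alloc):
    used = {c for start, n, _ in alloc.values() for c in range(start, start + n)}
    return {c: bytes(vol[c * CLUSTER:(c + 1) * CLUSTER]) for c in range(CLUSTERS) if c not in used}

def search(blob, needle):
    """Offsets of every occurrence of `needle` (a minimal keyword carve)."""
    hits, i = [], blob.find(needle)
    while i >= 0:
        hits.append(i)
        i = blob.find(needle, i + 1)
    return hits

def run_demo():
    vol, alloc = bytearray(CLUSTER * CLUSTERS), {}
    needle = b"account 4711"
    # 1. A 5457-byte file spanning clusters 1-2 is written, then deleted.
    secret = b"<<SECRET>>" + b"wire 250000 EUR to account 4711 " * 170 + b"<<END>>"
    write_file(vol, alloc, "secret.txt", 1, secret)
    delete_file(alloc, "secret.txt")
    # 2. A new 3000-byte file reuses cluster 1; only its first 3000 bytes are overwritten.
    write_file(vol, alloc, "note.txt", 1, b"Lorem ipsum " * 250)
    slack = file_slack(vol, alloc, "note.txt")
    free = unallocated_clusters(vol, alloc)
    return {
        "slack_bytes": len(slack),                                   # 4096 - 3000
        "free_clusters": sorted(free),
        "hits_in_logical_file": len(search(read_file(vol, alloc, "note.txt"), needle)),
        "hits_in_slack": len(search(slack, needle)),
        "hits_in_unallocated": len(search(b"".join(free[c] for c in sorted(free)), needle)),
        # The slack of cluster 1 runs straight into still-free cluster 2, so joining the
        # two also recovers the occurrence that straddles the cluster boundary.
        "hits_in_slack_plus_cluster2": len(search(slack + free[2], needle)),
        "footer_recovered": b"<<END>>" in free[2],
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The logical read of note.txt never shows the deleted content, the 1096 bytes of slack behind it do, and the unallocated cluster after it holds the rest, including the deleted file's trailer. Carving tools do the same thing against a bitstream image, with file headers and footers instead of a keyword.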
What is a Write Blocker?
A write blocker is a hardware device (or, less commonly, a software control) that sits between an evidence drive and the examiner's workstation and permits read-only access: read commands pass through, write commands are intercepted and discarded. Without one, merely connecting or mounting a drive can change it, because the OS updates access timestamps, writes journal entries, creates index or thumbnail files, or runs a consistency check, any of which alters the evidence and breaks the hash recorded at acquisition.
At a physical crime scene, investigators wear gloves, take photos and mark items methodically while keeping unauthorized people out of the area, all to prevent any piece of evidence from being tampered with. Digital investigators use write blockers, also called "forensic disk controllers" or forensic bridges, for the same reason.