We understand that often there is certain jargon used in the Digital Forensic industry by both Digital Forensic Providers and the court when describing forensic services or methods.
These terminologies are used regularly on a day-to-day basis, for cases big and small, commercial or private, criminal or civil. There is no margin for error, confusion or miscommunication between Digital Forensic Providers and the court. With this in mind, it comes as no surprise that those external to the industry may struggle to understand some of the terms used. That is why we have created a terminology list of frequently used terms:
Data that is still present on the physical memory and file partition of the device, and has not been deleted.
Guidelines set for computer forensics evidence by (ACPO) the Association of Chief Police Officers. The guidelines surround handling data, sharing findings and ensuring processes can be repeated. These guidelines are no longer used but are still considered best practice throughout the digital forensic industry.
This is the operating system developed by Google. It is used primarily in mobile technology, such as smartphones and tablets. Android is now the world’s most commonly used smartphone platform and is used by many different phone manufacturers.
A virtual copy taken of information which is held on a computer in case the original copy is damaged or something happens to it and as a result loses stored information.
A trial and error approach to decoding encrypted data such as passwords. This method attempts to guess the password combination by guessing every possible password combination. This starts with shorter potential passwords and then this time increases as potential combinations grow greater in length and complexity.
Browsers use caches as a form of short-term memory through the saving and storing of previously visited web pages; this is to speed up the serving of data for future similar requests. For example if visiting a web page you have previously browsed on, it will retrieve the page from the cache as opposed to the original server.
Cell Site Analysis
This is the digital forensic process of establishing a geographical location of a phone. Using the data provided by the mobile network operators, combined with radio test measurements of the cell masts, experts can produce detailed reports to give the likely positioning to within just a few metres and movements of a mobile phone.
Chain of Custody/Continuity of Evidence
Audit and “paper trail” of electronic evidence whilst in possession/custody of a DFU, commercial or any other provider. This refers back to the exhibit handling procedure, consisting of Seizure, Custody, Control, Transfer, Analysis and Dispatch of the electronic evidence.
Chip Off Analysis
This is the process of removing memory chips from the device and using forensic tools to extract the data directly from the chip. As the chip is removed from the device, this would render the device unusable, and is often used as a last resort means of data acquisition.
These are small files placed onto your device when visiting a web page in order to store information about your preferences. By accepting cookies it works to improve the browsing experience as it remembers accessibility privileges, preferences and sign in details, making the process more efficient. These can be recovered as an indicator of web activity.
Used as a standard of quality. Contemporaneous notes are an accurate record of notes that are made at the time or directly after a notable event has taken place. The accuracy is the main focus as these notes are often used as records of relevant evidence.
Securing private information sent through public networks by encrypting it in a way that makes it unreadable to everyone except the person holding the mathematical key/knowledge to decrypt the information.
The legally tested and approved restoration, collection, preservation, analysis, and presentation of computer-related evidence. This digital evidence may be used to support, or disprove, aspects of an investigation or litigation involving companies, individuals or law enforcement.
The transferral of large amounts of data from one system or location to another.
This refers to the process of restoring inaccessible data through digital forensic techniques and tools from corrupted or damaged secondary storage, removable media or files, when the data they store cannot be accessed in a normal way.
This is the opposite from encryption. Decryption is the process of taking encrypted text or other data and converting it back into text that you or the computer can read and understand.