Digital Forensics Glossary

This glossary explains common digital forensics and cyber investigation terms in clear professional language. It is designed for clients, legal teams, investigators, and business leaders who need to understand evidence handling and forensic reporting.

Anti-forensics

Anti-forensics refers to actions intended to hide, destroy, alter, or confuse digital evidence. Examples include wiping logs, changing timestamps, using encryption to obstruct review, or running privacy tools after an incident. Investigators look for both the missing evidence and the traces left by concealment attempts.

Artifacts

Artifacts are traces left behind by operating systems, applications, devices, or user activity. They may include browser history, shortcuts, logs, thumbnails, registry entries, or app databases. Forensic analysts correlate artifacts to reconstruct behavior and timelines.

Autopsy

Autopsy is an open-source digital forensics platform used to examine disk images and file systems. It helps analysts review deleted files, timelines, web activity, and installed programs. It is commonly used for triage, education, and structured forensic review.

Bit-for-bit copy

A bit-for-bit copy is an exact duplicate of source media at the binary level. It captures allocated files, deleted data remnants, slack space, and file system structures. This copy allows examination while preserving the original evidence.

Chain of custody

Chain of custody is the documented history of evidence possession, transfer, handling, and storage. It shows who accessed evidence, when it was accessed, and why. Strong chain-of-custody records help maintain trust in the evidence.

Cloud forensics

Cloud forensics examines evidence stored in cloud platforms, SaaS applications, online accounts, and hosted infrastructure. It may include logs, user access, file versions, backups, and account activity. Legal authorization and provider-specific procedures are important.

Cybercrime

Cybercrime involves unlawful activity using computers, networks, devices, or online services. Examples include fraud, unauthorized access, identity misuse, data theft, extortion, and harassment. Digital forensics helps identify evidence and reconstruct events.

Data acquisition

Data acquisition is the controlled collection of digital evidence from devices, systems, or accounts. The method may be physical, logical, cloud-based, or live depending on the source. Proper acquisition protects integrity and supports repeatable analysis.

Data recovery

Data recovery focuses on restoring lost, deleted, inaccessible, or damaged data. It may involve file system repair, deleted file recovery, damaged media handling, or backup extraction. In forensic matters, recovery must be balanced with evidence preservation.

Dead forensics

Dead forensics is analysis performed on powered-off systems or forensic images. It reduces the risk of changing volatile system state during examination. This method is common for disk, file system, and deleted data review.

Decryption

Decryption is the process of converting encrypted information back into readable data. It requires the correct key, password, certificate, or recovery material. In investigations, decryption may be necessary to review protected evidence lawfully.

Digital evidence

Digital evidence is information stored or transmitted in electronic form that may support an investigation. It can come from phones, computers, logs, cameras, emails, cloud accounts, or networks. Its reliability depends on proper preservation and documentation.

Digital signature

A digital signature is a cryptographic method used to verify the authenticity and integrity of electronic data. It can show that a document or message was produced with a particular private key and has not changed since it was signed. It is different from a scanned handwritten signature.

EnCase

EnCase is a commercial digital forensics platform used for evidence acquisition, processing, and analysis. It supports forensic images, file system review, reporting, and enterprise investigation workflows. It is widely known in professional forensic environments.

Encryption

Encryption protects data by converting it into unreadable form unless the correct key or credential is available. It is used on devices, files, messages, disks, and cloud systems. Forensic work must account for encryption before acquisition and analysis.

Expert witness

An expert witness explains technical findings to a court, tribunal, or legal audience. The role requires clear methodology, independence, and the ability to communicate complex evidence. Reports and testimony should be accurate, defensible, and within the expert's competence.

File carving

File carving recovers files by identifying file signatures and structures rather than relying only on file system records. It is useful when directory entries are missing, damaged, or deleted. Results need validation because carved files may be incomplete or fragmented.
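The signature-based recovery described above, as an added illustration that is not part of the original glossary. It scans a constructed raw byte buffer (standing in for unallocated space) for JPEG and PNG header/trailer pairs, cuts out each candidate, and flags headers with no trailer so an analyst knows the result needs validation; the signature table and sample buffer are assumptions for this example.

```python
import hashlib

# Header bytes and trailer bytes for two common formats (constructed table).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xAE\x42\x60\x82"),
}

def carve(image: bytes, max_size: int = 1_000_000) -> list:
    """Find known headers in raw bytes and cut out each candidate file.

    Each result records offset, size, whether a trailer was found and a
    SHA-256 of the carved bytes so the output can be documented and compared.
    Caveat: some JPEGs embed thumbnails with their own trailer, so a carved
    file can end early; carved output must always be validated by opening it.
    """
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(trailer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no trailer: truncated, fragmented or overwritten.
                found.append({"type": kind, "offset": pos, "size": None,
                              "complete": False, "sha256": None})
                pos = image.find(header, pos + 1)
                continue
            end += len(trailer)
            data = image[pos:end]
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "complete": True,
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(header, end)
    return sorted(found, key=lambda f: f["offset"])

# Constructed "disk image": filler, a tiny JPEG, filler, a tiny PNG, filler,
# and a JPEG header whose remainder was overwritten.
FILLER = b"\x00" * 64
FAKE_JPG = b"\xFF\xD8\xFF\xE0" + b"JFIF-body" + b"\xFF\xD9"
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"IHDR-body" + b"IEND\xAE\x42\x60\x82"
TRUNCATED_JPG = b"\xFF\xD8\xFF\xE1" + b"partial"
DISK_IMAGE = FILLER + FAKE_JPG + FILLER + FAKE_PNG + FILLER + TRUNCATED_JPG

if __name__ == "__main__":
    for item in carve(DISK_IMAGE):
        print(item)
```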

Forensic image

A forensic image is a verified copy of digital storage created for examination. It preserves original evidence while allowing analysis on a duplicate. Hash values are commonly used to confirm the copy remains unchanged.

FTK (Forensic Toolkit)

FTK is a digital forensics suite used for processing, indexing, searching, and reviewing electronic evidence. It helps analysts handle large datasets, email stores, documents, and file systems. It is often used in legal and investigative environments.

Hash value

A hash value is a fixed-length digital fingerprint calculated from data. If the data changes, the hash usually changes as well. Hashing is used to verify forensic images, compare files, and document evidence integrity.

Hex editor

A hex editor displays raw data in hexadecimal form. It allows analysts to inspect file headers, binary structures, hidden content, and damaged data. It is useful when normal applications cannot interpret the file correctly.

Incident response

Incident response is the structured process of detecting, containing, investigating, and recovering from cyber incidents. It includes technical actions and decision-making under time pressure. Forensics supports response by preserving evidence and determining scope.

Live forensics

Live forensics collects evidence from a running system. It can capture volatile data such as active processes, network connections, memory, and logged-in sessions. Care is required because interacting with a live system can change evidence.

Log analysis

Log analysis reviews records generated by systems, applications, networks, and security tools. Logs can show access, errors, suspicious activity, data movement, and administrative changes. Correlating logs across sources helps build timelines.

Malware forensics

Malware forensics studies malicious software, its behavior, persistence, communications, and impact. Analysts may examine files, memory, logs, network traffic, and affected systems. Findings help containment, attribution assessment, and recovery planning.

MD5 hash

MD5 is an older hashing algorithm that produces a 128-bit hash value. It is still seen in forensic workflows for quick identification and legacy compatibility. Because MD5 is no longer considered collision-resistant, stronger hashes are often preferred for critical verification.

Metadata

Metadata is data about data, such as timestamps, author names, GPS coordinates, camera details, or file properties. It can provide valuable context about creation, modification, access, and origin. Metadata must be interpreted carefully because applications and systems may update it automatically.

Mobile forensics

Mobile forensics examines smartphones, tablets, SIM cards, app data, messages, media, and device backups. It may use logical, file system, or physical acquisition methods depending on the device. Mobile evidence often requires special handling because encryption and app ecosystems change frequently.

Network forensics

Network forensics examines traffic, logs, flows, packet captures, and network device records. It helps identify intrusions, data exfiltration, malicious communications, and lateral movement. Findings often depend on what monitoring data was retained before the incident.

Non-volatile memory

Non-volatile memory retains data when power is removed. Examples include hard drives, SSDs, flash drives, and memory cards. It is commonly imaged and analyzed in traditional forensic examinations.

OSINT

OSINT means open-source intelligence gathered from publicly available sources. It may include websites, social platforms, domains, public records, and exposed technical data. OSINT must be collected ethically and verified before being treated as evidence.

Packet capture

Packet capture records network packets for later analysis. It can reveal protocols, endpoints, timing, payloads, and communication patterns. Encrypted traffic may hide content, but metadata can still be useful.

RAM dump

A RAM dump captures the contents of volatile memory from a running system. It can contain processes, keys, network artifacts, malware traces, and fragments of user activity. Because RAM changes constantly, timely acquisition matters.

Registry hive

A registry hive is a structured database file used by Windows to store configuration and user activity information. It can reveal installed software, device connections, user preferences, and system history. Registry analysis is a common part of Windows forensics.

SHA-256

SHA-256 is a cryptographic hash algorithm that produces a 256-bit value. It is widely used to verify integrity and identify files with high confidence. Forensic reports often include SHA-256 values for evidence images and important files.
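Hash verification of a forensic image as the hash value, forensic image, MD5 and SHA-256 entries describe it, as an added example that is not part of the original glossary. It hashes an image in chunks (so a multi-gigabyte file never has to fit in memory), records MD5 and SHA-256 together, and later re-verifies the copy against the recorded values; the sample image bytes are constructed for illustration.

```python
import hashlib
import hmac
import io

def hash_image(stream, algorithms=("md5", "sha256"), chunk_size=1024 * 1024) -> dict:
    """Read a file-like object in chunks and return hex digests per algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def verify_image(stream, recorded: dict) -> dict:
    """Re-hash a copy and compare with values recorded at acquisition.

    Returns one boolean per algorithm plus an overall verdict; any single
    mismatch means the copy can no longer be treated as the verified image.
    compare_digest is used so comparisons do not depend on digest content.
    """
    current = hash_image(stream, tuple(recorded))
    results = {name: hmac.compare_digest(current[name], recorded[name].lower())
               for name in recorded}
    results["verified"] = all(results.values())
    return results

# Constructed stand-in for a small acquired image.
SAMPLE_IMAGE = b"\x55\xAA" * 500 + b"EVIDENCE-SECTOR" * 40

if __name__ == "__main__":
    acquisition_record = hash_image(io.BytesIO(SAMPLE_IMAGE))
    print("recorded at acquisition:", acquisition_record)
    print("later check:", verify_image(io.BytesIO(SAMPLE_IMAGE), acquisition_record))
```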

Slack space

Slack space is unused space within allocated disk clusters. It can contain remnants of older data that no longer belongs to the current file. Analysts may examine slack space when looking for deleted or hidden evidence fragments.

Steganography

Steganography hides information inside another file or communication, such as an image, audio file, or document. The goal is to conceal the existence of the message. Forensic detection may involve statistical analysis, file structure review, and comparison with known originals.

Timeline analysis

Timeline analysis arranges events by time across files, logs, artifacts, and user activity. It helps show sequence, correlation, and gaps in activity. Strong timelines are especially useful in incident response and legal reporting.
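A small worked timeline merge, added here as an example that is not part of the original glossary. It normalizes constructed records from three sources with different timestamp conventions (a local-time event log, a UTC web server log and a file modification time in epoch seconds) into UTC, sorts them, and flags gaps above a threshold; the site time zone and all records are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Assumed time zone of the machine that wrote naive local timestamps.
LOCAL_TZ = timezone(timedelta(hours=1))

# Constructed records: (source, raw timestamp, description, timestamp kind).
RAW_EVENTS = [
    ("winlog", "2024-03-05 09:02:10", "Logon user alice", "local"),
    ("weblog", "05/Mar/2024:08:01:55 +0000", "GET /admin", "utc"),
    ("fs", 1709625780, "mtime report.xlsx", "epoch"),
    ("winlog", "2024-03-05 11:40:00", "Event log cleared", "local"),
]

def to_utc(value, kind) -> datetime:
    """Convert one raw timestamp into an aware UTC datetime."""
    if kind == "local":
        naive = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
        return naive.replace(tzinfo=LOCAL_TZ).astimezone(timezone.utc)
    if kind == "utc":
        return datetime.strptime(value, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    if kind == "epoch":
        return datetime.fromtimestamp(value, tz=timezone.utc)
    raise ValueError(f"unknown timestamp kind: {kind}")

def build_timeline(raw) -> list:
    """Return (utc_time, source, description) tuples in chronological order."""
    return sorted((to_utc(value, kind), source, desc) for source, value, desc, kind in raw)

def find_gaps(timeline, threshold=timedelta(hours=1)) -> list:
    """Return (start, end) pairs where consecutive events are further apart than threshold.

    Gaps are not evidence by themselves, but they mark where logs may be
    missing, retention ran out, or activity should be sought in other sources.
    """
    gaps = []
    for (t1, *_), (t2, *_) in zip(timeline, timeline[1:]):
        if t2 - t1 > threshold:
            gaps.append((t1, t2))
    return gaps

if __name__ == "__main__":
    tl = build_timeline(RAW_EVENTS)
    for when, source, desc in tl:
        print(when.isoformat(), source, desc)
    print("gaps:", find_gaps(tl))
```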

Volatile memory

Volatile memory loses its content when power is removed. RAM is the most common example and may contain active processes, encryption keys, and network sessions. It must be captured during live response if it is relevant.

Write blocker

A write blocker is hardware or software that prevents changes to source media during acquisition. It helps preserve original evidence while allowing read access. Use of write blockers is a standard evidence-protection practice in many disk investigations.