Glossary
Purpose. A keyboard-side reference defining the working vocabulary of Data Recovery and Digital Forensics — storage hardware, file systems, recovery techniques, forensic artifacts, tooling, and the legal framework — with each term tied back to the chapter that owns it.
Terms are listed alphabetically. Each entry follows the form Term — definition (Ch. N), where the chapter number points to where the concept is introduced or defined (a concept is defined in its owner chapter and used in later ones). Where a term spans disciplines, the primary owner is listed first. Cross-references inside a definition use italic pointers to other glossary entries; a few link directly to the owning chapter by relative path. Symbols and numeric terms are collected at the end.
For the deepest treatment of any term, follow it to its chapter; for fast lookups of signatures, commands, file-system structures, artifact paths, and legal authorities, follow the pointers to the dedicated appendices.
How the chapter references map
Every (Ch. N) tag below resolves through this table. Chapter titles link by relative path; the Owns (selected terms) column shows where each concept is anchored.
| Ch. | Chapter | Owns (selected terms) |
|---|---|---|
| 1 | Two Disciplines, One Technical Foundation | data recovery, digital forensics, Locard's principle |
| 2 | How Data Is Stored | bit, byte, hex, sector, cluster, slack space, "deleted = pointer" |
| 3 | Storage Technology | HDD, SSD, NAND, FTL, wear leveling, RAID, NAS/SAN, SMART |
| 4 | File Systems | NTFS, MFT, inode, FAT/exFAT, APFS, MBR, GPT, ADS |
| 5 | The Forensic Process | forensic soundness, write blocker, image, hash, chain of custody |
| 6 | Logical Recovery | logical recovery, partition recovery, data runs |
| 7 | File Carving | file carving, file signature, header/footer, PhotoRec |
| 8 | Hard Drive Recovery | clean room, head swap, PCB, service area, ddrescue |
| 9 | SSD and Flash Recovery | TRIM, garbage collection, over-provisioning limits |
| 10 | RAID Recovery | RAID levels, parity, stripe, RAID reconstruction |
| 11 | Mobile Device Recovery | chip-off, JTAG/ISP, eMMC/UFS, BGA |
| 12 | Ransomware Recovery | ransomware, decryptor, Volume Shadow Copy, 3-2-1 backup |
| 13 | The Data Recovery Business | SLA, no-data-no-fee, evidence handling for clients |
| 14 | Forensic Acquisition | imaging, E01, HPA/DCO, verification hash |
| 15 | Live Response and Triage | order of volatility, RAM capture, KAPE, Faraday bag |
| 16 | Windows Forensics | registry, Prefetch, AmCache, LNK, $Recycle.Bin, USBSTOR |
| 17 | macOS and Linux Forensics | plist, unified log, FSEvents, journald, bash history |
| 18 | Browser and Internet Forensics | browser history, cache, cookies, SQLite, WebKit time |
| 19 | Email, Chat, and Social Media Forensics | email header, Received, PST/OST, MBOX, SPF/DKIM |
| 20 | Photo, Video, and Document Forensics | EXIF, geotag, thumbnail, ELA, hash set, NSRL |
| 21 | Timeline Analysis | MACB, FILETIME, super-timeline, plaso, timestomping |
| 22 | Memory Forensics | memory dump, Volatility, pslist/psscan, malfind |
| 23 | Network Forensics | PCAP, NetFlow, C2, IOC, deep packet inspection |
| 24 | Mobile Device Forensics | logical/physical extraction, Cellebrite, BFU/AFU, checkm8 |
| 25 | The Legal Framework | 4th/5th Amdt, warrant, Daubert/Frye, FRCP, ESI, spoliation |
| 26 | The Forensic Report | report, findings, reproducibility, examiner notes |
| 27 | Expert Testimony | expert witness, voir dire, direct/cross examination |
| 28 | Ethics | mandatory reporting, NCMEC, cognitive bias, secondary trauma |
| 29 | Encrypted Device Forensics | FDE, BitLocker, FileVault, LUKS, VeraCrypt, TPM, AES |
| 30 | Anti-Forensics | secure deletion, wiping, steganography, log clearing |
| 31 | Cloud Forensics | SaaS/IaaS, API acquisition, CLOUD Act, MLAT, preservation |
| 32 | Malware Forensics | static/dynamic analysis, sandbox, YARA, persistence, rootkit |
| 33 | Cryptocurrency Investigation | blockchain, wallet, UTXO, mixer, exchange/KYC |
| 34 | IoT, Vehicle, and Embedded Forensics | IoT, EDR (event data recorder), firmware, drone |
| 35 | AI-Assisted Forensics and Deepfakes | deepfake, PRNU, generative-AI artifacts |
| 36 | The Forensic Toolkit | Autopsy/TSK, FTK, EnCase, X-Ways, dual-tool verification |
| 37 | Building a Forensic Lab | ISO 17025, NIST CFTT, validation, SWGDE |
| 38 | The Capstone Investigation | end-to-end case file |
| 39 | Certifications | EnCE, GCFE, GCFA, GNFA, CCE, CFCE, CHFI |
| 40 | The Career | career paths, professional practice |
Companion appendices for fast lookup: Appendix A — File Signatures, Appendix C — Tool Reference, Appendix D — Artifact Locations, Appendix E — Legal Frameworks, Appendix G — File System Reference, and Appendix H — Command-Line Reference.
A
Acquisition — The process of creating a forensic copy of evidence from a source device, the first technical step of every investigation. Done correctly it is forensically sound: nothing on the source is altered, and the copy is verified by hash. See also forensic image, write blocker (Ch. 14; introduced Ch. 5).
Actuator arm — The pivoting mechanical assembly in a hard disk drive that positions the read/write heads over the correct track on the spinning platter. Failure of the actuator or its voice-coil motor is a common mechanical fault requiring clean-room repair (Ch. 3; Ch. 8).
Advanced Format — A hard-drive sector standard using 4,096-byte physical sectors instead of the legacy 512-byte sector. Drives that emulate 512-byte logical sectors over 4 KB physical sectors are 512e; drives exposing native 4 KB sectors are 4Kn. Misaligned partitions on Advanced Format media degrade performance and complicate offset math. See also sector (Ch. 2; Ch. 3).
AES (Advanced Encryption Standard) — The symmetric block cipher (128/192/256-bit keys) underlying nearly all modern full-disk and file encryption, including BitLocker, FileVault, LUKS, and VeraCrypt. Without the key, AES-protected data is effectively unrecoverable by brute force. See also encryption (Ch. 29).
AFF4 (Advanced Forensic Format 4) — An open, extensible forensic image container supporting very large evidence sets, sparse and remote sources, and rich metadata. An alternative to E01 and raw images (Ch. 14).
Allocation unit — See cluster (Ch. 2; Ch. 4).
Alternate Data Stream (ADS) — An NTFS feature allowing a file to carry additional named data streams beyond its main $DATA stream, written as filename:streamname. Legitimately used for the Zone.Identifier Mark-of-the-Web, ADS is also abused to hide data because the hidden stream does not appear in a normal directory listing. See also anti-forensics (Ch. 4; Ch. 30).
AmCache — A Windows registry hive (C:\Windows\AppCompat\Programs\Amcache.hve) recording program execution and installation, including each executable's full path, size, and SHA-1 hash — invaluable for proving a specific binary ran, even after deletion (Ch. 16).
Anti-forensics — Techniques intended to defeat, mislead, or complicate forensic analysis: secure deletion, timestomping, log clearing, steganography, and encryption. This book treats anti-forensics from the standpoint of detection, not evasion: nearly every technique leaves its own artifact (Ch. 30).
API acquisition — Collecting cloud evidence through a provider's application programming interface (e.g., Microsoft Graph, Google Workspace APIs) rather than by imaging physical media, because the underlying storage is inaccessible and multi-tenant. See also cloud forensics (Ch. 31).
APFS (Apple File System) — Apple's default file system since 2017 (macOS, iOS), featuring copy-on-write metadata, native snapshots, container/volume design, strong encryption, and nanosecond timestamps. Replaced HFS+ (Ch. 4).
AppCompatCache — See ShimCache (Ch. 16).
ASCII (American Standard Code for Information Interchange) — A 7-bit character encoding mapping the numbers 0–127 to letters, digits, and control characters; the right-hand column of a hex dump renders bytes as ASCII where printable. The basis for recognizing text and signatures in raw data (Ch. 2).
Attribute (NTFS) — A typed component of an NTFS MFT record. Key attributes include $STANDARD_INFORMATION`, `$FILE_NAME, and $DATA. Small attributes are resident (stored inside the MFT record); larger ones are non-resident, described by data runs pointing to clusters (Ch. 4).
Authentication (legal) — The evidentiary requirement (U.S. Federal Rule of Evidence 901; self-authentication under 902(14) via hash) to show that evidence is what its proponent claims. Hashing and chain of custody are how digital evidence is authenticated. See also best evidence rule (Ch. 25).
Autopsy — The open-source graphical front end to The Sleuth Kit (TSK); a full-featured, free forensic platform for disk analysis, keyword search, timeline, and artifact parsing (Ch. 36; Ch. 5).
B
Backup (3-2-1 rule) — The recovery doctrine of keeping 3 copies of data on 2 different media with 1 copy off-site (or offline/immutable). The single most reliable defense against ransomware and hardware failure — and the lesson the ransomware anchor case drives home (Ch. 12).
Bad sector / bad block — A region of media that can no longer reliably store data. Drives remap known-bad sectors to spares (see reallocated sector); a rising bad-sector count is an early failure warning visible via SMART (Ch. 3; Ch. 8).
Best evidence rule — The U.S. evidentiary principle (FRE 1001–1004) that an original is preferred, but an accurate duplicate — such as a verified forensic image — is admissible to the same extent. This is why imaging does not weaken a case (Ch. 25).
BFU / AFU (Before First Unlock / After First Unlock) — The two key-availability states of a modern smartphone. BFU (powered on but never unlocked since boot) leaves most user data encrypted and inaccessible; AFU (unlocked at least once) keeps many decryption keys in memory, enabling far richer extraction. Acquisition strategy hinges on which state the device is in (Ch. 24).
Binary — The base-2 number system of two states (0/1); the only thing any storage device physically holds. See also bit, hexadecimal (Ch. 2).
BitLocker — Microsoft's full-disk encryption for Windows, typically sealed to a TPM and optionally a PIN or USB key, with a 48-digit numeric recovery key. Acquisition usually requires the recovery key, a captured key from memory, or a logged-in (decrypted) live system (Ch. 29).
Bit — A binary digit, the smallest unit of information: a single 0 or 1. Eight bits make a byte (Ch. 2).
Block (Linux/storage) — In Unix file systems, the basic allocation unit (equivalent to a cluster); in flash, an erase unit composed of many pages. Context determines the meaning (Ch. 4; Ch. 3).
Blockchain — A distributed, append-only, cryptographically chained public ledger of transactions underpinning cryptocurrencies. Because most chains are public and permanent, they are a powerful — and permanent — source of financial evidence. See also UTXO, mixer (Ch. 33).
Bodyfile — An intermediate, pipe-delimited text format (produced by The Sleuth Kit's fls/ils) listing file metadata and MAC times; converted by mactime into a chronological timeline. See also super-timeline (Ch. 21).
Boot sector — The first sector of a partition (the Volume Boot Record), containing file-system parameters and bootstrap code; on the whole disk, the first sector is the MBR. A frequent target of partition-recovery work (Ch. 4).
B-tree — A balanced tree data structure used by file systems (NTFS directory indexes, APFS, HFS+, ext4 HTree) to store and look up file names and metadata efficiently (Ch. 4).
Brute force / dictionary attack — Recovering a passphrase by trying many candidates: brute force tries all combinations; a dictionary attack tries likely words and known-leaked passwords. Feasibility depends entirely on password strength and key-derivation cost. See also encryption (Ch. 29).
Byte — Eight bits, holding one of 256 values (0–255), written as two hex digits. The fundamental unit of storage: file sizes, offsets, and sectors are all measured in bytes (Ch. 2).
Byte offset — The position of a byte measured from the start of a file or device, often computed as sector number × sector size. The bridge between logical structures and physical locations; always label its base (hex vs. decimal) (Ch. 2).
C
Cache (browser) — Locally stored copies of web content (images, pages, scripts) kept to speed up browsing; a rich forensic source showing what a user actually viewed and when, even after history is cleared (Ch. 18).
Carving — See file carving (Ch. 7).
Cellebrite / UFED — A market-leading commercial mobile-forensics platform (Universal Forensic Extraction Device) for logical, file-system, and physical extraction from phones and tablets, plus decoding of app data (Ch. 24; Ch. 36).
Chain of custody — The documented, unbroken record of who handled a piece of evidence, when, why, and what they did to it, from seizure to courtroom. Combined with hashing, it is how you move from "I found this" to "I can prove this is unaltered." Breaks in the chain can render evidence inadmissible. See also Appendix F (templates) (Ch. 5).
checkm8 — A permanent (unpatchable) bootrom exploit affecting Apple devices with A5–A11 chips, enabling forensic access below the operating system on those older models. An example of how hardware-level flaws shape acquisition options (Ch. 24).
Chip-off — A destructive physical-extraction technique: the NAND flash memory chip is desoldered from the device's board and read directly in a programmer. A last resort used when the device is damaged or otherwise inaccessible. See also JTAG, ISP, BGA (Ch. 11; Ch. 24).
CLOUD Act (2018) — U.S. legislation (Clarifying Lawful Overseas Use of Data Act) allowing compelled production of data held by U.S. providers regardless of where it is physically stored, and establishing executive agreements with other nations. Central to cross-border cloud forensics. See also MLAT (Ch. 31; Ch. 25).
Clean room — A controlled, particle-filtered environment (e.g., ISO Class 5 / Class 100) required to open a hard drive and perform invasive repairs such as a head swap without contaminating the platters (Ch. 8).
Clock skew — The difference between a device's recorded time and true time, from a wrong time-zone, an un-synced clock, or drift. Must be measured and corrected before merging sources into a timeline (Ch. 21).
Cluster — The smallest unit of disk space a file system will allocate to a file, made of one or more sectors (commonly 4,096 bytes = eight 512-byte sectors). Because files rarely fill their last cluster exactly, slack space results. Also called an allocation unit or block (Ch. 2; Ch. 4).
Command and control (C2) — The infrastructure and channels an attacker uses to direct compromised hosts. Identifying C2 traffic and IOCs is central to network and malware forensics (Ch. 23; Ch. 32).
Consent (search) — A legal basis for searching a device without a warrant, valid only if voluntary and within the scope granted by someone with authority. Scope and revocation matter enormously in practice (Ch. 25).
Contiguous file — A file stored in one unbroken run of clusters. Contiguous files carve cleanly header-to-footer; fragmentation is what makes carving hard. See also file carving (Ch. 7).
Cookie — A small data item a website stores in the browser to track sessions and preferences; forensically, evidence of site visits, account use, and timing (Ch. 18).
Cryptocurrency — Digital assets (Bitcoin, Ethereum, and others) recorded on a blockchain and controlled by private keys. Frequently encountered in fraud, ransomware, and dark-market investigations (Ch. 33).
CSAM (child sexual abuse material) — Illegal imagery of the sexual abuse of minors. This book addresses it only clinically — procedure, law (mandatory reporting), and examiner well-being — and never describes content. Discovery triggers immediate scope and reporting duties. See also NCMEC, 18 U.S.C. §2258A (Ch. 28).
D
Data carving — See file carving (Ch. 7).
Data recovery — The discipline (and business) of retrieving data that has been deleted, lost to formatting or corruption, or stranded on failing or damaged media. Its priority is restoration; it shares techniques with forensics but optimizes for getting the data back, not for admissibility (Ch. 1; Ch. 13).
Data remanence — The residual physical representation of data that persists after deletion or even after a nominal erase — the phenomenon that makes recovery possible and motivates secure deletion. See also "deleted ≠ destroyed" (Ch. 2; Ch. 30).
Data run (cluster run) — In NTFS, the compact encoding inside a non-resident $DATA attribute that lists the starting cluster and length of each fragment of a file. Reconstructing data runs is the core of NTFS logical recovery (Ch. 4; Ch. 6).
Daubert standard — The U.S. federal test (from Daubert v. Merrell Dow, 1993; FRE 702) under which a judge acts as gatekeeper for expert testimony, weighing testability, peer review, known error rate, standards, and general acceptance. The reason your methods must be validated and documented. See also Frye standard (Ch. 25; Ch. 27).
dc3dd / dcfldd — Forensically enhanced versions of the Unix dd imaging tool that add on-the-fly hashing, progress, error handling, and logging — purpose-built for acquisition. See also Appendix H (Ch. 14).
dd — The classic Unix utility that copies data block-by-block; the simplest way to make a raw bit-stream image. Powerful but unforgiving (a reversed if=/of= can destroy evidence) (Ch. 14).
ddrescue (GNU ddrescue) — An imaging tool designed for failing media: it reads the easy areas first, retries bad regions, and logs a mapfile so imaging can resume — the recovery engineer's workhorse for unstable drives (Ch. 8).
Decryptor — A tool that reverses a specific ransomware family's encryption, sometimes released after a key leak or law-enforcement takedown; the best-case (and often unavailable) ransomware outcome. See also ransomware (Ch. 12).
Deep packet inspection (DPI) — Examination of packet payloads (not just headers) to identify applications, extract files, and detect malicious content in captured network traffic. See also PCAP (Ch. 23).
"Deleted ≠ destroyed" — The foundational principle of both disciplines: deleting a file removes the pointer (the directory/MFT entry and allocation flag), not the file's data, which persists in unallocated space until overwritten. See also slack space, data remanence (Ch. 2).
Device Configuration Overlay (DCO) — A hidden, vendor-settable area that can shrink the apparent capacity of an ATA drive, concealing sectors from the OS. Like the HPA, it must be detected and removed at acquisition so no data is missed (Ch. 14).
Digital forensics — The application of investigative and analytical techniques to identify, preserve, analyze, and present digital evidence in a legally admissible manner. Its priority is provable accuracy, not speed (Ch. 1).
DKIM (DomainKeys Identified Mail) — An email-authentication method using a cryptographic signature in the headers to verify a message's domain and integrity; with SPF and DMARC, central to assessing whether an email is spoofed (Ch. 19).
DLL injection — A technique (legitimate and malicious) of forcing a process to load a library into its address space; in memory forensics, injected or hidden code is hunted with tools like Volatility's malfind. See also malware forensics (Ch. 22; Ch. 32).
DoD 5220.22-M — A historically cited multi-pass disk-wiping pattern. Modern guidance (NIST SP 800-88) notes a single overwrite suffices for magnetic media, and that flash requires cryptographic erase. See also secure deletion, Gutmann method (Ch. 30).
Drive slack — See slack space (Ch. 2).
Dual-tool verification — The professional practice of confirming a significant finding with a second, independent tool, so a conclusion never rests on one program's correctness. A Daubert-friendly habit (Ch. 36; Ch. 28).
E
E01 (EnCase Evidence File / Expert Witness Format) — The most common forensic image container: it stores the bit-stream copy with embedded metadata, per-block CRCs, and stored MD5/SHA hashes, and supports compression and splitting. See also AFF4, raw image (Ch. 14).
eDiscovery (electronic discovery) — The legal process of identifying, preserving, collecting, and producing ESI in litigation, governed in U.S. federal court by the FRCP. See also litigation hold, spoliation (Ch. 25).
EDR (event data recorder) — A vehicle's "black box," which records pre-crash parameters (speed, braking, seatbelt status); a key data source in vehicle forensics. Note: in incident-response contexts, "EDR" instead means endpoint detection and response — a security agent that logs and blocks host activity (Ch. 34; IR sense Ch. 15/32).
Email header — The metadata block preceding a message body, containing From, To, Subject, Date, Message-ID, and the chain of Received lines that trace the message's path. Often the most truthful part of an email. See also X-Originating-IP (Ch. 19).
eMMC / UFS — Embedded flash storage standards in phones and embedded devices: eMMC (embedded MultiMediaCard) is older and slower; UFS (Universal Flash Storage) is newer and faster. Their packaging dictates chip-off and ISP feasibility (Ch. 11; Ch. 24).
EnCase — A long-established commercial forensic suite (OpenText) for imaging and analysis; origin of the E01 format and the EnCE certification (Ch. 36; Ch. 39).
Encryption — The transformation of data into ciphertext using a key, so that without the key it is unreadable. The single greatest honest limit on both recovery and forensics: strong, properly implemented encryption without the key is unbreakable. See also AES, full-disk encryption (Ch. 29).
Endianness — The byte order in which multi-byte values are stored. Little-endian (least-significant byte first; x86, most file systems) and big-endian (most-significant first; network order). Getting it wrong corrupts every parsed timestamp and offset (Ch. 2).
ESI (electronically stored information) — The FRCP term for any information created or stored electronically that is discoverable in litigation — documents, email, databases, metadata, logs. See also eDiscovery (Ch. 25).
Error Level Analysis (ELA) — An image-forensics technique that re-saves a JPEG and compares compression error across regions to flag inconsistent (possibly edited) areas. Suggestive, not conclusive. See also PRNU, deepfake (Ch. 20; Ch. 35).
Event log (.evtx) — Windows's binary logging format (C:\Windows\System32\winevt\Logs\), recording security, system, and application events with FILETIME stamps — a backbone of Windows timelines and intrusion analysis (Ch. 16).
EXIF (Exchangeable Image File Format) — Metadata embedded in photos (and many videos): camera make/model, settings, date-taken, and often GPS coordinates. A frequently decisive artifact — and one anti-forensics tries to strip. See also geotag (Ch. 20).
Exclusionary rule — The U.S. doctrine that evidence obtained through an unconstitutional search or seizure is generally inadmissible; its extension, fruit of the poisonous tree, excludes evidence derived from the illegal act. Why lawful authority precedes every acquisition (Ch. 25).
exFAT — Microsoft's lightweight file system for flash media and large removable drives; like FAT it lacks journaling, but supports large files and stores timestamps with a UTC-offset field (Ch. 4).
ext4 (fourth extended file system) — The common Linux file system, organized around inodes and block groups, with journaling and nanosecond timestamps (including crtime). Deletion zeroes block pointers, complicating recovery relative to older ext versions (Ch. 4).
Expert witness — A witness qualified by knowledge, skill, or experience to offer opinion testimony (FRE 702). The examiner's courtroom role; admissibility is gated by Daubert/Frye and credibility is tested in voir dire and cross-examination (Ch. 27).
F
Faraday bag — A radio-frequency shielding enclosure that isolates a seized phone from cellular, Wi-Fi, and Bluetooth signals to prevent remote wiping or alteration before acquisition (Ch. 15; Ch. 24).
FAT (File Allocation Table) — A simple, durable file-system family (FAT12/16/32) built around a table mapping cluster chains; still ubiquitous on small and removable media. Stores times in local time at coarse (2-second) resolution. See also exFAT (Ch. 4).
File carving — Recovering files by recognizing their content — signatures, structure, and footers — directly from raw data, without relying on file-system metadata. The primary recovery method when the file system is gone or the file's entry was overwritten. See also PhotoRec, header/footer (Ch. 7).
File signature (magic number) — A short, fixed byte sequence at (usually) the start of a file that identifies its type regardless of extension — e.g., JPEG FF D8 FF, PNG 89 50 4E 47, PDF 25 50 44 46 (%PDF), ZIP/Office 50 4B 03 04. The anchor of file carving and type verification. Full table in Appendix A (Ch. 7).
File slack — See slack space (Ch. 2).
File system — The on-disk structure and rules that organize raw storage into named files and directories, tracking which clusters belong to which file and what is free. What "deleted" means depends entirely on the file system. See also NTFS, ext4, APFS, FAT (Ch. 4).
FileVault — Apple's full-disk encryption for macOS (XTS-AES), tied to user credentials and a recovery key, and on modern Macs to the Secure Enclave. See also full-disk encryption (Ch. 29).
FILETIME — The Windows timestamp: a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, used throughout NTFS, the registry, .evtx, and LNK files. Convert to Unix seconds by subtracting 116,444,736,000,000,000 and dividing by 10,000,000. See also Unix time (Ch. 21; Ch. 16).
Findings — The conclusions an examiner draws from the evidence, stated in the forensic report with the supporting basis and appropriate qualification. "The evidence is insufficient to reach a conclusion" is itself a valid finding (Ch. 26).
Firmware — Low-level software embedded in a device's hardware (drive controllers, phones, IoT, vehicles). On hard drives the service area holds firmware; firmware corruption is a recoverable failure mode, and firmware images are key evidence in embedded forensics (Ch. 34; Ch. 8).
Flash Translation Layer (FTL) — The controller logic in SSDs and flash media that maps logical block addresses the OS sees to ever-changing physical NAND locations, implementing wear leveling, garbage collection, and TRIM. The FTL is why an SSD's logical-to-physical mapping is opaque and recovery is unpredictable (Ch. 3; Ch. 9).
Footer (trailer) — A fixed byte sequence marking the end of a file type (e.g., JPEG FF D9), used with the header to bound a carve. Not all formats have one. See also file carving (Ch. 7).
Forensic image — A complete, verified, bit-for-bit copy of source media (also forensic duplicate), stored as raw/dd, E01, or AFF4. You analyze the image, never the original — protecting evidence integrity for forensics and the irreplaceable original for recovery. See also hash, write blocker (Ch. 5; Ch. 14).
Forensic soundness — The property that an acquisition and analysis altered nothing on the evidence (or that any unavoidable change is documented and explained), and that results are reproducible. The bedrock requirement for admissibility (Ch. 5).
Fourth Amendment — The U.S. constitutional protection against unreasonable searches and seizures; the source of the warrant requirement and its exceptions (consent, plain view, exigency). Defines the lawful authority to search a device (Ch. 25).
FRCP (Federal Rules of Civil Procedure) — The rules governing U.S. civil litigation, including eDiscovery obligations and the Rule 37(e) framework for sanctions over spoliation of ESI (Ch. 25).
FRE (Federal Rules of Evidence) — The rules governing admissibility in U.S. federal court; key ones for examiners are 702 (expert testimony / Daubert), 901 and 902(14) (authentication, including by hash), and 1001–1004 (best evidence) (Ch. 25).
Fragmentation — The condition in which a file's clusters are scattered across non-adjacent locations. It is the central obstacle to file carving, which assumes (or must reconstruct) contiguity (Ch. 7).
Fruit of the poisonous tree — The doctrine extending the exclusionary rule to evidence derived from an initial illegal search or seizure (Ch. 25).
Frye standard — The older "general acceptance" test for scientific evidence (Frye v. United States, 1923), still used in some U.S. states instead of Daubert (Ch. 25; Ch. 27).
Full-disk encryption (FDE) — Encryption of an entire volume or drive so that all data is ciphertext at rest until unlocked. BitLocker, FileVault, LUKS, and VeraCrypt are the major examples; FDE reshapes acquisition strategy toward live capture and key recovery (Ch. 29).
G
Garbage collection — The SSD background process that consolidates valid data and erases blocks marked free (often via TRIM) so they are ready to write. Combined with TRIM, it can permanently destroy deleted data within seconds — minutes, making SSD recovery time-critical (Ch. 9).
GDPR (General Data Protection Regulation) — The EU's comprehensive data-protection law, governing the lawful processing, transfer, and minimization of personal data — a constant constraint in cross-border investigations and cloud forensics (Ch. 25; Ch. 31).
Geotag — Geographic coordinates embedded in media metadata (chiefly EXIF GPSLatitude/GPSLongitude), placing a photo or video at a specific location and time. Frequently pivotal — and easy to overlook (Ch. 20).
GPT (GUID Partition Table) — The modern partitioning scheme that replaced the MBR: it supports drives larger than 2 TB and many partitions, uses GUIDs, and keeps a backup table at the end of the disk plus a protective MBR. See also partition table (Ch. 4).
GrayKey — A commercial law-enforcement device (Grayshift) for accessing and extracting data from locked iOS (and some Android) phones. See also mobile device forensics (Ch. 24).
Gutmann method — A 35-pass overwrite scheme designed for obsolete drive encodings; effectively overkill on modern media but still cited in wiping discussions. See also secure deletion (Ch. 30).
H
Hard disk drive (HDD) — A storage device that records data magnetically on rotating platters read by flying heads on an actuator arm. Mechanical, with characteristic failure modes (head crash, motor seizure, bad sectors) and, crucially, recoverable deleted data because there is no TRIM (Ch. 3).
Hash (cryptographic hash) — A fixed-length fingerprint computed from data such that any change yields a different value and the input cannot be derived from it. Hashing proves a forensic image matches its source and that evidence is unaltered. See also MD5, SHA-256, hash verification (Ch. 5).
Hash collision — Two different inputs producing the same hash. Practical collisions exist for MD5 and SHA-1, which is why SHA-256 is preferred for forensic integrity, though MD5/SHA-1 remain useful for de-duplication and known-file matching (Ch. 5).
Hash set — A collection of known file hashes used to filter evidence: known-good sets (e.g., NIST's NSRL) exclude standard OS/application files to reduce review volume; known-bad sets flag contraband or malware. See also PhotoDNA (Ch. 20).
Hash verification — Re-computing a hash after acquisition (and again before analysis) and comparing it to the original to confirm the image is a faithful, unaltered copy. The mechanical proof behind chain of custody (Ch. 5; Ch. 14).
Header — A fixed byte sequence marking the start of a file type (the file signature); the primary anchor of file carving (Ch. 7).
Head crash — A catastrophic HDD failure in which a read/write head contacts the platter surface, scoring it and destroying data in the affected tracks. Often requires clean-room work and is sometimes unrecoverable (Ch. 8; Ch. 3).
Head swap — A clean-room procedure replacing a hard drive's failed head assembly with one from a matching donor drive to read the original platters. Highly specialized and risky (Ch. 8).
Hearsay — An out-of-court statement offered for its truth, generally inadmissible; machine-generated records often qualify under the business-records exception, which matters when admitting logs (Ch. 25).
Hexadecimal (hex) — Base-16 notation (0–9, A–F) in which one digit equals one nibble and two digits equal one byte; the working language of low-level data examination and hex dumps (Ch. 2).
Hibernation file (hiberfil.sys) — A Windows file holding a compressed image of RAM written at hibernation; a valuable source of memory forensics evidence recoverable from disk. See also pagefile (Ch. 16; Ch. 22).
HFS+ (Hierarchical File System Plus) — Apple's legacy macOS file system (pre-APFS), using catalog and extents B-trees and a 1904 epoch for some timestamps (Ch. 4).
Host Protected Area (HPA) — A reserved, hidden area at the end of an ATA drive, invisible to the OS, sometimes used to conceal data. Must be detected and removed at acquisition. See also DCO (Ch. 14).
Hot spare — A standby disk in a RAID array that automatically replaces a failed member and rebuilds, reducing exposure to a second failure. See also RAID (Ch. 10).
I
icat — A Sleuth Kit command that extracts the content of a file by its metadata address (inode or MFT number), including deleted files still referenced by metadata. See also fls, mmls (Ch. 36; Ch. 6).
Imaging — See acquisition, forensic image (Ch. 14).
IMEI (International Mobile Equipment Identity) — A unique identifier for a mobile device, used to identify the handset (distinct from the SIM/subscriber). Key for device attribution. See also SIM (Ch. 24).
Incident response (IR) — The discipline of detecting, containing, investigating, and remediating security incidents, often under time pressure and on live systems. One of the four learning paths in this book (🛡️). See also live response, order of volatility (Ch. 15).
Indicator of Compromise (IOC) — An observable artifact suggesting an intrusion — a malicious hash, IP, domain, file path, registry key, or behavior — used to detect and scope incidents and to hunt across systems. See also YARA, C2 (Ch. 23; Ch. 32).
Inode (index node) — In Unix-family file systems, the metadata record for a file (permissions, owner, size, timestamps, and pointers to data blocks) — but not the file's name, which lives in the directory entry. The Linux analogue of an NTFS MFT record. See also ext4 (Ch. 4).
ISP (In-System Programming) — A mobile-extraction technique that reads the flash chip directly via its test/communication pads while still on the board, avoiding the desoldering of chip-off. See also JTAG (Ch. 11; Ch. 24).
ISO/IEC 17025 — The international standard for the competence of testing and calibration laboratories; the accreditation many forensic labs pursue to demonstrate quality and validated methods. See also NIST CFTT, SWGDE (Ch. 37).
J
JBOD (Just a Bunch Of Disks) — A non-RAID configuration that presents drives individually or spanned/concatenated, with no striping or redundancy. See also RAID (Ch. 10).
Journaling — A file-system feature that logs pending metadata (and sometimes data) changes before committing them, so the file system can recover consistency after a crash. NTFS (`$LogFile`), ext4, APFS, and HFS+ journal; FAT/exFAT do not. The journal and NTFS *$UsnJrnl* are also forensic goldmines (Ch. 4).
JTAG (Joint Test Action Group) — A hardware debug interface used in mobile/embedded forensics to read a device's memory through its test access port; more invasive than ISP, less than chip-off (Ch. 11; Ch. 24).
Jump List — Windows artifacts (AutomaticDestinations/CustomDestinations) recording recently and frequently used files per application — strong evidence of file access and user activity (Ch. 16).
K
KAPE (Kroll Artifact Parser and Extractor) — A widely used triage tool that rapidly collects and parses high-value forensic artifacts from a live or mounted Windows system using modular targets and modules. See also triage (Ch. 15).
Keychain — Apple's encrypted credential store (macOS/iOS) holding passwords, keys, and certificates; a high-value target whose accessibility depends on device state and unlock. See also Secure Enclave (Ch. 24).
Known file filtering — Using a hash set to exclude known-good files (or surface known-bad ones) and shrink the review set. See also NSRL (Ch. 20).
KYC (Know Your Customer) — Identity-verification requirements imposed on regulated cryptocurrency exchanges; the point where a pseudonymous blockchain address can be tied to a real person via subpoena. See also exchange (Ch. 33).
L
LBA (Logical Block Addressing) — The modern scheme that addresses every sector on a drive by a single sequential number, replacing geometric CHS addressing. The number examiners use to locate data. See also sector, byte offset (Ch. 2).
Legal hold — See litigation hold (Ch. 25).
Litigation hold (legal hold) — A directive to preserve all potentially relevant ESI once litigation is reasonably anticipated; failing to issue or honor it can lead to spoliation sanctions. See also eDiscovery (Ch. 25).
Live response — Collecting evidence from a running system — RAM, network connections, running processes, logged-in users — that would be lost on shutdown. Necessarily alters the system, so it is documented and follows the order of volatility. See also triage (Ch. 15).
LNK file — A Windows shortcut that records its target's full path, size, MAC times, and the source volume's serial number — proving a file existed and was accessed even from removable or now-absent media (Ch. 16).
Locard's exchange principle — The forensic-science axiom that every contact leaves a trace; the conceptual root of this book's theme that every action leaves a trace, and the absence of a trace is itself a trace (Ch. 1; Ch. 5).
Log clearing — An anti-forensic technique of deleting or truncating logs to hide activity; detectable by the resulting gaps, event ID 1102 (security log cleared), and corroborating artifacts. See also anti-forensics (Ch. 30).
Logical extraction — A mobile-acquisition level that pulls data through the device's normal interfaces/backup APIs — fast but limited to what the OS exposes (no deleted data). Contrast file-system and physical extraction (Ch. 24).
Logical recovery — Recovering data from intact media whose file system is damaged, formatted, or has deleted entries — by repairing structures and re-reading metadata — as opposed to physical recovery of failed hardware. See also data run, partition recovery (Ch. 6).
log2timeline / plaso — The standard open-source engine for building a super-timeline: log2timeline ingests hundreds of artifact types into a plaso storage file, and psort filters and outputs it. See also timeline analysis (Ch. 21).
LOLBins (living-off-the-land binaries) — Legitimate, signed system tools (PowerShell, certutil, rundll32, WMI) abused by attackers to avoid dropping detectable malware — a key focus of modern malware and intrusion analysis (Ch. 32).
LUKS (Linux Unified Key Setup) — The standard full-disk encryption format on Linux (dm-crypt), with a header holding key slots derived from passphrases. Without a passphrase or key, the volume is unrecoverable. See also full-disk encryption (Ch. 29).
LVM (Logical Volume Manager) — A Linux abstraction layer that pools physical volumes into logical volumes that can span disks and be resized/snapshotted; examiners must reassemble LVM metadata to see the file systems inside (Ch. 17).
M
MACB (Modified, Accessed, Changed, Born) — The four canonical file timestamps: Modified (content), Accessed, Changed (metadata; on NTFS the MFT-entry change), and Born (creation). NTFS keeps two MACB sets — in $STANDARD_INFORMATION* (user-forgeable) and *$FILE_NAME (kernel-set, truthful) — and the disagreement between them exposes timestomping. See also timeline analysis (Ch. 21).
Magic number — See file signature (Ch. 7).
malfind — A Volatility plugin that locates hidden or injected code in process memory by scanning for suspicious memory regions (e.g., executable + writable private pages with no backing file). See also DLL injection (Ch. 22).
Malware forensics — The post-incident analysis of malicious software to determine what it did, how it persisted, and what it touched — via static and dynamic analysis. Framed defensively: analysis, not weaponization. See also sandbox, YARA (Ch. 32).
Mandatory reporting — The legal duty to report certain discoveries, most importantly suspected CSAM. Under 18 U.S.C. §2258A, electronic service providers must report apparent CSAM to NCMEC; examiners must understand their own reporting obligations and stop, preserve, and escalate on discovery. See also ethics (Ch. 28).
Mark-of-the-Web (MOTW) — The Zone.Identifier ADS Windows attaches to files downloaded from the internet, recording their origin zone (and sometimes URL) — useful provenance evidence (Ch. 16; Ch. 30).
Master Boot Record (MBR) — The legacy first sector (512 bytes) of a disk, holding bootstrap code and a four-entry partition table, ending in the signature 0x55AA at offset 510. Limited to 2 TB; superseded by GPT. See also boot sector (Ch. 4).
Master File Table (MFT) — The central NTFS metadata file: one ~1,024-byte record per file/directory, holding attributes including timestamps and either resident data or data runs. Deleted files often remain as MFT records flagged unallocated — the heart of NTFS logical recovery. See also attribute (Ch. 4; Ch. 6).
MBOX / EML / MSG — Common email storage formats: MBOX concatenates messages in one file (Unix, Thunderbird); EML is a single RFC 822 message; MSG is Outlook's single-message format. See also PST/OST (Ch. 19).
MD5 (Message Digest 5) — A 128-bit hash rendered as 32 hex characters. Cryptographically broken (collisions are practical) but still widely used for evidence integrity and known-file matching alongside a stronger hash. See also SHA-256, hash collision (Ch. 5).
Memory dump — A captured image of a system's volatile RAM (raw, crash dump, or from hiberfil.sys), the input to memory forensics. Contains processes, network state, injected code, and sometimes encryption keys and plaintext. See also Volatility (Ch. 22).
Memory forensics — Analysis of captured RAM to reveal running and hidden processes, network connections, injected code, command history, and keys that never touch disk. Often the only place to catch fileless malware. See also Volatility, order of volatility (Ch. 22).
Metadata — Data about data: file timestamps, sizes, owners, and embedded document/photo properties (author, GPS, camera). Frequently more probative than file content, and a prime anti-forensics target. See also EXIF, MACB (Ch. 20; Ch. 5).
Mixer (tumbler) — A service that pools and shuffles cryptocurrency to obscure the link between source and destination addresses; a money-laundering technique that blockchain analysis aims to defeat. See also blockchain (Ch. 33).
MLAT (Mutual Legal Assistance Treaty) — A treaty mechanism for one country to request evidence from another; historically slow, which is part of why the CLOUD Act was enacted. See also cloud forensics (Ch. 31; Ch. 25).
mmls — A Sleuth Kit command that displays the partition layout of a disk image (partition tables, slots, and gaps), the starting point for analyzing an acquired image. See also fls, icat (Ch. 36).
Mobile device forensics — The acquisition and analysis of smartphones and tablets, complicated by encryption, lock states (BFU/AFU), proprietary formats, and rich app data in SQLite. See also Cellebrite, chip-off (Ch. 24; recovery in Ch. 11).
N
NAND flash — Non-volatile memory storing bits as trapped charge in cells, the basis of SSDs, phones, and memory cards. Read/written in pages, erased in larger blocks, and worn by program/erase cycles. See also FTL, SLC/MLC/TLC/QLC (Ch. 3).
NAS (Network-Attached Storage) — A file-serving storage appliance on a network, often containing a RAID array and a Linux-based file system; a common recovery and evidence source. See also SAN, RAID (Ch. 3).
NCMEC (National Center for Missing & Exploited Children) — The U.S. nonprofit that operates the CyberTipline, the legally designated recipient of CSAM reports under 18 U.S.C. §2258A. See also mandatory reporting (Ch. 28).
NetFlow — A network-metadata record (source/destination, ports, bytes, timing) summarizing flows without full packet payloads — efficient for spotting C2 beaconing and exfiltration at scale. See also PCAP (Ch. 23).
Nibble — Four bits, equal to one hex digit (16 possible values); two nibbles make a byte (Ch. 2).
NIST CFTT (Computer Forensics Tool Testing) — A NIST program that publishes specifications and test results for forensic tools (imagers, write blockers, carvers), supporting tool validation and Daubert defensibility. See also validation, SWGDE (Ch. 37; Ch. 36).
Non-resident attribute — An NTFS attribute (typically $DATA) too large to fit in the MFT record, stored instead in external clusters described by data runs. Contrast resident attribute (Ch. 4).
NSRL (National Software Reference Library) — NIST's published hash set of known software files, used to filter out standard OS/application files from review. See also hash set (Ch. 20).
NTFS (New Technology File System) — The default Windows file system, built around the MFT, with journaling (`$LogFile`, *$UsnJrnl), security descriptors, ADS, and dual MACB timestamp sets. The most analyzed file system in this book. See also* MFT, $STANDARD_INFORMATION (Ch. 4).
NTUSER.DAT — The per-user Windows registry hive (in each profile folder) holding user-specific artifacts such as UserAssist, ShellBags, and recent-document lists. See also registry hive (Ch. 16).
O
Order of volatility — The sequence for collecting evidence from most to least perishable: CPU/registers and cache → RAM → network state → running processes → disk → archival/backup media. The rule governing live response so that fleeting data is captured first (Ch. 15).
OST — See PST/OST (Ch. 19).
Over-provisioning — Spare NAND capacity an SSD reserves (beyond the advertised size) for wear leveling and garbage collection. It holds copies of data outside the logical address space — occasionally a recovery angle, but controller-dependent and unreliable (Ch. 3; Ch. 9).
P
PCAP (packet capture) — A captured set of network packets (the .pcap/.pcapng format) produced by tcpdump/Wireshark; the raw material of network forensics, from which sessions and even transferred files can be reconstructed. See also deep packet inspection (Ch. 23).
Page (flash) — The smallest unit a NAND block can be written/read (commonly 4–16 KB). Pages can be written but not individually erased — erasure happens a whole block at a time, the root of garbage collection. See also NAND flash (Ch. 3).
Pagefile (pagefile.sys) — Windows virtual-memory backing on disk; it can contain fragments of process memory — strings, keys, document remnants — making it a useful disk-resident source of otherwise volatile data. See also hibernation file (Ch. 16; Ch. 22).
Parity — Redundancy data (computed by XOR) in RAID 5/6 that allows a missing block to be rebuilt from the surviving members. RAID 5 has single parity (survives one disk loss); RAID 6 has dual parity (survives two). The math behind RAID reconstruction (Ch. 10).
Partition — A defined region of a disk treated as an independent unit, described in the MBR or GPT partition table and usually holding one file system (one volume) (Ch. 4).
Partition recovery — Rebuilding or relocating lost/corrupted partition entries (e.g., with TestDisk) so a volume becomes accessible again; a core logical recovery technique. See also TestDisk (Ch. 6).
Partition table — The on-disk structure listing a disk's partitions and their boundaries — the four-entry table in the MBR or the GUID entries in GPT. Damage here makes volumes "disappear" while data remains intact (Ch. 4).
Persistence mechanism — How malware survives reboot: run keys, scheduled tasks, services, startup folders, WMI subscriptions, and more. Enumerating persistence is central to malware forensics and incident scoping (Ch. 32).
PhotoDNA — A Microsoft-developed perceptual hash technology that matches known CSAM images even after resizing or minor edits, used by providers and NCMEC. Referenced clinically as a detection/triage tool. See also hash set (Ch. 20; Ch. 28).
PhotoRec — A widely used open-source file-carving tool (companion to TestDisk) that recovers files by signature from images and damaged media independent of the file system. See also foremost, scalpel (Ch. 7).
Physical extraction — A mobile-acquisition level that captures a bit-for-bit image of the device's flash (including unallocated/deleted data) — the most complete and most difficult level, often blocked by encryption. Contrast logical/file-system extraction (Ch. 24).
Plain view doctrine — The rule that incriminating items an officer lawfully positioned can see may be seized without a separate warrant; its application to digital searches is contested and scope-sensitive. See also scope (Ch. 25).
plaso — See log2timeline / plaso (Ch. 21).
Platter — The rigid magnetic disk inside an HDD on which data is stored; drives stack several, read by flying heads. Physical platter damage (a head crash) is among the hardest faults to recover (Ch. 3; Ch. 8).
plist (property list) — Apple's structured configuration/metadata format (XML or binary) pervasive in macOS/iOS; a primary artifact source for settings, accounts, and app state. See also unified log (Ch. 17).
Prefetch — Windows execution artifacts (C:\Windows\Prefetch\*.pf) that record an application's name, run count, the last several run times, and files it loaded — direct evidence that a program executed and when, even after deletion (Ch. 16).
PRNU (Photo-Response Non-Uniformity) — The unique sensor-noise fingerprint of a specific camera, usable to tie an image to a device or to detect manipulation — a deeper image-forensics technique. See also ELA, deepfake (Ch. 20; Ch. 35).
Private key — The secret that controls a cryptocurrency address (or unlocks asymmetric encryption); whoever holds it controls the funds. Recovering or seizing keys (often via a seed phrase) is decisive in crypto investigations (Ch. 33; Ch. 29).
Program/erase (P/E) cycle — One write-then-erase of a flash block; NAND endures a finite number (hundreds to tens of thousands depending on SLC/MLC/TLC/QLC) before wearing out, which wear leveling spreads evenly (Ch. 3).
Provenance — The documented origin and history of a piece of evidence, established by chain of custody, hashing, and acquisition records. See also authentication (Ch. 5).
PST / OST — Microsoft Outlook mail stores: PST (Personal Storage Table) is an exportable archive; OST (Offline Storage Table) is a synced cache of a server mailbox. Both are major email-forensics containers. See also MBOX (Ch. 19).
Q
QLC (Quad-Level Cell) — See SLC/MLC/TLC/QLC (Ch. 3).
Quick format vs. full format — A quick format rewrites only the file-system structures, leaving most user data intact and recoverable; a full format also reads/zeroes the data area (and on SSDs may issue TRIM), often making recovery impossible. The distinction decides whether the wedding-photos case is recoverable. See also logical recovery (Ch. 6).
R
RAID (Redundant Array of Independent Disks) — Combining multiple disks for performance, capacity, and/or redundancy. Recovery requires determining the array's parameters (level, disk order, stripe size, parity rotation, start offset) and reconstructing the virtual volume. See also parity, JBOD (Ch. 10; Ch. 3).
RAID levels — Common layouts: RAID 0 stripes for speed/capacity with no redundancy (any disk loss = total loss); RAID 1 mirrors; RAID 5 stripes with single distributed parity (survives one failure); RAID 6 adds dual parity (survives two); RAID 10 mirrors then stripes. (See the quick-reference table below.) (Ch. 10).
RAM (Random Access Memory) — Fast volatile working memory cleared on power loss; the subject of memory forensics and the highest priority in the order of volatility. See also memory dump (Ch. 22; Ch. 15).
RAM slack — See slack space (Ch. 2).
Ransomware — Malware that encrypts (or steals and threatens to leak) a victim's data and demands payment. Recovery without a current backup is partial at best — shadow copies (often deleted by the malware), unencrypted slack, and stale backups — driving the prevention lesson home. See also decryptor, Volume Shadow Copy (Ch. 12).
Raw image (dd image) — A forensic image that is a plain, uncompressed, byte-for-byte copy of the source with no embedded metadata (often .dd/.raw/.img, sometimes split). Universally readable; contrast E01. See also forensic image (Ch. 14).
Read/write head — The tiny transducer that magnetically reads and writes data on an HDD platter, flying microns above the surface on an air bearing. See also head crash, head swap (Ch. 3; Ch. 8).
Reallocated sector — A bad sector the drive has remapped to a spare from its reserve (tracked in the G-list; factory defects in the P-list). A growing reallocated count signals imminent failure. See also SMART (Ch. 8).
Recovery key — A backup credential (e.g., BitLocker's 48-digit key, a FileVault recovery key) that unlocks an encrypted volume without the user's password; obtaining it is often the path into encrypted evidence. See also full-disk encryption (Ch. 29).
Received header — The chronological trail of Received: lines added by each mail server an email passes through (read bottom-up); the most reliable evidence of an email's true path and origin. See also email header (Ch. 19).
Registry (Windows Registry) — Windows's hierarchical configuration database, stored in hives, that records system and user settings and an enormous range of forensic artifacts (devices, programs, recent files, network history). See also registry hive (Ch. 16).
Registry hive — A file holding part of the registry: system hives SYSTEM, SOFTWARE, SAM, SECURITY (in C:\Windows\System32\config\) and the per-user NTUSER.DAT/USRCLASS.DAT. Each key carries a FILETIME last-write time useful in timelines (Ch. 16).
Reproducibility — The requirement that another competent examiner, given the same evidence and your documented method, can reach the same result. The scientific backbone of the forensic report and Daubert admissibility (Ch. 26; Ch. 5).
Resident attribute — An NTFS attribute small enough to be stored inside its MFT record (small files' data, names, standard info). Contrast non-resident attribute (Ch. 4).
Rootkit — Malware that hides its presence by subverting the OS (hooking, driver-level concealment), often invisible to the live system but exposed by memory forensics and offline disk analysis. See also malfind (Ch. 32; Ch. 22).
S
SAN (Storage Area Network) — A high-speed network presenting block-level storage to servers as if locally attached; acquisition usually targets the logical volumes (LUNs) rather than raw disks. See also NAS, RAID (Ch. 3).
Sandbox — An isolated, instrumented environment for dynamic analysis, where suspected malware is detonated to observe its behavior (files, registry, network) without risking real systems. See also malware forensics (Ch. 32).
scalpel / foremost — Open-source file-carving tools driven by a configurable signature database (headers/footers). Fast and scriptable; weaker on fragmentation than structure-aware carvers. See also PhotoRec (Ch. 7).
Scope — The lawful and practical boundaries of a search — what a warrant or consent authorizes you to examine. Staying within scope (and recognizing when you have exceeded it) is both a legal and an ethical duty, especially on inadvertent discovery. See also plain view (Ch. 25; Ch. 28).
Secondary trauma — The psychological harm examiners can suffer from repeated exposure to disturbing material (especially CSAM cases); managing it is a professional and ethical responsibility, not a weakness. See also ethics (Ch. 28).
Sector — The smallest physically addressable unit of a disk, classically 512 bytes (4,096 on Advanced Format). Sectors are grouped into clusters by the file system; byte offset = sector × sector size. See also LBA (Ch. 2).
Secure deletion (wiping) — Deliberately overwriting data (or cryptographically erasing the key) so it cannot be recovered — the legitimate counterpart and the anti-forensic abuse. Effective wiping defeats recovery; on flash, cryptographic erase is the reliable method. See also data remanence, Gutmann method (Ch. 30).
Secure Enclave — A dedicated security coprocessor in Apple devices that manages encryption keys and biometrics in isolation from the main OS, making key extraction infeasible without exploiting it. See also BFU/AFU, checkm8 (Ch. 24; Ch. 29).
Seed phrase (mnemonic / recovery phrase) — A human-readable list of 12–24 words that deterministically regenerates a crypto wallet's private keys; finding one (on paper, in a note, in a screenshot) hands an investigator the wallet. See also wallet (Ch. 33).
Service area — The reserved, firmware-controlled region of a hard drive (outside the user area) holding the drive's microcode, adaptive parameters, and defect lists (P-list/G-list). Corruption here bricks a healthy drive; specialists repair it to regain access (Ch. 8).
SHA-1 (Secure Hash Algorithm 1) — A 160-bit hash (40 hex characters). Collision-broken (2017) and deprecated for integrity, but still seen in legacy tools and used by AmCache. See also hash collision (Ch. 5).
SHA-256 — A 256-bit hash from the SHA-2 family (64 hex characters), the current standard for forensic integrity because no practical collisions exist. The recommended verification hash for images and exhibits. See also hash verification (Ch. 5).
ShellBags — Registry artifacts (in USRCLASS.DAT/NTUSER.DAT) recording folders a user has browsed in Explorer — including folders on removable or now-deleted media — evidencing knowledge and access (Ch. 16).
ShimCache (AppCompatCache) — A Windows compatibility cache in the SYSTEM hive listing executables the system encountered, with paths and (on some versions) timestamps — evidence of presence (not necessarily execution). See also AmCache (Ch. 16).
SIM (Subscriber Identity Module) — The card identifying a mobile subscriber to the carrier (storing the IMSI, some contacts/SMS); distinct from the handset's IMEI. A small but useful evidence source (Ch. 24).
Slack space — Unused bytes between the logical end of a file and the end of its last allocated cluster; RAM/file slack is the gap to the sector end (historically padded with memory contents), drive slack the remaining sectors of the cluster. Slack can preserve fragments of previously deleted files — a classic recovery and evidence source. See also "deleted ≠ destroyed" (Ch. 2).
SLC / MLC / TLC / QLC — NAND cell densities storing 1, 2, 3, or 4 bits per cell. More bits per cell means cheaper and denser but slower, less durable (fewer P/E cycles), and harder to read reliably. See also NAND flash (Ch. 3).
Sleuth Kit, The (TSK) — The open-source command-line forensic library/toolset (mmls, fls, icat, fsstat, blkls, mactime) underlying Autopsy and much else. See also bodyfile (Ch. 36).
SMART (Self-Monitoring, Analysis and Reporting Technology) — A drive's built-in health-reporting system exposing attributes (reallocated sectors, pending sectors, read-error and spin-retry counts, temperature) that warn of impending failure — read it before you stress a sick drive. See also reallocated sector (Ch. 3; Ch. 8).
SPF (Sender Policy Framework) — A DNS-based email-authentication mechanism declaring which servers may send for a domain; with DKIM and DMARC, used to judge whether a message is forged (Ch. 19).
Spoliation — The destruction, alteration, or failure to preserve relevant evidence; in litigation it can trigger sanctions (FRCP 37(e)) up to an adverse-inference instruction. The legal teeth behind the litigation hold. See also eDiscovery (Ch. 25).
SQLite — A self-contained, file-based database used pervasively by browsers, phones, and apps (history, messages, contacts). A central skill is parsing SQLite — including recovering deleted rows from freelist pages and write-ahead logs. See also browser history (Ch. 18; Ch. 24).
$STANDARD_INFORMATION ($SI) — The NTFS attribute holding the file's commonly displayed MACB timestamps and flags. Because the API lets user-space alter it, it is the target of timestomping; corroborate against $FILE_NAME. See also MACB (Ch. 4; Ch. 21).
Static vs. dynamic analysis — The two halves of malware forensics: static examines a sample without running it (strings, headers, disassembly, YARA); dynamic runs it in a sandbox to observe behavior. Used together (Ch. 32).
Steganography — Concealing data inside an innocuous carrier (image, audio, document) so its very existence is hidden — an anti-forensic and data-exfiltration technique detectable by statistical and tool-based analysis. See also anti-forensics (Ch. 30; Ch. 20).
Stripe — A set of blocks written across the members of a striped RAID array; the stripe size (block per disk) and the rotation of data/parity are parameters you must recover to rebuild the array. See also RAID levels (Ch. 10).
Subpoena — A legal demand to produce records or testimony; for stored communications, the level of process required (subpoena vs. court order vs. warrant) depends on the data and the SCA/ECPA. See also CLOUD Act (Ch. 25; Ch. 31).
Super-timeline — A single chronological list merging every dated event from every source (file system, registry, logs, browser, email, metadata), normalized to one time standard (UTC). The synthesis that turns isolated artifacts into a provable sequence. See also MACB, plaso (Ch. 21).
SWGDE (Scientific Working Group on Digital Evidence) — A body that publishes best-practice and standards documents for digital and multimedia evidence, widely cited in lab procedure and validation. See also NIST CFTT (Ch. 37; Ch. 28).
T
TestDisk — An open-source tool for partition recovery and boot-sector repair (companion to PhotoRec); rebuilds or restores lost partition tables to make volumes accessible again (Ch. 6).
Thumbnail / thumbcache — Cached small previews of images. Windows stores them in thumbcache_*.db; the resulting previews can persist after the originals are deleted, proving an image once existed. See also metadata (Ch. 20; Ch. 16).
Timeline analysis — The discipline of reconstructing events by collecting, normalizing, and ordering timestamps from many sources into a super-timeline, then reading it as a narrative — the analytical heart of an investigation. See also MACB, clock skew (Ch. 21).
Timestamp — A recorded point in time stored as a number plus a convention (epoch + resolution). Interpreting one requires knowing its format — FILETIME, Unix time, WebKit, PRTime, DOS — and its time zone. See also timeline analysis (Ch. 21).
Timestomping — An anti-forensic technique of falsifying file timestamps (commonly the $SI* MACB) to hide when activity occurred. Detectable because the kernel-set *$FILE_NAME times, $UsnJrnl, and sub-second precision usually betray the manipulation — the move that exposes the IP-theft anchor case. See also MACB (Ch. 21; Ch. 30).
TPM (Trusted Platform Module) — A hardware chip that securely stores keys and measures boot integrity; BitLocker commonly seals its key to the TPM, so the volume auto-unlocks on trusted boot but resists offline attack. See also BitLocker (Ch. 29).
Triage — Rapid, prioritized examination to find the most relevant evidence quickly and decide what to fully acquire — essential when devices are many and time is short. See also KAPE, live response (Ch. 15).
TRIM — An ATA/NVMe command by which the OS tells an SSD which blocks are no longer in use, so the controller can erase them in advance via garbage collection. TRIM is the single biggest reason deleted data on SSDs is often unrecoverable — frequently within seconds. See also FTL, wear leveling (Ch. 9).
U
UFS — See eMMC / UFS (Ch. 11; Ch. 24).
Unallocated space — Clusters the file system currently marks as free — including those holding deleted files not yet overwritten. The primary hunting ground for file carving and deleted-data recovery. See also "deleted ≠ destroyed", slack space (Ch. 2; Ch. 6).
Unicode (UTF-8 / UTF-16) — Character-encoding standards covering the world's scripts. UTF-8 is the web/Linux default (ASCII-compatible); UTF-16LE is common in Windows internals (filenames, registry). Recognizing the encoding is essential to reading strings correctly. See also ASCII (Ch. 2).
Unified log — Apple's consolidated, high-volume system logging (macOS 10.12+, iOS), stored in a binary .tracev3 format and queried with log; a major macOS timeline source. See also FSEvents (Ch. 17).
Unix time (POSIX time / epoch time) — A timestamp counting seconds since 1970-01-01 00:00:00 UTC, used by Linux file systems, syslog, and many apps (often extended to nanoseconds). The other epoch you will convert constantly. See also FILETIME (Ch. 21).
USBSTOR / USB device history — Registry keys (SYSTEM\CurrentControlSet\Enum\USBSTOR and related) recording USB storage devices ever connected — vendor/model, serial, and first/last connection times. Pivotal in IP-theft and exfiltration cases. See also registry (Ch. 16).
UserAssist — NTUSER.DAT keys logging GUI program launches per user with run counts and last-run times, obfuscated with ROT13. Evidence that a user (interactively) ran a program. See also Prefetch (Ch. 16).
$UsnJrnl (USN change journal)** — The NTFS Update Sequence Number journal (`$Extend\$UsnJrnl:$J`) recording every file/directory change with a reason code and timestamp; a high-resolution record of activity that survives even when files are deleted. See also journaling, timestomping (Ch. 16; Ch. 21).
UTXO (Unspent Transaction Output) — In Bitcoin-style chains, an amount received but not yet spent; the accounting model that blockchain analysis follows to trace funds across addresses. See also blockchain (Ch. 33).
V
Validation (tool validation) — Formally testing that a forensic tool produces correct, reproducible results for its intended use, documented so findings withstand Daubert. Supported by NIST CFTT and SWGDE. See also dual-tool verification (Ch. 37; Ch. 36).
VeraCrypt / TrueCrypt — Open-source on-the-fly encryption creating encrypted volumes and supporting deniable hidden volumes. VeraCrypt is the maintained successor to the discontinued TrueCrypt. See also full-disk encryption, hidden volume (Ch. 29).
Verification hash — The hash recomputed and matched after acquisition to prove the forensic image equals the source; the proof step of forensic soundness. See also hash verification (Ch. 14; Ch. 5).
Volatile data — Evidence that exists only while a system is powered (RAM contents, running processes, open connections, encryption keys in memory) and is lost on shutdown — hence captured first per the order of volatility. See also live response (Ch. 15; Ch. 22).
Volatility — The leading open-source memory forensics framework, with plugins to list processes (pslist/psscan), connections, loaded modules, and injected code (malfind); v2 uses profiles, v3 uses symbol tables. See also memory dump (Ch. 22).
Volume — A single accessible storage area presented to the OS, usually one file system on one partition (though LVM/RAID can span disks). See also partition (Ch. 4).
Volume Boot Record (VBR) — The first sector of a partition, holding file-system parameters (BPB) and boot code — distinct from the disk-level MBR. See also boot sector (Ch. 4).
Volume Shadow Copy (VSS) — Windows's snapshot service creating point-in-time copies of volumes; shadow copies can yield earlier versions of files (and deleted files) — a prime recovery source, which is exactly why ransomware tries to delete them. See also ransomware (Ch. 16; Ch. 12).
voir dire — The questioning by which a court (and opposing counsel) tests an expert's qualifications before opinion testimony is allowed; the gateway to being accepted as an expert witness. See also Daubert (Ch. 27).
W
Wallet — Software or hardware that stores the private keys/seed phrase controlling cryptocurrency; "recovering the wallet" means recovering the keys, not coins on a disk. Wallet files and seed backups are key evidence. See also blockchain (Ch. 33).
Warrant (search warrant) — A judicially authorized order, based on probable cause and particular as to place and items, permitting a search/seizure; the default lawful basis for examining a device absent consent or an exception. See also Fourth Amendment, scope (Ch. 25).
Wear leveling — The SSD/flash controller strategy of distributing writes evenly across NAND so no block wears out prematurely. A side effect is that logical data moves physically, scattering remnants and frustrating predictable recovery. See also FTL (Ch. 3; Ch. 9).
WebKit time — The Chrome/Chromium/Safari timestamp: microseconds since 1601-01-01 UTC (a FILETIME-like epoch at microsecond resolution), seen in browser history databases. Contrast Firefox PRTime (microseconds since 1970). See also timestamp (Ch. 18; Ch. 21).
Wiping — See secure deletion (Ch. 30).
Wireshark — The leading graphical network-protocol analyzer for inspecting PCAP captures — dissecting protocols, following streams, and extracting transferred files. Pairs with the CLI tcpdump. See also deep packet inspection (Ch. 23).
Word / DWORD / QWORD — Multi-byte groupings whose width depends on architecture/context: in the Windows world a WORD is 16 bits, a DWORD 32 bits (as in the registry's REG_DWORD), and a QWORD 64 bits. See also byte, endianness (Ch. 2).
Working copy — The verified duplicate of a forensic image that you actually analyze, so the master image (and the original) stay untouched. See also forensic image (Ch. 5).
Write blocker — A hardware device or trusted software that permits reads from evidence media but blocks all writes, guaranteeing the source is not altered during acquisition. The physical embodiment of "the original is sacred." See also forensic soundness (Ch. 5; Ch. 14).
X
X-Originating-IP — A non-standard email header sometimes added by webmail/clients recording the sender's apparent IP address; corroborate against the Received chain rather than trusting it alone. See also email header (Ch. 19).
X-Ways Forensics — A commercial, highly efficient disk-forensics suite favored for its speed and low-level control; a common alternative to EnCase/FTK. See also forensic toolkit (Ch. 36).
xxd — A Unix command-line hex dump utility (offset / hex bytes / ASCII columns); the quickest way to inspect raw bytes and confirm a file signature. See also hexadecimal (Ch. 2; Ch. 36).
Y
YARA — A pattern-matching engine and rule language for identifying and classifying files (especially malware) by textual and binary signatures; the standard way to encode and share IOCs. See also malware forensics (Ch. 32).
Z
Zone.Identifier — See Mark-of-the-Web (Ch. 16; Ch. 30).
Symbols and numbers
3-2-1 rule — See backup (Ch. 12).
4Kn / 512e — See Advanced Format (Ch. 2; Ch. 3).
18 U.S.C. §2258A — The U.S. statute requiring electronic service providers to report apparent CSAM to NCMEC's CyberTipline; the legal anchor of an examiner's mandatory reporting awareness. See also ethics (Ch. 28).
$DATA — The NTFS attribute holding a file's actual content — resident in the MFT record if small, otherwise non-resident and described by data runs. See also MFT (Ch. 4).
$FILE_NAME ($FN) — The NTFS attribute holding the file's name and a second MACB timestamp set written by the kernel and not exposed to normal user APIs — therefore the truthful set used to detect timestomping against $STANDARD_INFORMATION. See also MACB (Ch. 4; Ch. 21).
$LogFile — The NTFS transaction journal used for crash recovery; also a forensic record of recent metadata operations. See also journaling (Ch. 4; Ch. 21).
$MFT — The metadata file that is the Master File Table. See also MFT (Ch. 4).
**$Recycle.Bin** — The NTFS Recycle Bin folder; each deleted item is split into a **`$I** file (metadata: original path, deletion time, size) and a **$R`** file (the content). Reading `$I/$R` recovers deleted files and proves when/where they were deleted (Ch. 16).
0x (prefix) — The near-universal notation marking a number as hexadecimal (e.g., 0x4D = 77). See also hexadecimal (Ch. 2).
0x55AA — The two-byte boot signature ending a valid MBR (at offset 510–511); its presence/absence is a first check in partition diagnosis. See also MBR (Ch. 4).
Quick-reference tables
These compress the most-consulted facts behind the entries above. For exhaustive listings, follow the appendix links.
Timestamp epochs and resolutions
| Format | Epoch (zero point) | Unit | Where you meet it |
|---|---|---|---|
| FILETIME | 1601-01-01 UTC | 100 ns | NTFS, registry, .evtx, LNK |
| Unix / POSIX | 1970-01-01 UTC | 1 s (often ns) | ext4/APFS, syslog, journald, many DBs |
| WebKit | 1601-01-01 UTC | 1 µs | Chrome/Chromium/Safari history |
| PRTime (Firefox) | 1970-01-01 UTC | 1 µs | Firefox places.sqlite |
| DOS (FAT) | local time, no zone | 2 s (write) | FAT/exFAT removable media |
| HFS+ | 1904-01-01 | 1 s | legacy macOS |
Bridge constant: FILETIME of the Unix epoch =
116,444,736,000,000,000. Convert FILETIME → Unix seconds:(filetime − 116444736000000000) / 10,000,000. (Ch. 21.)
Hash algorithms at a glance
| Algorithm | Bits | Hex length | Forensic status |
|---|---|---|---|
| MD5 | 128 | 32 | Broken (collisions); still used for integrity/known-file matching |
| SHA-1 | 160 | 40 | Broken (2017); deprecated; seen in AmCache |
| SHA-256 | 256 | 64 | Current standard for evidence integrity |
(Ch. 5.)
RAID levels
| Level | Layout | Redundancy | Survives |
|---|---|---|---|
| 0 | Striping | None | 0 disks (any loss = total loss) |
| 1 | Mirroring | Full copy | 1 disk |
| 5 | Striping + single distributed parity | Parity | 1 disk |
| 6 | Striping + dual distributed parity | Double parity | 2 disks |
| 10 | Mirror, then stripe | Mirror pairs | 1 per mirror pair |
(Ch. 10.)
Common file signatures (headers)
FF D8 FF JPEG image (footer FF D9)
89 50 4E 47 0D 0A 1A 0A PNG image (.PNG....)
25 50 44 46 PDF document (%PDF)
50 4B 03 04 ZIP / DOCX/XLSX/PPTX / JAR / APK
D0 CF 11 E0 A1 B1 1A E1 Legacy MS Office (.doc/.xls/.ppt)
47 49 46 38 GIF image (GIF8)
49 44 33 / FF FB MP3 audio (ID3 tag / frame sync)
52 49 46 46 .... 41 56 49 20 AVI video (RIFF....AVI )
Full headers and footers for carving are in Appendix A — File Signatures Reference. (Ch. 7.)
See also: Appendix C — Tool Reference · Appendix D — Forensic Artifact Locations · Appendix E — Legal Frameworks Reference · Appendix G — File System Reference · Appendix H — Command-Line Reference. For the worked solutions referenced throughout the chapters, see Answers to Selected Exercises.