Glossary

851 terms from Data Recovery and Digital Forensics

# A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

#

"acquired, verified, and inaccessible"
is a complete and professional result. Overreaching past it is where examiners lose credibility. → Data Recovery and Digital Forensics
"Deleted ≠ destroyed"
The foundational principle of both disciplines: deleting a file removes the *pointer* (the directory/MFT entry and allocation flag), not the file's data, which persists in *unallocated space* until overwritten. *See also* slack space, data remanence (Ch. 2). → Glossary
"which discipline am I on?" checklist
the 4–6 questions you will ask at the start of every future job to decide how much rigor it demands. Then test it: run scenarios 1.10–1.13 through your checklist and confirm it produces the same calls you made in Group C. If it disagrees with your earlier judgment, decide which one was right and fix → Data Recovery and Digital Forensics
$DATA
The NTFS *attribute* holding a file's actual content — *resident* in the MFT record if small, otherwise *non-resident* and described by *data runs*. *See also* MFT (Ch. 4). → Glossary
$FILE_NAME ($FN)
The NTFS *attribute* holding the file's name and a second *MACB* timestamp set written by the kernel and **not** exposed to normal user APIs — therefore the truthful set used to detect *timestomping* against *$STANDARD_INFORMATION*. *See also* MACB (Ch. 4; Ch. 21). → Glossary
$LogFile
The NTFS transaction journal used for crash recovery; also a forensic record of recent metadata operations. *See also* journaling (Ch. 4; Ch. 21). → Glossary
$MFT
The metadata file that **is** the *Master File Table*. *See also* MFT (Ch. 4). → Glossary
$Recycle.Bin
The NTFS Recycle Bin folder; each deleted item is split into a **`$I`** file (metadata: original path, deletion time, size) and a **`$R`** file (the content). Reading `$I`/`$R` recovers deleted files and proves when/where they were deleted (Ch. 16). → Glossary
$STANDARD_INFORMATION ($SI)
The NTFS *attribute* holding the file's commonly displayed *MACB* timestamps and flags. Because the API lets user-space alter it, it is the target of *timestomping*; corroborate against *$FILE_NAME*. *See also* MACB (Ch. 4; Ch. 21). → Glossary
$UsnJrnl (USN change journal)
The NTFS Update Sequence Number journal (`$Extend\$UsnJrnl:$J`) recording every file/directory change with a reason code and timestamp; a high-resolution record of activity that survives even when files are deleted. *See also* journaling, timestomping (Ch. 16; Ch. 21). → Glossary
(1) image first / work on a copy
never run recovery against the client's only drive, because a failing drive can die mid-attempt and a wrong write is irreversible; and **(2) hash/verify** the image and document the process so the client (and any later legal use) can trust what was returned. The **"no recovery, no fee"** model means → Midterm Exam — Solutions
(51.500000, −0.127500)
central **London** (Westminster). Altitude `(32,1)` with `GPSAltitudeRef = 0` → **32 m above sea level** (`ref = 1` would mean 32 m *below* sea level). → Answers to Selected Exercises
(answer in Appendix)
## Group D — ext4: inodes, extents, the journal, and why recovery is hard → Data Recovery and Digital Forensics
0 errors (test restores)
on separate credentials with MFA, behind a closed RDP port and a patched perimeter. A trustworthy immutable backup collapses this entire chapter into one calm sentence. → Data Recovery and Digital Forensics
0x (prefix)
The near-universal notation marking a number as *hexadecimal* (e.g., `0x4D` = 77). *See also* hexadecimal (Ch. 2). → Glossary
0x55AA
The two-byte boot signature ending a valid *MBR* (at offset 510–511); its presence/absence is a first check in partition diagnosis. *See also* MBR (Ch. 4). → Glossary
13–14
courtroom-ready; you can defend each artifact and its limits. **10–12** — solid grasp; revisit the execution-vs-presence table and the USB correlation chain. **7–9** — re-read "Execution evidence" and "Event logs," then redo Groups C and D in the [exercises](exercises.md). **Below 7** — re-read the → Data Recovery and Digital Forensics
13–14 correct
you have the byte-level literacy this book assumes; proceed to Chapter 3 confidently. **10–12** — solid; re-read the sections behind any miss, especially endianness (Q5) and the slack/deletion model (Q9–Q12). **7–9** — re-read the chapter's "Hexadecimal," "logical/physical divide," and "deletion rem → Data Recovery and Digital Forensics
13–15
you can triage a dead drive by ear and know when to stop; you're ready for Chapter 9. **10–12** — solid; re-read the four-families and DIY-vs-lab sections. **7–9** — review diagnosis-by-sound and the `ddrescue`/imaging workflow before moving on. **Below 7** — re-read the chapter, focusing on the log → Data Recovery and Digital Forensics
18 U.S.C. §2258A
The U.S. statute requiring electronic service providers to report apparent *CSAM* to *NCMEC*'s CyberTipline; the legal anchor of an examiner's *mandatory reporting* awareness. *See also* ethics (Ch. 28). → Glossary
18:51
but note carefully: this is on the *corporate* file, indicating the engineer *also* created an anyone-with-the-link share on the corporate copy, a second exfiltration path. The personal-account uploads themselves are not in the corporate UAL (different tenant) and would require legal process to obta → Data Recovery and Digital Forensics
2024
and the `$SI` times are suspiciously round (`08:00:00.000`). Tools like `timestomp` and `SetMACE` rewrite `$SI` (what Explorer and most tools show) but typically leave `$FILE_NAME` alone, because updating it requires moving/renaming the file. When `$SI` predates `$FN`, the `$FN` times are usually th → Appendix B — Python Forensics Toolkit
2026-0207, Item 01
under the authority of the firm's acceptable-use policy and the login banner that consented to monitoring. There was no warrant and no law enforcement; this was civil litigation, and the deliverable would be an expert report that had to survive a deposition. → Data Recovery and Digital Forensics
23:47:55 on June 22, 2026
three days before the resignation. The `$SI` set claims the file was *created and last modified* in February 2025 — sixteen months *earlier* than the `$FN` "created" time. A file cannot be modified before it exists. That ordering — `$SI` modified earlier than `$FN` created — is a logical impossibili → Data Recovery and Digital Forensics
24-word recovery sheet
and it was nowhere. Not in the box, not in the safe, not photographed on any device, not in the notes, not in unallocated space on the laptop after a full carve for BIP39 word sequences. → Data Recovery and Digital Forensics
3,400 frames
each shot as a paired CR2 RAW and a full-resolution JPEG, the way he always worked. The trip's centerpiece was a migratory bird event that happens for about ten days a year in one place; the images were, in the literal sense, irreplaceable. → Data Recovery and Digital Forensics
3-2-1 rule
*See* backup (Ch. 12). → Glossary
31 years
an error opposing counsel will gleefully exhibit. (Some columns use Unix time, some use Mac absolute time; verify per column.) - **Expecting ext4 to undelete like NTFS.** On ext4 the live inode's block map is zeroed at deletion, so the NTFS reflex ("read the data runs from the deleted record") fails → Data Recovery and Digital Forensics
33.19 — Identify two carved 16-byte specimens.
**A:** `... 0000 0000 6231 0500` — bytes at offset 12 are **`62 31 05 00` = `0x00053162`**, the **Berkeley DB magic number** at its standard offset. Specimen A is a **`wallet.dat`** (legacy Bitcoin Core BDB wallet). A `strings` scan returning **`mkey` and `ckey`** proves the wallet is **encrypted** → Answers to Selected Exercises
37(e)(1)
upon a finding of **prejudice** to another party, the court may order measures **no greater than necessary** to cure the prejudice. - **37(e)(2)** — **only upon a finding that the party acted with the intent to deprive** another party of the information may the court impose the severe sanctions: a p → Data Recovery and Digital Forensics
4,096 bytes
that is eight 512-byte sectors, or one 4 KB sector, bundled together and treated as one indivisible allocation unit. → Data Recovery and Digital Forensics
4Kn / 512e
*See* Advanced Format (Ch. 2; Ch. 3). → Glossary
6% of files overall were fragmented
but the rate was far higher for exactly the file types investigators care about most. Around **16% of JPEGs**, a similar share of Microsoft Word documents, and well over **half of PST email stores** were fragmented, largely because those files are big, are written and rewritten over time, or are app → Data Recovery and Digital Forensics
8,000–12,000 words (hard floor 6,000)
write thorough, complete prose, multiple substantial sections, full worked examples. Long paragraphs of real explanation, not bullet skeletons. (Self-estimates run high — over-write.) - **Accuracy:** hex offsets, file signatures, registry paths, file-system structures, tool commands, and hashes must → _style-spec.md — exact file formats (INTERNAL — do not publish)
90–100
Courtroom-ready: precise vocabulary, correct arithmetic, and reasoning that distinguishes *presence vs. execution*, *integrity vs. guilt*, and *deleted vs. destroyed*. - **80–89** — Strong: solid mechanics; revisit one or two nuance areas (RAID levels, `$SI`/`$FN`, order of volatility). - **70–79** → Midterm Exam — Solutions
[Glossary](glossary.md)
key terms across storage, file systems, recovery, forensics, and the law. - **[Bibliography](bibliography.md)** — books, papers, standards, tools, and communities. - **[Answers to Selected Exercises](answers-to-selected.md)** — worked solutions to the exercises marked *(answer in Appendix)*. → Appendices
`!BDN`
the signature of a Microsoft Outlook **PST/OST** personal store. (b) The version word `wVer` sits at **offset `0x0A`**; the bytes there are `0E 00`, little-endian = `0x000E = 14`, which denotes an **ANSI** store (Unicode PST uses `wVer = 23`). (c) The practical risk: an **ANSI PST is capped near 2 G → Answers to Selected Exercises
`$Extend\$UsnJrnl:$J`
the **USN change journal** — logs, for each change, the affected file reference, a *reason* flag (`FILE_CREATE`, `DATA_OVERWRITE`, `RENAME_NEW_NAME`, `FILE_DELETE`, …), and a timestamp. A `USN_REASON_FILE_CREATE` record for `TurbineHousing_v7.sldprt` dated 2024-03-15 18:58 corroborates `$FN` and con → Data Recovery and Digital Forensics
`$STANDARD_INFORMATION` (type 0x10)
always resident. Holds the four timestamps that Windows Explorer shows, plus DOS-style flags and owner/security IDs. These are the timestamps malware and insiders manipulate, because they are the ones the OS updates and displays. - **`$FILE_NAME` (type 0x30)** — holds the file's name (in UTF-16), a → Data Recovery and Digital Forensics
`$UsnJrnl`
the Update Sequence Number journal, found at `$Extend\$UsnJrnl` and read from its `:$J` stream — is even better for investigation. When enabled (it is, by default, on modern Windows), it logs *every change* to *every file*: an Update Sequence Number, a timestamp, the file's MFT reference, and **reas → Data Recovery and Digital Forensics
`/var/run/utmp`
who is logged in *right now* (volatile; relevant in live response). - **`/var/log/wtmp`** — the historical record of logins, logouts, reboots, and shutdowns. - **`/var/log/btmp`** — *failed* login attempts (brute-force evidence). → Data Recovery and Digital Forensics
`4D 5A` ("MZ")
a whole executable living in memory that the disk knows nothing about. That is the fileless payload. `windows.ldrmodules` adds a second technique in a *different* process: inside `explorer.exe`, a mapped, executable region reports `False / False / False` across the three PEB module lists with no pat → Data Recovery and Digital Forensics
`bplist00`
a **binary property list**. (b) A text editor shows garbage because the body is packed binary (offset tables, typed objects), not text; convert it with **`plutil -convert xml1 -o - file.plist`** (or `plistutil`). (c) An **XML** plist instead begins with `` d → Answers to Selected Exercises
`DateTimeOriginal` (0x9003)
when the photograph was *taken*: the moment the shutter fired. This is the timestamp you usually mean when you ask "when was this photo taken?" - **`CreateDate` / `DateTimeDigitized` (0x9004)** — when the image was *digitized*. For a digital camera this equals `DateTimeOriginal`; for a scanned film → Data Recovery and Digital Forensics
`docProps/core.xml`
`dc:creator` (original author) vs `cp:lastModifiedBy` (last saver), created/modified dates, `revision` count; **`docProps/app.xml`** — `Application`/`AppVersion`, `Company`, `Template` path, and `TotalTime` (cumulative editing minutes); **`word/document.xml` + `word/settings.xml`** — tracked changes → Data Recovery and Digital Forensics
`index.md`
read actively, not passively. When the text shows a hex dump or an offset calculation (`sector × sector_size = byte offset`), reproduce it yourself in `xxd` before moving on. Budget the most time here. 2. **`exercises.md`** — do them. The hands-on labs ("recover from this image," "build the timeline → Syllabus — Self-Paced
`kMDItemWhereFroms`
the URL(s) a downloaded file came from, and often the page it was linked from. - **`kMDItemDownloadedDate`** / **`kMDItemDateAdded`** / **`kMDItemLastUsedDate`** / **`kMDItemUseCount`** — when it arrived, when it was last opened, how many times. → Data Recovery and Digital Forensics
`RecentDocs`
recently opened documents, grouped into subkeys by extension (`.docx`, `.pdf`, `.sldprt`…). Each value is binary (the filename in UTF-16 plus a reference to the matching LNK), and the `MRUListEx` value encodes the order they were opened, most-recent first. The extension subkey's last-write time is t → Data Recovery and Digital Forensics
~500–1,000 nm
a boulder on the runway. A struck particle gouges magnetic material off the surface, and that data is *gone forever*. Head swaps therefore require **ISO 14644-1 Class 5** air (the old FED-STD-209E **Class 100**). But most shops do not need a six-figure walk-in room: a **laminar-flow clean bench** (H → Data Recovery and Digital Forensics
📁 M1
open the case file; verify `mha-laptop.E01`; write the Investigation Plan | → Syllabus — Self-Paced
📁 M15
draft the court-admissible report | | 27 | [Expert Testimony](../part-4-legal-framework-and-reporting/chapter-27-expert-testimony/index.md) | 6 | 🎤 | self-administer the cross-examination drill | | 28 | [Ethics in Data Recovery and Digital Forensics](../part-4-legal-framework-and-reporting/chapter-2 → Syllabus — Self-Paced
📁 M16
detect the anti-forensic activity (CCleaner artifacts; anchor #2) | | 31 | [Cloud Forensics](../part-5-advanced-topics/chapter-31-cloud-forensics/index.md) | 6 | 📝 | — | | 32 | [Malware Forensics](../part-5-advanced-topics/chapter-32-malware-forensics/index.md) | 7 | 🧪 | — (post-incident analysis on → Syllabus — Self-Paced
📁 M2
recover deleted files via MFT/inode analysis | | 07 | [File Carving](../part-2-data-recovery/chapter-07-file-carving/index.md) | 9 | 🧪 | **📁 M3** — carve where the MFT was overwritten | | 08 | [Hard Drive Recovery (mechanical failure, clean room)](../part-2-data-recovery/chapter-08-hard-drive-recove → Syllabus — Self-Paced
📁 M4
acquire forensically; dual-hash; open chain of custody | | 15 | [Live Response and Triage Forensics](../part-3-digital-forensics/chapter-15-live-response-and-triage/index.md) | 7 | 🧪 | **📁 M5** — write a triage/live-collection plan (order of volatility) | | 16 | [Windows Forensics (registry, event l → Syllabus — Self-Paced

A

a number plus a convention
you must know the **epoch** (zero point) and the **resolution** (tick size) before the number means anything. Wrong epoch lands an event in the wrong century; false precision lands you in trouble on cross. - The two you meet most: **FILETIME** (100-ns ticks since **1601** UTC — NTFS, registry, `.evt → Data Recovery and Digital Forensics
A qualifications proffer
a one-page CV plus the short narrative the retaining attorney will use to qualify you. Nothing on it you cannot document. Pull real credentials from [Appendix I — Certification Roadmap](../appendices/appendix-i-certification-roadmap.md). (The padded-CV failure mode is the spine of [Chapter 27 Case S → Mock Trial Exercise Guide
A scored platter is permanent loss
once the magnetic layer is machined off a track, the data on that track is gone at any budget. **A drive that degrades a little with every power-on cannot be retried indefinitely** — there is a real, finite number of spin-ups left, and spending them on hope rather than on a single careful imaging pa → Data Recovery and Digital Forensics
a snapped USB connector
the most common "dead" USB drive — is often just mechanical: if the NAND and controller survived, a flash lab can read the chip directly. Never assume a physically broken stick means lost data until the chip itself is assessed. → Data Recovery and Digital Forensics
A13
class device — and seized it during an arrest. Critically, the phone was **powered on and unlocked** at the moment of seizure: the suspect had been using it. In the language of this chapter, it was **AFU** — booted and unlocked at least once since boot, its Data Protection (Class C) keys live in mem → Data Recovery and Digital Forensics
A5 through the A11
that is, roughly the iPhone 4S through the **iPhone 8, 8 Plus, and X**. Because the flaw is in read-only bootrom code, Apple *cannot patch it* on affected hardware; it is permanent for those models. For forensics, checkm8-class capability enables booting a custom environment that can perform **BFU e → Data Recovery and Digital Forensics
absence proves nothing
an unmarked file is not therefore fake. It is only as trustworthy as the **signer** (a credential signed by an untrusted or self-issued key asserts only what that signer chose to assert). And it records that AI *was* used when an honest tool reports honestly; it cannot force a malicious pipeline to → Data Recovery and Digital Forensics
ACE
AccessData Certified Examiner | **Exterro** (formerly AccessData) / **FTK** | Driving FTK for acquisition, processing, and review | $$ | | **MCFE** — Magnet Certified Forensics Examiner | **Magnet Forensics** / **AXIOM** | AXIOM artifact analysis across computer, mobile, cloud | $$$ | | **X-PERT** — → Appendix I — Certification Roadmap
acquire memory before power-off
the decision is irreversible, because a drive can be re-imaged but RAM is captured exactly once. - **Write to external, removable media**, never the system's own disk; **hash immediately** and log the tool, version, times, size, and SHA-256. - **What the hash proves:** integrity *since capture* — no → Data Recovery and Digital Forensics
Acquisition
The process of creating a forensic copy of evidence from a source device, the first technical step of every investigation. Done correctly it is *forensically sound*: nothing on the source is altered, and the copy is verified by *hash*. *See also* forensic image, write blocker (Ch. 14; introduced Ch. → Glossary
acquisition ladder
manual → logical → file-system → physical → JTAG/ISP → chip-off — and pick the *lowest rung that answers the question*; (2) contrast iOS and Android security (Secure Enclave + data-protection classes + keychain vs. FBE + TEE/StrongBox) and explain how **AFU vs. BFU** decides which keys, and thus whi → Chapter 24 — Teaching Notes (Mobile Device Forensics)
Activities / labs
*Role-lattice map (15 min, small groups):* place the four anchors on a whiteboard career lattice; annotate each with an entry point, one credential, and a pay range. - *Mock informational interview (20 min, pairs):* one plays a hiring examiner, one a candidate pitching the capstone portfolio; swap r → Chapter 40 — Discussion Guide
Actuator arm
The pivoting mechanical assembly in a hard disk drive that positions the *read/write heads* over the correct track on the spinning *platter*. Failure of the actuator or its voice-coil motor is a common mechanical fault requiring clean-room repair (Ch. 3; Ch. 8). → Glossary
address-type match
the change is a `bc1q…` native-segwit address like the inputs, while the payment is a legacy `1…` address; (2) **fresh address** — the change address was "never seen before," typical of an auto-generated change output; (3) **non-round "leftover" amount** — 0.0499 BTC is a remainder, not a deliberate → Answers to Selected Exercises
Admin SDK Reports API
which gives *content* and which gives *activity logs*? (b) Name the single Drive audit event that "wins exfiltration cases," and say in plain English what it captures. (c) State the typical retention of the Drive audit log in the admin console and where organizations send it for longer history. **(a → Data Recovery and Digital Forensics
Advanced Encryption Standard (AES)
the block cipher (originally the Rijndael algorithm) selected by NIST in 2001 and now the de facto worldwide standard, approved by the U.S. government for classified information up to TOP SECRET at the 256-bit key length. AES operates on fixed 128-bit (16-byte) blocks and supports key sizes of 128, → Data Recovery and Digital Forensics
Advanced Format
A hard-drive sector standard using 4,096-byte physical sectors instead of the legacy 512-byte sector. Drives that emulate 512-byte logical sectors over 4 KB physical sectors are **512e**; drives exposing native 4 KB sectors are **4Kn**. Misaligned partitions on Advanced Format media degrade performa → Glossary
AES (Advanced Encryption Standard)
The symmetric block cipher (128/192/256-bit keys) underlying nearly all modern full-disk and file encryption, including *BitLocker*, *FileVault*, *LUKS*, and *VeraCrypt*. Without the key, AES-protected data is effectively unrecoverable by brute force. *See also* encryption (Ch. 29). → Glossary
AFF4 (Advanced Forensic Format 4)
An open, extensible forensic image container supporting very large evidence sets, sparse and remote sources, and rich metadata. An alternative to *E01* and raw images (Ch. 14). → Glossary
AFU
it booted and someone unlocked it once, and it has not rebooted — then the keys for the bulk of the data are live in memory, and a cooperative-owner recovery is straightforward: the OS will hand you files normally. If a phone is **BFU** — freshly booted, never unlocked — then even the operating syst → Data Recovery and Digital Forensics
agent or instrument of the government
the police ask you to "look a little further," or to search areas the client never authorized, or you're effectively doing the government's investigating for it — you can be transformed into a state actor, and from that moment forward the Fourth Amendment binds *you*. Courts assess agency by asking → Data Recovery and Digital Forensics
AI-Assisted Forensics and Deepfake Detection
confronts the flip side of all this evidence: when machine learning helps you triage oceans of IoT and disk data faster than any human could, and when the same technology fabricates the photos, voices, and videos you will be asked to authenticate — the frontier where the examiner must prove not just → Data Recovery and Digital Forensics
Allocation unit
*See* cluster (Ch. 2; Ch. 4). → Glossary
Alternate Data Stream (ADS)
An NTFS feature allowing a file to carry additional named data streams beyond its main `$DATA` stream, written as `filename:streamname`. Legitimately used for the `Zone.Identifier` *Mark-of-the-Web*, ADS is also abused to hide data because the hidden stream does not appear in a normal directory list → Glossary
AmCache
A Windows registry hive (`C:\Windows\AppCompat\Programs\Amcache.hve`) recording program execution and installation, including each executable's full path, size, and **SHA-1 hash** — invaluable for proving a specific binary ran, even after deletion (Ch. 16). → Glossary
An IDS alert is a lead, not a finding
corroborate with flow, proxy, Zeek, and any capture before you write a word. → Data Recovery and Digital Forensics
Anti-forensics
Techniques intended to defeat, mislead, or complicate forensic analysis: secure deletion, *timestomping*, log clearing, *steganography*, and encryption. This book treats anti-forensics from the standpoint of *detection*, not evasion: nearly every technique leaves its own artifact (Ch. 30). → Glossary
Anti-Forensics (and detecting it)
turns from suspects who *encrypt* to suspects who try to *erase, hide, and falsify* the traces of what they did. You will see how wiping tools, timestomping, log deletion, and steganography work — and, in keeping with theme three, how each of them leaves its own tell-tale trace for the examiner who → Data Recovery and Digital Forensics
ANY.RUN
an interactive *online* sandbox: you watch the detonation in a browser in real time and can click through dialogs the malware waits on (defeating some user-interaction checks). Fast and powerful, but it is a public, cloud service — uploading carries the same exposure risk as VirusTotal, so it is for → Data Recovery and Digital Forensics
APFS
the Apple File System. It replaced HFS+, which had served since 1998, and it changed the forensic game in one decisive way: APFS is **copy-on-write**. We met the concept in [Chapter 4](../../part-1-foundations/chapter-04-file-systems/index.md); here it pays off. Under copy-on-write, when a file's co → Data Recovery and Digital Forensics
APFS (Apple File System)
Apple's default file system since 2017 (macOS, iOS), featuring copy-on-write metadata, native snapshots, container/volume design, strong encryption, and nanosecond timestamps. Replaced *HFS+* (Ch. 4). → Glossary
APFS-Fuse
an open-source FUSE driver that mounts an APFS image read-only on Linux, *including individual snapshots and (with the password or recovery key) FileVault-encrypted volumes.* - **mac_apt** (macOS Artifact Parsing Tool) — a Python framework that ingests an E01/DD/DMG image and runs dozens of plugins → Data Recovery and Digital Forensics
API acquisition
Collecting cloud evidence through a provider's application programming interface (e.g., Microsoft Graph, Google Workspace APIs) rather than by imaging physical media, because the underlying storage is inaccessible and multi-tenant. *See also* cloud forensics (Ch. 31). → Glossary
AppCompatCache
*See* ShimCache (Ch. 16). → Glossary
Appendices
[Appendix C — Tool Reference](appendix-c-tool-reference.md) — what each certified tool does. - [Appendix E — Legal Frameworks Reference](appendix-e-legal-frameworks-reference.md) — the law behind the eDiscovery/legal certs. - [Appendix J — Practice Images and Lab Setup](appendix-j-practice-images-an → Appendix I — Certification Roadmap
Appendices:
[Appendix C — Tool Reference](appendix-c-tool-reference.md) — tool validation supporting Daubert reliability. - [Appendix D — Forensic Artifact Locations](appendix-d-forensic-artifact-locations.md) — what your warrant scope must reach. - [Appendix F — Chain of Custody and Report Templates](appendix- → Appendix E — Legal Frameworks Reference
AppID
identifies the application that opened the files (a published list maps AppIDs to apps; SolidWorks, Word, Notepad, and "Quick Access" all have known IDs). Parse with **JLECmd**. The result answers "*which application* opened *which file*, *when*, and *how many times*" — and, like LNKs, it survives t → Data Recovery and Digital Forensics
Application temporary and autosave files
Microsoft Office leaves `~$` lock files and `.tmp`/`.asd` autosave copies; many apps write working copies the ransomware's extension filter skipped. - **Thumbnail caches** — `thumbcache_*.db` holds small renders of images and document previews; not the full file, but sometimes enough to identify or → Data Recovery and Digital Forensics
areal density
bits per square inch — and the entire history of the HDD is the history of squeezing it higher. → Data Recovery and Digital Forensics
artifact parsing
especially apps, chat platforms, cloud services, and the messy modern sources that change constantly. It layers on conveniences that speed real casework: **Connections**, a graph view that links an artifact (a file, a message) to every place it appears and every account it touches; **Magnet.AI**, wh → Data Recovery and Digital Forensics
as an original `.eml` with full headers intact
not a forwarded copy, which would have buried the real headers inside a new message and stripped the `Authentication-Results`. He hashed the `.eml`, logged it, and only then began reading. *The original is sacred* applies to a single email as surely as to a disk image. → Data Recovery and Digital Forensics
Assign it; this guide complements it.
[Chapter 37 — Building a Forensic Lab](../part-6-tools-and-career/chapter-37-building-a-forensic-lab/index.md): the *professional* lab your teaching lab models. - [Chapter 36 — The Forensic Toolkit](../part-6-tools-and-career/chapter-36-the-forensic-toolkit/index.md) and [Appendix C — Tool Reference → Lab Setup Guide
assist the trier of fact
the judge or jury — not to win for the side that hired them. You are, in a real sense, the court's teacher on a subject the court cannot evaluate on its own. The moment you start advocating instead of explaining, you stop being an expert and become a hired mouthpiece, and a competent cross-examiner → Data Recovery and Digital Forensics
Asymmetric encryption
RSA, or elliptic-curve schemes like Curve25519 — uses a *pair* of mathematically linked keys. What the public key locks, only the private key can open, and you cannot derive the private key from the public one in any practical amount of time. This solves the distribution problem elegantly: the attac → Data Recovery and Digital Forensics
attenuation
and explain why no competent examiner *plans* to rely on any of them. **(answer in Appendix)** → Data Recovery and Digital Forensics
Attribute (NTFS)
A typed component of an NTFS *MFT* record. Key attributes include `$STANDARD_INFORMATION`, `$FILE_NAME`, and `$DATA`. Small attributes are *resident* (stored inside the MFT record); larger ones are *non-resident*, described by *data runs* pointing to clusters (Ch. 4). → Glossary
Attribution
You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use. - **ShareAlike** — If you remix, transform, or build upon the material, you must distrib → License
The evidentiary requirement (U.S. Federal Rule of Evidence 901; self-authentication under 902(14) via hash) to show that evidence is what its proponent claims. Hashing and *chain of custody* are how digital evidence is authenticated. *See also* best evidence rule (Ch. 25). → Glossary
authority and scope
what authorized your exam, what it permitted, and how your search methodology stayed inside it; (2) **conflicts** — that you checked, and any you found (or that you found none, and how you checked); (3) **sensitive-data handling** — any medical/financial/intimate/privileged material encountered and → Data Recovery and Digital Forensics
Authority and Scope Memo.
**Write the "stop" card.** Make the physical Stop-and-Escalate decision card from the exercises and keep it where you work. The instinct to pause is a skill, and skills are built by rehearsal, not by reading. → Data Recovery and Digital Forensics
authorization
a warrant, consent, or corporate authority — and the disciplined scope that authority imposes. The method also draws the line between the two disciplines this book teaches: recovery borrows imaging and hashing for *speed and irreplaceability* and skips the legal overhead, while forensics adds the fu → Data Recovery and Digital Forensics
authorized
the first connection pops a dialog showing the host's RSA key fingerprint, and the user must tap *Allow*. No unlock, no authorization, no `adb` access to user data. That gate is a feature. → Data Recovery and Digital Forensics
Autopsy
The open-source graphical front end to *The Sleuth Kit (TSK)*; a full-featured, free forensic platform for disk analysis, keyword search, timeline, and artifact parsing (Ch. 36; Ch. 5). → Glossary
avalanche property
a single changed bit flips ~half the digest — so any mismatch (even a typo in the log) invites the argument that the evidence is not what you say it is; the discrepancy must be found and explained (usually a transcription error, proven by re-hashing). (c) **FRE 902(14)** makes electronic data **self → Answers to Selected Exercises

B

B-tree
A balanced tree data structure used by file systems (NTFS directory indexes, APFS, HFS+, ext4 HTree) to store and look up file names and metadata efficiently (Ch. 4). → Glossary
back
and the limits of when you can't | | **III — Digital Forensics** | 14–24 | Acquisition; live/triage; Windows, macOS/Linux; browser, email/chat, photo/video/document; timeline; memory; network; mobile | Finding and **preserving** evidence; the longest, most lab-heavy part | | **IV — Legal Framework a → Instructor Guide — Data Recovery and Digital Forensics
Backup (3-2-1 rule)
The recovery doctrine of keeping **3** copies of data on **2** different media with **1** copy off-site (or offline/immutable). The single most reliable defense against ransomware and hardware failure — and the lesson the ransomware anchor case drives home (Ch. 12). → Glossary
Bad sector / bad block
A region of media that can no longer reliably store data. Drives remap known-bad sectors to spares (*see* reallocated sector); a rising bad-sector count is an early failure warning visible via *SMART* (Ch. 3; Ch. 8). → Glossary
before any quote and before any desoldering
diagnose first, promise second. → Data Recovery and Digital Forensics
Before the term
☐ Build, snapshot, and **export** both golden VMs (§3.3); stage the OVAs on the share/USB. - ☐ Pre-download + **hash-verify** the minimum image set (§6); host read-only. - ☐ Confirm the share's free space (~0.5–1 TB) and that masters are `chmod 444` / read-only. - ☐ Coordinate isolation with campus → Lab Setup Guide
Berla iVe
tracklogs + paired-phone contacts/call logs), the **EDR** black box (**Bosch CDR**, ~5 s of crash dynamics, 49 CFR Part 563), and the **connected-car cloud** (legal process to the maker). - **Embedded/firmware:** **UART** (often a root shell), **JTAG** boundary scan, **SPI** flash read in-circuit (c → Data Recovery and Digital Forensics
Best evidence rule
The U.S. evidentiary principle (FRE 1001–1004) that an original is preferred, but an accurate duplicate — such as a verified *forensic image* — is admissible to the same extent. This is why imaging does not weaken a case (Ch. 25). → Glossary
BFU vs. AFU
the power/lock state at the moment you receive the device decides what is reachable (preview the order-of-volatility idea from Ch.15). Counterpart lesson: the best "recovery" is usually a **backup**, not heroics on the silicon. → Chapter 11 — Teaching Notes (Mobile Device Recovery)
bias attack
*"you were hired by the prosecution, you're paid, so you found what they wanted"* — lands hardest on examiners who actually shaded a conclusion. (a) Identify the three things you did *months before trial* that make this attack fail. (b) Write the strong answer that combines calm neutrality with a *d → Data Recovery and Digital Forensics
Binary
The base-2 number system of two states (`0`/`1`); the only thing any storage device physically holds. *See also* bit, hexadecimal (Ch. 2). → Glossary
binary plists
files beginning with the magic `bplist00`: → Data Recovery and Digital Forensics
biome
segmented, protobuf-encoded streams under `~/Library/Biome/` and `/private/var/db/biome/` — which `mac_apt` and emerging tools are learning to parse. The lesson of theme #4 again: the *container* changes (ASL → Unified Log; knowledgeC → biome), the *intelligence* persists, and your job is to follow → Data Recovery and Digital Forensics
Bit
A *binary digit*, the smallest unit of information: a single `0` or `1`. Eight bits make a *byte* (Ch. 2). → Glossary
BitLocker
Microsoft's full-disk encryption for Windows, typically sealed to a *TPM* and optionally a PIN or USB key, with a 48-digit numeric *recovery key*. Acquisition usually requires the recovery key, a captured key from memory, or a logged-in (decrypted) live system (Ch. 29). → Glossary
blend
the boundary where generated face meets real head. → Data Recovery and Digital Forensics
block
hundreds of pages, often around 4 MB — at once. There is no "overwrite this 4 KB page" operation in NAND. To modify data, the controller must write the new version to a *different* already-erased page, mark the old page stale, and reclaim that whole block later. No host-visible "sector" maps permane → Data Recovery and Digital Forensics
Block (Linux/storage)
In Unix file systems, the basic allocation unit (equivalent to a *cluster*); in flash, an erase unit composed of many *pages*. Context determines the meaning (Ch. 4; Ch. 3). → Glossary
block explorers
blockchair.com, mempool.space, blockstream.info, and for clustering history the venerable walletexplorer.com — let you paste any address or TXID and read its complete history, inputs, outputs, and links. For Ethereum, **Etherscan** is indispensable. Every illustrative output in this chapter is the k → Data Recovery and Digital Forensics
Blockchain
A distributed, append-only, cryptographically chained public ledger of transactions underpinning cryptocurrencies. Because most chains are public and permanent, they are a powerful — and permanent — source of financial evidence. *See also* UTXO, mixer (Ch. 33). → Glossary
board-level revival has physical limits
some water-damaged or impact-damaged boards are simply destroyed, taking the only readable copy of the key with them. → Data Recovery and Digital Forensics
Bodyfile
An intermediate, pipe-delimited text format (produced by The Sleuth Kit's `fls`/`ils`) listing file metadata and MAC times; converted by `mactime` into a chronological *timeline*. *See also* super-timeline (Ch. 21). → Glossary
Boot sector
The first sector of a partition (the *Volume Boot Record*), containing file-system parameters and bootstrap code; on the whole disk, the first sector is the *MBR*. A frequent target of partition-recovery work (Ch. 4). → Glossary
both inculpatory and exculpatory evidence
your loyalty is to the facts, not to the side that retained you. The same disciplined examination that proves a USB device was attached at 02:14 also proves, in the next case, that it was not; an examiner who reports only the favorable half has become an advocate, and the court will eventually treat → Data Recovery and Digital Forensics
both unnecessary and unreliable
it hammers the drive with writes without guaranteeing the original physical cells are touched. - The correct way to sanitize flash is at the controller level: the ATA **SECURITY ERASE UNIT** (Secure Erase) command, or better, a **cryptographic erase** (SANITIZE crypto-scramble) on a self-encrypting → Data Recovery and Digital Forensics
boundaries
the deshielding moment when value leaves the shielded pool to a transparent address (often en route to an exchange) is where amounts and timing can betray a flow. Zcash also supports **viewing keys**, which permit selective disclosure; a cooperating party (or one compelled by court order) can hand o → Data Recovery and Digital Forensics
bridged
it appeared on the firm's physical LAN as just another machine, exactly as if a second laptop had been plugged into the wall. There was no isolated virtual switch, no host-only network, no simulated internet, no clean snapshot to revert to. The technician's mental model was "it's a VM, so it's conta → Data Recovery and Digital Forensics
browsed
including now-deleted folders and removable/network paths | → Appendix D — Forensic Artifact Locations
Brute force / dictionary attack
Recovering a passphrase by trying many candidates: *brute force* tries all combinations; a *dictionary attack* tries likely words and known-leaked passwords. Feasibility depends entirely on password strength and key-derivation cost. *See also* encryption (Ch. 29). → Glossary
Building a Forensic Lab
takes the toolkit you now know how to choose and validate and gives it a *home*: the physical and virtual workstation, write-blockers and storage, the SIFT/CAINE/commercial software stack, evidence-handling layout, network isolation, accreditation (ISO/IEC 17025), and the documented procedures that → Data Recovery and Digital Forensics
building your index
a custom, alphabetized table that maps concepts, commands, and artifacts to the exact book and page where they appear, so that under exam pressure you can find "Shimcache parsing" or "the `$UsnJrnl` record structure" in seconds instead of flipping. Veterans treat the index as the real deliverable of → Data Recovery and Digital Forensics
built to contain no real illegal material
they use benign stand-ins precisely so you can train safely. But train the reflex anyway: if, on any real device, you ever encounter material that even *might* be child sexual abuse material (CSAM), **stop, do not copy or further view it, document, and report** under your jurisdiction's mandatory-re → Appendix J — Practice Images and Lab Setup
burnout
and list four of the symptoms it enumerates. Then explain, in two or three sentences, why these are "the predictable, *normal* response of a healthy nervous system to abnormal input" rather than a sign of weakness, and why treating them as a personal failing is itself part of the problem. **(answer → Data Recovery and Digital Forensics
By evidence item
all findings from Item 01, then all from Item 02 — suits cases with several devices and a verification-minded reader, because the opposing expert can check each device in isolation. **By investigative question** — "Was removable media attached? Were the files accessed? Is there evidence of upload?" → Data Recovery and Digital Forensics
by hash, without a human re-viewing the content
both to make the review tractable and, deliberately, to limit how much an examiner must look at. That is a designed-in mitigation of the secondary trauma this work carries. Configure these hash sets *first* in any case where contraband may be in scope. Mandatory reporting (18 U.S.C. §2258A), scope d → Appendix C — Tool Reference
by its inode / MFT-entry address
the step that actually recovers a deleted file once `fls` and `istat` have located it? - A) `mmls` - B) `fls` - C) `blkls` - D) `icat` → Final Exam
Byte
Eight *bits*, holding one of 256 values (0–255), written as two *hex* digits. The fundamental unit of storage: file sizes, offsets, and sectors are all measured in bytes (Ch. 2). → Glossary
Byte offset
The position of a byte measured from the start of a file or device, often computed as *sector* number × sector size. The bridge between logical structures and physical locations; always label its base (hex vs. decimal) (Ch. 2). → Glossary

C

C2PA
the Coalition for Content Provenance and Authenticity, formed in 2021 (Adobe, Microsoft, Intel, Arm, BBC, Truepic, Sony, and others, merging the earlier Content Authenticity Initiative and Project Origin). C2PA defines **Content Credentials**: a cryptographically signed **manifest** attached to a me → Data Recovery and Digital Forensics
Cache (browser)
Locally stored copies of web content (images, pages, scripts) kept to speed up browsing; a rich forensic source showing what a user actually viewed and when, even after history is cleared (Ch. 18). → Glossary
candidate carriers
a folder of large, oddly uniform images, or images whose size is anomalous for their visible content; - a **pristine original to compare** — if you have the un-modified source image (from a camera, a website, a backup), a hash mismatch or pixel diff against the suspect copy is decisive; - a **passph → Data Recovery and Digital Forensics
capabilities
persistence (run keys, services, scheduled tasks, the fileless WMI subscription), keylogging, exfiltration, lateral movement, and command-and-control — and mapped them to MITRE ATT&CK. You organized findings into **indicators of compromise**, weighted by the Pyramid of Pain so your best detections t → Data Recovery and Digital Forensics
capture one from your own analysis VM
then you know exactly what is in it: → Appendix J — Practice Images and Lab Setup
Capture volatile memory
a full RAM image — before anything else. 2. **Document and collect** the on-screen ransom note, network state, and running processes. 3. **Then** acquire a forensic disk image (write-blocked source where possible — see [Chapter 14](../../part-3-digital-forensics/chapter-14-forensic-acquisition/index → Data Recovery and Digital Forensics
career-changer
looked thinner at a glance. Thirty-four, eight years in IT support with a side data-recovery hustle ([Chapter 13](../../part-2-data-recovery/chapter-13-the-data-recovery-business/index.md)), no employer who would pay for training, and exactly *one* forensic certification: a **CCE** (ISFCE), earned t → Data Recovery and Digital Forensics
Carving
*See* file carving (Ch. 7). → Glossary
CCleaner
the same anti-forensic pattern that threads through this book's IP-theft anchor (developed in [Chapter 16 — Windows Forensics](../../part-3-digital-forensics/chapter-16-windows-forensics/index.md), [Chapter 21 — Timeline Analysis](../../part-3-digital-forensics/chapter-21-timeline-analysis/index.md) → Data Recovery and Digital Forensics
CCO (Operator)
*get the data off the phone*: logical, file-system, and physical extractions with UFED. - **CCPA (Physical Analyst)** — *make sense of the data*: decoding, carving, app analysis, and reporting in Physical Analyzer. - **CCME (Mobile Examiner)** — the capstone practical that proves end-to-end competen → Appendix I — Certification Roadmap
CEDS
Certified E-Discovery Specialist | **ACEDS** | End-to-end eDiscovery process and the EDRM lifecycle | $$ | | **Relativity** (Certified User, **RCA** Admin, Certified Expert/Master) | **Relativity** | The dominant review-platform ecosystem | $ / $$ | | **CFE** — Certified Fraud Examiner | **ACFE** | → Appendix I — Certification Roadmap
Cellebrite
are not required to teach a single chapter here, but exposure helps students who'll meet them on the job. Bridge the gap at no cost: most vendors run **academic programs** and **time-limited trials** (Magnet and Belkasoft also release CTF images and free utilities — MAGNET RAM Capture, Encrypted Dis → Lab Setup Guide
Cellebrite / UFED
A market-leading commercial mobile-forensics platform (Universal Forensic Extraction Device) for logical, file-system, and physical extraction from phones and tablets, plus decoding of app data (Ch. 24; Ch. 36). → Glossary
Certifications and Professional Development
turns from doing the work to proving you can: the certifications that signal competence to employers and courts (EnCE, GCFE, GCFA, GNFA, CCE, CFCE, CHFI), how to choose a path for your track, and how to keep your skills current in a field where the technology never stops changing — the credentials t → Data Recovery and Digital Forensics
chain
the map of which clusters follow the first one. And here is the consequence that defines FAT recovery: → Data Recovery and Digital Forensics
Chain of custody
The documented, unbroken record of who handled a piece of evidence, when, why, and what they did to it, from seizure to courtroom. Combined with hashing, it is how you move from "I found this" to "I can prove this is unaltered." Breaks in the chain can render evidence inadmissible. *See also* Append → Glossary
Chapter 12
ransomware recovery is your crisis to manage — and for the image-first discipline that opens the part. 🔍 **Forensic Examiners** will recognize **Chapters 6 and 7** as the bedrock of evidence recovery and should study them closely; you can move more briskly through the hardware mechanics of **Chapter → Data Recovery and Digital Forensics
Chapters
[Chapter 5 — The Forensic Process](../part-1-foundations/chapter-05-the-forensic-process/index.md) — the methodology every forensic cert tests. - [Chapter 13 — The Data Recovery Business](../part-2-data-recovery/chapter-13-the-data-recovery-business/index.md) — the apprenticeship/tool model of recov → Appendix I — Certification Roadmap
Chapters:
[Chapter 5 — The Forensic Process](../part-1-foundations/chapter-05-the-forensic-process/index.md) — preservation, hashing, and chain of custody that these rules presuppose. - [Chapter 14 — Forensic Acquisition](../part-3-digital-forensics/chapter-14-forensic-acquisition/index.md) — imaging/write-bl → Appendix E — Legal Frameworks Reference
checkm8
A permanent (unpatchable) bootrom exploit affecting Apple devices with A5–A11 chips, enabling forensic access below the operating system on those older models. An example of how hardware-level flaws shape acquisition options (Ch. 24). → Glossary
child sexual abuse material (CSAM)
a crime wholly outside the fraud warrant. What she did next is the entire case study. → Data Recovery and Digital Forensics
Chip-off
A destructive physical-extraction technique: the NAND flash memory chip is desoldered from the device's board and read directly in a programmer. A last resort used when the device is damaged or otherwise inaccessible. *See also* JTAG, ISP, BGA (Ch. 11; Ch. 24). → Glossary
chip-off last
desolder, dump raw, then reverse ECC → scramble → XOR → interleave → L2P. It is defeated by encryption (ciphertext) and by TRIM-plus-GC (zeros), and never guaranteed even on healthy silicon. **Monolithic** flash (USB sticks, SD) must be read *through* the package; eMMC/UFS via JTAG/ISP. - **Non-dete → Data Recovery and Digital Forensics
chokepoint
a regulated exchange that holds KYC identity for the account - D) The blockchain itself, which lists the legal owner of each address → Data Recovery and Digital Forensics
circular and small
typically 128 MB regardless of disk size — so it overwrites itself constantly. On a busy server, the inode copy you need may have been recycled within minutes of the deletion. ext4-journal recovery is therefore a *fresh-deletion* technique: brilliant for "I rm'd it an hour ago," far weaker for "it w → Data Recovery and Digital Forensics
Civil litigants cannot get content from providers
compel the party/custodian instead. - **Jurisdiction:** the **CLOUD Act** reaches a U.S. provider's data wherever stored, but **GDPR Art. 48** can forbid disclosure; executive agreements help, **MLAT** is slow and may outlast retention. → Data Recovery and Digital Forensics
civil process
and identify the limits, scope, and withdrawal conditions of each. > - Apply civil eDiscovery obligations under the **FRCP**: the duty to preserve, litigation holds, Rule 26 proportionality, Rule 34 form-of-production, and Rule 37(e) spoliation (and prove intent from forensic traces). > - Recognize → Data Recovery and Digital Forensics
clarity, never overstating, withstanding cross
carry the most weight. Print one sheet per examiner; the jury's clarity ballot feeds row 2. → Mock Trial Exercise Guide
Class 100
no more than 100 particles of 0.5 µm or larger per cubic foot of air). In practice, most labs do not flood an entire room to that spec; they use a **laminar-flow clean bench** (a clean-air hood that blows HEPA-filtered air across the work surface toward the technician), which creates a Class 100 zon → Data Recovery and Digital Forensics
Clean room
A controlled, particle-filtered environment (e.g., ISO Class 5 / Class 100) required to open a hard drive and perform invasive repairs such as a *head swap* without contaminating the *platters* (Ch. 8). → Glossary
clear key
an unprotected protector sitting in plaintext on the disk — so a suspended BitLocker volume is effectively *not* protected at all, and tools will mount it without any secret. Second, BitLocker offers **auto-unlock** for non-system (data) volumes, storing that volume's key wrapped under the *system* → Data Recovery and Digital Forensics
clinically
it tests the *legal duty and the handling reflex only*. No description of any such material is sought or permitted in your answer. → Final Exam
clipboard, ARP cache, DNS resolver cache
on your own machine, using the OS-appropriate commands for **both** Windows and Linux. Your DNS-cache capture will look something like this: → Data Recovery and Digital Forensics
Clock skew
The difference between a device's recorded time and true time, from a wrong time-zone, an un-synced clock, or drift. Must be measured and corrected before merging sources into a *timeline* (Ch. 21). → Glossary
CLOUD Act (2018)
U.S. legislation (Clarifying Lawful Overseas Use of Data Act) allowing compelled production of data held by U.S. providers regardless of where it is physically stored, and establishing executive agreements with other nations. Central to cross-border *cloud forensics*. *See also* MLAT (Ch. 31; Ch. 25 → Glossary
Cloud Forensics
moves the investigation off the endpoint entirely, to data that lives on someone else's servers: where the artifacts you have learned to read are replaced by API logs, provider records, and legal process, and where the very *location* of the evidence becomes a jurisdictional question — proof, once m → Data Recovery and Digital Forensics
cloud-only
present in the personal account, never fully downloaded back to this disk. Browser history confirms repeated visits to `onedrive.live.com` and a personal Gmail. → Data Recovery and Digital Forensics
cloud-tethered, ephemeral state
and the modern answer of isolating rather than powering off. You weighed **live imaging against dead-box imaging**, internalizing the *smear* (a live image is a blurred, non-reproducible composite) and the shifted meaning of the hash (integrity from acquisition forward, not bit-for-bit reproducibili → Data Recovery and Digital Forensics
Cluster
The smallest unit of disk space a file system will allocate to a file, made of one or more *sectors* (commonly 4,096 bytes = eight 512-byte sectors). Because files rarely fill their last cluster exactly, *slack space* results. Also called an *allocation unit* or *block* (Ch. 2; Ch. 4). → Glossary
Command and control (C2)
The infrastructure and channels an attacker uses to direct compromised hosts. Identifying C2 traffic and *IOCs* is central to network and malware forensics (Ch. 23; Ch. 32). → Glossary
command line
C) Its file size - D) Its desktop icon → Data Recovery and Digital Forensics
commercial exploit service
Cellebrite Premium, Grayshift's GrayKey — whose success is *model-, OS-version-, and patch-level-dependent and frequently lags the latest iOS by months or fails outright.* There is no public, durable, A12-and-later "just unlock it" capability, and any vendor who implies otherwise is selling hope. Th → Data Recovery and Digital Forensics
compassion fatigue
describes a predictable, *normal* injury of a healthy mind to abnormal input, not a personal weakness. The **incident responder** lives on adrenaline and broken sleep through breach after breach, and burns out on tempo even without trauma. The **recovery technician** absorbs, week after week, the gr → Data Recovery and Digital Forensics
A legal basis for searching a device without a warrant, valid only if voluntary and within the scope granted by someone with authority. Scope and revocation matter enormously in practice (Ch. 25). → Glossary
container hash
the SHA-256 of the `.E01` file as a file, which proves transit integrity: → Data Recovery and Digital Forensics
Contested
some courts now hold compelled biometric unlock is testimonial (e.g., *In re Search of a Residence in Oakland*, N.D. Cal. 2019) | → Appendix E — Legal Frameworks Reference
contiguity
that a file's bytes are laid out in one unbroken run. When the file is **fragmented**, every naive carver fails, splicing in foreign data or truncating at the gap. → Answers to Selected Exercises
Contiguous file
A file stored in one unbroken run of clusters. Contiguous files carve cleanly header-to-footer; *fragmentation* is what makes carving hard. *See also* file carving (Ch. 7). → Glossary
continuing professional education credits
CPEs (also called CEUs or CMUs depending on the body) — which you earn by doing things that keep you current: attending training and conferences, taking courses, publishing, teaching, even reading and reviewing in structured programs. → Data Recovery and Digital Forensics
A small data item a website stores in the browser to track sessions and preferences; forensically, evidence of site visits, account use, and timing (Ch. 18). → Glossary
Core
a primary source for that credential's objectives; teach it thoroughly if the cert is your goal. | | **◐** | **Supporting** — reinforces or partially covers a domain; useful, not sufficient on its own. | | **·** | **Tangential** — touched only in passing for that credential. | → Certification Mapping
corroboration
no second photo in the series, no file-system times, no carrier metadata. A manipulation finding requires *convergence across independent methods plus a plausible account of how the edit was produced*; this report had one over-read test and a borrowed coordinate. → Data Recovery and Digital Forensics
could not be compelled
the government could not show it knew what, if anything, was on the encrypted drives, so the foregone-conclusion exception did not apply. - ***Commonwealth v. Davis*** (Pa. 2019): the Pennsylvania Supreme Court held that compelling a *passcode* violates the Fifth Amendment, treating the passcode its → Data Recovery and Digital Forensics
credibility wound
and credibility, once opened, bleeds across an entire testimony. Her closing use of it was predictable and devastating in its economy: *if he was casual with the truth about his own certification, a thing he could have checked in thirty seconds, how careful was he with the things in this case you ca → Data Recovery and Digital Forensics
cross-view difference
enumerating the same data with trusted/kernel-level tools and diffing against the subject's tools - C) Running an antivirus scan - D) Reinstalling `netstat` from the subject's package manager → Data Recovery and Digital Forensics
Crypto erase
key gone, ciphertext permanent | → Data Recovery and Digital Forensics
Cryptocurrency
Digital assets (Bitcoin, Ethereum, and others) recorded on a *blockchain* and controlled by *private keys*. Frequently encountered in fraud, ransomware, and dark-market investigations (Ch. 33). → Glossary
Cryptocurrency Investigation
follows the money the weapon was built to extract: when the WEB-07 operators (or the ransomware crew of Chapter 12) demand payment in Bitcoin, you trace the wallets, cluster the addresses, and follow the blockchain — turning the C2's profit motive into another evidentiary trail. → Data Recovery and Digital Forensics
CSAM (child sexual abuse material)
Illegal imagery of the sexual abuse of minors. This book addresses it **only** clinically — procedure, law (*mandatory reporting*), and examiner well-being — and never describes content. Discovery triggers immediate scope and reporting duties. *See also* NCMEC, 18 U.S.C. §2258A (Ch. 28). → Glossary

D

Data carving
*See* file carving (Ch. 7). → Glossary
Data events
object-level S3 access (`GetObject`, `PutObject`), Lambda invocations — are *not* logged by default and must be explicitly enabled, which is why "did the attacker read the bucket?" so often has no answer. Crucially, the actions an attacker takes to blind you are *themselves* CloudTrail events: `Stop → Data Recovery and Digital Forensics
Data Recovery
the hashing, carving, and EXIF scripts are daily tools. 🔍 **Forensic Examiner** — every script here turns a manual artifact into a repeatable, documentable step. 🛡️ **Incident Response** — the SQLite, timeline, and hash-set scripts triage a host fast. 📜 **Legal/eDiscovery** — understanding *how* the → Appendix B — Python Forensics Toolkit
Data Recovery and Digital Forensics
*Finding What's Lost, Proving What Happened* → Final Exam
Data remanence
The residual physical representation of data that persists after deletion or even after a nominal erase — the phenomenon that makes recovery possible and motivates *secure deletion*. *See also* "deleted ≠ destroyed" (Ch. 2; Ch. 30). → Glossary
Data run (cluster run)
In NTFS, the compact encoding inside a non-resident `$DATA` attribute that lists the starting cluster and length of each fragment of a file. Reconstructing data runs is the core of NTFS logical recovery (Ch. 4; Ch. 6). → Glossary
Daubert standard
The U.S. federal test (from *Daubert v. Merrell Dow*, 1993; FRE 702) under which a judge acts as gatekeeper for expert testimony, weighing testability, peer review, known error rate, standards, and general acceptance. The reason your methods must be validated and documented. *See also* Frye standard → Glossary
dc3dd / dcfldd
Forensically enhanced versions of the Unix `dd` imaging tool that add on-the-fly *hashing*, progress, error handling, and logging — purpose-built for acquisition. *See also* Appendix H (Ch. 14). → Glossary
dd
The classic Unix utility that copies data block-by-block; the simplest way to make a raw *bit-stream* image. Powerful but unforgiving (a reversed `if=`/`of=` can destroy evidence) (Ch. 14). → Glossary
ddrescue (GNU ddrescue)
An imaging tool designed for *failing* media: it reads the easy areas first, retries bad regions, and logs a mapfile so imaging can resume — the recovery engineer's workhorse for unstable drives (Ch. 8). → Glossary
Debrief discussion prompts:
How can an expert be technically excellent and still excluded? (Case Study 1's judge "did not doubt the witness's technical competence.") - Where in the case's life — lab, report, pretrial, or stand — was the case actually won or lost? - Which is the harder skill: getting the analysis right, or *not → Mock Trial Exercise Guide
Decode a data run by hand
`21 18 34 56 00` — then check it against `icat`'s output. (Exercise 4.10.) - **Create and delete a file on a loopback ext4 image**, then recover it with `extundelete` — and watch how a few writes shrink the window. (Exercise 4.28.) → Data Recovery and Digital Forensics
decorated candidate
looked unbeatable on paper. A computer-science background and five certifications: CHFI, Security+, a vendor tool cert, and two more, every one of them a knowledge exam he had studied hard and passed. His résumé was a clean wall of letters. What it did not contain, the manager noticed, was anything → Data Recovery and Digital Forensics
Decryptor
A tool that reverses a specific ransomware family's encryption, sometimes released after a key leak or law-enforcement takedown; the best-case (and often unavailable) ransomware outcome. *See also* ransomware (Ch. 12). → Glossary
Deep packet inspection (DPI)
Examination of packet payloads (not just headers) to identify applications, extract files, and detect malicious content in captured network traffic. *See also* PCAP (Ch. 23). → Glossary
default
metadata journaled, data forced to disk first), `writeback` (metadata only). Because it records metadata *before* commit, it frequently holds a recent **pre-deletion copy of an inode**, including the block map you need. → Appendix G — File System Reference
defended in court
so every step is documented and the evidence is provably unaltered. - C) Recovery is a legal activity; forensics is a law-enforcement-only activity. - D) Recovery works only on hard drives; forensics works only on solid-state drives. → Midterm Exam
Defense attorney
leading questions that are genuinely leading; builds from handling to interpretation; springs the overstatement trap cleanly; does *not* argue facts with the witness (that's the witness's loss to give, not the lawyer's to take). - **Retaining attorney** — direct goes foundation-first; redirect actua → Mock Trial Exercise Guide
deleted `client_export_FINAL.xlsx`
the file the engineer is alleged to have copied out and then deleted to cover the act. Three tools, three codebases, one truth. → Data Recovery and Digital Forensics
Deleted ≠ destroyed
deletion removes the *pointer*, not the data; it persists until overwritten. The foundation of both disciplines. 2. **The original is sacred** — never work on the original. Image first, verify with hashes, work on the copy (forensics for admissibility; recovery because the original is irreplaceable) → _continuity.md — Data Recovery and Digital Forensics (INTERNAL — do not publish)
deletion removes the pointer, not the data
rendered into everyday terms: → Data Recovery and Digital Forensics
Deliverable 1
a one-page **Authority and Scope Memo**: civil framework; basis of authority (ownership + signed AUP + banner, all pre-dating the incident); in-and-out scope with the date window and search terms; litigation-hold confirmation, with the verified image as preservation of record. **Deliverable 2** — a → Chapter 25 — Teaching Notes (The Legal Framework)
demonstrative exhibits
a one-page diagram, a blown-up screenshot of matching hashes, a simple timeline graphic. Pick one of your findings and describe the single demonstrative you would build, and the two things you must confirm about it before trial (that your attorney has it, and that it is accurate enough to survive it → Data Recovery and Digital Forensics
device activity versus identity
you can place a *device* at a location, in active use, running a particular app, at a precise time, but you cannot prove *whose hands were on the glass*; attribution must come from corroboration (biometrics, account activity, witnesses). → Data Recovery and Digital Forensics
Device Configuration Overlay (DCO)
A hidden, vendor-settable area that can shrink the apparent capacity of an ATA drive, concealing sectors from the OS. Like the *HPA*, it must be detected and removed at acquisition so no data is missed (Ch. 14). → Glossary
DFIR engagement
acquisition under pressure, triage at scale, multi-source artifact analysis, timeline reconstruction, anti-forensics detection, and an incident report that drives containment, eradication, and recovery. It is built on eleven core chapters: **5, 14, 15, 16, 17, 21, 22, 23, 30, 32, 26**, with the rest → Syllabus — Incident Response track
Digital forensics
The application of investigative and analytical techniques to identify, preserve, analyze, and present digital evidence in a legally admissible manner. Its priority is *provable accuracy*, not speed (Ch. 1). → Glossary
Direction
does parity start on the *last* disk and march left (left layouts), or start on the *first* disk and march right (right layouts)? 2. **Symmetry** — *asymmetric* lays data blocks left-to-right across the non-parity slots, numbering independent of the parity position. *Symmetric* starts the next data → Data Recovery and Digital Forensics
Directory Table Base (DTB)
the value the CPU loads into the `CR3` register when it schedules that process. This is why a memory analysis tool's very first job is to find a DTB: without it, a virtual address in a process is just a number it cannot resolve to a physical page. (It is also why the **pagefile/swap matters** — a vi → Data Recovery and Digital Forensics
Discovery API
what does each return, what format, and which requires Enterprise Grid? (b) A user "deleted" a message that nonetheless appears in a compliance export. Explain why, citing the book's first theme and the fact that retention is set at the workspace level rather than by the user. (c) Name the API scope → Data Recovery and Digital Forensics
Disk 2
the original "failure" — turned out to be almost entirely readable; it had dropped not from a head crash but from a marginal firmware glitch that a patient, single-pass image read straight through. **Disk 4**, by contrast, the one that died *during* the rebuild, had genuine media defects: 214 unread → Data Recovery and Digital Forensics
Disk order
which physical disk is member 0, 1, 2, … - **Stripe (chunk) size** — 16 KB? 64 KB? 256 KB? - **Parity rotation and direction** — left vs. right, synchronous vs. asynchronous (where parity sits relative to data in each successive stripe) - **Start offset** — where the data area begins on each member → Data Recovery and Digital Forensics
Disk order is not bay order
controllers number internally, drives get re-seated, and bays get swapped during panic. Order is recovered by finding structures that *span* a stripe and seeing which sequence makes them continuous. The richest anchors live at the very front of the volume, which sit on the disk holding stripe 0, blo → Data Recovery and Digital Forensics
distinct timestamps
`DateTimeOriginal` (taken, *local, no zone*), `CreateDate` (digitized), `ModifyDate` (last modified), and `GPSDateStamp`/`GPSTimeStamp` (**UTC**). The local-vs-UTC gap *recovers the timezone*. - **GPS** is degrees/minutes/seconds rationals + a hemisphere ref → convert to signed decimal degrees (`deg → Data Recovery and Digital Forensics
DKIM (DomainKeys Identified Mail)
An email-authentication method using a cryptographic signature in the headers to verify a message's domain and integrity; with *SPF* and *DMARC*, central to assessing whether an email is spoofed (Ch. 19). → Glossary
DLL injection
A technique (legitimate and malicious) of forcing a process to load a library into its address space; in memory forensics, injected or hidden code is hunted with tools like Volatility's `malfind`. *See also* malware forensics (Ch. 22; Ch. 32). → Glossary
do not carry per-event wall-clock timestamps
the event IDs are a strictly increasing counter, not a clock. You establish *order* directly from the IDs, and approximate *time* from the gzip file's own modification time plus correlation with timestamped sources (the Unified Log, Spotlight, knowledgeC). Second, FSEvents logs at *directory* granul → Data Recovery and Digital Forensics
do not copy
is a legal line and not lab etiquette, citing **18 U.S.C. §2252/§2252A**: which acts besides creation the statutes criminalize, why a law-enforcement examiner's possession is lawful while a private party's is not, and what the narrow **affirmative defense** in §2252A actually requires (promptly repo → Data Recovery and Digital Forensics
Document your negative findings
e.g., whether you found evidence of anti-forensic tools or timestomping (theme #3), and whether anything *contradicts* exfiltration. If your timeline and the `$FILE_NAME` vs. `$STANDARD_INFORMATION` timestamp comparison from [Chapter 21](../../part-3-digital-forensics/chapter-21-timeline-analysis/in → Data Recovery and Digital Forensics
documentation / chain of custody
it is not a fifth phase because it is not something you finish and move past; it is continuous, recorded at every step in every phase. → Answers to Selected Exercises
documented alternative hypotheses
saying in one sentence each how it works. Finish by explaining the chapter's quietest tell ("notice when you are *relieved* by a result") and why **noble-cause corruption** is the most dangerous rationalization in this field *precisely because it feels virtuous* — using anchor case #4 (the child-exp → Data Recovery and Digital Forensics
DoD 5220.22-M
A historically cited multi-pass disk-wiping pattern. Modern guidance (NIST SP 800-88) notes a single overwrite suffices for magnetic media, and that flash requires cryptographic erase. *See also* secure deletion, Gutmann method (Ch. 30). → Glossary
double-fault stripes
stripes where disk 4's unreadable sectors fell in the *same* stripe rows that also needed a block from the originally-failed member, leaving two blocks missing from one stripe. RAID 5 parity reconstructs *one* missing block per stripe; two is one too many, and those bytes were genuinely, mathematica → Data Recovery and Digital Forensics
draft a voir-dire-proof CV credentials block
only true, current credentials, with issue/expiry dates and certificate numbers held as documentation, historical credentials clearly marked. This completes the qualifications record [Chapter 27](../../part-4-legal-framework-and-reporting/chapter-27-expert-testimony/index.md) asked you to begin and → Data Recovery and Digital Forensics
Drive slack
*See* slack space (Ch. 2). → Glossary
Dual-tool verification
The professional practice of confirming a significant finding with a second, independent tool, so a conclusion never rests on one program's correctness. A Daubert-friendly habit (Ch. 36; Ch. 28). → Glossary

E

E01 (EnCase Evidence File / Expert Witness Format)
The most common forensic image container: it stores the *bit-stream* copy with embedded metadata, per-block CRCs, and stored MD5/SHA hashes, and supports compression and splitting. *See also* AFF4, raw image (Ch. 14). → Glossary
Each session
☐ Students **revert to the clean snapshot** before starting (always after any malware/untrusted work). - ☐ Confirm network mode is **not attached** unless the lab says otherwise. - ☐ Re-verify the day's image hash against the published value. - ☐ Open the lab notebook; record tool versions and objec → Lab Setup Guide
earlier state of the file tree
letting you see files and folders that were present before the user's most recent sync/cleanup, even after they were removed from the current `.dat`. → Answers to Selected Exercises
early
retention timers delete evidence you could have saved. → Data Recovery and Digital Forensics
Early-warning signs.
They reach for a calculator to convert `0x200` and still hesitate. - Answers are wrong by a clean factor of **8** (they assumed 512-byte sectors on a 4Kn drive) or a factor of **512** (they forgot to multiply at all). - Off-by-one errors because they counted from 1; the first sector is **LBA 0**, an → Common Student Struggles (and How to Help)
eDiscovery (electronic discovery)
The legal process of identifying, preserving, collecting, and producing *ESI* in litigation, governed in U.S. federal court by the *FRCP*. *See also* litigation hold, spoliation (Ch. 25). → Glossary
the cloud analogue of "the original is sacred," implemented as policy because you cannot attach a write-blocker to Exchange Online — and you immediately export the sign-in logs and the UAL before either erodes. You hash each export the instant it lands and record the chain-of-custody line: cmdlet, t → Data Recovery and Digital Forensics
EDR (event data recorder)
A vehicle's "black box," which records pre-crash parameters (speed, braking, seatbelt status); a key data source in *vehicle forensics*. **Note:** in incident-response contexts, "EDR" instead means *endpoint detection and response* — a security agent that logs and blocks host activity (Ch. 34; IR se → Glossary
eight
a full MACB set in the `$STANDARD_INFORMATION` attribute (type `0x10`) and another full MACB set in the `$FILE_NAME` attribute (type `0x30`). (Strictly, a file can carry more than one `$FILE_NAME` — one for its long name and one for the 8.3 short name — so the count can exceed eight; the canonical t → Data Recovery and Digital Forensics
Electronic Discovery Reference Model (EDRM)
Identification, Preservation, Collection, Processing, Review, Analysis, Production, Presentation — and shows how the book's four-phase forensic process maps cleanly onto it. → Syllabus — eDiscovery for Paralegals and Attorneys
Email header
The metadata block preceding a message body, containing `From`, `To`, `Subject`, `Date`, `Message-ID`, and the chain of `Received` lines that trace the message's path. Often the most truthful part of an email. *See also* X-Originating-IP (Ch. 19). → Glossary
Email, Chat, and Social Media Forensics
follows the conversation off the web page and into the inbox and the DM: PST/OST and mbox/EML stores, webmail and message headers, and the chat and social-platform artifacts where so much modern intent is recorded — proof, again, that *technology changes, principles don't.* → Data Recovery and Digital Forensics
eMMC
managed NAND with an embedded controller — rather than a small SPI chip. Reading it is the same problem you met in [Chapter 9](../../part-2-data-recovery/chapter-09-ssd-and-flash-recovery/index.md) and [Chapter 11](../../part-2-data-recovery/chapter-11-mobile-device-recovery/index.md): either solder → Data Recovery and Digital Forensics
eMMC / UFS
Embedded flash storage standards in phones and embedded devices: **eMMC** (embedded MultiMediaCard) is older and slower; **UFS** (Universal Flash Storage) is newer and faster. Their packaging dictates *chip-off* and *ISP* feasibility (Ch. 11; Ch. 24). → Glossary
EnCase
A long-established commercial forensic suite (OpenText) for imaging and analysis; origin of the *E01* format and the *EnCE* certification (Ch. 36; Ch. 39). → Glossary
EnCE
EnCase Certified Examiner | **OpenText** (formerly Guidance Software) | Computer forensics *and* the EnCase platform | 64 hrs authorized training **OR** 12 months CF experience | Two-phase: Phase I written (~170 Q, online proctored); Phase II take-home practical against a provided evidence file (~60 → Appendix I — Certification Roadmap
EnCE, GCFE, GCFA, CCE, CFCE, and CHFI
so you can tune a section, a track, or a whole course to the credential your students are chasing, see at a glance where the book carries the load, and know exactly where you must add hands-on practice the textbook cannot supply. → Certification Mapping
encrypted
FileVault on a Mac, and hardware encryption that is effectively always-on for iOS devices. Without the key or passphrase, the on-disk bytes are ciphertext and no file-system knowledge helps. Recognizing these limits early (theme #5) means you pivot to the sources that *do* survive — snapshots, Time → Data Recovery and Digital Forensics
Encrypted Device Forensics
turns from the ethics of what you may do to the technical wall of what you sometimes *cannot*: BitLocker, FileVault, LUKS, and VeraCrypt, where strong cryptography can make data genuinely unrecoverable, the Fifth Amendment meets the password, and "know your limitations" stops being a maxim and becom → Data Recovery and Digital Forensics
encrypted, redundant, immutable (WORM)
and for each name a concrete mechanism from the chapter. Then explain the precise division of labor between **hashing** and **WORM**: which one *detects* alteration and which one *prevents* it, and why a defensible lab wants both rather than either alone. → Data Recovery and Digital Forensics
Encryption
The transformation of data into ciphertext using a key, so that without the key it is unreadable. The single greatest honest limit on both recovery and forensics: strong, properly implemented encryption without the key is unbreakable. *See also* AES, full-disk encryption (Ch. 29). → Glossary
Endianness
The byte order in which multi-byte values are stored. **Little-endian** (least-significant byte first; x86, most file systems) and **big-endian** (most-significant first; network order). Getting it wrong corrupts every parsed timestamp and offset (Ch. 2). → Glossary
Eric Zimmerman (EZ) suite
a family of fast, focused .NET utilities, each of which turns one messy binary artifact into clean CSV. Their deep use belongs to [Chapter 16 — Windows Forensics](../../part-3-digital-forensics/chapter-16-windows-forensics/index.md) and [Chapter 21 — Timeline Analysis](../../part-3-digital-forensics → Data Recovery and Digital Forensics
Eric Zimmerman suite roster
one artifact, one parser, CSV out (load the CSV into **Timeline Explorer** to filter, tag, and pin exhibits): → Appendix C — Tool Reference
Error Level Analysis (ELA)
An image-forensics technique that re-saves a JPEG and compares compression error across regions to flag inconsistent (possibly edited) areas. Suggestive, not conclusive. *See also* PRNU, deepfake (Ch. 20; Ch. 35). → Glossary
escalate and seek guidance
from a supervisor, from counsel, from a trusted senior peer, from your professional body's ethics resources — rather than improvising alone at the keyboard. "I am not certain this is within my authority, so I stopped and asked" is never the wrong answer. Like "the evidence is insufficient to reach a → Data Recovery and Digital Forensics
ESI (electronically stored information)
The FRCP term for any information created or stored electronically that is discoverable in litigation — documents, email, databases, metadata, logs. *See also* eDiscovery (Ch. 25). → Glossary
Establish and record authority plus the two clocks
the legal/engagement basis for acting live, and subject time vs. trusted time with skew. (2) **Isolate via EDR (not power-off) and image memory first** — power-off could re-lock an encrypted volume and lose the active connection and any key in RAM; isolation stops the upload while preserving volatil → Data Recovery and Digital Forensics
Ethics in Data Recovery and Digital Forensics
turns from how you defend your findings to what you owe while making them: independence over advocacy, the duty to seek and disclose exculpatory evidence, mandatory reporting when you encounter the unthinkable, scope discipline, and the real cost the work exacts on the people who do it — including y → Data Recovery and Digital Forensics
even after history was cleared
the user wiped `History` but forgot `Favicons`. The same logic applies to **`Top Sites`** (thumbnails of frequent destinations) and **`Shortcuts`** (the omnibox autocomplete database, which records what the user typed and which suggestion they chose — pure intent). - **`Sessions\`** holds `Session_* → Data Recovery and Digital Forensics
Event Data Recorder
read with the **Bosch CDR** tool via OBD-II or directly at the airbag module, with **owner consent or a warrant**; (3) the **connected-car cloud** — obtained by **legal process to the manufacturer**. Full credit for the three systems each paired with a correct tool/authority. → Data Recovery and Digital Forensics
Event Data Recorder (EDR)
the automotive "black box." It is not a continuous trip logger; it is a crash recorder. Built into or associated with the airbag control module (variously the ACM, SDM, or RCM depending on the maker), the EDR continuously buffers a few seconds of vehicle dynamics and *captures* that buffer when a cr → Data Recovery and Digital Forensics
Event log (.evtx)
Windows's binary logging format (`C:\Windows\System32\winevt\Logs\`), recording security, system, and application events with FILETIME stamps — a backbone of Windows timelines and intrusion analysis (Ch. 16). → Glossary
every sector of all three surviving disks
a brutal, sustained, end-to-end stress test on three other drives that were exactly as old as the one that had just failed. At hour nineteen, with the rebuild at 86%, aging **disk 4** hit a sector it could not read — an **unrecoverable read error (URE)** — and the controller, unable to complete the → Data Recovery and Digital Forensics
evidence-management system
even a disciplined spreadsheet or a database, ideally a purpose-built one — that assigns each item a unique number, barcodes it, and records its description, hashes, location, and complete custody history. The system answers, instantly, "where is item 2026-0142-03 right now, and who has touched it?" → Data Recovery and Digital Forensics
exactly
correct issuer, correct status (active vs. lapsed), correct scope. Listing an expired credential as current, or implying a tool cert is a vendor-neutral examiner qualification, is the kind of misrepresentation that ends careers and gets reports excluded. The same integrity you bring to evidence (see → Appendix I — Certification Roadmap
Exams (with solutions)
`midterm-exam.md` / `midterm-solutions.md` — covers the foundations and recovery/early-forensics material (Parts I–III) - `final-exam.md` / `final-solutions.md` — comprehensive, weighted toward Parts III–IV and the advanced topics → Instructor Guide — Data Recovery and Digital Forensics
Exchange-Y, a U.S.-registered MSB
a domestic chokepoint. Third, and decisively, about **110,000 USDT** was still *sitting* at an unspent address, not yet cashed out. → Data Recovery and Digital Forensics
Exclusionary rule
The U.S. doctrine that evidence obtained through an unconstitutional search or seizure is generally inadmissible; its extension, *fruit of the poisonous tree*, excludes evidence derived from the illegal act. Why lawful authority precedes every acquisition (Ch. 25). → Glossary
exFAT
Microsoft's lightweight file system for flash media and large removable drives; like *FAT* it lacks journaling, but supports large files and stores timestamps with a UTC-offset field (Ch. 4). → Glossary
exfiltration and concealment vector
data smuggled out of an organization inside an innocuous cat picture, or contraband payloads hidden in ordinary-looking media. Our treatment here is strictly **detection** (theme of defensive framing throughout this book); we do not teach embedding. → Data Recovery and Digital Forensics
Exhaustive
reproducible audit trail | | **Speed vs. rigor** | Speed weighted higher | Rigor weighted higher | | **Deliverable** | Recovered files | A court-admissible **report** | → Data Recovery and Digital Forensics
Exhibit 2024-0731-002
Dell Latitude 5540, serial 7QJ4XK3, 512 GB NVMe SSD, Windows 11 / NTFS. Acquired with **FTK Imager 4.7.1.2** through a **Tableau hardware write-blocker** confirmed read-only beforehand; image written to E01. > > **Acquisition hashes** (recorded at intake, re-verified the morning of testimony): > ``` → Mock Trial Exercise Guide
EXIF (Exchangeable Image File Format)
Metadata embedded in photos (and many videos): camera make/model, settings, date-taken, and often **GPS coordinates**. A frequently decisive artifact — and one anti-forensics tries to strip. *See also* geotag (Ch. 20). → Glossary
exigent circumstances
and few things establish exigency like *evidence being actively destroyed in front of you* (ransomware encrypting, a remote-wipe countdown, a wiper armed for shutdown). Note the basis in your log before the first command. "I had authority because…" written at 02:16 is far stronger than the same sent → Data Recovery and Digital Forensics
Expert Testimony
takes the report you just learned to write and puts you in the witness chair to defend it: qualification as an expert under *Daubert* and FRE 702, direct and cross-examination, the *voir dire* challenge, explaining the Master File Table to a jury, and the cross-examination drill on the very anchor-c → Data Recovery and Digital Forensics
expert witness
see [Chapter 27 — Expert Testimony](../part-4-legal-framework-and-reporting/chapter-27-expert-testimony/index.md). → Appendix E — Legal Frameworks Reference
explainability
many models are black boxes that cannot say *why* they scored an input, and post-hoc tools (SHAP, LIME, Grad-CAM) are approximations, not the model's reasoning; **bias** — training-data skew produces documented demographic disparities (NISTIR 8280); **reproducibility** — nondeterminism and silent ve → Data Recovery and Digital Forensics
ext4 (fourth extended file system)
The common Linux file system, organized around *inodes* and block groups, with journaling and nanosecond timestamps (including `crtime`). Deletion zeroes block pointers, complicating recovery relative to older ext versions (Ch. 4). → Glossary
extents
`(logical_block, length, physical_block)` triples that map contiguous ranges efficiently. The `i_block` area holds an extent **tree**: a 12-byte header (magic `0xF30A`) plus up to four inline entries; larger/fragmented files push the tree into index blocks. → Appendix G — File System Reference

F

factory reset is crypto erase
the key is destroyed, the ciphertext is permanent. Throughout, the same artifacts serve two disciplines: a backup or a carved JPEG is *recovery* when the owner asks for their data and *forensics* when it might land in court, and the only difference is your authority, goal, and rigor. Recognizing the → Data Recovery and Digital Forensics
factory-resets `userdata`
destroying the very evidence you came for. Never do it on an evidence device without certainty about its wipe behavior; prefer temporary/exploit root that touches no persistent partition. - **Stopping at a logical extraction when a file-system extraction was achievable.** Logical pulls miss app-priv → Data Recovery and Digital Forensics
Faraday bag
A radio-frequency shielding enclosure that isolates a seized phone from cellular, Wi-Fi, and Bluetooth signals to prevent remote wiping or alteration before acquisition (Ch. 15; Ch. 24). → Glossary
fast and lightweight
it runs from a USB stick, installs nothing, sips resources, and processes evidence faster than far heavier suites — at a fraction of the licensing cost of EnCase or FTK. The trade-off is a **steep learning curve** and a dense, expert-oriented interface that assumes you already understand file system → Data Recovery and Digital Forensics
FAT (File Allocation Table)
A simple, durable file-system family (FAT12/16/32) built around a table mapping cluster chains; still ubiquitous on small and removable media. Stores times in local time at coarse (2-second) resolution. *See also* exFAT (Ch. 4). → Glossary
field-standard and independently tested
the NIST Computer Forensic Tool Testing (CFTT) program publishes results for write-blockers and imaging tools against a documented specification; the algorithms (SHA-256, the file-system structures) are public and peer-reviewed; you used a **specific, version-pinned** tool whose version you recorded → Data Recovery and Digital Forensics
File carving
Recovering files by recognizing their content — *signatures*, structure, and *footers* — directly from raw data, **without** relying on file-system metadata. The primary recovery method when the file system is gone or the file's entry was overwritten. *See also* PhotoRec, header/footer (Ch. 7). → Glossary
File signature (magic number)
A short, fixed byte sequence at (usually) the start of a file that identifies its type regardless of extension — e.g., JPEG `FF D8 FF`, PNG `89 50 4E 47`, PDF `25 50 44 46` (`%PDF`), ZIP/Office `50 4B 03 04`. The anchor of *file carving* and type verification. Full table in [Appendix A](appendix-a-f → Glossary
File slack
*See* slack space (Ch. 2). → Glossary
File system
The on-disk structure and rules that organize raw storage into named files and directories, tracking which clusters belong to which file and what is free. What "deleted" means depends entirely on the file system. *See also* NTFS, ext4, APFS, FAT (Ch. 4). → Glossary
File Systems
moves up one layer: now that you know how the *hardware* stores raw sectors, you will learn how NTFS, ext4, APFS, FAT, exFAT, and HFS+ organize those sectors into files and directories — and exactly what each one does, and leaves behind, when a file is "deleted." → Data Recovery and Digital Forensics
file-system damage layered on top of array damage
a crash that corrupted the MFT during the failure — means a correct reconstruction still needs Chapter 6 logical recovery and Chapter 7 carving to finish the job. "I reconstructed the array correctly and *this much* is recoverable; the rest is mathematically or physically lost" is a complete, honest → Data Recovery and Digital Forensics
filename and the former inode number
and from there, metadata if the inode hasn't been reused — even when the block map is gone. The journal (`jbd2`) sometimes holds a stale copy of the inode with its extents intact, which is the other route back. → Answers to Selected Exercises
FILETIME
The Windows timestamp: a 64-bit count of 100-nanosecond intervals since 1601-01-01 UTC, used throughout NTFS, the registry, `.evtx`, and LNK files. Convert to Unix seconds by subtracting `116,444,736,000,000,000` and dividing by 10,000,000. *See also* Unix time (Ch. 21; Ch. 16). → Glossary
FileVault
Apple's full-disk encryption for macOS (XTS-AES), tied to user credentials and a recovery key, and on modern Macs to the *Secure Enclave*. *See also* full-disk encryption (Ch. 29). → Glossary
Final deliverables.
**Incident report** — executive summary (for the CISO), technical findings (separated from conclusions), evidence inventory with dual hashes + chain of custody, tools-with-versions, methodology, and **containment / eradication / recovery recommendations** plus a lessons-learned section. Built on the → Syllabus — Incident Response track
finding what you weren't looking for
has one core response for every role: stop, do not copy, preserve, isolate, document (path, hash, time, method — never content), and escalate now, because possession and reproduction of CSAM are themselves crimes under 18 U.S.C. §2252/§2252A, because the §2258A CyberTipline duty falls on providers w → Data Recovery and Digital Forensics
Findings
The conclusions an examiner draws from the evidence, stated in the *forensic report* with the supporting basis and appropriate qualification. "The evidence is insufficient to reach a conclusion" is itself a valid finding (Ch. 26). → Glossary
Firmware
Low-level software embedded in a device's hardware (drive controllers, phones, IoT, vehicles). On hard drives the *service area* holds firmware; firmware corruption is a recoverable failure mode, and firmware images are key evidence in embedded forensics (Ch. 34; Ch. 8). → Glossary
first anchor case
irreplaceable images, the recovery technician as both engineer and human service — in its darkest variant. In [Chapter 1](../../part-1-foundations/chapter-01-two-disciplines/index.md) the deleted wedding photos came *back*, because deletion only removes the pointer. Here the same theme meets its one → Data Recovery and Digital Forensics
fitness tracker
and the building uses a **smart-lock access system**. Three independent devices, three independent clocks, none of them touched by the CCleaner run on the laptop, because anti-forensics that scrubs a Windows workstation cannot reach a car's head unit, a wearable's cloud, or a door controller. You ac → Data Recovery and Digital Forensics
Five syllabi
`syllabus-digital-forensics-15-week.md` — the academic forensic-examiner course (🔍) - `syllabus-data-recovery-vocational.md` — hands-on recovery technician track (💾) - `syllabus-incident-response.md` — corporate security / IR emphasis (🛡️) - `syllabus-ediscovery-paralegal.md` — legal / eDiscovery tr → Instructor Guide — Data Recovery and Digital Forensics
Flash Extractor / Soft-Center
a widely used chip-off reconstruction suite with its own controller-profile database. - **Rusolut Visual NAND Reconstructor (VNR)** — strong at the visual, manual analysis of raw dumps when no profile exists: spotting the page structure, deducing the ECC and scrambler by inspection, working out the → Data Recovery and Digital Forensics
Flash Translation Layer (FTL)
The controller logic in SSDs and flash media that maps logical block addresses the OS sees to ever-changing physical NAND locations, implementing *wear leveling*, *garbage collection*, and *TRIM*. The FTL is why an SSD's logical-to-physical mapping is opaque and recovery is unpredictable (Ch. 3; Ch. → Glossary
Flat fee
predictable for clients; fails when a "simple" job turns invasive (you eat the loss or cut corners). **Tiered by difficulty** — matches price to effort; fails if tiers are vague or you misclassify on intake. **No-data-no-charge (NDNC)** — humane and trust-building; fails as a *pure* model because ev → Answers to Selected Exercises
A fixed byte sequence marking the **end** of a file type (e.g., JPEG `FF D9`), used with the *header* to bound a carve. Not all formats have one. *See also* file carving (Ch. 7). → Glossary
footprint on the endpoint
a disk you *can* image — where sync clients leave rich, retention-proof artifacts: OneDrive's `.dat` sync database (parsed with OneDriveExplorer, with `cloud-only` flags that prove a file lived in the cloud without ever fully downloading) and its de-obfuscated ODL operation logs; Google Drive's → Data Recovery and Digital Forensics
for the student
which credential to chase, what it costs, how to keep it alive, and which career column it belongs to. This document is written **for you** — domain-by-domain, which chapters do the work, what they leave uncovered, and how to wire the gap shut with labs. Read the appendix for the *why*; use this fil → Certification Mapping
foremost / scalpel
header/footer carvers with configurable signature databases ([Ch.7](../../part-2-data-recovery/chapter-07-file-carving/index.md)). - **ddrescue / dcfldd / dc3dd** — error-tolerant and forensic imaging ([Ch.8](../../part-2-data-recovery/chapter-08-hard-drive-recovery/index.md), [Ch.14](../../part-3-d → Data Recovery and Digital Forensics
Forensic Acquisition
takes the image-first discipline you have been practicing as good recovery hygiene and tightens it to courtroom standard: write-blocking, forensic imaging formats, cryptographic verification, and the chain of custody that makes an image admissible — the moment your work formally crosses from recover → Data Recovery and Digital Forensics
Forensic Case File
a complete, court-style investigation you build one skill at a time, beginning in earnest with the assignment and acquisition in [Chapter 5](../chapter-05-the-forensic-process/index.md). Chapter 2's contribution is the literacy everything else assumes. Before the next chapter, do three concrete thin → Data Recovery and Digital Forensics
forensic duplicators
appliances that combine write-blocking, imaging, and verification in one box and can run unattended, sometimes cloning several drives at once. The **Tableau TX1**, the **Logicube Falcon-NEO**, and the **Atola TaskForce** are the workhorses; they image to E01/raw/AFF4, compute dual hashes, log everyt → Data Recovery and Digital Forensics
Forensic Examiner
registry, event logs, and execution artifacts are the daily bread of Windows DFIR. 🛡️ **Incident Response** lives here too: logon events, service installs, and autostart keys are how you find persistence and lateral movement. 📜 **Legal/eDiscovery** practitioners should read the USB-history and LNK/J → Data Recovery and Digital Forensics
Forensic image
A complete, verified, bit-for-bit copy of source media (also *forensic duplicate*), stored as raw/`dd`, *E01*, or *AFF4*. You analyze the image, never the original — protecting evidence integrity for forensics and the irreplaceable original for recovery. *See also* hash, write blocker (Ch. 5; Ch. 14 → Glossary
Forensic soundness
The property that an acquisition and analysis altered nothing on the evidence (or that any unavoidable change is documented and explained), and that results are *reproducible*. The bedrock requirement for admissibility (Ch. 5). → Glossary
forensics
the identical extraction, but acquired under a warrant, hashed, custody-documented, and parsed against a verified copy so the tracklog can be defended on the stand. One board, two postures. → Data Recovery and Digital Forensics
Fourth Amendment
The U.S. constitutional protection against unreasonable searches and seizures; the source of the *warrant* requirement and its exceptions (*consent*, *plain view*, exigency). Defines the lawful authority to search a device (Ch. 25). → Glossary
Fragmentation
if a file's clusters are not contiguous, header-to-footer carving splices in unrelated data or stops short; only smart carvers (PhotoRec) and file-system-aware recovery handle this. (2) **No metadata** — a carved file has no name, path, owner, or timestamp; you cannot prove *when* it was created or → Appendix B — Python Forensics Toolkit
Fragmentation defeats linear carving
the big one; non-contiguous files come out spliced and corrupt. Bifragment gap carving rescues some two-fragment cases; three-plus in arbitrary order generally cannot be reassembled by content alone. - **No distinctive header, no carve** — plain text, CSV, many logs (use `bulk_extractor` for *conten → Data Recovery and Digital Forensics
FRCP (Federal Rules of Civil Procedure)
The rules governing U.S. civil litigation, including *eDiscovery* obligations and the Rule 37(e) framework for sanctions over *spoliation* of *ESI* (Ch. 25). → Glossary
FRE (Federal Rules of Evidence)
The rules governing admissibility in U.S. federal court; key ones for examiners are 702 (expert testimony / *Daubert*), 901 and 902(14) (*authentication*, including by hash), and 1001–1004 (*best evidence*) (Ch. 25). → Glossary
freelist
the old row content lingers in **freelist pages and in unused (slack) areas of B-tree pages**. (b) The sidecars are the **`-wal`** (write-ahead log) and **`-shm`** (shared-memory index). The `-wal` can contain **committed-but-not-yet-checkpointed transactions** *and* **superseded older page images** → Answers to Selected Exercises
Friday 18:39–18:43
pulled down from corporate storage minutes before the personal-OneDrive upload at 18:44. The `AuditData` JSON gives client IP `203.0.113.47` for each. → Data Recovery and Digital Forensics
Fruit of the poisonous tree
The doctrine extending the *exclusionary rule* to evidence derived from an initial illegal search or seizure (Ch. 25). → Glossary
Frye standard
The older "general acceptance" test for scientific evidence (*Frye v. United States*, 1923), still used in some U.S. states instead of *Daubert* (Ch. 25; Ch. 27). → Glossary
Full-disk encryption (FDE)
Encryption of an entire volume or drive so that all data is ciphertext at rest until unlocked. *BitLocker*, *FileVault*, *LUKS*, and *VeraCrypt* are the major examples; FDE reshapes acquisition strategy toward live capture and key recovery (Ch. 29). → Glossary

G

gap has coordinates
a wiped log or a stopped history is dated evidence. → Data Recovery and Digital Forensics
Garbage collection
The SSD background process that consolidates valid data and erases blocks marked free (often via *TRIM*) so they are ready to write. Combined with TRIM, it can permanently destroy deleted data within seconds — minutes, making SSD recovery time-critical (Ch. 9). → Glossary
GCFA
`renew_by = 2030-04-01`, `cpe_required = 36`, `cpe_logged = 10`. - **EnCE** — `renew_by = 2028-09-01`, `cpe_required = 32`, `cpe_logged = 32`. (a) For each credential, compute `days_left` and the CPE gap, and state whether `renewals_due` returns it. (b) The GCFA is *years* from expiry yet is still f → Data Recovery and Digital Forensics
GCFE (FOR500)
Windows host forensics: the registry, Prefetch, AmCache, LNK files, browsers, the `$Recycle.Bin`. Maps almost one-to-one to [Chapter 16 — Windows Forensics](../part-3-digital-forensics/chapter-16-windows-forensics/index.md) and [Chapter 18 — Browser and Internet Forensics](../part-3-digital-forensic → Appendix I — Certification Roadmap
GDPR (General Data Protection Regulation)
The EU's comprehensive data-protection law, governing the lawful processing, transfer, and minimization of personal data — a constant constraint in cross-border investigations and *cloud forensics* (Ch. 25; Ch. 31). → Glossary
geolocation
shared photos carry EXIF GPS (the domain of [Chapter 20 — Photo, Video, and Document Forensics](../chapter-20-photo-video-document-forensics/index.md)), some platforms tag posts with coarse location, and IP addresses geolocate approximately (city/ISP, not a street); **device identifiers** — `User-Ag → Data Recovery and Digital Forensics
Geotag
Geographic coordinates embedded in media metadata (chiefly *EXIF* `GPSLatitude`/`GPSLongitude`), placing a photo or video at a specific location and time. Frequently pivotal — and easy to overlook (Ch. 20). → Glossary
get the file back
replay the old inode, follow its extents to blocks 34816–37375, write out the 10 MB tarball, hand it over, done. A 🔍 forensic examiner asks the journal a *different* question: not only "what were the bytes?" but "**when did this exist, and when was it deleted?**" The journal's transaction sequence, → Data Recovery and Digital Forensics
Gone
no software, effectively no chip-off | | Seconds after deletion, power pulled before OS trims | TRIM never flushed | **Recoverable** — image before re-powering into an OS | | TRIM disabled at the OS | Drive never learned blocks were free | **Recoverable** like an HDD | | External / USB-bridged SSD ( → Data Recovery and Digital Forensics
GPT (GUID Partition Table)
The modern partitioning scheme that replaced the *MBR*: it supports drives larger than 2 TB and many partitions, uses GUIDs, and keeps a backup table at the end of the disk plus a protective MBR. *See also* partition table (Ch. 4). → Glossary
Grad-CAM
help indicate *which inputs* drove a decision, but they are themselves approximations, not the model's actual reasoning, and must not be oversold as such. → Data Recovery and Digital Forensics
GrayKey
A commercial law-enforcement device (Grayshift) for accessing and extracting data from locked iOS (and some Android) phones. *See also* mobile device forensics (Ch. 24). → Glossary
Griffeye
that let their examiners triage by hash without rendering every file. Her content-free discovery log became the clean record of how a private party lawfully encountered the material, stopped, secured it, and handed it off. Because she had logged the path, the hash, the time, and the method and *noth → Data Recovery and Digital Forensics
Gutmann method
A 35-pass overwrite scheme designed for obsolete drive encodings; effectively overkill on modern media but still cited in wiping discussions. *See also* secure deletion (Ch. 30). → Glossary

H

hallucinate
assert facts not in the source. The rule is unbending: AI-derived summaries, translations, and classifications are *leads to verify against primary evidence*, never quotations of record. If your suite used a model to reach a conclusion, you must be able to name the model, its version, and its known → Data Recovery and Digital Forensics
Hard disk drive (HDD)
A storage device that records data magnetically on rotating *platters* read by flying *heads* on an *actuator arm*. Mechanical, with characteristic failure modes (head crash, motor seizure, *bad sectors*) and, crucially, recoverable deleted data because there is no *TRIM* (Ch. 3). → Glossary
Hard Drive Recovery
moves from logical destruction to physical failure: what to do when the drive itself is the problem. You'll learn to read the click of a failed head, decide when a drive belongs in a clean room and when it never should be powered on again, and understand the imaging-the-dying-patient techniques (`dd → Data Recovery and Digital Forensics
hard physical jobs
broken screens, water damage, dead boards — where the goal is to get a living device to cooperate just long enough to hand you its data. Third, the **wall**: the realization that on a modern, passcode-protected, full-disk-encrypted phone, when the owner is gone or the passcode is lost and there is n → Data Recovery and Digital Forensics
Hardware dongles (USB)
classic for EnCase and X-Ways; the license is a physical key you must protect and, for a single dongle, can only use on one machine at a time. - **Node-locked** — tied to a specific machine; predictable, but inflexible if hardware changes. - **Subscription / floating** — annual cost, often with a li → Data Recovery and Digital Forensics
Hardware write-blockers
Tableau (now OpenText), WiebeTech/CRU, and others — are dedicated bridges for SATA, SAS, IDE, USB, NVMe, and more. They are the gold standard precisely because the blocking is enforced in hardware, independent of any operating-system setting you might forget. The U.S. NIST Computer Forensics Tool Te → Data Recovery and Digital Forensics
has not changed since capture
integrity from that instant forward. It cannot prove the capture was atomic; a running system mutates memory during acquisition (page smear), and there is no stable original to hash against. Overstating this is how acquisitions get impeached. → Data Recovery and Digital Forensics
Hash (cryptographic hash)
A fixed-length fingerprint computed from data such that any change yields a different value and the input cannot be derived from it. Hashing proves a *forensic image* matches its source and that evidence is unaltered. *See also* MD5, SHA-256, hash verification (Ch. 5). → Glossary
Hash collision
Two different inputs producing the same hash. Practical collisions exist for *MD5* and *SHA-1*, which is why *SHA-256* is preferred for forensic integrity, though MD5/SHA-1 remain useful for de-duplication and known-file matching (Ch. 5). → Glossary
Hash set
A collection of known file hashes used to filter evidence: **known-good** sets (e.g., NIST's *NSRL*) exclude standard OS/application files to reduce review volume; **known-bad** sets flag contraband or malware. *See also* PhotoDNA (Ch. 20). → Glossary
Hash the image you obtain
it certifies *the image*, not the dying original; document every unreadable byte range. → Data Recovery and Digital Forensics
Hash the source during acquisition
as the tool reads the source it computes `H_src`, the fingerprint of the evidence as acquired, in the single read you must perform anyway; this captures the as-seized state. (2) **Hash the image and compare** — read the written image back, compute `H_img`, and confirm `H_img == H_src`, proving the c → Data Recovery and Digital Forensics
hash value
the SHA-256 you computed in [Chapter 5](../../part-1-foundations/chapter-05-the-forensic-process/index.md) is the mechanism the rules use to let your image in without you authenticating every byte by hand. The **best-evidence** rules (FRE 1001–1003) treat an accurate **duplicate** as admissible as a → Data Recovery and Digital Forensics
Hash verification
Re-computing a hash after acquisition (and again before analysis) and comparing it to the original to confirm the image is a faithful, unaltered copy. The mechanical proof behind *chain of custody* (Ch. 5; Ch. 14). → Glossary
hashing
computing a fixed-length cryptographic fingerprint of data. A hash function takes input of any size and returns a short value (SHA-256 produces 64 hexadecimal characters; the older MD5 produces 32). Two properties make it the bedrock of integrity: the *same* input always yields the *same* hash, and → Data Recovery and Digital Forensics
Hashing wrong/insufficient
no source hash taken before imaging, and only a single MD5 of the *output*, so nothing proves fidelity. *Correct:* hash the source and the image and *compare*; use MD5 + SHA-256. (Ch. 5, 14.) 4. **Chain-of-custody gap** — a three-day hole with no entries or transfer signatures. *Correct:* a contempo → Final Exam — Solutions
Head crash
A catastrophic HDD failure in which a *read/write head* contacts the *platter* surface, scoring it and destroying data in the affected tracks. Often requires clean-room work and is sometimes unrecoverable (Ch. 8; Ch. 3). → Glossary
Head swap
A clean-room procedure replacing a hard drive's failed head assembly with one from a matching donor drive to read the original platters. Highly specialized and risky (Ch. 8). → Glossary
Header
A fixed byte sequence marking the **start** of a file type (the *file signature*); the primary anchor of *file carving* (Ch. 7). → Glossary
find header, scan to next footer, carve between. Byte-perfect on contiguous JPEG/PNG/GIF. The gold standard. - **Header-and-maximum-size** — for footer-less formats; carve a capped length and trim later. - **Header-only** — crudest fallback; most junk and truncations. - **Smart carving (object valid → Data Recovery and Digital Forensics
Hearsay
An out-of-court statement offered for its truth, generally inadmissible; machine-generated records often qualify under the business-records exception, which matters when admitting logs (Ch. 25). → Glossary
hexadecimal
base 16 — and it is the working language of this entire field. When you open a "hex editor" or run `xxd`, hex is what you are reading. → Data Recovery and Digital Forensics
Hexadecimal (hex)
Base-16 notation (`0`–`9`, `A`–`F`) in which one digit equals one *nibble* and two digits equal one *byte*; the working language of low-level data examination and *hex dumps* (Ch. 2). → Glossary
HFS+ (Hierarchical File System Plus)
Apple's legacy macOS file system (pre-*APFS*), using catalog and extents B-trees and a 1904 epoch for some timestamps (Ch. 4). → Glossary
Hibernation file (hiberfil.sys)
A Windows file holding a compressed image of RAM written at hibernation; a valuable source of *memory forensics* evidence recoverable from disk. *See also* pagefile (Ch. 16; Ch. 22). → Glossary
hidden volumes
a second, secret volume tucked inside the apparent free space of an outer "decoy" volume, with its own header at a fixed offset (e.g., 0x10000) — so that a holder compelled to reveal *a* password can surrender the decoy while the hidden volume's existence remains unprovable. This is **plausible deni → Data Recovery and Digital Forensics
high-value artifacts
on Windows: the registry hives, the Windows event logs (`.evtx`), the `$MFT` and NTFS journals (`$J`/`$UsnJrnl`, `$LogFile`), Prefetch, Amcache, SRUM, scheduled tasks, and browser history. Together these are a few hundred megabytes, collectible in *minutes* per host. So instead of imaging everything → Data Recovery and Digital Forensics
historical cell-site location information (CSLI)
the records of which towers a phone connected to, held by the carrier — is a Fourth Amendment search requiring a warrant, because that location trail is so revealing and so inescapably generated that it is not meaningfully "voluntary." *Carpenter* is narrow on its face but enormous in implication: i → Data Recovery and Digital Forensics
History and typed URLs
visits to `mail.google.com`, `outlook.live.com`, `mail.proton.me`; the registry's `TypedURLs` (Chapter 16) catching a hand-typed webmail address; search-bar terms. - **Cache** — Chromium's cache (the `Cache_Data/` block files or Simple-Cache `f_*`/`_0` entries) can hold rendered message fragme → Data Recovery and Digital Forensics
Home Assistant
open-source, self-hosted software that, by default, records the entire state history of every connected device into a *local* SQLite database, `home-assistant_v2.db` (larger installs use MariaDB/PostgreSQL). Because it is local, you reach it by imaging the device it runs on (a Raspberry Pi's SD card → Data Recovery and Digital Forensics
host and network artifacts
the mutex `Global\MSCTF_x7f3a2b`, the `/gate` URI, the `WH/1.2` user-agent, the `WindowsHostUpdate` task name — which the attacker would have to modify their tooling to change, and which therefore catch variants that defeat the hashes. At the top, **TTPs** (the *behaviors*: "spawns `cmd.exe` to run → Data Recovery and Digital Forensics
Host Memory Buffer (HMB)
cheaper, and a meaningful difference in how a sudden power loss can corrupt the map. → Data Recovery and Digital Forensics
Host Protected Area (HPA)
A reserved, hidden area at the end of an ATA drive, invisible to the OS, sometimes used to conceal data. Must be detected and removed at acquisition. *See also* DCO (Ch. 14). → Glossary
Hot spare
A standby disk in a RAID array that automatically replaces a failed member and rebuilds, reducing exposure to a second failure. *See also* RAID (Ch. 10). → Glossary

I

IACIS membership and the BCFE course
the course aligns to the competencies, it does not replace the IACIS process. → Certification Mapping
icat
A Sleuth Kit command that extracts the content of a file by its metadata address (inode or MFT number), including deleted files still referenced by metadata. *See also* fls, mmls (Ch. 36; Ch. 6). → Glossary
Identification
find every source of data, including the volatile and the hidden. **Preservation** — protect the original from any alteration (write-block, image, hash, chain of custody). **Analysis** — examine the verified copy and test hypotheses, seeking the truth. **Reporting** — explain the findings to a non-t → Data Recovery and Digital Forensics
image only the few that earn it
that *is* the rigor, applied to scale. → Data Recovery and Digital Forensics
images, video, and other media
to a local cache. These files were written to disk by the browser automatically, often without any deliberate act by the user, and they persist after the page is closed. That makes the cache simultaneously one of the most evidentially powerful and one of the most legally delicate artifacts in this c → Data Recovery and Digital Forensics
Imaging
*See* acquisition, forensic image (Ch. 14). → Glossary
imaging first
capturing volatile **memory** (where keys may live) before the disk, hashing everything, and maintaining chain of custody, because a ransomware incident is presumptively bound for insurance, regulators, and possibly court. Then work the five recovery options strictly in order of reliability: **(1) r → Data Recovery and Digital Forensics
IMEI (International Mobile Equipment Identity)
A unique identifier for a mobile device, used to identify the handset (distinct from the SIM/subscriber). Key for device attribution. *See also* SIM (Ch. 24). → Glossary
imphash
a hash of a PE's import table (the list of DLLs and functions it imports, in order). Because samples built from the same source with the same compiler tend to import the same functions in the same order, a shared imphash links variants that have different content hashes. It is one of the cheapest at → Data Recovery and Digital Forensics
impossible travel
no human flew there. The "MFA satisfied by token" detail is the tell: the attacker did not defeat multi-factor authentication head-on; they replayed a stolen session token (an adversary-in-the-middle phishing kit), which is exactly why a cached token is so dangerous and why session artifacts matter. → Data Recovery and Digital Forensics
in use
a live file. If it is clear, the record is **free** — but, crucially, the rest of the record is left exactly as it was. The deleted file's name, timestamps, and pointer to its data all remain until the OS recycles that MFT entry for a new file. That single bit is the difference between a file the OS → Data Recovery and Digital Forensics
In-class activities
**Deletion autopsy (40 min lab).** On a read-only practice image, delete-then-inspect: `fls`/`istat` (NTFS) and a hex editor (FAT `0xE5`). Each pair documents what a recovery tool would still find per file system. - **Comparison grid (15 min).** Groups fill a 4×4 table — NTFS / ext4 / APFS / FAT-exF → Chapter 4 — Discussion Guide
In-class activities / labs
**Teardown lab.** Disassemble junk HDDs; sketch and label platters, heads, actuator, spindle, PCB. Safety/e-waste focus — the magnets are strong. Never on evidence or client media. - **SMART triage station.** From provided smartctl output (no live execution), flag reallocated/pending sectors, power- → Chapter 3 — Discussion Guide
In-class activities / labs.
**Hex hunt (20 min):** Give pairs an `xxd` printout; have them mark JPEG, PNG, PDF, and ZIP signatures by hand and predict carver output before running anything. - **Carve-and-validate (40 min):** Run Foremost, then PhotoRec, on the same staged unallocated dump; diff the results, validate with `file → Chapter 7 — Discussion Guide
Incident Response
you will lean on slack space and data persistence when you reconstruct what an attacker tried to wipe. 📜 **Legal/eDiscovery** — you do not need to decode a hex dump byte by byte, but you must understand *why* "deleted" files are routinely producible in litigation, because opposing counsel will, and → Data Recovery and Digital Forensics
Incident response (IR)
The discipline of detecting, containing, investigating, and remediating security incidents, often under time pressure and on live systems. One of the four learning paths in this book (🛡️). *See also* live response, order of volatility (Ch. 15). → Glossary
Indicator of Compromise (IOC)
An observable artifact suggesting an intrusion — a malicious hash, IP, domain, file path, registry key, or behavior — used to detect and scope incidents and to hunt across systems. *See also* YARA, C2 (Ch. 23; Ch. 32). → Glossary
indicators of compromise (IOCs)
the concrete, machine-matchable facts that let *anyone* detect this threat without repeating your analysis. You have collected them all along; now you organize them and, critically, weight them, because not all indicators are equal. → Data Recovery and Digital Forensics
InInitializationOrder
and a normally-loaded DLL appears in **all three**. **`ldrmodules`** cross-references every memory-mapped image against those three lists and flags any that are missing from some or all of them. → Data Recovery and Digital Forensics
inode
by default **256 bytes** — containing the mode, owner, size, link count, four timestamps (access, change, modify, and crucially `dtime`, the **deletion time**), and a small **extent tree** describing where the data blocks are. ext4 replaced the old ext2/ext3 system of direct/indirect block pointers → Data Recovery and Digital Forensics
Inode (index node)
In Unix-family file systems, the metadata record for a file (permissions, owner, size, timestamps, and pointers to data blocks) — but **not** the file's name, which lives in the directory entry. The Linux analogue of an NTFS *MFT* record. *See also* ext4 (Ch. 4). → Glossary
Instructor guide
[progressive-project-guide.md](progressive-project-guide.md) — running the capstone as a graded practical exam. - [mock-trial-guide.md](mock-trial-guide.md) — the testimony reps behind the courtroom-facing certs. - [lab-setup-guide.md](lab-setup-guide.md) — standing up the hands-on environment every → Certification Mapping
insufficient to determine authenticity
and "the evidence is insufficient to reach a conclusion" is a valid, professional, court-defensible finding. Forcing a conclusion the data will not support is how examiners are discredited and how the liar's dividend wins. The skill that matters most in AI-assisted forensics is the same one that has → Data Recovery and Digital Forensics
Intake
client interview notes, symptom triage, open a chain-of-custody entry. 2. **Read-only evaluation** — *the evaluation is the product*: diagnose the tier, prognosis, and a firm number. Never a destructive "let's just try it." 3. **Written quote** — consistent with the student's own price sheet: tier b → Syllabus — Data Recovery (vocational track)
integration
the judgment that decides which technique to apply, in what order, how to make independent findings corroborate one another, and how to fold forty hours of disparate analysis into one document a stranger will trust under oath. A capstone is not a review. It is the demonstration that you can do the a → Data Recovery and Digital Forensics
integrity
the image equals the source as acquired and nothing changed. It says nothing about guilt, malware, or encryption. **Ch 5 / Ch 14.** | | A12 | **B** | The residual MFT record retains name, size, timestamps, and often the data runlist until the slot is reused — the most reliable NTFS undelete path. ** → Midterm Exam — Solutions
integrity only
not authorship, origin, ownership, or guilt. Confusing "the hash matches" with "the suspect did it" is a category error. - The **chain of custody** proves the *handling*: who had it, when, what they did, with two signatures per transfer and no gaps. The hash proves the bits; the chain proves the peo → Data Recovery and Digital Forensics
IoT, Vehicle, and Embedded Device Forensics
leaves the ledger for the physical world of tiny computers everywhere: smart-home devices, infotainment and telematics in cars, wearables, and embedded flash — where the artifacts are weirder, the storage is rawer, and, once again, *technology changes, principles don't.* → Data Recovery and Digital Forensics
ISO/IEC 17025
The international standard for the competence of testing and calibration laboratories; the accreditation many forensic labs pursue to demonstrate quality and validated methods. *See also* NIST CFTT, SWGDE (Ch. 37). → Glossary
Isolate
unplug network/Wi-Fi, leave machines **powered on** | Rebooting (kills RAM keys and live state) | | 2. **Do not run AV "clean/remove"** | Scan-and-remove (destroys the encryptor sample and forensic artifacts) | | 3. **Photograph the ransom note; don't open encrypted files** | Opening files to "check → Answers to Selected Exercises
Isolate absolutely
dedicated host, snapshots, simulated internet. - **Skipping tool validation.** Trusting a tool's output without a known-answer test or a dual-tool check leaves your central findings resting on faith. Validate every tool, every version, and **keep the log** — it is your *Daubert* defense. - **Updatin → Data Recovery and Digital Forensics
Isolate it from all networks immediately
airplane mode and/or a Faraday bag — to prevent a remote wipe or remote lock, and **keep it powered/charged** so it does not drop into a more-locked (e.g., before-first-unlock) state. - Document its state; do not let it lock further if avoidable. - Attempt the appropriate extraction (logical / file- → Midterm Exam — Solutions
ISP (In-System Programming)
A mobile-extraction technique that reads the flash chip directly via its test/communication pads while still on the board, avoiding the desoldering of *chip-off*. *See also* JTAG (Ch. 11; Ch. 24). → Glossary
it is still powered on and logged in
left running at the desk, screen unlocked. The encrypted volume is *mounted*. This is the best possible starting condition: while the machine runs with the volume mounted, the BitLocker **Full Volume Encryption Key (FVEK)** is held in RAM so the OS can read the disk transparently. A clean memory cap → Data Recovery and Digital Forensics
it must have been enabled
auditing has shipped on-by-default for new tenants for several years, but older or reconfigured tenants may have had it off, in which case there is *no* retroactive log to search. Both facts make the very first action in any M365 case a race against the retention clock, addressed under "Common mista → Data Recovery and Digital Forensics

J

JBOD (Just a Bunch Of Disks)
A non-RAID configuration that presents drives individually or spanned/concatenated, with no striping or redundancy. *See also* RAID (Ch. 10). → Glossary
Journaling
A file-system feature that logs pending metadata (and sometimes data) changes before committing them, so the file system can recover consistency after a crash. NTFS (`$LogFile`), ext4, APFS, and HFS+ journal; FAT/exFAT do not. The journal and NTFS *$UsnJrnl* are also forensic goldmines (Ch. 4). → Glossary
JTAG (Joint Test Action Group)
A hardware debug interface used in mobile/embedded forensics to read a device's memory through its test access port; more invasive than *ISP*, less than *chip-off* (Ch. 11; Ch. 24). → Glossary
Jump List
Windows artifacts (`AutomaticDestinations`/`CustomDestinations`) recording recently and frequently used files per application — strong evidence of file access and user activity (Ch. 16). → Glossary

K

KAPE (Kroll Artifact Parser and Extractor)
A widely used triage tool that rapidly collects and parses high-value forensic artifacts from a live or mounted Windows system using modular targets and modules. *See also* triage (Ch. 15). → Glossary
Keep the references next to your keyboard
the [file-signatures](appendices/appendix-a-file-signatures-reference.md), [artifact-locations](appendices/appendix-d-forensic-artifact-locations.md), and [command-line](appendices/appendix-h-command-line-reference.md) appendices are built for daily use. - **Mind the law and the ethics.** Before you → Data Recovery and Digital Forensics
Kernel DMA Protection
and state, in one sentence, why these exotic attacks are mostly for *older or unhardened* hardware while live capture remains the workhorse. → Data Recovery and Digital Forensics
key protector
TPM, TPM+PIN, TPM+startup key, password, recovery password, startup key, or a Data Recovery Agent certificate. → Data Recovery and Digital Forensics
Keychain
Apple's encrypted credential store (macOS/iOS) holding passwords, keys, and certificates; a high-value target whose accessibility depends on device state and unlock. *See also* Secure Enclave (Ch. 24). → Glossary
Keys in memory
live capture, cold-boot, or DMA — but *only* if the machine is running with the volume **unlocked**. Power-off purges the key in seconds. This is why "don't pull the plug" can be the most expensive reflex in modern forensics. 3. **Extract the key** from a RAM image, `hiberfil.sys`, page file, or cra → Data Recovery and Digital Forensics
knowledge exam vs. practical exam
the axis that most separates a credential practitioners respect from one they do not. (a) Define each. (b) Rank these by how practical they are, most-hands-on first: CHFI, EnCE, CFCE, the X-Ways X-PERT, a CompTIA Security+. (c) Explain the one-sentence reason practitioners trust practical-heavy cred → Data Recovery and Digital Forensics
Known file filtering
Using a *hash set* to exclude known-good files (or surface known-bad ones) and shrink the review set. *See also* NSRL (Ch. 20). → Glossary
known-material hash sets
the Project VIC / CAID ecosystem, accessed through their triage tooling — using robust perceptual hashing. The point that the director repeated to every new examiner was the humane one: a robust-hash match to a *previously catalogued* item meant that item could be flagged, hashed, logged, and handle → Data Recovery and Digital Forensics
KYC (Know Your Customer)
Identity-verification requirements imposed on regulated cryptocurrency exchanges; the point where a pseudonymous *blockchain* address can be tied to a real person via subpoena. *See also* exchange (Ch. 33). → Glossary

L

Labs and projects
`lab-setup-guide.md` — building a forensic workstation; free toolchain; sourcing legal practice images (with Appendix J) - `progressive-project-guide.md` — running, milestone-checking, and grading the Forensic Case File - `mock-trial-guide.md` — full mock-trial protocol, role cards, sample cross, an → Instructor Guide — Data Recovery and Digital Forensics
last run of Saturday 09:14:22
the morning after the Friday-evening device connection. Prefetch proves *execution*, not mere presence: → Data Recovery and Digital Forensics
last-access time
overwriting the very timestamps an examiner would later use to establish *when the engineer himself last touched it*, and replacing them with Monday's date under the admin's account. Browsing Recent Items and opening folders seeded still more artifacts. Dragging the profile to an external drive copi → Data Recovery and Digital Forensics
last-write FILETIME
a tight event proxy for single-purpose keys, nearly meaningless for busy ones. → Data Recovery and Digital Forensics
Lay a foundation before findings
establish write-blocking, dual-hash verification, and an unbroken chain of custody *before* saying what the evidence shows, so reliability is settled before interpretation begins (ties to [Chapter 5 — The Forensic Process](../part-1-foundations/chapter-05-the-forensic-process/index.md) and [Chapter → Mock Trial Exercise Guide
lay reader
the judge and especially the jury — must be able to *understand* your findings without specialized knowledge. This is the hardest audience and the one technical writers serve worst. Jargon must be eliminated or defined on first use. Analogies help, but only if they do not distort: comparing unalloca → Data Recovery and Digital Forensics
LBA (Logical Block Addressing)
The modern scheme that addresses every sector on a drive by a single sequential number, replacing geometric *CHS* addressing. The number examiners use to locate data. *See also* sector, byte offset (Ch. 2). → Glossary
legacy Autopsy 2.x
an old Perl/HTML front-end to TSK. It works, but it is not the modern product. - The **modern Autopsy 4.x** (the Java desktop application) is officially built for **Windows**. On Linux you install it by downloading the ZIP from the Sleuth Kit/Autopsy site, installing a matching TSK build and **OpenJ → Appendix J — Practice Images and Lab Setup
civil matter; MHA examines its own property as a private actor (no Fourth Amendment search); FRCP govern if filed; note the state-action contingency. (2) **Basis of authority** — proof of company ownership, signed AUP, login-banner text, all pre-dating the incident. (3) **Scope, in and out** — in: r → Data Recovery and Digital Forensics
*See* litigation hold (Ch. 25). → Glossary
Legal/eDiscovery
acquisition is where admissibility is won or lost. 🛡️ **Incident Response** practitioners read it with one asterisk: sometimes you cannot power a system off (Chapter 15), and the trade-offs start here. 💾 **Data Recovery** technicians should not skip it — "image first, work on the copy" protects an i → Data Recovery and Digital Forensics
legally privileged material
attorney-client communications, attorney work product, doctor-patient and clergy-penitent communications. If the examining side reads privileged communications, it can taint the entire matter and, in extreme cases, disqualify the lawyers. The standard mechanism is a **filter team** (also called a ** → Data Recovery and Digital Forensics
liar's dividend
named by Bobby Chesney and Danielle Citron (2019) — is the deniability that the *mere existence* of deepfakes confers on the guilty: when everyone knows video can be faked, any genuine recording can be *dismissed* as a possible fake. A real confession, a real surveillance clip, a real recorded state → Data Recovery and Digital Forensics
Linear sequential unmasking
analyzing the evidence *before* you absorb the domain narrative, and recording your interpretations as you go so later context cannot quietly rewrite them — keeps the artifacts speaking first. **Blind peer review**, in which a second examiner reaches an independent conclusion before comparing notes, → Data Recovery and Digital Forensics
A directive to preserve all potentially relevant *ESI* once litigation is reasonably anticipated; failing to issue or honor it can lead to *spoliation* sanctions. *See also* eDiscovery (Ch. 25). → Glossary
Live response
Collecting evidence from a running system — RAM, network connections, running processes, logged-in users — that would be lost on shutdown. Necessarily alters the system, so it is documented and follows the *order of volatility*. *See also* triage (Ch. 15). → Glossary
Live Response and Triage Forensics
confronts the case this chapter set aside: the machine you *cannot* simply power off. You will learn the order of volatility, how to capture RAM and running state before they vanish, and how to triage at speed when full imaging must wait. → Data Recovery and Digital Forensics
live-response log
the chain-of-custody narrative of the engagement. Every significant action gets a row: UTC time, what you did, the tool/source, the output and its hash, and (where relevant) a witness. This is the document that gets entered into evidence and the document you read from on the stand: → Data Recovery and Digital Forensics
LNK file
A Windows shortcut that records its target's full path, size, MAC times, and the source volume's serial number — proving a file existed and was accessed even from removable or now-absent media (Ch. 16). → Glossary
Locard's exchange principle
The forensic-science axiom that every contact leaves a trace; the conceptual root of this book's theme that *every action leaves a trace, and the absence of a trace is itself a trace* (Ch. 1; Ch. 5). → Glossary
Log clearing
An *anti-forensic* technique of deleting or truncating logs to hide activity; detectable by the resulting gaps, event ID 1102 (security log cleared), and corroborating artifacts. *See also* anti-forensics (Ch. 30). → Glossary
log2timeline / plaso
The standard open-source engine for building a *super-timeline*: `log2timeline` ingests hundreds of artifact types into a plaso storage file, and `psort` filters and outputs it. *See also* timeline analysis (Ch. 21). → Glossary
Logical extraction
A mobile-acquisition level that pulls data through the device's normal interfaces/backup APIs — fast but limited to what the OS exposes (no deleted data). Contrast *file-system* and *physical extraction* (Ch. 24). → Glossary
Logical recovery
Recovering data from intact media whose file system is damaged, formatted, or has deleted entries — by repairing structures and re-reading metadata — as opposed to *physical recovery* of failed hardware. *See also* data run, partition recovery (Ch. 6). → Glossary
Logical/UART or vendor API
a console or app interface; non-invasive but shallow. (2) **JTAG** — connect to the CPU's debug port via test access pads to read the flash through the processor; moderate, requires pinouts. (3) **eMMC "in-system programming" (ISP)** — tap the eMMC clock/command/data lines to read the flash directly → Answers to Selected Exercises
logon type
2 keyboard, 3 network, 10 RDP), 4672 admin, 4720/4726/4732 account changes, **1102** Security-log cleared, **7045** service installed, 6005/6006/6008 boot/shutdown. OS-set timestamps are your strongest time anchors. - **Access:** LNK files and Jump Lists prove a file was *opened* — with its **volume → Data Recovery and Digital Forensics
LOLBins (living-off-the-land binaries)
Legitimate, signed system tools (PowerShell, `certutil`, `rundll32`, WMI) abused by attackers to avoid dropping detectable malware — a key focus of modern malware and intrusion analysis (Ch. 32). → Glossary
look up the hash, do not upload the sample
uploads are visible to actors who monitor for their own hashes. Self-host (CAPE/FLARE-VM); public services are for commodity malware. → Data Recovery and Digital Forensics
loses exactly that activity
the most recent, most relevant rows are the ones still sitting in the uncheckpointed WAL. → Answers to Selected Exercises
LUKS (Linux Unified Key Setup)
The standard full-disk encryption format on Linux (`dm-crypt`), with a header holding key slots derived from passphrases. Without a passphrase or key, the volume is unrecoverable. *See also* full-disk encryption (Ch. 29). → Glossary
LUKS — the Linux Unified Key Setup
is the standard for disk encryption on Linux, layered over the kernel's `dm-crypt`. It is the most *transparent* of the four to an examiner, because its on-disk header is documented and readable (the *header*, not the data). A LUKS partition begins with a recognizable magic value: → Data Recovery and Digital Forensics
LVM (Logical Volume Manager)
A Linux abstraction layer that pools physical volumes into logical volumes that can span disks and be resized/snapshotted; examiners must reassemble LVM metadata to see the file systems inside (Ch. 17). → Glossary

M

M57-Jean
a single-machine subset (the CFO accidentally leaks an employee spreadsheet). It is small, fast, and the ideal *first* end-to-end case before you commit to the full M57-Patents set. → Appendix J — Practice Images and Lab Setup
Mac absolute time
seconds since 2001-01-01 UTC — and since iOS 11 `sms.db` stores them in *nanoseconds*. Using the Cocoa epoch offset `978307200` (seconds between 1970-01-01 and 2001-01-01): (a) Convert a `knowledgeC.db` value of `721692800` (seconds) to a UTC datetime. (b) Convert an `sms.db` value of `7216928000000 → Data Recovery and Digital Forensics
MACB (Modified, Accessed, Changed, Born)
The four canonical file timestamps: **M**odified (content), **A**ccessed, **C**hanged (metadata; on NTFS the MFT-entry change), and **B**orn (creation). NTFS keeps two MACB sets — in *$STANDARD_INFORMATION* (user-forgeable) and *$FILE_NAME* (kernel-set, truthful) — and the disagreement between them → Glossary
macOS and Linux Forensics
takes the same investigative method to systems with no registry: you will trade hives and `.evtx` for plists, FSEvents, `unified logging`, bash/zsh history, syslog/journald, and ext4/APFS metadata — proof that *technology changes, principles don't.* → Data Recovery and Digital Forensics
Magic number
*See* file signature (Ch. 7). → Glossary
malfind
A Volatility plugin that locates hidden or injected code in process memory by scanning for suspicious memory regions (e.g., executable + writable private pages with no backing file). *See also* DLL injection (Ch. 22). → Glossary
Malware forensics
The post-incident analysis of malicious software to determine what it did, how it persisted, and what it touched — via *static* and *dynamic analysis*. Framed defensively: analysis, not weaponization. *See also* sandbox, YARA (Ch. 32). → Glossary
MAM/Xpress-Huffman compressed
`PECmd` decompresses automatically. → Appendix D — Forensic Artifact Locations
Mandatory reporting
The legal duty to report certain discoveries, most importantly suspected *CSAM*. Under **18 U.S.C. §2258A**, electronic service providers must report apparent CSAM to *NCMEC*; examiners must understand their own reporting obligations and stop, preserve, and escalate on discovery. *See also* ethics ( → Glossary
mandatory, de-stigmatized wellness support
not a poster about an EAP, but a real program with trained peer support and counselors who understand secondary trauma. And under it all, the personal foundation that no employer can supply for you: real boundaries (a stop time; the case does not come home), a decompression ritual between the lab an → Data Recovery and Digital Forensics
Mark-of-the-Web (MOTW)
The `Zone.Identifier` *ADS* Windows attaches to files downloaded from the internet, recording their origin zone (and sometimes URL) — useful provenance evidence (Ch. 16; Ch. 30). → Glossary
Master Boot Record (MBR)
The legacy first sector (512 bytes) of a disk, holding bootstrap code and a four-entry partition table, ending in the signature `0x55AA` at offset 510. Limited to 2 TB; superseded by *GPT*. *See also* boot sector (Ch. 4). → Glossary
Master File Table (MFT)
The central NTFS metadata file: one ~1,024-byte record per file/directory, holding *attributes* including timestamps and either resident data or *data runs*. Deleted files often remain as MFT records flagged unallocated — the heart of NTFS logical recovery. *See also* attribute (Ch. 4; Ch. 6). → Glossary
MBOX
the classic Unix mailbox: every message concatenated into one text file, each one introduced by a line that begins, at column zero, with `From ` (the word "From" followed by a *space*, called the "From_" line) plus the sender and a timestamp. Thunderbird, Apple Mail's internal stores, Evolution, and → Data Recovery and Digital Forensics
MBOX / EML / MSG
Common email storage formats: **MBOX** concatenates messages in one file (Unix, Thunderbird); **EML** is a single RFC 822 message; **MSG** is Outlook's single-message format. *See also* PST/OST (Ch. 19). → Glossary
MBR
first sector (LBA 0), four 16-byte entries at offset 446, signature `55 AA`; caps at ~2.2 TB and four primaries. **GPT** — header at LBA 1 (`EFI PART`), type GUIDs, CRC32, and a life-saving **backup at the end of the disk**. - **The Sleuth Kit pipeline:** `mmls` (partitions) → `fsstat` (file system → Data Recovery and Digital Forensics
MD5 (Message Digest 5)
A 128-bit hash rendered as 32 hex characters. Cryptographically broken (collisions are practical) but still widely used for evidence integrity and known-file matching alongside a stronger hash. *See also* SHA-256, hash collision (Ch. 5). → Glossary
media profile
partition scheme, each partition, and its file system — the first technical artifact of the case file, formally folded in after the Ch.5 acquisition. → Chapter 4 — Teaching Notes (File Systems)
media/surface
and add a one-word note on whether the user data is typically *intact-but-locked-out* or *physically-at-risk*: (a) a shorted TVS diode; (b) a read/write head that has electrically failed; (c) a translator that can no longer map LBAs to physical sectors; (d) a platter with a visible circular gouge; ( → Data Recovery and Digital Forensics
Member set
which disks belong, and is one **stale** (lower event counter)? - **Disk order** — the stripe sequence, which is *not* the bay order. - **Strip size** — per-disk chunk; beware the "stripe size" factor-of-N trap. - **Parity layout** — direction + symmetry; left-symmetric is the `mdadm` default and th → Data Recovery and Digital Forensics
memorized passphrase resembles the combination
it is testimonial, so compelling it is constitutionally fraught (a biometric/physical token leans toward the "key"). The **"foregone conclusion"** doctrine, from **_Fisher v. United States_** (1976), is the narrow exception: if the government already knows, with reasonable particularity, that the de → Answers to Selected Exercises
Memory dump
A captured image of a system's volatile RAM (raw, crash dump, or from *hiberfil.sys*), the input to *memory forensics*. Contains processes, network state, injected code, and sometimes encryption keys and plaintext. *See also* Volatility (Ch. 22). → Glossary
Memory forensics
Analysis of captured RAM to reveal running and hidden processes, network connections, injected code, command history, and keys that never touch disk. Often the only place to catch fileless malware. *See also* Volatility, order of volatility (Ch. 22). → Glossary
Metadata
Data about data: file timestamps, sizes, owners, and embedded document/photo properties (author, GPS, camera). Frequently more probative than file content, and a prime *anti-forensics* target. *See also* EXIF, MACB (Ch. 20; Ch. 5). → Glossary
Microsoft v. United States
the "Microsoft Ireland" case. U.S. law enforcement served an SCA warrant for emails Microsoft stored in a Dublin data center; Microsoft refused, arguing a U.S. warrant could not reach data on foreign soil. The case reached the Supreme Court in 2018 and was rendered moot mid-stream by Congress passin → Data Recovery and Digital Forensics
Mixer (tumbler)
A service that pools and shuffles cryptocurrency to obscure the link between source and destination addresses; a money-laundering technique that *blockchain analysis* aims to defeat. *See also* blockchain (Ch. 33). → Glossary
A treaty mechanism for one country to request evidence from another; historically slow, which is part of why the *CLOUD Act* was enacted. *See also* cloud forensics (Ch. 31; Ch. 25). → Glossary
mmls
A Sleuth Kit command that displays the partition layout of a disk image (partition tables, slots, and gaps), the starting point for analyzing an acquired image. *See also* fls, icat (Ch. 36). → Glossary
Mobile device forensics
The acquisition and analysis of smartphones and tablets, complicated by encryption, lock states (*BFU/AFU*), proprietary formats, and rich app data in *SQLite*. *See also* Cellebrite, chip-off (Ch. 24; recovery in Ch. 11). → Glossary
Mobile Device Recovery
leaves spinning platters and parity behind for the locked, encrypted, soldered-flash world of phones and tablets, where the recovery target is a single device that fights you at every layer. → Data Recovery and Digital Forensics
monolithic
controller, NAND die, and bond wiring are all sealed in one epoxy package, so there is no chip to lift. Recovery means locating the package's exposed **test points**, identifying the pinout, and reading the raw NAND through an ISP jig — and only *then* facing the same FTL reconstruction. It is among → Data Recovery and Digital Forensics
motion in limine
a pretrial motion asking the judge to exclude the examiner's testimony entirely under Federal Rule of Evidence 702 and *Daubert*. The court set a **Daubert hearing**, outside the jury's presence, where the heaviest legal artillery is fired. Three problems, each avoidable, surfaced there. → Data Recovery and Digital Forensics

N

NAND flash
Non-volatile memory storing bits as trapped charge in cells, the basis of SSDs, phones, and memory cards. Read/written in *pages*, erased in larger *blocks*, and worn by *program/erase cycles*. *See also* FTL, SLC/MLC/TLC/QLC (Ch. 3). → Glossary
NAS (Network-Attached Storage)
A file-serving storage appliance on a network, often containing a RAID array and a Linux-based file system; a common recovery and evidence source. *See also* SAN, RAID (Ch. 3). → Glossary
NCMEC CyberTipline
but read carefully, that duty falls on **electronic communication service and remote computing service "providers"** (hosting companies, cloud platforms, ISPs, email and messaging services), *not* directly on a private forensic examiner or a one-person recovery shop. Providers that obtain actual kno → Data Recovery and Digital Forensics
near
duplicate / similar files | Ch. 20, 32 | | **certutil -hashfile** | HASH | Win (CLI) | Built-in (free) | Native Windows hashing when nothing else is installed | Ch. 14 | | **Get-FileHash** | HASH | Win (PS) | Built-in (free) | PowerShell hashing (SHA-256 default) for quick verification | Ch. 14 | → Appendix C — Tool Reference
NetFlow
A network-metadata record (source/destination, ports, bytes, timing) summarizing flows without full packet payloads — efficient for spotting *C2* beaconing and exfiltration at scale. *See also* PCAP (Ch. 23). → Glossary
Network Forensics
follows the beacon you found in memory out onto the wire: packet capture, flow records, protocol analysis, and the artifacts of communication — proving not just *what ran* on a host, but *what it said to the world* — and showing once more that *technology changes, principles don't.* → Data Recovery and Digital Forensics
never accept a contingency fee
payment that rises if your side wins or that is conditioned on a particular finding. It is widely treated as grounds to exclude your testimony entirely, because it pays you to reach a conclusion. You bill for your time and expertise; you are never paid for an *answer*. - **Prior relationships.** You → Data Recovery and Digital Forensics
never claim more than the evidence supports
calibrate your conclusion language to the strength of your findings and stop exactly there. The spectrum: **(strong) establishes/demonstrates** — "the matching hash *establishes* the image is a bit-for-bit copy"; **(defensible middle) consistent with/supports/indicates** — "files recovered from unal → Data Recovery and Digital Forensics
Never on real evidence or real personal data.
**Quizzes.** Every chapter's `quiz.md` is 10–15 questions with a full answer key and a scoring band. They work as-is for low-stakes weekly checks; combine several into per-part quizzes if you prefer fewer grade events. - **Midterm.** Comprehensive through Part III. In the 15-week flagship it lands a → Assessment Overview
never overwrites live data in place
modified blocks are written to new locations and metadata is repointed; old blocks are freed afterward. Consequences that dominate recovery: → Appendix G — File System Reference
never work on the original.
## Write-blocking: making "read-only" a physical fact → Data Recovery and Digital Forensics
Nibble
Four *bits*, equal to one *hex* digit (16 possible values); two nibbles make a byte (Ch. 2). → Glossary
NIST CFTT (Computer Forensics Tool Testing)
A NIST program that publishes specifications and test results for forensic tools (imagers, write blockers, carvers), supporting tool *validation* and *Daubert* defensibility. *See also* validation, SWGDE (Ch. 37; Ch. 36). → Glossary
NIST CFTT / vendor results
and explain why a lab deliberately keeps *overlapping* commercial and open-source tools. → Data Recovery and Digital Forensics
no
must erase the whole block first | | Deleted data after delete | persists until reused (months) | TRIM + GC can physically erase it (seconds–minutes) | | Recovery instinct "we have time" | usually true | **dangerously false** | → Data Recovery and Digital Forensics
no `Make`, `Model`, lens, or GPS data
only image dimensions and a generic `Software` string. The retaining attorney wants you to testify that the absence of camera metadata proves the image is "fake" or "doctored." (a) Explain why absence of EXIF is *not* evidence of forgery. (b) Name the single most common innocent cause of stripped EX → Data Recovery and Digital Forensics
no backing file path
a DLL that was injected, not loaded. `False/False/False` with no `MappedPath` is the canonical reflective-injection signature. → Data Recovery and Digital Forensics
no consistent room acoustics
the reverberation and background that a real recording in a real space always has, or it carries a reverb that does not match the claimed environment. The research community benchmarks this work through the **ASVspoof** challenge series, and the same generalization problem applies: detectors trained → Data Recovery and Digital Forensics
no public decryptor
which mattered not at all, because Option 1 was alive. The team did not rush the restore. They rebuilt the servers from known-good media, *patched the VPN appliance, rotated every credential in the domain, and confirmed the initial-access hole was closed* before a single byte was restored. Only then → Data Recovery and Digital Forensics
no real illegal material
these corpora are built precisely so you can train without it. Treat them with full professional discipline anyway: it is exactly the reflex you want automatic before you ever touch a real case. See [Chapter 28 — Ethics](../part-4-legal-framework-and-reporting/chapter-28-ethics/index.md). → Appendix J — Practice Images and Lab Setup
no single point in time
it is a composite, internally inconsistent snapshot. A file's directory entry might be captured *before* the data it points to was written, or after it was deleted. Memory images smear for the same reason, and worse, because RAM changes far faster than disk. → Data Recovery and Digital Forensics
No spin, no sound, no detection
and the motor is *not* seized (you can sometimes confirm by feel/sound that the spindle is free). - **A burnt smell or a visibly scorched component** — most often a TVS diode or the motor combo chip. - **The drive trips the power supply's over-current protection** or draws no current at all. - **A s → Data Recovery and Digital Forensics
no timestamps
just commands, in order. Timestamps appear only if `HISTTIMEFORMAT` was set, in which case the file interleaves `#` lines before each command. zsh's *extended* history format does carry time: `: :;`. Second, history is written **on shell exit** (or via `history - → Data Recovery and Digital Forensics
no write-blocker
and let Windows mount the NTFS volume read-write so he could browse it. He installed a consumer undelete utility *to the same machine*, pointed it at the source drive, recovered several hundred deleted files into a folder, copied them to a USB stick, and emailed the agency: *"Recovered 412 deleted f → Data Recovery and Digital Forensics
Non-deterministic TRIM
a read of a trimmed-but-not-yet-erased LBA may return the old data, zeros, or anything, and may differ between reads. This is the *recovery-friendly* case: the data may still be physically present until GC erases it. - **DRAT — Deterministic Read After TRIM** — reads return a consistent value, but t → Data Recovery and Digital Forensics
non-graphic
procedure, law, ethics only. Never describe content. Always pair with mandatory-reporting duty (18 U.S.C. §2258A), scope discipline, and examiner well-being (secondary trauma). Ch.28 owns the ethics treatment. - **Defensive/investigative framing only.** Anti-forensics (Ch.30) teaches *detection*, no → _continuity.md — Data Recovery and Digital Forensics (INTERNAL — do not publish)
Non-resident attribute
An NTFS *attribute* (typically `$DATA`) too large to fit in the MFT record, stored instead in external clusters described by *data runs*. Contrast *resident attribute* (Ch. 4). → Glossary
normalizing everything to UTC
using the evidence machine's `TimeZoneInformation` — is non-negotiable. You learned to measure **clock skew** against external references and to read event ID 4616 as the fingerprint of deliberate clock manipulation. You internalized the **MACB** model (Modified, Accessed, Changed-as-in-metadata, Bo → Data Recovery and Digital Forensics
NSRL (National Software Reference Library)
NIST's published hash set of known software files, used to filter out standard OS/application files from review. *See also* hash set (Ch. 20). → Glossary
NTFS (New Technology File System)
The default Windows file system, built around the *MFT*, with *journaling* (`$LogFile`, *$UsnJrnl*), security descriptors, *ADS*, and dual *MACB* timestamp sets. The most analyzed file system in this book. *See also* MFT, $STANDARD_INFORMATION (Ch. 4). → Glossary
NTUSER.DAT
The per-user Windows registry hive (in each profile folder) holding user-specific artifacts such as *UserAssist*, *ShellBags*, and recent-document lists. *See also* registry hive (Ch. 16). → Glossary
Numerical Password
the 48-digit recovery password — identified by a Recovery Key ID. The machine was domain-joined, and the firm's Group Policy escrowed BitLocker recovery information to Active Directory. So the key you needed had been sitting in the directory since the day the laptop was provisioned. You retrieved it → Data Recovery and Digital Forensics

O

Observation
the verifiable fact, what the data shows. (2) **Supporting artifacts** — the paths, offsets, hashes, and timestamps that let anyone confirm it. (3) **Interpretation** — the supported inference or opinion, honestly qualified. (4) **Limitation** — what this finding does *not* establish. Full credit fo → Data Recovery and Digital Forensics
observe
a manager reports that a departing employee may have copied proprietary files. You form a **question** — did files leave the company on removable media before the resignation? You state a **hypothesis** that can be wrong — "On the night before resigning, the user attached a USB device and copied the → Data Recovery and Digital Forensics
off
practice the safety discipline from the first keystroke, exactly as you would on a live weapon. → Data Recovery and Digital Forensics
on the endpoint
OneDrive's own logs recorded the upload, the browser cached the session, the operating system noted the process. A record was created **at the provider** — Microsoft's audit log captured a `FileUploaded` and an `AnonymousLinkCreated` event with a timestamp and an IP address. And the data itself came → Data Recovery and Digital Forensics
only on intent to deprive
which forensic traces are uniquely able to prove (*deleted ≠ destroyed*; *every action leaves a trace*). - **Border** searches are more permissive and split by circuit; the **Fifth Amendment** makes **compelled decryption** an unsettled, jurisdiction-specific question (testimonial vs. foregone concl → Data Recovery and Digital Forensics
open network connections
the foreign IP and port a beacon is talking to right now. **Injected code** sitting in another process's address space. **Decrypted content** of files that are encrypted at rest. **Command history** typed into a console whose window has since been closed. The **clipboard**. Cached **credentials and → Data Recovery and Digital Forensics
open-book
you may bring printed notes and a tabbed index — which surprises newcomers but reflects the reality of the job: nobody works from memory at sector level. Build a strong index and you are halfway there. → Appendix I — Certification Roadmap
Optical character recognition (OCR)
Tesseract in the open-source world, the engines inside Axiom and other suites in the commercial one — reads the words inside scanned documents, photographs of papers, screenshots, and even text baked into images precisely to evade keyword search. **Automatic speech recognition (ASR)** — Whisper-clas → Data Recovery and Digital Forensics
Order of volatility
The sequence for collecting evidence from most to least perishable: CPU/registers and cache → RAM → network state → running processes → disk → archival/backup media. The rule governing *live response* so that fleeting data is captured first (Ch. 15). → Glossary
OST
*See* PST/OST (Ch. 19). → Glossary
Over-provisioning
Spare NAND capacity an SSD reserves (beyond the advertised size) for *wear leveling* and *garbage collection*. It holds copies of data outside the logical address space — occasionally a recovery angle, but controller-dependent and unreliable (Ch. 3; Ch. 9). → Glossary
Overview and policy
`README.md` — this file: philosophy, structure, themes, paths, and how to teach the book - `assessment-overview.md` — the grading scheme and assessment philosophy across quizzes, exercises, the project, exams, and the mock trial - `common-struggles.md` — where students reliably get stuck (hex/offset → Instructor Guide — Data Recovery and Digital Forensics
Overwritten clusters
the absolute limit; one pass is, for recovery, the end. - **Reused metadata** — if the MFT record was recycled, the map is gone; carve instead. - **SSD with TRIM** — deleted blocks are erased by the controller within seconds; recovery often returns zeros (Chapter 9). - **Completed Vista+ full format → Data Recovery and Digital Forensics
Oxygen Forensic Detective
surveyed in [Chapter 36 — The Forensic Toolkit](../../part-6-tools-and-career/chapter-36-the-forensic-toolkit/index.md) and [Appendix C — Tool Reference](../../appendices/appendix-c-tool-reference.md). They wrap acquisition, decoding, deleted-record recovery, and reporting in a GUI and are the field → Data Recovery and Digital Forensics

P

Page (flash)
The smallest unit a NAND *block* can be written/read (commonly 4–16 KB). Pages can be written but not individually erased — erasure happens a whole block at a time, the root of *garbage collection*. *See also* NAND flash (Ch. 3). → Glossary
page smear
and occasionally a process simply will not reconstruct because the page table that mapped it changed mid-read. You disclose this. It does not invalidate the evidence, but it bounds the certainty of any single reconstructed structure, and it is why corroboration across plugins matters so much. → Data Recovery and Digital Forensics
Pagefile (pagefile.sys)
Windows virtual-memory backing on disk; it can contain fragments of process memory — strings, keys, document remnants — making it a useful disk-resident source of otherwise volatile data. *See also* hibernation file (Ch. 16; Ch. 22). → Glossary
pairing record
a lockdown/trust certificate pair — and it was still sitting on the MacBook: → Data Recovery and Digital Forensics
Parity
Redundancy data (computed by XOR) in RAID 5/6 that allows a missing block to be rebuilt from the surviving members. RAID 5 has single parity (survives one disk loss); RAID 6 has dual parity (survives two). The math behind *RAID reconstruction* (Ch. 10). → Glossary
Parse and convert
run an automated parser (Hindsight / BrowsingHistoryView / ESEDatabaseView) for breadth, confirm load-bearing rows with your own read-only SQL, convert each store's epoch correctly, decode transitions/visit types, and cross-check one key finding with a second tool. (3) **Recover what was deleted** — → Data Recovery and Digital Forensics
Part I (Ch. 1–5)
the student receives the assignment, verifies the image, opens a chain of custody, and writes an investigation plan. *The case file is born.* - **Part II (Ch. 6–13)** — recovery skills: logical recovery from surviving metadata, then file carving from unallocated space. *The "what was deleted" layer. → Progressive Project Guide — The Forensic Case File
Part I + Chapter 14 are core for every column
the foundations and acquisition are non-negotiable wherever you point the course. Second, **Chapter 38 (The Capstone Investigation) is the in-course analog of the practical exams** (EnCE Phase II, CFCE certification practical, CCE practicals); it is core for the practical-heavy credentials and shoul → Certification Mapping
particularity
it must describe the place to be searched and the things to be seized with enough specificity that the executing officer's discretion is meaningfully cabined. The particularity requirement exists to prevent the "general warrant" the colonists despised: a license to rummage through everything looking → Data Recovery and Digital Forensics
Partition
A defined region of a disk treated as an independent unit, described in the *MBR* or *GPT* partition table and usually holding one *file system* (one *volume*) (Ch. 4). → Glossary
partition entry array
usually 128 entries of 128 bytes each, occupying 32 sectors. - **Last LBA / preceding sectors:** the **backup GPT header** and a second copy of the entry array. → Data Recovery and Digital Forensics
Partition recovery
Rebuilding or relocating lost/corrupted partition entries (e.g., with TestDisk) so a volume becomes accessible again; a core *logical recovery* technique. *See also* TestDisk (Ch. 6). → Glossary
Partition table
The on-disk structure listing a disk's partitions and their boundaries — the four-entry table in the *MBR* or the GUID entries in *GPT*. Damage here makes volumes "disappear" while data remains intact (Ch. 4). → Glossary
partitions
contiguous ranges of sectors, each of which can hold one file system. The map of those ranges is the **partition table**, and it lives in the very first sectors of the disk. There are two schemes you will meet: the legacy **MBR** and the modern **GPT**. Recognizing and parsing both by hand is a base → Data Recovery and Digital Forensics
PCAP (packet capture)
A captured set of network packets (the `.pcap`/`.pcapng` format) produced by `tcpdump`/Wireshark; the raw material of *network forensics*, from which sessions and even transferred files can be reconstructed. *See also* deep packet inspection (Ch. 23). → Glossary
Per-chapter materials
`chapter-notes-01.md` … `chapter-notes-40.md` — objectives, what to emphasize, common misconceptions, timing/labs, anchor/theme tie-ins, and the progressive-project milestone for each chapter - `discussion-guide-01.md` … `discussion-guide-40.md` — 5–8 discussion prompts plus in-class activities and → Instructor Guide — Data Recovery and Digital Forensics
Persistence mechanism
How malware survives reboot: run keys, scheduled tasks, services, startup folders, WMI subscriptions, and more. Enumerating persistence is central to *malware forensics* and incident scoping (Ch. 32). → Glossary
person at the keyboard
neither of which the forensics establish — and to recalibrate it *before* cross, or to refuse to defend it *on* cross. This is precisely the analytical-gap leap that got the real expert's testimony excluded in Case Study 1. → Mock Trial Exercise Guide
personal photographs
a routine backup of her own data. → Data Recovery and Digital Forensics
Phase II practical exam
a take-home scenario with evidence that you analyze over a fixed window (historically around sixty days), producing answers that demonstrate you can actually run an examination, not just recall facts. Eligibility requires either authorized EnCase training (historically on the order of 64 hours) *or* → Data Recovery and Digital Forensics
Photo, Video, and Document Forensics
follows the *attachments* this chapter kept finding: you will read EXIF GPS and camera data, detect manipulated and AI-generated images, recover Office and PDF internal metadata, and authenticate media — the evidence type at the heart of anchor case #4, handled, as always, clinically. → Data Recovery and Digital Forensics
PhotoDNA
A Microsoft-developed *perceptual hash* technology that matches known *CSAM* images even after resizing or minor edits, used by providers and *NCMEC*. Referenced clinically as a detection/triage tool. *See also* hash set (Ch. 20; Ch. 28). → Glossary
Photograph and document the scene and screen state
powered-on, logged-in, what is displayed; begin the chain of custody. (Ch. 5, 14.) 3. **Do NOT power off / do NOT pull the plug** — if the drive is BitLocker-encrypted and currently unlocked, the volume key is in RAM; power-off purges it and (absent escrow) turns the disk into unreadable ciphertext. → Final Exam — Solutions
Photograph everything as received
the sealed bag, the labels, the device, its serial numbers, its condition — before you open anything. Photos timestamp the as-received state. - **Evidence labels** carry the case number, item number, a description, the seizing person, the date/time and location of seizure, and (once computed) the ac → Data Recovery and Digital Forensics
PhotoRec
A widely used open-source *file-carving* tool (companion to *TestDisk*) that recovers files by signature from images and damaged media independent of the file system. *See also* foremost, scalpel (Ch. 7). → Glossary
Physical Block Addresses (PBAs)
specific die, block, and page — where the data actually sits in NAND. Everything that makes flash usable as a disk, and everything that makes it hard to recover, is the FTL doing its job. → Data Recovery and Digital Forensics
Physical description and identity
manufacturer, model number, serial number, stated capacity, interface, and photographs of all labels and any visible damage. 2. **Media classification** — HDD, SSD, USB flash, SD/eMMC, or RAID member, with the evidence for your call (model-number decode, `lsblk ROTA`, ATA rotation rate, or physical → Data Recovery and Digital Forensics
Physical extraction
A mobile-acquisition level that captures a bit-for-bit image of the device's flash (including unallocated/deleted data) — the most complete and most difficult level, often blocked by encryption. Contrast *logical*/*file-system extraction* (Ch. 24). → Glossary
physical-configuration record
each drive's serial, the bay it occupied, the controller model, with a photograph; (2) a **per-member acquisition log** — image filename, hash, and `ddrescue` map for each disk; (3) a **reconstruction parameters block** — order, strip size, parity layout, and data offset, *and how you derived each* → Data Recovery and Digital Forensics
Plain view doctrine
The rule that incriminating items an officer lawfully positioned can see may be seized without a separate warrant; its application to digital searches is contested and scope-sensitive. *See also* scope (Ch. 25). → Glossary
plaso
*See* log2timeline / plaso (Ch. 21). → Glossary
Platter
The rigid magnetic disk inside an *HDD* on which data is stored; drives stack several, read by flying *heads*. Physical platter damage (a *head crash*) is among the hardest faults to recover (Ch. 3; Ch. 8). → Glossary
plist (property list)
Apple's structured configuration/metadata format (XML or binary) pervasive in macOS/iOS; a primary artifact source for settings, accounts, and app state. *See also* unified log (Ch. 17). → Glossary
powered, un-rebooted, and network-isolated
a reboot or dead battery drops it to BFU and re-locks the lot. - **iOS:** Secure Enclave UID + Data Protection classes; *encrypted* iTunes backups expose keychain + Health that plain backups omit; APFS snapshots can reveal prior states; **checkm8** owns A5–A11 (iPhone 4S–8/X), but **A12+ is a genuin → Data Recovery and Digital Forensics
practical examinations
you analyze provided test media and report your findings, mirroring real casework. It is a strong choice for private-sector examiners and career-changers who want a credible, defensible credential without an agency sponsoring the IACIS path. → Appendix I — Certification Roadmap
Practice images & datasets
the heart of all cert prep, since every one of these exams is ultimately hands-on. Curate from [Appendix J — Practice Images and Lab Setup](../appendices/appendix-j-practice-images-and-lab-setup.md): NIST CFReDS, Digital Corpora scenarios (e.g., *M57* and *Lone Wolf*), and community CTF images. Reus → Certification Mapping
practice only on data you are allowed to touch
practice images, your own disposable media, and public datasets — never on real evidence, never on data you do not own. → Data Recovery and Digital Forensics
Prefetch
Windows execution artifacts (`C:\Windows\Prefetch\*.pf`) that record an application's name, run count, the last several run times, and files it loaded — direct evidence that a program executed and when, even after deletion (Ch. 16). → Glossary
preponderance of the evidence
the judge does not simply take your word that your method is reliable. Second, subsection (d) — that the opinion must reflect a **reliable application** of the method to *this case's* facts — was strengthened specifically because some forensic experts had been **overstating their conclusions**, clai → Data Recovery and Digital Forensics
privacy coins
Monero's ring signatures, stealth addresses, and RingCT, and Zcash's shielded pools — honestly hard, sometimes leaky at the edges and in older data, and best attacked off-chain. You ran the whole method against the ransomware anchor, following a payment from the ransom address through a cluster, a p → Data Recovery and Digital Forensics
private + RWX + `4D 5A` (MZ)
a lead, not a verdict | | `ldrmodules` | Reflective DLL injection | `False/False/False` across the 3 PEB lists, **no path** | | `pstree`+`cmdline` | Process hollowing | wrong parent, wrong path, no `-k`; in-memory image ≠ on-disk binary | | `modules` vs `modscan` | Kernel rootkit | scan finds a driv → Data Recovery and Digital Forensics
Private key
The secret that controls a cryptocurrency address (or unlocks asymmetric encryption); whoever holds it controls the funds. Recovering or seizing keys (often via a *seed phrase*) is decisive in crypto investigations (Ch. 33; Ch. 29). → Glossary
PRNU (Photo-Response Non-Uniformity)
The unique sensor-noise fingerprint of a specific camera, usable to tie an image to a device or to detect manipulation — a deeper image-forensics technique. *See also* ELA, deepfake (Ch. 20; Ch. 35). → Glossary
Producing a passcode is testimonial
it reveals the contents of your mind. Compelling it implicates the Fifth. - **The foregone conclusion doctrine** is the key exception. From *Fisher v. United States*, 425 U.S. 391 (1976): if the government **already knows** the existence, location, and authenticity of the material, the act of produc → Appendix E — Legal Frameworks Reference
profile
a pre-built description of a specific operating-system build's kernel structures (e.g., `Win10x64_19041`, `Win7SP1x64`, `LinuxUbuntu...x64`). You tell it the profile (or let `imageinfo`/`kdbgscan` suggest one), and it knows where the fields live. Profiles are a strength (self-contained) and a weakne → Data Recovery and Digital Forensics
Program/erase (P/E) cycle
One write-then-erase of a flash *block*; NAND endures a finite number (hundreds to tens of thousands depending on *SLC/MLC/TLC/QLC*) before wearing out, which *wear leveling* spreads evenly (Ch. 3). → Glossary
property lists
"plists." A plist is a structured key/value document, and it comes in two on-disk formats you must recognize. **XML plists** are human-readable text beginning ``. **Binary plists** are compact and begin with the magic `bplist00`: → Data Recovery and Digital Forensics
proportional
image and analyze the subject laptop and the custodian's accounts, not every device MHA owns. Under **Rule 34**, plan to produce responsive ESI in a form that preserves metadata (native-with-metadata), because the *timestamps* are the case. → Data Recovery and Digital Forensics
proportionately
never confusing the `jokafor` account with a human operator, "consistent with" with "stole," or your role with the court's; and **survive cross-examination** by pointing every answer back to a discipline already in the report. If the container-vs-acquisition hash distinction, the `$SI`-vs-`$FN` time → Data Recovery and Digital Forensics
Proprietary, undocumented formats
you will reverse-engineer schemas no one published, and they change between firmware versions. - **No standard tooling** — a few commercial tools cover high-value targets (Berla iVe for vehicles); the long tail needs a logic analyzer, a chip programmer, `binwalk`, and your own scripts. - **Volatile, → Data Recovery and Digital Forensics
protectors
a password through a KDF, a recovery key, a TPM sealed to boot measurements, a startup key — and the strength of the whole is the strength of the *weakest enabled protector*. You learned to recognize the four systems on sight: **BitLocker** by its `-FVE-FS-` signature, 48-digit recovery password, an → Data Recovery and Digital Forensics
protects the original
its write-blockers, its working-copy workflow, and its evidence storage exist so that the thing you analyze is provably identical to the thing that was seized, and the thing that was seized is never altered. It **preserves integrity over time** — its hashing, its redundant and immutable storage, its → Data Recovery and Digital Forensics
prove the real
from interrogating pixels to establishing *provenance*, the cryptographically verifiable history of a piece of media. This is the durable, fourth-theme answer: you cannot win a pixel arms race forever, but you can build a chain of evidence about where media came from, and *that* is exactly the kind → Data Recovery and Digital Forensics
Provenance
The documented origin and history of a piece of evidence, established by *chain of custody*, hashing, and *acquisition* records. *See also* authentication (Ch. 5). → Glossary
PST / OST
Microsoft Outlook mail stores: **PST** (Personal Storage Table) is an exportable archive; **OST** (Offline Storage Table) is a synced cache of a server mailbox. Both are major email-forensics containers. *See also* MBOX (Ch. 19). → Glossary
pull the plug over graceful shutdown
you would rather repair a journaling file system than let a wiper run — but you make that call consciously, after you have captured the volatile evidence that the power-off will destroy. → Data Recovery and Digital Forensics

Q

QLC (Quad-Level Cell)
*See* SLC/MLC/TLC/QLC (Ch. 3). → Glossary
qualifications
education, training, certifications, experience, prior testimony, publications, professional memberships — usually walking through your *curriculum vitae* (CV), which is itself marked as an exhibit. Then, before you are permitted to give opinions, opposing counsel may conduct **voir dire of the expe → Data Recovery and Digital Forensics
qualifications proffer
the CV and short narrative your attorney would use to qualify you, including *nothing* you could not document, with certifications drawn from [Appendix I](../../appendices/appendix-i-certification-roadmap.md); (2) a **red-team of your own report** — every attack and your honest answer, with each ove → Data Recovery and Digital Forensics
qualified as an expert
the gatekeeping process of [Chapter 27](../../part-4-legal-framework-and-reporting/chapter-27-expert-testimony/index.md), where the court decides whether a witness's training and experience let his opinions reach the jury. On direct, the prosecutor walked him through his CV, and his certifications w → Data Recovery and Digital Forensics
quick format
NTFS wrote a fresh, nearly empty Master File Table and marked the volume's clusters as free, but it did not overwrite the old data, and crucially it did not zero the old metadata that NTFS keeps scattered through the volume. A full format that wrote zeros across 2 TB would have taken hours and told → Data Recovery and Digital Forensics
Quick format vs. full format
A **quick** format rewrites only the file-system structures, leaving most user data intact and recoverable; a **full** format also reads/zeroes the data area (and on SSDs may issue *TRIM*), often making recovery impossible. The distinction decides whether the wedding-photos case is recoverable. *See → Glossary

R

RAID
Redundant Array of Independent Disks — combines several disks into one logical volume to gain speed, fault tolerance, or both. RAID is everywhere a recovery or IR professional works: file servers, NAS boxes, virtualization hosts, video-surveillance recorders, databases. And RAID generates a distinct → Data Recovery and Digital Forensics
RAID (Redundant Array of Independent Disks)
Combining multiple disks for performance, capacity, and/or redundancy. Recovery requires determining the array's parameters (level, disk order, *stripe* size, *parity* rotation, start offset) and reconstructing the virtual volume. *See also* parity, JBOD (Ch. 10; Ch. 3). → Glossary
RAID 0
now solve order and strip size. Do not confuse RAID 10 with **RAID 01** (0+1, *stripe first, then mirror*), which is less resilient and rarer; a single disk loss in RAID 01 degrades an entire stripe set, and a second loss in the *other* set kills the array. → Data Recovery and Digital Forensics
RAID levels
Common layouts: **RAID 0** stripes for speed/capacity with no redundancy (any disk loss = total loss); **RAID 1** mirrors; **RAID 5** stripes with single distributed *parity* (survives one failure); **RAID 6** adds dual parity (survives two); **RAID 10** mirrors then stripes. (See the quick-referenc → Glossary
RAID Recovery
leaves the single device behind for the array: how data is striped, mirrored, and parity-protected across multiple disks, how to determine an unknown RAID's parameters (level, stripe size, disk order, rotation) from the data itself, and how to virtually reconstruct an array — including the recurring → Data Recovery and Digital Forensics
RAM (Random Access Memory)
Fast volatile working memory cleared on power loss; the subject of *memory forensics* and the highest priority in the *order of volatility*. *See also* memory dump (Ch. 22; Ch. 15). → Glossary
RAM slack
*See* slack space (Ch. 2). → Glossary
Ransomware
Malware that encrypts (or steals and threatens to leak) a victim's data and demands payment. Recovery without a current *backup* is partial at best — shadow copies (often deleted by the malware), unencrypted slack, and stale backups — driving the prevention lesson home. *See also* decryptor, Volume → Glossary
Ransomware Recovery
moves from a single locked phone to a whole locked business: the third anchor case, where there is no current backup, the shadow copies are gone, and you must recover what you can from unencrypted slack, a stale external backup, and hard choices — proving once more that the cheapest recovery is the → Data Recovery and Digital Forensics
Raw image (dd image)
A forensic image that is a plain, uncompressed, byte-for-byte copy of the source with no embedded metadata (often `.dd`/`.raw`/`.img`, sometimes split). Universally readable; contrast *E01*. *See also* forensic image (Ch. 14). → Glossary
RCS
the carrier-grade successor to SMS, used by Google Messages — is stored separately in `bugle_db` (`/data/data/com.google.android.apps.messaging/databases/`), and examiners who only parse `mmssms.db` *miss the RCS conversations entirely*, a common and costly oversight on current Androids. → Data Recovery and Digital Forensics
read-only
the original is sacred, and merely pointing a default `sqlite3` connection at the evidence can checkpoint the WAL and change both the file and its hash. → Data Recovery and Digital Forensics
Read/write head
The tiny transducer that magnetically reads and writes data on an HDD *platter*, flying microns above the surface on an air bearing. *See also* head crash, head swap (Ch. 3; Ch. 8). → Glossary
Reallocated sector
A *bad sector* the drive has remapped to a spare from its reserve (tracked in the **G-list**; factory defects in the **P-list**). A growing reallocated count signals imminent failure. *See also* SMART (Ch. 8). → Glossary
reasonably anticipated
often before a complaint is filed. The seminal guidance is the *Zubulake v. UBS Warburg* line (S.D.N.Y. 2003–04), especially *Zubulake IV* (duty + scope) and *Zubulake V* (counsel's duty to monitor the hold). → Appendix E — Legal Frameworks Reference
Receive the assignment
document scope and authority ([Ch. 25](../part-4-legal-framework-and-reporting/chapter-25-the-legal-framework/index.md)). (2) **Acquire** — write-blocked forensic image, dual-hash (MD5 + SHA-256), open the chain of custody ([Ch. 14](../part-3-digital-forensics/chapter-14-forensic-acquisition/index.m → Answers to Selected Exercises
Received header
The chronological trail of `Received:` lines added by each mail server an email passes through (read bottom-up); the most reliable evidence of an email's true path and origin. *See also* email header (Ch. 19). → Glossary
Reconstruct network activity
exfiltration, beaconing, tunneling — from full packet capture and structured logs, while stating the content-vs-metadata limits. *(Ch. 23)* 6. **Triage a malware sample safely** and produce a documented IOC set mapped to MITRE ATT&CK. *(Ch. 32)* 7. **Build a UTC-normalized supertimeline** and detect → Syllabus — Incident Response track
Record the result in a tool-validation log
tool, version, function, method, result, date. 4. **Validate your write protection.** If you have a hardware blocker, run the Chapter 14 validation drill and log it; if you are using software read-only, document the exact commands/settings you rely on and confirm a forced write fails. 5. **Write two → Data Recovery and Digital Forensics
recoverable
persists until overwritten | | **SSD** | trapped charge in a NAND cell | controller death, NAND wear-out, sudden-power-loss FTL corruption, charge fade | **maybe gone** — TRIM + garbage collection can erase it in minutes | | **Flash (USB/SD)** | trapped charge in NAND | controller death, fake-capaci → Data Recovery and Digital Forensics
recovery
minded professional helping a client account for scattered self-custodied funds can use the same common-input and change heuristics to *reconstruct the client's own wallet history* — discovering forgotten change addresses, mapping which of a dozen wallet apps produced which outputs, and assembling a → Data Recovery and Digital Forensics
Recovery key
A backup credential (e.g., BitLocker's 48-digit key, a FileVault recovery key) that unlocks an encrypted volume without the user's password; obtaining it is often the path into encrypted evidence. *See also* full-disk encryption (Ch. 29). → Glossary
recovery password
a 48-digit numerical key, displayed as eight groups of six digits, each group divisible by 11 (a built-in checksum) and identified by a **Recovery Key ID** (a GUID). Critically for forensics, in managed environments this key is *escrowed*: pushed into **Active Directory** (stored on the computer obj → Data Recovery and Digital Forensics
redirect examination
a chance to repair any damage and let you restore context the cross stripped away. Redirect is where a concession that *sounded* damaging gets explained: "On cross you agreed MD5 collisions exist — can you explain why that does not affect your conclusion in this case?" lets you walk the jury, calmly → Data Recovery and Digital Forensics
Registry (Windows Registry)
Windows's hierarchical configuration database, stored in *hives*, that records system and user settings and an enormous range of forensic artifacts (devices, programs, recent files, network history). *See also* registry hive (Ch. 16). → Glossary
Registry hive
A file holding part of the registry: system hives `SYSTEM`, `SOFTWARE`, `SAM`, `SECURITY` (in `C:\Windows\System32\config\`) and the per-user `NTUSER.DAT`/`USRCLASS.DAT`. Each key carries a *FILETIME* last-write time useful in timelines (Ch. 16). → Glossary
Registry Run keys
`HKCU\...\CurrentVersion\Run` and `HKLM\...\Run`; **Windows Service** — `HKLM\SYSTEM\CurrentControlSet\Services\\ImagePath`, plus Event ID 7045; **Scheduled Task** — `C:\Windows\System32\Tasks\` and the `TaskCache` registry / `schtasks /query`; **WMI event subscription** — `root\subscrip → Data Recovery and Digital Forensics
Reissue and monitor
holds are not "set and forget." 6. **Document** every step (your future defense to a Rule 37(e) motion). → Appendix E — Legal Frameworks Reference
[Appendix A — File Signatures Reference](appendix-a-file-signatures-reference.md): magic numbers for carving the files these artifacts point to. - [Appendix B — Python Forensics Toolkit](appendix-b-python-forensics-toolkit.md): scripts to parse timestamps, registry, and SQLite stores. - [Appendix C → Appendix D — Forensic Artifact Locations
REMnux
a Linux distribution by Lenny Zeltser preloaded with static-analysis and network-emulation tools (`strings`, `yara`, `ssdeep`, `pefile`, `readelf`, `oletools`, `INetSim`, and dozens more). It is the default environment for triaging a sample without Windows in the loop. - **FLARE-VM** — a Windows ana → Data Recovery and Digital Forensics
Reproducibility
The requirement that another competent examiner, given the same evidence and your documented method, can reach the same result. The scientific backbone of the *forensic report* and *Daubert* admissibility (Ch. 26; Ch. 5). → Glossary
reproducibility standard
i.e., it names the independent examiner who must be able to understand, evaluate, and reproduce the work. Then list the three things that definition deliberately *excludes* (it is not a narrative of your adventure, not a transcript of every command, not an argument for one side), and explain in two → Data Recovery and Digital Forensics
rescued victims and arrested offenders worldwide
an investigation conducted, like all such work, by following money and metadata, never by viewing or describing content. Handled this clinically and only this way: the procedure is *trace the payment → cluster → reach the chokepoint → subpoena the identity*; the law includes the mandatory-reporting → Data Recovery and Digital Forensics
resident
the content sits *inside the MFT record itself*, right after the attribute header. For files under roughly 700–900 bytes (whatever fits in the leftover space of the 1024-byte record), the entire file *is* the MFT entry. This has a delightful recovery consequence: recovering a small deleted text file → Data Recovery and Digital Forensics
Resident attribute
An NTFS *attribute* small enough to be stored inside its MFT record (small files' data, names, standard info). Contrast *non-resident attribute* (Ch. 4). → Glossary
Restore from a known-good, offline backup
most reliable; the only true cure. (2) **Volume Shadow Copies / system snapshots** — reliable *if* the malware didn't delete them (it usually tries). (3) **A free, legitimate decryptor** (e.g., No More Ransom) — reliable only for cracked/older families. (4) **Carving and recovering unencrypted remna → Answers to Selected Exercises
retain a qualified examiner and document why
and to be the attorney or paralegal who knows exactly what to ask them for. → Syllabus — eDiscovery for Paralegals and Attorneys
Retention
every cloud log has a clock (Entra ≈30 days, M365 UAL 180 days–1 year, CloudTrail event history 90 days), so the record may have aged out and been deleted by policy. (2) **Default-off / unlicensed logging** — the telemetry may never have been generated at all (M365 auditing not enabled, AWS/GCP data → Data Recovery and Digital Forensics
Rootkit
Malware that hides its presence by subverting the OS (hooking, driver-level concealment), often invisible to the live system but exposed by *memory forensics* and offline disk analysis. *See also* malfind (Ch. 32; Ch. 22). → Glossary
Rule out the cheap stuff first
cables, ports, enclosures, power. Pulling a drive out of a dead external enclosure is the highest-yield five-minute test in the business. → Data Recovery and Digital Forensics

S

SAN (Storage Area Network)
A high-speed network presenting block-level storage to servers as if locally attached; acquisition usually targets the logical volumes (LUNs) rather than raw disks. *See also* NAS, RAID (Ch. 3). → Glossary
Sandbox
An isolated, instrumented environment for *dynamic analysis*, where suspected malware is detonated to observe its behavior (files, registry, network) without risking real systems. *See also* malware forensics (Ch. 32). → Glossary
SANS DFIR Summit
widely regarded as the premier DFIR-specific gathering, with talks that set the year's agenda. - **Techno Security & Digital Forensics Conference** — a long-running, practitioner-and-vendor-heavy event. - **Magnet Summit** and the **Cellebrite** user events — vendor conferences that are nonetheless → Data Recovery and Digital Forensics
scalpel / foremost
Open-source *file-carving* tools driven by a configurable signature database (headers/footers). Fast and scriptable; weaker on *fragmentation* than structure-aware carvers. *See also* PhotoRec (Ch. 7). → Glossary
Scope
The lawful and practical boundaries of a search — what a *warrant* or *consent* authorizes you to examine. Staying within scope (and recognizing when you have exceeded it) is both a legal and an ethical duty, especially on inadvertent discovery. *See also* plain view (Ch. 25; Ch. 28). → Glossary
screen buffer
the commands typed **and** the output the system printed back? - A) `cmdscan` - B) `cmdline` - C) `consoles` - D) `clipboard` → Data Recovery and Digital Forensics
Search warrant
*United States v. Warshak*, 631 F.3d 266 (6th Cir. 2010) held email content has Fourth Amendment protection; DOJ policy now uses warrants for content nationwide | → Appendix E — Legal Frameworks Reference
second fault while the array is already degraded
before the rebuild completes there is zero redundancy, which is why large RAID-5 arrays are dangerous (rebuild time + unrecoverable-read-error probability) and why RAID 6 (two-fault tolerance) exists. → Answers to Selected Exercises
Secondary trauma
The psychological harm examiners can suffer from repeated exposure to disturbing material (especially *CSAM* cases); managing it is a professional and ethical responsibility, not a weakness. *See also* ethics (Ch. 28). → Glossary
seconds since midnight, January 1, 1904 UTC
the QuickTime epoch, which predates the Unix epoch by 2,082,844,800 seconds. Convert with that constant in mind: → Data Recovery and Digital Forensics
Section 0
put `forensic_utils.py` on your `PYTHONPATH` (or in the same folder) before running any other script. - Sample outputs shown in `text` blocks are **illustrative** (hand-constructed, internally consistent) — they show you the *shape* of the result, not a real run. → Appendix B — Python Forensics Toolkit
sections
named regions like `.text` (executable code), `.rdata` (read-only data and the import directory), `.data` (writable data), `.rsrc` (resources), and `.reloc` (relocations) — each with a virtual address, a raw size, and characteristics flags. → Data Recovery and Digital Forensics
Sector
The smallest physically addressable unit of a disk, classically 512 bytes (4,096 on *Advanced Format*). Sectors are grouped into *clusters* by the file system; byte offset = sector × sector size. *See also* LBA (Ch. 2). → Glossary
sector 2048
that offset feeds every later command via `-o 2048`. → Data Recovery and Digital Forensics
Secure deletion
wiping — is the deliberate attempt to defeat that: to actually overwrite the data so the pointer leads nowhere and the bytes are gone. Understanding wiping is therefore understanding the one operation that genuinely defeats recovery, and recognizing it is a core skill for both disciplines. → Data Recovery and Digital Forensics
Secure deletion (wiping)
Deliberately overwriting data (or cryptographically erasing the key) so it cannot be recovered — the legitimate counterpart and the *anti-forensic* abuse. Effective wiping defeats recovery; on flash, *cryptographic erase* is the reliable method. *See also* data remanence, Gutmann method (Ch. 30). → Glossary
Secure Enclave
A dedicated security coprocessor in Apple devices that manages encryption keys and biometrics in isolation from the main OS, making key extraction infeasible without exploiting it. *See also* BFU/AFU, checkm8 (Ch. 24; Ch. 29). → Glossary
Seed phrase (mnemonic / recovery phrase)
A human-readable list of 12–24 words that deterministically regenerates a crypto wallet's *private keys*; finding one (on paper, in a note, in a screenshot) hands an investigator the wallet. *See also* wallet (Ch. 33). → Glossary
semicircle
to-degrees formula, and the **GPS-time** caveat (how many leap seconds, in which direction relative to UTC). In one sentence, explain why you would bake every one of these into a reusable, tested function rather than converting by hand in each case. → Data Recovery and Digital Forensics
Server-side logs of an action the workstation took
an authentication to a domain controller, a file written to a network share, a DHCP lease. The server's clock is your reference. - **Windows event ID 4616, "The system time was changed."** This event records *that* the clock was altered, *by whom*, and the old and new values. A 4616 (especially one → Data Recovery and Digital Forensics
Service area
The reserved, firmware-controlled region of a hard drive (outside the user area) holding the drive's microcode, adaptive parameters, and defect lists (*P-list*/*G-list*). Corruption here bricks a healthy drive; specialists repair it to regain access (Ch. 8). → Glossary
Service providers
DFIR consultancies, eDiscovery vendors, and recovery labs — offer the widest variety of cases, the steepest learning curve, and the highest private-sector pay, in exchange for billable-hour pressure, travel, on-call incident tempo, and up-or-out cultures. **Independent practice** offers autonomy and → Data Recovery and Digital Forensics
SHA-1
gold for catching malicious/unsigned drivers | | `Root\File\` | Older (pre-Win10 1607) file-entry format | → Appendix D — Forensic Artifact Locations
SHA-1 (Secure Hash Algorithm 1)
A 160-bit hash (40 hex characters). Collision-broken (2017) and deprecated for integrity, but still seen in legacy tools and used by *AmCache*. *See also* hash collision (Ch. 5). → Glossary
SHA-256
A 256-bit hash from the SHA-2 family (64 hex characters), the current standard for forensic integrity because no practical collisions exist. The recommended verification hash for images and exhibits. *See also* hash verification (Ch. 5). → Glossary
Share
copy and redistribute the material in any medium or format. - **Adapt** — remix, transform, and build upon the material for any purpose, even commercially. → License
ShellBags
Registry artifacts (in `USRCLASS.DAT`/`NTUSER.DAT`) recording folders a user has browsed in Explorer — including folders on removable or now-deleted media — evidencing knowledge and access (Ch. 16). → Glossary
ShimCache (AppCompatCache)
A Windows compatibility cache in the `SYSTEM` hive listing executables the system encountered, with paths and (on some versions) timestamps — evidence of *presence* (not necessarily execution). *See also* AmCache (Ch. 16). → Glossary
signature
a short, fixed sequence of bytes near the start of the file that announces "I am a file of type X." These signatures are also called **magic numbers**, a term that goes back to early Unix, where the `file` command identified file types by consulting a database of these patterns (today that database → Data Recovery and Digital Forensics
signature analysis
comparing each file's *content* magic number against its *claimed* extension. A "`.jpg`" whose first bytes are `50 4B 03 04` is a ZIP archive, not an image. Autopsy's "Extension Mismatch Detected" module and the Unix `file` command do this automatically; the magic-number reference is [Appendix A — F → Data Recovery and Digital Forensics
silent
platforms routinely strip credentials, so it neither indicts nor exonerates - D) The video was therefore never edited → Data Recovery and Digital Forensics
SIM (Subscriber Identity Module)
The card identifying a mobile subscriber to the carrier (storing the IMSI, some contacts/SMS); distinct from the handset's *IMEI*. A small but useful evidence source (Ch. 24). → Glossary
single MD5
of the recovered output folder, not of the source drive. The intake log names who received the drive but contains a **three-day gap with no entries and no transfer signatures**. While searching (the engagement scope covered only invoice-fraud records) she opened an unrelated folder, encountered an a → Final Exam
Single-pass overwrite
write zeros, or a single pass of random data, across every sector once. Fast, simple, and — on modern drives — sufficient. - **DoD 5220.22-M** — the U.S. Department of Defense's old National Industrial Security Program standard, popularly cited as a "3-pass" wipe: pass 1 writes a fixed character, pa → Data Recovery and Digital Forensics
six parameters
member set, disk order, strip size, parity layout, start offset, and special rules — and virtual reconstruction is the disciplined process of discovering all six and assembling the volume in software, from images of the bare disks, without the original controller. The level dictates the redundancy b → Data Recovery and Digital Forensics
size
so you always know where the file *began* and how big it was. But the **chain is gone**. For a **contiguous** file, that is no problem: start at the first cluster, read `size` bytes' worth of consecutive clusters, done — trivial, reliable recovery. For a **fragmented** file, you have lost the map of → Data Recovery and Digital Forensics
Slack space
Unused bytes between the logical end of a file and the end of its last allocated *cluster*; **RAM/file slack** is the gap to the sector end (historically padded with memory contents), **drive slack** the remaining sectors of the cluster. Slack can preserve fragments of previously deleted files — a c → Glossary
SLC / MLC / TLC / QLC
NAND cell densities storing 1, 2, 3, or 4 bits per cell. More bits per cell means cheaper and denser but slower, less durable (fewer *P/E cycles*), and harder to read reliably. *See also* NAND flash (Ch. 3). → Glossary
Sleuth Kit, The (TSK)
The open-source command-line forensic library/toolset (`mmls`, `fls`, `icat`, `fsstat`, `blkls`, `mactime`) underlying *Autopsy* and much else. *See also* bodyfile (Ch. 36). → Glossary
SMART
the drive's self-recorded health log, and a perfect illustration of theme #3, *every action leaves a trace*: the drive quietly journals its own decline. For a hard drive, watch the reallocation and pending counts: → Data Recovery and Digital Forensics
snaplen
and say whether this capture truncates packets. (c) Give the **linktype** number and what it means. (d) The 16-byte record header begins at offset `0x18`: assemble `ts_sec`, convert it to a UTC date and time, decode `ts_usec` to microseconds, and compare `incl_len` to `orig_len` to confirm the first → Data Recovery and Digital Forensics
snapshots
created constantly by Time Machine — preserve entire prior states of the volume, so a "deleted" file is often sitting intact in a snapshot from an hour ago. Around the file system, macOS layers an unusually rich set of activity stores: **Spotlight** metadata (including `kMDItemWhereFroms` download p → Data Recovery and Digital Forensics
SNI
the server name the client requested in cleartext during the TLS handshake — so even when the payload is encrypted, the *intended destination* is usually visible. And `dns.qry.name` shows the name lookups that precede the connection. Encryption hides *what was said*; it rarely hides *who was contact → Data Recovery and Digital Forensics
Something you know
a password, passphrase, or PIN. Run through a deliberately slow **key derivation function (KDF)** — PBKDF2, Argon2, scrypt, or bcrypt — that stretches the secret into a wrapping key while imposing a heavy per-guess cost. The KDF is the only thing standing between a weak password and an attacker, whi → Data Recovery and Digital Forensics
source attribution and user attribution
what this book calls the at-the-keyboard problem. Your examination can attribute activity to a *device* and a *user account*: "these files were created under the user profile `jdoe` on this laptop, during sessions on these dates." It cannot, on its own, attribute activity to a *human being's hands*, → Data Recovery and Digital Forensics
Source attribution vs. user attribution
the "at-the-keyboard problem" — is the deepest form of the cardinal rule. (a) Define each in one sentence. (b) Explain, with three concrete examples, why your examination can reach the *device-and-account* level but not the *human-hands* level (think shared accounts, known passwords, unlocked machin → Data Recovery and Digital Forensics
special master
saying what it reviews, what it removes, and what it passes on. Then state the examiner's three duties when privilege is in play (recognize it, follow the protocol scrupulously, and stop-and-flag if you hit apparently privileged material *outside* a protocol), and explain the chapter's framing that → Data Recovery and Digital Forensics
specialization plus credibility beats hours
generalists are paid for time, specialists for scarcity. Verify against *this year's*, *your-city*, *your-role* data before you negotiate. → Data Recovery and Digital Forensics
Speculation / unsupported inference
"probably shared them too" (no evidence cited) and "to hide his guilt" (a mental-state claim, see FRE 704(b)). 2. **Legal conclusion** — "his guilt" is the jury's question, not the examiner's. 3. **Emotive / characterizing language** — "obviously," "disgusting." → Answers to Selected Exercises
SPF (Sender Policy Framework)
A DNS-based email-authentication mechanism declaring which servers may send for a domain; with *DKIM* and DMARC, used to judge whether a message is forged (Ch. 19). → Glossary
SPF failed
the sending IP was not authorized for the envelope domain `ferro-supply-billing.com`. **DKIM was absent.** And **DMARC failed** against the *real* `ferrosteel.com`. Two domains were in play: the envelope `Return-Path` used a lookalike (`ferro-supply-billing.com`), while the visible `From:` displayed → Data Recovery and Digital Forensics
Spoliation
The destruction, alteration, or failure to preserve relevant evidence; in litigation it can trigger sanctions (FRCP 37(e)) up to an adverse-inference instruction. The legal teeth behind the *litigation hold*. *See also* eDiscovery (Ch. 25). → Glossary
SQLCipher
a transparently AES-256-encrypted SQLite. The database key is stored encrypted in `shared_prefs`, wrapped by a key held in the **Android Keystore**, which on modern phones is backed by hardware (a TEE or secure element) and does not leave the chip. Practically: without the unlocked, cooperating devi → Data Recovery and Digital Forensics
SQLite
A self-contained, file-based database used pervasively by browsers, phones, and apps (history, messages, contacts). A central skill is parsing SQLite — including recovering deleted rows from freelist pages and write-ahead logs. *See also* browser history (Ch. 18; Ch. 24). → Glossary
SQLite database
Chrome in a file named `History`, Firefox in `places.sqlite`. Private/incognito mode does **not** protect against (any one): DNS cache entries, traffic seen by the network/router/proxy or ISP, server-side and corporate logs, **RAM** (recoverable via memory forensics), or files actually downloaded/sa → Midterm Exam — Solutions
SQLite forensically
copy the WAL trio (`History`, `History-wal`, `History-shm`) together, open read-only, never let the engine checkpoint; parse the Chromium four (`History`, `Cookies`, `Login Data`, `Web Data`), Firefox (`places.sqlite`, `cookies.sqlite`, `formhistory.sqlite`), and Safari (`History.db`, `Cookies.binar → Chapter 18 — Teaching Notes (Browser and Internet Forensics)
SRUM
the System Resource Usage Monitor database `C:\Windows\System32\sru\SRUDB.dat`, a Windows artifact from Chapter 16 — logs bytes sent and received *per application per user*, so it can show `chrome.exe` transferred hundreds of megabytes during a window when "nothing happened." And the **network** nev → Data Recovery and Digital Forensics
SSD and Flash Recovery
leaves the spinning platter behind for a medium with no heads to crash and no motor to seize, but its own far stranger obstacles: the flash translation layer, wear leveling, garbage collection, and the TRIM command that can make deleted data genuinely, permanently unrecoverable in a way no hard driv → Data Recovery and Digital Forensics
stablecoins
`USDT` (Tether) and `USDC` (Circle) — as ERC-20 tokens, because they hold a steady dollar value. The leverage is that these are *centralized* tokens: the issuers can **freeze and blacklist** addresses. Tether and Circle have frozen hundreds of millions of dollars at law-enforcement request, which is → Data Recovery and Digital Forensics
stale
a disk that dropped out earlier while the array kept running, so its data is an older, internally consistent snapshot. Including a stale member is as bad as including a wrong disk: the file system mounts and quietly serves *old* file contents from that disk's strips. Stale members are betrayed by ** → Data Recovery and Digital Forensics
Static vs. dynamic analysis
The two halves of *malware forensics*: **static** examines a sample without running it (strings, headers, disassembly, *YARA*); **dynamic** runs it in a *sandbox* to observe behavior. Used together (Ch. 32). → Glossary
Steganalysis
statistical detection — exists: the chi-square attack and RS analysis detect the statistical fingerprints that LSB embedding leaves, and tools such as `StegExpose`, `zsteg` (PNG/BMP), `stegdetect` (JSteg/JPHide/OutGuess), and ML-based `Aletheia` automate it. But low-payload, passphrase-protected, we → Data Recovery and Digital Forensics
Steganography
Concealing data inside an innocuous carrier (image, audio, document) so its very existence is hidden — an *anti-forensic* and data-exfiltration technique detectable by statistical and tool-based analysis. *See also* anti-forensics (Ch. 30; Ch. 20). → Glossary
still actively running and encrypting
the share was mounted there, and the encryption was crawling through it folder by folder. On **WS-05**, across the studio, a panicked employee had already done the "obvious" thing: held the power button until the machine died, "to stop it." → Data Recovery and Digital Forensics
STOP
one apparent item triggers the duty; confirming the crime is not your job. **DO NOT COPY** — reproduction/possession can be felonies (18 U.S.C. §2252/§2252A). **PRESERVE · ISOLATE · DOCUMENT** (path, hash, time, method — *never* content) **& ESCALATE** now. - **§2258A's** CyberTipline duty binds *pr → Data Recovery and Digital Forensics
stop using this drive immediately
don't save to it, don't 'repair' it, ideally don't even leave it plugged in — because every new file the computer writes could land on top of a photo and overwrite it for good. Bring it to me as it is, and we image it first so we're always working on a copy, never the only surviving original." This → Answers to Selected Exercises
stop, document, investigate.
The **hash proves the bits**; the **chain of custody proves the people.** Courts demand both. Labels, photographs, anti-static and Faraday bags, numbered tamper-evident seals, locked storage, and a transfer log with no gaps: *if it isn't documented, it didn't happen.* → Data Recovery and Digital Forensics
Storage & file systems
[Ch. 2 (data storage)](../part-1-foundations/chapter-02-how-data-is-stored/index.md) · [Ch. 3 (storage tech/RAID)](../part-1-foundations/chapter-03-storage-technology/index.md) · [Ch. 4 (file systems)](../part-1-foundations/chapter-04-file-systems/index.md) - **Process, acquisition, hashing** — [Ch. → Appendix C — Tool Reference
Storage Technology
takes the bit-level physics you just learned and builds out the full machines: the mechanical anatomy of hard drives (platters, heads, actuators, the PCB) and their failure modes, the internal architecture of SSDs (controller, NAND, DRAM, the FTL) and how flash wears out, and the multi-disk worlds o → Data Recovery and Digital Forensics
Stripe
A set of blocks written across the members of a striped *RAID* array; the **stripe size** (block per disk) and the rotation of data/*parity* are parameters you must recover to rebuild the array. *See also* RAID levels (Ch. 10). → Glossary
StrongBox
a dedicated tamper-resistant security chip (for example, Google's Titan M/M2) — with **Weaver**/Gatekeeper throttling that enforces attempt limits in hardware, exactly the way the Secure Enclave does. → Data Recovery and Digital Forensics
Subpoena
A legal demand to produce records or testimony; for stored communications, the level of process required (subpoena vs. court order vs. *warrant*) depends on the data and the *SCA/ECPA*. *See also* CLOUD Act (Ch. 25; Ch. 31). → Glossary
subrogation
sued the recovery shop, alleging that the shop's "negligent handling destroyed recoverable records," a **spoliation** theory: that a party who had a duty to preserve evidence had instead destroyed it. → Data Recovery and Digital Forensics
sudden power-loss corruption
exactly as the chapter describes it. The flash pages holding the engineer's files were, in all likelihood, sitting intact in the NAND. But the mapping table that translates "the file system's view" into "this physical page on that die" had been corrupted mid-update, and without a coherent FTL the ra → Data Recovery and Digital Forensics
Super-timeline
A single chronological list merging every dated event from every source (file system, registry, logs, browser, email, metadata), normalized to one time standard (UTC). The synthesis that turns isolated artifacts into a provable sequence. *See also* MACB, plaso (Ch. 21). → Glossary
Symmetric encryption
AES (Advanced Encryption Standard), or stream ciphers like ChaCha20 and Salsa20 — uses *one* key for both locking and unlocking. It is extremely fast: a modern CPU with the AES-NI instruction set encrypts gigabytes per second. That speed is exactly what ransomware wants, because it needs to encrypt → Data Recovery and Digital Forensics
sync database
folder/file tree, IDs, sync state | | `.ini` / `ClientPolicy*.ini` | Maps the **account to its `cid`** (and tenant/email) | | `ObfuscationStringMap.txt` (or `general.keystore`) | The **key that de-obfuscates the `.odl`** activity logs | | `*.odl` / `*.aodl` (in `logs\`) | The obfuscated **activ → Answers to Selected Exercises
System Event
exported to Cloud Logging and onward to BigQuery for retention. The names differ; the model — a control-plane log that is on by default, a data-plane log that is not, and a retention clock you must beat — is identical across all three. *Technology changes, principles don't.* → Data Recovery and Digital Forensics

T

tamper-evident
what binds the claim to the pixels, and what a validator reports when the pixels are altered. (c) State plainly what a **valid** credential, a **failed** validation, and an **absent** credential each mean for your finding — and why "no credential" must never become "therefore fake." **(answer in App → Data Recovery and Digital Forensics
Targets only
*collect* the artifacts to external media — and you run the **Modules later, on your own workstation**, against the collected copy. You do not run parsers on the subject; that is unnecessary execution on the evidence. → Data Recovery and Digital Forensics
technical and other specialized knowledge
which is precisely what digital forensics is, so you do not escape *Daubert* by calling your work "technical." And *General Electric Co. v. Joiner*, 522 U.S. 136 (1997), held that a court may exclude an opinion when there is too great an **analytical gap** between the data and the conclusion — when → Data Recovery and Digital Forensics
Technical precision
"recovered from sector 15,234,567 of partition 2, NTFS, cluster 3,808,891," not "found it on the drive." 2. **Legal awareness** — every action considers whether it ends up in court: chain of custody, hashing, documentation; "I found this" vs. "I can prove I found this and it's unaltered." 3. **Ethic → _continuity.md — Data Recovery and Digital Forensics (INTERNAL — do not publish)
technological points
the test pads or pins inside the monolith that connect directly to the NAND's data and control lines, bypassing the dead controller. The specialist grinds or x-rays the package to find these points, micro-solders fine wires to them, and reads the raw NAND through an adapter, then performs the same E → Data Recovery and Digital Forensics
Technology changes, principles don't
image first, hash, document, preserve scope — but the legal authority is intensely local. Never assume a U.S. workflow is lawful abroad. → Appendix E — Legal Frameworks Reference
Temporary / exploit root
a vulnerability is used to gain root *for the current boot only*, nothing is written to persistent partitions, and the change evaporates on reboot. This is the *forensically preferable* path because it perturbs the evidence the least. - **Permanent root (e.g., flashing Magisk)** — modifies the `boot → Data Recovery and Digital Forensics
Term
definition (Ch. N).` alphabetical. Bibliography = sectioned (Books / Papers / Documentation / Tools / Online). Each appendix ≥ a few hundred words; the big ones (glossary, answers-to-selected) much longer. - **Instructor `chapter-notes-NN.md`** (~250–400 words): `Objectives.` / `Emphasize.` / `Commo → _style-spec.md — exact file formats (INTERNAL — do not publish)
TestDisk
An open-source tool for *partition recovery* and boot-sector repair (companion to *PhotoRec*); rebuilds or restores lost partition tables to make volumes accessible again (Ch. 6). → Glossary
The Capstone Investigation
puts the whole book to work. In the lab you just built, with the tools you validated and the SOPs you wrote, you will take a case from sealed evidence to a court-ready forensic report — acquiring, recovering, analyzing artifacts, building the timeline, detecting anti-forensics, and writing up findin → Data Recovery and Digital Forensics
The Data Recovery Business
turns from the bench to the business: how recovery shops price jobs and set "no recovery, no fee" expectations, how to handle clients in the worst moment of their digital lives (the wedding-photos client returns), the cleanroom-and-tooling economics, and the ethics and liability of charging money to → Data Recovery and Digital Forensics
The deleted wedding photos
a client's accidentally reformatted drive with 10 years of family photos. Image-first (protect the original) → NTFS MFT still references deleted files → file carving where MFT was overwritten → selective recovery of what matters most. *Recovery as both technical skill and human service.* Introduced → _continuity.md — Data Recovery and Digital Forensics (INTERNAL — do not publish)
The finalized Forensic Case File (M18)
your single strongest artifact. Lead with it. 2. **The forensic report (M15)** — self-grade it against `rubrics.md` (the same rubric a classroom would use) and against the templates in `../appendices/appendix-f-chain-of-custody-and-report-templates.md`. Revise until it scores well. 3. **Your lab not → Syllabus — Self-Paced
the Forensic Case File
and Chapter 1 is where you set it up. The idea is simple and powerful: rather than learning forty disconnected techniques, you conduct *one complete investigation* of a simulated case, adding exactly one analytical skill and one evidence type per chapter, until by [Chapter 38](../../part-6-tools-and → Data Recovery and Digital Forensics
The Forensic Process
turns the recovery instincts you just built into a *defensible* methodology: acquisition with write-blocking, preservation with hashing and chain of custody, systematic analysis, and reporting. It is where the court-bound anchor case (#4) is introduced and where "I found this" becomes "I can prove I → Data Recovery and Digital Forensics
The Forensic Report
takes everything you have lawfully acquired, recovered, and analyzed and turns it into the deliverable that a non-technical judge, jury, attorney, or executive can actually act on: a report that separates fact from opinion, ties each finding to its evidence, states its methods and limits, and surviv → Data Recovery and Digital Forensics
The Forensic Toolkit
steps back from any single technique to survey the instruments themselves: Autopsy and The Sleuth Kit, FTK and EnCase, Cellebrite and the mobile suites, Volatility for memory, Wireshark for the wire — how to choose them, validate them, and combine open-source and commercial tools into a defensible w → Data Recovery and Digital Forensics
The Forensics and Recovery Career
closes the book by building on the credentials and development plan you just drafted: the roles and specializations, the paths from first job to expert and to leadership, the day-to-day reality and the occupational hazards, and the long arc of a working life in finding what's lost and proving what h → Data Recovery and Digital Forensics
the government
*state action*. It does not, by its own force, touch a private citizen, a corporation, or a recovery shop working at the owner's request. - A "search" is judged by *Katz*'s **reasonable expectation of privacy** test; *Riley* (phones), *Carpenter* (CSLI), *Jones* (GPS), and *Kyllo* (thermal) teach th → Data Recovery and Digital Forensics
the inode holds no filename
the name lives only in the directory entry that points to this inode by number. → Appendix G — File System Reference
The installed client
Program Files, an `Uninstall` registry key, prefetch, Amcache; - **Configuration** — `.ovpn`/`.conf` profiles naming the server, embedded or referenced certificates/credentials, and connection **logs** (e.g., under `%ProgramData%\\log\`) that frequently record connect/disconnect times and th → Data Recovery and Digital Forensics
The largest cost is time, and renewal is perpetual
every active cert is a standing subscription paid in CPE hours. The SANS path is most expensive; membership-body and experience/challenge paths give the best value per dollar. - **Funding levers are real:** employer reimbursement (ask in the interview), SANS work-study, scholarships (WiCyS, SANS Div → Data Recovery and Digital Forensics
takes the warrants, consent, compelled-decryption questions, and scope discipline you met repeatedly in this chapter and treats them in full: the Fourth and Fifth Amendments, *Riley* and *Carpenter*, FRCP and eDiscovery, *Daubert* and *Frye*, GDPR, the CLOUD Act, and MLATs — because the most technic → Data Recovery and Digital Forensics
The original is sacred
but in IR that reverence becomes *minimization plus documentation*, a logbook rather than a write-blocker, because you usually cannot take a production host down. And **every action leaves a trace** — the adversary's anti-forensics, like your own tooling, is itself evidence. → Syllabus — Incident Response track
the ransomware recovery
and it is where the cheerful promise of "deleted ≠ destroyed" finally meets its hardest limit: data that was never deleted, only locked, by encryption you cannot break. > > **Learning paths:** This is a four-track chapter. 💾 **Data Recovery** lives here for the recovery-options triage and the brutal → Data Recovery and Digital Forensics
The safe-handling checklist
☐ Download over **HTTPS**; **verify the published hash** before trusting the file. - ☐ Keep the **master copy read-only** (`chmod 444`, or a read-only volume); **work on a copy**. - ☐ **Hash the working copy** and confirm it equals the master before and after analysis. - ☐ **Snapshot** the VM clean → Appendix J — Practice Images and Lab Setup
The Sedona Conference publications
the *Principles* on electronic document production, the *Commentary on Legal Holds*, and the *International Principles on Discovery, Disclosure & Data Protection*. The consensus reference for eDiscovery practice and cross-border data conflicts; widely cited by courts. → Data Recovery and Digital Forensics
the technology never stops changing
new devices, file systems, OS versions, app formats, encryption, and case law appear continually — so a static skill set decays; CPD (and tool re-validation after upgrades) is how an examiner stays both effective and *credible on the stand*. *Full credit:* two real certs + correct signal + the techn → Final Exam — Solutions
The Tor Browser folder and installer
the `Tor Browser` directory itself (often in `Downloads` or on the Desktop), and the downloaded installer `.exe`, with its `:Zone.Identifier` ADS recording the download. - **Execution artifacts** — Prefetch entries for `firefox.exe`/`tor.exe` run *from the Tor Browser path* (the path hash in the `.p → Data Recovery and Digital Forensics
The value of the data
financially and emotionally. A business's only copy of its accounting and customer records can be worth far more than any recovery fee. A teenager's game saves, probably not. 2. **The probability of success** — which the lab's evaluation estimates. A blown PCB is near-certain; a multi-platter helium → Data Recovery and Digital Forensics
three rungs of the hashing ladder
cryptographic, fuzzy, and perceptual — and for each give: the question it answers, one named algorithm, and one forensic job it does. Then answer the discriminating question: a contraband image is shared through a chat app that resizes and re-encodes it, so its SHA-256 no longer matches the catalogu → Data Recovery and Digital Forensics
three-tier storage hierarchy
fast NVMe for system and tools, fast (even striped) scratch you can afford to lose for the working copy, and large, **redundant, encrypted** Tier-3 storage (RAID 6, RAID 10, or self-healing ZFS) for the master images you can never lose. **Write-blockers**, covered for admissibility in Chapter 14, be → Data Recovery and Digital Forensics
Thumbnail / thumbcache
Cached small previews of images. Windows stores them in `thumbcache_*.db`; the resulting previews can persist after the originals are deleted, proving an image once existed. *See also* metadata (Ch. 20; Ch. 16). → Glossary
Timeline analysis
The discipline of reconstructing events by collecting, normalizing, and ordering timestamps from many sources into a *super-timeline*, then reading it as a narrative — the analytical heart of an investigation. *See also* MACB, clock skew (Ch. 21). → Glossary
Timestamp
A recorded point in time stored as a number plus a convention (*epoch* + resolution). Interpreting one requires knowing its format — *FILETIME*, *Unix time*, WebKit, PRTime, DOS — and its time zone. *See also* timeline analysis (Ch. 21). → Glossary
Timestomping
An *anti-forensic* technique of falsifying file timestamps (commonly the *$SI* MACB) to hide when activity occurred. Detectable because the kernel-set *$FILE_NAME* times, *$UsnJrnl*, and sub-second precision usually betray the manipulation — the move that exposes the IP-theft anchor case. *See also* → Glossary
Tool exams need the tool
without EnCase access, EnCE Phase II is unreachable no matter how well you teach the forensics. (2) **Prerequisites are real** — CFCE expects IACIS membership and (usually) BCFE; EnCE expects 64 hours of authorized training *or* 12 months of experience; the course satisfies none of these. (3) **The → Certification Mapping
tough
relearn how to operate | | Tools / Host & Network artifacts | mutex `Global\MSCTF_x7f3a2b`, `WH/1.2` UA, `/gate`, task name | challenging / annoying | | Domains / IPs | `api.cloudmetric-sync.net`, `185.220.101.47` | simple / easy — rotate | | Hash values | `b41c0e9a…` | **trivial** — recompile = new → Data Recovery and Digital Forensics
TPM (Trusted Platform Module)
A hardware chip that securely stores keys and measures boot integrity; *BitLocker* commonly seals its key to the TPM, so the volume auto-unlocks on trusted boot but resists offline attack. *See also* BitLocker (Ch. 29). → Glossary
TPM+PIN
closes this by requiring a human secret before the TPM will unseal, and is the configuration security-conscious organizations mandate. → Data Recovery and Digital Forensics
Trace the forensic process
identification → preservation → analysis → reporting — and map it onto the EDRM and the duties it triggers (Ch. 5). 4. **Draft and administer a defensible litigation hold**, build an ESI data map, and design a **proportionate** preservation and collection plan (Ch. 5, 14, 25). 5. **Apply the FRCP** → Syllabus — eDiscovery for Paralegals and Attorneys
Triage
Rapid, prioritized examination to find the most relevant evidence quickly and decide what to fully acquire — essential when devices are many and time is short. *See also* KAPE, live response (Ch. 15). → Glossary
triage at scale
e.g., clustering or classifying images, surfacing likely-relevant documents in a huge corpus, transcribing audio, or prioritizing files for human review — multiplying the examiner's reach. The limiting principle for **deepfake detection**: a model outputs a *probability*, often from an opaque proces → Final Exam — Solutions
triage container
the evidence base the analytical chapters (16–24) will mine, and that the capstone in [Chapter 38](../../part-6-tools-and-career/chapter-38-the-capstone-investigation/index.md) assembles into the final report. → Data Recovery and Digital Forensics
TRIM
freed blocks are typically discarded/zeroed by the controller within seconds at the FTL level ([Chapter 9](../part-2-data-recovery/chapter-09-ssd-and-flash-recovery/index.md)). So the recovery window for freed content is near-zero; your real sources are **snapshots → Time Machine → iCloud → live acq → Appendix G — File System Reference
trusted toolkit on your own read-only media
statically-linked binaries (no dependency on the subject's possibly-poisoned shared libraries) on a USB stick or optical disc you prepared in advance and verified by hash. On Windows you carry your own copies of the Sysinternals suite and the EZ Tools; on Linux a static `busybox` plus static builds → Data Recovery and Digital Forensics
TSK reads images read-only
it never modifies the evidence, satisfying theme #2 by design. The workflow on a disk image (`.dd`/`.raw`) follows the layers top-down. → Data Recovery and Digital Forensics
twice
what does the `fls`/`mactime` bodyfile spine give you that the `log2timeline`/plaso super-timeline does not, and vice versa? (c) Describe the **anchor → window → expand** triage method, naming the strongest known event you would anchor on in the MHA case. **(answer in Appendix)** → Data Recovery and Digital Forensics
two signatures
released-by and received-by. Every transfer is a two-signature event. Evidence does not move silently. → Data Recovery and Digital Forensics
two-signature event
released-by *and* received-by. Electronic equivalents (see F.5) must be attributable and tamper-evident. - **Contemporaneous, not reconstructed:** fill these in *as the action happens*, not from memory at end of day. "If it isn't documented, it didn't happen." - **Container hash vs. acquisition (bit → Appendix F — Chain of Custody and Report Templates

U

UFS
*See* eMMC / UFS (Ch. 11; Ch. 24). → Glossary
UID
fused into the **Secure Enclave** on the logic board. The flash chip (the NAND) holds only ciphertext and an encrypted keybag; the secret that unlocks the keybag never leaves the SEP and cannot be read or copied: → Data Recovery and Digital Forensics
UID key
a 256-bit AES key fused into the Secure Enclave at manufacture, never readable by software, unique per device — and, for the protected classes, a key **derived from the user's passcode**. Because the passcode must be combined with the hardware UID, and the UID never leaves the chip, passcode guessin → Data Recovery and Digital Forensics
Unallocated space
Clusters the file system currently marks as free — including those holding deleted files not yet overwritten. The primary hunting ground for *file carving* and deleted-data recovery. *See also* "deleted ≠ destroyed", slack space (Ch. 2; Ch. 6). → Glossary
unbreakable
and that is a feature of the math, not a gap in the tool. The realistic paths are the *key* (in a memory image, escrow, TPM, or recovery key), not brute force against the cipher. "The volume is encrypted and the key is unavailable; the data is inaccessible" is a valid, professional finding (*know yo → Appendix C — Tool Reference
Unicode (UTF-8 / UTF-16)
Character-encoding standards covering the world's scripts. **UTF-8** is the web/Linux default (ASCII-compatible); **UTF-16LE** is common in Windows internals (filenames, registry). Recognizing the encoding is essential to reading strings correctly. *See also* ASCII (Ch. 2). → Glossary
Unified Audit Log (UAL)
a tenant-wide record of operations across all the workloads, searchable in the **Microsoft Purview** compliance portal or, far more usefully for an examiner, through Exchange Online PowerShell: → Data Recovery and Digital Forensics
Unified log
Apple's consolidated, high-volume system logging (macOS 10.12+, iOS), stored in a binary `.tracev3` format and queried with `log`; a major macOS timeline source. *See also* FSEvents (Ch. 17). → Glossary
Unified Logging System
a high-volume, binary, structured log shared with iOS. This is simultaneously a goldmine and a headache. → Data Recovery and Digital Forensics
Unix time (POSIX time / epoch time)
A timestamp counting seconds since 1970-01-01 00:00:00 UTC, used by Linux file systems, syslog, and many apps (often extended to nanoseconds). The other epoch you will convert constantly. *See also* FILETIME (Ch. 21). → Glossary
unspent transaction outputs
UTXOs — and your "balance" is simply the sum of all UTXOs your keys can spend. This model shapes every tracing heuristic in the chapter, so internalize it before you trace. → Data Recovery and Digital Forensics
Usage notes.
The four epochs you will meet — and the one mistake that loses cases — are summarized below. Misreading an epoch is the single most common technical error in artifact dating and the easiest for opposing counsel to expose, so state the epoch for every timestamp in your notes. → Appendix B — Python Forensics Toolkit
USBSTOR
a specific SanDisk device (with serial) was connected to *this machine* during the 18:14–18:55 window on 2026-05-02. (A real reported serial — not a Windows-generated `&`-style ID — so it can anchor cross-machine identity.) 2. **MountedDevices + MountPoints2** — that device's volume was mounted **un → Final Exam — Solutions
USBSTOR / USB device history
Registry keys (`SYSTEM\CurrentControlSet\Enum\USBSTOR` and related) recording USB storage devices ever connected — vendor/model, serial, and first/last connection times. Pivotal in IP-theft and exfiltration cases. *See also* registry (Ch. 16). → Glossary
User attribution
generally outside what the digital evidence alone can establish, and a question for the jury - C) Established automatically by a matching hash - D) The examiner's duty to assert with confidence → Data Recovery and Digital Forensics
UserAssist
`NTUSER.DAT` keys logging GUI program launches per user with run counts and last-run times, obfuscated with ROT13. Evidence that a user (interactively) ran a program. *See also* Prefetch (Ch. 16). → Glossary
UTXO (Unspent Transaction Output)
In Bitcoin-style chains, an amount received but not yet spent; the accounting model that *blockchain analysis* follows to trace funds across addresses. *See also* blockchain (Ch. 33). → Glossary

V

Validation (tool validation)
Formally testing that a forensic tool produces correct, reproducible results for its intended use, documented so findings withstand *Daubert*. Supported by *NIST CFTT* and *SWGDE*. *See also* dual-tool verification (Ch. 37; Ch. 36). → Glossary
vault
a JSON blob `{"data":…,"iv":…,"salt":…}` (AES-GCM, key derived via PBKDF2-SHA-256) — inside its LevelDB store under the well-known extension ID `nkbihfbeogaeaoehlefnkodbefgpgknn`. Extract the vault from the `.ldb`/`.log` files and you have a self-contained target for lawful password recovery; the se → Data Recovery and Digital Forensics
vehicle
and then drops to the hardware level, where you extract and analyze the **firmware** that runs all of it. → Data Recovery and Digital Forensics
Vendor free tiers
AccessData/Exterro's historically free ACE training, Autopsy's free training ([Chapter 36](../chapter-36-the-forensic-toolkit/index.md)), and Cellebrite's and Magnet's free webinars — let you build skill and even credentials at little cost. And the **challenge path** — sitting an exam on experience → Data Recovery and Digital Forensics
VeraCrypt
the open-source successor to the discontinued TrueCrypt — is the one designed specifically to frustrate examiners, and it is the most important of the four to understand for exactly that reason. It encrypts containers (files), partitions, or whole system drives, with AES, Serpent, Twofish, or *casca → Data Recovery and Digital Forensics
VeraCrypt / TrueCrypt
Open-source on-the-fly encryption creating encrypted volumes and supporting deniable *hidden volumes*. VeraCrypt is the maintained successor to the discontinued TrueCrypt. *See also* full-disk encryption, hidden volume (Ch. 29). → Glossary
Verification hash
The *hash* recomputed and matched after acquisition to prove the *forensic image* equals the source; the proof step of *forensic soundness*. *See also* hash verification (Ch. 14; Ch. 5). → Glossary
verified
they match. The original drive returns to the laptop or to an anti-static, tamper-evident bag; the bag is sealed, signed, dated, and placed in the evidence locker; and the chain-of-custody form records intake, the acquisition, and the hashes. The original will not be touched again absent a court ord → Data Recovery and Digital Forensics
verify current pricing
these change yearly, and the act of verifying is itself professional diligence. → Data Recovery and Digital Forensics
verify the current number yourself
the act of verifying is itself the professional habit these exercises are training. → Data Recovery and Digital Forensics
Video is harder than photos on every axis
proprietary surveillance formats may resist parsing entirely, container timestamps may be unreliable, and synthetic media increasingly defeats naive authenticity checks ([Chapter 35](../../part-5-advanced-topics/chapter-35-ai-assisted-forensics-and-deepfakes/index.md)). And the hardest limit of all, → Data Recovery and Digital Forensics
VM memory file captured while the guest is paused
the hypervisor freezes the entire guest at one instant, so it is a true point-in-time image (the hibernation file is the closest *native* equivalent, but it reflects the suspend moment, not "now"). → Answers to Selected Exercises
voice-clone fraud
the "CEO call" in which a finance employee receives an urgent voicemail or live call, in a perfectly familiar executive voice, authorizing a wire transfer. For the 🛡️ incident responder, the artifacts above plus the *out-of-band* facts (the call's origin, the absence of corroborating email, the impo → Data Recovery and Digital Forensics
voir dire
The questioning by which a court (and opposing counsel) tests an expert's qualifications before opinion testimony is allowed; the gateway to being accepted as an *expert witness*. *See also* Daubert (Ch. 27). → Glossary
voir dire of the expert
turned up a "CISSP" he had let lapse three years earlier and still listed as current, and a claim of having "testified as an expert over fifty times" that he could substantiate for only about a dozen matters; the rest were depositions that never reached testimony, or cases that settled. Neither exag → Data Recovery and Digital Forensics
Volatile data
Evidence that exists only while a system is powered (RAM contents, running processes, open connections, encryption keys in memory) and is lost on shutdown — hence captured first per the *order of volatility*. *See also* live response (Ch. 15; Ch. 22). → Glossary
Volatility
The leading open-source *memory forensics* framework, with plugins to list processes (`pslist`/`psscan`), connections, loaded modules, and injected code (`malfind`); v2 uses profiles, v3 uses symbol tables. *See also* memory dump (Ch. 22). → Glossary
Volume
A single accessible storage area presented to the OS, usually one *file system* on one *partition* (though LVM/RAID can span disks). *See also* partition (Ch. 4). → Glossary
Volume Boot Record (VBR)
The first sector of a *partition*, holding file-system parameters (BPB) and boot code — distinct from the disk-level *MBR*. *See also* boot sector (Ch. 4). → Glossary
Volume Shadow Copy (VSS)
Windows's snapshot service creating point-in-time copies of volumes; shadow copies can yield earlier versions of files (and deleted files) — a prime recovery source, which is exactly why ransomware tries to delete them. *See also* ransomware (Ch. 16; Ch. 12). → Glossary
Voluntary
judged by the totality of the circumstances; no coercion. *Schneckloth v. Bustamonte*, 412 U.S. 218 (1973). Officers need not warn that consent can be refused, but a knowing/voluntary record is far stronger. - **Scope** — limited to what a reasonable person would understand was authorized. "You can → Appendix E — Legal Frameworks Reference

W

Wallet
Software or hardware that stores the *private keys*/*seed phrase* controlling cryptocurrency; "recovering the wallet" means recovering the keys, not coins on a disk. Wallet files and seed backups are key evidence. *See also* blockchain (Ch. 33). → Glossary
wallet artifacts on a seized device
a Monero wallet's keys and history on a suspect's laptop reveal everything the chain conceals. The on-chain trail may be dark, but people are not airtight. → Data Recovery and Digital Forensics
Warrant
limited by particularity/Attachment B scope (and the second-warrant rule for out-of-scope finds). (2) **Consent** — must be voluntary, is bounded by the *scope* given, can be *withdrawn*, and requires actual or apparent *authority* over the thing searched. (3) **Corporate authority** — over a compan → Data Recovery and Digital Forensics
Warrant (search warrant)
A judicially authorized order, based on probable cause and particular as to place and items, permitting a search/seizure; the default lawful basis for examining a device absent *consent* or an exception. *See also* Fourth Amendment, scope (Ch. 25). → Glossary
Wear leveling
The SSD/flash controller strategy of distributing writes evenly across NAND so no *block* wears out prematurely. A side effect is that logical data moves physically, scattering remnants and frustrating predictable recovery. *See also* FTL (Ch. 3; Ch. 9). → Glossary
WebKit time
The Chrome/Chromium/Safari timestamp: microseconds since 1601-01-01 UTC (a FILETIME-like epoch at microsecond resolution), seen in browser history databases. Contrast Firefox **PRTime** (microseconds since 1970). *See also* timestamp (Ch. 18; Ch. 21). → Glossary
What state is the device in
boots? screen works? water/physical damage? 4. **Is it locked and encrypted?** On modern hardware these are the same question, and the answer is almost always "yes." 5. **What device, exactly, and how old?** A 2012 unencrypted handset and a 2024 flagship are different planets. → Data Recovery and Digital Forensics
what the acquisition changed on the device
and explain in one sentence why omitting it is the cross-examination trap that turns a sound extraction into a contested one. → Data Recovery and Digital Forensics
WhatsApp
`msgstore.db` (unencrypted, needs root/FFS); crypt12/14 backups decrypt with the `files/key`; **crypt15** is E2E with the user's key — no key, no recovery. - **Signal** — SQLCipher with a hardware-backed key: generally **unrecoverable** without the unlocked device. "Encrypted, not recoverable" is th → Data Recovery and Digital Forensics
whether or not the host is doing anything
which is why an SSD can keep changing internally after you stop writing to it. - **Over-provisioning.** Drives reserve spare capacity (the ~7% gap between GiB and GB, plus often more) invisible to the host, giving GC and wear leveling room to work and replacing worn-out blocks. - **Write amplificati → Data Recovery and Digital Forensics
Who physically sat at the keyboard
this is *user attribution*; the evidence establishes *source attribution* (device + account + times) only. (Ch. 27.) - **The person's intent or guilt** — intent is an inference reserved for the trier of fact (FRE 704(b)); the examiner reports artifacts, not mental states. (Ch. 27, 28.) - **That the → Final Exam — Solutions
who you notified and when
and it must contain **nothing of the content**. Then explain, tying to the theme *every action leaves a trace*, why this clean, content-free record of "how I found it, stopped, secured it, and escalated" is precisely what later demonstrates you handled the worst-case discovery correctly. → Data Recovery and Digital Forensics
Windows
registry MRU/`ShellBags` (folders browsed), Prefetch/UserAssist (program *execution*), `$Recycle.Bin` `$I` records, LNK/Jump Lists; **macOS** — unified logs, `FSEvents`, `KnowledgeC.db`/`.plist` preference and app-usage data, Spotlight metadata; **Linux** — `~/.bash_history`, `journald`/`/var/log` s → Final Exam — Solutions
Windows Forensics
takes the registry hives, event logs, Prefetch, Amcache, LNK files, and `$Recycle.Bin` you just *collected* with KAPE and teaches you to *read* them: the artifacts that reconstruct what a user did, when, and with which devices — and that quietly expose the employee who thought they covered their tra → Data Recovery and Digital Forensics
Wiping
*See* secure deletion (Ch. 30). → Glossary
Wireshark
The leading graphical network-protocol analyzer for inspecting *PCAP* captures — dissecting protocols, following streams, and extracting transferred files. Pairs with the CLI `tcpdump`. *See also* deep packet inspection (Ch. 23). → Glossary
without a write-blocker
and compute a hash of **the image only** (never of the source). Overnight, the laptop sits on a shared bench in an unlocked room. The custody log shows the intake entry and the imaging entry, with **nothing in between**. → Midterm Exam
Word / DWORD / QWORD
Multi-byte groupings whose width depends on architecture/context: in the Windows world a **WORD** is 16 bits, a **DWORD** 32 bits (as in the registry's `REG_DWORD`), and a **QWORD** 64 bits. *See also* byte, endianness (Ch. 2). → Glossary
Working copy
The verified duplicate of a *forensic image* that you actually analyze, so the master image (and the original) stay untouched. *See also* forensic image (Ch. 5). → Glossary
Write blocker
A hardware device or trusted software that permits reads from evidence media but blocks all writes, guaranteeing the source is not altered during *acquisition*. The physical embodiment of "the original is sacred." *See also* forensic soundness (Ch. 5; Ch. 14). → Glossary
write-ahead log
the `-wal` side file — holds recent transactions not yet checkpointed into the main database, frequently containing *older versions* of records, including pre-deletion content. This is precisely why a *file-system* extraction (which captures the `.db` **and** its `-wal` and `-journal`) recovers dele → Data Recovery and Digital Forensics
writes to a disk the instant it sees it
mounting, journal replay, timestamp updates, indexing. Every write changes the hash and breaks your ability to prove the evidence is unaltered. That is why write-blocking is non-negotiable. → Data Recovery and Digital Forensics

X

X-Originating-IP
A non-standard email header sometimes added by webmail/clients recording the sender's apparent IP address; corroborate against the *Received* chain rather than trusting it alone. *See also* email header (Ch. 19). → Glossary
X-Ways Forensics
A commercial, highly efficient disk-forensics suite favored for its speed and low-level control; a common alternative to *EnCase*/*FTK*. *See also* forensic toolkit (Ch. 36). → Glossary
xxd
A Unix command-line *hex dump* utility (offset / hex bytes / ASCII columns); the quickest way to inspect raw bytes and confirm a *file signature*. *See also* hexadecimal (Ch. 2; Ch. 36). → Glossary

Y

YARA
A pattern-matching engine and rule language for identifying and classifying files (especially malware) by textual and binary signatures; the standard way to encode and share *IOCs*. *See also* malware forensics (Ch. 32). → Glossary
You find evidence of a crime outside your scope
and *immediately and without exception* if you encounter apparent **CSAM**, in any matter, including a routine recovery. Stop, preserve, minimize exposure, escalate. - **Consent is withdrawn,** or the person who gave it turns out to lack authority. - **You encounter apparent privileged material** (a → Data Recovery and Digital Forensics

Z

Zeroes the file's cluster chain in the FAT
every FAT slot the file used is set back to `0` (free). → Data Recovery and Digital Forensics
Zone.Identifier
*See* Mark-of-the-Web (Ch. 16; Ch. 30). → Glossary