Glossary of Terms
This glossary provides definitions for common terms encountered in the field of Digital Forensics and Incident Response (DFIR). Understanding this terminology is crucial for both aspiring professionals and those seeking to comprehend the intricacies of digital investigations.
- Acquisition (Forensic Acquisition)
- The process of creating a duplicate (forensic image) of digital media, such as a hard drive or RAM, for examination. This is done in a way that ensures the original evidence is not altered.
- Anti-Forensics
- Techniques used to obstruct or mislead forensic investigations by destroying, hiding, or altering evidence, or by making its analysis more difficult.
- Artifact (Digital Artifact)
- A piece of data or information created or modified on a digital device as a result of user activity or system processes. Artifacts can include files, logs, registry entries, metadata, etc.
- Chain of Custody
- A chronological documented record of the sequence of control, transfer, analysis, and disposition of physical or electronic evidence. It is vital for maintaining the admissibility of evidence in legal proceedings.
- Data Carving
- A forensic technique for recovering files from unallocated space or slack space on a storage medium by searching for known file headers and footers, regardless of file system metadata.
- Encryption
- The process of converting data into a coded form to prevent unauthorized access. Decryption requires a key to revert the data to its original form. For more on data protection, see resources on Homomorphic Encryption.
- Forensic Image
- A bit-for-bit, sector-by-sector copy of a source storage medium, including all allocated and unallocated space, and slack space. Hashing is used to verify its integrity.
- Hashing (Cryptographic Hashing)
- A process that generates a fixed-size string of characters (a hash value or message digest) from an input data set. It is used to verify data integrity; if the data changes, the hash value will also change. Common algorithms include MD5 and SHA-256.
- Incident Response (IR)
- An organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
- Live Forensics
- The acquisition and analysis of data from a running computer system (volatile data like RAM contents, running processes) rather than from a powered-down system.
- Malware (Malicious Software)
- Software designed to disrupt, damage, or gain unauthorized access to a computer system. Examples include viruses, worms, trojan horses, ransomware, and spyware.
- Metadata
- Data that provides information about other data. For example, file metadata can include creation date, modification date, author, file size, etc.
- SIEM (Security Information and Event Management)
- Technology that supports threat detection, compliance and security incident management through the collection and analysis (both near real-time and historical) of security events from a wide variety of event and contextual data sources. Its effective use often involves Data Visualization Techniques.
- Slack Space
- The unused space in a disk cluster between the end of a file and the end of the cluster. It can contain remnants of previously stored information.
- Steganography
- The practice of concealing a file, message, image, or video within another file, message, image, or video. It is a form of covert communication and can be used to hide malicious payloads or exfiltrate data.
- Volatile Data
- Data that is lost when a computer system is powered down, such as the contents of RAM, running processes, network connections, and temporary system files.
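As an added illustration of the Data Carving, Forensic Image and Hashing entries above (example code written for this glossary, not taken from any tool or project), the following scans a constructed byte buffer standing in for unallocated space, recovers embedded JPEG and PNG files purely from their well-known header and footer signatures, and shows that the buffer's hash is unchanged by the examination. The function and variable names and the sample buffer are assumptions made for the example.

```python
import hashlib

# Well-known magic bytes used as carving signatures (header, footer).
# JPEG: starts FF D8 FF, ends FF D9. PNG: 8-byte signature, ends with IEND chunk + its CRC.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(image: bytes, signatures=SIGNATURES, max_size=10_000_000):
    """Header/footer carving over raw bytes, ignoring any file system metadata.

    Returns a list of (file_type, start_offset, data) sorted by offset.
    Caveat: fragmented files are not reassembled, and random data can
    produce false positives, so carved output always needs validation.
    """
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start == -1:
                break
            # Bound the footer search so a missing footer cannot swallow the whole image.
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # header without footer: skip it and keep scanning
                continue
            end += len(footer)
            found.append((ftype, start, image[start:end]))
            pos = end
    found.sort(key=lambda item: item[1])
    return found


def sha256_hex(data: bytes) -> str:
    """Integrity hash of an image; recomputed after analysis to prove it was not altered."""
    return hashlib.sha256(data).hexdigest()


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: filler with two embedded files."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"png-body" + b"IEND\xaeB`\x82"
    filler = b"\x00" * 32
    return filler + jpg + filler + b"random text" + png + filler


if __name__ == "__main__":
    image = build_sample_image()
    before = sha256_hex(image)
    for ftype, offset, data in carve(image):
        print(f"{ftype} at offset {offset}, {len(data)} bytes, sha256={sha256_hex(data)}")
    print("image unchanged:", sha256_hex(image) == before)
```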
Expanding Your Knowledge: This glossary is not exhaustive but provides a solid foundation. The field of DFIR is rich with specialized terminology, and continuous learning is essential for staying current.