Dictionary · NIST SP 800-72

L2 — definitions grouped by regulatory framework.

22 senses under NIST SP 800-72

Nouns

22 senses

Analysis

The examination of acquired data for its significance and probative value to the case.

authentication mechanism

Hardware- or software-based mechanisms that force users to prove their identity before accessing data on a device.

Brute Force Password Attack

A method of accessing an obstructed device through attempting multiple combinations of numeric and/or alphanumeric passwords.

Buffer Overflow Attack

A method of overloading a predefined amount of space in a buffer, which can potentially overwrite and corrupt data in memory.

Chain of custody

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

Cyclical Redundancy Check

A method to ensure data has not been altered after being sent through a communication channel.

Deleted File

A file that has been logically, but not necessarily physically, erased from the operating system, perhaps to eliminate potentially incriminating evidence. Deleting files does not always necessarily eliminate the possibility of recovering all or part of the original data.

Digital Evidence

Electronic information stored or transferred in digital form.

Duplicate Digital Evidence

A duplicate is an accurate digital reproduction of all data objects contained on the original physical item and associated media.

Electronic Evidence

Information and data of investigative value that is stored on or transmitted by an electronic device.

Exculpatory Evidence

Evidence that tends to decrease the likelihood of fault or guilt.

Examination

A technical review that makes the evidence visible and suitable for analysis; tests performed on the evidence to determine the presence or absence of specific data.

Forensic Specialist

A professional who locates, identifies, collects, analyzes, and examines data while preserving the integrity and maintaining a strict chain of custody of information discovered.

Forensic Copy

An accurate bit-for-bit reproduction of the information contained on an electronic device or associated media, whose validity and integrity has been verified using an accepted algorithm.

File Name Anomaly

1. A mismatch between the internal file header and its external extension; or 2. A file name inconsistent with the content of the file (e.g., renaming a graphics file with a non-graphical extension).

Hashing

The process of using a mathematical algorithm against data to produce a numeric value that is representative of that data.

Image

An exact bit-stream copy of all electronic data on a device, performed in a manner that ensures that the information is not altered.

Inculpatory Evidence

Evidence that tends to increase the likelihood of fault or guilt.

Misnamed Files

A technique used to disguise a file’s content by changing the file’s name to something innocuous or altering its extension to a different type of file, forcing the examiner to identify the files by file signature versus file extension.

Password Protected

The ability to protect a file using a password access control, protecting the data contents from being viewed with the appropriate viewer unless the proper password is entered.

Steganography

The art and science of communicating in a way that hides the existence of the communication. For example, a child pornography image can be hidden inside another graphic image file, audio file, or other file format.

Write blocker

A device that allows investigators to examine media while preventing data writes from occurring on the subject media.