Learn more about Electronic Evidence Retrieval and the services we offer.
What is Computer Forensics and how can it help you?
Contact EER for more information.
Read articles related to the world of Computer Forensics.
Broaden your knowledge base with Web links to related topics.
Get answers to commonly asked questions.

 

Computer Forensics Terminology

 


 
  logical file space - The actual amount of space occupied by a file on a hard drive. The amount of logical file space differs from the physical file space because when a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, or previously deleted/overwritten files or fragments thereof.
 
  logical volume - An area on the hard drive that has been formatted so that files can be stored there. A hard drive may contain a single volume or multiple volumes. Each volume appears as if it is a single hard drive. In Windows®, the first volume is referred to as “C:”, while subsequent letters, such as “D:”, “E:”, etc., may refer to additional volumes or may identify devices such as a CD-ROM drive.
 
  master boot record - The very first sector on a hard drive. It contains the code necessary for the computer to start up. It also contains the partition table, which describes how the hard drive is organized. Also called the Boot Sector.
  media - In the context of this site, media refers to various types of devices used for data storage, such as hard drives, floppy disks, CD-ROM disks, etc.  
  meta data - Refers to small bits of information stored by some computer programs such as Microsoft Word®. Meta data can contain the history of the document, including all users who have modified and/or saved it, the directory structure of all machines it was saved on, and names of printers it was printed on.  
  NTFS - Stands for New Technology File System. This is a newer type of computer file system that was developed for use by Windows NT®, Windows 2000®, and Windows XP®.  
  page or paging file - A file used to temporarily store code and data for programs that are currently running. This information is left in the swap file after the programs are terminated, and may be retrieved using forensic techniques. Also referred to as a swap file.  
  partial file - When a user deletes information from a computer, the data is not actually erased. Instead, the space the data occupied is marked as available for reuse. If new data is stored in that location, but does not occupy as much storage space as the old data, the result is a partial file, which still contains bits of the old data. This old data can be examined through the use of forensic techniques.  
  partition - An individual section of computer storage media such as a hard drive. For example, a single hard drive may be divided into several partitions. When a hard drive is divided into partitions, each partition is designated by a separate drive letter, i.e., C, D, etc.
  partition table - The partition table indicates each logical volume contained on a disk and its location.
 
  partition waste space - After the boot sector of each volume or partition is written to a track, it is customary for the system to skip the rest of that track and begin the actual useable area of the volume on the next track. This results in unused or “wasted” space on that track where information can be hidden. This “wasted space” can only be viewed with a low level disk viewer. However, forensic techniques can be used to search these “wasted space” areas for hidden information.
 
  physical disk - An actual piece of computer media, such as the hard disk or drive, floppy disks, CD-ROM disks, Zip disks, etc.  
  physical file space - When a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, previously deleted/overwritten files or fragments thereof.
 
  platter - One of several components that make up a computer hard drive. Platters are thin, rapidly rotating disks that have a set of read/write heads on both sides of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sections called sectors, and each sector is sub-divided into bytes.  
  RAM - Stands for Random Access Memory -- the area on the computer where the operating system (i.e. Windows®), programs and drivers are loaded when the computer is started up. The content of a computer’s RAM is lost each time the computer is turned off.  
 
