Learn more about Electronic Evidence Retrieval and the services we offer.
What is Computer Forensics and how can it help you?
Contact EER for more information.
Read articles related to the world of Computer Forensics.
Broaden your knowledge base with Web links to related topics.
Get answers to commonly asked questions.

 

Computer Forensics Terminology
 


 
  ROM - Stands for Read Only Memory; this is a chip within the computer where a permanent program is stored that contains the necessary information for starting up the computer. Information in the computer’s ROM is permanently maintained even when the computer is turned off.  
  sector - A group of bytes on any given track of a hard drive’s platters and the smallest area of information that can be accessed on the drive. Sectors are numbered sequentially starting with 1 on each individual track. Thus, Track 0, Sector 1 and Track 5, Sector 1 refer to different sectors on the same hard drive. Usually, drives have sectors that contain 512 bytes each.  
  slack space - The unused space on a cluster that exists when the logical file space is less than the physical file space. Also known as file slack.  
  swap file - A file used to temporarily store code and data for programs that are currently running. This information is left in the swap file after the programs are terminated, and may be retrieved using forensic techniques. Also referred to as a page file or paging file.  
  temporary file - Temporary files are files stored on a computer for temporary use only, and are most commonly created by Internet browsers. These "temp" files store information about Web sites that a user has visited, and allow for more rapid display of the Web page when the user revisits the site. Forensic techniques can be used to track the history of a computer's Internet useage through the examination of these temporary files.  
  track - Each of the series of concentric rings contained on a hard drive platter.  
  unallocated space - The area of computer media, such as a hard drive, that does not contain normally accessible data. Unallocated space is usually the result of a file being deleted. When a file is deleted, it is not actually erased, but is simply no longer accessible through normal means. The space that it occupied becomes unallocated space, i.e., space on the drive that can be reused to store new information. Until portions of the unallocated space are used for new data storage, in most instances, the old data remains and can be retrieved using forensic techniques.  
  volume - A volume is a specific amount of storage space on computer storage media such as hard drives, floppy disks, CD-ROM disks, etc. In some instances, computer media may contain more than one volume, while in other cases, one volume may be contained on more than one disk.  
  volume boot sector - When a partition is formatted to create a volume, a volume boot sector is created to store information about the volume. One volume contains the operating system and its volume boot sector contains code used to load the operating system when the computer is booted up.  
 

Return to Index
  

Back to Page 2
  

Return to EER Home Page
Learn more about Electronic Evidence Retrieval and the services we offer.
What is Computer Forensics and how can it help you?
Contact EER for more information.
Read articles related to the world of Computer Forensics.
Broaden your knowledge base with Web links to related topics.
Get answers to commonly asked questions.