BIOS – BIOS stands for Basic Input Output System, which is information written in computer code and stored in the ROM so that it is available when the computer is turned on. BIOS information tells the computer how to read information contained on the computer’s various drives, and includes the boot strap loader, which is the first code executed when the computer is turned on.
bit – This is an abbreviation for binary digit and is the smallest unit of computer data. A bit consists of either 0 or 1. Eight bits make up a byte.
boot sector – The very first sector on a hard drive. It contains the codes necessary for the computer to start up. It also contains the partition table, which describes how the hard drive is organized. Also called the Master Boot Record.
boot strap loader – The first code executed when the computer is turned on.
byte – This is an abbreviation for binary term. A byte is a measurement unit of computer data that consists of a single character. A single byte usually consists of 8 bits.
clusters – Clusters are groups of sectors where folders and files are stored on the hard drive.
cluster bitmaps – Used in NTFS to keep track of the status (free or used) of clusters on the hard drive.
cylinder – The set of tracks on both sides of each platter in the hard drive that are located at the same head position. A cylinder can be visualized as a cross section taken across all the platters of a hard drive at the same head position.
drive geometry – A computer hard drive is made up of a number of rapidly rotating platters that have a set of read/write heads on both sides of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sections called sectors, and each sector is sub-divided into bytes. Drive geometry refers to the number and positions of each of these structures.
disk partition – A hard drive containing a set of consecutive cylinders. Before files can stored on a disk partition it must be formatted to create a logical volume.
driver – A driver is a computer program that controls various devices such as the keyboard, mouse, monitor, etc.
extended partitions – If a computer hard drive has been divided into more than four partitions, extended partitions are created. Under such circumstances each extended partition contains a partition table in the first sector that describes how it is further subdivided.
FAT – This stands for File Allocation Table. It is used in Windows® to keep track of where the files are stored on a hard drive, which is formatted as a FAT volume or file system.
file slack – The unused space on a cluster that exists when the logical file space is less than the physical file space.
file system – A disk partition organized so that files can be stored on it. In Windows®, a disk partition with a file system on it is called a volume. The most common types of file systems used by Windows® are FAT and NTFS.
fragmented – In the course of normal computer operations when files are saved, deleted, moved, etc. the files or parts thereof may be scattered in various locations on the computer’s hard drive or other storage medium. In regard to computer forensics, fragmented data can frequently yeild important evidence. Computer forensics techniques allow technicians to locate and examine fragmented files.
head – Each platter on a hard drive contains a head for each side of the platter. The heads are devices which ride very closely to the surface of the platter and allow information to be read from and written to the platter. The heads are physically attached to an arm, which is in turn attached to the head stack assembly. Usually all heads move together and are positioned together on the same track.
inter-partition space – Unused sectors on a track located between the start of the partition and the partition boot record. This space is important because it is possible for a user to hide information here.
logical file space – The actual amount of space occupied by a file on a hard drive. The amount of logical file space differs from the physical file space because when a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, or previously deleted/overwritten files or fragments thereof.
logical volume – An area on the hard drive that has been formatted so that files can be stored there. A hard drive may contain a single or multiple volumes. Each volume appears as if it is a single hard drive. In Windows®, the first volume is referred to as “C:”, while subsequent letters, such as “D:”, “E:”, etc., may refer to additional volumes or may identify devices such as a CD/ROM drive.
master boot record – The very first sector on a hard drive. It contains the codes necessary for the computer to start up. It also contains the partition table, which describes how the hard drive is organized. Also called the Boot Sector.
media – In the context of this site, media refers to various types of devices used for data storage, such as hard drives, floppy disks, CD-ROM disks, etc.
meta data – Refers to small bits of information stored by some computer programs such as Microsoft Word®. Meta data can contain the history of the document, including all users who have modified and/or saved it, the directory structure of all machines it was saved on, and names of printers it was printed on.
NTFS – Stands for New Technology File System. This is a newer type of computer file system that was developed for use by Windows NT®, Windows 2000®, and Windows XP®.
page or paging file – A file used to temporarily store code and data for programs that are currently running. This information is left in the swap file after the programs are terminated, and may be retrieved using forensic techniques. Also referred to as a swap file.
partial file – When a user deletes information from a computer, the data is not actually erased. Instead, the space the data occupied is marked as available for reuse. If new data is stored in that location, but does not occupy as much storage space as the old data, the result is a partial file, which still contains bits of the old data. This old data can be examined through the use of forensic techniques.
partition – A partition is an individual section of computer storage media such as a hard drive. For example a single hard drive may be divided into several partitions. When a hard drive is divided into partitions, each partition is designated by a separate drive letter, i.e., C, D, etc.
partition table – The partition table indicates each logical volume contained on a disk and its location.
partition waste space – After the boot sector of each volume or partition is written to a track, it is customary for the system to skip the rest of that track and begin the actual useable area of the volume on the next track. This results in unused or “wasted” space on that track where information can be hidden. This “wasted space” can only be viewed with a low level disk viewer. However, forensic techniques can be used to search these “wasted space” areas for hidden information.
physical disk – An actual piece of computer media, such as the hard disk or drive, floppy disks, CD-ROM disks, Zip disks, etc.
physical file space – When a file is created on a computer, a sufficient number of clusters (physical file space) are assigned to contain the file. If the file (logical file space) is not large enough to completely fill the assigned clusters (physical file space) then some unused space will exist within the physical file space. This unused space is referred to as file slack and can contain unused space, previously deleted/overwritten files or fragments thereof.
platter – One of several components that make up a computer hard drive. Platters are thin, rapidly rotating disks that have a set of read/write heads on both sides of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sections called sectors, and each sector is sub-divided into bytes.
RAM – Stands for Random Access Memory — the area on the computer where the operating system (i.e. Windows®), programs and drivers are loaded when the computer is started up. The content of a computer’s RAM is lost each time the computer is turned off.
ROM – Stands for Read Only Memory; this is a chip within the computer where a permanent program is stored that contains the necessary information for starting up the computer. Information in the computer’s ROM is permanently maintained even when the computer is turned off.
sector – A group of bytes on any given track of a hard drive’s platters and the smallest area of information that can be accessed on the drive. Sectors are numbered sequentially starting with 1 on each individual track. Thus, Track 0, Sector 1 and Track 5, Sector 1 refer to different sectors on the same hard drive. Usually, drives have sectors that contain 512 bytes each.
slack space – The unused space on a cluster that exists when the logical file space is less than the physical file space. Also known as file slack.
swap file – A file used to temporarily store code and data for programs that are currently running. This information is left in the swap file after the programs are terminated, and may be retrieved using forensic techniques. Also referred to as a page file or paging file.
temporary file – Temporary files are files stored on a computer for temporary use only, and are most commonly created by Internet browsers. These “temp” files store information about Web sites that a user has visited, and allow for more rapid display of the Web page when the user revisits the site. Forensic techniques can be used to track the history of a computer’s Internet usage through the examination of these temporary files.
track – Each of the series of concentric rings contained on a hard drive platter.
unallocated space – The area of computer media, such as a hard drive, that does not contain normally accessible data. Unallocated space is usually the result of a file being deleted. When a file is deleted, it is not actually erased, but is simply no longer accessible through normal means. The space that it occupied becomes unallocated space, i.e., space on the drive that can be reused to store new information. Until portions of the unallocated space are used for new data storage, in most instances, the old data remains and can be retrieved using forensic techniques.
volume – A volume is a specific amount of storage space on computer storage media such as hard drives, floppy disks, CD-ROM disks, etc. In some instances, computer media may contain more than one volume, while in other cases, one volume may be contained on more than one disk.
volume boot sector – When a partition is formatted to create a volume, a volume boot sector is created to store information about the volume. One volume contains the operating system and its volume boot sector contains code used to load the operating system when the computer is booted up.