Learn more about Electronic Evidence Retrieval and the services we offer.
What is Computer Forensics and how can it help you?
Contact EER for more information.
Read articles related to the world of Computer Forensics.
Broaden your knowledge base with Web links to related topics.
Get answers to commonly asked questions.

 
Electronic Evidence Retrieval - COmputer Forensics - Data Recovery - Expert Witness Testimony

Computer Forensics Terminology

Computer Forensics - Data Recovery - Expert Witness Testimony
 
Computers and computer forensics are highly specialized fields that utilize many special terms. We have prepared this glossary to assist you in further understanding these terms. Throughout articles and other information on this site you will find these terms underlined and hyperlinked. Clicking on any underlined term will open a new window containing an explanation of the term. The main glossary below is arranged alphabetically for your convenience.

 
  BIOS - BIOS stands for Basic Input Output System, which is information written in computer code and stored in the ROM so that it is available when the computer is turned on. BIOS information tells the computer how to read information contained on the computer’s various drives, and includes the boot strap loader, which is the first code executed when the computer is turned on.
 
  bit - This is an abbreviation for binary digit and is the smallest unit of computer data. A bit consists of either 0 or 1. Eight bits make up a byte.  
  boot sector - The very first sector on a hard drive. It contains the codes necessary for the computer to start up. It also contains the partition table, which describes how the hard drive is organized. Also called the Master Boot Record.
 
  boot strap loader - The first code executed when the computer is turned on.  
  byte - This is an abbreviation for binary term. A byte is a measurement unit of computer data that consists of a single character. A single byte usually consists of 8 bits.  
  clusters - Clusters are groups of sectors where folders and files are stored on the hard drive.  
  cluster bitmaps - Used in NTFS to keep track of the status (free or used) of clusters on the hard drive.
 
  cylinder - The set of tracks on both sides of each platter in the hard drive that are located at the same head position. A cylinder can be visualized as a cross section taken across all the platters of a hard drive at the same head position.
 
  drive geometry - A computer hard drive is made up of a number of rapidly rotating platters that have a set of read/write heads on both sides of each platter. Each platter is divided into a series of concentric rings called tracks. Each track is further divided into sections called sectors, and each sector is sub-divided into bytes. Drive geometry refers to the number and positions of each of these structures.
 
  disk partition - A hard drive containing a set of consecutive cylinders. Before files can stored on a disk partition it must be formatted to create a logical volume.
 
  driver - A driver is a computer program that controls various devices such as the keyboard, mouse, monitor, etc.  
  extended partitions - If a computer hard drive has been divided into more than four partitions, extended partitions are created. Under such circumstances each extended partition contains a partition table in the first sector that describes how it is further subdivided.
 
  FAT - This stands for File Allocation Table. It is used in Windows® to keep track of where the files are stored on a hard drive, which is formatted as a FAT volume or file system.
 
  file slack - The unused space on a cluster that exists when the logical file space is less than the physical file space.
 
  file system - A disk partition organized so that files can be stored on it. In Windows®, a disk partition with a file system on it is called a volume. The most common types of file systems used by Windows® are FAT and NTFS.
 
  fragmented - In the course of normal computer operations when files are saved, deleted, moved, etc. the files or parts thereof may be scattered in various locations on the computer's hard drive or other storage medium. In regard to computer forensics, fragmented data can frequently yeild important evidence. Computer forensics techniques allow technicians to locate and examine fragmented files.  
  head - Each platter on a hard drive contains a head for each side of the platter. The heads are devices which ride very closely to the surface of the platter and allow information to be read from and written to the platter. The heads are physically attached to an arm, which is in turn attached to the head stack assembly. Usually all heads move together and are positioned together on the same track.
 
  inter-partition space - Unused sectors on a track located between the start of the partition and the partition boot record. This space is important because it is possible for a user to hide information here.
 
 

Return to Index
 

Go to Page 2
 

Return to EER Home Page

Learn more about Electronic Evidence Retrieval and the services we offer.
What is Computer Forensics and how can it help you?
Contact EER for more information.
Read articles related to the world of Computer Forensics.
Broaden your knowledge base with Web links to related topics.
Get answers to commonly asked questions.