Table 1 Terms and definitions
Terminology | Definition |
|---|---|
Residual artifacts | Remaining data such as files, images, documents, and web content |
Affirmative link | Judicially devised standard to aid Courts in determining sufficiency of evidence between subject and offense |
ISO image | A computer file that is an exact copy of an existing file, CD, DVD, etc. |
Virtual machine | Simulation of a real machine |
Prefetch files (Windows) | Each time an application is run on a Windows machine, a Prefetch file referencing the loaded application is created to speed boot time |
$I30/$MFT | New Technology File System (NTFS) Index Attribute/Master File Table |
Browser cache | Temporary Internet files (storage) for increasing speed |
RAM | Working memory that is volatile |
Pagefile (paging) | Virtual memory designated on disk |
Memdump | Action of dumping volatile memory into a file to view contents |
Drive free space | Referencing the unallocated space on disk |
Slack space/file slack | Unused space in a disk cluster (area between end of file and end of disk cluster) |
System volume information | Volume shadow copy (snapshots) for system restore/backup |
FTK orphan directory | Contains files that no longer have a parent, and the parent folder is overwritten (using $MFT as a reference) |
Data carving | There are many different types of data carving techniques (block-based, statistical, semantic, etc.) but essentially, most data carvers extract content by looking for file headers/footers and then ‘carving’ data blocks in between |