Tech Terms Flashcards

1
Q

Active File v. File Fragment

A

Definition: An active file is a complete, unaltered file that can be accessed normally by a user. A file fragment is an incomplete part of a file, often due to deletion or corruption.
Forensic Importance: Active files are easier to analyze, whereas file fragments can be key in reconstructing deleted or corrupted evidence.
Lay Audience: Think of an active file as a complete puzzle, while a file fragment is like a few scattered pieces of that puzzle.

2
Q

App v. Program

A

Definition: An “app” typically refers to lightweight software, often designed for mobile devices, while a “program” is broader and can include complex software for desktops and servers.
Forensic Importance: Apps often store user data in cloud services or mobile storage, while programs may keep logs and files on hard drives.
Lay Audience: An app is like the tool you download on your phone (e.g., Instagram), while a program is more like what runs on your computer (e.g., Microsoft Word).

3
Q

American Standard Code for Information Interchange v. Unicode

A

Definition: ASCII is a character encoding standard that uses 7 bits to represent characters. Unicode is a more comprehensive encoding system that supports many more characters across multiple languages.
Forensic Importance: Unicode allows for a wider analysis of data, especially in international investigations where multiple languages are involved.
Lay Audience: ASCII is like a simple codebook for English, while Unicode is a universal translator for most languages.

4
Q

Backup Software v. Volume Shadow Copy

A

Definition: Backup software creates copies of files to restore in case of data loss. Volume Shadow Copy is a Windows feature that periodically saves system snapshots for data recovery.
Forensic Importance: Backup files and shadow copies can be crucial for recovering deleted or overwritten data.
Lay Audience: Backup software is like making photocopies of documents, while Volume Shadow Copy is like having an automatic “undo” button for your files.

5
Q

Carved File v. Recovered Deleted File

A

Definition: Carved files are recovered from unallocated space without relying on file system metadata. Recovered deleted files are found by referencing metadata.
Forensic Importance: Carving is essential when file metadata is missing or corrupted, allowing recovery from fragmented files.
Lay Audience: Carving is like finding bits of a document in a shredder, while recovering deleted files is like retrieving them from the recycling bin.

6
Q

Cloud Storage v. Network Drive

A

Definition: Cloud storage involves storing data on remote servers accessed via the internet, while a network drive is a physical drive on a local network.
Forensic Importance: Cloud data can be hard to access due to encryption and legal hurdles, while network drives are more locally accessible.
Lay Audience: Cloud storage is like renting storage space on the internet, while a network drive is like sharing a hard drive within your office.

7
Q

Cluster v. Sector

A

Definition: A sector is the smallest unit of data storage on a disk; a cluster is a group of sectors that the file system allocates as one unit.
Forensic Importance: Clusters and sectors are key to understanding file systems and where data is physically stored on a disk.
Lay Audience: A sector is like a single page in a book, while a cluster is a group of pages.

8
Q

Container Email v. Web Email

A

Definition: Container email is stored on a local client (e.g., Outlook PST files), while web email is stored on a server accessed via a browser (e.g., Gmail).
Forensic Importance: Container emails provide easier access to local data, while web email requires network access or subpoenas to retrieve.
Lay Audience: Container email is like keeping your letters in a personal filing cabinet, while web email is like letters stored in a cloud-based mailbox.

9
Q

Device Configuration Overlay v. Host Protected Area

A

Definition: Device Configuration Overlay (DCO) and Host Protected Area (HPA) are reserved areas on a hard drive. DCO limits the accessible storage, while HPA stores system files.
Forensic Importance: These areas may contain hidden or overlooked data, crucial for investigations.
Lay Audience: DCO and HPA are like hidden drawers in a filing cabinet where secret or system files might be stored.

10
Q

DD v. E01 Image

A

Definition: DD (Disk Dump) creates a raw disk image, while E01 (EnCase) is a forensic image format that includes metadata and compression.
Forensic Importance: E01 allows for more efficient storage and verification of forensic integrity through hash values.
Lay Audience: DD is like making a raw photocopy of a hard drive, while E01 is a specialized, compressed photocopy with added notes and authenticity checks.

11
Q

Deleted Files v. Recycle Bin Files

A

Definition: Deleted files are no longer visible in the file system but may still exist on disk. Recycle Bin files are “soft-deleted” files that can be easily restored until the bin is emptied.
Forensic Importance: Recycle Bin files are easier to recover, while deleted files may require specialized tools for data recovery.
Lay Audience: Deleted files are like throwing something away, but it’s still in the trash. Recycle Bin files are like items you’ve put in a trash can but haven’t taken out to the curb yet.

12
Q

DHCP v. Static IP Address

A

Definition: DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to devices, while static IP addresses are manually set and don’t change.
Forensic Importance: Tracking a device’s network activity is easier with a static IP, while DHCP can make it harder to trace which device had which IP at a given time.
Lay Audience: DHCP is like automatically getting a parking space, while static IP is like always parking in the same reserved spot.

13
Q

Digital Forensics v. General Forensics

A

Definition: Digital forensics focuses on recovering and investigating data from digital devices, while general forensics includes physical evidence like fingerprints, DNA, and more.
Forensic Importance: Digital forensics is critical in cybercrime, fraud, and many modern investigations.
Lay Audience: Digital forensics is like being a detective for computers and phones, while general forensics is solving crimes with fingerprints and DNA.

14
Q

Encryption v. Password Protection

A

Definition: Encryption transforms data into unreadable code that can only be unlocked with a key. Password protection restricts access to a file or system but doesn’t necessarily encrypt the data.
Forensic Importance: Encrypted data is much harder to recover without the key, while password protection can sometimes be bypassed with cracking techniques.
Lay Audience: Encryption is like putting your data in a locked vault that only a specific key can open, while password protection is like putting a lock on the front door.

15
Q

ESE v. SQLite Database

A

Definition: Extensible Storage Engine (ESE) is a database format used by Microsoft systems (e.g., Windows Mail), while SQLite is a lightweight, self-contained database format used in many applications.
Forensic Importance: Both database formats store valuable user data that can be crucial for investigations.
Lay Audience: ESE is like Microsoft’s specialized database format, while SQLite is a smaller, portable type of database used in many apps.

16
Q

Event Log v. USN Journal ($J)

A

Definition: Event logs record system activities like login attempts and errors, while the USN Journal tracks changes to files and directories on NTFS drives.
Forensic Importance: Event logs are useful for tracking system activity, while the USN Journal can provide insights into file changes.
Lay Audience: Event logs are like a diary of what’s happened on your computer, while the USN Journal is a list of changes to files and folders.

17
Q

FAT v. MFT

A

Definition: FAT (File Allocation Table) and MFT (Master File Table) are file system structures. FAT is used in simpler systems, while MFT is used in the more advanced NTFS.
Forensic Importance: MFT is more robust and contains more metadata about files, making it a richer source of information for investigations.
Lay Audience: FAT is like a basic map of where files are, while MFT is a more detailed map with extra information about each file.

18
Q

File Date v. Metadata Date (such as EXIF)

A

Definition: File dates (creation, access, modification) are recorded by the file system, while metadata dates (e.g., EXIF for photos) are embedded within the file itself.
Forensic Importance: Both types of dates can help establish timelines, but metadata can sometimes be more reliable if the file system has been tampered with.
Lay Audience: File dates are like the timestamps on a letter’s envelope, while metadata dates are like details on the letter itself.

19
Q

File Extension v. File Signature

A

Definition: A file extension (e.g., .jpg, .pdf) is the part of the filename that tells the operating system what type of file it is. A file signature is a unique sequence of bytes identifying the file type.
Forensic Importance: File signatures can reveal the true type of a file even if the extension has been changed to disguise it.
Lay Audience: File extensions are like labels on boxes, while file signatures are like the contents of the box that can tell you what’s really inside.

20
Q

File Path v. Filename

A

Definition: A file path is the location of a file on the system (e.g., C:\Documents\file.txt), while the filename is just the name of the file (e.g., file.txt).
Forensic Importance: File paths provide context on where a file is stored and can give insights into user behavior.
Lay Audience: The file path is like the full address of a house, while the filename is just the house number.

21
Q

Formatting v. Partitioning a Drive

A

Definition: Formatting prepares a drive for use by creating a file system, while partitioning divides a drive into sections that can be managed separately.
Forensic Importance: Both operations can destroy or obscure data, making recovery more difficult.
Lay Audience: Formatting is like laying down new flooring in a house, while partitioning is like dividing the house into separate rooms.

22
Q

Formatting v. Wiping a Drive

A

Definition: Formatting removes file system references but doesn’t fully erase data, while wiping completely overwrites data, making recovery difficult.
Forensic Importance: Wiped drives are harder to recover data from than formatted drives.
Lay Audience: Formatting is like erasing the labels on boxes, while wiping is like shredding everything inside the boxes.

23
Q

Free/Unallocated Space v. Slack Space

A

Definition: Free/unallocated space is unused space on a disk where new data can be written, while slack space is unused space within a file cluster that may still contain remnants of old data.
Forensic Importance: Both areas can hold valuable evidence, such as deleted files or file remnants.
Lay Audience: Free space is like an empty parking lot, while slack space is like extra space in a parked car’s trunk that might still have forgotten items inside.

24
Q

Graphics Interchange Format v. Joint Photographic Experts Group v. Portable Network Graphics

A

Definition: GIF is an image format that supports animations and a limited color palette. JPG is a compressed image format for photos, and PNG is a lossless format supporting transparency.
Forensic Importance: Different formats may be used for different types of evidence (e.g., web images, high-quality photos).
Lay Audience: GIFs are like short video clips, JPGs are like smaller, compressed photo files, and PNGs are high-quality images that can have transparent backgrounds.

25
Q

Indexed Search v. Live/grep Search

A

Definition: Indexed search uses pre-built indexes to quickly find data, while live/grep search scans the actual data in real time without pre-built indexes.
Forensic Importance: Indexed searches are faster but may miss recent changes, while live searches are thorough but slower.
Lay Audience: Indexed search is like looking through a library’s catalog, while live search is like checking every book on the shelves manually.

26
Q

Internet Cache v. Internet History

A

Definition: Internet cache stores temporary web content (e.g., images, scripts), while internet history records the URLs of websites visited.
Forensic Importance: Both can reveal user behavior, but cache may hold additional artifacts like images from deleted browsing history.
Lay Audience: Cache is like saving a snapshot of a webpage, while history is just a list of places you’ve visited.

27
Q

iOS v. macOS

A

Definition: iOS is the mobile operating system used by Apple’s iPhones and iPads, while macOS is the desktop operating system used by Apple’s Mac computers.
Forensic Importance: Different operating systems store and manage data in distinct ways, meaning investigators need specialized tools and knowledge for each.
Lay Audience: iOS is like the software that runs your iPhone, while macOS is what powers your MacBook or desktop computer.

28
Q

Jump Lists v. LNK Files

A

Definition: Jump Lists are a Windows feature that tracks recently and frequently accessed files, while LNK files are shortcuts pointing to the location of files on the system.
Forensic Importance: Both can provide valuable clues about user activity, especially files recently accessed.
Lay Audience: Jump Lists are like a “recently used” list on your phone, while LNK files are like shortcuts on your desktop that lead you to a specific file.

29
Q

Legacy Basic Input/Output System v. Unified Extensible Firmware Interface Booting

A

Definition: Legacy BIOS (Basic Input/Output System) is an older system for booting computers, while UEFI (Unified Extensible Firmware Interface) is the modern replacement with more features and faster boot times.
Forensic Importance: UEFI has enhanced security features like Secure Boot, which can complicate forensic investigations if not properly configured.
Lay Audience: BIOS is like an old, slow ignition system in a car, while UEFI is a modern, faster ignition with extra security features.

30
Q

Logical Copy v. Physical Image

A

Definition: A logical copy only includes the active, readable files on a system, while a physical image copies every bit of data, including deleted or hidden files.
Forensic Importance: Physical images allow for more thorough analysis and recovery of hidden or deleted data.
Lay Audience: A logical copy is like copying only the visible pages of a book, while a physical image is copying every page, including ones you tore out or tried to erase.

31
Q

Logical Drive v. Physical Drive

A

Definition: A logical drive is a partition or segment of a physical drive, often treated as a separate storage unit, while a physical drive refers to the actual hardware.
Forensic Importance: Logical drives can store different operating systems or data, while analyzing the physical drive gives a complete view of all partitions.
Lay Audience: A logical drive is like dividing your hard drive into smaller parts, like rooms in a house, while the physical drive is the entire house.

32
Q

MAC Address v. IP Address

A

Definition: A MAC address is a unique identifier assigned to network devices, while an IP address identifies devices on a network.
Forensic Importance: MAC addresses help trace specific hardware devices, while IP addresses are used to track network locations and traffic.
Lay Audience: A MAC address is like a device’s permanent serial number, while an IP address is like its temporary mailing address.

33
Q

Message-Digest Algorithm 5 Hash v. Secure Hash Algorithm 1 Hash

A

Definition: MD5 and SHA1 are cryptographic hash functions that generate unique fixed-size outputs from data. MD5 is less secure than SHA1 due to vulnerabilities.
Forensic Importance: Both hashes are used to verify data integrity, but MD5 is increasingly being replaced by more secure alternatives like SHA1 or SHA256.
Lay Audience: Hashes are like digital fingerprints for files, with MD5 being a bit outdated and more prone to forgeries, while SHA1 is more secure.

34
Q

Mechanical Hard Drive v. SSD

A

Definition: Mechanical hard drives (HDD) store data on spinning disks, while solid-state drives (SSD) use flash memory without moving parts.
Forensic Importance: HDDs are more prone to mechanical failure, but SSDs use wear-leveling, which can make data recovery more difficult.
Lay Audience: A mechanical hard drive is like an old record player with spinning disks, while an SSD is like a digital music player with no moving parts, making it faster.

35
Q

Mobile: Android v. iOS

A

Definition: Android is Google’s open-source mobile operating system, while iOS is Apple’s closed-source system.
Forensic Importance: Android’s open nature provides more access to forensic tools, while iOS is more secure, requiring special methods to access data.
Lay Audience: Android is like an open market where you can customize everything, while iOS is a tightly controlled environment that offers more security.

36
Q

Mobile: Bluetooth v. Wi-Fi

A

Definition: Bluetooth is a short-range wireless technology for connecting devices, while Wi-Fi is a medium- to long-range wireless technology for connecting to the internet.
Forensic Importance: Bluetooth connections can leave forensic traces, such as device pairings, while Wi-Fi can show a user’s network activity.
Lay Audience: Bluetooth is like a handshake between devices for short distances, while Wi-Fi is like your home internet that reaches further.

37
Q

Mobile: Code Division Multiple Access v. Global System for Mobile Communications v. Long-Term Evolution

A

Definition: CDMA and GSM are older mobile network technologies, with GSM being more globally prevalent. LTE is the modern, faster standard for mobile data.
Forensic Importance: Understanding the network type can aid in locating devices and understanding how they connect to mobile towers.
Lay Audience: CDMA and GSM are like older types of cell phone networks, while LTE is the fast, modern internet connection you use on your phone.

38
Q

Mobile: Chat v. Short Message Service/Multimedia Messaging Service

A

Definition: Chat apps (e.g., WhatsApp, iMessage) use internet data for messaging, while SMS (Short Message Service) and MMS (Multimedia Messaging Service) are carrier-based text and media messages.
Forensic Importance: Chat apps often encrypt messages, while SMS/MMS are easier to intercept through phone records.
Lay Audience: Chat is like using messaging apps with an internet connection, while SMS/MMS are like sending old-fashioned text messages through your cell phone carrier.

39
Q

Mobile: File System v. Logical v. Physical Extraction

A

Definition: File system extraction pulls data from the file system, logical extraction retrieves active user data, and physical extraction captures all data, including deleted items.
Forensic Importance: Physical extraction is the most thorough, but logical extraction is quicker and can be sufficient in some cases.
Lay Audience: File system extraction is like getting an organized list of files, logical extraction is like copying what’s currently visible, and physical extraction is like copying everything, including hidden or deleted data.

40
Q

Mobile: International Mobile Equipment Identity v. International Mobile Subscriber Identity

A

Definition: IMEI (International Mobile Equipment Identity) is a unique identifier for mobile devices, while IMSI (International Mobile Subscriber Identity) identifies the SIM card and subscriber.
Forensic Importance: IMEI can help track stolen devices, while IMSI is crucial for identifying users and their network activities.
Lay Audience: IMEI is like your phone’s serial number, while IMSI is like your phone account’s ID number.

41
Q

Mobile: microSD Card v. Subscriber Identity Module Card

A

Definition: A microSD card is external storage used for saving data, while a SIM card holds the subscriber’s identity and connects them to the mobile network.
Forensic Importance: microSD cards can hold a wealth of user data, while SIM cards can reveal network-related information.
Lay Audience: A microSD card is like a tiny external hard drive for your phone, while a SIM card is like your phone’s key to connect to the mobile network.

42
Q

Non-Volatile v. Volatile Memory

A

Definition: Non-volatile memory retains data even when power is off (e.g., hard drives, SSDs), while volatile memory (e.g., RAM) loses data when power is off.
Forensic Importance: Non-volatile memory is key for long-term data recovery, while volatile memory can provide real-time data (if captured before shutdown).
Lay Audience: Non-volatile memory is like keeping your files on paper that stays readable forever, while volatile memory is like writing something in the sand—it disappears when the wind blows.

43
Q

P2P v. Torrent File Sharing

A

Definition: Peer-to-Peer (P2P) is a decentralized method of sharing files directly between users, while torrenting uses a tracker to coordinate file sharing among multiple peers.
Forensic Importance: P2P and torrenting leave traces that can be used to identify users involved in file sharing, often in cases involving illegal downloads.
Lay Audience: P2P is like swapping files directly between friends, while torrenting is like having a crowd of people sharing bits of a file with each other.

44
Q

Page File v. RAM

A

Definition: The page file is a section of the hard drive used as extra virtual memory when RAM (Random Access Memory) is full. RAM is the fast, temporary storage for active tasks.
Forensic Importance: The page file can retain portions of data from RAM that were swapped out, making it valuable for retrieving sensitive data like passwords or fragments of active processes. RAM stores real-time data, but it’s lost when the system shuts down unless captured before then.
Lay Audience: RAM is like a whiteboard where you jot down important notes while working, but once erased, it’s gone. The page file is like a notebook where you occasionally write down overflow notes when the whiteboard is full, but you can still look back through it after you’re done.

45
Q

Physical Machine v. Virtual Machine

A

Definition: A physical machine is a traditional computer or server with hardware resources, while a virtual machine (VM) is a software emulation of a computer that runs on physical hardware.
Forensic Importance: Investigating virtual machines can involve analyzing the virtual environment and underlying host system, while physical machines require direct access to hardware.
Lay Audience: A physical machine is like a real car, while a virtual machine is like a driving simulator that gives you the experience of driving without using an actual car.

46
Q

Formatting v. Wiping a Drive

A

Definition: Formatting a drive prepares it for use by setting up a file system, but it doesn’t completely remove data; wiping a drive overwrites all data, making it much harder to recover.
Forensic Importance: A formatted drive may still contain recoverable data, while a wiped drive is far more challenging to extract information from.
Lay Audience: Formatting is like cleaning out a room but leaving old documents in the drawers, while wiping is like shredding everything in the room so no one can piece it back together.

47
Q

Plists v. Registry

A

Definition: Plists (property lists) are configuration files used in Apple systems, while the Windows Registry is a hierarchical database that stores low-level settings for Windows and its applications.
Forensic Importance: Both can contain critical information about user settings, installed software, and system configurations, helping to trace user actions or software use.
Lay Audience: Plists are like instruction sheets for how an app should behave on your iPhone or Mac, while the Windows Registry is like a huge rulebook for how your Windows computer operates.

48
Q

RAID v. Single Drive

A

Definition: RAID (Redundant Array of Independent Disks) combines multiple drives to improve performance and/or redundancy, while a single drive operates independently without redundancy.
Forensic Importance: RAID setups complicate forensic analysis because data is spread across multiple disks. However, they can offer protection against data loss in the case of drive failure.
Lay Audience: RAID is like having multiple copies of your files spread across several safes, so if one safe fails, your data is still safe. A single drive is like keeping all your valuables in one safe—if it breaks, you could lose everything.

49
Q

Wired v. Wireless Network Connection

A

Definition: A wired network connection uses physical cables (e.g., Ethernet) to connect devices, while a wireless connection uses radio waves (e.g., Wi-Fi).
Forensic Importance: Wired connections are often more secure and leave more traceable physical evidence, while wireless connections can be intercepted or hacked more easily but leave logs in routers and devices.
Lay Audience: A wired connection is like having a direct phone line to someone, while a wireless connection is like using a walkie-talkie—more convenient, but others could potentially listen in.