For120‐Acronyms - ConnorEast/Tech-Journal GitHub Wiki

Forensics Definitions

Acronym Definitions

  • SATA [Serial Advanced Technology Attachment]:
  • PATA [Parallel Advanced Technology Attachment]:
  • IDE [Integrated Development Environment]:
  • SCSI [Small Computer System Interface]: storage based on Molex Power
  • HDD [Hard Drive Disk]: A non-volatile data storage disk.
  • LBA [Logical Block Analysis]: A linear addressing scheme to locate data blocks
  • ECC [Error Correcting Code]: An encoding
  • NVME: A small SSD which can be connected to the motherboard
  • SSD [Solid state drives]: Storage chips mounted/soldered to a circuit board (use SATA)
  • NAND [NOT AND] Flash: A non-volatile memory
  • HPA [Host Protected Area]: A reserved area on a hard disk drive
  • DCO [Device Configuration Overlay]: A hidden area on a hard disk drive
  • dd/Raw: the original format for forensic imaging. This does not contain additional metadata and is a bit-by-bit copy. The images themselves should match the data source when hashed.
  • E01 [Encase EWF]: Proprietary format from EnCase, supports metadata, compression, encryption, hashing, and split files.
  • FTK SMART: Proprietary format of AccessData. An image format which allows for metadata, compression, encryption, hashing and split files.
  • AFF [Advanced Forensic Format]: AFF images include all of the expected features of a forensic format + encryption. Open source and extensible file format.

Terminology

Term Definition
Cylinder: a group of tracks in a hard drive that can be accessed at the same time by the read/write head. Cylinder = total number of tracks.
Heads: the number of sides according to platter type
Sector: How much data can be stored [1 sector = 512 bytes]. Typically sectors have an ID, a synchronization field and an ECC. Sectors can become damaged due to excessive rewrites, viruses, or sudden voltage surges.
Track: Tracks are numbered from 0 and start on the outside of the platter.
Blocks: a section of storage in an SSD [1 megabyte].
Cage: a chain of blocks
Section: a group of Cages which equal 512 bytes
Stale: A sector which has been blocked for rewriting
Unparticipation: An area which has not been formatted to hold data
Partition: An area which is formatted and active to hold data
Evidence container: A term referring to forensic file formats

Equations:

Capacity = Cylinder * Head * Sector_Size