What is digital forensics? What do terms like forensic image, chain of custody, hash value, volatile data, and incident response actually mean?
This glossary defines essential terminology used to identify, preserve, collect, analyze, and present digital evidence. Whether you’re an attorney, corporate legal professional, investigator, or IT leader, this resource provides clear explanations of the concepts and processes that support defensible digital investigations.
A
Acquisition: The process of collecting and preserving electronically stored information (ESI) from digital devices or sources in a forensically sound manner while maintaining the integrity of the original data.
Active Data: Electronically stored information (ESI) that is currently accessible and available for collection during eDiscovery without specialized recovery techniques. Examples include user-created files, emails, databases, and documents stored on active systems, servers, or cloud platforms.
Admissibility: The legal standard determining whether digital evidence can be accepted and considered in court proceedings.
Archival Data: Electronically stored information (ESI) maintained for historical, regulatory, or business purposes that is outside an organization’s active systems. Because it may reside on backup systems, removable media, or other storage platforms, retrieving archival data may require additional technical processes before it can be reviewed or collected for eDiscovery.
Artifact: A piece of digital evidence created by user activity, system processes, or applications. Examples include browser history, registry entries, emails, and application data.
Authentication: The process of verifying that digital evidence is genuine and has not been altered since collection.
B
Bit-by-Bit Copy (Forensic Image): A complete copy of a digital storage device that captures all allocated and unallocated data, including deleted information and system artifacts.
Browser Forensics: The examination and analysis of web browser data, including browsing history, cookies, cached files, downloads, and saved credentials.
C
Chain of Custody: A documented record that tracks the collection, handling, transfer, storage, and analysis of evidence to demonstrate that it has remained secure and unaltered.
Cloud Forensics: The process of identifying, collecting, preserving, and analyzing data stored within cloud environments and applications.
Collection: The process of gathering electronically stored information from devices, systems, applications, or cloud platforms for investigation or litigation purposes.
Computer Forensics: The examination of computers and digital storage devices to identify, preserve, recover, and analyze electronic evidence.
D
Data Breach: A security incident in which sensitive, protected, or confidential information is accessed, copied, disclosed, transmitted, stolen, or otherwise used by an unauthorized individual or entity. A breach occurs when data is compromised through events such as a cyberattack, insider threat, or accidental exposure, resulting in confidential information leaving a secure environment or becoming accessible to unauthorized parties.
Data Carving: A forensic recovery technique used to extract files or data fragments from storage media when file system information is missing, damaged, or deleted.
Data Collection (also Data Acquisition): The systematic, defensible process of identifying, gathering, and securing digital evidence from devices, networks, applications, or cloud environments. The goal is to extract relevant information for investigation or analysis while preserving the integrity of the original data and ensuring that evidence is not altered, compromised, or contaminated.
Data Extraction: The process of retrieving information from digital devices, applications, or systems for forensic examination.
Data Recovery: The process of retrieving lost, deleted, corrupted, or inaccessible data from digital storage media. In digital forensics, data recovery is performed using forensically sound methods to preserve the integrity of potential digital evidence for investigation and legal proceedings.
Deleted Data Recovery: The recovery and analysis of files, messages, records, or other information that has been deleted but may still exist on a device or storage system.
Digital Evidence: Information stored or transmitted electronically that may be used to support investigations, litigation, regulatory matters, or internal reviews.
Digital Forensics: The process of identifying, collecting, preserving, analyzing, and reporting on electronically stored information while maintaining evidentiary integrity.
Digital Forensics Examiner: A trained professional who collects, analyzes, and interprets digital evidence using specialized forensic tools and methodologies.
Digital Forensics and Incident Response (DFIR): The combination of two complementary cybersecurity disciplines: Digital forensics, which focuses on investigating cyber incidents and collecting digital evidence for analysis, legal proceedings, or internal investigations; and incident response, which involves identifying, containing, and mitigating active cyber threats. By integrating these capabilities, DFIR enables organizations to respond to attacks more quickly while preserving critical evidence that may otherwise be compromised or lost during remediation efforts.
E
Electronic Discovery Reference Model (EDRM): The standard, globally recognized framework that outlines the lifecycle of eDiscovery. It breaks down the process of finding, securing, and analyzing digital evidence (electronically stored information or ESI) into distinct, defensible, and cost-effective stages for legal and regulatory proceedings.
Electronically Stored Information (ESI): Information created, stored, or transmitted in electronic format. Examples include emails, documents, text messages, social media content, databases, and files stored on computers or cloud platforms.
Email Forensics: The analysis of email communications, metadata, attachments, routing information, and user activity to support investigations or legal matters.
Evidence Preservation: The process of protecting potentially relevant digital information from alteration, deletion, or destruction.
F
File System Analysis: The examination of how files are organized, stored, modified, and accessed on digital storage devices.
Forensic Collection: The process of identifying, collecting, and preserving electronically stored information (ESI) using industry-accepted methods that maintain the integrity and authenticity of the data. These practices help ensure the evidence is defensible and admissible in legal proceedings.
Forensic Image: An exact, bit-for-bit copy of a digital storage device that captures all data, including active files, deleted files, file fragments, and unallocated or slack space. Because it preserves the device’s contents without altering the original, a forensic image is commonly used during digital investigations and legal proceedings.
Forensics: The process of identifying, collecting, preserving, examining, and analyzing electronically stored information (ESI) using scientifically sound methods that protect the data's integrity and authenticity, helping ensure it is admissible as evidence in legal proceedings.
Forensically Sound: A process or method that preserves the integrity, authenticity, and reliability of digital evidence.
H
Hash (also Hash Coding, Hash Value): An algorithm that generates a unique value for each document. It is referred to as a digital fingerprint and is used to authenticate documents and to identify duplicate documents. During eDiscovery, hash values help confirm that data has not been altered and allow processing tools to identify and remove exact duplicate files, reducing the volume of data requiring review.
Hardware Write Blocker: A forensic tool that prevents data from being modified on a storage device during collection.
Hosting: Defines a service provided by a third-party litigation support firm that provides access to documents relating to a particular matter within a review software platform. The platform can be accessed via the internet by logging in with a username and password.
I
Identification: The process of learning the location of all data which a law firm or client may have a duty to preserve and potentially disclose in a pending or prospective legal proceeding. This is typically done during the interview phase of a legal hold.
Image (Drive): To make an identical copy of a drive including its empty space; “mirror image.”
Image (File): To make a picture copy of a document. The most common image formats in eDiscovery are TIFF and PDF.
Incident Response: The process of identifying, containing, investigating, and recovering from cybersecurity incidents such as data breaches or unauthorized access.
Internet of Things (IoT) Forensics: The collection and analysis of evidence from connected devices such as smart home technology, wearable devices, and other internet-enabled systems.
L
Legal Hold: A communication requesting the preservation of information that is potentially relevant to a current or reasonably anticipated legal matter and the resulting preservation.
Live Acquisition: The collection of digital evidence from a device while it is powered on, allowing investigators to capture volatile information such as memory data.
Load File: A file used to import data into an eDiscovery system. It defines document parameters for imaged documents and often contains metadata for all electronically stored information (ESI) it relates to.
Logical Extraction: A method of collecting accessible files, folders, and user-created data from a device without capturing the entire physical storage media.
M
Mac Forensics: The examination and analysis of Apple computers, operating systems, applications, and associated digital artifacts.
Metadata: Information about a file or digital record that provides details such as creation date, modification history, author information, and file properties.
Mobile Device Forensics: The process of collecting and analyzing evidence from smartphones, tablets, and other mobile devices, including calls, texts, applications, location data, and user activity.
N
Native Format: A file that is maintained in the format in which it was created. This format preserves metadata and details about the data that might be lost when the documents are converted to image format, e.g. pivot tables in spreadsheets.
Native File: An electronic document or data file maintained in the original format created by its source application. Unlike converted formats such as PDF or TIFF, native files preserve the original content, formatting, functionality, and metadata. Common examples include Microsoft Word (.docx), Microsoft Excel (.xlsx), and Microsoft Outlook email (.msg).
Network Forensics: The capture and analysis of network activity to identify security incidents, unauthorized access, or other relevant digital activity.
Normalization: Reformatting data so that it is stored in a standardized format.
P
Password Recovery: The process of recovering or bypassing access restrictions to obtain relevant digital evidence from protected devices or files.
Physical Extraction: A forensic acquisition method that captures a complete copy of data stored on a device, including deleted and hidden information when available.
Preservation: The process of identifying and protecting electronically stored information (ESI) to prevent its alteration, deletion, or destruction when litigation, an investigation, or another legal matter is reasonably anticipated.
R
RAM (Random Access Memory) Analysis: The examination of volatile memory to identify active processes, encryption keys, malware, network connections, and other temporary data.
Remote Collection: The process of acquiring digital evidence from devices or systems without requiring physical access to the location where the device is stored.
S
Slack Space: Unused space within a storage device that may contain remnants of deleted files or previous data.
Social Media Forensics: The collection and analysis of social media content, account activity, metadata, and communications for investigative purposes.
Spoliation: The destruction or alteration of evidence, or the failure to preserve the evidence properly.
Steganography: The practice of hiding information within another file, such as embedding data within an image or document.
Structured Data: Data stored in a structured format such as a database. Structured data can create challenges in eDiscovery.
T
Tagged Image File Format (TIFF): This file format allows storage of multiple bitmap images and introduces no compression artifacts, making it ideal for archiving intermediate files. TIFF images are the most common file formats for scanned hard copy documents.
Timeline Analysis: The process of organizing digital artifacts and events chronologically to understand user activity, system changes, or security incidents.
Triaging: The process of quickly evaluating digital devices or data sources to identify potentially relevant evidence and prioritize further examination.
U
Unallocated Space: Most often, this is space created on a hard drive when a file is marked for deletion. This space is no longer allocated to a specific file. Until it is overwritten, it still contains the previous data and can often be retrieved.
V
Volatile Data: Information that may disappear when a device is powered off, such as RAM contents, active network connections, and running processes.
W
Windows Registry Analysis: The examination of the Windows Registry to uncover system configurations, user activity, installed applications, connected devices, and other forensic evidence.
Write Blocker: A device or software tool that prevents changes from being made to digital evidence during collection.