Note: The terms in this glossary may have other uses in other fields. The uses discussed here are for general use in computer science & email forensics.



Acquisition: The stage in a computer forensic investigation wherein the data involved is collected. Often the means used is a bit-by-bit copy of the hard disk or other media in question.

Active Files, Active Data: Data on a computer that is not deleted and is generally accessible and readily visible to the user under normal use.

Allocated space / sector / block: The logical area on a hard disk or other media assigned to a file by the Operating System.

Ambient Data: The converse of active data. Ambient data is information that lies in areas not generally accessible to the user. This data lies in file slack, unallocated clusters, virtual memory files and other areas not allocated to active files.

Archival data: Often backups, archival data is generally kept on another media, such as on tape or CD, and is often compressed. Such data is not usually immediately available to the user and may need to be restored from the archival media to be accessed.

ASCII: Stands for “American Standard Code for Information Interchange.” Pronounced “Ass-key.” Often referred to as “ASCII text.” ASCII assigns a numerical code for each character on a keyboard; hence ASCII text is often comprehensible to humans without much interpretation.

Audit Trail: A chronological record of system activities on a computer or network security system that may keep track of user actions such as logins, file access, and other activities.

Back door: A means of accessing or controlling a computer that bypasses normal authentication, while remaining hidden from the casual user. A backdoor may be a program that has been installed surreptitiously, or may be a hidden function of a legitimate program.

Backdoor Trojan: A generic name for Trojan horse programs that open a backdoor and allow an unauthorized user remote access to a computer.

Backup: A copy of data that is kept as an emergency measure against data loss in a system or media failure, and/or for the purpose of keeping archival data. Backups may be compressed or encrypted, and are usually kept separate from the system containing the active version of the data that is being backed up.

Backup Server: A computer on a network that is designed to be used to back up data from other computers on the network. A Backup Server may also be used as a File Server, a Mail Server or as an Application Server.

Backup media: The media on which backup data is kept. May be almost any form of media, such as tapes, CD-ROM, DVD, external hard disks, floppy diskettes, magneto-optical disks, WORM disks, Zip disks, Jaz disks, and many others.

Bit: The smallest unit of data, consisting of a zero or a one, stands for “binary digit.”

Bitstream or bit-by-bit copy: A copy of every consecutive sector on a hard disk or other media, without regard to allocation of data. Sometimes confused with mirroring.

Buffer: An area of memory used to temporarily hold data. May be written to a buffer file.

Burn: The process of creating a CD-ROM or DVD.

Byte: Eight consecutive bits. The unit in which computer storage and computer memory is measured. The amount of data necessary to make a single character (such as a letter or a number) of data. Part of the words kilobyte (KB), megabyte (MB), gigabyte (GB), terabyte, petabyte.

Cache: French for “hide.” A storage area where frequently accessed data may be kept for rapid access. There are three main types of cache: disk cache, memory cache, and program cache. See these entries for further explanation.

Chain of Custody: As in other fields, a record of the chronological history of (electronic) evidence.

Cluster: Also known as allocation blocks, a cluster is a contiguous group of sectors that is the smallest amount of space assigned to a file by an operating system such as Microsoft Windows. Clusters generally range in size from 4 sectors to 64 sectors.

Compressed file, zipped file: A file that has been encoded using less space than the original file in its uncompressed state. A zipped file may contain more than one compressed file.

Computer Forensics: A practice and methodology that may involve any or all of the following: electronic imaging, electronic discovery, forensic analysis of discovered information, preparation of information in a manner useful to the client or court, presentation of findings to the client or attorney, such as in written, oral and/or electronic reports, testimony in a court of law, when necessary, by an expert witness, including deposition and jury trial.


Cookie: In Internet or browser usage, a small file accessed by a web browser and written to the user’s computer. A shortened form of the term, “magic cookie,” cookies are used for tracking, authenticating, and maintaining information about users, generally to ease interaction between a website and a user. Cookies stored on a user’s computer often contain the times and dates that the user accessed a given website.

Corrupt Data, Corrupt File: A file that is damaged. Damage may have occurred inadvertently during transmission, copying, through operating system error, physical damage to the media on which the data was stored, or through other means.

Data: Information stored on a computer that is not part of a program.

Disk: Generally, a hard disk. Floppy diskettes are often referred to as disks.

Disk cache: RAM used to speed up access to stored data. May be part of a computer’s RAM, or may be RAM integrated into the disk drive itself.

Disk Mirroring: Data copied to another hard disk or to another area on the same hard disk in order to have a complete, identical copy of the original.

E-mail: Electronic mail. Messages transmitted over a computer network or networks, directed to a given user, either individually or in bulk. Email may be stored in a large text format, or in an encrypted form. Microsoft Outlook stores email messages in an encrypted file; most other email programs store messages primarily as text.

Some email types are:

Lotus Notes NSF, Outlook PST/OST, Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird, Quickmail, etc.), Netscape, AOL and RFC 833

Encryption: A process to render a file unreadable to unauthorized persons or devices.

Extension, File Extension: Part of a file’s name, usually following a “dot,” or period, in a file name. Some operating systems, such as Microsoft Windows, depend on the extension to know what program is used to open the given file. Microsoft Word documents, for instance, have “.doc” as their extension.

Filename: The name of a file. Sometimes refers to the name of a file minus its extension.

File Attribute: Properties associated with a file that are kept with the file directory listing. Such attributes include the date and time the file was last accessed, created, or modified,

File signature: Information contained within a file that identifies its type, even though the file’s extension may have been altered.

File slack: Information at the end of a cluster that has not been completely filled, or overwritten, by a file. The file may end before the end of the cluster; hence the cluster may contain data from a previous file.

Forensic image: A forensically sound and complete copy of a hard drive or other digital media, generally intended for use as evidence. Such copies include unallocated space, slack space, and boot record. A forensic image is often accompanied by a calculated Hash signature to validate that the image is an exact duplicate of the original.

GIF: A common format for storage of digital images. An acronym for Graphic Interchange Format. Pronounced “Jiff.” GIFs have the file extension “gif”

GUI: Graphical User Interface. An image and icon-based interface designed to make manipulation of computer data easy. Common GUIs are Microsoft Windows and the Macintosh OS.

Hard disk: Currently the primary storage medium for data on most computers, consists of a sealed chassis containing a rapidly spinning metal-coated platter, or stack of platters that are magnetically encoded as data is written to them by enclosed magnetic read/write heads.

Hash, hash value: A hash is a number generated from a string of text. A hash value may be generated for a single file, or for an entire hard disk. A matching hash virtually guarantees that a copy is identical to the original. It does not absolutely guarantee this.

HTML: An authoring language, written in text that is used to create documents for access on the World Wide Web. Such documents may be web pages, or otherwise enhanced documents or email messages. Stands for Hypertext Markup Language.

Instant Messaging: Abbreviated as IM. A text-based electronic communication in real time. It is similar to a telephone call in its immediacy; it is different in that it is generally text-based.

IP Address: An electronic identifier for a specific computer or device on the World Wide Web or other (internal or external) electronic network using the TCP/IP protocol. An IP address is a series of four numbers separated by periods (“dots”). Each number is a value from 0 to 255. An example could be “IP” stands for “Internet Protocol”

ISP: Internet Service Provider. A provider of access to or connected to the Internet. Some large ISPs include Earthlink, Yahoo, Roadrunner, SBC Global.

JPEG: A common format for storage of digital images. An acronym for Joint Photographic Experts Group. Pronounced “jay-peg.” JPEGs have the file extension, “jpg”

Keylogger: A program or device designed to keep a record of the keys typed on a computer. May be used for monitoring, or espionage, such as to collect passwords. Some keyloggers may be accessed remotely.

Keyword search: A common technique used in computer forensic and electronic discovery, a keyword search is usually performed to find and identify every instance on a computer or other media of a given word or phrase, even if said word or phrase occurs in unallocated space or in deleted files.

Log files, or Logfile: A record kept by many applications and operating systems of various activities by saving to a file – the Logfile.

Mail Server: A server on a network that processes incoming and outgoing electronic communications, especially email. A mail server generally has security policies in place to allow only authenticated users access to given email communication. The mail server may store a copy of users’ data in various forms, or may not store copies of users’ data. A mail server may be utilized for multiple functions, including as a File Server, Application Server, or Backup Server.

MAC dates: File attributes in the Windows operating system. The MAC dates are the dates a file was last Modified, last Accessed, and Created.

Master File Table, or MFT: In an NTFS file structure (used in most versions of Windows from 1993-2014, so far), the MFT contains substantial metadata about all files in a given volume, including file physical locations, MAC dates (times), file permissions, file size, the file’s parent directory, entry modification time, and at times, the entire content of small files.

Memory Cache: Also known as RAM cache, it is high-speed memory designed to store frequently accessed or recently accessed data for quick use. On the Macintosh, RAM cache may also be disk cache.

Native format, native environment: The original configuration or program in which a file or other data was produced.

Network: A group of computers electronically linked so as to be able to share files or other resources, or for electronic communication. The World Wide Web is a particularly large network.

NTFS: New Technology File System. An operating system developed by Microsoft and released in 1993 with Windows NT 3.1. It has subsequently been used in versions of Windows through Windows 8.1. Previous versions of Windows had been dependent on the DOS operating system.

Operating System, OS: The suite of programs that allow a computer to operate. The OS controls signals from and to input devices (such as a mouse, keyboard, microphone), peripherals (such as hard disks, CD-ROM drives, and printers), output devices (such as monitors and speakers) and performs the basic functions needed for a computer to operate. Common operating systems include Windows XP, Macintosh OS X, and Linux.

Partition: A logical delineation on a disk drive such that a single drive acts as two, smaller disk drives.

PDF: An Adobe Acrobat document. A common format for graphic and text files that is not easily altered. Stands for Portable Document Format.

Protocol: An agreed-upon standard format for communicating, connecting, or transferring data between two computers or devices. There are many communications protocols, such as TCP (Transmission Control Protocol).

RAM: Random Access Memory. Computer chips that store digital data in electronic form.

Sector: The basic and smallest unit of data storage on a hard disk or other electronic media. Generally, consists of one contiguous area able to hold 512 bytes of data.

Server: A computer on a network that shares data with other computers on the network.

Shadow Volume: Also known as Shadow Copy, Volume Snapshot Service, Volume Shadow Copy Service, or VSS, is included with Microsoft Windows and makes automated backup copies of some files and operating system components from time to time on NTFS-based computers.

Steganography: A means of writing hidden messages such that only the intended recipient knows of their existence. A modern example may be replacing a few pixels of a digital image with a digital message. The slight change in the image may be unnoticeable to a person who does not know where in the image to look. Older forms of Steganography, which means “covered writing” in Greek, date back more than 2,000 years.

TCP/IP: A suite of communications protocols used to allow communication between computers on a network, such as on the Internet. Stands for Transmission Control Protocol / Internet Protocol.

Unallocated: The area on a hard disk or other media that is not (or is no longer) assigned to a file by the Operating System. May contain intact deleted files, remnants thereof or other data.

Web Browser: Often simply referred to as “browser.” A program used to find and display web pages. Popular browsers as of this writing are Microsoft Internet Explorer (often abbreviated as “Explorer”), Netscape Navigator, Mozilla Firefox, and Apple Safari.

Windows Swap File: Also known as the Page file, or Pagesys file. A virtual memory file used by Microsoft Windows as a kind of scratch pad during most operations. The Swap file is usually quite large and often contains records of operations or remnants of files not found elsewhere.

.msg file

An individual email file, commonly associated with Outlook or Outlook Express.

.nsf file

A database store for Lotus Notes. Typically contains email, contacts, calendar items and journal entries. Similar to Outlook’s .pst file


ASCII

American Standard Code for Information Interchange. Standard text with no formatting, which means it can be read by most computer programs.


Byte

Unit of measurement for digital data. One byte = one character.

Electronic Discovery

Acquiring digital media for production in litigation. Has also been used to describe the process of converting paper files to digital media (e.g., TIFF and OCR files).

Evidentiary Image

Same as a bit-stream copy. An exact sector by sector copy of a hard drive that allows for retrieval of deleted files.

File extension

Typically, the last three characters of a file name after the period that indicates the program or application used to create the document. For example, Word documents end with a .doc file extension, Excel spreadsheets have a .xls file extension and Word Perfect uses .wpd file extension.


The ability to determine the geographic location of a device using a number of data sets including the Internet Protocol (IP address), RFID, Wi-Fi positions and GPS coordinates. Some of this information may be captured in pictures taken with a cell phone, further increasing the ability to identify the location of a device at a particular point in time. See tablets and cell phones.

Hash value

The “DNA” or fingerprint for a digital file. A string of characters that is unique to that particular file or group of files. MD-5 and SHA are the two most common algorithms used to create hash values. Hash values can be used to de-dupe files or to confirm authenticity.

Lotus Notes

Made by IBM. One of the two most common corporate email programs. The other is Microsoft’s Outlook.


Metadata

Data about data. Information such as the author, date created and date modified. There is file or system metadata and document or application metadata. File metadata is assigned by the computer’s operating system, whereas document metadata is assigned by the application or program used to create the file. If a file is moved from one location to another, the file metadata will change, but most of the document metadata will remain intact.


OCR

Optical Character Recognition. A software program converts the text of a printed document to digital format so the document can be searched. Accuracy rates can vary widely depending on numerous factors, such as the quality of the original and the program used for scanning, which impacts the validity of any search results.

OST file

Offline Storage Table. Similar to a .pst file but typically used by remote users that will read and respond to email offline and then synchronize it with their company’s Exchange server when Internet access is available.  An OST file is now the default local email storage for Exchange 2007 and higher.


Outlook

One of the two most common corporate email programs (the other is Lotus Notes). Made by Microsoft and needs to be purchased, but typically comes as part of one of the Microsoft Office packages.

Outlook Express

An email program that comes standard on all Microsoft operating systems. Depending on their email provider, a user could download their web-based email and view it with this program.

PST file

Personal Stores Table. The compressed file used by Outlook to store an individual user’s email, contacts, calendar items, journal entries, and notes. Similar to Lotus Notes’ .nsf file.

Slack Space

A portion of the hard drive between where one file ends and another file begins. This can be an important place to look if searching for old deleted data.


TIFF

Tagged Image File Format. A graphic file that is commonly used by litigation support vendors to create pictures of either digital or paper documents.

Unallocated Space

The portion of the hard drive that is not allocated to active files. When a file is deleted, only the link to the file is removed. The actual file remains in the unallocated space of the hard drive until it has been overwritten.

Web-based email

As the name implies, email that is accessed and stored on the Internet. This includes programs such as Hotmail, Gmail, Yahoo, and others. Typically, these programs store the email on their own servers, but the email can be moved down to the user’s computer.

APOP (Authenticated Post Office Protocol)

APOP, short for Authenticated Post Office Protocol, is an extension of the Post Office Protocol that allows passwords to be sent in encrypted form. APOP is more secure than normal plain text POP authentication but also suffers from serious shortcomings.


Attachment

An attachment is a file (such as an image, a word processing document or an mp3 file perhaps) that is sent along with an email message.


Backscatter

Backscatter is a delivery failure report generated by a junk email that used an innocent third party’s email address as the sender (which address receives the delivery failure message).


Base64

Base64 is a method for encoding arbitrary binary data as ASCII text, to be used, for example, in an email body.

Bcc (Blind Carbon Copy)

A Bcc, short for “blind carbon copy”, is a copy of an email message sent to a recipient whose email address does not appear (as a recipient) in the message.


Blacklist

A Blacklist collects known sources of spam. Email traffic then can be filtered against a blacklist to remove spam from these sources.


Cc (Carbon Copy)

A Cc, short for “carbon copy”, is a copy of an email message sent to a recipient whose email address appears in the message’s Cc header field.

Email Address

An email address is a name for an electronic postbox that can receive (and send) email messages on a network (such as the internet or a local network not connected to the wider internet).

Email Body

The email body is the main part of an email message that contains the message’s text, images and other data (such as attached files).

Email Client

An email client is a program (on a computer or mobile device, for example) used to read and send electronic messages.

Email Header

Email header lines make up the first part of any email message. They contain information used to control the message and its transmission as well as metadata such as the Subject, origin and destination email addresses, the path an email takes, and maybe its priority.

Email Server

An email server is a program running at Internet Service Providers and large sites used to transport mail. Users normally do not interact with email servers directly: email is submitted with an email client to an email server, which delivers it to the recipient’s email client.



From

The “From:” header field, in an email, contains the message’s author. It must list the email address, and one can add a name as well.

IMAP (Internet Messaging Access Protocol)

IMAP, short for Internet Messaging Access Protocol, is an internet standard that describes a protocol for retrieving mail from an email (IMAP) server. IMAP allows email programs to access not only new messages but also folders on the server. Actions are synchronized between multiple email programs connected through IMAP.

LDAP (Lightweight Directory Access Protocol)

LDAP, short for Lightweight Directory Access Protocol, defines a means to find and edit information in white pages. Using LDAP, email, groupware, contact and other software can access and manipulate entries on a directory server.


Mailto

Mailto is an HTML tag that allows visitors to a site to click on a link that creates a new message in their default email program. It is possible to set not only a default email recipient but also default Subject and message body content.

MIME (Multipurpose Internet Mail Extensions)

MIME, short for Multipurpose Internet Mail Extensions, specifies a method to send content other than ASCII text via email. Arbitrary data is encoded as ASCII text for MIME.


Phishing

Phishing is a fraudulent practice in which private data is captured on web sites or through an email designed to look like a trusted third party. Typically, phishing (from “password fishing”) scams involve an email alerting the user to a problem with their bank or another account.


Public Key Cryptography

Public key cryptography uses a key with two parts. The public key part is used for encryption exclusively for the recipient, whose private key part is applied for decryption. For public key cryptography to be safe, it is important that only the intended recipient knows the private part of the key.

RFC (Request for Comments)

Request for Comments (RFC) is the format Internet standards are published in. RFCs relevant for email are published by the Internet Engineering Task Force (IETF) and include RFC 821 for SMTP, RFC 822, which specifies the format of Internet email messages, or RFC 1939, which lays down the PO protocol.

SMTP (Simple Mail Transfer Protocol)

SMTP, short for Simple Mail Transfer Protocol, is the protocol used for email on the Internet. It defines a message format and a procedure to route messages through the Internet from source to destination via email servers.


Spam

Spam is unsolicited email. Not all unsolicited email is spam, however. Most spam is sent in bulk to a large number of email addresses and advertises some product or, considerably less often, political viewpoint.


Spammer

A spammer is a person or entity (such as a company) that sends spam emails.


Subject

The “Subject” of an email message should be a short summary of its contents. Email programs usually display it in a mailbox display together with the sender.


Threadjacking

Threadjacking (also threadwhacking) is to steer off the original topic in an email thread, especially on a mailing list. Threadjacking can also apply to other conversations on the internet, of course, say on message boards, blogs or social networking sites. Whether the threadjacker changes the subject line to reflect the change in subject or retains the original email subject, to take over a thread can be regarded as threadjacking in either case.


To

The To: line of an email contains its primary recipient or recipients. All recipients in the To: line are visible to all other recipients, possibly by default.


Unicode

Unicode is a way to represent characters and symbols on computers and devices with support for most of the world’s writing systems (including African, Arabic, Asian and Western).

Web-based Email

Web-based email provides email accounts that are accessed through a web browser. The interface is implemented as a website that provides access to the various functions like reading, sending or organizing messages.

Attachment: An audio, video or other data file that is attached to an email message.

Autoresponder: A computer program that automatically responds with a prewritten message to anyone who sends an email message to a particular email address or uses an online feedback form.

Authentication: A term that refers to standards, such as Sender ID, SPF and DomainKeys/DKIM, that serve to identify that an email is really sent from the domain name and individual listed as the sender. Authentication standards are used to fight spam and spoofing.

Blacklist: A list containing email addresses or IP addresses of suspected spammers. Blacklists are sometimes used to reject incoming mail at the server level before the email reaches the recipient.

Block: An action by an Internet Service Provider to prevent email messages from being forwarded to the end recipient.

Bounces: Email messages that fail to reach their intended destination. “Hard” bounces are caused by invalid email addresses, whereas “soft” bounces are due to temporary conditions, such as overloaded inboxes.

CGI: Common Gateway Interface – A specification for transferring information between a Web server and a CGI program. CGI programs are often used for processing email subscriptions and Web forms.

Challenge-Response: An authentication method that requires a human to respond to an email challenge message before the original email that triggered the challenge is delivered to the recipient. This method is sometimes used to cut down on spam since it requires an action by a human sender.

Click-through tracking: The process of tracking how many recipients clicked on a particular link in an email message. This is commonly done to measure the success of email marketing campaigns.

CRM: Customer Relationship Management – The methodologies, software, and Internet capabilities that help a company manage customer relationships in an efficient and organized manner.

Database Management System: A database system that provides possibilities for users to connect LISTSERV® to a database back-end and, hence, send out personalized messages to customers, according to their demographic information and preferences.

DNS: Domain Name Server (or system) – An Internet service that translates domain names into IP addresses.

Domain name: A name that identifies one or more IP addresses. Domain names always have at least two parts that are separated by dots (for instance The part on the left is the second-level domain (more specific), while the part on the right is the top-level domain (more general).

Email harvesting: The disreputable and often illegal practice of using an automated program to scan Web pages and collect email addresses for use by spammers.

False positive: A legitimate email message that is mistakenly rejected or filtered by a spam filter.

FTP: File Transfer Protocol – Used for uploading or downloading files to and from remote computer systems on a network using TCP/IP, such as the Internet.

Gateway: This is a hardware or software set-up that functions as a translator between two dissimilar protocols. A gateway can also be the term to describe any mechanism providing access to another system (e.g. AOL might be called a gateway to the Internet).

Host: When a server acts as a host it means that other computers on the network do not have to download the software that this server carries.

IMAP: Internet Message Access Protocol – A protocol used to retrieve email messages. Most email clients use either the IMAP or the POP protocol.

Intranet: Contrary to the public Internet, an intranet is a private network inside a company or organization.

IP address: An IP (Internet Protocol) address is a unique identifier for a computer on the Internet. It is written as four numbers separated by periods. Each number can range from 0 to 255. Before connecting to a computer over the Internet, a Domain Name Server translates the domain name into its corresponding IP address.

LAN: Local Area Network, which is a computer network, although geographically limited, usually to the same building, office, etc.

Mail-merge: A process that enables the delivery of personalized messages to large numbers of recipients. This is usually achieved using email list management software working in conjunction with a database.

Plain text: Text in an email message that contains no formatting elements.

POP: Post Office Protocol – A protocol used to retrieve email from a mail server. Most email clients use either the POP or the newer IMAP protocol.

Privacy: A major concern of Internet users that largely involves the sharing of personally identifiable information, which includes name, birth date, Social Security number and financial data, for example.

Protocol: The set of formal rules that describe how to transmit data, especially across a network of computers.

Reverse DNS Lookup: A Reverse DNS Lookup is the process of looking up and translating an IP address into a domain name. This can be compared to a Forward DNS Lookup, which is the process of looking up and translating a domain name into its corresponding IP address.

Router (Routing System): The role of a router can be described as a bridge between two or more networks. The function of the router is to look at the destination addresses of the packets passing through it, and thereafter decide which route to send these packets on.

Scalability: The ability of a software program to continue to function smoothly as additional volume or work is required of it.

Server: A program that acts as a central information source and provides services to programs in the same or other computers. The term can either refer to a particular piece of software, such as a WWW server, or to the machine on which the software is running.

Sniffing: A method of determining whether email recipients are capable of receiving HTML-formatted messages. This procedure is not recommended as it is flawed and may result in inaccurate findings.

Spam: (Also known as unsolicited commercial email) – Unwanted, unsolicited junk email sent to a large number of recipients.

Spoofing: The disreputable and often illegal act of falsifying the sender email address to make it appear as if an email message came from somewhere else.

Tracking: In an email marketing campaign, measuring behavioral activities such as click-through and open-ups.

URL: Uniform Resource Locator – The address of a file or Web page accessible on the Internet (for example,

User Interface: A set of controls such as buttons, commands and other devices that allow a user to operate a computer program.

Virus: A program, macro or fragment of code that causes damage and can be quickly spread through Web sites or email.


Whitelist: A list of pre-authorized email addresses from which email messages can be delivered regardless of spam filters.

Worm: Malicious code that is often spread through an executable attachment in an email message.

XML: Extensible Markup Language – A flexible way to create standard information formats and share both the format and the data on the World Wide Web.

IMAP (Internet Message Access Protocol)

It is a method of accessing bulletin board messages or emails residing on a mail server, making them visible and acting as if they were stored locally.

SMTP (Simple Mail Transfer Protocol)

It receives outgoing mail from clients and validates the source and destination; it also sends and receives emails to and from other SMTP servers.

HTTP (Hypertext Transfer Protocol)

It is used in webmail, and the message resides on the webmail servers

POP3 (Post Office Protocol 3)

Standard protocol for receiving email that deletes mail on the server as soon as the user downloads it. The standard port for POP3 is 110.

CC (Carbon Copy)

Field in the email header that directs a copy of the message to another recipient mail ID


The method of sending binary (non-text) files with e-mails. Common encoding options include BinHex, MIME, Uuencode, etc.


An E-mail message is composed of three parts:

  • Header

Email header contains information about the email origin such as the address from where it came, the routing, time of the message, and the subject line

Some of the header information that is usually important to a technician is kept hidden by the email software

  • Body

Body contains the actual message

  • Signature

Used by the sender to provide information to the recipient about the sender. Email programs can be set to enter this line automatically on all the emails sent.


Let’s review the common e-mail reading interfaces and where you can see the e-mail headers in them:

  • Gmail – When you open an e-mail message, at the top there is a link titled “Show original”. Click on it and a new browser window will appear, with the e-mail header at the top.
  • Yahoo Mail – When you open an e-mail message, at the bottom there is a link titled “Full Headers”. Click on it and the window will re-render, showing a very nice presentation of the e-mail header at the top.
  • Outlook Express (all versions) – Point to a suspect email in your inbox and right-click. On the context menu, select Properties. A new window will appear. In that window, click on the Details tab. The e-mail headers are displayed in the box titled Internet headers for this message.
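Once the full headers have been copied out of the mail client, the origin address, routing and time described above can be read programmatically. The following is an added example, not part of the original glossary: it uses Python's standard `email` module on a constructed message (all hosts, addresses and IDs are made up) and lists the `Received` hops oldest first.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (reserved example domains, documentation IP ranges).
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.7])
\tby inbox.example.org with ESMTP id ABC123;
\tMon, 06 Jan 2020 10:15:32 +0000
Received: from workstation.example.com (unknown [203.0.113.25])
\tby mx.example.net with ESMTP id XYZ789;
\tMon, 06 Jan 2020 10:15:30 +0000
From: Alice Sender <alice@example.com>
To: bob@example.org
Cc: carol@example.org
Subject: Quarterly report
Date: Mon, 06 Jan 2020 10:15:29 +0000

Body text.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)

def parse_date(text):
    """Return a datetime for an RFC 5322 date string, or None if unparsable."""
    try:
        return parsedate_to_datetime((text or "").strip())
    except (TypeError, ValueError):
        return None

def parse_received(value):
    """Split one Received header into sending host, receiving host and time."""
    m = HOP_RE.search(value)
    stamp = value.rpartition(";")[2]  # the timestamp follows the last ';'
    return {"from": m.group(1) if m else None,
            "by": m.group(2) if m else None,
            "time": parse_date(stamp)}

def summarize_headers(raw):
    msg = message_from_string(raw)
    # Each server prepends its Received line, so reverse for oldest-first.
    # Only lines added by servers you trust are reliable; earlier ones are
    # supplied by the sending side and can be falsified.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    times = [h["time"] for h in hops if h["time"]]
    transit = (times[-1] - times[0]).total_seconds() if len(times) > 1 else None
    return {"from": parseaddr(msg.get("From", ""))[1],
            "cc": parseaddr(msg.get("Cc", ""))[1],
            "subject": msg.get("Subject"),
            "date": parse_date(msg.get("Date")),
            "hops": hops,
            "transit_seconds": transit}

if __name__ == "__main__":
    for hop in summarize_headers(RAW_MESSAGE)["hops"]:
        print(hop["time"], hop["from"], "->", hop["by"])
```
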

For other clients:


References: Burgessforensic, Lifewire, ediscoveryinc


The term address is used in several ways.


  • An Internet address or Internet Protocol (IP) address is a unique computer (host) location on the Internet.
  • A Web page address is expressed as the defining directory path to the file on a particular server.
  • A Web page address is also called a Uniform Resource Locator, or URL.
  • An e-mail address is the location of an e-mail user (expressed by the user’s e-mail name followed by an “at” sign (@) followed by the user’s server domain name).


A copy is taken of information held on a computer in case something goes wrong with the original copy.


Basic Input Output System. A program stored on the motherboard that controls the interaction between the various components of the computer.


To start a computer, more frequently used as “re-boot”.


Refers to a disk that contains the files needed to start an operating system.


A high bandwidth internet connection e.g. ADSL or cable.


A BBS is like an electronic corkboard. It is a computer system equipped for network access that serves as an information and message-passing centre for remote users. BBSs are generally focused on special interests, such as science fiction, movies, Windows software, or Macintosh systems. Some are free, some are fee-based access and some are a combination.


In most computer systems, a byte is a unit of data consisting of 8 bits. A byte can represent a single character, such as a letter, a digit, or a punctuation mark.


Compact Disk – Recordable. A disk to which data can be written but not erased.


Compact Disk – Read Only Memory or Media. In computers, CD-ROM technology is a format and system for recording, storing, and retrieving electronic information on a compact disk that is read using laser optics rather than magnetic means.


Compact Disk – Rewritable. A disk to which data can be written and erased.


Complementary Metal-Oxide Semi-Conductor. It commonly holds the BIOS preference of the computer through power off with the aid of a battery.


Central Processing Unit. The most powerful chip in the computer. Located on a computer, it is the “brain” that performs all arithmetic, logic and control functions.


Cyclic Redundancy Check. A common technique for detecting data transmission errors.


The process of securing private information that is sent through public networks, by encrypting it in a way that makes it unreadable to anyone except the person or persons holding the mathematical key/knowledge to decrypt the information.


A structured collection of data that can be accessed in many ways. Common database programs are Dbase, Paradox, Access. Uses: various including – address links, invoicing information, etc.


If a subject knows there are incriminating files on the computer, he or she may delete them in an effort to eliminate evidence. Many computer users think that this actually eliminates the information. However, depending on how the files are deleted, in many instances, a forensic examiner is able to recover all or part of the original data.


Denial of Service attacks are attempts to make a computer resource unavailable to its intended users, e.g. a web site is flooded with requests, which ties up the system and denies access to legitimate users.


Use of cryptography to provide authentication of the associated input or message.


A portion of memory set aside for temporarily holding information read from a disk.


A term for a small external hardware device that connects to a computer to authenticate a piece of software; e.g. proof that a computer actually has a license for the software being used.


Digital Versatile Disk. Similar in appearance to a compact disk, but can store larger amounts of data.


The process of scrambling, or encoding, information in an effort to guarantee that only the intended recipient can read the information.


File clusters that are not currently used for the storage of ‘live’ files, but which may contain data which has been ‘deleted’ by the operating system. In such cases, whole or part files may be recoverable unless the user has used specialist disk cleaning software.


1 Gigabyte = 1024 Megabytes. A gigabyte is a measure of memory capacity and is roughly one thousand megabytes or a billion bytes. It is pronounced Gig-a-bite (with hard Gs).


Persons who are experts with computer systems and software and enjoy pushing the limits of software or hardware. To the public and the media, they can be good or bad. Some hackers come up with good ideas this way and share their ideas with others to make computing more efficient. However, some hackers intentionally use their expertise for malicious purposes, (e.g. to circumvent security and commit computer crimes) and are known as ‘black hat’ hackers. Also, see Cracker.


The hard disk is usually inside the PC. It stores information in the same way as floppy disks but can hold far more of it.


The physical parts of a computer. If it can be picked up it is hardware as opposed to software.


For the purpose of this document, a host machine is one which is used to accept a target hard drive for the purpose of forensically processing.


A central connection for all the computers in a network, which is usually Ethernet-based. Information sent to the hub can flow to any other computer on the network.


Imaging is the process used to obtain all of the data present on storage media (e.g. a hard disk), whether it is active data or data in free space, in such a way as to allow it to be examined as if it were the original data.


International Mobile Equipment Identifier. A unique 15-digit number that serves as the serial number of a GSM handset.


International Mobile Subscriber Identity. A globally unique code number that identifies a Global System for Mobiles (GSM) handset subscriber to the network.


A virtual meeting place where people from all over the world can meet and talk about a diversity of human interests, ideas and issues. Participants are able to take part in group discussions on one of the many thousands of IRC channels, or just talk in private to family or friends, wherever they are in the world.


Internet Service Provider. A company that sells access to the Internet via telephone or cable line to your home or office. This will normally be free – where the user pays for the telephone charge of a local call – or by subscription – where a set monthly fee is paid and the calls are either free or at a minimal cost.


An operating system popular with enthusiasts and used by some businesses.


lnk (sometimes written LNK in the text) is short for link. Microsoft Windows makes extensive use of shortcut or lnk files, so called because they use that extension (.lnk). Most of the icons on the Windows desktop and most of the items that cascade from the start menu are lnk files. These include the documents item, which lists recently opened document-type files. lnk files can be forensically analyzed.


A virus attached to instructions (called macros) which are executed automatically when a document is opened.


A disk, tape, cartridge, diskette or cassette that is used to store data magnetically.


An algorithm created in 1991 by Professor Ronald Rivest that is used to create digital fingerprints of storage media, such as a computer hard drive. When this algorithm is applied to a hard drive, it creates a unique value. Changing the data on the disk in any way will change the MD5 value.


Often used as a shorter synonym for random access memory (RAM). Memory is the electronic holding place for instructions and data that a computer’s microprocessor can reach quickly. RAM is located on one or more microchips installed in a computer.


Modulator / Demodulator. A device that connects a computer to a data transmission line (typically a telephone line). Most people use modems that transfer data at speeds ranging from 1200 bits per second (bps) to 56 Kbps. There are also modems providing higher speeds and supporting other media. These are used for special purposes – for example, to connect a large local network to its network provider over a leased line.


A device on which the computer displays information.


This software is usually loaded into the computer memory upon switching the machine on and is a prerequisite for the operation of any other software. Examples include the Microsoft Windows family of operating systems (including 3.x, NT, 2000, XP and Vista) and UNIX operating systems and their variants like Linux, HP-UX, Solaris and Apple’s Mac OSX and BSD.


A high capacity removable hard disk system. ORB drives use magnetoresistive (MR) read/write head technology.


A word, phrase or combination of keystrokes used as a security measure to limit access to computers or software.


Similar in size to credit cards, but thicker. These cards are inserted into slots in a Laptop or Palmtop computer and provide many functions not normally available to the machine (modems, adapters, hard disks, etc.)


A term commonly used to describe IBM & compatible computers. The term can describe any computer useable by one person at a time.

PERSONAL ORGANISER or Personal Digital Assistant

(PDA) These are pocket-sized machines usually holding phone and address lists and diaries. They often also contain other information. Modern PDAs take many forms and may best be described as a convergent device capable of carrying out the functions of a multitude of devices.


The word port has three meanings:

Where information goes into or out of a computer, e.g. the serial port on a personal computer is where a modem would be connected.

In the TCP and UDP protocols used in computer networking, a port is a number present in the header of a data packet. Ports are typically used to map data to a particular process running on a computer. For example, port 25 is commonly associated with SMTP, port 80 with HTTP and port 443 with HTTPS.

It also refers to translating a piece of software to bring it from one type of computer system to another, e.g. to translate a Windows programme so that it will run on a Macintosh.


Personal Unblock Key. PUK is the code to unlock a GSM SIM card that has disabled itself after an incorrect PIN was entered three times in a row.


To search or ask. In particular, to request information in a search engine, index directory or database.


Random Access Memory is a computer’s short-term memory. It provides working space for the PC to work with data at high speeds. Information stored in the RAM is lost when the PC is turned off (‘volatile data’).


Items e.g. floppy disks, CDs, DVDs, cartridges, tapes that store data and can be easily removed.


Small-sized data storage media which are more commonly found in other digital devices such as cameras, PDAs (Personal Digital Assistants) and music players. They can also be used for the storage of normal data files, which can be accessed and written to by computers.

There are a number of these including –

  • Smartmedia Card
  • SD Expansion Card
  • Ultra-Compact Flash
  • Compact Flash
  • Multimedia Card
  • Memory Stick

The cards are non-volatile – they retain their data when power to their device is stopped – and they can be exchanged between devices.


Subscriber Identity Module. A Smart Card which is inserted into a cellular phone, identifying the user account to the network and providing storage for data.


The area of disk between the end of live data, and the end of its allocated area on disk. A common form of Slack Space is found between the end of a live file and the end of its allocated disk cluster; this is more specifically referred to as ‘File Slack’ or ‘Cluster Slack’.


Typically a small, flat box with 4 to 8 Ethernet ports. These ports can connect to computers, cable or DSL modems, between specific systems on the network as opposed to broadcasting information to all networked connections.


A computer program that hides or disguises another program. The victim starts what he or she thinks is a safe program and instead willingly accepts something also designed to do harm to the system on which it runs.


A very popular operating system. Used mainly on larger, multi-user systems.


Small storage devices accessed using a computer’s USB ports, can be easily removed, transported – and concealed. They are worn around the neck on a lanyard. They now come in many watch or a Swiss Army knife


A ‘third party’ storage facility on the internet, enabling data to be stored and retrieved from any browser. Examples include Xdrive and


Operating system marketed by Microsoft. In use on desktop PCs, the system automatically loads into the computer’s memory in the act of switching the computer on. MS-DOS, Windows, Windows 3.0, Windows 95, Windows 98, Office XP, Windows XP, Windows NT, Windows Vista and Windows Server are registered trademarks of Microsoft Corporation.


An expansion card present in a computer that allows cordless connection between that computer and other devices on a computer network. This replaces the traditional network cables. The card communicates by radio signals to other devices present on the network.

Disclaimer: This does not constitute a legal opinion and would not create an Attorney-Client relationship. This article is only for information and awareness purpose and merely a possible interpretation of the law.

