Glossary
Acquisition – the act of duplicating some form of digital media in order to examine it without damaging or disrupting the original.
Android – open-source operating system for modern smartphones.
eDiscovery – short for electronic discovery. Refers to the discovery process during litigation, specifically relating to the exchange of information in electronic format.
Encryption – the conversion of plaintext into obscured code, which can only be deciphered with the proper key.
Hashing – taking a digital fingerprint of a file. Essentially, hashing runs the contents of a file through an algorithm to create a unique set of numbers. Comparing hash values makes it easier to discover files that are exact duplicates. Common algorithms used to create hash values are MD5 and SHA-1.
Image – created during the acquisition process, an image is the resulting file, which should be an exact duplicate of the suspect media. An image can be a logical image, which is often used during a targeted collection, or a physical image, in which an entire piece of media is acquired.
Unallocated space – clusters on a hard drive not currently being used to store data. Unallocated space can contain important evidence if data was previously stored there and not securely deleted.
Verification – confirmation that an image was captured successfully, typically performed with a hash function. First, a hash value of the suspect media is calculated, then it is compared to a hash value calculated from the acquired image.
Write-blocker – piece of hardware (or software) that ensures a device used to acquire an image cannot write to the suspect media, since any such write could potentially spoil the data.