Glossary of Terms


— C —

Cache – Pronounced "cash," a cache is a special high-speed storage mechanism that can be either a reserved section of main memory or an independent high-speed storage device. Two types of caching are commonly used in personal computers: memory caching and disk caching.

A memory cache, sometimes called a cache store or RAM cache, is a portion of memory made of high-speed static RAM (SRAM) instead of the slower and cheaper dynamic RAM (DRAM) used for main memory. Memory caching is effective because most programs access the same data or instructions over and over, and by keeping as much of this information as possible in SRAM, the computer avoids accessing the slower DRAM.

Disk caching works under the same principle as memory caching, but instead of using high-speed SRAM, a disk cache uses conventional main memory. The most recently accessed data from the disk (as well as adjacent sectors) is stored in a memory buffer. When a program needs to access data from the disk, it first checks the disk cache to see if the data is there. Disk caching can dramatically improve the performance of applications, because accessing a byte of data in RAM can be thousands of times faster than accessing a byte on a hard disk.

When data is found in the cache, it is called a cache hit, and the effectiveness of a cache is judged by its hit rate. Many cache systems use a technique known as smart caching, in which the system can recognize certain types of frequently used data. The strategies for determining which information should be kept in the cache constitute some of the more interesting problems in computer science.

CD-ROM – Compact disks used to store data.

Chain of Custody – A process used to maintain and document the chronological history of electronic evidence. A chain of custody ensures that the data presented is "as originally acquired" and has not been altered prior to admission into evidence. An electronic chain of custody link should be maintained between all electronic data and its original physical media throughout the production process.

Chain of Evidence – The "sequencing" of the chain of evidence follows this order:
  1. Collection & Identification
  2. Analysis
  3. Storage
  4. Preservation
  5. Transportation
  6. Presentation in Court
  7. Return to Owner

The chain of evidence shows:

  1. Who obtained the evidence
  2. Where and when the evidence was obtained
  3. Who secured the evidence
  4. Who had control or possession of the evidence

Check Digit – One digit, usually the last, of an identifying field is a mathematical function of all of the other digits in the field. This value can be calculated from the other digits in the field and compared with the check digit to verify the validity of the whole field.

Cluster – Clusters are fixed-length blocks of bytes that store data for Microsoft operating systems. Clusters are, essentially, groups of sectors used to allocate the data storage area in all Microsoft operating systems. They range in size from one sector to 128 sectors and vary based on the size of the logical storage volume and the operating system involved.

Coding – Coding involves the process of collecting relevant information, such as the author, created date, sent date, recipient, etc. from a paper document.

Compression – A system used to reduce the size of a file so that the file utilizes less bandwidth.

Computer Evidence – Computer evidence is unique when compared to more traditional forms of documentary evidence. Unlike paper documentation, computer evidence is extremely fragile, and it occurs in the form of an identical copy of a specific document that is stored in a computer file. In addition, the legal "best evidence" rules differ for the processing of computer evidence. There is also the potential for unauthorized copies to be made of important computer files without leaving behind a trace that the copy was made.

Computer evidence is not limited to data stored in computer files; rather, most relevant computer evidence is uncovered in little-known locations. For example, on Microsoft Windows and Windows NT-based computer systems, large quantities of evidence can be found in the Windows swap files or page files. In addition, computer evidence can also be uncovered in file slack and unallocated file space.

Computer Forensics – Similar to all forms of forensic science, computer forensics is the application of the law to computer science. Computer forensics deals with the preservation, identification, extraction, and documentation of computer evidence. Like any other forensic science, computer forensics involves the use of sophisticated technological tools and procedures that must be followed to guarantee the accuracy of the preservation of evidence and the accuracy of results concerning computer evidence processing.

Computer Investigations – Computer crimes are specifically defined by federal and/or state statutes. Computer documentary evidence utilized during a computer investigation may include computer data stored on floppy diskettes, zip disks, CDs and computer hard disk drives. The evidence necessary to prove computer-related crimes can potentially be located on one or more computer hard disk drives in various geographic locations. This evidence can reside on computer storage media as bytes of data in the form of computer files and ambient data. Ambient data is usually unknown to most computer users and is therefore often very useful to computer forensics investigators.

Computer investigations rely upon evidence stored as data and the timeline of dates and times that files were created, modified, and/or last accessed by a computer user. Timelines of activities can be essential when multiple computers and individuals are involved in the commission of a crime. In addition, computer investigations generally involve the review of Internet log files to determine Internet account abuses and analysis of the Windows swap file. Using computer forensics procedures, processes, and tools, computer forensics investigators can identify passwords, network logons, Internet activity, and fragments of email messages that were dumped from computer memory during past Windows work sessions.

Cookies – Text files that hold information on the times and dates a user has visited websites. Other information can also be saved to your hard drive in these text files, including information about online purchases, validation information about the user for "Members Only" websites, etc.

 
