Digital Forensics Tools and Techniques
Expert-defined terms from the Certificate in AI for Digital Forensics course at London School of International Business. Free to read, free to share, paired with a globally recognised certification pathway.
Access Control List (ACL) refers to a list of rules used to filter traffic on a… #
Related terms include discretionary access control and mandatory access control. In digital forensics, ACLs are analyzed to determine the level of access a user had to a system or resource, which can help investigators understand the scope of a security breach. For example, an investigator may analyze an ACL to determine if a user had read or write access to a sensitive file.
Active scanning is a technique used in digital forensics to detect and an… #
This involves using tools to scan a network or system for open ports, running services, and other signs of activity. Related terms include passive scanning and network discovery. Active scanning is used to identify potential security threats and to gather information about a system or network.
Address Resolution Protocol (ARP) is a protocol used to resolve IP addresses to… #
In digital forensics, ARP is used to analyze network traffic and identify the source and destination of packets. Related terms include IP address and MAC address. For example, an investigator may use ARP to identify the IP address of a device that sent a malicious packet.
Algorithm refers to a set of instructions used to solve a specific problem or pe… #
In digital forensics, algorithms are used to analyze data, identify patterns, and detect anomalies. Related terms include machine learning and data mining. For example, an investigator may use an algorithm to analyze a large dataset of network traffic to identify potential security threats.
Artificial Intelligence (AI) refers to the use of computer systems to perform ta… #
In digital forensics, AI is used to analyze data, identify patterns, and detect anomalies. Related terms include machine learning and deep learning. For example, an investigator may use AI to analyze a large dataset of network traffic to identify potential security threats.
Authentication refers to the process of verifying the identity of a user or devi… #
In digital forensics, authentication is used to analyze login attempts, access controls, and other security measures. Related terms include authorization and identification. For example, an investigator may analyze authentication logs to determine if a user's account was compromised.
Authorization refers to the process of granting access to resources based on use… #
In digital forensics, authorization is used to analyze access controls, permissions, and other security measures. Related terms include authentication and access control. For example, an investigator may analyze authorization logs to determine if a user had access to a sensitive file.
Automated analysis refers to the use of computer systems to analyze data… #
In digital forensics, automated analysis is used to analyze large datasets of network traffic, system logs, and other data. Related terms include machine learning and data mining. For example, an investigator may use automated analysis to identify potential security threats in a large dataset of network traffic.
Binary analysis refers to the process of analyzing binary code to underst… #
In digital forensics, binary analysis is used to analyze malware, identify vulnerabilities, and understand system behavior. Related terms include reverse engineering and code review. For example, an investigator may use binary analysis to understand how a piece of malware works.
Botnet refers to a network of compromised devices used to conduct malicious acti… #
In digital forensics, botnets are analyzed to understand their command and control structure, identify the source of the attack, and disrupt their operations. Related terms include malware and distributed denial-of-service (DDoS) attacks. For example, an investigator may analyze a botnet to identify the IP addresses of the compromised devices.
Cache analysis refers to the process of analyzing cache memory to underst… #
In digital forensics, cache analysis is used to analyze system performance, identify malware, and understand user activity. Related terms include memory analysis and system monitoring. For example, an investigator may analyze cache memory to identify potential security threats.
Certificate Authority (CA) refers to an entity that issues digital certificates… #
In digital forensics, CAs are used to analyze digital certificates, identify potential security threats, and verify the authenticity of data. Related terms include public key infrastructure (PKI) and digital signatures. For example, an investigator may analyze a digital certificate to verify the identity of a user.
Chain of custody refers to the process of documenting the handling and st… #
In digital forensics, chain of custody is used to ensure that evidence is properly handled and stored to prevent tampering or alteration. Related terms include evidence handling and evidence storage. For example, an investigator may document the chain of custody of a piece of evidence to ensure its integrity.
Cloud computing refers to the use of remote servers and infrastructure to… #
In digital forensics, cloud computing is used to analyze cloud-based data, identify potential security threats, and understand cloud architecture. Related terms include cloud storage and cloud security. For example, an investigator may analyze cloud-based data to identify potential security threats.
Command and Control (C2) refers to the communication channel used by attackers t… #
In digital forensics, C2 is used to analyze the communication channel, identify the source of the attack, and disrupt the operations. Related terms include botnet and malware analysis. For example, an investigator may analyze the C2 channel to identify the IP addresses of the compromised devices.
Computer forensics refers to the process of analyzing computer systems an… #
In digital forensics, computer forensics is used to analyze computer systems, identify potential security threats, and understand system behavior. Related terms include digital forensics and cyber forensics. For example, an investigator may analyze a computer system to identify potential security threats.
Cookie analysis refers to the process of analyzing cookies to understand… #
In digital forensics, cookie analysis is used to analyze user activity, identify malware, and understand system behavior. Related terms include web analysis and browser forensics. For example, an investigator may analyze cookies to identify potential security threats.
Cryptography refers to the use of algorithms and protocols to secure data and pr… #
In digital forensics, cryptography is used to analyze encrypted data, identify potential security threats, and understand cryptographic protocols. Related terms include encryption and decryption. For example, an investigator may analyze encrypted data to identify potential security threats.
Cyber security refers to the practice of protecting computer systems and… #
In digital forensics, cyber security is used to analyze security measures, identify potential security threats, and understand system vulnerabilities. Related terms include information security and computer security. For example, an investigator may analyze security measures to identify potential security threats.
Data acquisition refers to the process of collecting and preserving data… #
In digital forensics, data acquisition is used to collect and analyze data, identify potential security threats, and understand system behavior. Related terms include data collection and data preservation. For example, an investigator may collect data from a computer system to analyze it for potential security threats.
Data analysis refers to the process of analyzing data to identify pattern… #
In digital forensics, data analysis is used to analyze data, identify potential security threats, and understand system behavior. Related terms include data mining and data visualization. For example, an investigator may analyze data to identify potential security threats.
Data hiding refers to the process of concealing data within a computer sy… #
In digital forensics, data hiding is used to identify hidden data, analyze steganography, and understand data concealment techniques. Related terms include steganography and data concealment. For example, an investigator may analyze a computer system to identify hidden data.
Data mining refers to the process of analyzing large datasets to identify… #
In digital forensics, data mining is used to analyze large datasets, identify potential security threats, and understand system behavior. Related terms include machine learning and data analysis. For example, an investigator may use data mining to identify potential security threats in a large dataset.
Data recovery refers to the process of recovering data from damaged, corr… #
In digital forensics, data recovery is used to recover data, analyze data loss, and understand data storage systems. Related terms include data restoration and data reconstruction. For example, an investigator may recover data from a damaged computer system to analyze it for potential security threats.
Data visualization refers to the process of presenting data in a graphica… #
In digital forensics, data visualization is used to present data, identify patterns, and understand system behavior. Related terms include data analysis and data mining. For example, an investigator may use data visualization to present data and identify potential security threats.
Database analysis refers to the process of analyzing databases to underst… #
In digital forensics, database analysis is used to analyze databases, identify potential security threats, and understand system behavior. Related terms include database forensics and data analysis. For example, an investigator may analyze a database to identify potential security threats.
Deep learning refers to a type of machine learning that uses neural netwo… #
In digital forensics, deep learning is used to analyze data, identify potential security threats, and understand system behavior. Related terms include machine learning and artificial intelligence. For example, an investigator may use deep learning to analyze a large dataset of network traffic to identify potential security threats.
Digital evidence refers to any data or information that is stored or tran… #
In digital forensics, digital evidence is used to investigate cybercrimes, analyze computer systems, and understand system behavior. Related terms include digital forensics and computer forensics. For example, an investigator may analyze digital evidence to investigate a cybercrime.
Digital forensics refers to the process of analyzing computer systems and… #
In digital forensics, digital forensics is used to analyze computer systems, identify potential security threats, and understand system behavior. Related terms include computer forensics and cyber forensics.
Digital signature refers to a cryptographic technique used to verify the… #
In digital forensics, digital signatures are used to verify the authenticity of data, analyze digital certificates, and understand cryptographic protocols. Related terms include cryptography and encryption. For example, an investigator may analyze a digital signature to verify the authenticity of data.
Disk imaging refers to the process of creating a bit #
for-bit copy of a computer's hard drive or other storage device. In digital forensics, disk imaging is used to preserve data, analyze computer systems, and understand system behavior. Related terms include data acquisition and data preservation. For example, an investigator may create a disk image of a computer's hard drive to analyze it for potential security threats.
Distributed denial #
of-service (DDoS) attack refers to a type of cyber attack that involves overwhelming a computer system or network with traffic from multiple sources. In digital forensics, DDoS attacks are analyzed to understand the attack vector, identify the source of the attack, and disrupt the operations. For example, an investigator may analyze a DDoS attack to identify the IP addresses of the compromised devices.
Domain Name System (DNS) refers to a protocol used to resolve domain names to IP… #
In digital forensics, DNS is used to analyze network traffic, identify potential security threats, and understand system behavior. Related terms include IP address and domain name. For example, an investigator may analyze DNS traffic to identify potential security threats.
Email analysis refers to the process of analyzing email messages and head… #
In digital forensics, email analysis is used to analyze email messages, identify potential security threats, and understand system behavior. Related terms include email forensics and network analysis. For example, an investigator may analyze email messages to identify potential security threats.
Encryption refers to the process of converting plaintext data into ciphertext to… #
In digital forensics, encryption is used to analyze encrypted data, identify potential security threats, and understand cryptographic protocols. Related terms include cryptography and decryption.
Error analysis refers to the process of analyzing error messages and logs… #
In digital forensics, error analysis is used to analyze error messages, identify potential security threats, and understand system behavior. Related terms include system monitoring and system logging. For example, an investigator may analyze error messages to identify potential security threats.
File analysis refers to the process of analyzing files and file systems t… #
In digital forensics, file analysis is used to analyze files, identify potential security threats, and understand system behavior. Related terms include file forensics and data analysis. For example, an investigator may analyze a file to identify potential security threats.
File carving refers to the process of extracting files from a disk image… #
In digital forensics, file carving is used to recover deleted files, analyze file systems, and understand data storage systems. Related terms include data recovery and data restoration. For example, an investigator may use file carving to recover deleted files from a disk image.
File system analysis refers to the process of analyzing file systems to u… #
In digital forensics, file system analysis is used to analyze file systems, identify potential security threats, and understand system behavior. For example, an investigator may analyze a file system to identify potential security threats.
Firewall analysis refers to the process of analyzing firewall logs and co… #
In digital forensics, firewall analysis is used to analyze firewall logs, identify potential security threats, and understand system behavior. Related terms include network analysis and system security. For example, an investigator may analyze firewall logs to identify potential security threats.
Forensic analysis refers to the process of analyzing data and systems to… #
In digital forensics, forensic analysis is used to analyze data, identify potential security threats, and understand system behavior. Related terms include digital forensics and computer forensics. For example, an investigator may analyze data to investigate a cybercrime.
Hash analysis refers to the process of analyzing hash values to verify th… #
In digital forensics, hash analysis is used to verify the authenticity of data, analyze digital certificates, and understand cryptographic protocols. For example, an investigator may analyze a hash value to verify the authenticity of data.
Incident response refers to the process of responding to and managing sec… #
In digital forensics, incident response is used to respond to security incidents, analyze data, and understand system behavior. Related terms include security incident response and computer forensics. For example, an investigator may respond to a security incident by analyzing data and identifying potential security threats.
Intrusion Detection System (IDS) refers to a system that monitors network traffi… #
In digital forensics, IDS is used to analyze network traffic, identify potential security threats, and understand system behavior. Related terms include intrusion prevention system and network security. For example, an investigator may analyze IDS logs to identify potential security threats.
IP address refers to a unique address assigned to a device on a network #
In digital forensics, IP addresses are used to analyze network traffic, identify potential security threats, and understand system behavior. Related terms include IP address resolution and domain name system. For example, an investigator may analyze IP addresses to identify potential security threats.
Key logging refers to the process of recording keystrokes and other user… #
In digital forensics, key logging is used to analyze user behavior, identify malware, and understand system behavior. Related terms include user monitoring and system logging. For example, an investigator may analyze key logs to identify potential security threats.
Live analysis refers to the process of analyzing a computer system or net… #
In digital forensics, live analysis is used to analyze system behavior, identify potential security threats, and understand system behavior. Related terms include real-time analysis and system monitoring. For example, an investigator may analyze a computer system in real-time to identify potential security threats.
Log analysis refers to the process of analyzing system logs and other log… #
In digital forensics, log analysis is used to analyze system logs, identify potential security threats, and understand system behavior. For example, an investigator may analyze system logs to identify potential security threats.
Malware analysis refers to the process of analyzing malware to understand… #
In digital forensics, malware analysis is used to analyze malware, identify potential security threats, and understand system behavior. Related terms include malware reverse engineering and malware forensics. For example, an investigator may analyze malware to understand its behavior.
Memory analysis refers to the process of analyzing memory dumps and other… #
In digital forensics, memory analysis is used to analyze memory dumps, identify potential security threats, and understand system behavior. Related terms include memory forensics and system analysis. For example, an investigator may analyze a memory dump to identify potential security threats.
Network analysis refers to the process of analyzing network traffic and o… #
In digital forensics, network analysis is used to analyze network traffic, identify potential security threats, and understand system behavior. Related terms include network forensics and system analysis. For example, an investigator may analyze network traffic to identify potential security threats.
Network mapping refers to the process of creating a visual representation… #
In digital forensics, network mapping is used to create a visual representation of a network, identify potential security threats, and understand system behavior. Related terms include network discovery and system mapping. For example, an investigator may create a network map to identify potential security threats.
Network protocol analysis refers to the process of analyzing network prot… #
In digital forensics, network protocol analysis is used to analyze network protocols, identify potential security threats, and understand system behavior. Related terms include network analysis and system protocol analysis. For example, an investigator may analyze network protocols to identify potential security threats.
Network scanning refers to the process of scanning a network for open por… #
In digital forensics, network scanning is used to analyze network traffic, identify potential security threats, and understand system behavior. Related terms include network discovery and system scanning. For example, an investigator may scan a network to identify open ports.
Network sniffing refers to the process of capturing and analyzing network… #
In digital forensics, network sniffing is used to capture and analyze network traffic, identify potential security threats, and understand system behavior. Related terms include network analysis and system monitoring. For example, an investigator may capture network traffic to identify potential security threats.
Network topology refers to the physical and logical arrangement of device… #
In digital forensics, network topology is used to understand system behavior, identify potential security threats, and analyze system performance. Related terms include network mapping and system topology. For example, an investigator may analyze network topology to identify potential security threats.
Password cracking refers to the process of guessing or cracking passwords… #
In digital forensics, password cracking is used to analyze password policies, identify potential security threats, and understand system security. Related terms include password analysis and system security. For example, an investigator may analyze password policies to identify potential security threats.
Penetration testing refers to the process of simulating a cyber attack on… #
In digital forensics, penetration testing is used to test system defenses, identify potential security threats, and understand system behavior. Related terms include vulnerability assessment and system testing. For example, an investigator may conduct penetration testing to identify potential security threats.
Protocol analysis refers to the process of analyzing communication protoc… #
In digital forensics, protocol analysis is used to analyze communication protocols, identify potential security threats, and understand system behavior. Related terms include network protocol analysis and system protocol analysis. For example, an investigator may analyze communication protocols to identify potential security threats.
Registry analysis refers to the process of analyzing registry keys and ot… #
In digital forensics, registry analysis is used to analyze registry keys, identify potential security threats, and understand system behavior. Related terms include registry forensics and system analysis. For example, an investigator may analyze registry keys to identify potential security threats.
Reverse engineering refers to the process of analyzing software or hardwa… #
In digital forensics, reverse engineering is used to analyze malware, identify potential security threats, and understand system behavior. Related terms include binary analysis and code review. For example, an investigator may use reverse engineering to analyze malware.
Rootkit analysis refers to the process of analyzing rootkits to understan… #
In digital forensics, rootkit analysis is used to analyze rootkits, identify potential security threats, and understand system behavior. Related terms include malware analysis and system security. For example, an investigator may analyze a rootkit to understand its behavior.
Security information and event management (SIEM) refers to the process of… #
In digital forensics, SIEM is used to collect and analyze security-related data, identify potential security threats, and understand system behavior. Related terms include security logging and system monitoring. For example, an investigator may use SIEM to collect and analyze security-related data.
Security orchestration refers to the process of automating and streamlini… #
In digital forensics, security orchestration is used to automate and streamline security-related tasks, identify potential security threats, and understand system behavior. Related terms include security automation and incident response. For example, an investigator may use security orchestration to automate security-related tasks.
Sniffer analysis refers to the process of analyzing network traffic captu… #
In digital forensics, sniffer analysis is used to analyze network traffic captures, identify potential security threats, and understand system behavior. Related terms include network sniffing and system monitoring. For example, an investigator may analyze network traffic captures to identify potential security threats.
Social engineering refers to the process of manipulating individuals into… #
In digital forensics, social engineering is used to analyze phishing attacks, identify potential security threats, and understand system behavior. Related terms include phishing and spam analysis. For example, an investigator may analyze a phishing attack to identify potential security threats.
Steganography refers to the process of concealing data within a non #
secret message, image, or other medium. In digital forensics, steganography is used to analyze digital data, identify potential security threats, and understand data hiding techniques. Related terms include data hiding and digital watermarking. For example, an investigator may analyze digital data to identify hidden messages.
System calls refer to the interactions between a program and the operatin… #
In digital forensics, system calls are used to analyze system behavior, identify potential security threats, and understand system performance. For example, an investigator may analyze system calls to identify potential security threats.
System logging refers to the process of collecting and storing system log… #
In digital forensics, system logging is used to collect and analyze system logs, identify potential security threats, and understand system behavior. Related terms include log analysis and system monitoring.
System monitoring refers to the process of monitoring system activity and… #
In digital forensics, system monitoring is used to monitor system activity, identify potential security threats, and understand system behavior. Related terms include system logging and system analysis. For example, an investigator may monitor system activity to identify potential security threats.
Threat hunting refers to the process of proactively searching for and ide… #
In digital forensics, threat hunting is used to identify potential security threats, analyze system behavior, and understand system performance. Related terms include threat intelligence and incident response. For example, an investigator may use threat hunting to identify potential security threats.
Threat intelligence refers to the process of collecting and analyzing dat… #
In digital forensics, threat intelligence is used to collect and analyze data, identify potential security threats, and understand system behavior. Related terms include threat hunting and incident response. For example, an investigator may use threat intelligence to identify potential security threats.
Trojan horse refers to a type of malware that disguises itself as legitim… #
In digital forensics, Trojan horses are analyzed to understand their behavior, identify potential security threats, and analyze system behavior. For example, an investigator may analyze a Trojan horse to understand its behavior.
Virtual machine refers to a software emulation of a physical computer #
In digital forensics, virtual machines are used to analyze system behavior, identify potential security threats, and understand system performance. Related terms include virtual ization and system emulation. For example, an investigator may use a virtual machine to analyze system behavior.
Virus analysis refers to the process of analyzing viruses to understand t… #
In digital forensics, virus analysis is used to analyze viruses, identify potential security threats, and understand system behavior. For example, an investigator may analyze a virus to understand its behavior.
Vulnerability assessment refers to the process of identifying and assessi… #
In digital forensics, vulnerability assessment is used to identify vulnerabilities, analyze system behavior, and understand system performance. Related terms include penetration testing and system security. For example, an investigator may conduct a vulnerability assessment to identify vulnerabilities.
Web analysis refers to the process of analyzing web traffic and other web #
related data to understand system behavior, identify potential security threats, and analyze system performance. In digital forensics, web analysis is used to analyze web traffic, identify potential security threats, and understand system behavior. Related terms include web forensics and system analysis. For example, an investigator may analyze web traffic to identify potential security threats.
Wireless analysis refers to the process of analyzing wireless network tra… #
In digital forensics, wireless analysis is used to analyze wireless network traffic, identify potential security threats, and understand system behavior. Related terms include wireless forensics and system analysis. For example, an investigator may analyze wireless network traffic to identify potential security threats.
Worm analysis refers to the process of analyzing worms to understand thei… #
In digital forensics, worm analysis is used to analyze worms, identify potential security threats, and understand system behavior. For example, an investigator may analyze a worm to understand its behavior.
XSS (Cross #
Site Scripting) refers to a type of cyber attack that involves injecting malicious code into a website or web application. In digital forensics, XSS is analyzed to understand the attack vector, identify the source of the attack, and disrupt the operations. Related terms include injection attack and web application security. For example, an investigator may analyze an XSS attack to identify the source of the attack.
Zero #
day exploit refers to a type of cyber attack that takes advantage of a previously unknown vulnerability in a system or application. In digital forensics, zero-day exploits are analyzed to understand the attack vector, identify the source of the attack, and disrupt the operations. Related terms include vulnerability assessment and penetration testing. For example, an investigator may analyze a zero-day exploit to identify the source of the attack.
Zip file analysis refers to the process of analyzing zip files to underst… #
In digital forensics, zip file analysis is used to analyze zip files, identify potential security threats, and understand system behavior. Related terms include file analysis and data compression. For example, an investigator may analyze a zip file to identify potential security threats.