EnCase Forensic Version 6.11 User's Guide
Cyclical Redundancy Check (CRC)
The CRC is a variation of the checksum. Its
advantage is that it is order sensitive. The
strings "1234" and "4321" produce the same
checksum, but not the same CRC.
D
Device Configuration Overlay (DCO)
The Device Configuration Overlay
(sometimes called Disk Configuration
Overlay) is similar to the Host Protected
Area. It is an optional feature within the
ATA‐6 standard and is supported by most
hard disks. Like the HPA, it can also be used
to segment a portion of the hard disk drive
capacity from view by the OS or file system,
usually for diagnostic or restoration
purposes.
Disk Slack
This is the area between the end of the
volume and the end of the device.
E
EnCase® Forensic
EnCase Forensic is recognized as the
standard computer forensic software used
by more than 15,000 investigators and 40 of
the Fortune top 50 companies. EnCase
Forensic provides law enforcement,
government and corporate investigators
reliable, court‐validated technology trusted
by leading agencies worldwide since 1997.
Encryption
The process of encoding information to
make it unreadable without a key to decode
it.
EnScript® Language
A programming language and Application
Program Interface (API) that has been
designed to operate within the EnCase
environment.
Evidence File
The central component of the EnCase
methodology is the evidence file. This file
contains three basic components (header,
checksum, and data blocks) that work
together to provide a secure and self‐
checking description of the state of a
computer disk at the time of analysis.
Examiner
A general destination folder to place data
copied from the evidence folder.
Export Folder
A general destination folder to place data
copied from the evidence file.
F
FastBloc®
FastBloc is a collection of hardware write‐
blockers and one software write blocker.
File Allocation Table (FAT)
Refers to a file system used primarily in
DOS and Windows operating systems.
There are several levels designed to cope
with larger devices. FAT12 is usually used
for removable media, whereas FAT16 was
initially used on hard drives. FAT16 has a
2GB size limit, so FAT32 was introduced for
larger hard drives. FAT32 has been
superseded by the New Technology File
System (see NTFS), which is the recommended
file system for Windows 2000 and later.
Glossary of Terms
File Signature
Unique identifiers published by the
International Standards Organization and
the International Telecommunications
Union, Telecommunication Standardization
Sector (among others) to identify specific file
types.
File Slack
The area between the end of a file and the
end of the last cluster or sector used by that
file. This area is wasted storage, so file
systems using smaller clusters utilize disk
space more efficiently.
Filter Pane
The Filter pane is typically located in the
lower‐right quadrant of the four‐pane
display. It provides access to EnScript
programs, filters, conditions, and queries.
(Also see Tree Pane, View Pane, and Table
Pane.)
Font
A coordinated set of glyphs designed with
stylistic unity. A font usually comprises an
alphabet of letters, numerals, and
punctuation marks.
G
Globally Unique Identifier (GUID)
A GUID is a pseudo‐random number used
in software applications. While each
generated GUID is not guaranteed to be
unique, the total number of unique keys (2^128
or 3.4 x 10^38) is so large that the probability of
the same number being generated twice is
exceptionally small.
GREP
An acronym for search Globally for lines
matching the Regular Expression, and Print
them.
GREP is a command line utility originally
written for use with the Unix operating
system. The default behavior of GREP takes
a regular expression on the command line,
reads standard input or a list of files, and
outputs the lines containing matches for the
regular expression. The GREP
implementation in EnCase has a smaller
subset of operators than GREP used in Unix.
GUID
See Globally Unique Identifier.
H
Hash
A method used to generate a unique
identifier for the data the hash value
represents. There are several standardized
hashing algorithms. EnCase uses the 128‐bit
MD5 hashing algorithm, which has 2^128
unique values. This ensures that the chance
of finding an identical hash value using a
different data set is exceptionally small.
Hash Sets
Collections of hash values for groups of
files.
Hexadecimal
A numeral system with a radix or base of 16
usually written using the symbols 0‐9 and
A‐F or a‐f. For example, the decimal
numeral 79 whose binary representation is
01001111 can be written as 4F in
hexadecimal (4 = 0100, F = 1111).