MSAB Digital Forensics Glossary
Key Terms and Definitions
Welcome to Our Digital Forensics Glossary — A resource for clear, concise definitions of key terms used in digital forensic investigations. This glossary includes terminology used in the field of smartphone investigations, mobile data extraction, and the analysis of digital evidence from mobile devices.
As mobile phones become central to cybercrime and digital investigations, it’s essential to understand critical concepts such as IMEI, mobile data acquisition, app artifacts, and SIM card analysis. You’ll also find definitions of broader digital forensics terms like hash values, metadata, and chain of custody — all explained in a straightforward, accessible format. Whether you’re a mobile forensics specialist, law enforcement officer, cybersecurity professional, or student, this glossary offers up-to-date explanations to help you navigate the rapidly evolving field of mobile forensics.
Access Service
MSAB digital forensic experts use advanced forensically sound techniques to recover and decrypt the data from even the most challenging mobile phones to help you get to the previously unattainable intelligence and digital evidence you need to solve cases.
ACPO (Association of Chief of Police)
The ACPO Guidelines for computer-based evidence are a set of guidelines followed by forensic examiners across the globe, consisting of 4 principles. ACPO Principle 1: That no action is taken that should change data held on a digital device, including a computer or mobile phone, that may subsequently be relied upon as evidence […]
Acquisition
The process of collecting digital evidence from devices, often by creating a forensically sound copy or image.
Active Data
Information on a storage device that is readily accessible to the operating system (as opposed to deleted or hidden data).
ADB (Android Debug Bridge)
A command-line tool used to communicate with and control Android devices, commonly used in forensic extraction of data from Android phones. ADB, or Android Debug Bridge, is a versatile command-line tool that allows communication between a computer and an Android device. Developed by Google as part of the Android SDK (Software Development Kit), ADB […]
ADS (Alternate Data Streams)
ADS – A feature of the NTFS file system that allows a single file to contain multiple data streams. These secondary streams are not visible in traditional file directory listings, which means data (or even malware) can be hidden in a file’s ADS without altering the primary file content. Forensic analysts examine ADS to uncover any hidden or […]
Adware
Malicious or unwanted software that automatically displays advertisements and is often bundled with free programs.
AES (Advanced Encryption Standard)
A widely used symmetric encryption algorithm that encrypts data in fixed block sizes with a secret key.
After First Unlock (AFU)
AFU (After First Unlock) means the device is locked but has been unlocked at least once since it booted. In this state the encryption keys are already stored in RAM, which allows for a larger attack surface compared to BFU. AFU vs. BFU: In contrast to AFU, there is another term called BFU […]
Airplane Mode
Airplane mode is used by forensic practitioners to isolate a mobile device from any incoming radio signals. Forensic practitioners need to be aware that they may still need to manually deactivate Wi-Fi or Bluetooth, which may remain active when airplane mode is turned on. Airplane mode is useful if you do have access to Faraday equipment.
Allocated Space
Allocated Space is the area on a device’s memory that stores data in an organized manner and contains its operating system and user data. Logical extractions obtain data from allocated space only.
Android Backup
An Android backup refers to the copy of data from a mobile Android device that investigators can use to analyze and extract digital evidence. It is done in a forensically sound manner and communicates with the device OS to create a backup from the Android Mobile device.
Android Forensics
Android applications store data in various formats, such as SQLite databases, XML files, and SharedPreferences. Analyzing application data can provide valuable insights into user activities, communication records, and other relevant information. Android forensics is a branch of digital forensics that focuses on the acquisition, analysis, and reporting of data from Android-powered devices. As Android […]
Anti-Forensics
Techniques used by perpetrators to obstruct forensic analysis (e.g., data wiping, encryption, or altering metadata).
APFS (Apple File System)
APFS, or Apple File System, is a proprietary file system developed by Apple Inc. for macOS, iOS, iPadOS, watchOS, and tvOS devices. Introduced in 2017, APFS replaced the older HFS+ (Hierarchical File System Plus) as the default file system for Apple devices. Understanding APFS is crucial for forensic investigators dealing with iOS and other Apple […]
API (Application Programming Interface)
In the context of mobile forensics, an API (Application Programming Interface) refers to a set of protocols, routines, and tools that facilitate communication and data exchange between mobile applications and operating systems. APIs play a crucial role in enabling forensic tools to acquire data from mobile devices and applications. Uses of APIs in Mobile […]
APK (Android Package Kit)
The Android package, with the file extension .apk, is the file format used by the Android operating system and several other Android-based operating systems for the installation of mobile apps, mobile games and middleware.
Apple Account
A user account used to access all Apple services and devices, including the App Store, iCloud, iMessage, FaceTime and more. Formerly called an Apple ID. For use with iPhone, iPad, iPod, and Mac computers including iMac and MacBook Pro/Air.
APT (Advanced Persistent Threat)
A stealthy, sophisticated cyber-attack in which an unauthorized user gains prolonged access to a network, often state-sponsored.
Artifact (Digital Artifact)
Any file, metadata, or residue that is evidence of digital activity (e.g., logs, registry keys, link files).
Asymmetric Encryption
An encryption method using a pair of keys – a public key for encryption and a private key for decryption (also known as public-key encryption).
Attribution
In a forensic context, attribution is the process of linking digital evidence or actions to a specific individual or entity. Investigators use clues such as metadata, user account info, document ownership, and activity logs to “attribute” an action to an individual.
Audio File Forensics
Audio file forensics is a specialized branch of digital forensics that deals with the analysis, authentication, and enhancement of digital audio evidence. As digital audio recordings become increasingly common in legal cases and investigations, audio file forensics plays a crucial role in verifying the integrity and authenticity of these recordings. Techniques in Audio File […]
Audit Trail
A chronological record of system or user activities. Audit trails log events like logins, file access, changes, or network operations. In forensics, audit logs are analyzed to reconstruct events, verify authorized vs. unauthorized actions, and maintain accountability by showing who did what and when on a computing system. Audit logs can also be kept by […]
Autopsy
An open-source digital forensics platform (graphical interface for The Sleuth Kit) used to analyze disks, smartphones, and other data sources.