MSAB Digital Forensics Glossary
Key Terms and Definitions
Welcome to Our Digital Forensics Glossary — A resource for clear, concise definitions of key terms used in digital forensic investigations. This glossary includes terminology used in the field of smartphone investigations, mobile data extraction, and the analysis of digital evidence from mobile devices.
As mobile phones become central to cybercrime and digital investigations, it’s essential to understand critical concepts such as IMEI, mobile data acquisition, app artifacts, and SIM card analysis. You’ll also find definitions of broader digital forensics terms like hash values, metadata, and chain of custody — all explained in a straightforward, accessible format. Whether you’re a mobile forensics specialist, law enforcement officer, cybersecurity professional, or student, this glossary offers up-to-date explanations to help you navigate the rapidly evolving field of mobile forensics.
Cache
A temporary storage area for frequently accessed data (e.g., a browser cache), which can contain forensic evidence of recent user activity.
CAID (Child Abuse Image Database)
CAID is a centralized database maintained by the UK Government and used by UK law enforcement agencies such as the NCA to help combat child sexual abuse material and online exploitation.
Call Detail Record (CDR)
Telecommunications log recording metadata about phone calls or messages (numbers, time, duration, cell tower). Used to trace communications between parties.
Call Log Analysis
Call log analysis is a crucial aspect of mobile device forensics, involving the examination of call records and associated metadata to uncover communication patterns, relationships, and timelines. In many investigations, call logs can provide valuable evidence and insights into a subject’s activities and connections. Call log analysis is a crucial aspect of mobile device […]
Capture Digital Signature
A step in the MSAB Frontline workflow that captures a digital signature from the person handling evidence, supporting chain-of-custody requirements when processing digital evidence.
Carving (Data Carving)
Recovering files or fragments of data from raw disk or memory by searching for file signatures, without relying on file system metadata. Tools such as XRY and XRY Pro can carve data while decoding datasets, even when the file signatures do not match the file type.
Case Management Tool
Tools such as MSAB Unify help to manage and process digital evidence workloads, allowing for the administration and control of evidence related to an incident.
CDMA (Code Division Multiple Access)
CDMA is a cellular network technology used for mobile communication, primarily in North America and parts of Asia. It allows multiple users to share the same frequency band by assigning unique codes to each user’s call.
CDR Mapping
XAMN supports mapping of CDRs: import templates are created and maintained so that records from a given provider can be imported in their relevant format.
Cell Phone Data Recovery
Cell phone data recovery is a critical aspect of mobile device forensics, focusing on the retrieval of deleted, hidden, or damaged data from smartphones and other mobile devices. Recovering this data can provide valuable evidence in criminal investigations, civil litigation, and corporate inquiries. Challenges in Cell Phone Data Recovery Recovering data from cell phones presents […]
Cellphone Extraction Software
Specialized forensic tools used to extract, analyze, and report data from mobile devices. These tools recover data such as call logs, messages, contacts, browser history, app data, and even deleted content. Common examples include MSAB XRY and MSAB XRY Pro for extraction and MSAB XAMN for analysis.
Cellphone Extraction Software for Law Enforcement
Why is Cell Phone Forensic Software Indispensable for Law Enforcement? This extensive glossary entry drills down into why tools such as MSAB XRY are vital for Law Enforcement. Here are the top 5 most frequently asked questions and their answers about its critical role: 1. Why do law enforcement agencies rely on cell phone forensic […]
Cellular Network Forensics
Cellular network forensics is a branch of digital forensics that focuses on investigating mobile communications and the infrastructure that supports them. This field encompasses the analysis of data from cellular networks, cell towers, and mobile devices to reconstruct events, establish timelines, and identify suspects in criminal and civil cases. Key Concepts in Cellular Network […]
Cellular Tower Dump Analysis
Cellular tower dump analysis is a forensic technique used to investigate mobile device activity within the range of specific cell towers during a given timeframe. This technique involves obtaining and examining call detail records (CDRs) and other data associated with a particular cell tower to identify mobile devices that were active in the area at […]
Chain of Custody
The chronological documentation of who handled a piece of evidence, when, and under what conditions. This is essential in ensuring that digital evidence is authentic, untampered, and admissible in court. A broken chain can disqualify key evidence. In digital forensics, the chain of custody refers to the documentation and tracking of the movement and […]
Chat Logs
Recorded message transcripts between users (from chat or messaging apps), often including timestamps. Chat logs can serve as evidence of communications.
Checksum
A computed value used to verify data integrity. If data is altered, the checksum (simple hash or CRC) will not match, indicating corruption or tampering.
Chip-Off
An advanced forensic technique where the memory chip is physically removed from a device (usually a smartphone) and read using specialized hardware. Used when software-based extraction methods fail due to encryption, hardware damage, or passcodes. It provides access to raw data but is invasive and risky, potentially damaging the chip. Chip-off forensics is an advanced […]
Clean Room
A controlled, dust-free environment for handling sensitive hardware (like opened hard drives) to prevent contamination or damage during data recovery.
CLI (Command Line Interface)
In digital forensics, the CLI (Command Line Interface) refers to the use of text-based commands to interact with operating systems, software, and forensic tools. CLI tools are widely used by forensic examiners to perform various tasks, such as data acquisition, analysis, and automation, as they offer greater control, flexibility, and efficiency compared to graphical user […]
Client & Agent
A model where a forensic agent (software component) is installed on the target system or device, and a client (usually the investigator’s interface) communicates with it to collect data, monitor activity, or perform remote extractions. This setup is common in enterprise environments and incident response scenarios.
Clone
An exact bit-by-bit copy of a digital storage device. Often used to preserve original evidence while allowing analysis on the duplicate, ensuring data integrity.
Cloud Forensics
The application of forensic techniques to data stored in cloud services. It often involves acquiring data via provider APIs or legal requests and dealing with logs and virtualized environments. Cloud forensics is a branch of digital forensics that focuses on the investigation and acquisition of evidence from cloud computing environments. With the growing adoption […]
Cloud Forensics Tools
Software solutions designed to preserve, extract, and analyze digital evidence stored on remote cloud servers (e.g., Google Drive, iCloud, Facebook, Dropbox). In the context of mobile investigations, these tools often utilize authentication tokens found on physical devices to gain legal access to cloud-stored data. The Mobile Device as the “Key” While cloud forensics tools target […]
Cluster
A group of sectors that the file system allocates to store a file. If a file’s last cluster isn’t fully filled, the leftover bytes (slack space) may contain remnants of other data.
Connection Analysis
A forensic technique used to examine relationships and communication patterns between devices and persons. It helps identify peer-to-peer communications, malware C2 connections, lateral movement, or linkages between suspects in a case. Tools such as MSAB XAMN Pro offer connection views.
Container File
A file format that packages multiple files into a single unit (e.g., ZIP, TAR, or forensic image files like E01 or XRY). Useful for organizing and transporting forensic evidence with embedded metadata.
Content Analysis
The inspection of digital files for specific content, such as keywords, hashes, or patterns. It is used in early triage, eDiscovery, and identifying contraband materials.
Cookies
Small files stored on a user’s device by web browsers, containing session data, login status, tracking info, and preferences. Cookies are valuable in forensics for reconstructing web activity, login sessions, and identifying visited websites or accounts.
Correlation
The process of linking evidence across multiple data sources—such as logs, devices, emails, and images—to construct timelines or identify behavioral patterns.
Credential Dumping
An attack technique in which user credentials (e.g., passwords, password hashes, tokens) are extracted from a system, typically to enable lateral movement or privilege escalation. Forensic investigators look for signs of it in memory dumps and system logs.
Cross-border Mobile Data Acquisition
Cross-border mobile data acquisition refers to the process of obtaining and analyzing data from mobile devices and cloud services that are located in different countries or jurisdictions. As digital evidence increasingly involves data stored on servers and devices around the world, investigators must navigate complex legal and technical challenges to acquire this data effectively. […]
Cross-Device Analysis
Cross-device analysis is a technique in mobile forensics that involves examining and correlating data from multiple devices to uncover connections, patterns, and evidence that may not be apparent when analyzing a single device in isolation. As individuals increasingly use multiple mobile devices and cloud services, cross-device analysis has become an essential tool for digital investigators. […]
Cross-platform Mobile Forensics
Cross-platform mobile forensics refers to the process of acquiring and analyzing data from mobile devices that run on different operating systems, such as Android and iOS. As digital investigations often involve multiple devices with varying platforms, investigators must be equipped with the knowledge and tools to handle cross-platform forensic challenges effectively. Challenges in Cross-platform […]
Cross-Validation
Verifying findings using multiple forensic tools or techniques to ensure accuracy and credibility of the evidence. It strengthens the integrity of the investigative results.
Crypto (Cryptocurrency and Cryptography)
Crypto is a broad term that can refer to either cryptography or cryptocurrency, both of which are highly relevant in digital forensics.
Cryptography: the science of securing information through encoding techniques such as encryption and hashing. In digital forensics, cryptography is relevant in:
• Encrypted drives and secure messaging apps (e.g., Signal, ProtonMail)
• Password-protected […]
Cryptocurrency Wallet Forensics
Cryptocurrency wallet forensics is a specialized branch of digital forensics that focuses on investigating and analyzing transactions involving digital assets, such as Bitcoin, Ethereum, and other cryptocurrencies. As the use of cryptocurrencies grows, both for legitimate purposes and illicit activities, investigators must develop skills to trace and interpret cryptocurrency transactions effectively. Types of Cryptocurrency Wallets […]
CSAM (Child Sexual Abuse Material)
CSAM refers to any visual depiction of sexually explicit conduct involving a minor. Forensics teams work to detect, report, and remove such content, often using automated tools and hash databases like CAID or Project VIC to assist in classification and victim identification.
Cybercrime
Any criminal activity involving a computer or digital network, including hacking, fraud, identity theft, online exploitation, and ransomware attacks. It is a central focus of digital forensics.