Glossary
Digital forensics glossary.
Plain-English definitions of the terms that come up in Canadian forensic engagements and court reports.

A
- Acquisition: Forensic acquisition is the process of creating a defensible bit-for-bit copy of digital evidence for examination, with hash verification and chain of custody documented at each step.
- Active Data: Active data is the data currently visible to the user through normal operating system access, as opposed to deleted files, slack space, unallocated space, or system-protected artifacts.
- Anton Piller Order: An Anton Piller order is an extraordinary civil search order from a Canadian court permitting a plaintiff to enter a defendant's premises without notice to preserve evidence that might otherwise be destroyed.
C
- Cellebrite UFED: Cellebrite UFED (Universal Forensic Extraction Device) is a hardware and software platform for forensic acquisition of mobile devices, used by law enforcement, government, and private forensic firms across the world.
- Chain of Custody: Chain of custody is the documented record of every person who handled an evidence item, every transfer between custodians, and every change in storage location, from intake through analysis to archive or release.
- Chip-Off Forensics: Chip-off forensics is the technique of physically desoldering the memory chip (eMMC, eMCP, or NAND) from a device's logic board and reading the raw flash directly with a specialized programmer.
- Cloud Forensics: Cloud forensics is the practice of collecting, preserving, and analysing digital evidence from cloud platforms (Microsoft 365, Google Workspace, AWS, Slack, Teams, Salesforce, and others) for litigation, investigation, or regulatory purposes.
- Computer Forensics: Computer forensics is the systematic examination of laptops, desktops, and servers to recover, preserve, and analyse digital evidence to a court-admissible standard.
- Cryptographic Hash: A cryptographic hash is a fixed-length value computed from a file, an image, or any other input, designed so that any change to the input produces a different output.
D
- Deleted File Recovery: Deleted file recovery is the process of reconstructing files that have been removed from the visible file system, using forensic examination of file system metadata, unallocated space, and residual artifacts.
- Digital Evidence: Digital evidence is information stored, processed, or transmitted in binary form that may be used to support a fact at issue in a legal or investigative matter.
E
- EDRM: EDRM stands for Electronic Discovery Reference Model, a published workflow framework that describes the standard stages of an e-discovery engagement from information governance through final production.
- EnCase: EnCase is a computer forensics software platform owned by OpenText, used for forensic acquisition, analysis, and reporting since the late 1990s. It is one of the most widely court-recognized forensic tools.
- ESI: ESI stands for Electronically Stored Information and is the umbrella term used in litigation for any digital data subject to preservation, collection, or production in discovery.
- Expert Witness: An expert witness is a person qualified by a court to give opinion evidence on a topic beyond the ordinary experience of the trier of fact, owing a duty to assist the court that overrides any duty to the retaining party.
F
- Faraday Bag: A Faraday bag is a shielded enclosure that blocks cellular, Wi-Fi, Bluetooth, GPS, and other radio signals to a contained device, preventing remote access, remote wipe, and post-acquisition contamination.
- Forensic Image: A forensic image is a bit-for-bit copy of a storage device that captures every byte, including active files, deleted content, slack space, and unallocated space, with hash verification.
I
- Incident Response: Incident response is the structured process of detecting, containing, eradicating, and recovering from a cybersecurity incident, frequently paired with forensic investigation to produce a defensible record of what happened.
- ISP Forensics: ISP stands for In-System Programming. In mobile forensics, ISP refers to the technique of acquiring a forensic image from a device through the eMMC test points on its printed circuit board, without removing the memory chip.
M
- Magnet AXIOM: Magnet AXIOM is a digital forensics platform produced by Magnet Forensics in Waterloo, Ontario, used for cross-device acquisition and analysis covering computer, mobile, and cloud sources.
- Memory Forensics: Memory forensics is the analysis of a computer's volatile memory (RAM) to recover running processes, network connections, decrypted content, and other artifacts that exist only while the system is powered on.
- Mobile Forensics: Mobile forensics is the systematic acquisition and analysis of evidence from smartphones and tablets, covering iOS, Android, and other mobile platforms.
S
- Sedona Canada Principles: The Sedona Canada Principles are the leading Canadian guide to e-discovery practice, published by the Sedona Conference Canada Working Group, now in their 3rd edition.
- Slack Space: Slack space is the unused portion of a disk cluster after a file's content ends. Because file systems allocate clusters in fixed sizes, the leftover bytes often contain residual data from previously deleted files.
W
- White Burgess Standard: The White Burgess standard is the Supreme Court of Canada framework, confirmed in *White Burgess Langille Inman v. Abbott and Haliburton Co.*, 2015 SCC 23, holding that an expert witness's duty to the court overrides any duty to the retaining party.
- Write Blocker: A write blocker is a hardware or software device that prevents any write operation to a source storage device during forensic acquisition, ensuring the original evidence is not altered.
