EDRM Collection Standards Glossary

Glossaries | EDRM Glossary | Collection Standards Glossary | Collection Standards Glossary index | Submit a Definition

The EDRM Collection Standards Glossary is a glossary of terms defined as part of the EDRM Collection Standards.

.E01 file

".E01" is a legacy EnCase evidence file format. An ".E01" file is a byte-for-byte representation of a physical device or a logical volume. 1

.Ex01 file

".Ex01" is the current EnCase evidence file format. An ".Ex01" file is a byte-for-byte representation of a physical device or a logical volume. It has LZ compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing, SHA-1 hashing, or both. 2

Bitstream image

  • A sector-by-sector, bit-by-bit copy of a physical hard drive or a logical drive.
  • See Bitstream copy: Bit stream backup (also referred to as mirror image backup) involves the backup of all areas of a computer hard disk drive or another type of storage media. Such a backup exactly replicates all sectors on a given storage device. Thus, all files and ambient data storage areas are copied. Bit stream backups - sometimes also referred to as "evidence grade" backups - differ substantially from traditional computer file backups and network server backups. 3

Certified forensic examiner

A person holding one of a number of commonly recognized certifications in the field. Due to a lack of industry wide certifications it is critical to research the certifications and any requirements within your state or jurisdiction.

Clean install

A clean install is a software installation in which any previous version is eradicated. The alternative to a clean install is an upgrade, in which elements of a previous version remain. 4


To copy a piece of data to a temporary location and then make a new copy of the object in a new location. This is usually done by clicking the right mouse button while holding the mouse cursor over the relevant file and then clicking “copy” from the menu that appears. The mouse pointer is then moved to the destination location, a right mouse click brings up the same function menu and “paste” is selected to copy the file(s) to the new location.

Database administrator

A database administrator (short form DBA) is a person responsible for the installation, configuration, upgrade, administration, monitoring and maintenance of databases in an organization. 5


Microsoft Outlook Express stores your messages in a folder that contains several different .dbx files. These files (folders.dbx, inbox.dbx, outbox.dbx) contain all your messages. 6

dd file

A "dd" file is a raw image file created using the dd forensic imaging tool, a command line program that uses command line arguments to control the imaging process. 7


A common way to move or copy a file or folder is to highlight it and literally “drag” a copied version of it to another location. First the mouse would be used to highlight the file. Then while holding down the left mouse button, the name of the file would be dragged to a new location. In the background, the operating system creates a new copy and places it in the new location. For example, you can drag a file to the Recycle Bin to delete the file, or to a folder to copy or move it to that location.


EML is a file extension for an e-mail message saved to a file in the MIME RFC 822 standard format by Microsoft Outlook Express as well as some other email programs. 8

Forensically sound procedures

Procedures used for acquiring electronic information in a manner that ensures it is “as originally discovered” and is reliable enough to be admitted into evidence. Such procedures are defined in part by the US Department of Justice publication “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,” http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm. 9 10

Graphical user interface

Abbreviated GUI (pronounced GOO-ee). A program interface that takes advantage of the computer's graphics capabilities to make the program easier to use. Well-designed graphical user interfaces can free the user from learning complex command languages. 11

Live machine

A computer that is powered up and actively logged in.

Logical evidence file

With a logical evidence file, you can selectively choose which files or folders you want to preserve, instead of acquiring the entire drive. Unlike copying files from a device and altering critical metadata, logical evidence files preserve the original files as they existed on the media and include additional information such as file name, file extension, last accessed, file created, last written, entry modified, logical size, physical size, MD5 hash value, permissions, starting extent, and original path of the file.

Logical target

When forensic imaging process targets a logical portion of the media such as the C:\ drive or other logical volume or partition.


mbox is a common format for storing email messages. An mbox is a single file containing zero or more email messages. 12


The term metadata refers to "data about data". The term is ambiguous, as it is used for two fundamentally different concepts (types). Structural metadata is about the design and specification of data structures and is more properly called "data about the containers of data"; descriptive metadata, on the other hand, is about individual instances of application data, the data content. In this case, a useful description would be "data about data content" or "content about content" thus metacontent. 13


Acronym for disk operating system. The term DOS can refer to any operating system, but it is most often used as a shorthand for MS-DOS (Microsoft disk operating system). Originally developed by Microsoft for IBM, MS-DOS was the standard operating system for IBM-compatible personal computers. 14


The Microsoft Outlook Item (.msg) File Format is used to format a Message object, such as an e-mail message, an appointment, a contact, a task, and so on, for storage in the file system. 15


Databases in IBM Notes, formerly Lotus Notes, are Notes Storage Facility (.nsf) files, containing basic units of storage known as a "note". 16

Physical target

When the forensic imaging process targets the entire physical drive or data storage media.


There are two types of Outlook Data Files used by Outlook. An Outlook Data File (.pst) is used for most accounts.... Outlook Data Files (.pst) are used for POP3, IMAP, and web-based mail accounts. When you want to create archives or back up your Outlook folders and items on your computer, such as Exchange accounts, you must create and use additional .pst files.... A Personal Folders file (.pst) is an Outlook data file that stores your messages and other items on your computer. This is the most common file in which information in Outlook is saved by home users or in small organizations.... 17

RAW image file

A RAW image file is a bit-by-bit copy of data on a disk or volume, without additions, deletions, or metadata. Originally used by dd, the RAW image format is supported by most computer forensic applications. 18

Self collection

A process where individual custodians identify and copy potentially relevant files for discovery.

Structured data

Data that resides in a fixed field within a record or file is called structured data. This includes data contained in relational databases and spreadsheets. 19

System administrator

A system administrator, or sysadmin, is a person who is responsible for the upkeep, configuration, and reliable operation of computer systems; especially multi-user computers, such as servers. 20


Pronounced yoo-niks, a popular multi-user, multitasking operating system developed at Bell Labs in the early 1970s. Created by just a handful of programmers, UNIX was designed to be a small, flexible system used exclusively by programmers. 21


Julie Brown, Vorys (project lead)
Teri Christensen, Faegre Baker Daniels
Kevin Clark
Justin Coffey
Sean d’Albertis, Faegre Baker Daniels
Kevin Esposito
Faisal Habib, AccessData Group
Valerie Lloyd, Excel Energy
Rick Nalle, KPMG
Andrea Donovan Napp, Robinson & Cole
John Wilson


  1. EnCase Forensic Imager, Version 7.06, User's Guide. Guidance Software.
  2. EnCase Forensic Imager, Version 7.06, User's Guide. Guidance Software.
  3. Fenwick & West LLP, FWPS eDiscovery Terminology (11/6/2005). Citing NTI's Computer Forensics Definitions, http://www.forensics-intl.com/def2.html
  4. http://searchitchannel.techtarget.com/definition/clean-install.
  5. http://en.wikipedia.org/wiki/Database_administrator.
  6. Import messages into Windows Mail from Outlook Express, http://windows.microsoft.com/en-us/windows-vista/import-messages-into-windows-mail-from-outlook-express.
  7. http://www.forensicswiki.org/wiki/Dd
  8. EML File Format, http://whatis.techtarget.com/fileformat/EML-Microsoft-Outlook-Express-mail-message-MIME-RFC-822.
  9. RenewData, Glossary (10/5/2005).
  10. Vinson & Elkins LLP Practice Support, EDD Glossary.
  11. http://www.webopedia.com/TERM/G/Graphical_User_Interface_GUI.html
  12. http://www.qmail.org/qmail-manual-html/man5/mbox.html.
  13. http://en.wikipedia.org/wiki/Metadata
  14. http://www.webopedia.com/TERM/D/DOS.html
  15. [MS-OXMSG]: Outlook Item (.msg) File Format- Introduction, http://msdn.microsoft.com/en-us/library/ee160779(v=exchg.80).aspx.
  16. http://en.wikipedia.org/wiki/IBM_Notes.
  17. Introduction to Outlook Data Files (.pst and .ost), http://office.microsoft.com/en-us/outlook-help/introduction-to-outlook-data-files-pst-and-ost-HA010354876.aspx.
  18. http://www.forensicswiki.org/wiki/Raw_Image_Format
  19. http://www.webopedia.com/TERM/S/structured_data.html.
  20. http://en.wikipedia.org/wiki/System_administrator.
  21. http://www.webopedia.com/TERM/U/UNIX.html