The EDRM Collection Standards Glossary is a glossary of terms defined as part of the EDRM Collection Standards.
“.Ex01” is the current EnCase evidence file format. An “.Ex01” file is a byte-for-byte representation of a physical device or a logical volume. It has LZ compression, AES256 encryption with keypairs or passwords, and options for MD5 hashing, SHA-1 hashing, or both.
Procedures used for acquiring electronic information in a manner that ensures it is “as originally discovered” and is reliable enough to be admitted into evidence. Such procedures are defined in part by the US Department of Justice publication “Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations”.
A computer that is powered up and actively logged in.
With a logical evidence file, you can selectively choose which files or folders you want to preserve, instead of acquiring the entire drive. Unlike copying files from a device, which alters critical metadata, logical evidence files preserve the original files as they existed on the media and include additional information such as file name, file extension, last accessed, file created, last written, entry modified, logical size, physical size, MD5 hash value, permissions, starting extent, and original path of the file.
When the forensic imaging process targets a logical portion of the media, such as the C:\ drive or another logical volume or partition.
mbox is a common format for storing email messages. An mbox is a single file containing zero or more email messages.