Acronym study
Terms 1–17 of 17 CHFI acronyms and key terms. Each entry includes a plain-English definition and a link to the full 800-word glossary page with exam context and practice questions.
Term 1
Autopsy Tool
An open-source digital forensics platform used to analyze hard drives, recover deleted files, and uncover evidence from computers and storage media.
Term 2
Chain of custody is a documented process that tracks the handling, transfer, and possession of evidence or digital assets from the moment they are collected until they are presented in court or used in an investigation.
Term 3
Data carving is the process of recovering files and data fragments from a storage device without relying on the file system metadata.
Term 4
Deleted file recovery is the process of restoring files that have been removed from a storage device, often using specialized tools to retrieve data that has not yet been overwritten.
Term 5
Disk imaging is the process of creating an exact, bit-for-bit copy of a storage drive, preserving all data, deleted files, and unallocated space for forensic analysis or system recovery.
Term 6
EnCase Forensic is a digital forensics software suite used by investigators to acquire, analyze, and report on data from computers and mobile devices in a legally admissible way.
Term 7
Evidence admissibility is the legal and technical standard that determines whether digital evidence can be used in a court of law.
Term 8
FAT File System Forensics is the practice of recovering and analyzing digital evidence from storage devices formatted with the File Allocation Table file system.
Term 9
Forensic evidence collection is the process of identifying, preserving, and gathering digital data from computers and devices in a way that keeps it valid for use in legal investigations or internal incident response.
Term 10
The forensic investigation process is a structured series of steps used to collect, preserve, analyze, and present digital evidence from computers and networks for legal or internal purposes.
Term 11
FTK Imager is a free forensic imaging tool used to create exact copies of computer drives and storage devices for digital evidence analysis.
Term 12
Memory acquisition is the process of capturing the contents of a computer's volatile memory to preserve data for forensic analysis and incident response.
Term 13
NTFS Forensics is the practice of examining New Technology File System structures to recover evidence of user activity, hidden data, and deleted files for cybersecurity investigations.
Term 14
A process memory dump is a snapshot of all the data a specific running program has stored in RAM at a single moment, used for analyzing its behavior and contents.
Term 15
RAM Analysis is the forensic examination of a computer’s volatile memory to uncover evidence of running processes, network connections, malware, and user activity that is lost when the system is powered off.
Term 16
An open-source memory forensics tool used to extract digital evidence from a computer's RAM (random access memory).
Term 17
Wireshark Forensics is the use of packet capture files and analysis techniques to investigate network traffic for signs of security incidents, intrusions, or policy violations.