Critical Thinker

Someone who uses 

specific criteria to 

evaluate reasoning, 

form positions, and 

make decisions.

argument

A conclusion 

about an issue that is 

supported by reasons.

conclusion

A position taken about an issue, also called a claim or an opinion; in deductive reasoning, the inference drawn from the major and minor premises; in research, the meaning and significance of the data as interpreted by the researcher. 

issue

the question or subject

under discussion

reasons

statements of evidence given to support conclusions

assumptions

beliefs, usually taken for granted, 

that are based on the experiences, observations, or desires of an individual or group

values

beliefs, ideals, or principles 

that are considered worthy and 

held in high regard

value assumptions

beliefs about what is good 

and important 

that forms the basis

 of an individual's 

opinion

on issues

value conflicts

disagreements 

about the priority different 

values should have 

in decision making

value

prioritization

the process of 

choosing the 

most important

values in an issue

morals

principles that distinguish

right from wrong

behavior

(ethics)

ethics

standards of conflict

reflecting

what is considered

right or wrong 

behavior

utilitarianism

a belief system 

where behavior

is considered ethical 

when it promotes general happiness 

and 

minimizes unhappiness

liberatarianism

a belief system in which behavior

is considered ethical 

when it allows for one's individual freedoms

and does not restrict

the freedom 

of others

egalitarianism

a belief system in

which behavior is

considered to be ethical

when equal opportunities

and consequences 

apply to all people

religious values

an ethical system

based on spiritual truth

and the principles 

of loving God

and one's neighbor

prima facie

values

a system of universal ethical

principles, 

such as honesty 

and respect for others

that are considered to be self-evident

and obvious to rational individuals of every culture

ideal value

a value

considered

to be

right and good

real value

a value 

considered to be

right and good 

that is acted 

upon 

in one's life

role

exchange

test

a test for ethical 

decision making 

that involved empathizing with 

the people affected by an 

action 

that is being considered

universal 

consequences 

test

a test for general decision 

making that 

focuses on the 

general consequences

of an action 

under consideration

new

cases

test

a test for ethical decision

making that asks 

whether

a decision is consistent

with decision that would be made

 in similar, harder cases

higher 

principles 

test

an ethical test by which one 

determines

if the principle on which

one is acting is consistent 

with a higher or more general 

principle than one accepts

reality assumptions

Assumptions about what 

is true and factual that 

are sometimes stated 

and sometimes implied; 

these assumptions are 

often taken for granted.

inductive 

reasoning

the process of finding the truth 

by making observations through:

                    -statistical polls

                    -controlled experiments

                    -relevant examples

                    -analogies

deductive

reasoning

the process of inferring 

a conclusion by putting forth 

true premises

in a valid format

deductive

argument

an argument that follows

formal patterns of reasoning

and is aimed 

at establishing a certain conclusion

through presenting 

the premises 

in a valid form

valid

argument

an argument 

structured in a correct, deductive format;

if the premises are true

then the conclusion is true

sound

argument

when the form of an argument is valid 

and the contect is true

syllogism

a deductive argument

consisting of

two premises 

and 

a conclusion

major

premise

The statement in a syllogism 

that sets forth a general 

principle. (The major premise 

contains the term that is the 

predicate of the conclusion.) 

minor

premise

The statement in a syllogism 

that expresses an instance of 

the principle set out in the 

major premise. (The minor 

premise contains the term 

that is the subject of the 

conclusion.)

conclusion

In deductive 

reasoning, the inference 

drawn from the major and 

minor premises of a syllogism. 

categorical

statement

A statement in which 

members of one class are 

said to be included in another 

class. This statement may be 

used as the major premise of a 

syllogism.

conditional

syllogism

In deductive reasoning, a 

syllogism whose major premise 

asserts that if the condition 

cited in the first part of a 

statement is true, then the 

claim cited in the second part 

of the statement will follow. 

modus

ponens

A valid conditional/

hypothetical syllogism in 

which the antecedent is 

affirmed.

hypothetical

syllogism

 A 

syllogism in which the major 

premise presents a condition 

(“if A, then B”) or a possibility 

(“either A or B”) that is 

resolved in the minor premise 

so that a valid conclusion 

can follow. 

modus

tollens

A valid 

conditional/hypothetical

syllogism in which the 

consequent is denied.

chain

argument

a form of argument 

that builds

and depends upon

a series of conditions 

to be met

disjunctive

syllogism

A hypothetical syllogism in 

which two possibilities are 

given in the major premise 

and one is assumed to be 

necessarily true. In the minor 

premise, one of the possible 

alternatives is negated, and 

the remaining alternative 

is then affirmed in the 

conclusion.

"or"

argument

by

elimination

A valid syllogism that seeks 

to logically rule out various 

possibilities until only a single 

possibility remains. 

enthymeme

a syllogism with 

the key part or parts

implied rather than stated

grounds

Evidence offered 

to prove a claim. Grounds can 

consist of statistics, examples, 

research, physical evidence, 

logical reasoning, and expert 

opinion.

stereotyping

Classifying

people, places, or things 

solely on common traits while 

ignoring individual differences 

that make these comparisons 

invalid.

premise

of

contention

The premise of a deductive 

argument that is under 

dispute. This is also often 

called the contentious 

premise.

induction/

inductive reasoning

(often called 

inductive reasoning) 

The process of drawing 

generalizations from known 

facts or research to give 

strength and support to 

conclusions.

statistical evidence

Data collected by polling and 

research studies that can 

be used to make statistical 

generalizations

statistical

generalizations

Inferences drawn from 

statistical evidence that 

are used to give strength to 

inductive arguments. 

characteristic

of interest

The specific question that a 

researcher seeks to answer 

concerning a given population

target population

The group about which 

a researcher wishes to 

generalize.

sample

Members of the 

target population who are 

studied by a researcher. 

representative

A quality of 

a research sample in which 

the sample has the same 

significant characteristics in 

the same proportion as the 

target population. 

biased

A sample that 

does not reflect a random, 

representative population. 

A biased sample does not 

provide adequate evidence to 

support a conclusion.

randomness

A condition 

that allows every member of a 

target population to have an 

equal chance of being chosen 

as part of the sample.

causal generalizations

Generalizations based on 

causal factors; that is, they 

state that a particular factor 

is responsible for a specific 

effect. These generalizations 

are used to strengthen 

inductive arguments.

necessary condition

A condition (state of affairs, 

thing, process) that must be 

present if a particular effect 

is present. Equivalently, if the 

necessary condition is absent, 

then the effect cannot occur. 

sufficient

condition

A condition (state of 

affairs, thing, process) that 

automatically leads to the 

production of another event. 

If the condition is present, 

then the effect will definitely 

occur. The sufficient condition 

creates or causes the effect.

multiple causes

A combination of causes that 

are presumed to lead to a 

specific effect. 

immediate causes

A causal factor that 

immediately precedes the 

effect.

remote causes

Factors or 

conditions that led up to but 

did not immediately precede 

the effect. 

method of

agreement

A theory of causation 

postulating that the cause of 

an effect is found by noting 

that  X is the only factor always 

present when  Y (the problem 

or the good effect) occurs; 

therefore,  X causes  Y . 

method of difference

A theory of causation 

postulating that the cause of 

an effect is found by noting 

that the only difference 

between the event or effect 

(called Y) happening or not 

happening is whether one 

element—X—is present.

forensic

belonging to, used in, or suitable 

to courts of judicature or public discussion and debate.

chain of custody

 the continuous process of logging each 

and every action that is taken on or against a piece of evidence and recording every 

movement that evidence makes.

McKeever Test

Seven part test to determine the usability of digital forensic evidence:

 1. The recording device (or computer) was capable of making the recording.

 2. The operator of the device (or computer) was competent to make the recording.

 3. The recording (or data file or artifact) is authentic and correct.

 4. No changes, additions, or deletions have been made to the recording (or forensic image).

 5. The recording (or digital evidence) has been preserved in the manner as seen by the court.

 6. The speakers (heard or seen in the recording or identified in the digital files) are identified.

 7. The conversation recorded (or material stored on the computer) was made voluntarily and not induced in any way.

Virtual Private Network

(VPN)

A VPN is a way of configuring a network connection over the Internet, allow-

ing people to work at home.

Info to be collected by first responders:

• Contact information for network administrators
• A list of affected hardware, including servers, switches, routers, and workstations
• Copies of relevant log files
• Live analysis of current network connections, open sessions, and open files on suspect systems
• A topographic map of the network, if available

Elements of 

Documenting evidence:

• Where the evidence was found

• Time and date the evidence was collected

• Who found the evidence

• Description of the evidence

• Make, model, and S/N of device (if applicable)

Transporting Evidence:

• Packing boxes

• Antistatic bags

• Antistatic bubble wrap

• Cable ties

• Packing tape

• Evidence tape

• Faraday containers

• A hand truck

Rules for Transporting Evidence:

• Electronic devices and media must be protected from electronic and magnetic 

interference.

• Devices (especially computers) must be protected from impact or excessive 

vibration.

• Evidence must be protected from heat and humidity.

• Precautions must be taken to prevent loss or theft of evidence materials.

• The chain of custody report must be rigorously maintained.

Requirements for Evidence Storage Facilities:

• Access to storage is limited to the evidence custodian.

• All access to the evidence locker is rigorously documented.

• Chain of custody for all items in possession of the facility must be rigorously 

maintained.

• Some form of independently auditing the aforementioned rules exists.

Surveillance systems should meet the following requirements:

• Video capture and recording equipment is not accessible to anyone but authorized personnel.

• Images taken by the system must be of sufficient quality to be usable.

• Surveillance views should include all entrance and exit points for the storage area as well as the public access area.

• Intrusion detection should be able to detect entry through doors and win-dows as well as catastrophic entry that would include the destruction of walls, floors, and ceilings.

• Walls, floors, and ceilings should be hardened to deflect forced entry.

• Air ducts and other conduits should be sized to prevent human entry.

• Air filtration and other systems should be designed to prevent the infiltration of harmful substances

WIPE.EXE

Windows utility for cleansing disk drives

Advantages to working on a copy:

• The hash codes of the original can be compared to the copy to assure authenticity.
• If one makes a mistake, it is easy enough to start over on a fresh copy 
• The approach used for one type of data may not work well with another type, and a fresh copy, complete with matching hash values, assures integrity of the data.
• Loss, theft, or corruption of the copy image does not end the investigation.
• The courts insist that investigators work that way unless demonstrably impossible.

Priority List for Data Acquisition:

• Registers, cache
• Routing tables, ARP cache, process tables, kernel statistics, memory
• Temporary file systems
• Disk
• Remote logging and monitoring data that is relevant to the system in question
• Physical configuration, network topology
• Archival media

Take a copy of the following data before powering down the computer to prevent irretrievable loss:

• Passwords in plain text
• Running processes
• Unencrypted data that is stored in encrypted form on the hard drive
• Instant messages
• Currently logged-in user information
• Open ports
• Evidence of attached devices

User Mode

User mode is a low-privilege 

level of access. Certain commands or processes just aren’t allowed

Kernel Mode

Kernel mode 

is the level of access granted to the core operating system and to the CPU. Any-

thing goes. 

Log File

Includes the following:

• Case data

• Case number

• Evidence identification number

• Description

• Examiner name

• Notes

• Disk information (drive geometry, make and model, interface, volume size, 

and number of sectors)

• Time and date the acquisition started

• Time and date the acquisition completed

• A list of segments that failed to copy successfully

• Image verification results, include hash values calculated

Procedures in Collecting Live Data:

•Document preliminary information, including

        Date and time

        Complete log of the command history

        A photograph of the scene as found

        Operating system running on machine

• Document the exact time of each step in the capture process to establish an 

audit trail of each forensic tool or command used.

• Collect all types of volatile system and network information:

        Memory dump

        Paging files

        Hibernation files

•Document time that the process is completed.

Types of Media Targeting in an Investigation:

• Hard disks

• Floppy disks

• Zip disks

• Optical disks (CD-ROM, DVD, etc.)

• USB flash media (thumb drives, memory cards, etc.)

• Removable and portable hard disks

• Personal electronic devices (digital recorders, music players, PDAs, telephones, etc.)

File formats for storing digital data:

• DD Images (bit-for-bit)
• Expert Witness Format (EWF)
• Advanced Forensic Format (AFF)
• Safeback (by NTI)
• ILook Imager
• ProDiscover File Format

offset value

a method of address-

ing that the OS uses to locate information in memory beyond the absolute address.

Partition

a section of a disk

sector

storage units for data in storage devices

primary partition 

defined in the master boot record of 

the hard drive and can be turned into a bootable partition. There can only be four 

primary partitions on any given physical disk

extended partitions

a division of primary partitions

cluster

anywhere from 4 to 64 sectors collected together

(aka - FAU or file allocation unit)

metadata

file

 a file that 

contains descriptive information about other data.

superblock

“master node.” It contains information about the file system itself. Size, status, and 

definitions of other objects within the file system, such as the inodes and dentries, 

are contained in the superblock.

inode

(index node)

contains all the metadata used by the file system to 

manage objects.

This information includes:

• File owner

• File type

• File permissions

• Modify/Access/Create (MAC) information

• File size

• Pointers to the blocks hosting the file

• Number of links to the file

Unallocated Space

any hard disk space that is not currently 

identified within the file system as hosting live file data.Those clusters have not 

been assigned, or “allocated” as it were, to any given file. It is available for use, 

should the operating system need to store a new file or to extend an existing file 

into additional clusters.

slack space

if the cluster is not completely overwrit-

ten, it may be possible to extract data from the part of the cluster not completely 

overwritten. 

terminal emulator

Terminal emulators are programs that operate within the graphical environ-ment of the OS, but provide pure command-line services. This is frequently called 

simply the shell. Such shells include Terminal, XTerm, BASH, Konsole, and about 

a thousand others.