The purpose of this page is to generate and maintain a resource for digital forensic and eDiscovery practitioners, lawyers and legal professionals, and anyone generally looking to understand and/or explain (by way of analogy) some of the technology concepts that may arise during expert testimony. As a digital forensic practitioner, I often find difficult the task of adequately explaining technology concepts such that attorneys, judges, and jurors “get it”. In my experience, the best means for creating clear understanding in these situations is through the use of analogies.
Although there may be better analogies for these terms/concepts (suggestions are welcomed), remember the analogies are not intended to be absolutely technically accurate. Instead, they are intended to provide a means to communicate and establish a general understanding of technical concepts. Everyone is encouraged to send their favorite analogies by posting them in the comments section below, or via email (analogies(at)sjdcforensics(dot)com). This is meant to be a community driven list for the benefit of all and citations/credit will be given for all submissions (unless the contributor desires to remain anonymous). Be sure to also send/post any information you would like included in the credit (e.g., website, email address, name, etc).
As this page evolves, I will be creating a parallel reference sheet (in .pdf format) to download and/or print for court.
I will be frequently updating this page, and the related .pdf document, with additional analogies as they are suggested. There can be numerous analogies for a single term or concept.
Digital Forensic Analogies for the Courtroom
Artifact – Like a toolmark, digital evidence becomes an artifact when it’s been properly identified and interpreted. Without this identification a toolmark is just a scratch and digital evidence is just 1’s and 0’s.
CPU (Central Processing Unit) (See also CPU/RAM/Hard Drive)
CPU/RAM/Hard Drive (HDD) – CPU=Carpenter, RAM=Workbench, HDD=Woodshed; CPU=Plane, RAM=Airport, HDD=Town (credit to various respondents in this thread)
Digital Evidence (AKA Electronic Evidence) –
Disk Image – (See also E01, Disk Cloning, Forensic Image, Image, Raw Image)
Electronic Discovery – (AKA eDiscovery)
File Allocation Table – A file allocation table system is like a filing cabinet full of hanging folders. At the front of the cabinet is list of all the files, and within which folders they are contained. When a file is deleted, the entry for that file on the list is marked as available to be used, but the folder is not emptied until you replace it with a new file (reference thread here).
File Deletion – File deletion is generally removing the index entry for a file (like removing the reference card for a book in a library). When you delete a file (by-passing the recycle bin) you are removing the reference to the data for that file from the MFT. This is like removing the card from the card catalog in a library (or the reference data in the library database – for you not-so-dated folks), but leaving the book on the shelf. Referring to how deleted data can be recovered from a disk, recovering data is like finding a book in the library without having the card from the card catalog (see also Data Recovery).
Another analogy, discovered here, is that data on a hard drive is like houses in a neighborhood. Data deletion is like removing the address number of the houses. That makes the houses difficult to reference/distinguish, be directed to or to find, but the house itself remains. See also MFT or Data Recovery.
Hard Disk Drive (HDD)
Metadata –(data about data). Your biography would contain information about where you were born, when you were born, who your parents were, and a bunch of other things about you. This is what metadata is, the biography of a file, and, just as the amount of information recorded about a person in a biography can vary, the same is true of files and their metadata (credit to Sam in the comments).
MFT (Master File Table) – Analogous to the old card catalog used in a library. This is where most of the information (metadata) regarding where a file (the book) is stored. See also File Deletion or Data Recovery.
RAM (Random Access Memory) – Hard drive data is like a book (data) on a bookshelf that can be accessed at anytime, whereas data in RAM is like having the book in your hand (credit to various respondents in this thread).
Solid State Drive (AKA- SSD) –
SSD Wear Leveling – SSD drives use flash memory which, similar to the tires on your car, has a shelf-life. SSDs use wear leveling to wear flash storage evenly. (credit to SANS – https://digital-forensics.sans.org/