download pdf file from folder in asp.net c#: Modify pdf metadata Library application API .net azure windows sharepoint forensic-explorer-user-guide.en35-part1495

Ap p e n d i x 6 - D e f i n i t i o n s

35 1 | P a g e

Appendix 6 - Definitions

APPENDIX 6 - DEFINITIONS

Alternate Data Stream

An Alternate Data Stream (ADS) is a feature of the NTFS file system. ADS

were originally included in Windows NT for compatibility with Macintosh

HFS file systems resource fork and a data fork. The ADS provides a means

to allow programmers to add additional metadata to be stored for a file,

without adding this data directly to the file. The additional data is

attached as a stream which is not normally visible to the user.

ANSI character set

The ANSI character set was that standard character encoding for English

versions of Microsoft Windows, including Windows 95 and NT. The ANSI

format stores only the 128 ASCII characters and 128 extended characters,

using 1 byte per character. Not all of the Unicode characters are

supported.

ASCII

The American Standard Code for Information Interchange (ASCII) is a 7-bit

character encoding scheme that allows text to be transmitted between

electronic devices in a consistent way. The ASCII character set comprises

codes 0–127, within which codes 0–31 and 127 are non-printing control

characters. The addition of Codes 128–255 make up the Extended ASCII

character set (see http://www.ascii-code.com/ for more information)

(10).

Bookmarks

Forensic Explorer enables any item (file, folder, keyword, search hit etc.),

or sections of items, to be marked and listed in the Bookmarks module.

Bookmarks are used to note items of interest.

BpB

͞ ytes per lock͟. Used in the Forensic Explorer File Extent tab to display

the number of Bytes per Block (cluster) for the highlighted file.

BpS

͞ ytes per Sector͟. Used in the Forensic Explorer File Extent tab to diplay

the number of Bytes per Sector for the highlighted file.

Byte Plot view (Forensic

Explorer)

A view in Forensic Explorer which includes for a selected file: A graphical

representation of a binary file; A Character Distribution graph

representing the frequency that each ASCII character is displayed in the

file. See ͞Byte Plot and Character Distribution͟ page 91.

Carved (file)

Files located by ͞file carving͟ with Forensic Explorer are displayed as

͞ arved_ [fileytpe].ext. This is because a file system record for these files

les

no longer exists so they are in effect lost to the file system.

Because file and folder information is only stored with the file system

record, a carved file does not retain its original file or folder name.

me.

Modify pdf metadata - add, remove, update PDF metadata in C#.net, ASP.NET, MVC, Ajax, WinForms, WPF

Allow C# Developers to Read, Add, Edit, Update and Delete PDF Metadata

bulk edit pdf metadata; extract pdf metadata

Modify pdf metadata - VB.NET PDF metadata library: add, remove, update PDF metadata in vb.net, ASP.NET, MVC, Ajax, WinForms, WPF

Enable VB.NET Users to Read, Write, Edit, Delete and Update PDF Document Metadata

pdf metadata editor; edit pdf metadata online

352 | Page

Ap p e n d i x 6 - D e f i n i t i o n s

Case File

A case file is the store of investigational activities for an individual case in

Forensic Explorer. The case file records the location of the examined

devices and holds the results of searching, sorting, bookmarks, reports

etc.

A case file is designed to build over time as a record of an investigation, in

the same way as would a paper based file in a traditional matter.

Cluster

A cluster is the smallest logical unit of disk storage space on a hard drive

that can be addressed by the computers Operating System. A single

computer file can be stored in one or more clusters depending on its size.

Cluster Boundaries

A cluster boundary refers to the start or the end position of a cluster (a

group of sectors). If a file is fragmented (stored in non-contiguous

clusters), the fragmentation happens at the cluster boundary, as there is

no smaller unit of storage space that can be addressed by a computer.

Examining data at cluster boundaries can be an important technique to

improve the speed of some search routines. For example when file carving

for file headers, it is faster to search the cluster boundary (i.e. the

beginning of a cluster) rather than a sector by sector search of the drive.

Codepage

Codepage is another term for character encoding. It consists of a table of

values that describes the character set for a particular language. When a

keyword search is conducted in Forensic Explorer, the correct codepage

should be selected.

Computer forensics

Computer forensics is the use of specialized techniques for recovery,

authentication, and analysis of electronic data with a view to presenting

evidence in a court of law.

Compound File

A compound file is a file that is a container for other files or data, such as

a .Zip or .Pst (Microsoft Outlook mail file). See Chapter 19.5 - Expand

compound file.

Data carve

See file carve.

Data View

A data view describes the different methods available in Forensic Explorer

to examine evidence. For example a single file may be examined in the

Hex, Text or Display data views, with each view giving a different

perspective on its content.

Deleted File

A deleted file is one which has been marked as deleted by the file system

(usually as a result of being sent to and emptied from with Recycle Bin). A

deleted file can be recovered by reading the file system record for the file,

then reading and restoring the file data. As long as the data for the file is

intact (i.e. the space once occupied by the file has not been used to store

new data) the recovered file will be valid.

How to C#: Modify Image Metadata (tag)

VB.NET How-to, VB.NET PDF, VB.NET Word, VB.NET Excel, VB.NET PowerPoint, VB.NET Tiff, VB.NET Imaging, VB.NET OCR, VB How to C#: Modify Image Metadata (tag).

analyze pdf metadata; modify pdf metadata

VB.NET PDF File & Page Process Library SDK for vb.net, ASP.NET

VB.NET PDF - How to Modify PDF Document Page in VB.NET. VB.NET Guide for Processing PDF Document Page and Sorting PDF Pages Order.

remove metadata from pdf; remove pdf metadata

Ap p e n d i x 6 - D e f i n i t i o n s

35 3 | P a g e

In some cases the file system record itself can be overwritten and

destroyed. If this is the case the file can only be recovered by ͞file carving͟

(see 22.4- File carving). Because file and folder information is only stored

with the file system record, a carved file does not retain its original file or

folder name.

Delphi Basics©

Delphi Basics© is a documentation package for the Delphi programming

language (see http://www.delphibasics.co.uk/). Delphi Basics© is installed

with and licensed for use only with Forensic Explorer. Delphi Basics© is

provided as a reference guide only. Not all commands/features in the

documentation are available in Forensic Explorer.

Device

A device refers to the electronic media being examined. It usually refers to

a physical device, such as a hard drive, camera card etc., but can also

mean the forensic image of a device in DD, E01 or other formats.

Directory

See Root Directory

Directory Entry (FAT)

A component of the FAT file system. Each file or folder on a FAT partition

has a 32 byte directory entry which contains its name, starting cluster,

length and other metadata and attributes.

Disk Slack

The area between the end of a partition and the end of the disk. It is

usually considered to be blank, but can hold remnants of previous disk

configurations or could be used to purposely hide data.

Disk view (Forensic

Explorer)

A graphical representation in Forensic Explorer of sectors on the

examined device. Disk view can be used to:



Examine the content of the data in a specific sector/s;



Quickly navigate to a desired sector position on the device;



Obtain a graphical overview of the file types which make up the

drive and where they are position on the examined media;



Identify the location and fragmentation of individual files.

DST

Daylight Savings Time

dtSearch®

dtSearch® (www.dtsearch.com) is third party index search software built

into Forensic Explorer and accessed via the Index Search module tab (see

Chapter 13 - Index Search Module, for more information).

Entropy

Entropy is an expression of disorder or randomness. It is used in computer

forensics to measure the randomness of data. For example, a compressed

file will have a high entropy score. A text file will not. An entropy score is

included in Forensic Explorer the Byte Plot data view of the File System

module.

C# PDF File & Page Process Library SDK for C#.net, ASP.NET, MVC

Image: Copy, Paste, Cut Image in Page. Link: Edit URL. Bookmark: Edit Bookmark. Metadata: Edit, Delete Metadata. C# PDF - Modify PDF File and Page Using C#.

get pdf metadata; delete metadata from pdf

C# Raster - Modify Image Palette in C#.NET

in PDF, C#.NET edit PDF bookmark, C#.NET edit PDF metadata, C#.NET VB.NET How-to, VB.NET PDF, VB.NET Word, VB.NET C# Raster - Modify Image Palette in C#.NET.

embed metadata in pdf; change pdf metadata creation date

354 | Page

Ap p e n d i x 6 - D e f i n i t i o n s

E01

A forensic file format used to create disk image files. Developed by

Guidance Software (http://www.guidancesoftware.com/)

Evidence Items

Items of evidence that have been added to the case, such as forensic

image files, email files, registry files etc.

Explorer View

File display technology written by GetData and used in the Forensic

Explorer File Display tab to show the contents of more than 300 different

file types.

FAT

FAT (File Allocation Table) is the file system that pre-dates NTFS. Once

popular on Windows 95, 98 and XP, it is now primarily used on memory

cards, usb drives, flash memory etc. due to its simplicity and compatibility

between Operating Systems (e.g. Windows and MAC).

For more information see: http://www.forensicswiki.org/wiki/FAT

FAT Slack

The unused space in the last cluster of the FAT where the logical size of

the FAT does not fill the complete cluster.

File carve

File carving is the process of searching for files based on a known content,

rather than relying of file system metadata. This usually involves searching

for a known header and footer of a specific file type.

Forensic Explorer has built in code to data carve for more than 300 file

types.

File Signature

The header component of a file which has unique identifiers that assigns it

to a type, e.g. a jpeg. Most common file types have a signature set by the

International Organization for Standardization (ISO). Identifying a file by

its signature is a more accurate method of assessment that using the file

extension, which can easily be altered.

File Slack

The unused space in the last cluster of a file where the logical size of the

file does not fill the complete cluster. The file slack can contain fragments

of old data previously stored in that cluster.

File system

The organization of files into a structure accessible by the Operating

System. The most common types of file systems used by Widows are FAT

and NTFS. Others include EXT (Linux) and HFS (MAC).

Fileprint

A byte level graphical representation of a file content that may ͞serve as a

distinct representation of all members of a single type of file͟ (9). See

͞Byte Plot and Character Distribution͟ page 91.

Flag

In Forensic Explorer a flag is used to mark a file as relevant. It is a colored

How to C#: Modify Image Bit Depth

text in PDF, C#.NET edit PDF bookmark, C#.NET edit PDF metadata, C#.NET VB.NET How-to, VB.NET PDF, VB.NET Word, VB.NET Excel How to C#: Modify Image Bit Depth.

pdf remove metadata; pdf metadata reader

How to C#: Overview of Using XImage.Raster

See this C# guide to learn how to use RasterEdge XImage SDK for .NET to edit the image file Metadata, Color Palette and modify the compression method.

acrobat pdf additional metadata; edit pdf metadata

Ap p e n d i x 6 - D e f i n i t i o n s

35 5 | P a g e

box (flag) that is applied to a List view when the ͞Flag͟ column is

displayed. Eight colored flags are available for use. Flags are applied by

highlighting and item and double clicking the opaque flag color in the flag

column, or by using the right click ͞Add Flag͟ menu. Flags can also be

applied by running Forensic Explorer scripts.

Folder

See Root Directory

Forensic Image

A "forensic image is a file (or set of files), used to preserve an exact "bit-

bit-

for-bit" copy of data residing on electronic media.

Using non-invasive procedures, forensic software is used to create the

the

image file. The image contains all data, including deleted and system files,

ad is an exact copy of the original.

Most forensic imaging software integrates additional information into the

image file at the time of acquisition. This can include descriptive details

entered by the examiner, as well as the output of mathematical

calculations, an "acquisition hash", which can be later used to validate the

integrity of the image. The forensic image file acts as a digital evidence

container that can be verified and accepted by courts.

Forensic Integrity

In computer forensic the term ͞forensic integrity͟ commonly refers to the

ability to preserve the evidence being examined so that it is not altered by

the investigator or the investigative process. This enables a third party to

conduct an independent examination of the evidence on an identical data

set. Forensic integrity is usually achieved through the use of write blocking

devices (to protect original media from being changed) and the forensic

image process (the acquisition of an identical copy which can be re-

verified at a later date.)

Fragmented File

The distribution of a file on a disk so that it's written in non-contiguous

clusters.

Free Space

Free space is often used to describe unallocated clusters, the available

disk storage space that is not allocated to file storage by a volume. Free

space can however also refer to the unused area of a disk.

Free space in Partition: Space inside the partition that is not used by a

volume (this is usually a small section of space at the end of a

partition). IF there is no volume then this is the entire partition.

Free space on Disk: Space on the disk that does not form part of any

partition but is available for future allocation. Usually consists of some

sectors between the MBR and the first partition, and space at the end of

the disk that was not used in any partition.

GeoTag (Geotagging)

Geotagging is the process of adding geographical identification metadata

to files, usually photographs or videos. This data is usually latitude and

longitude co-ordinates.

How to C#: Modify Color and Contrast

How to C#: Modify Color and Contrast. Overview for How to Modify Color and Contrast. Overview. By two. Steps to Modify Color and Contrast.

pdf keywords metadata; add metadata to pdf

VB.NET PDF Library SDK to view, edit, convert, process PDF file

NET developers can redact, delete, view and save PDF metadata. added to a specific location on PDF file page addition, you can easily create, modify, and delete

batch update pdf metadata; edit pdf metadata online

356 | Page

Ap p e n d i x 6 - D e f i n i t i o n s

GREP

Stands for Generalized Regular Expression Parser. Originally a command

line text search utility in UNIX it is now an acronym to describe the format

of a search. It uses a concise but flexible structure to match strings of text,

including characters, words, or patterns of characters. Forensic Explorer

utilizes PCRE (Perl Compatible Regular Expressions) for keyword searching,

of which GREP is a subset.

Hard Link

͞A hard link is the file system representation of a file by which more than

one path references a single file in the same volume͟ Microsoft (22).

Hash

A Hash is a mathematical calculation to generate a unique value for

specific data. The chances of two files that contain different data having

the same hash value are exceedingly small. The most common hash

algorithms in use are MD5, SHA1 and SHA256.

Hash Set

A Hash Sets is a store of mathematical calculations (hash values - usually

created by the MD5 algorithm) for a specific group of files. The hash

values are a ͞digital fingerprint͟ which can then be used to identify a file

and either include or exclude the file from a data set.

Hash Sets are often grouped in the forensic community into two groups:

Good Hash Sets: Operating System files, program installation files, etc.;

;

and Bad Hash Sets: virus files, malware, Trojans, child pornography,

Steganography tools, hacking tools etc.

Hash sets can be created in Forensic Explorer, or downloaded from a

trusted source.

Hex

Hexadecimal is a base 16 numbering system. It contains the sixteen

sequential numbers 0-9 and then uses the letters A-F. In computing, a

single hexadecimal number represents the content of 4 bits. It is usually

expressed as sets of two hexadecimal numbers, such as ͞4 ͟, which gives

the content of 8 bits, i.e. 1 byte.

Image File

See Forensic Image.

Index Search

An Index Search is the process of creating a database of search words in

the case so that after the index is created an instant search is possible.

Forensic Explorer uses the third party application dtSearch®

(www.dtsearch.com) for this process.

INFO2

Windows automatically keeps an index of what files were deleted

including the date and time of the deletion. The index is held in a hidden

file in the Recycle Bin called INFO2.

When the Recycle Bin is emptied, the INFO2 file is deleted.

Recovery and analysis of deleted INFO2 files can provide important

information about files that were once located on the computer.

C# PDF Library SDK to view, edit, convert, process PDF file for C#

NET allows you to read, add, edit, update, and delete PDF file metadata, like Title In addition, you can easily create, modify, and delete PDF annotations.

batch edit pdf metadata; read pdf metadata

How to C#: Modify Alpha Channel

Image Access and Modify. Image Information. Metadata(tag) Edit. |. Home ›› XImage.Raster ›› C# Raster: Modify Alpha Channel. PDF in C#, C# convert PDF to HTML

adding metadata to pdf files; metadata in pdf documents

Ap p e n d i x 6 - D e f i n i t i o n s

35 7 | P a g e

Investigator

In this user guide ͞Investigator͟ is used to describe the computer forensics

examiner, i.e. the user of Forensic Explorer. The investigator is responsible

for creating and developing the case file.

Item

In Forensic Explorer the term ͞item͟ is a generic term used to describe a

piece of data. The data could be a file, folder, partition, metadata entry,

FAT, MFT, unallocated clusters, or other such data that can be isolated

and examined.

ITunes Backup

ITunes Backups are created by iTunes. When an Apple device (iPhone,

iPad, iPod) is connected to a computer for the first time and synced with

iTunes, a folder is created using the unique device ID (UUID). These ITunes

Backup folders are very distinctive, in that they are 40 hexadecimal

characters long. ITunes Backups can be processed with Forensic Explorer.

Keyword

A keyword is a string of data created by the forensic examiner so that the

case can be searched for instances of that data (a keyword search).

A keyword can be an actual word, but can also be raw data.

Complex keywords are usually created using RegEx expressions.

LEF

See Logical Evidence File

LFN (also see SFN)

Long File Name refers to file or folder on a FAT file system which has a

name greater than 8 characters and 3 for the file extension (or one which

contains special characters). The storage of the additional file name

information makes it necessary for Windows to create an additional LFN

directory entry (or entries) to hold the extra information.

Link Files

Link files (.lnk) are Microsoft Windows shortcut files. Link files have their

own metadata and can provide valuable information about files stored on

the computer. (23)

Live Boot

͚Live oot͛ is a component of Forensic Explorer that enables an

investigator to boot a forensic image or write protected physical hard

drive. The investigator can then operate the computer in a real time,

forensically sound, virtual environment. The boot process is achieved

through and integration of Mount Image Pro and VMWare.

Logical Evidence File (LEF)

A Logical Evidence File is a forensic image containing specific files, rather

than the traditional image of an entire volume or physical disk. They are

usually created during a preview where an investigator identifies file

based evidence worthy of preservation, when an image of the entire

volume or device is not warranted.

Common Logical Evidence File formats are L01, created by EnCase® ®

forensic software (www.guidancesoftware.com) or AD1 by Access Data͛s

358 | Page

Ap p e n d i x 6 - D e f i n i t i o n s

Forensic Tool Kit ® (www.accessdata.com).

Forensic Explorer enables files in a case to be exported to a logical

evidence file (LEF) in .L01 format (see 9.6.2 for more information).

Logical file space

The actual amount of space occupied by a file on a hard drive. It may

differ from the physical file size, because the file may not completely fill

the total number of clusters allocated for its storage. The part of the last

cluster which is not completely filled is called the file slack.

Lost OS Clusters

Clusters in a volume that have no file data. For NTFS this is calculated

from accumulating all clusters associated with all the files in the MFT

(including the Unallocated clusters as that was derived from the $BITMAP

record), then working out the space left over. For NTFS this is space that

the OS might not be able to allocate without a check disk or

equivalent. For normal uncorrupted NTFS this would be non-existent or

small. For FAT typically this is non-existent, as the FAT table is used both in

cluster allocation of files and the working out of Unallocated clusters on X

volume.

Master boot record (MBR,

Boot Sector)

The very first sector on a hard drive. It contains the startup information

for the computer and the partition table, detailing how the computer is

organized.

Master File Table (MFT)

͞On an NTFS volume, the MFT is a relational database that consists of

rows of file records and columns of file attributes. It contains at least one

entry for every file on an NTFS volume, including the MFT itself. The MFT

stores the information required to retrieve files from the NTFS partition͟.

(24))

Metadata

Metadata is often referred to as ͞data about data͟. Windows metadata

can include a files create, last accessed and modified dates, as shown in

File List view of Forensic Explorer. File metadata includes information such

as camera make and model in a JPEG, or author name in Microsoft Word.

The File Metadata view in Forensic Explorer is used to show the metadata

in a file. Metadata can also be extracted by a script and added to a

column. See 8.11.1 for more information.

Module

Refers to the horizontal tabs (Evidence, File System, Keyword Search,

Index Search, Bookmarks, Reports, Scripts, Email, and Registry) at the top

of the Forensic Explorer main program window. Each module tab is used

to access a particular function of the program, for example, the Registry

module enables the investigator add and browse registry files.

Mount Image Pro (MIP)

A computer forensics software tool written and sold by GetData

(www.mountimage.com) which enable the mounting of forensic image

files as a drive letter on a Windows computer system. MIP is sold with

Forensic Explorer. It is installed as a separate program but can be run from

a shortcut in the Forensic Explorer toolbar.

Ap p e n d i x 6 - D e f i n i t i o n s

35 9 | P a g e

MRU

Most Recently Used (MRU) is a term used to describe a list of the most

recently opened files by an application. Many Windows applications store

MRU lists as a way of allowing fast and consistent access to most recently

used files. Most MRU lists are stored in the Windows registry.

Multi-core processing

A multi-core processor is a single computing component with two or more

processors ("cores"). Each core is responsible for reading and processing

program instructions. A multi-core process should be faster than the same

process run on a single core. However users are encouraged to test their

workstations as different hardware configurations can effect multi-core

speed.

Forensic Explorer provides the option to use multi core processing in File

Carving, Hashing and Keyword Search. The option is set using the

͞Priority͟ options, where ͞Low͟ is single core, and Normal, High and

Critical are multi-core.

NTFS

The Windows New Technology File System (NTFS) superseded FAT. It was

released with Windows NT and subsequently Windows 2000, Windows

XP, Windows Server 2003, Windows Server 2008, Windows Vista, and

Windows 7. It uses a Maser File Table (MFT) to store the information

required to retrieve files from the NTFS partition.

Ophcrack

Ophcrack is a free open source program that recovers Windows

passwords by processing LM hashes through rainbow tables. Ophcrack ISO

images can be used with Forensic Explorer Live Boot.

Pane

An area of the Forensic Explorer module. The Forensic Explorer module is

broken down into three panes, Folders view, File List view and File

Display. A pane can contain multiple different windows, such a Hex view,

Text view, Disk view, Console etc.

Pascal

A programming language used to create scripts in Forensic Explorer. See

Module Chapter 18 - Scripts Module.

Partition

A part of a hard disk that can have an independent file system.

PCRE (Perl Compatible

Regular Expression)

Perl Compatible Regular Expressions (PCRE) is a regular expression (RegEx)

library. The PCRE library is incorporated into a number of prominent open

source programs, such as the Apache HTTP Server and PHP language.

RegEx expressions can be used to keyword search evidence in Forensic

Explorer.

Pre-processing (a case)

Pre-processing describes the setup of a case so that core analysis

functions are automatically run prior to investigator review. Core analysis

functions can include hashing, carving and signature analysis.

Pre-processing options are set in Forensic Explorer when a device or

360 | Page

Ap p e n d i x 6 - D e f i n i t i o n s

forensic image file is added. See 10.5 for more information.

Priority

In Forensic Explorer priority refers to the use of threaded multi-core

processing. See ͞Multi- ore Processing͟.

Preview (Evidence Module)

The Preview button in the Evidence module enables an investigator to

quickly add a device or forensic image to Forensic Explorer without first

having to go through the steps to create a new case. The investigator can

choose to save a preview to a case, or if not, when the preview is closed,

no data is saved.

RAID

Redundant Array of Independent Disks.

RAM

Random Access Memory, where programs are loaded and computer code

is executed. The content of RAM is lost when the computer is turned off.

RAM Slack

RAM slack is the data between the end of the logical file and the rest of

that sector. For example, a sector is written as a block of 512 bytes, so if

the last sector contains only 100 bytes, the remaining 412 bytes is padded

with RAM slack. In older Operating Systems, e.g. Windows 95, RAM slack

could contain data from RAM unrelated to the content of the file. In more

recent Operating Systems, RAM slack is filled with zeroes.

Record View (Forensic

Explorer)

Record View displays information directly from the FAT or MFT record. It

provides more complete details for a file than the limited information

displayed in File List view.

Recover My Files

Data Recovery Software authored and sold by GetData at

www.recovermyfiles.com

Regex (Regular Expression)

A regular expression provides a concise and flexible means to "match"

(specify and recognize) strings of text, such as particular characters,

words, or patterns of characters. ͞The concept of regular expressions was

first popularized by utilities provided by Unix distributions, in particular

the editor ED and the filter grep q͟ (http://en.wikipedia.org/wiki/Regex).

Registry

The Windows Registry is a hierarchical database that stores configuration

settings and options for the Microsoft Windows operating systems. For

the computer forensics examiner it can be a wealth of information on all

aspects of the computer and its use, including hardware, applications, and

user configuration.

Ribbon (Toolbar)

The ribbon refers to the Forensic Explorer toolbar and the top of each

module. The contents of the toolbar are controlled by scripts.

Root Directory/Folder

A directory is a container used to organize folders and files into a

Documents you may be interested

download pdf file from folder in asp.net c# : Modify pdf metadata Library application API .net azure windows sharepoint forensic-explorer-user-guide.en35-part1495