If you only learn five terms, learn these: BFU/AFU (whether a phone has been unlocked since reboot, which controls what can be acquired), Advanced Data Protection (when iCloud goes end-to-end encrypted and Apple can no longer comply with a warrant), FRE 902(14) (the self-authentication rule that lets forensic extracts come into evidence without live testimony), CSLI (the warrant-required cell tower history defined by Carpenter), and hash value (the math that proves a copy matches the original).
A
Advanced Data Protection (ADP): Optional Apple iCloud feature that end-to-end encrypts most iCloud categories including iCloud Backup, Drive, Photos, Notes, and Wallet. When enabled, Apple does not hold the encryption keys and cannot produce plaintext content in response to legal process (Apple Legal Process Guidelines, October 2025).
AFU (After First Unlock): A mobile device state in which the user has unlocked the phone at least once since boot. Class B and C encryption keys are loaded into the Secure Enclave (iOS), or Credential-Encrypted storage is available (Android). Most user data is reachable to an authorized examiner.
APFS: Apple File System, used on all current iPhone, iPad, and Mac devices. Uses copy-on-write and per-file encryption keys, which substantially reduce the recoverability of deleted data on modern Apple Silicon.
B
BFU (Before First Unlock): A mobile device state in which the phone has rebooted and has not yet been unlocked. Most user data partitions remain locked under hardware-bound encryption, so contacts, messages, photos, and most app data are unavailable. iOS 18 and later return idle phones to BFU after roughly 72 hours.
Business Email Compromise (BEC): An attack class in which criminals compromise or spoof a business email account to redirect wires, payroll, or vendor payments. Per the FBI IC3 2024 Annual Report, BEC caused $2.77 billion in reported U.S. losses across 21,442 complaints in 2024.
C
Call Detail Record (CDR): Carrier-generated metadata for each call: numbers, timestamps, duration. Contains no call content. Federal regulation 47 C.F.R. 42.6 requires carriers to retain toll records for at least 18 months.
Carpenter v. United States: 585 U.S. 296 (2018). U.S. Supreme Court decision holding that the government generally must obtain a warrant to access seven days or more of historical cell-site location information.
Cell-Site Location Information (CSLI): Historical records from a wireless carrier showing which cell towers a phone connected to over time. Subject to the warrant requirement of Carpenter.
Chain of Custody: The continuous documented record of every person who handled an item of evidence, every transfer, every storage location, and every action taken. In digital cases it also includes hash values at each step.
CloudTrail Event History: AWS account-level log of management events, enabled by default in every Region. Retains the past 90 days; longer retention requires configuring a Trail that delivers to S3 or another log lake.
Contact Key Verification: Apple iMessage feature introduced in iOS 17.2 that lets users verify no unexpected encryption keys have been inserted into Apple’s key directory, defending against sophisticated key-server attacks.
D
Data Exfiltration: The unauthorized transfer of data from a system or organization to an attacker-controlled destination. Common channels: cloud uploads, encrypted tunnels, email, USB removable media, and DNS tunneling.
Direct Boot (Android): Android capability that lets certain apps (alarms, accessibility) run after boot but before the user unlocks the device, using only Device-Encrypted storage.
Dwell Time: The total elapsed time between an attacker’s initial access and the defender’s detection. IBM CODB 2025 reported a global mean of 241 days to identify and contain a breach.
E
E2E Encrypted Backup (WhatsApp): WhatsApp’s optional backup encryption (available since 2021) that protects iCloud or Google Drive backups with a key held only by the user or stored in WhatsApp’s hardware security module. When enabled, neither Apple, Google, nor Meta can produce plaintext.
F
File-Based Encryption (FBE): The Android encryption model splitting storage into Device-Encrypted (available pre-authentication) and Credential-Encrypted (post-credential) domains. Required on all Android 10+ launches.
Fla. Stat. 90.803(6): Florida’s business records exception to hearsay. Records of regularly conducted business activity, including carrier records and cloud platform records, are admissible when authenticated by a custodian or qualified witness.
Fla. Stat. 90.901: Florida’s basic authentication rule, requiring evidence sufficient to support a finding that the matter is what its proponent claims. Applies to all digital evidence.
Forensic Image: A bit-for-bit copy of a storage medium produced under a controlled process and verified by hash. All subsequent analysis is performed on the working copy; the original is sealed.
FRE 902(13): Federal Rule of Evidence 902(13), effective December 1, 2017. Self-authenticates a certified record generated by an electronic process or system.
FRE 902(14): Federal Rule of Evidence 902(14), effective December 1, 2017. Allows a record copied from an electronic device or storage medium to be self-authenticated through a certification that the copy was made by a process of digital identification (typically hash verification).
Full File System Extraction: Mobile extraction method that captures the complete file system, including app sandbox contents, system databases, and many deletion artifacts. Increasingly limited on current locked iPhones and flagship Android devices.
Financial Sextortion: Extortion scheme in which a perpetrator obtains intimate images of a victim (often a minor) and demands money under threat of distribution. NCMEC received approximately 100 reports per day in 2024; FinCEN issued a formal advisory in September 2025.
G
Geofence Warrant: A search warrant directing a provider (typically Google) to disclose accounts whose location placed them within a geographic perimeter during a specified time. The U.S. Supreme Court granted certiorari in United States v. Chatrie on January 20, 2026.
Google Takeout: Google service that lets an account holder export their Gmail, Drive, Photos, Chrome history, Maps timeline, YouTube history, and other account data. Commonly used in civil litigation when the account holder cooperates.
H
Hash Value: A fixed-length cryptographic fingerprint (e.g., SHA-256) derived from a file’s contents. Identical files produce identical hashes; any change of even one bit changes the hash. Hashing is the standard mechanism for proving forensic copies match originals.
I
iCloud Backup: Apple’s whole-device cloud backup. Includes most app data, Camera Roll, iMessage/SMS when iCloud Messages is enabled, call history, and HomeKit configuration. End-to-end encrypted only when ADP is on.
Insider Threat: A current or former employee, contractor, or trusted partner who misuses authorized access to harm an organization. Forensic indicators include unusual data staging, USB exfiltration, personal cloud uploads, and email-to-self before departure.
K
Keyword Warrant: A search warrant directing a search provider to disclose accounts that ran queries containing specified terms during a window. Constitutionality remains unresolved at the federal circuit level as of late 2026.
L
Litigation Hold: A written directive issued by counsel to preserve relevant electronically stored information once litigation is reasonably anticipated. Failure to honor a litigation hold can result in spoliation sanctions.
Logical Acquisition: A mobile extraction method that copies only user-accessible files and databases through normal device interfaces. Faster and less invasive than full file system extraction but recovers less deleted data.
N
NCMEC CyberTipline: The National Center for Missing & Exploited Children’s federal reporting mechanism for suspected online child sexual exploitation. Received 20.5 million reports in 2024.
P
Phishing: Social engineering that tricks a user into giving up credentials, installing malware, or authorizing a fraudulent transaction. Part of the 60 percent of breaches Verizon DBIR 2025 attributes to the human element.
R
Ransomware: Malware that encrypts or steals data and demands payment. Verizon DBIR 2025 found ransomware in 44 percent of analyzed breaches; Coveware Q3 2025 put the average payment at $376,941 and the overall payment rate at a historical-low 23 percent.
RCS (Rich Communication Services): IP-based replacement for SMS/MMS supported on most modern Android devices and on iPhone since iOS 18. Carrier networks do not store RCS content.
Recently Deleted: Apple’s 30-day grace period for deleted Photos and Messages on iOS 26 before permanent purge. Content in Recently Deleted is recoverable via standard logical acquisition; content past the window is generally not directly recoverable from the device.
Riley v. California: 573 U.S. 373 (2014). Unanimous U.S. Supreme Court decision holding that law enforcement must generally obtain a search warrant before examining the digital contents of a cell phone seized incident to arrest.
S
Sealed Sender (Signal): Signal protocol feature that encrypts the sender identity inside the message envelope so Signal infrastructure cannot determine which user sent a given message.
Secure Enclave: A hardware-isolated processor on Apple devices that handles cryptographic operations and enforces passcode-attempt rate limiting. It is the reason brute-force passcode attacks on current iPhones are not publicly demonstrated.
Spoliation: The destruction, alteration, or failure to preserve evidence in pending or reasonably foreseeable litigation. Courts can sanction spoliating parties up to and including case-terminating sanctions.
SQLite VACUUM: A SQLite command (or automatic process) that rebuilds the database, repacking pages and freeing space held by deleted rows. After a vacuum, previously deleted data is generally no longer recoverable from the database file.
U
Unified Audit Log (UAL): Microsoft 365’s tenant-wide log of user and admin activity across Exchange, SharePoint, OneDrive, Teams, and Entra ID. Default retention is 180 days under Purview Audit Standard for events on or after October 17, 2023; one year under Audit Premium; extendable to 10 years with an add-on SKU.
W
WAL (Write-Ahead Log): A SQLite database journal mode that stages new transactions in a separate file before they are checkpointed back into the main database. WAL files can contain forensic artifacts that have not yet been merged or vacuumed.
Write Blocker: A hardware or software device that allows read access to a storage medium while preventing any write operation. Used during forensic imaging to guarantee the source media is not altered.
Missing a term you need?
Tell us what to add. We refresh this glossary every quarter so it stays current with iOS, Android, cloud platform, and case-law changes.