Module 07 — Reference
Forensic Glossary
A quick reference for the technical terms that appear across Academy modules and expert reports. Each entry gives a plain-language definition and a concrete example.
Terms A – Z
Adversarial principle
What it is: the procedural principle that guarantees each party the right to challenge evidence presented by the other.
Example: the defence's technical consultant files a new report using a different methodology to contest the conclusions of the official examiner.
C2PA
What it is: an open standard that embeds a cryptographically signed manifest in images and videos with information about how and where the content was created.
Example: an Adobe Firefly image carries aiAsserted: true in its C2PA manifest with a valid signature — any laboratory reads the same result.
Chain of custody
What it is: a chronological, documented record of who collected, transported and accessed a piece of evidence at each step, from discovery to proceedings.
Example: a WhatsApp export with an SHA-256 hash recorded before submission to court has a preserved chain of custody; the same file without that record can be challenged.
Criminal forensic examiner
What it is: a state-employed examiner (hired through competitive public examination) who works exclusively in criminal investigations by state delegation. Unlike a private examiner, they cannot be hired by the parties.
Example: the criminal forensic examiner from the Civil Police is assigned to examine the seized phone; the parties have no say in who performs that examination.
Deepfake
What it is: AI-synthesised video or audio that replaces or animates the face or voice of a real person in existing content.
Example: a video that appears to show an executive announcing mass layoffs, but was generated by AI from real recordings, is a deepfake.
Diffusion model
What it is: a generative AI architecture that creates images by starting from random noise and removing it in guided steps until coherent content emerges.
Example: Midjourney, DALL-E and Adobe Firefly use diffusion models; the absence of sensor noise in the generated image is one of their forensic markers.
ELA — Error Level Analysis
What it is: a technique that compares a JPEG image to a re-compressed version to detect regions with inconsistent error levels, indicating editing or compositing.
Example: a face digitally pasted onto a document photo shows a different error level from the background in the ELA heat map.
Evidence
What it is: a trace after technical examination that demonstrates its connection to the investigated fact.
Example: the same photo, with editing marks detected in its metadata, becomes evidence of tampering.
EXIF
What it is: a metadata standard embedded in digital images that records camera, date, time and GPS coordinates of the capture.
Example: a crime scene photo has GPS coordinates in its EXIF block that locate the exact spot where it was taken, cross-referenceable with nearby security cameras.
Expert report
What it is: a technical document produced by the forensic examiner describing the method, findings and conclusions of the examination.
Example: a report attesting that a PDF was modified after signing is the documentary proof in a contractual fraud proceeding.
Forensic copy
What it is: a bit-by-bit reproduction of a digital medium, including deleted files and unallocated space, with a hash proving fidelity to the original.
Example: the forensic image of a seized hard drive is used by the examiner for analysis; the original remains untouched and sealed.
Forensic examiner
What it is: any professional with a university degree qualified to conduct forensic examination and sign technical reports for use in legal or extrajudicial proceedings. Can be hired by either party.
Example: a physician hired by the defence to review a toxicology report acts as a forensic examiner — in that context also called a technical consultant, since they were appointed by a party.
Hash
What it is: a fixed-length alphanumeric code generated by a mathematical function that represents a file's content. Any change to the file produces a different hash.
Example: the SHA-256 hash of a contract PDF is a3f8...d291; changing one comma produces f7c2...b104 — completely different.
Homograph attack
What it is: an attack that replaces letters in a domain with visually identical characters from another alphabet, creating URLs that appear legitimate.
Example: pаypal.com with a Cyrillic "а" looks identical to paypal.com but is a fake site — the difference is invisible to the naked eye.
Integrity manifest
What it is: a documented record containing the file's hash, date, time and the responsible party's identification — used as a reference to verify the file has not been altered.
Example: before emailing a medical report, the doctor generates a manifest with the SHA-256 hash; any later version can be compared against this record.
Metadata
What it is: data stored inside a file that describes how, when and by whom it was created — invisible in the normal view but readable by forensic tools.
Example: a smartphone photo carries date, time and GPS coordinates in its EXIF block, invisible in the image itself but recoverable in a forensic examination.
Phishing
What it is: an attack that uses fake messages or pages to trick the victim into handing over credentials, personal data or making payments.
Example: an email with the bank's exact layout asks for password confirmation via a link; the link leads to a fake page that captures the credentials.
Pix scam
What it is: fraud that uses urgency, fake payment confirmations or social engineering to induce Pix transfers before any real transaction exists.
Example: the fraudster sends a forged Pix receipt as proof of payment and demands delivery of the product before the money appears in the account.
SHA-256
What it is: a cryptographic hash algorithm that produces a 64-character hexadecimal sequence. The current standard in digital forensics; no known collisions.
Example: sha256sum contract.pdf always returns the same 64-character sequence as long as the file is not changed.
Social engineering
What it is: psychological manipulation that exploits trust, urgency or fear to induce the victim to act against their own interest.
Example: a fraudster calls pretending to be a bank employee, creates urgency around a "suspicious transaction" and convinces the victim to transfer money.
Spoofing
What it is: falsification of identity in digital communication — can apply to email addresses, phone numbers, IP addresses or website domains.
Example: an SMS received from a number that looks like the real bank's, but the message is fake and its link leads to the fraudster's site.
Synthetic content
What it is: a file (image, audio, video or text) produced by artificial intelligence without capturing the real world — no camera, microphone or physical scene.
Example: a photo of a "person" generated by Midjourney that does not correspond to anyone real is synthetic content, even if it has the appearance of a photograph.
Technical consultant
What it is: a forensic expert hired by one of the parties to review official reports or produce independent opinions.
Example: the accused company hires a technical consultant to challenge the official expert report filed by the prosecution.
Timestamp
What it is: a record issued by a trusted timestamping authority that binds a hash to a precise moment, proving that the content existed at that time.
Example: a contract with a trusted timestamp proves it was signed before a disputed date, regardless of whether the signing algorithm later becomes outdated.
Trace
What it is: any material element with a potential connection to a fact under legal investigation, before technical examination.
Example: a photo received on WhatsApp that may have been tampered with is a trace until a forensic examiner analyses it.
Voice cloning
What it is: AI audio synthesis that mimics a person's voice from short samples, making it appear they said something they never said.
Example: fraudsters use voice cloning to simulate a family member's voice in a fake emergency call, demanding an urgent money transfer.