Cyber Forensics Final Exam - Parry (Cedarville University)

1. Cyber Forensics - The application of computer science to identify, collect, examine, and analyze data while preserving its integrity and maintaining a strict chain of custody.

2. Incident Response Process - Comprises preparation, detection, analysis, containment, eradication/recovery, and post-incident activities.

3. Preparation in Incident Response - Involves proactive measures like planning, training staff, acquiring forensics tools, and conducting regular exercises.

4. Chain of Custody - A documented process ensuring evidence is not tampered with from collection to courtroom presentation.

5. Detection in Incident Response - Reactive phase where incidents are identified via Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), user reports, ISPs, or law enforcement.

6. Analysis in Incident Response - Involves collecting and analyzing memory, log/registry files, network activity, and disk images to determine the root cause and threat actor's actions.

7. Order of Volatility - Collect volatile data (e.g., CPU cache, system memory) before less volatile data (e.g., disk images, registry entries) to preserve rapidly changing information.

8. Containment in Incident Response - Stopping a threat actor from pivoting to other resources, communicating with command and control (C2), or exfiltrating data without alerting them prematurely.

9. 1-10-60 Rule - Detect threats in 1 minute, understand them within 10 minutes, and respond within 60 minutes.

10. Eradication and Recovery - Terminate access, remove malware, change compromised accounts, restore backups, and perform audits and vulnerability scans.

11. Post-Incident Activity - Document lessons learned, write a detailed report, and conduct a thorough analysis to improve future responses.

12. CSIRT - Computer Security Incident Response Team tasked with both proactive (hardening systems) and reactive (responding to incidents) security measures.

13. Incident Response Framework - Includes the CSIRT structure, Incident Response Charter, service catalog, and operational procedures for managing incidents.

14. Digital Forensics - Supports the incident response process by providing evidence and analysis, often during the analysis and post-incident phases.

15. Incident Response Plan - High-level document that outlines the organizational approach to incidents, including personnel, communication plans, and training exercises.

16. Incident Classification - Assigns levels (high, medium, low) to incidents based on severity, such as ransomware (high) or policy violations (low).

17. Incident Response Playbooks - Step-by-step guidelines for handling specific scenarios like malware or phishing.

18. Evidence Acquisition - Collecting forensic evidence using methods like imaging disks, preserving logs, and maintaining chain of custody.

19. Rules of Evidence - Govern admissibility in court, emphasizing relevance, authentication, and expert testimony.

20. Forensically Sound Evidence - Evidence obtained without altering its integrity, verified using methods like hashing, and documented thoroughly.

21. Incident Detection Methods - Include monitoring tools like EDR, SIEM, and anomaly detection via user reporting or third parties.

22. Containment Challenges - Balancing rapid response to threats while avoiding alerting attackers prematurely.

23. CSIRT Roles - Include analysts, engineers, and coordinators responsible for executing and managing the incident response process.

24. Memory Acquisition - High-priority step for volatile data collection, often performed using tools like FTK Imager or WinPMem.

25. Digital Forensic Process - Steps include identification, preservation, collection, examination, analysis, and presentation.

26. Windows Registry Analysis - Investigating forensic artifacts stored in the registry, such as autostart entries and user preferences.

27. Forensic Triage - Quick collection of critical evidence to accelerate incident analysis while full data imaging is underway.

28. Autostart Extension Points (ASEP) - Registry keys used by malware for persistence, such as Run or RunOnce keys.

29. Prefetch Files - Contain information about the last 8 times an application was executed, useful for tracking program usage.

30. KAPE Tool - Enables efficient collection and processing of evidence via targets and modules, supporting forensic investigations.

31. Diamond Model - A framework linking adversaries, capabilities, infrastructure, and victims in a cyber intrusion.

32. Cyber Kill Chain - A model describing the stages of a cyberattack, including reconnaissance, weaponization, delivery, exploitation, installation, C2, and actions on objectives.

33. Volatility Tool - Used for memory analysis to identify processes, malware, and network connections in memory dumps.

34. Admissibility in Court - Evidence must be collected with proper documentation, chain of custody, and explanation of methods.

35. Post-Incident Lessons - Organizations should review what went well, what didn’t, and improve their response strategies.

36. Memory Smear - Changes in memory during collection that could make parts of a memory dump unusable.

37. Registry Hives - Physical files storing registry data, such as SYSTEM, SOFTWARE, SAM, and user hives like NTUSER.DAT.

38. Evidence Acquisition Tools - Tools like FTK Imager and KAPE assist in capturing forensically sound evidence.

39. Jump Lists - Store information about recently opened files, aiding in forensic investigations of user activity.

40. Shellbags - Registry entries tracking folder access and view preferences, useful in reconstructing user activity.

41. Functional Investigation Methodology - Involves scoping incidents, collecting evidence, correlating data, and reporting findings.

42. Persistence Mechanisms - Techniques like ASEPs and scheduled tasks used by malware to maintain access.

43. Timeline Analysis - Combines evidence from multiple sources to construct a chronological sequence of events.

44. Forensic Tool Suites - Examples include Autopsy, EnCase, and Volatility Workbench for analyzing forensic evidence.

45. Forensic Jump Kits - Portable kits containing tools, write blockers, and documentation for onsite evidence collection.

46. Network Containment - Methods such as isolating infected systems or blocking malicious command and control traffic.

47. Threat Intelligence - Gathering data on threat actors and their techniques to inform defensive strategies.

48. APT Groups - Advanced Persistent Threat actors identified through behaviors and infrastructure patterns.

49. Volatility Plugins - Modules like pstree, malfind, and netscan used for specific memory analysis tasks.

50. Critical Laws - Include 18 USC § 1030 (Computer Fraud and Abuse Act), which addresses unauthorized access and related crimes.

51. Best Evidence Rule - Requires original evidence unless exceptions apply, emphasizing the importance of proper preservation.

52. Incident Impact Assessment - Evaluating the confidentiality, integrity, and availability affected by an incident.

53. Physical Security - Ensuring physical access controls complement digital security measures during investigations.

54. Reporting - Communicating findings clearly to stakeholders, including technical details and executive summaries.

55. Security Orchestration, Automation, and Response (SOAR) - Platforms integrating incident response workflows and automating repetitive tasks.

56. Data Carving - The process of recovering specific data fragments from a larger dataset without metadata, often used in forensic investigations.

57. Steps in Data Carving - (1) Identify raw data sectors or file fragments within the dataset; (2) use tools (e.g., Scalpel, Foremost) to search for known file signatures; (3) extract the identified fragments; (4) validate the integrity of the recovered data using hash comparison or manual review; (5) document the carving process for forensic reporting.

58. Additional Disk Analysis - Deep examination of disk images to uncover hidden, deleted, or corrupted files using tools like EnCase or FTK.

59. Network Analysis - Investigating network traffic to identify anomalies, malicious activity, or data exfiltration using tools like Wireshark or Zeek.

60. SIEM (Security Information and Event Management) - A centralized platform for monitoring, analyzing, and responding to security events in real-time.

61. Malware Analysis - The process of dissecting malicious software to understand its behavior, origin, and impact, employing static and dynamic analysis techniques.

62. Non-Traditional Evidence Collection - Gathering unconventional data sources such as IoT devices, cloud environments, or encrypted files for forensic examination.

63. Packet Capture Analysis - Reviewing network packet data to trace malicious activities or communications, typically performed using tcpdump or Wireshark.

64. Log Correlation - Combining logs from multiple sources (e.g., firewalls, IDS, SIEM) to identify patterns and anomalies in incident investigations.

65. Disk Imaging - Creating exact replicas of storage media to preserve data integrity and support detailed forensic analysis.

66. Encrypted Disk Analysis - Techniques for handling encrypted storage devices, including decryption attempts and memory extraction for encryption keys.

67. Command and Control Traffic Analysis - Identifying and blocking malicious communication channels used by attackers to control compromised systems.

68. Behavioral Malware Indicators - Observing malware execution in a sandbox to identify behaviors like file creation, registry changes, and network activity.

69. YARA Rules - Customizable rules used to identify malware or specific patterns in files and processes, often integrated into forensic workflows.

70. Cloud Forensics - Analyzing data stored in cloud environments while addressing challenges like access permissions and multi-tenant architecture.

71. IoT Forensics - Investigating Internet of Things devices to extract evidence such as logs, communication data, and firmware artifacts.