CySA+

Digital Forensics

  • Forensics Scenarios

    • How a security incident happened

    • Confirm if a crime has happened

    • Collecting incriminatory evidence

    • Determining data exposure

    • Checking for compliance

  • Forensic Procedures

    • Identification

      • Secure the crime scene

      • What are we looking for? Scope?

    • Collection

      • Authorization

      • Use the right tools

    • Analysis

      • Copies of collected data

      • Disk images

      • Memory

      • Chain of custody

    • Reporting

      • Methods

      • Conclusions

  • Legal Hold – Preserving information relevant to pending or anticipated litigation (suspends routine deletion and retention schedules)

  • Endpoint Forensics – Collecting forensic data from workstations

    • Data acquisition – in order of volatility (RFC 3227), most volatile first

      • CPU registers and cache

      • Memory: dump contents, routing table, ARP table, process table, kernel statistics, Windows registry (hives loaded in memory)

      • Persistent mass storage (including free space)

      • Remote logging and monitoring

      • Physical system configuration and network topology

      • Archival media (offline)
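The order-of-volatility list above is what a live-triage script works through before the disk is touched. The following collector is an added example for this page, not a script from the course notes: it runs on a Linux host, captures each volatile artifact to its own file in the order shown, records a SHA-256 of every file in a manifest, and can re-verify the files afterwards. The output directory, the artifact names and the choice of /proc files are assumptions; anything the host lacks is skipped and noted so the manifest still states what was and was not collected.

```shell
#!/bin/sh
# Added example: live triage in order of volatility with a hashed manifest.
# Not part of the course notes. Assumes a Linux host with sha256sum; tools
# or /proc files that are missing are recorded as SKIP rather than failing.
set -u

OUT="${1:-${TMPDIR:-/tmp}/triage.$$}"     # output directory (assumed name)
ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# collect NAME CMD ARGS...: run a command, keep its output, log the hash.
# A failing command still leaves whatever it printed, which is evidence too.
collect() {
    name=$1; shift
    file="$OUT/$name.txt"
    if ! command -v "$1" >/dev/null 2>&1; then
        printf '%s  SKIP  %s  (%s not available)\n' "$(ts)" "$name" "$1" >> "$OUT/manifest.txt"
        return 0
    fi
    "$@" > "$file" 2>&1 || true
    printf '%s  OK    %s  sha256=%s  cmd=%s\n' "$(ts)" "$name" \
        "$(sha256sum "$file" | cut -d' ' -f1)" "$*" >> "$OUT/manifest.txt"
}

# collect_file NAME PATH: same, for kernel state exposed as a /proc file.
collect_file() {
    if [ -r "$2" ]; then collect "$1" cat "$2"
    else printf '%s  SKIP  %s  (%s not readable)\n' "$(ts)" "$1" "$2" >> "$OUT/manifest.txt"; fi
}

collect_all() {
    mkdir -p "$OUT"
    : > "$OUT/manifest.txt"
    # Most volatile first: what the kernel holds right now.
    collect      01-clock     date -u
    collect_file 02-uptime    /proc/uptime
    collect_file 03-loadavg   /proc/loadavg
    collect_file 04-meminfo   /proc/meminfo
    collect_file 05-arp       /proc/net/arp
    collect_file 06-routes    /proc/net/route
    collect      07-processes ps -e -o pid,ppid,user,etime,args
    collect_file 08-mounts    /proc/mounts
    # Less volatile: configuration that survives a reboot, collected last.
    collect      09-kernel    uname -a
    collect_file 10-hosts     /etc/hosts
    # Hash the manifest itself so the whole collection can be sealed.
    sha256sum "$OUT/manifest.txt" | cut -d' ' -f1 > "$OUT/manifest.sha256"
}

# Re-hash every OK artifact against the manifest; returns 1 on any change.
verify_collection() {
    grep '  OK    ' "$OUT/manifest.txt" | while read -r t s name rest; do
        want=${rest#sha256=}; want=${want%% *}
        have=$(sha256sum "$OUT/$name.txt" | cut -d' ' -f1)
        [ "$want" = "$have" ] || { echo "MISMATCH $name"; return 1; }
    done
}

collect_all
verify_collection && echo "collection sealed in $OUT"
```

Run it as root on the suspect host from removable media or a trusted toolkit, not from binaries on the compromised disk, and copy the output directory off the box before proceeding to disk imaging; the manifest and its hash are what go into the chain-of-custody record for the volatile data.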

  • Forensic Workstations

    • Strict control, hardened, completely isolated

    • Write blockers – make the evidence drive read-only to the workstation

  • Memory Acquisition – Most valuable source of information for running systems

    • Can store cryptographic information: keys, passwords

    • Methods:

      • Live acquisition – requires administrator/root (kernel-level) privilege on the running system

      • Crash dump

      • Hibernation file

      • Page file

  • Disk Image Acquisition

    • Performed bit by bit, including free space

    • Live acquisition vs static (shutdown)

    • Write blocker – blocks any write operations to a drive which can corrupt integrity of evidence

    • Imaging Utilities

      • dd on Linux (dcfldd and dc3dd are forensic variants that hash and log while imaging)

    • Hashing (SHA-2, MD5) – hash the source and the image; matching values prove the copy is exact. MD5 is collision-prone, so record SHA-256 as the primary hash and MD5 at most as a secondary, legacy value

      • Windows

        • certutil -hashfile .\cridex.vmv SHA256

      • Linux

        • md5sum

        • sha256sum (also sha1sum, sha512sum)

    • File carving – Reconstructing files from fragments or from deleted/unallocated areas using file headers and footers rather than file system metadata

  • Chain of Custody

    • Keeping track of how evidence is handled and who handles it (who, what, when, where, why for every transfer)

    • Purpose is to prove that integrity was preserved
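The Disk Image Acquisition and Chain of Custody items above describe one procedure: image bit for bit, hash source and image, and record who did what and when so the integrity of the copy can be proven later. The script below is an added example written for this page, not code from the course notes. A constructed 1 MiB file stands in for the evidence drive so it runs offline; on a real case EVIDENCE would be a block device behind a write blocker (for example /dev/sdb), and the case number, paths and log format are assumptions.

```shell
#!/bin/sh
# Added example: dd imaging, hash verification, chain-of-custody log.
# Not part of the course notes. The "drive" is a constructed file; the
# case number and paths are assumed. Requires dd, sha256sum, grep, sed.
set -u

WORK="${TMPDIR:-/tmp}/imaging-demo.$$"
EVIDENCE="$WORK/evidence.bin"        # stand-in for the suspect drive
IMAGE="$WORK/case001.dd"
LOG="$WORK/case001-custody.log"
ts() { date -u +%Y-%m-%dT%H:%M:%SZ; }
hash_of() { sha256sum "$1" | cut -d' ' -f1; }

# Build the sample "drive": mostly zeros (free space) with one string
# planted in unallocated space, the kind of remnant file carving recovers.
make_sample_drive() {
    mkdir -p "$WORK"
    dd if=/dev/zero of="$EVIDENCE" bs=1024 count=1024 2>/dev/null
    printf 'SECRET-PLAN.TXT' | dd of="$EVIDENCE" bs=1 seek=4096 conv=notrunc 2>/dev/null
}

# Hash the source, image it, hash the image. Matching hashes prove the copy
# is exact and that imaging did not alter the source. conv=noerror,sync
# keeps going past read errors and zero-pads the bad block so later
# offsets in the image still line up with the drive.
acquire_image() {
    src=$(hash_of "$EVIDENCE")
    dd if="$EVIDENCE" of="$IMAGE" bs=4096 conv=noerror,sync 2>/dev/null
    img=$(hash_of "$IMAGE")
    printf '%s  ACQUIRE  src=%s  img=%s  sha256_src=%s  sha256_img=%s  by=%s\n' \
        "$(ts)" "$EVIDENCE" "$IMAGE" "$src" "$img" "$(id -un)" >> "$LOG"
    [ "$src" = "$img" ]
}

# Re-hash the image against the value recorded at acquisition. Any later
# change shows up here; this is the integrity claim the custody log supports.
verify_image() {
    recorded=$(grep ' ACQUIRE ' "$LOG" | tail -n 1 | sed 's/.*sha256_img=\([0-9a-f]*\).*/\1/')
    current=$(hash_of "$IMAGE")
    if [ "$recorded" = "$current" ]; then result=match; else result=MISMATCH; fi
    printf '%s  VERIFY   img=%s  sha256=%s  result=%s  by=%s\n' \
        "$(ts)" "$IMAGE" "$current" "$result" "$(id -un)" >> "$LOG"
    [ "$result" = match ]
}

# Free space was imaged too, so the planted remnant is in the image even
# though no file system entry points at it.
remnant_in_image() { grep -aq 'SECRET-PLAN' "$IMAGE"; }

# Simulate a stray write to the image: the kind of change a write blocker
# prevents on the source and a hash check catches on the copy.
tamper_image() { printf 'X' | dd of="$IMAGE" bs=1 seek=0 conv=notrunc 2>/dev/null; }

make_sample_drive
acquire_image && echo "acquired: source and image hashes match"
remnant_in_image && echo "remnant found in unallocated space of the image"
verify_image && echo "image still matches its acquisition hash"
cat "$LOG"
```

Work only on a second copy of the image; the original image and its recorded hash are what the log vouches for, and every hand-off of the drive or the image gets its own dated, signed line in the same log.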

  • Network Forensics

    • Capturing traffic from network segments

    • Host vs network capture

  • Mobile Device Forensics

    • Device locks

    • Encryption

    • Faraday bags/cages – block radio so the device cannot receive a remote wipe or lock command

    • Call data extraction

    • Carrier logs

    • Geolocation history

  • Virtualization Forensics

    • Hypervisor can read the memory inside virtual machines

    • Disk data is already in image format

    • Fragmentation due to thin disk allocation


Last updated 2 years ago