Official (ISC)2® Guide to the CCFP CBK
Apple Academic Press Inc. (publisher)
978-1-4822-6247-6 (ISBN)
- Title is out of print; no new edition
Official (ISC)2® Guide to the CCFP® CBK® supplies an authoritative review of the key concepts and requirements of the Certified Cyber Forensics Professional (CCFP®) Common Body of Knowledge (CBK®). Encompassing all of the knowledge elements needed to demonstrate competency in cyber forensics, it covers the six domains: Legal and Ethical Principles, Investigations, Forensic Science, Digital Forensics, Application Forensics, and Hybrid and Emerging Technologies.
Compiled by leading digital forensics experts from around the world, the book provides the practical understanding in forensics techniques and procedures, standards of practice, and legal and ethical principles required to ensure accurate, complete, and reliable digital evidence that is admissible in a court of law.
This official guide supplies a global perspective of key topics within the cyber forensics field, including chain of custody, evidence analysis, network forensics, and cloud forensics. It also explains how to apply forensics techniques to other information security disciplines, such as e-discovery, malware analysis, or incident response.
Utilize this book as your fundamental study tool for achieving the CCFP certification the first time around. Beyond that, it will serve as a reliable resource for cyber forensics knowledge throughout your career.
Editor-in-Chief: Dr. Peter Stephenson is a cyber criminologist, digital investigator, and digital forensic scientist at Norwich University (Vermont). He is a writer, researcher, and lecturer on information assurance, digital investigation, and forensics on large-scale computer networks. He has lectured extensively on digital investigation and security, and has written, edited, or contributed to 19 books and several hundred articles in major national and international trade, technical, and scientific publications. He is an associate professor teaching network attack and defense, digital forensics, and cyber investigation on both the graduate and undergraduate levels. Dr. Stephenson is the chief information security officer for the university and is the director of the Norwich University Center for Advanced Computing and Digital Forensics. He has received the Distinguished Faculty Award in the College of Graduate and Continuing Studies. He has lectured or delivered consulting engagements for the past 37 years in 11 countries plus the United States and has been a technologist for 50 years. He operated a successful consulting practice for over 20 years and has worked for such companies as Siemens, Tektronix, and QinetiQ (UK). Dr. Stephenson began his information assurance career in 1964 as a crypto tech in the US Navy.
Domain 1: Legal and Ethical Principles
References
The Nature of Evidence and its Characteristics
Cyber Forensics
Digital Evidence
The Investigative Process
Use of Evidence in Legal Proceedings
Authenticity and Reliability
Terms to Know
Points to Ponder
References
Chain of Custody
Initiating a Chain of Custody
Logging and Tracking Evidence
Marking, Securing, and Protecting Evidence
Computers and Laptops
Removable Media
Cell Phones and Other Electronic Devices
Storing Evidence
Transferring Evidence within an Agency
Transferring Evidence to Another Agency
Rules of Procedure
Roles and Responsibilities of Investigators
Roles and Responsibilities of Forensic Examiners
Roles and Responsibilities of Experts
Admissibility of Evidence
Terms to Know
Points to Ponder
Role of the Expert Witness
Types of Witnesses
The Rules of Expert Testimony
Expert Testimony Standards and Key Court Cases
Qualifying as an Expert in Court
Expert Roles
Scientific Conclusions, Opinions and Recommendations
Bearing, Demeanor, and Appearance
Correcting Testimony
Depositions
Legal Terms to Know
Codes of Ethics
Demystifying the Code of Ethics
Ethical Decision Making
The Need for Ethics in Digital Forensics
The Training of Ethics in Digital Forensics
The Regulation of Ethics in Digital Forensics
The Privacy and Confidentiality Issues of Digital Forensics
Work-Product Doctrine
Attorney-Client Privilege and Confidentiality
The Special Obligations of Litigation Support in Digital Forensics
The Legality of Investigation Techniques in Digital Forensics
Ethics
(ISC)2 Code of Ethics
AAFS Code of Ethics
ISFCE Code of Ethics and Professional Responsibility
Points to Ponder
Endnotes
Domain 1: Review Questions
Domain 2: Investigations
The Investigative Process
The Investigation Process
Addressing the Complaint
Case Preparation Phase
Routine Investigative Activities: A Jumping-Off Point for Any Investigation
The Perishable Nature of Data
Team Effort
Seeking Out Sources of Data
Let the Experts Do It
Putting It All Together
Follow-Up
References
Evidence Management
Evidence Issues
Evidence Preservation
Tracking Evidence
Disposing of Evidence
Points to Ponder
For Further Thought
References
Criminal Investigations
Criminal versus Civil Actions
Launching a Criminal Investigation
Elements of a Crime
What is a Crime?
Points to Ponder
For Further Thought
References
Civil Investigations
Civil Investigator
Civil versus Criminal
Methods, Privileges, and Limitations of Civil Investigators
Nature of Litigants
Torts
Burden of Proof
Points to Ponder
References
Administrative Investigations
A Definition of Administrative Investigations
Employee Misbehavior and Corruption
The Role of the Inspector General
Evidence Found in Workplace Technology
Confidentiality
Points to Ponder
References
Forensic Response to Security Incidents
Implementing an Incident Response Plan
Ensuring Business Continuity
Understanding and Limiting Liability
Avoiding Legal Issues
Attaining Certification
Points to Ponder
Electronic Discovery
Defining Discovery
Understanding Spoliation
Noting Changes in E-Discovery Law
Limiting Scope of Discovery
Choosing Forensic or Non-Forensic E-Discovery
Forensic E-Discovery
Non-Forensic E-Discovery
Following an E-Discovery Standard
Reviewing Liability
Points to Ponder
Intellectual Property Investigations
Intellectual Property Investigations
Types of Intellectual Property
Investigation Steps
Potential Criminal Action
Liability
Points to Ponder
Domain 2: Review Questions
Domain 3: Forensic Science
Fundamental Principles
Introduction to Forensic Science
Locard’s Principle of Transference
The Inman-Rudin Paradigm
The Philosophy of Science
The Scientific Method
The Characteristics of Forensic Science
References
Forensic Science Processes
The Purpose of Forensic Examination
Identification
The Digital Evidence Categorization Model
Individualization/Classification
Association
Reconstruction
Relational Analysis
Functional Analysis
Temporal Analysis
References
Forensic Analysis and Examination
Documentation and Case Notes
Examination/Investigation Goals
Hypothesis Formulation/Criteria
Experimental Design and Tool Selection
Examination Plan Execution
Results Review and Evaluation
Conclusion and Opinion Formulation
Points to Ponder
For Further Thought
Report Writing and Presentation
Rational for Reporting
Preparing for the Reporting Phase
Designing Your Report
Incorporation of Examination Results in the Report
Conclusions and Opinions
Clarity and Scientific Accuracy
Report/Presentation appropriate to the Audience and Venue
Points to Ponder
For Further Thought
Quality Assurance in Forensic Science
Introduction
Quality, Quality Control, and Quality Assurance
Quality Assurance Practices in Digital Forensics
General Quality Assurance in the Digital Forensic Process
Quality Assurance Practices with Regards Laboratory Software
Quality Assurance Practices Regarding Laboratory Hardware
Forensic Practitioner Certification and Licensing
Formal Laboratory Accreditation Programs
Issues with Quality Assurance in Forensic Science
References
Domain 3: Review Questions
Domain 4: Digital Forensics
Media and File System Forensics
Locations where Evidence May Reside
Storage Media
Hardware, Firmware, Interfaces
Disk Geometry and Partitioning
Disk Geometry
Disks, Volumes, and Partitions
DOS Partitions
Dynamic Disks and RAID Systems
RAID Implementation
File Systems
NTFS File System
MFT Concepts
MFT Entry Attributes
MFT Entry’s Internal Structure
MFT’s Index Attributes for Directories
MFT’s $DATA Attribute
NTFS File System Forensics
File Metadata
Encrypted Drive
Corrupted/Damaged Media
Media/File System Forensic Process Steps
Points to Ponder
References
Computer and Operating System Forensics
Technical Background
Live Forensics
Operating Systems
References
Network Forensics
Network Forensics
TCP/IP
Points to Ponder
For Further Thought
References
Mobile Device Forensics
Evidence Collection and Preservation
Types of Mobile Devices
GPS Devices
Cell Phones/Tablets
Vendor Identification
Carrier Identification
Network Identification/Classification
Physical Characteristics of a Cell Phone
Smart Phones vs. Feature Phones
Examination Preparation
Tools
Tool Classification
Processing and Examination
Verification
Reporting
References
Embedded Device Forensics
Technical Background
Types of Devices
Multimedia and Content Forensics
Introduction to Multimedia Evidence
The Role of Multimedia Evidence in Investigations
Multimedia File Formats
Embedded Multimedia
Steganography
References
Virtual System Forensics
Types of Virtual Machines
Types of Virtual Machines
Products
VMWare Workstation
VMWare Fusion
Virtual PC
Parallels
VirtualBox
Virtualization Forensics
Forensic Techniques and Tools
Getting Started
Points to Ponder
For Further Thought
References
Anti-Forensic Techniques and Tools
Hiding Techniques
Encryption
Steganography
Packing
Destruction Techniques and Tools
Spoofing
References
Points to Ponder
Domain 4: Review Questions
Domain 5: Application Forensics
Software Forensics
File Formats
Internal File Metadata
Traces of Execution
HKLM/Software
Software Analysis
Points to Ponder
For Further Thought
Web, Email, and Messaging Forensics
Web Forensics
How the Internet Works
Email Forensics
Messaging Forensics
Database Forensics
The Need for Data
Points to Ponder
References
Malware Forensics
Introduction to Malware
Types of Malware
Malware Analysis
Points to Ponder
References
Domain 5: Review Questions
Domain 6: Hybrid and Emerging Technologies
Cloud Forensics
Cloud Computing
The Five Essential Characteristics of Cloud Computing
Types of Cloud Service Models
Types of Cloud Deployment Models
Service Level Agreements
Cloud Forensics
Dimensions of Cloud Forensics
Challenges for Forensic Investigators
Jurisdictional Issues
References
Social Networks
Types and Applications of Social Networks
Evidentiary Basis of Social Media
Location of Social Networking Information
Third Party Doctrine
The Big Data Paradigm
Digital Surveillance Technology (DST)
Points to Ponder
References
Control Systems
Control Systems
SCADA
Distributed Control System
Forensics on Control Systems
References
Points to Ponder
For Further Thought
Critical Infrastructure
Critical Infrastructure
Critical Infrastructure and SCADA
Critical Infrastructure at the Organizational Level
IT and Communications Sectors
Transmission Line Redundancy
Digital Threat Detection, Prevention, and Mitigation
Computer Forensics and Critical Infrastructure
Points to Ponder
References
Online Gaming and Virtual/Augmented Reality
Online Gaming
Virtual Reality
Augmented Reality vs. Virtual Reality
Augmented Reality
Uses of Augmented Reality
Social Challenges of Augmented Reality
Points to Ponder
For Further Thought
Domain 6: Review Questions
Appendix A: Answers to Domain Review Questions
Index
Publication date (per publisher) | 9.9.2014 |
---|---|
Series | ISC2 Press |
Additional info | 27 Tables, black and white; 193 Illustrations, black and white |
Place of publication | Oakville |
Language | English |
Dimensions | 178 x 254 mm |
Weight | 1860 g |
Subject area | Computer Science ► Networks ► Security / Firewall |
 | Mathematics / Computer Science ► Computer Science ► Theory / Study |
 | Computer Science ► Further Topics ► Certification |
 | Law / Taxes ► Criminal Law ► Criminology |
ISBN-10 | 1-4822-6247-9 / 1482262479 |
ISBN-13 | 978-1-4822-6247-6 / 9781482262476 |
Condition | New |