Joint Test Action Group (JTAG)
A hardware interface standard used primarily for testing and debugging embedded systems
Non-Volatile Storage
Storage such as hard drives and SSDs that retains data without power; acquired through forensic imaging rather than live capture
Order of Volatility
Sequence in which digital evidence should be collected during a forensic investigation
Registers and CPU cache
Routing tables, ARP cache, process tables, kernel statistics, and RAM
Temporary file systems or swap space
Disks
Remote logging and monitoring data
Physical configurations and network topologies
Archival media such as backup tapes
Forensic Imaging
Process of creating an exact bit-by-bit copy of digital data from a storage device to preserve its integrity for use in court
Slack Space
Unused space between the end of a file's data and the end of the last cluster (allocation unit) assigned to it; may still hold fragments of previously deleted data
dd
Native to Unix/Linux systems, creates a bit-by-bit copy of a storage device; has no built-in hashing, so the image must be verified separately
dcfldd
Forensic version of the dd command, developed at the US Department of Defense Computer Forensics Laboratory (DCFL) to enhance dd for forensic data acquisition and secure wiping
Includes on-the-fly hashing, hash logging, and progress indicators for forensic work
FTK Imager
Creates bit-by-bit copies, automates hash generation, and ensures data integrity of both the original and the copy
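The imaging and verification workflow that dd, dcfldd, and FTK Imager perform, as an added example that is not part of the original page: a constructed 1 MiB file stands in for the evidence device, dd makes the bit-by-bit copy, and source and image are hashed and compared. The file names and the helper functions are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: acquire a bit-by-bit image with dd and verify it by hashing.
# The "device" here is a constructed regular file; a real acquisition would
# read something like /dev/sdb behind a hardware write blocker.
set -u

# hash_file FILE: print the SHA-256 digest of FILE (sha256sum on Linux,
# shasum on BSD/macOS).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# make_sample_device FILE: constructed stand-in for evidence media, 256 blocks
# of 4096 bytes of random data (an exact multiple of the dd block size below).
make_sample_device() {
  dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

# acquire_image SRC IMG: bit-by-bit copy. conv=noerror keeps going past read
# errors and conv=sync pads an unreadable block with zeros so every offset in
# the image still lines up with the source. Caveat: sync also pads a final
# partial block, so choose bs equal to the device sector size or the image
# hash will not match the source hash.
acquire_image() {
  dd if="$1" of="$2" bs=4096 conv=noerror,sync 2>/dev/null
}

# verify_image SRC IMG: hash both, print both, succeed only if they match.
# dcfldd's hash=sha256 hashlog=FILE and FTK Imager's verification do the
# same job during the copy instead of afterwards.
verify_image() {
  src_hash=$(hash_file "$1")
  img_hash=$(hash_file "$2")
  printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash"
  [ "$src_hash" = "$img_hash" ]
}

# Demo run against the constructed sample device.
work=$(mktemp -d)
make_sample_device "$work/evidence.dev"
acquire_image "$work/evidence.dev" "$work/evidence.img"
if verify_image "$work/evidence.dev" "$work/evidence.img"; then
  echo "image verified"
else
  echo "HASH MISMATCH: image is not a faithful copy" >&2
fi
rm -rf "$work"
```

Record the printed digests with the image as part of the chain of custody; any later change to the image, even one appended byte, changes the SHA-256 and is detected on re-verification. The equivalent one-liner with dcfldd is `dcfldd if=/dev/sdb of=evidence.img hash=sha256 hashlog=evidence.sha256`.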
Reverse Engineering
Breaks down software or hardware components to understand their structure, functionality, and potential vulnerabilities
Bytecode
Low-level representation of code that can be executed by virtual machines
Acts as an intermediate form between high-level programming and machine code for platform-independent execution
Binary Code
Machine-level code that the computer directly executes and is made up of ones and zeroes
Disassembly
Process of converting binary code into assembly language to analyze how the software operates
Decompilation
Translates executable code into a higher-level language for easier understanding
binwalk
Inspects firmware images to extract components like archives, file systems, and executable code for reverse engineering
hexdump
Used to display binary files in a human-readable hexadecimal format, allowing analysts to examine the structure and content of a file
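A miniature version of what binwalk does on top of a hex dump, as an added example that is not part of the original page or of binwalk's own code: a constructed firmware-like blob is dumped with hexdump (or od), then scanned for file-type magic bytes at byte-aligned offsets. The blob layout, the signature table, and the function names are assumptions for illustration only.

```shell
#!/bin/sh
# Added example: binwalk-style signature scan built from od, awk and sort.
# Constructed sample firmware and a tiny magic table; not binwalk itself.
set -u

# pad N: emit N zero bytes.
pad() { dd if=/dev/zero bs=1 count="$1" 2>/dev/null; }

# make_sample_firmware FILE: constructed blob with known contents:
#   offset  0: 16-byte fake vendor header
#   offset 16: gzip magic (1f 8b 08)
#   offset 32: start of a 64-bit little-endian ELF header (7f 45 4c 46 ...)
#   offset 64: SquashFS magic "hsqs"
make_sample_firmware() {
  {
    printf 'VNDRHDR'; pad 9             # 16-byte vendor header   (offset  0)
    printf '\037\213\010'; pad 13       # gzip magic + filler     (offset 16)
    printf '\177ELF\002\001\001'; pad 25  # ELF e_ident prefix    (offset 32)
    printf 'hsqs'                       # SquashFS magic          (offset 64)
    printf 'end'                        # trailing bytes
  } > "$1"
}

# show_hex FILE: human-readable hex view, the manual way to spot the same magic.
show_hex() {
  if command -v hexdump >/dev/null 2>&1; then hexdump -C "$1"; else od -A x -t x1 -v "$1"; fi
}

# Signature table: hex pattern followed by a description (binwalk's magic
# files, in miniature).
SIGNATURES='7f454c46 ELF executable
1f8b08 gzip compressed data
68737173 SquashFS filesystem (little-endian)
504b0304 Zip archive'

# scan_signatures FILE: print "offset 0xOFFSET description" for every
# byte-aligned occurrence of each signature, sorted by offset.
scan_signatures() {
  hex=$(od -An -v -tx1 "$1" | tr -d ' \n')   # whole file as one hex string
  printf '%s\n' "$SIGNATURES" | while read -r pat desc; do
    printf '%s\n' "$hex" | awk -v pat="$pat" -v desc="$desc" '
      {
        s = $0; base = 0
        while ((i = index(s, pat)) > 0) {
          pos = base + i - 1                # 0-based position in the hex text
          if (pos % 2 == 0)                 # odd positions straddle two bytes
            printf "%d 0x%X %s\n", pos / 2, pos / 2, desc
          s = substr(s, i + 1); base += i   # keep searching after this hit
        }
      }'
  done | sort -n
}

# Demo: dump the constructed blob, then list what a carver would extract.
work=$(mktemp -d)
make_sample_firmware "$work/fw.bin"
show_hex "$work/fw.bin"
echo "--- signatures found ---"
scan_signatures "$work/fw.bin"
rm -rf "$work"
```

The offsets the scan prints are exactly what you would feed to dd (`skip=`) or to binwalk's extraction to carve each component out; real firmware needs a far larger signature set and sanity checks on the header fields that follow the magic, since four bytes of coincidence inside random or compressed data produce false positives.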
strace
Tracks the system calls made by a running binary on Linux, revealing its interactions with the system and suspicious actions like unauthorized file access; because it executes the binary, run untrusted samples only in an isolated environment
ldd
Identifies the shared libraries a binary relies on, to understand dependencies and detect malicious modifications; on some systems ldd works by invoking the binary's dynamic loader, so for untrusted binaries prefer static inspection with readelf -d or objdump -p
Incident Response Process (the four phases defined in NIST SP 800-61)
Preparation
Detection and Analysis
Containment, Eradication, and Recovery
Post-Incident Activity