Add to collection(s) Add to saved
  1. Social Science
  2. Law
  3. Forensic Science

Effective Date: September 2013

advertisement 
Effective Date: September 2013
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 1: Legal and Ethical Principles ...................................................................................................4
Key Areas of Knowledge ........................................................................................................................4
Domain 2: Investigations .............................................................................................................................6
Overview ...................................................................................................................................................6
Key Areas of Knowledge ........................................................................................................................6
Domain 3: Forensic Science .......................................................................................................................9
Overview ...................................................................................................................................................9
Key Areas of Knowledge ........................................................................................................................9
Domain 4: Digital Forensics...................................................................................................................... 12
Overview ................................................................................................................................................ 12
Key Areas of Knowledge ..................................................................................................................... 12
Domain 5: Application Forensics ............................................................................................................ 16
Overview ................................................................................................................................................ 16
Key Areas of Knowledge ..................................................................................................................... 16
Domain 6: Hybrid and Emerging Technologies .................................................................................... 18
Overview ................................................................................................................................................ 18
Key Areas of Knowledge ..................................................................................................................... 18
REFERENCES ............................................................................................................................................... 20
SAMPLE EXAM QUESTION ......................................................................................................................... 22
GENERAL EXAMINATION INFORMATION ................................................................................................ 23
Computer Based Testing (CBT) ............................................................................................................... 23
Registering for the Exam .......................................................................................................................... 23
Scheduling a Test Appointment ............................................................................................................. 24
Non Disclosure ........................................................................................................................................... 27
Day of the Exam ....................................................................................................................................... 27
Any questions? ...................................................................................................................................... 30
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
1
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
A Cyber Forensics Professional possesses expertise in information technology and is a
recognized expert in forensic techniques and procedures, standards of practice, and legal and
ethical principles that assure the accuracy, completeness and reliability of digital evidence.
This expert level ability is measured against a globally recognized common body of
knowledge.
This Candidate Information Bulletin provides the following:
• Exam blueprint to a limited level of detail that outlines major topics and sub- topics
within the domains,
• Suggested reference list,
• Description of the format of the items on the exam, and
• Basic registration/administration policies
Candidates must meet the following requirements prior to taking the CCFP examination:
•
•
•
•
Candidates must have a four-year degree leading to a Baccalaureate, or regional
equivalent, plus 3 years of full time digital forensics or IT security experience in three
out of six Domains of the credential.
For those candidates who do not hold a four-year degree leading to a
Baccalaureate, or regional equivalent, six years of full time digital forensics or IT
security experience in three out of the six Domains of the credential are required.
For those candidates who do not hold a four-year degree leading to a
Baccalaureate, or regional equivalent, but hold an alternate forensics certification
approved by (ISC)², five years of full time digital forensics or IT security experience in
three out of the six domains of the credential are required. Please see link
https://www.isc2.org/CCFP-experience-waiver for a list of Forensics certifications
approved by (ISC)².
NO ONE may claim both the four-year degree and the alternate certification
exemption.
•
Attest to the truth of his or her assertions regarding professional experience, and
legally commit to abide by the (ISC)² Code of Ethics (Section 3).
•
Before candidates are allowed to take the test at testing centers, they must respond
“yes” or “No” to the following four questions regarding criminal history and related
background:
1. Have you ever been convicted of a felony; a misdemeanor involving a
computer crime, dishonesty, or repeat offenses; or a Court Martial in military
service, or is there a felony charge, indictment, or information now pending
against you? (Omit minor traffic violations and offenses prosecuted in juvenile
court).
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
2
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
2. Have you ever had a professional license, certification, membership or
registration revoked, or have you ever been censured or disciplined by any
professional organization or government agency?
3. Have you ever been involved, or publicly identified, with criminal hackers
or hacking?
4. Have you ever been known by any other name, alias, or pseudonym? (You
need not include user identities or screen names with which you were publicly
identified).
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
3
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 1: Legal and Ethical Principles
Overview
Legal and Ethical Principles domain addresses ethical behavior and compliance with
applicable regulatory frameworks.
CCFP candidates should fully understand legal and ethical principles concepts, methodologies
and their implementation within centralized and decentralized environments across an
organization’s computing environment.
The Candidate needs to display the ability to communicate findings orally (i.e. in court), in
writing and to communicate cohesively with all members of the investigative
team/organization/corporation.
Key Areas of Knowledge
A. Analyze the Nature of Evidence and its Characteristics
A.1
A.2
A.3
A.4
A.5
A.6
Authority to Acquire
Provenance
Reliability/Credibility/Validity
Admissibility
Fragility
Authentication
B. Analyze the Chain of Custody
Initiation
B.1
B.2
Sealing, Labeling and Tagging
B.3
Exchange
B.4
Storage
B.5
Disposition/Destruction
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
4
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
C. Analyze the Significance of Rules of Procedure
Roles and Responsibilities of Investigators
C.1
C.2
C.3
C.4
Roles and Responsibilities of Forensic Examiners
Roles and Responsibilities of Experts
Admissibility of Evidence
D. Analyze the Role of Expert Witness
D.1
D.2
D.3
D.4
D.5
D.6
Bearing, Demeanor and Appearance
Expert as Technician
Expert as Teacher
Expert as Consultant/Advisor
Expert as Learner
Scientific Conclusions, Opinions and Recommendations
E. Apply Codes of Ethics
E.1
E.2
E.3
E.4
E.5
Professional Ethics
(ISC)2 Code of Ethics
AAFS Code of Ethics
ISO Code of Ethics
Privacy and Confidentiality Issues
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
5
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 2: Investigations
Overview
The candidate is expected to demonstrate an understanding of Investigations as it relates to
data communications in local area and wide area networks, remote access,
internet/intranet/extranet configurations. Candidates should be knowledgeable with network
equipment such as switches, bridges and routers, as well as networking protocols (e.g., TCP/IP,
IPSec), and VPNs.
Key Areas of Knowledge
A. Analyze the Investigative Process
A.1
Preparation and Initiation
A.2
Authority and Objectives
A.3
Evidence Collection
A.4
Evidence Transport
A.5
Evidence Analysis and Examination
A.6
Elements of Crime/Allegation
A.7
Chain of Evidence
A.8
Evidence Reporting and Presentation
B. Analyze Evidence Management
Evidence Preservation
B.1
B.2
Evidence Tracking
B.3
Evidence Access Control
B.4
Evidence Disposition
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
6
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
C. Analyze Criminal Investigations
Authority (National/Federal/State/Local/Special) and Limitations
C.1
C.2
Violations
C.3
Elements of a Crime
C.4
Exculpatory Evidence
C.5
Burden of Proof
D. Analyze Civil Investigations
D.1
Authority, Privilege and Limitations
D.2
Torts and Delict
D.3
Nature of Litigants
D.4
Burden of Proof
E. Analyze Administrative Investigations
E.1
Authority, Privilege and Limitations
E.2
Nature of Parties
E.3
Burden of Proof
E.4
Liability
F. Analyze Forensic Response to Security Incidents
F.1
Incident Response Steps
F.2
Business Continuity
F.3
Liability
F.4
Potential Criminal or Civil Action
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
7
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
G. Analyze Electronic Discovery
G.1
Definition of Discovery
G.2
Spoliation
G.3
Scope of Discovery
G.4
Forensic versus Non-Forensic E-Discovery
G.5
E-Discovery Steps
G.6
Liability
H. Analyze Intellectual Property (IP) Investigation
H.1
Types of Intellectual Property (Copyrights, Trademarks, Trade Secrets,
Licensing, Patents)
H.2
Investigation Steps
H.3
Potential Criminal or Civil Action
H.4
Liability
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
8
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 3: Forensic Science
Overview
Forensic Science domain entails applying a broad spectrum of sciences and technologies to
investigate and establish facts in relation to criminal or civil law. The evidence collected must
satisfy suitability for admission as fact and must be able to persuade based upon proof. Forensic
Science is the application of science to law and is ultimately utilized throughout the legal
process.
The candidate is expected to have an understanding of the basic principles of the Forensic
Sciences. Understand how Forensic Science is used in relation to investigations and law. Have
an understanding of how to analyze forensic data and know how to apply Quality
Assurance/Control measures throughout the Forensic process.
Key Areas of Knowledge
A. Analyze Fundamental Principles
A.1
A.2
A.3
A.4
A.5
A.6
Locard’s Principle of Transference
Inman-Rudin Paradigm (identification, Individualization/Classification,
Association and Reconstruction)
Philosophy of Science (e.g., Verification and Falsifiability)
Scientific Method (e.g., Theory, Hypotheses and Experiments)
Characteristics of Forensic Science (e.g., Constrained by Law,
Argumentation Requirements, Documentation Requirements)
Peer Review
B. Analyze Forensic Methods
Identification
B.1
B.2
B.3
B.4
Individualization/Classification
Association
Reconstruction
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
9
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
B. 5
Forensic Examinations/Investigations are Designed to Address one
or more of the above (Inman-Rudin Questions)
C. Analyze Forensic Analysis and Examination Planning
Documentation and Case Notes
C.1
C.2
C.3
C.4
C.5
C.6
C.7
Examination/Investigation Goals
Hypothesis Formulation/Criteria
Experimental Design and Tool Selection
Examination Plan Execution
Results Review and Evaluation
Conclusions and Opinions Formulation
D. Evaluate Report Writing and Presentation
Structured Report Format
D.1
D.2
D.3
D.4
D.5
D.6
Incorporation of Examination Results in the Report
Clarity and Scientific Accuracy
Distinction between Conclusions and Opinions (e.g., Conclusions
supported by Facts; Opinions supported by Science and Experience)
Report Types and their Components
Report/Presentation appropriate to the Audience and Venue
E. Analyze Quality Assurance, Control, Management and Accreditation Procedures
Quality Management System/Plan
E.1
E.2
Quality Assurance (e.g., SOPs, Tool Calibration and Validation)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
10
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
E.3
Quality Control (e.g., Peer Reviews, Administrative Reviews, Program
Reviews)
E.4
Investigator/Examiner Certification and Licensing (e.g., Professional
Certifications, Vendor Certifications, Organizational Certifications)
E.5
Accreditation (e.g., Laboratory, Unit, Organization; e.g., ISO,
ASCLD/LAB)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
11
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 4: Digital Forensics
Overview
Digital Forensics domain refers to the collection of any digital evidence which can be defined
as data stored or transmitted via electronic means. This process will ultimately establish the
timeline of events of what occurred and will be utilized during the legal process within the court
system.
The candidate needs to show a level of competence in Media and File System structures.
Understand the different types of system memory. The CCFP candidate needs to also
understand Network Protocols, Operating Systems, Virtualization, and Mobile Devices.
Key Areas of Knowledge
A. Analyze Media and File System Forensics
Locations where Evidence may Reside
A.1
A.2
Storage Media (e.g., Flash Memory, Cards, CDs/DVDs, Drives, Disk Images)
A.3
Hardware/Firmware/Interfaces
A.4
Partitioning and Disk Geometry (e.g., MBR, RAID)
A.5
File Systems (e.g., NTFS, FAT)
A.6
File Metadata (e.g., Size, Date, Time)
A.7
Encrypted Drives
A.8
Corrupted/Damaged Media
A.9
Media/File System Forensic Process Steps
B. Analyze Computer and Operating Systems Forensics
RAM/CMOS/Volatile Memory (e.g., Live Forensics)
B.1
B.2
Configuration/Control/Registry/Device Drivers
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
12
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
B.3
Operating Systems (e.g., Windows, Linux, Mac, Android, iOS)
B.4
Other Devices (e.g., Printers, Scanners, Fax Machines)
B.5
Computer/OS Forensic Process Steps
C. Analyze Network Forensics
C.1
Types of Networks, Protocols, Operating Systems and Architectures
(e.g., TCP/IP, Wireless, Telecommunications, SANs)
C.2
Network Hardware/Devices (e.g., Routers, Switches, Firewalls, IDS/IPS,
NICs, Servers, Clients, Honeynets)
C.3
P2P Networks and Proxies
C.4
Network Shares
C.5
Network Services
C.6
Log Files
C.7
Network Forensic Process Steps
D. Apply Mobile Device Forensics
Types of Data
D.1
D.2
Locations where Data Resides
D.3
Mobile Device Hardware and Architectures
D.4
Mobile Device Operating Systems (e.g., iOS, Android)
D.5
Non-Invasive versus Invasive Forensics
D.6
Mobile Device Forensic Process Steps
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
13
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
E. Understand Embedded Device Forensics
Types of Embedded Devices (e.g., GPS Devices, Plug Computers,
E.1
Gaming Devices, Credit Card Skimmers)
E.2
Types of Data
E.3
Locations where Data Resides
F. Apply Multimedia and Content Forensics
Types of Multimedia (e.g., images, audio, video)
F.1
F.2
Types of Application Metadata
F.3
Locations where Evidence may Reside (e.g., Headers,
Steganographic/Embedded Data)
F.4
Forensic Process Steps
G. Apply Virtual System Forensics
Types of Virtual Systems
G.1
G.2
Virtual System Architectures
G.3
Locations where Evidence may Reside
G.4
Forensic Process Steps
H. Analyze Forensic Techniques and Tools
Live Forensics
H.1
H.2
Data Recovery
H.3
Password Recovery
H.4
File Carving
H.5
Metadata Carving
H.6
Known File Filtering
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
14
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
H.7
String and Keyword Searching
H.8
Header Analysis
H.9
Timeline Analysis
H.10
Graphical Image Analysis
H.11
Event Correlation
H.12
Cryptanalysis/Steganalysis
H.13
Sandboxing
H.14
Network Sniffing
H.15
Network Traffic Analysis
H.16
Network Path Analysis
H.17
Data Mining
H.18
Evidence Visualization
I. Understand Anti-Forensic Techniques and Tools
Hiding Techniques and Tools (e.g., Encryption, Steganography, Packing,
I.1
Tunneling/Onion Routing)
I.2
Destruction Techniques and Tools (e.g., Wiping, Overwriting, Corruption,
Degaussing)
I.3
Protection/Logging Disabling
I.4
Spoofing (e.g., Address Spoofing, Application and Data Spoofing)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
15
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 5: Application Forensics
Overview
The Application Forensics domain addresses the Forensics complexities of the many application
types that a CCFP candidate may encounter during a forensic investigation. It is important for
the CCFP candidate to have a sound understanding of these application types in order to
support the digital collection of evidence.
The candidate should understand key areas within the application realm to include but not
limited to Databases, Email, Peer to Peer Applications, and Malware.
Key Areas of Knowledge
A. Apply Software Forensics
File Formats
A.1
A.2
Internal File Metadata
A.3
Traces/Remnants and Application Debris (e.g., Registry Entries,
Temporary Files, Spool Files, Page files)
A.4
Software Analysis (e.g., Hashes, Signatures, Patterns, Code
Comparison Techniques)
B. Analyze Web, Email and Messaging Forensics
B.1
B.2
B.3
Web Forensics (e.g., IP Addresses, Protocols, Log Analysis, Scripting,
Backend Applications, Server-Side, Client-Side)
Email Forensics (e.g., Sender/Receiver Attribution, Protocols, Headers,
Types, Content, Attachments, Storage Formats, Signed Email,
Encryption, Email Tracing, Log Files, Server-Side, Client-Side)
Messaging Forensics (e.g., Sender/Receiver Attribution, Protocols,
Formats, Architectures, Content, Log Files, Server-Side, Client-Side)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
16
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
C. Understand Database Forensics
Database Models (e.g., Hierarchical, Network, Relational, ObjectC.1
Oriented, Hybrid)
C.2
C.3
C.4
C.5
Database Systems (e.g., Oracle, MySQL, MSSQL, SQLite, PostgreSQL,
PList, MS Access, Embedded Databases, Ad hoc Database Structures)
Log Analysis
Record Carving
Database Reconstruction
D. Understand Malware Forensics
Malware Types (e.g., Viruses, Worms, Trojans, Botnets, Rootkits, Logic
D.1
Bombs, Advanced Persistent Threat)
D.2
D.3
D.4
Malware Behavior
Malware Impact on Investigations
Malware Analysis Techniques (e.g., Static Analysis and Dynamic
Analysis)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
17
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Domain 6: Hybrid and Emerging Technologies
Overview
The Hybrid and Emerging Technologies domain contains the ever evolving technologies that
the CCFP candidate is expected to have a sound understanding of, i.e. Cloud Computing,
Social Networks, and Industrial Control Systems.
Hybrid and Emerging Technologies covers the practice of applying a comprehensive and
rigorous method for collecting evidence in support of an investigation. These Emerging
Technologies presents new challenges to the field of forensics. It is imperative that the CCFP
candidate understands these developing technologies in order to support the forensics process.
Key Areas of Knowledge
A. Understand Cloud Forensics
A.1
A.2
A.3
A.4
A.5
Types of Cloud Architectures (IaaS, PaaS, SaaS)
Types of Clouds (Public, Private, Hybrid, Community)
Where the Evidence may Reside
Service Level Agreements
Jurisdictional Issues
B. Understand Social Networks
Types/Applications of Social Networks
B.1
B.2
B.3
B.4
Where the Evidence may Reside
Terms of Service
Jurisdictional Issues
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
18
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
C. Understand the Big Data Paradigm
C.1
C.2
Concept of Big Data
Forensic Applications and Implications
D. Understand Control Systems
Concept of Control Systems (e.g., SCADA, DCS, Server, Historian, PLC,
D.1
RTU, IED)
D.2
D.3
Where the Evidence may Reside
Forensic Implications
E. Understand Critical Infrastructure
Concept of Critical Infrastructure
E.1
E.2
Forensic Implications
F. Understand Online Gaming and Virtual/Augmented Reality
Concepts
F.1
F.2
Forensic Implications
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
19
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
REFERENCES
This reference list is NOT intended to be an all-inclusive collection representing the CCFP® Core
Body of Knowledge (CBK®). Its purpose is to provide candidates a starting point for their studies
in domains which need supplementary learning in order to complement their associated level
of work and academic experience. Candidates may also consider other references, which are
not on this list but adequately cover domain content.
Note: (ISC)2 does not endorse any particular text or author and does not imply that any or all
references be acquired or consulted. (ISC)2 does not imply nor guarantee that the study of
these references will result in an examination pass.
Supplementary Reference
Digital Forensics with Open Source Tools. Syngress. Altheide, C., Carvey, H. (2011)
File System Forensic Analysis (2nd ed.). Addison-Wesley Professional.
Carrier, B. (2005).
Computer Forensics: Incident Response Essentials (1st ed.). Addison-Wesley Professional.
MA, E. C. B., Kruse II, W., Heiser, J., (2001)
Digital Evidence and Computer Crime, Third Edition. Academic Press. Casey, E. (2011)
Guide to Computer Forensics and Investigations (4th ed.). Course Technology.
McClure, S., Scambray, J., & Kurtz, G. , Nelson, B., Phillips, A., Steuart, C. (2009)
Hacking Exposed 7: Network Security Secrets & Solutions, Seventh Edition (7th ed.). McGrawHill Osborne Media., McClure, S., Scambray, J., & Kurtz, G. (2012),
The Basics of Digital Forensics. Sammons, J. Syngress, Sammons, J., (2012)
A Guide to Forensic Testimony: The Art and Practice of Presenting Testimony as an Expert
Technical Witness. Addison-Wesley Professional. Smith, F., Bace, R. (2002)
Handbook of Digital Forensics and Investigation. Academic Press. Casey, E. (2009)
SQL Server Forensic Analysis. Addison-Wesley Professional. Fowler, K. (2008)
Computer Evidence: Collection and Preservation, Second Edition. Course Technology PTR.
Brown, C. (2009)
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
20
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Clifford, Ralph D., Cybercrime: The Investigation, Prosecution and Defense of a ComputerRelated Crime. Ralph D. Clifford, CYBERCRIME: THE INVESTIGATION, PROSECUTION AND
DEFENSE OF A COMPUTER-RELATED CRIME, Carolina Academic Press, (2011). Available at
SSRN: http://ssrn.com/abstract=287574
Malware Forensics: Investigating and Analyzing Malicious Code. Syngress. Malin, C., Eoghan,
C., Aquilina, J. (2008)
Digital Forensics for Legal Professionals. Syngress. Daniel, L., Daniel, L. (2011)
Cisco Router and Switch Forensics: Investigating and Analyzing Malicious Network Activity.
Syngress. Liu, D. (2009)
Cyber Crime Investigations. Syngress. Reyes, A., Brittson, R., O’Shea, K., Steele, J. (2007)
Android Forensics: Investigation, Analysis, and Mobile Security for Google Android. Syngress.
Hoog, A. (2011)
iPhone and iOS Forensics. Syngress. Hoog, A., Strzempka, K. (2011)
Virtualization and Forensics A Digital Forensic Investigator’s Guide to Virtual Environments.
Syngress. Barrett, D., Kipper, G. (2010)
Digital Triage Forensics: Processing the Digital Crime Scene. Syngress. Pearson, S. (2010)
System Forensics, Investigation, and Response. Jones & Bartlett Learning. Vacca, J., Rudolph,
K. (2010)
Scientific Working Group on Digital Evidence.
https://www.swgde.org/documents/Current%20Documents
Incident Response & Computer Forensics, Second Edition. McGraw-Hill Osborne Media.
Mandia, K., Prosise, C., Pepe, M (2003)
Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal
Investigations. U.S. Justice Department.
http://www.justice.gov/criminal/cybercrime/docs/ssmanual2009.pdf
Investigations Involving the Internet and Computer Networks. U.S. Department of Justice. NIJ
Special Report. https://www.ncjrs.gov/pdffiles1/nij/210798.pdf
Forensic Examination of Digital Evidence: A Guide for Law Enforcement. U.S. Department of
Justice. NIJ Special Report. https://www.ncjrs.gov/pdffiles1/nij/199408.pdf
NIST SP 800-86 Guide to Integrating Forensic Techniques into Incident Response.
http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
21
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
SAMPLE EXAM QUESTION
A Cyber Forensic Analyst is collecting evidence for possible use in a criminal case against a
former employee. The organization has a Virtual Desktop Infrastructure implemented. The
Analyst must collect all necessary evidence to support the investigation. The Analyst
understands that he or she must maintain and protect the chain of custody. Next of importance
to the Analyst is the actual Data Acquisition.
1.
With virtualization, the Analyst needs to acquire which of the following to support the
investigation?
(A)
The virtual disk, memory files, and metadata files.
(B)
The image of the Operating System.
(C)
Perform a log collection on the suspected system.
(D)
A MD5 hash of the Operating System.
Answer – A
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
22
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
GENERAL EXAMINATION INFORMATION
Computer Based Testing (CBT)
Registering for the Exam
Process for Registration Overview
This section describes procedures for candidates registering to sit for a Computer Based Test
(CBT). The test is administered at Pearson VUE Testing centers in the US, Canada, and other
parts of the world.
1. Go to www.pearsonvue.com/isc2 to register for a test appointment.
2. Select the most convenient test center
3. Select an appointment time.
4. Pay for your exam appointment.
5. Receive confirmation from Pearson VUE with the appointment details, test center
location and other relevant instructions, if any.
Please note that your registration information will be transferred to (ISC)² and all
communication about the testing process from (ISC)² and Pearson VUE will be sent to you via
email.
Fees
Please visit the (ISC)² website https://www.isc2.org/certification-register-now.aspx for the most
current examination registration fees.
U.S. Government Veteran’s Administration G.I. Bill
The U.S. Department of Veterans Affairs has approved reimbursement to veterans under the G.I.
Bill for the cost of the Certified Information System Security Professional (CISSP), the CISSP
Concentrations (ISSAP, ISSEP, ISSMP), the Certification and Accreditation Professional (CAP), and
the System Security Certified Practitioner (SSCP) examinations. Please refer to the U.S.
Department of Veterans Affairs Website at www.va.gov for more details.
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
23
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
CBT Demonstration
Candidates can experience a demonstration and tutorial of the CBT experience
on our Pearson VUE web page. The tutorial may be found at
www.pearsonvue.com/isc2.
Scheduling a Test Appointment
Process for Registration Overview
Candidates may register for a testing appointment directly with Pearson VUE (
www.pearsonvue.com/isc2 ). Candidates who do not pass the test will be subject to the retake
policy and must wait the applicable time before they are allowed to re-sit for the examination.
Exam Appointment
Test centers may fill up quickly because of high volume and previously scheduled special
events. Pearson VUE testing centers also serve candidates from other entities; thus waiting to
schedule the testing appointment may significantly limit the options for candidate’s desired
testing dates at the closest center available.
Scheduling for a Testing Appointment
Candidates may schedule their appointment online at (ISC)² CBT Website located at
www.pearsonvue.com/isc2. Candidates will be required to create a Pearson VUE account in
order to complete registration. Candidates profile will be transferred to (ISC)² and becomes
part of the candidate’s permanent record. Candidates will be able to locate test centers and
select from a choice of available examination appointment times at the Pearson VUE website.
Candidates may also register over the telephone with a CBT registration specialist. Please refer
to ‘Contact Information’ for local telephone numbers for your region.
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
24
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Rescheduling or Cancellation of a Testing Appointment
If you wish to reschedule or cancel your exam appointment, you must contact Pearson VUE at
least 48 hours before the exam date by contacting Pearson VUE online
(www.pearsonvue.com/isc2), OR at least 24 hours prior to exam appointment time by
contacting Pearson VUE over the phone. Canceling or rescheduling an exam appointment less
than 24 hours via phone notification, or less than 48 hours via online notification is subject to a
forfeit of exam fees. Exam fees are also forfeited for no-shows. Please note that, Pearson VUE
charges a 50 USD/35 £/40 € fee for reschedules, and 100 USD/70 £/80 € fee for cancellations.
Reschedules and cancellations may be done at the (ISC)² CBT Candidate Website
(www.pearsonvue.com/isc2) or via telephone. Please refer to ‘Contact Information’ for more
information and local telephone numbers for your region.
Late Arrivals or No Shows
If the candidate does not arrive within 15 minutes of the scheduled exam starting time, he or
she has technically forfeited his or her assigned seat.
If the candidate arrives late (after 15 minutes of his/her scheduled appointment), it is up to the
discretion of the testing center as to whether or not the candidate may still take the exam. If the
test administrator at the testing location is able to accommodate a late arriving candidate,
without affecting subsequent candidates’ appointments, he/she will let the candidate to sit for
the exam and launch his/her exam.
Any/all attempts are made to accommodate candidates who arrive late. However, if the
schedule is such that the test center is not able to accommodate a late arrival, the candidate
will be turned away and his/her exam fees will be forfeited.
If a candidate fails to appear for a testing appointment, the test result will appear in the system
as a No-Show and the candidate’s exam fees will be forfeited.
Procedure for Requesting Special Accommodations
Pearson VUE Professional Centers can accommodate a variety of candidates’ needs, as they
are fully compliant with the Americans with Disability Act (ADA), and the equivalent
requirements in other countries.
Requests for accommodations should be made to (ISC)² in advance of the desired testing
appointment. Once (ISC)² grants the accommodations request, the candidate may schedule
the testing appointment using Pearson VUE’s special accommodations number. From there, a
Pearson VUE coordinator will handle all of the arrangements.
PLEASE NOTE: Candidates that request special accommodations should not schedule their
appointment online or call the main CBT registration line.
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
25
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
What to Bring to the Test Center
Proper Identification
(ISC)² requires two forms of identification, a primary and a secondary, when checking in for a
CBT test appointment at a Pearson VUE Test Center. All candidate identification documents
must be valid (not expired) and must be an original document (not a photocopy or a fax).
Primary IDs: Must contain a permanently affixed photo of the candidate, along with the
candidate’s signature.
Secondary IDs: Must have the candidate’s signature.
Accepted Primary ID (photograph and signature, not expired)
• Government issued Driver’s License or Identification Card
• U.S. Dept of State Drivers License
• U.S. Learner’s Permit (card only with photo and signature)
• National/State/Country Identification Card
• Passport
• Passport Cards
• Military ID
• Military ID for spouses and dependents
• Alien Registration Card (Green Card, Permanent Resident Visa)
• Government Issued local language ID (plastic card with photo and signature
• Employee ID
• School ID
• Credit Card* (A credit card can be used as a primary form of ID only if it contains both a
photo and a signature and is not expired. Any credit card can be used as a secondary
form of ID, as long as it contains a signature and is not expired. This includes major credit
cards, such as VISA, MasterCard, American Express and Discover. It also includes
department store and gasoline credit cards.
Accepted Secondary ID (contains signature, not expired)
• U.S. Social Security Card
• Debit/(ATM) Card
• Credit Cards
• Any form of ID on the primary list
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
26
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Name Matching Policy
Candidate’s first and last name on the presented identification document must exactly match
the first and last name on the registration record with Pearson VUE. If the name the candidate
has registered with does not match the name on the identification document, proof of legal
name change must be brought to the test center on the day of the test. The only acceptable
forms of legal documentation are marriage licenses, divorce decrees, or court sanctioned legal
name change documents. All documents presented at the test center must be original
documents. If a mistake is made with a name during the application process, candidates
should contact (ISC)² to correct the information well in advance of the actual test date. Name
changes cannot be made at the test center or on the day of the exam. Candidates who do
not meet the requirements presented in the name matching policy on the day of the test may
be subject to forfeiture of testing fees and asked to leave the testing center.
Non Disclosure
Prior to starting the exam, all candidates are presented with (ISC)² non-disclosure agreement
(NDA), and are required in the computer to accept the agreement prior to being presented
with exam questions. If the NDA is not accepted by the candidate, or refused to accept within
the time allotted, the exam will end, and the candidate will be asked to leave the test center.
No refund of exam fees will be given. For this reason, all candidates are strongly encouraged to
review the non-disclosure agreement prior to scheduling for, or taking the exam.
The agreement is located at www.pearsonvue.com/isc2/isc2_nda.pdf.
Day of the Exam
Check-In Process
Plan to arrive at the Pearson VUE testing center at least 30 minutes before the scheduled testing
time. If you arrive more than 15 minutes late to your scheduled appointment, you may lose your
examination appointment. For checking-in:
•
•
•
•
You will be required to present two acceptable forms of identification.
You will be asked to provide your signature, submit to a palm vein scan, and have
your photograph taken. Hats, scarves and coats may not be worn in the testing room,
or while your photograph is being taken.
You will be required to leave your personal belongings outside the testing room.
Secure storage will be provided. Storage space is small, so candidates should plan
appropriately. Pearson Professional Centers assume no responsibility for candidates’
personal belongings.
The Test Administrator (TA) will give you a short orientation, and then will escort you to
a computer terminal. You must remain in your seat during the examination, except
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
27
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
when authorized to leave by test center staff. You may not change your computer
terminal unless a TA directs you to do so.
Raise your hand to notify the TA if you
•
•
•
•
believe you have a problem with your computer.
need to change note boards.
need to take a break.
need the administrator for any reason.
Breaks
You will have up to six hours to complete the CISSP, up to four hours to complete the CSSLP and
CCFP and up to three hours to complete the following examinations:
• SSCP
• CAP
• ISSAP
• ISSEP
• ISSMP
Total examination time includes any unscheduled breaks you may take. All breaks count
against your testing time. You must leave the testing room during your break, but you may not
leave the building or access any personal belongings unless absolutely necessary (e.g. for
retrieving medication). Additionally, when you take a break, you will be required to submit to a
palm vein scan before and after your break.
Technical Issues
On rare occasions, technical problems may require rescheduling of a candidate’s examination.
If circumstances arise causing you to wait more than 30 minutes after your scheduled
appointment time, or a restart delay lasts longer than 30 minutes, you will be given the choice
of continuing to wait, or rescheduling your appointment without an additional fee.
•
•
•
If you choose to wait, but later change your mind at any time prior to beginning or
restarting the examination, you will be allowed to take exam at a later date, at
no additional cost.
If you choose not to reschedule, but rather test after a delay, you will have no
further recourse, and your test results will be considered valid.
If you choose to reschedule your appointment, or the problem causing the delay
cannot be resolved, you will be allowed to test at a later date at no additional
charge. Every attempt will be made to contact candidates if technical problems
are identified prior to a scheduled appointment.
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
28
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Testing Environment
Pearson Professional Centers administer many types of examinations including some that
require written responses (essay-type). Pearson Professional Centers have no control over typing
noises made by candidates sitting next to you while writing their examination. Typing noise is
considered a normal part of the computerized testing environment, just as the noise of turning
pages is a normal part of the paper-and pencil testing environment. Earplugs are available
upon request.
When the Exam is Finished
After you have finished the examination, raise your hand to summon the TA. The TA will collect
and inventory all note boards. The TA will dismiss you when all requirements are fulfilled.
If you believe there was an irregularity in the administration of your test, or the associated test
conditions adversely affected the outcome of your examination, you should notify the TA
before you leave the test center.
Results Reporting
Candidates will receive their unofficial test result at the test center. The results will be handed
out by the Test Administrator during the checkout process. (ISC)² will then follow up with an
official result via email.
In some instances, real time results may not be available. A comprehensive statistical and
psychometric analysis of the score data is conducted during every testing cycle before scores
are released. A minimum number of candidates are required to take the exam before this
analysis can be completed. Depending upon the volume of test takers for a given cycle, there
may be occasions when scores are delayed for approximately 4-6 weeks in order to complete
this critical process. Results WILL NOT be released over the phone. They will be sent via email
from (ISC)² as soon as the scores are finalized. If you have any questions regarding this policy,
you should contact (ISC)² prior to your examination.
Retake Policy
Test takers who do not pass the exam the first time will be able to retest after 30 days. Test
takers that fail a second time will need to wait 90 days prior to sitting for the exam again. In the
unfortunate event that a candidate fails a third time, the next available time to sit for the exam
will be 180 days after the most recent exam attempt. Candidates are eligible to sit for (ISC)²
exams a maximum of 3 times within a calendar year.
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
29
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
Recertification by Examination
Candidates and members may recertify by examination for the following reasons ONLY;
•
•
The candidate has become decertified due to reaching the expiration of the time limit
for endorsement.
The member has become decertified for not meeting the number of required continuing
professional education credits.
Logo Usage Guidelines
(ISC)² is a non-profit membership organization identified as the leader in certifying individuals in
information security.
Candidates who successfully complete any of the (ISC)² certification requirements may use the
appropriate Certification Mark or the Collective Mark, where appropriate, and the logo
containing the Certification Mark or the Collective Mark, where appropriate (the “Logo”) to
identify themselves as having demonstrated the professional experience and requisite
knowledge in the realm of information system security. Please visit the following link (URL) for
more information on logo use:
https://www.isc2.org/uploadedfiles/(ISC)2_Public_Content/Legal _and _Policies/LogoGuidleines.pdf
Any questions?
(ISC)2 Candidate Services
311 Park Place Blvd, Suite 400
Clearwater, FL 33759
Phone: 1.866.331.ISC2 (4722) in the United States
1.727.785.0189 all others
Fax: 1.727.683.0785
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
30
Certified Cyber Forensics Professional (CCFPSM)
Candidate Information Bulletin
Effective Date September 2013
2013 International Information Systems Security Certification Consortium, Inc. All Rights Reserved. Duplication for commercial
purposes is prohibited.
Rev #06.05.13, Rev 2
31
Related documents
Forensics – Chapters 1-3 Study Guide Helpers
Forensics – Chapters 1-3 Study Guide Helpers
Developing Curriculum
Developing Curriculum
review3
review3
Senior Software Engineer - Computer Science Job Board
Senior Software Engineer - Computer Science Job Board
Download
advertisement