ITSY Key Acronyms/terms Module 6

1. Some of you are new to Information Security (InfoSec) and some are experienced practitioners looking for some additional education/certification.

2. The biggest part of learning anything new is getting a grasp of the professional vocabulary, and with all things IT/infosec related that means acronyms... spoiler alert -- there are a LOT of them.

3. What to do:
   a. If it is an acronym, spell it out (remember these terms are relevant to cyber security).
   b. Provide a brief definition in your own words.
   c. Use the acronym/term in a few sentences explaining how it is relevant to cyber security, for instance:

   Example: A+ - is a CompTIA certification and is generally considered the first in the series. The A+ certification covers the following areas of IT knowledge/skills: installing, maintaining, customizing, and operating personal computers. Before I was able to take the CompTIA Network+ exam I had to first take and pass the A+ exam. Having the A+ certification on my resume helped me land my first computer repair job.

4. Each acronym/term should require about 3-4 sentences in order to really define and describe it (remember to use your own words; please do not just copy and paste from an internet search).

Term/Acronym

SWGDE – The Scientific Working Group on Digital Evidence is an organization tasked with developing regulations, quality assurances, and standards for the gathering, safeguarding, and investigating of digital evidence, which it makes available through its publications. The organization aims to establish an exchange of forensic techniques, ideas, and collaboration among countries. SWGDE has long-standing relationships with private forensics companies, banks, retail stores, the Departments of Justice, Defense, and Homeland Security, county police, and other law enforcement agencies.

File slack – also known as slack space, this is the unused part of the storage allocated to a file that remains after the file's data has been stored. The file slack remains when the file gets deleted, and it is from this that a forensic analyst can uncover deleted files from that sector of the drive. File slack is made possible by random bytes of data from memory that the system's operating system writes into the sectors.

Wear-leveling – This is an algorithmic process intended to extend the life expectancy of solid-state drives under prolonged use. There are two types of wear-leveling: dynamic wear-leveling writes data to the least-used of the free flash blocks, while static wear-leveling reduces wear by moving data onto the barely used flash blocks. The idea of wear-leveling is to make the most of a drive for optimal use.

Partition gap – is the unused space that exists between multiple partitions created on a drive. This space/gap can be used as storage to hide data. Often, partition gaps are not visible in the file system but can be accessed using a disk editor utility.

Least significant bit – is the lowest bit of a number in a binary string, the one at the far right of the string (depending on how the computer orders its bits). The least significant bit has little effect on the value of the string. The least significant bit can be used as a hash function to quickly find items in a database.

Defense in depth – This is a combination of multiple layers of security defenses laid on top of one another to protect important data. The idea of defense in depth is to keep providing protection even if one layer fails. Defense in depth layers can be administrative, physical, or technical controls.

OOV – Order of Volatility is the procedure a forensic examiner is expected to follow when acquiring evidence: collect it from the most volatile to the least volatile. The Internet Engineering Task Force (IETF) published the required OOV as follows: Registers, Cache; Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory; Temporary File Systems; Disk; Remote Logging and Monitoring Data that is Relevant to the System in Question; Physical Configuration, Network Topology; and Archival Media.

KFF – The Known File Filter (KFF) is a utility that compares known hash values against the files in an evidence catalog. The filter analyzes files to determine which need to be identified, which can be ignored, and which should be flagged for notification. The KFF architecture has two fundamental parts: the KFF server, which processes and stores data, and the KFF data, the known hashes that are analyzed against the evidence.

Block-wise hashing – This is a process in which sectors of data are hashed and then compared against the sectors of the evidence drive. This is done to determine whether there is any underlying data that was not retrieved.

Raster images – Raster images, also referred to as bitmap images, are typically formed from photocopied or scanned images. They are made up of a grid of rectangular pixels and color tones that merge to form an image. Raster images are best used for precise graphics or artwork and are very specific to the resolution or format of the image being reproduced or scanned.
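As an added example that is not part of this assignment or any source it cites, the following Python simulates a tiny disk image to show two of the entries above together: how file slack keeps the remains of a deleted file after a smaller file is written into the same cluster, and how block-wise hashing (sector hashes of a known file, in the spirit of the KFF's known-hash matching) locates those remains in the image. Sector and cluster sizes, the "deleted" document and the new file are all constructed values chosen for illustration.

```python
import hashlib

SECTOR = 512          # bytes per sector (constructed, typical value)
CLUSTER = 4 * SECTOR  # 2048-byte clusters (constructed, small for illustration)


def build_image(num_clusters: int) -> bytearray:
    """Constructed 'disk image': every cluster starts as zero bytes."""
    return bytearray(num_clusters * CLUSTER)


def write_file(image: bytearray, start_cluster: int, data: bytes) -> int:
    """Store a file at start_cluster. Only the file's own bytes are written,
    so the tail of its last cluster (the file slack) keeps whatever was
    there before. Returns the number of slack bytes the file leaves."""
    offset = start_cluster * CLUSTER
    image[offset:offset + len(data)] = data
    used_in_last = len(data) % CLUSTER
    return 0 if used_in_last == 0 else CLUSTER - used_in_last


def slack_bytes(image: bytearray, start_cluster: int, file_len: int) -> bytes:
    """Return the slack region: from the end of the file's data to the end
    of the last cluster it occupies."""
    end = start_cluster * CLUSTER + file_len
    cluster_end = (end + CLUSTER - 1) // CLUSTER * CLUSTER
    return bytes(image[end:cluster_end])


def sector_hashes(data: bytes) -> dict:
    """Block-wise hashing of a known file: one SHA-256 per full sector.
    Returns {hex digest: sector index within the known file}."""
    return {
        hashlib.sha256(data[i:i + SECTOR]).hexdigest(): i // SECTOR
        for i in range(0, len(data) - SECTOR + 1, SECTOR)
    }


def scan_image(image: bytearray, known: dict) -> list:
    """Hash every sector of the evidence image and report
    (image sector, known-file sector) pairs whose hashes match."""
    hits = []
    for s in range(len(image) // SECTOR):
        digest = hashlib.sha256(bytes(image[s * SECTOR:(s + 1) * SECTOR])).hexdigest()
        if digest in known:
            hits.append((s, known[digest]))
    return hits


def demo() -> dict:
    """Walk through the scenario and return the measurable results."""
    image = build_image(4)

    # Constructed 'deleted' document: six sectors, each filled with one
    # letter A..F, so every sector of it hashes to a distinct value.
    old_doc = b"".join(bytes([0x41 + i]) * SECTOR for i in range(6))
    write_file(image, 0, old_doc)          # occupies cluster 0 and half of 1
    # 'Deleting' the file only drops the directory entry; the bytes remain.

    # A new 700-byte file is written into cluster 0.
    new_file = b"N" * 700
    slack_len = write_file(image, 0, new_file)
    slack = slack_bytes(image, 0, len(new_file))

    # Block-wise hashing: hash the known document's sectors and scan
    # the whole image for matching sectors (slack and unallocated space).
    hits = scan_image(image, sector_hashes(old_doc))
    return {"slack_len": slack_len, "slack": slack, "hits": hits}


if __name__ == "__main__":
    result = demo()
    print("slack bytes left by the new file:", result["slack_len"])
    print("first 8 slack bytes:", result["slack"][:8])
    print("(image sector, known sector) matches:", result["hits"])
```

The whole-file hash of the deleted document would never match anything the file system still lists, which is why the block-wise scan matters: sectors 2 and 3 of the image sit inside the new file's slack and sectors 4 and 5 sit in unallocated space, yet all four still hash to sectors of the known document. Sector 1 is reported as no match because the new file overwrote its first 188 bytes, which is exactly the partial-sector loss a block-wise comparison is meant to expose.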