Term that describes the industry of examining system data, user activity, and other pieces of computer-related evidence to determine if an attack is in progress and who may be behind the activity.
Digital Forensics
A Linux file that contains information on successful and unsuccessful login attempts, as well as information on other security-related events.
auth.log
Synthetic media that have been digitally manipulated to replace one person's likeness convincingly with that of another.
Deepfake
The most common method to organize and analyze the events and artifacts of a cybersecurity incident.
Timeline Creation
Any security incident in which unauthorized parties gain access to sensitive or confidential information.
Data Breach
The overarching process that an organization will follow in order to prepare for, detect, contain, and recover from a data breach.
Incident Response
A collection of malicious software that provides privileged, root-level access to a computer or network and hides its presence from the end user, without their knowledge or permission.
Rootkit
Minimizing the scope of the security event and keeping the effects of unauthorized usage within the smallest affected environment possible.
Containment
The development and implementation of plans, processes, and procedures for restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event.
Recovery
The primary Windows registry hive that stores user account information and password hashes.
SAM hive
Any piece of evidence or data that is collected and analyzed during digital forensics and incident response (DFIR). Examples could include system logs, browsing history, or files.
Artifact
Typically the final step of an incident response process, where an organization reviews what happened, implements additional defensive measures, and makes detailed logs of the events.
Lessons Learned
An advanced digital forensic and incident response tool that enhances your visibility into the endpoints of a network.
Velociraptor
The process of maintaining the integrity of the digital artifact collected for an investigation.
Evidence Preservation
A software tool used to extract files from a disk image or a live system by mounting that disk image or drive.
FTK Imager
The analysis of a piece of software or hardware to understand its design and inner workings.
Reverse Engineering
Includes having the required people, processes, and technology to prevent and respond to cybersecurity events.
Incident Response Preparation
Malware capable of changing base (i.e., identifiable) features and/or behavior to circumvent detection grids and achieve its end goal.
Polymorphic Virus
Techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
Persistence
Actions that are required to completely wipe the threat from the network or system.
Eradication
Programs, commands, or processes that begin when a user starts up a system and/or logs on to a system.
Autostart Programs
The idea that digital evidence could potentially be lost at any time, so it is essential to prioritize what you collect first.
Order of Volatility
An acronym that guides you on how to perform a standard Incident Response.
PICERL (Prepare, Identify, Contain, Eradicate, Recover and Lessons Learned)
A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.
Chain of Custody
A utility that takes a registry hive as input and outputs a report that extracts data from some of the forensically important keys and values in that hive.
RegRipper