Door 1
Door 2
Door 3
Door 4
Door 5
100

Term that describes the industry of examining system data, user activity, and other pieces of computer-related evidence to determine if an attack is in progress and who may be behind the activity.

Digital Forensics

100

A Linux file that contains information on successful and unsuccessful login attempts, as well as information on other security-related events.

auth.log

100

Synthetic media that have been digitally manipulated to replace one person's likeness convincingly with that of another.

Deepfake

100

The most common method to organize and analyze the events and artifacts of a cybersecurity incident.

Timeline Creation

100

Any security incident in which unauthorized parties gain access to sensitive or confidential information.

Data Breach

200

The overarching process that an organization will follow in order to prepare for, detect, contain, and recover from a data breach.

Incident Response

200

A collection of malicious software that provides privileged, root-level access to a computer or network and hides its presence from end-user knowledge or permission.

Rootkit

200

Minimizing the scope of the security event and keep the effects of unauthorized usage within the smallest affected environment possible.

Containment

200

The development and implementation of plans, processes, and procedures for restoration, in a timely manner, of any capabilities or services that are impaired due to a cyber event.

Recovery

200

The primary Windows registry hive that stores user account information and password hashes.

SAM hive

300

Any piece of evidence or data that is collected and analyzed during digital forensics and incident responses (DFIRs). Examples could include system logs, browsing history, or files.

Artifact

300

Typically the final step of an incident response process where an organization reviews what happened and implements additional defensive measures and make detailed logs of the events.

Lessons Learned

300

An advanced digital forensic and incident response tool that enhances your visibility into the endpoints of a network.

Velociraptor

300

The process of maintaining the integrity of the digital artifact collected for an investigation.

Evidence Preservation

300

A software tool used to extract files from a disk image or a live system by mounting the said disk image or drive.

FTK Imager

400

The analysis of a piece of software or hardware to understand its design and inner workings.

Reverse Engineering

400

Includes having the required people, processes, and technology to prevent and respond to cybersecurity events.

Incident Response Preparation

400

Malware capable of changing base (i.e., identifiable) features and/or behavior to circumvent detection grids and achieve its end goal.

Polymorphic Virus

400

Techniques adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.

Persistence

400

Actions that are required to completely wipe the threat from the network or system.

Eradication

500

Programs, commands, or processes that begin when a user starts up a system and/or logs on to a system.

Autostart Programs

500

The idea that digital evidence to potentially be lost at any time, so it is essential to prioritize what you collect first.

Order of Volatility

500

An acronym that guides you on how to perform a standard Incident Response

PICERL (Prepare, Identify, Contain, Eradicate, Recover and Lessons Learned)

500

A process that tracks the movement of evidence through its collection, safeguarding, and analysis lifecycle by documenting each person who handled the evidence, the date/time it was collected or transferred, and the purpose for the transfer.

Chain of Custody

500

A utility that takes a registry hive as input and outputs a report that extracts data from some of the forensically important keys and values in that hive.

RegRipper

M
e
n
u