CySA+ domain #10: Digital forensic tools and investigation techniques [DECOMMISSIONED ARTICLE]
NOTE: This article reflects an older version of the CySA+ Exam, although some of the material is still relevant – please see the current CySA+ Certification page for the most up-to-date information.
As is the case with all CompTIA certifications, the CySA+ is a vendor-neutral exam. It is aimed at the intermediate cybersecurity professional. There are no real prerequisites for the exam, but it is recommended that candidates have a Network+ and Security+ before attempting the CySA+. These certifications are not strictly necessary, but they will provide the basic foundations of network and cybersecurity theory on which the CySA+ rests.
In this article, we will look at the information that you need to successfully meet the requirements as they are set out in Domain 3.2 in the CompTIA CySA+ exam objectives. This is a brief overview and should be the first place that you start before undertaking your studying. It will help you to mentally map out the work that you need to do in order to study for this exam and will help you to get your study plan mapped out and underway.
You can think of this section of the CySA+ as an outline of the kinds of tools and techniques that you would use during the course of an investigation. It outlines a few of the most crucial items that you need to be familiar with. Below is a breakdown of the forensic kit that you must be familiar with for the exam.
Digital forensics workstation
Think of the digital forensic workstation as the go-to piece of gear that you will be using frequently to conduct investigations. As such, it has a few special requirements that are simple but important to remember. Some of these requirements are as follows:
- Network connectivity: The digital forensics workstation must be able to connect to various network sources during the investigation and testing phases of each case
- Hardware solution for HDD duplication: Hardware-based drive cloning solutions are less likely to tamper with the source hard drive that is being duplicated. They are also designed for this purpose and are the preferred tool for the job
- Remote and network drive duplication: There are instances where evidence will need to be remotely collected, so the digital forensics workstation must have the appropriate software and access to do so
- Filesystem duplication and analysis capabilities: The copied data must be usable in forensic and analytical applications
- File and image integrity checking: If any information is unreadable or if its integrity is in question, then a cybersecurity analyst must be able to verify its validity
- Accessed, modified and created file auditing: Anyone working on a forensic copy of data needs to account for all of their actions while conducting their investigation. Likewise, the analyst must also be able to make determinations about the Accessed, Modified and Created dates that are registered on the evidence that they are working on if it is pertinent to the case
- File system activity monitoring and reporting: Any activity must be monitored and reported on
- Deleted file recovery: Whether it is accidental or intentional, deleted data recovery can help strengthen a case, so this is a very important component in the digital forensic workstation
- Analyze drive dynamics such as allocated versus unallocated space: Tools to get this information need to be available at your digital forensic workstation
- Proper evidence logging and referencing capabilities: Analysts must have the ability to properly collect, store and recall all information relating to each piece of evidence that they collect
- Removable media support: The workstation must be able to accept as many different media types as possible, because evidence can come in many forms and media types
- Evidence admissibility: All evidence must be admissible in court, otherwise the investigation is not viable
Forensic kit components
- Write blockers: There are cases when a hard drive needs to be connected to a computer or duplication station. The source hard drive should never be written to, as this destroys the evidence’s reliability and can jeopardize an investigation. A write blocker allows the hard drive to be read from, but it cannot be written to
- Cables: All cables that could be needed to connect to a multitude of devices. These include IDE ribbon cables, SATA cables, USB and FireWire, or any other proprietary cable that could commonly be needed for consumer or enterprise electronics that store data
- Drive adapters: Any proprietary connector that is not standard will need an adapter, or in some cases, a controller card. Examples are server hard drives such as SCSI, MicroSATA and SAS
- Wiped removable media: If you need to quickly connect some removable media and copy data off a system, then you should have wiped removable media available at all times
- Cameras: Digital cameras are needed as part of the evidence collection process and will help document steps taken during the investigation
- Crime tape: Physical evidence needs to be protected, and crime tape helps to cordon off an area and prevents people from entering an area and contaminating evidence
- Tamper-proof seals: Maintaining the chain of custody is imperative if your investigation leads to a trial. Tamper-proof seals help to prove that evidence has not been interfered with since it was sealed by the investigator
Documentation and forms
- Chain of custody forms: This form keeps a record of who handled the evidence and on which dates
- Incident response plan: In the event of an incident occurring, you must be able to immediately carry out the incident response plan so that any threats are mitigated
- Incident form: The incident form helps to document and describe the exact nature of the incident, as well as who attended to it and what actions were taken
- Call list/escalation list: You need a list of contacts to escalate issues to whenever they surface. Senior technical staff and managers may need to be called if a situation escalates and becomes more serious than the initial response dictated
Forensic investigation suite
You must know what common investigation tools are used while working on forensic investigations. Some of these you may already be familiar with, but others might only become known to you during your preparation for the CySA+ exam. They are:
- Imaging utilities: In order to reproduce a forensic copy of a hard drive or other storage media, you will need to use an imaging utility. Best practice normally dictates that you should make more than one copy of an image so that you have one for your investigations and the other can be stored as evidence
- Analysis utilities: You can think of these as a list of tools that help investigators to analyze and closely look at the data that was gathered by the imaging utility
- Chain of custody: Maintaining hard copies of the chain of custody must be undertaken as a matter of procedure. There are some applications that help to maintain a digital version of the evidence’s chain of custody
- Hashing utilities: Hashing is used to verify data. If a hash value changes since a file was last viewed, then the evidence is no longer intact and cannot be trusted. Examples are SHA and MD5
- OS and process analysis: If a forensic copy of a system is available, then investigators may be curious as to what was running on the machine in its last state. This can reveal a lot about a system and what kinds of threats it currently has running within the operating system
- Mobile device forensics: These are tools that help with gathering data from devices such as smartphones and tablets
- Password crackers: Cracking passwords is necessary in some instances where access to the machine is limited due to a lack of security permissions
- Cryptography tools: Investigators can try to break certain weak encryption types with tools
- Log viewers: Logs can reveal a great deal of information about a system, so being able to view system logs is vital for a digital forensic workstation
This section outlines all of the tools, equipment and sundries that you need for your digital forensic workstation. There is a lot of potential evidence to be collected, and as a cybersecurity analyst, you should be familiar with the processes and procedures that are used while collecting and storing evidence. We hope that this has been useful and that the article will help you to better prepare for your CySA+ studies.
- CompTIA CySA+, CompTIA
- CompTIA Cybersecurity Analyst (CySA+) Certification Exam Objectives, CompTIA
- CompTIA CySA+ Objective 3.2, Pack IT Forwarding
We've encountered a new and totally unexpected error.
Get instant boot camp pricing
A new tab for your requested boot camp pricing will open in 5 seconds. If it doesn't open, click here.