INTRODUCTION

Cyber forensics is a growing field. Reaffirming this, (ISC)², creators of the CISSP credential, have created a comprehensive cyber forensics certification, the Certified Cyber Forensics Professional (CCFP). This certification is not a vendor tool certification, but rather a broad-based general cyber forensics certification. The certification requires a four-year degree with three years of experience in cyber forensics or IT security in at least three out of the six (ISC)² CCFP domains. If you don’t have a degree, then six years of experience are required. If you have no experience, you can take the test and become an Associate of (ISC)². The test consists of 125 multiple-choice questions. You have four hours and must pass with a score of 70 percent (700 points) or greater. After you’ve passed the exam successfully, you must also agree to adhere to the (ISC)² Code of Ethics (discussed in Chapter 2 of this book). Your application must then be endorsed by a current (ISC)² member (someone with the CCFP, CISSP, or similar certification) in order to achieve the credential.

This book is intended to thoroughly prepare you to take the CCFP exam. In this book, you will learn about forensics concepts, how to create forensics reports, various forensics techniques, computer forensics, mobile device forensics, and emerging trends. While we assume general IT security knowledge, we don’t assume prior cyber forensics knowledge, although the CCFP exam assumes three years’ experience. We will teach you everything you need to know to function effectively as a cyber forensics professional.

This book starts with general concepts in Chapter 1. Chapter 2 makes certain you have the appropriate technical background for cyber forensics. For most readers, Chapter 2 should be a review. As you progress through the chapters, you will see a mixture of theory along with practical techniques and advice. Look for extra test tips and notes in the chapters—these are meant to provide some extra information for you.

 


EXAM TIP: Chapter 10 gives you a good introduction to mobile forensics. This is an increasingly important topic in forensics, and for the CCFP exam. You should pay particular attention to this chapter, and I recommend memorizing all the various terms found therein.

In addition to the book, I have created a website designed to be an aid to readers and forensics practitioners: www.digitalforensicscert.com/. This website will be updated from time to time and expanded as needed. You can also visit my personal website: www.ChuckEasttom.com.

How to Use This Book

As you read the book, you will encounter all the material you need to know to successfully take and pass the CCFP exam. I recommend you give each chapter a casual read and then return and spend time studying topics that were new to you or were difficult. If there are hands-on exercises or labs in a chapter (and there are several), whenever possible actually execute the exercise or the lab. Anytime you encounter a new term or acronym, it is important that you memorize it. Don’t just read it—make sure you commit it to memory.

Each chapter ends with review questions, and there are additional questions that accompany the book in electronic format. These questions will test your knowledge related to the CCFP domains, but these are not actual questions from the CCFP exam. The point is not to memorize the questions and answers, but to use them to probe your knowledge and see how much has been retained. While the test assumes you have experience in cyber forensics, this book does not. My experience has been that a lot of working professionals, in any field, have very deep knowledge of some areas, and gaps in others. This book should review what you already know and fill in gaps in other areas.

As I mentioned, pay special attention to the Exam Tips in the chapters. These are specific guidelines discussing what you will need to know for the test, and in some cases, things you don’t need to know for the test. When you finish a chapter, take a moment to reflect on it. Make sure you fully understood the chapter and memorized any new terms or acronyms before you move on to the next chapter.

The Examination

I have taken many certification tests (29 as of this writing) and successfully taught many certification courses. Let me give you a few exam tips. First and foremost, make sure you are relaxed. Don’t schedule the exam until you are really ready. And then schedule it at the best time for you. If you are a morning person, schedule it as early as you can. If you are not a morning person, then under no circumstances should you take a difficult test in the morning!

The day of the test, try to relax. On your way to the test, listen to your favorite music and relax. You will notice a few things when the test starts. The first is that occasionally you will see a question essentially repeated but worded a different way. That’s okay and actually helps you. One way the question is worded might not be clear to you, but the other way is. This gives you a second chance to see what the question is asking and to answer it appropriately. Make sure you fully read each question. Four hours is plenty of time—don’t rush.

You may have heard the old adage, never change your answer. That is only partially true. If a subsequent question is clearer to you and you know, absolutely know, that you need to change an answer, then do it. However, if your second answer is just a guess, stick with your first guess. Also, keep in mind that no matter how hard you study, you will probably encounter a question or two that you just don’t know. Don’t panic. You have a one in four chance of guessing right. Can you see at least one answer that you are certain is not correct? Well, you just raised your odds to one in three!

If you’ve read this book, you should feel confident that you’ve prepared, and prepared well. Last but not least, good luck!

CCFP Exam Objective Map

