CCFP Study Notes

The Certified Cyber Forensics Professional (CCFP) is a certification offered by ISC2 that’s designed to indicate expertise in forensics techniques and procedures.

The content is broken up into the below objectives and I’ll be taking informal (not comprehensive) notes below:

  • Legal, Ethical, and Investigative Principals
  • Forensic Science
  • Digital Forensics
  • Application Forensics, Hybrid Technologies, and Emerging Technologies

Honestly, the notes are captured here for my own referencing and to help anyone who finds this useful, especially as last-minute cram material.

Legal, Ethical, and Investigative Principals


Fragility refers to how transient, how fragile, evidence is. Software that lives in memory is quite fragile.

According to the Supreme Course, a “seizure” of property occurs when there is some meaningful interference with an individual’s possessory interests in that property. “United States v. Jacobson, 466 U.S. 109, 113 (1984). Locking the phone away and denying access is certainly meaningful interference.

Provenance is defined as the origin of something.

In legal terms, the Chinese Wall is a procedural barrier that prohibits two members of the same organization or team from sharing information related to a specific case or project.

A tortfeasor is a person who commits a tort.

Sections of a forensics report:

  • Overview/Case Summary
  • Forensic Acquisition and Exam
  • Findings and Report

It is also common practice to store data in a safe within the evidence room. Most safes also have a fire rating. The following is a list of common ratings:

  • Class 100 is for safes that contain digital data
  • Class 150 is the rating for microfilm and similar metadata
  • Class 350 is the rating for paper documents

Fire Extinguishers are also classified into four general classes based on what types of fires they can extinguish:

  • Class A – Ordinary combustibles such as wood or paper
  • Class B – Flammable liquids such as grease, oil, or gasoline
  • Class C – Electrical equipment
  • Class D – Flammable metals

Forensic Science

concepts applied to forensic analysis

Iman-Rudin paradigm refers to a paper entitled “The Origin of Evidence” that covers five concepts that have been applied to forensic analysis.

  1. Transfer (Locard’s Exchange Principal)
  2. Identification (placing objects in a class)
    This is about the first stage of classifying evidence. What is it? In the case of cybercrimes, is the evidence a server log, a recovered file, network traffic analysis, or some other sort of evidence?
  3. Individualization (narrowing the class to one)
    This is about taking the identification step to another level. In the case of cybercrimes, that is not always possible. For example, a piece of malware could be a Trojan horse as well as a virus and spyware.
  4. Association (linking a person with a crime scene)
    How do you associate a piece of evidence with a specific person? For cybercrimes, if you have a virus, can you show it was created by the suspect? What evidence might you need? For example, finding the source code for the virus on the suspect’s computer would be one piece of evidence.
  5. Reconstruction (understanding the sequence of past events)
    This is the process of determining what happened. It is not always possible to do this as completely as we might like. For example, if you believe a virus was created by a suspect, can you show first it was created by the suspect? Then you would need to show at least one victim downloading the virus from that file server. Essentially, you want to reconstruct exactly what happened.

Inman-Rudin added a sixth principal which states that evidence must divide before it can transfer.


American academy of forensic science ethics

  • Every member and affiliate of the Academy shall refrain from exercising professional or personal conduct adverse to the best interests and objectives of the Academy.
  • No member or affiliate of the Academy shall materially misrepresent his or her education,

training, experience, area of expertise, or membership status within the Academy.

  • No member or affiliate of the Academy shall materially misrepresent data or scientific principles upon which his or her conclusion or professional opinion is based.
  • No member or affiliate of the Academy shall issue public statements that appear to represent the position of the Academy without first obtaining specific authority from the Board of Directors.

ISC2 Code of ethics Canons

  • Protect society, the common code, necessary public trust and confidence, and the infrastructure
  • Act honorably, honestly, justly, responsibly, and legally
  • Provide diligent and compete service to principles
  • Advance and protect the profession

Digital Forensics

Mobile Device status

  • Nascent State/Factory Default State – devices are in the nascent state when received from the manufacturer. The device contains no user data and observes factory configuration settings.
  • Active State – devices are in the active state are powered on, performing tasks, and able to be customized by the user and have their file systems populated with data.
  • Quiescent State – is a dormant mode that conserves batter life while maintaining user data and performing other background functions. Context information about the device is preserved in memory to allow a quick resumption of processing when returning to the active state.
  • Semi-Active State – is a state partway between active and quiescent. The state is reached by a timer, which is triggered after a period of inactivity, allowing battery life to be preserved by dimming the display and taking other appropriate actions.

Application Forensics, Hybrid Technologies, and Emerging Technologies

VMware artifacts/files

  • .vmdk – is the actual virtual hard drive for the virtual guest operating system. Virtual hard drives can be fixed or dynamic. Fixed virtual hard drives remain the same size. Dynamic virtual hard drives expand as needed.
  • .vmem – a backup of the virtual machine’s paging file/swap file. This can be very important to a forensic investigation.
  • .vmsn – these are VMware snapshot files, named by the name of the snapshot. A VMSN file stores the state of the virtual machine when the snapshot was created.
  • .vmsd – a VMSD file contains the metadata about the snapshot.
  • .nvram – this is the file that stores the BIOS information for the virtual machine. This should be noted in your forensics report, even if it does not contain critical information for the case.
  • .vmx – this is the configuration file for the virtual machine, such as the operating system and disk information. It is just a text file, so it is easy to analyze.
  • .vmss – this file stores the state of a suspected virtual machine.

Microsoft Virtual PC

  • .vhx – these are the actual virtual hard disks. These are obviously quite important to a forensic examination.
  • .bin files – these contain the memory of the virtual machine, so these absolutely must be examined.
  • .xml – the file contain the virtual machine configuration details. There is one of these for each virtual machine and for each snapshot of a virtual machine. These files are always named with the GUID used to internally identify the virtual machine in question.

Oracle Virtualbox

  • .vdi – these are VirtualBox disk images called virtual disk images.
  • /.config/VirtualBox – this is a hidden file that contains configuration data.
  • .vbox – this is the machine setting file extension. Prior to version 4.0 it was .xml


The registry is organized into give sections referred to as hives. Each of these sections contain specific information that can be useful to you. The five hives are described here:

  • HKEY_CLASSES_ROOT (HKCR)- This hive stores information about drag and drop rules, program shortcuts, the user interface, and related items.
  • HKEY_CURRENT_USER (HKCU) This will be very important to any forensic investigation. It stores information about the currently logged-on user, including desktop settings, user folders, etc.
  • HKEY_CURRENT_USER (HKLM) This can also be important to a forensic investigation. It contains settings common to the entire machine, regardless of the individual user.
  • HKEY_USERS (HKU) This hive is critical to forensic investigations. It has profiles for all the users, including their settings.
  • HKEY_CURRENT_CONFIG (HCU) This hive contains the current system configurations. This might also serve useful in your forensic examinations.

All registry keys contain a value associated with them called LastWriteTime. This value indicates when this registry value was last changed. Rather than a standard date/time, this value is stored as a FILETIME structure. A FILETIME structure represents the number of 100 nanosecond intervals that have passed since January 1, 1601.


The registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run  shows programs that are configured to start automatically when Windows starts.


The registry key HKEY_CURRENT_USER\Software\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU will show recent sites that have been visited.

Recent Documents

The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs shows documents that have been recently accessed.


The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall shows software that has been recently uninstalled.


The registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MapNetworkDriveMRU shows network drives that have been mapped.


The registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Intelliforms\SPW is where IE passwords are often saved.

Network Adaptor

The registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\GUID shows recent settings for the network adaptor, like the system IP address and default gateway.


The registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\key shows wireless networks connected to.


The registry key HKEY_LOCAL_MACHINE\System\ControlSet\Enum\USBSTOR lists USB devices that have been connected to the machine.

Relevant Laws

Rule 26(f) states that a part must without a discovery request provide the following to the other parties:

  • Name, address, and telephone number of each individual likely to have discoverable information
  • A copy, or description by category and location of all documents, electronically stored information, and tangible things that the disclosing party has in its possession
  • A computation of each category of damages claimed by the disclosing party.
  • Any insurance agreement under which an insurance business may be liable or satisfy all or part of the possible judgment.

Rule 30 (b)(6) involves a civil case where parties must provide each side with someone from their organization with knowledge of the issues in dispute. The other party can then take the deposition of that person in order to gather information/evidence.

Rule 37 (f) governs electronically stored information and how courts might deal with the production or lack of product of such information.

Quick points

  • Big data refers to data too large to be dealt with using traditional tools