Forensics & Incident Response

Body of Knowledge

| Topic | Description | Relevance | Career Tracks |
|---|---|---|---|
| Incident Response Process | IR lifecycle (preparation, identification, containment, eradication, recovery, lessons learned), NIST 800-61, playbooks. | Critical | Incident Responder, SOC Analyst, Security Engineer |
| IR Planning | IR plan development, team roles (IRT), communication plans, escalation procedures, external contacts, tabletop exercises. | High | Security Manager, Incident Responder |
| Containment Strategies | Short-term vs long-term containment, network isolation, endpoint isolation, evidence preservation during containment. | Critical | Incident Responder, SOC Analyst |
| Evidence Collection | Chain of custody, volatile data capture, disk imaging, memory acquisition, network capture, cloud evidence, legal hold. | Critical | Forensics Analyst, Incident Responder |
| Disk Forensics | Forensic imaging (dd, FTK Imager), file system analysis, deleted file recovery, timeline analysis, Autopsy, EnCase. | High | Forensics Analyst |
| Memory Forensics | Volatility framework, process analysis, network connections, malware artifacts, rootkit detection, RAM acquisition. | High | Forensics Analyst, Malware Analyst |
| Network Forensics | Packet capture analysis, flow analysis, proxy logs, firewall logs, DNS logs, lateral movement detection. | High | Forensics Analyst, SOC Analyst |
| Log Analysis for IR | Timeline correlation, log aggregation, attack reconstruction, pivot points, IOC extraction from logs. | Critical | Incident Responder, SOC Analyst |
| Malware Analysis (Basic) | Static analysis, dynamic analysis (sandboxing), behavioral indicators, YARA rules, VirusTotal, Any.Run. | High | Malware Analyst, Forensics Analyst |
| Root Cause Analysis | 5 Whys, fishbone diagrams, timeline reconstruction, attack chain mapping, lessons learned documentation. | High | Incident Responder, Security Manager |
| Post-Incident Activities | Post-mortem reports, remediation tracking, control improvements, metrics, executive briefings. | High | Incident Responder, Security Manager |

Personal Status

| Topic | Level | Evidence | Active Projects | Gaps |
|---|---|---|---|---|
| Incident Response | Advanced | CHLA incident handling — ISE authentication failures, switch misconfigurations, certificate expiration events; documented RCA methodology (STD-010) | STD-010: Root Cause Analysis Standard, Case Studies & Change Control | No forensic imaging, no memory analysis, no malware reverse engineering |