Cybercrime Investigation Body Of Knowledge

Cybercrime Investigation Body Of Knowledge

News

read more

About CIBOK

The first edition of the Cybercrime Investigation Body of Knowledge (CIBOK) was established in 2016 by the CIBOK Editorial Committee. It was the first attempt to systematically organize the fundamental knowledge and skills required by practitioners involved in responding to cybercrime.
The Editor-in-Chief of both the first and second editions was Dr. Shane Shook, Ph.D.
The second edition was compiled in May 2025 by the CIBOK Editorial Committee, consisting of 18 authors from five countries and 26 reviewers, with contributions from 5 international cyber security companies, chaired by Hiroshi Nishino. Upon approval by the CIBOK Steering Committee, printing and publication of the second edition has commenced.
The purpose of the CIBOK Second Edition is to provide a systematic overview of the knowledge, skills, and attitudes required for handling cybercrime, conducting investigations, and operating and managing departments responsible for incident response, such as investigative units or CSIRTs. While maintaining the framework of the first edition, it introduces updated information and case studies from both public and private sector perspectives to promote broader understanding and support effective investigations and organizational operations.

The second edition of CIBOK is established with the same five objectives as the first edition:

  1. Enables the acquisition of globally consistent common sense regarding cybercrime investigation, regardless of national laws.
  2. Clarifies how to position and apply already established practical disciplines—such as project management, computer science, and digital forensics—in the context of cybercrime investigations.
  3. Defines the practical content that should be applied in cybercrime investigations across eight knowledge domains.
  4. Provides ample reference materials for a deeper understanding of the topics related to each of the eight domains.
  5. Enables the development of training curricula and objective evaluation of individual knowledge and skills related to cybercrime investigations.

Target Audience for the Second Edition (unchanged from the first edition):

The second edition of CIBOK is written for individuals involved in or responsible for cybercrime investigations and incident response activities across public, private, and law enforcement sectors.

For investigators and prosecutors in law enforcement

  • Investigators new to cybercrime investigation

  • Those who organize cybercrime investigation department

  • Future senior officers who will lead investigation

  • Human resource development trainers

For IT/Security managers and staff in private organizations

  • Those who are in charge of incident response in SOC, CSIRT, and IT department

  • CIO and CISO who organize incident response system

  • Manager of CSIRT or risk management department

  • IT Security human resource development trainers

CIBOK objectives and application

  • Determine the current capabilities of an organization

    Organizations

    • Objectively evaluate capabilities to requirements
    • Define and optimize information systems in an organization
    • Determine through measurement the maturity of an organization

  • Review department requirements

    Managers

    • Determine roles, duties, and staff needed
    • Review business process requirements by risk tolerance and impact
    • Develop training and staffing plans

  • Fulfill professional requirements

    Professionals

    • Develop self-awareness of their own role
    • Pursue associated skills development
    • Understand career path

About the CIBOK Editorial Committee and Governance

In 2015, the CIBOK Steering Committee formed an organizational body focused on the coordination of cybercrime investigations with the social mission of protecting ICT-based society from cyber threats. Based on surveys and planning conducted at that time, a proposal was submitted to begin drafting the first edition of CIBOK.
Following this, in April 2016, the CIBOK Editorial Committee was formally established with Hiroshi Nishino as chair and Dr. Shane Shook as Editor-in-Chief.
The purpose of the CIBOK project was to conduct job analyses and other research among practitioners or experienced personnel to characterize the technologies, methodologies, processes, and procedures used in the field of cybercrime investigation—regardless of their ICT expertise. Each editorial committee member is expected to continuously monitor cybercrime-related trends and contribute to the characterization of relevant elements. These identified items are periodically brought to editorial meetings, where their significance is evaluated and refined through a layered structuring of knowledge domains. Given the time that has passed since the first edition, the editorial committee undertook comprehensive discussions and revisions of each chapter. As with the first edition, Dr. Shane Shook led the editing process, and the revised content was reviewed by an even broader group of subject-matter experts to produce the Second Edition.

Executive Editor

  • Shane Shook
    Shane Shook (PhD) Shane Shook (PhD) is a well-known veteran of information security and response engagements with nearly 30 years of experience spanning government and industry IT risk management issues. He has led forensic analysts and provided expert testimony in many of the most notorious breaches across most industry sectors. He has also served as the expert witness in related (international and US) federal, civil and commercial disputes. He currently serves on the advisory boards of several emerging security technology companies. He is a contributing author and editor of several books and a frequent keynote or guest speaker.

Authors

  • Aaron Goldstein Aaron Goldstein is a cyber incident response leader and researcher. He has experience in complex, large-scale cyber breaches where he has provided strategic solutions to secure environments of all sizes.
  • Alberto Casares Alberto Casares is a threat intelligence researcher and analyst, and CTO of Constella Intelligence where he focuses on identity threat detection and response. He has led several research & development projects supported by the Spanish Ministry of Industry and is a Cybersecurity professor for the University of Granada Master's in Cybersecurity degree program.
  • Antonia Nisiota (PhD) Antonia Nisiota (PhD) is a Cyber Security Operations Center leader, researcher and analyst with specialties in security posture management, threat hunting, and computer and memory forensics.
  • Billy Gouveia Billy Gouveia is the CEO and Founder of SureFire, Inc. He has more than 20 years' experience spanning cyber incident response, intelligence collection and analysis, and technology.
  • Bradley Potteiger (PhD) Bradley Potteiger (PhD) is Co-Founder and Chief Technology Officer of ArmsCyber. He has intelligence collection, cyber defense, analysis, and technology development experience from government and industry organizations, including the US Department of Defense. He has developed specialized experience in active defense methods utiilzing zero trust, automated moving target defense, deception technologies, and recovery principles of cyber security. He has taught and performed academic research at the University of Maryland and The Johns Hopkins University Applied Physics Laboratory on topics of cyber security, autonomous vehicle security and privacy, election integrity, space systems, and national security.
  • Chris Coulter Chris Coulter is a forensic examiner and incident responder who has led engagements in government, industry, and individual computer crimes investigations. He is a patent holder (Digital forensic acquisition kit and methods of use thereof - United States US 13/019,796) for technology that he developed and delivered to the market to simplify the complex methods of evidence acquisition in forensic computer investigations. His experience includes corporate leadership in cyber security services and products, audit and investigations experience with PwC, Stroz Friedberg LLC, MIT Labs, and the IRS.
  • Dan Gunter Dan Gunter is the founder and CEO of Insane Cyber, a cyber threat hunting and forensics firm focused on IT and OT networks. He has extensive OT and industrial control systems cyber security research and incident response experience gained from working with clients in Oil and Gas, and global Energy companies. He also served as a USAF Cyber Warfare Officer in the AFCERT and CYBERCOM teams.
  • David Emerson David Emerson has extensive leadership experience from Chief Information Security and Technology roles with several product and services companies. He is CTO of SolCyber, a Managed Security Services Provider who help to ensure secure program and operational posture for their clients.
  • Erin Joe Erin Joe is a Senior Executive at Mandiant in Google's Office of the CISO. After a 25 year career culminating as a Senior Executive in the FBI, she joined Mandiant and Google to apply her experience in cyber crime investigation and crisis response.
  • Hideki Ninomiya Hideki Ninomiya is CEO and Founder of Orient Co., Ltd. He has an extensive career of both IT leadership and cyber security and cyber crime analysis and risk advisory services spanning Pharmaceuticals and other industries in Japan. He also advises boards of companies about cyber risks and security organization and posture development.
  • Hiroshi Nishino Hiroshi Nishino is a Chairperson of the CIBOK Editorial Committee, CEO of HI Initiative Co., Ltd. In 1991, he founded Proseed Co., Ltd. and introduced numerous global standard knowledge systems such as PMBOK, ITIL, and COPC into Japan. He contributed to the establishment of promotion organizations for PM, ITSM, and CIKF. Additionally, since 2001, he has been involved in government IT procurement reform, participating in various government committees to propose and implement comprehensive bidding systems, CIO advisor systems, and human resource development initiatives. Concurrent Roles:Vice Chairman of the Board, CeFIL (Specific Nonprofit Corporation); Co-founder of the Digital Business Innovation Center; Member of the Global Cybercrime Experts Committee, International Criminal Police Organization (Interpol); Co-founder and Board Member of the Cybercrime Investigation and Research Forum, a general incorporated association; Part-time Lecturer at the Graduate School of Information and Life Sciences, University of Tsukuba; Part-time Lecturer, Liberal Arts Education, University of Toyama.
  • Ian (Iftach) Amit Ian (Iftach) Amit is a seasoned manager in the security and software industry with vast experience in a myriad areas of information security- from enterprise security, through retail, to end user software and large back-end systems. He is an Information Security expert with experience ranging from low level technical expertise and up to corporate security policy, regulatory compliance and strategy. Ian is a frequent BlackHat and DefCon speaker, and founding member of the PTES (Penetration Testing Execution Standard), IL-CERT, and the Tel-Aviv DEFCON group (DC9723).
  • Karim Hijazi Karim Hijazi is an investor and cyber security intelligence leader with over 30 years of practical experience in cyber security and intelligence. He founded several cyber intelligence services companies to address global botnets and their impact on government organizations and private companies.
  • Kathryn Shih Kathryn Shih is a cyber security analyst, investor, and practitioner with cloud and artificial intelligence program development and management specialties gained in organizations including Akamai Technologies, Amazon Web Services, and Google.
  • Kelly Robertson Kelly Robertson has more than 30 years of professional cyber security experience spanning 30 countries. He has held key technical and market positions with leading ICT and cyber security companies including SAIC, Nokia, Juniper Networks, White Hat Security, Atos, and Horizon3.ai. His contributions from hands-on technical program development, training, and market defining activities has been helpful in the perspectives provided in this edition. He is a long time friend and colleague of Dr. Shook, with whom he has collaborated for more than 20 years on advancing themes of recognizing and addressing cyber risks through effective programs and processes.
  • Maria Vello Maria Vello is a cybercrime veteran with decades of experience bridging the gap between public and private sectors to advance threat intelligence and cybercrime investigations. Maria is the former President and CEO of National Cyber Forensics Training Alliance (NCFTA) in the USA and the former CEO of Cyber Defense Alliance (CDA) in the UK.
  • Mark Mullison Mark Mullison is the Chief Technology Officer of Allied Universal, and has more than 30 years of technology and cyber security leadership experience spanning telecommunications, education, and physical security industries.
  • Neil Binnie (PhD) Neil Binnie (PhD) is a senior cyber security Executive with experience spanning Global Construction and Real Estate, and Aerospace.
  • Noriaki Hayashi Noriaki Hayashi is a Senior Researcher with Trend Micro Incorporated in Japan. He is a highly-skilled and certified administrator and systems engineer in several computing platforms and technologies. He has more than 17 years of systems management and security experience, including program and project management, security research, and threat response.
  • Omalola Fagbule (PhD) Omalola Fagbule (PhD) is a Cyber security Awareness Specialist and researcher focused on understanding human motivation and perceptions. She develops training programs and materials addressing the motivations and actions of cyber criminals to educate staff and raise organizational awareness.
  • Patrick A. Westerhaus Patrick A. Westerhaus joined Wells Fargo in 2016 and is heading up a team in Enterprise Information Security (EIS), Cyber Threat Fusion Center (CTFC), working to consolidate and analyze data in an effort to develop an enterprise program to reduce cyber, fraud, and money laundering risk for the institution. Prior to joining Wells Fargo, Patrick was with KPMG in their fraud and forensic practice and he spent the last 12 years in the FBI reaching the level of Supervisory Special Agent in the Headquarters Cyber Division. During his tenure in the FBI Patrick led investigations into corporate government fraud, public corruption, counterterrorism, counterintelligence, cyber fraud/theft and his last position was at the NCIJTF’s Virtual Currency Team. Patrick has a Bachelor of Business Administration in accounting from Gonzaga University, a Masters in Forensic Science in Security Management from The George Washington University, and a graduate certificate in International Security from Stanford. Patrick also is a CPA and he maintains CFE & CAMS certifications.
  • Satoshi Shimizu Satoshi Shimizu is a founder of the Cybercrime Investigations Knowledge Forum and editor of the first edition of the Cybercrime Investigation Body of Knowledge. He has an extensive career leading technology and cyber security products and programs development for Trend Micro as a Regional CISO for the Japan BU, and as a Director of the Japan Cybercrime Control Center, and of an INTERPOL alliance project with Trend Micro - he has helped to define international intelligence and response efforts to global combat cybercrime.
  • Scott McCready Scott McCready is CEO of SolCyber and has led cyber security products and services delivery around the world for some of the best-known security companies including FireEye, Symantec, NTT, and EDS.
  • Simon Mullis Simon Mullis is an experienced cyber security products and services executive who has led teams at FireEye, Palo Alto Networks, Tanium, and cofounded Venari Security as Chief Technology Officer. He also has represented industry and public sector needs of cyber security as a public speaker at technology and security conferences across Europe and North America.
  • Tammy Archer Tammy Archer has extensive cybersecurity leadership experience as the CISO of Inchcape PLC, a global automotive distribution services company, and former CISO of HSBC. She previously served the UK Government as CISO of the Foreign and Commonwealth Office, and in the UK Ministry of Defence, and the Royal Navy.
  • Wajih Yassine Wajih Yassine is a senior cyber security and forensics engineer with experience gained supporting Google and Cylance customers. He has contributed to the development of cloud and enterprise forensics tools.
  • Judith H. Germano The founding member of Germano Law LLC, a law firm specializing in cybersecurity governance and data privacy issues.
  • Craig W. Sorum A 25-year veteran of the FBI who conducted and supervised hundreds of domestic and international cybercrime investigations.
  • David Cowen A Certified SANS Instructor, CISSP, and GIAC Certified Forensic Examiner working in digital forensics and incident response.
  • Eric Zimmerman A senior director in Kroll’s Cyber Security and Investigations practice and former FBI Special Agent with a tremendous depth and expertise in cyber investigations.
  • Luke Dembosky A partner in Debevoise & Plimpton’s Cybersecurity & Data Privacy group who has been a regular advisor to the leadership of the DOJ and theFBI.
  • John Jolly President of Syncurity and the former Vice President of the Cyber Security Division at General Dynamics.
  • Philip Fodchuk Formerly of the Canadian RCMP and Big4 Audit firms, now at Suncor, maturing and enhancing the information security and cyber investigations capabilities of the organization.

Download

Download CIBOK 2nd edition. The copyright is reserved for Japan Cybersecurity Innovation Committee (JCIC) so that delivery to the others nor secondary use of CIBOK is prohibited. If you wish to use for the 3rd party, please inform us via Inquiry form below.

Inquiry

Please submit your inquiries concerning CIBOK and training with the form below.
Please allow us three business days to respond to your provided email address.

    TOP