
Certified Computer Hacking Forensics Investigator version 8

BUSINESS TRAINING, CONSULTING & SOLUTIONS

Empowering People & Business

Overview

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. CHFIv8 presents a detailed methodological approach to computer forensics and evidence analysis. It is a comprehensive course covering major forensic investigation scenarios that enables students to acquire the necessary hands-on experience with various forensic investigation techniques and the standard forensic tools needed to successfully carry out a computer forensic investigation leading to the prosecution of perpetrators.

The CHFI course will give participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute. Many of today's top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as the home user, has given way to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be compromised (hacked)?" but, rather, "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber-criminal, then this is the course for you.

What you will learn

Upon completion of this course, students will understand:

• The process of investigating cyber-crime, the laws involved, and the details of obtaining a search warrant
• Different types of digital evidence, rules of evidence, the digital evidence examination process, and electronic crime and digital evidence considerations by crime category
• Roles of the first responder, the first responder toolkit, securing and evaluating the electronic crime scene, conducting preliminary interviews, documenting the electronic crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, and reporting the crime scene
• How to recover deleted files and deleted partitions in Windows, Mac OS X, and Linux
• The process involved in a forensic investigation using AccessData FTK and EnCase
• Steganography and its techniques, steganalysis, and image file forensics
• Password cracking concepts, tools, types of password attacks, and how to investigate a password-protected file breach
• Different types of log capturing techniques, log management, time synchronization, and log capturing tools
• How to investigate logs, network traffic, wireless attacks, and web attacks
• How to track e-mails and investigate e-mail crimes, and many more

Certified Computer Hacking Forensics Investigator version 8: 5-day Instructor-Led Training/Workshop


Who Should Attend

• Legal professionals, Banking
• Insurance and other professionals
• Government agencies
• IT managers
• IT consultants who want to learn more about hacking tools and techniques will also benefit
• And anyone who is concerned about the integrity of their network infrastructure
• Security officers
• Auditors
• Security Professionals
• Police and other law enforcement personnel
• Defense and Military personnel
• e-Business Security professionals
• Site Administrators
• Systems administrators

Certification

This training prepares the student for the CHFI 312-49 exam. Students need to pass the online Prometric exam to receive the CHFI Certification.

Prerequisite

It is recommended that you attend the CEH class before enrolling in the CHFI program.


Course Outline: Computer Hacking Forensics Investigator version 8

Module 01: Computer Forensics in Today's World

• Forensics Science
• Computer Forensics
  o Security Incident Report
  o Aspects of Organizational Security
  o Evolution of Computer Forensics
  o Objective of Computer Forensics
  o Need for Computer Forensics
• Forensics Readiness
  o Benefits of Forensics Readiness
  o Goals of Forensics Readiness
  o Forensics Readiness Planning
• Cyber Crime
  o Computer Facilitated Crimes
  o Modes of Attacks
  o Examples of Cyber Crime
  o Types of Computer Crimes
  o Cyber Criminals
  o Organized Cyber Crime: Organizational Chart
  o How Serious are Different Types of Incidents?
  o Disruptive Incidents to the Business
  o Cost Expenditure Responding to the Security Incident
• Cyber Crime Investigation
  o Key Steps in Forensics Investigation
  o Rules of Forensics Investigation
  o Need for Forensics Investigator
  o Role of Forensics Investigator
  o Accessing Computer Forensics Resources
  o Role of Digital Evidence
• Corporate Investigations
  o Understanding Corporate Investigations
  o Approach to Forensics Investigation: A Case Study
  o Instructions for the Forensic Investigator to Approach the Crime Scene
  o Why and When Do You Use Computer Forensics?
  o Enterprise Theory of Investigation (ETI)
  o Legal Issues
  o Reporting the Results
• Reporting a Cyber Crime
  o Why you Should Report Cybercrime?
  o Reporting Computer-Related Crimes
  o Person Assigned to Report the Crime
  o When and How to Report an Incident?
  o Who to Contact at the Law Enforcement?
  o Federal Local Agents Contact
  o More Contacts
  o CIO Cyberthreat Report Form

Module 02: Computer Forensics Investigation Process

• Investigating Computer Crime
  o Before the Investigation
  o Build a Forensics Workstation
  o Building the Investigation Team
  o People Involved in Computer Forensics
  o Review Policies and Laws
  o Forensics Laws
  o Notify Decision Makers and Acquire Authorization
  o Risk Assessment
  o Build a Computer Investigation Toolkit
• Steps to Prepare for a Computer Forensics Investigation
• Computer Forensics Investigation Methodology
• Obtain Search Warrant
  o Example of Search Warrant
  o Searches Without a Warrant
• Evaluate and Secure the Scene
  o Forensics Photography
  o Gather the Preliminary Information at the Scene
  o First Responder
• Collect the Evidence
  o Collect Physical Evidence
  o Evidence Collection Form
  o Collect Electronic Evidence
  o Guidelines for Acquiring Evidence
• Secure the Evidence
  o Evidence Management
  o Chain of Custody
  o Chain of Custody Form
• Acquire the Data
  o Duplicate the Data (Imaging)
  o Verify Image Integrity
  o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
  o Recover Lost or Deleted Data
  o Data Recovery Software
• Analyze the Data
  o Data Analysis
  o Data Analysis Tools
• Assess Evidence and Case
  o Evidence Assessment
  o Case Assessment
  o Processing Location Assessment
  o Best Practices to Assess the Evidence
• Prepare the Final Report
  o Documentation in Each Phase
  o Gather and Organize Information
  o Writing the Investigation Report
  o Sample Report


• Testifying as an Expert Witness
  o Expert Witness
  o Testifying in the Court Room
  o Closing the Case
  o Maintaining Professional Conduct
  o Investigating a Company Policy Violation
  o Computer Forensics Service Providers

Module 03: Searching and Seizing Computers

• Searching and Seizing Computers without a Warrant
  o Searching and Seizing Computers without a Warrant
  o § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles
  o § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
  o § A.3: Reasonable Expectation of Privacy and Third-Party Possession
  o § A.4: Private Searches
  o § A.5: Use of Technology to Obtain Information
  o § B: Exceptions to the Warrant Requirement in Cases Involving Computers
  o § B.1: Consent
  o § B.1.a: Scope of Consent
  o § B.1.b: Third-Party Consent
  o § B.1.c: Implied Consent
  o § B.2: Exigent Circumstances
  o § B.3: Plain View
  o § B.4: Search Incident to a Lawful Arrest
  o § B.5: Inventory Searches
  o § B.6: Border Searches
  o § B.7: International Issues
  o § C: Special Case: Workplace Searches
  o § C.1: Private Sector Workplace Searches
  o § C.2: Public-Sector Workplace Searches
• Searching and Seizing Computers with a Warrant
  o Searching and Seizing Computers with a Warrant
  o A: Successful Search with a Warrant
  o A.1: Basic Strategies for Executing Computer Searches
  o § A.1.a: When Hardware is itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
  o § A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime
  o § A.2: The Privacy Protection Act
  o § A.2.a: The Terms of the Privacy Protection Act
  o § A.2.b: Application of the PPA to Computer Searches and Seizures
  o § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
  o § A.4: Considering the Need for Multiple Warrants in Network Searches
  o § A.5: No-Knock Warrants
  o § A.6: Sneak-and-Peek Warrants
  o § A.7: Privileged Documents
  o § B: Drafting the Warrant and Affidavit
  o § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
  o § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”
  o § B.2: Establish Probable Cause in the Affidavit
  o § B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search
  o § C: Post-Seizure Issues
  o § C.1: Searching Computers Already in Law Enforcement Custody
  o § C.2: The Permissible Time Period for Examining Seized Computers
  o § C.3: Rule 41(e) Motions for Return of Property
• The Electronic Communications Privacy Act
  o The Electronic Communications Privacy Act
  o § A. Providers of Electronic Communication Service vs. Remote Computing Service
  o § B. Classifying Types of Information Held by Service Providers
  o § C. Compelled Disclosure Under ECPA
  o § D. Voluntary Disclosure
  o § E. Working with Network Providers
• Electronic Surveillance in Communications Networks
  o Electronic Surveillance in Communications Networks
  o Content vs. Addressing Information
  o The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
  o The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522
  o § C.1: Exceptions to Title III
  o § D. Remedies For Violations of Title III and the Pen/Trap Statute


• Evidence
  o Evidence
  o § A. Authentication
  o § B. Hearsay
  o § C. Other Issues

Module 04: Digital Evidence

• Digital Data
  o Definition of Digital Evidence
  o Increasing Awareness of Digital Evidence
  o Challenging Aspects of Digital Evidence
  o The Role of Digital Evidence
  o Characteristics of Digital Evidence
  o Fragility of Digital Evidence
  o Anti-Digital Forensics (ADF)
• Types of Digital Data
  o Types of Digital Data
• Rules of Evidence
  o Rules of Evidence
  o Best Evidence Rule
  o Federal Rules of Evidence
  o International Organization on Computer Evidence (IOCE)
  o IOCE International Principles for Digital Evidence
  o Scientific Working Group on Digital Evidence (SWGDE)
  o SWGDE Standards for the Exchange of Digital Evidence
• Electronic Devices: Types and Collecting Potential Evidence
  o Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process
  o Evidence Assessment
  o Evidence Assessment
  o Prepare for Evidence Acquisition
  o Evidence Acquisition
  o Preparation for Searches
  o Seizing the Evidence
  o Imaging
  o Bit-Stream Copies
  o Write Protection
  o Evidence Acquisition
  o Evidence Acquisition from Crime Location
  o Acquiring Evidence from Storage Devices
  o Collecting Evidence
  o Collecting Evidence from RAM
  o Collecting Evidence from a Standalone Network Computer
  o Chain of Custody
  o Chain of Evidence Form
  o Evidence Preservation
  o Preserving Digital Evidence: Checklist
  o Preserving Removable Media
  o Handling Digital Evidence
  o Store and Archive
  o Digital Evidence Findings
  o Evidence Examination and Analysis
  o Evidence Examination
  o Physical Extraction
  o Logical Extraction
  o Analyze Host Data
  o Analyze Storage Media
  o Analyze Network Data
  o Analysis of Extracted Data
  o Timeframe Analysis
  o Data Hiding Analysis
  o Application and File Analysis
  o Ownership and Possession
  o Evidence Documentation and Reporting
  o Documenting the Evidence
  o Evidence Examiner Report
  o Final Report of Findings
  o Computer Evidence Worksheet
  o Hard Drive Evidence Worksheet
  o Removable Media Worksheet
• Electronic Crime and Digital Evidence Consideration by Crime Category
  o Electronic Crime and Digital Evidence Consideration by Crime Category

Module 05: First Responder Procedures

• Electronic Evidence
• First Responder
• Roles of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
  o First Responder Toolkit
  o Creating a First Responder Toolkit
  o Evidence Collecting Tools and Equipment
• First Response Basics
  o First Response Rule
  o Incident Response: Different Situations
  o First Response for System Administrators
  o First Response by Non-Laboratory Staff
  o First Response by Laboratory Forensics Staff


• Securing and Evaluating Electronic Crime Scene
  o Securing and Evaluating Electronic Crime Scene: A Checklist
  o Securing the Crime Scene
  o Warrant for Search and Seizure
  o Planning the Search and Seizure
  o Initial Search of the Scene
  o Health and Safety Issues
• Conducting Preliminary Interviews
  o Questions to Ask When Client Calls the Forensic Investigator
  o Consent
  o Sample of Consent Search Form
  o Witness Signatures
  o Conducting Preliminary Interviews
  o Conducting Initial Interviews
  o Witness Statement Checklist
• Documenting Electronic Crime Scene
  o Documenting Electronic Crime Scene
  o Photographing the Scene
  o Sketching the Scene
  o Video Shooting the Crime Scene
• Collecting and Preserving Electronic Evidence
  o Collecting and Preserving Electronic Evidence
  o Order of Volatility
  o Dealing with Powered On Computers
  o Dealing with Powered Off Computers
  o Dealing with Networked Computer
  o Dealing with Open Files and Startup Files
  o Operating System Shutdown Procedure
  o Computers and Servers
  o Preserving Electronic Evidence
  o Seizing Portable Computers
  o Switched On Portables
  o Collecting and Preserving Electronic Evidence
• Packaging and Transporting Electronic Evidence
  o Evidence Bag Contents List
  o Packaging Electronic Evidence
  o Exhibit Numbering
  o Transporting Electronic Evidence
  o Handling and Transportation to the Forensics Laboratory
  o Storing Electronic Evidence
  o Chain of Custody
  o Simple Format of the Chain of Custody Document
  o Chain of Custody Forms
  o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
• Reporting the Crime Scene
  o Reporting the Crime Scene
• Note Taking Checklist
  o First Responder Common Mistakes

Module 06: Computer Forensics Lab

• Setting a Computer Forensics Lab
  o Computer Forensics Lab
  o Planning for a Forensics Lab
  o Budget Allocation for a Forensics Lab
  o Physical Location Needs of a Forensics Lab
  o Structural Design Considerations
  o Environmental Conditions
  o Electrical Needs
  o Communication Needs
  o Work Area of a Computer Forensics Lab
  o Ambience of a Forensics Lab
  o Ambience of a Forensics Lab: Ergonomics
  o Physical Security Recommendations
  o Fire-Suppression Systems
  o Evidence Locker Recommendations
  o Computer Forensic Investigator
  o Law Enforcement Officer
  o Lab Director
  o Forensics Lab Licensing Requisite
  o Features of the Laboratory Imaging System
  o Technical Specification of the Laboratory-based Imaging System
  o Forensics Lab
  o Auditing a Computer Forensics Lab
  o Recommendations to Avoid Eyestrain
• Investigative Services in Computer Forensics
  o Computer Forensics Investigative Services
  o Computer Forensic Investigative Service Sample
  o Computer Forensics Services: PenrodEllis Forensic Data Discovery
  o Data Destruction Industry Standards
  o Computer Forensics Services
• Computer Forensics Hardware
  o Equipment Required in a Forensics Lab
  o Forensic Workstations
  o Basic Workstation Requirements in a Forensics Lab
  o Stocking the Hardware Peripherals
  o Paraben Forensics Hardware
    - Handheld First Responder Kit
    - Wireless StrongHold Bag
    - Wireless StrongHold Box
    - Passport StrongHold Bag
    - Device Seizure Toolbox
    - Project-a-Phone
    - Lockdown
    - iRecovery Stick
    - Data Recovery Stick
    - Chat Stick


    - USB Serial DB9 Adapter
    - Mobile Field Kit
  o Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop
  o Portable Forensic Systems and Towers: Original Forensic Tower II and F
  o Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
  o Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
  o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
  o Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
  o Portable Forensic Systems and Towers: Ultimate Forensic Machine
  o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
  o Tableau T3u Forensic SATA Bridge Write Protection Kit
  o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
  o Tableau TACC 1441 Hardware Accelerator
    - Multiple TACC1441 Units
  o Tableau TD1 Forensic Duplicator
  o Power Supplies and Switches
  o Digital Intelligence Forensic Hardware
  o FRED SR (Dual Xeon)
  o FRED-L
  o FRED SC
  o Forensic Recovery of Evidence Data Center (FREDC)
  o Rack-A-TACC
  o FREDDIE
  o UltraKit
  o UltraBay II
  o UltraBlock SCSI
  o Micro Forensic Recovery of Evidence Device (µFRED)
  o HardCopy 3P
  o Wiebetech
    - Forensics DriveDock v4
    - Forensics UltraDock v4
    - Drive eRazer
    - v4 Combo Adapters
    - ProSATA SS8
    - HotPlug
  o CelleBrite
    - UFED System
    - UFED Physical Pro
    - UFED Ruggedized
  o DeepSpar
    - Disk Imager Forensic Edition
    - 3D Data Recovery
    - Phase 1 Tool: PC-3000 Drive Restoration System
    - Phase 2 Tool: DeepSpar Disk Imager
    - Phase 3 Tool: PC-3000 Data Extractor
  o InfinaDyne Forensic Products
    - Robotic Loader Extension for CD/DVD Inspector
    - Robotic System Status Light
  o Image MASSter
    - Solo-4 (Super Kit)
    - RoadMASSter-3
    - WipeMASSter
    - WipePRO
    - Rapid Image 7020CS IT
  o Logicube
    - Forensic MD5
    - Forensic Talon®
    - Portable Forensic Lab™
    - CellDEK®
    - Forensic Quest-2®
    - NETConnect™
    - RAID I/O Adapter™
    - GPStamp™
    - OmniPort
    - Desktop WritePROtects
    - USB Adapter
    - CloneCard Pro
    - EchoPlus
    - OmniClone IDE Laptop Adapters
    - Cables
  o VoomTech
    - HardCopy 3P
    - SHADOW 2
• Computer Forensics Software
  o Basic Software Requirements in a Forensic Lab
  o Maintain Operating System and Application Inventories
  o Imaging Software
    - R-drive Image
    - P2 eXplorer Pro
    - AccuBurn-R for CD/DVD Inspector
    - Flash Retriever Forensic Edition
  o File Conversion Software
    - FileMerlin
    - SnowBatch®
    - Zamzar
  o File Viewer Software
    - File Viewer
    - Quick View Plus 11 Standard Edition


  o Analysis Software
    - P2 Commander
    - DriveSpy
    - SIM Card Seizure
    - CD/DVD Inspector
    - Video Indexer (Vindex™)
  o Monitoring Software
    - Device Seizure
    - Deployable P2 Commander (DP2C)
    - ThumbsDisplay
    - Email Detective
  o Computer Forensics Software
    - DataLifter
    - X-Ways Forensics
    - LiveWire Investigator

Module 07: Understanding Hard Disks and File Systems

• Hard Disk Drive Overview
  o Disk Drive Overview
  o Hard Disk Drive
  o Solid-State Drive (SSD)
  o Physical Structure of a Hard Disk
  o Logical Structure of Hard Disk
  o Types of Hard Disk Interfaces
  o Hard Disk Interfaces
    - ATA
    - SCSI
    - IDE/EIDE
    - USB
    - Fibre Channel
  o Disk Platter
  o Tracks
    - Track Numbering
  o Sector
    - Advanced Format: Sectors
    - Sector Addressing
  o Cluster
    - Cluster Size
    - Changing the Cluster Size
    - Slack Space
    - Lost Clusters
  o Bad Sector
  o Hard Disk Data Addressing
  o Disk Capacity Calculation
  o Measuring the Performance of the Hard Disk
• Disk Partitions and Boot Process
  o Disk Partitions
  o Master Boot Record
    - Structure of a Master Boot Record
  o What is the Booting Process?
  o Essential Windows System Files
  o Windows Boot Process
  o Macintosh Boot Process
  o http://www.bootdisk.com
• Understanding File Systems
  o Understanding File Systems
  o Types of File Systems
  o List of Disk File Systems
  o List of Network File Systems
  o List of Special Purpose File Systems
  o List of Shared Disk File Systems
  o Popular Windows File Systems
    - File Allocation Table (FAT)
    - FAT File System Layout
    - FAT Partition Boot Sector
    - FAT Structure
    - FAT Folder Structure
    - Directory Entries and Cluster Chains
    - Filenames on FAT Volumes
    - Examining FAT
    - FAT32
    - New Technology File System (NTFS)
    - NTFS Architecture
    - NTFS System Files
    - NTFS Partition Boot Sector
    - Cluster Sizes of NTFS Volume
    - NTFS Master File Table (MFT)
    - Metadata Files Stored in the MFT
    - NTFS Files and Data Storage
    - NTFS Attributes
    - NTFS Data Stream
    - NTFS Compressed Files
    - Setting the Compression State of a Volume
    - Encrypting File Systems (EFS)
    - Components of EFS
    - Operation of Encrypting File System
    - EFS Attribute
    - Encrypting a File
    - EFS Recovery Key Agent
    - Tool: Advanced EFS Data Recovery
    - Tool: EFS Key
    - Sparse Files
    - Deleting NTFS Files
    - Registry Data
    - Examining Registry Data
    - FAT vs. NTFS
  o Popular Linux File Systems
    - Linux File System Architecture
    - Ext2
    - Ext3


  o Mac OS X File System
    - HFS vs. HFS Plus
    - HFS
    - HFS Plus
    - HFS Plus Volumes
    - HFS Plus Journal
  o Sun Solaris 10 File System: ZFS
  o CD-ROM / DVD File System
  o CDFS
• RAID Storage System
  o RAID Levels
  o Different RAID Levels
  o Comparing RAID Levels
  o Recover Data from Unallocated Space Using File Carving Process
• File System Analysis Using The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK): fsstat
  o The Sleuth Kit (TSK): istat
  o The Sleuth Kit (TSK): fls and img_stat

Module 08: Windows Forensics

• Collecting Volatile Information
  o Volatile Information
  o System Time
  o Logged-on Users
  o Psloggedon
  o Net Sessions Command
  o Logonsessions Tool
  o Open Files
  o Net File Command
  o PsFile Command
  o OpenFiles Command
  o Network Information
  o Network Connections
  o Process Information
  o Process-to-Port Mapping
  o Process Memory
  o Network Status
  o Other Important Information
• Collecting Non-volatile Information
  o Non-volatile Information
  o Examine File Systems
  o Registry Settings
  o Microsoft Security ID
  o Event Logs
  o Index.dat File
  o Devices and Other Information
  o Slack Space
  o Virtual Memory
  o Swap File
  o Windows Search Index
  o Collecting Hidden Partition Information
  o Hidden ADS Streams
  o Investigating ADS Streams: StreamArmor
  o Other Non-Volatile Information
• Windows Memory Analysis
  o Memory Dump
  o EProcess Structure
  o Process Creation Mechanism
  o Parsing Memory Contents
  o Parsing Process Memory
  o Extracting the Process Image
  o Collecting Process Memory
• Windows Registry Analysis
  o Inside the Registry
  o Registry Structure within a Hive File
  o The Registry as a Log File
  o Registry Analysis
  o System Information
  o TimeZone Information
  o Shares
  o Audit Policy
  o Wireless SSIDs
  o Autostart Locations
  o System Boot
  o User Login
  o User Activity
  o Enumerating Autostart Registry Locations
  o USB Removable Storage Devices
  o Mounted Devices
  o Finding Users
  o Tracking User Activity
  o The UserAssist Keys
  o MRU Lists
  o Search Assistant
  o Connecting to Other Systems
  o Analyzing Restore Point Registry Settings
  o Determining the Startup Locations
• Cache, Cookie, and History Analysis
  o Cache, Cookie, and History Analysis in IE
  o Cache, Cookie, and History Analysis in Firefox
  o Cache, Cookie, and History Analysis in Chrome
  o Analysis Tools
    - IE Cookies View
    - IE Cache View
    - IE History Viewer
    - MozillaCookiesView
    - MozillaCacheView
    - MozillaHistoryView
    - ChromeCookiesView
    - ChromeCacheView
    - ChromeHistoryView


Course Outline: Computer Hacking Forensics Investigator version 8 � MD5 Calculation

o Message Digest Function: MD5

o Why MD5 Calculation?

o MD5 Hash Calculators: HashCalc, MD5

Calculator and HashMyFiles

o MD5 Checksum Verifier

o ChaosMD5

� Windows File Analysis

o Recycle Bin

o System Restore Points (Rp.log Files)

o System Restore Points (Change.log.x

Files)

o Prefetch Files

o Shortcut Files

o Word Documents

o PDF Documents

o Image Files o File Signature Analysis

o NTFS Alternate Data Streams

o Executable File Analysis

o Documentation Before Analysis

o Static Analysis Process

o Search Strings

o PE Header Analysis

o Import Table Analysis

o Export Table Analysis

o Dynamic Analysis Process

o Creating Test Environment

o Collecting Information Using Tools

o Process of Testing the Malware

� Metadata Investigation

o Metadata

o Types of Metadata

o Metadata in Different File Systems

o Metadata in PDF Files

o Metadata in Word Documents

o Tool: Metadata Analyzer

� Text Based Logs

o Understanding Events

o Event Logon Types

o Event Record Structure

o Vista Event Logs

o IIS Logs

o Parsing IIS Logs

o Parsing FTP Logs

o FTP sc-status Codes

o Parsing DHCP Server Logs

o Parsing Windows Firewall Logs

o Using the Microsoft Log Parser

� Other Audit Events

o Evaluating Account Management

Events

o Examining Audit Policy Change Events

o Examining System Log Entries

o Examining Application Log Entries

� Forensic Analysis of Event Logs

o Searching with Event Viewer

o Using EnCase to Examine Windows

Event Log Files

o Windows Event Log Files Internals

▪ Windows Password Issues
o Understanding Windows Password Storage
o Cracking Windows Passwords Stored on Running Systems
o Exploring Windows Authentication Mechanisms
  ▪ LanMan Authentication Process
  ▪ NTLM Authentication Process
  ▪ Kerberos Authentication Process
o Sniffing and Cracking Windows Authentication Exchanges
o Cracking Offline Passwords

▪ Forensic Tools
o Windows Forensics Tool: OS Forensics
o Windows Forensics Tool: Helix3 Pro
o Integrated Windows Forensics Software: X-Ways Forensics
o X-Ways Trace
o Windows Forensic Toolchest (WFT)
o Built-in Tool: Sigverif
o Computer Online Forensic Evidence Extractor (COFEE)
o System Explorer
o Tool: System Scanner
o SecretExplorer
o Registry Viewer Tool: Registry Viewer
o Registry Viewer Tool: RegScanner
o Registry Viewer Tool: Alien Registry Viewer
o MultiMon
o CurrProcess
o Process Explorer
o Security Task Manager
o PrcView
o ProcHeapViewer
o Memory Viewer
o Tool: PMDump
o Word Extractor
o Belkasoft Evidence Center
o Belkasoft Browser Analyzer
o Metadata Assistant
o HstEx
o XpoLog Center Suite
o LogViewer Pro
o Event Log Explorer
o LogMeister
o ProDiscover Forensics
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DriveLook

Module 09: Data Acquisition and Duplication

▪ Data Acquisition and Duplication Concepts
o Data Acquisition
  ▪ Forensic and Procedural Principles
  ▪ Types of Data Acquisition Systems
  ▪ Data Acquisition Formats
  ▪ Bit Stream vs. Backups
  ▪ Why to Create a Duplicate Image?
  ▪ Issues with Data Duplication
  ▪ Data Acquisition Methods
  ▪ Determining the Best Acquisition Method
  ▪ Contingency Planning for Image Acquisitions
  ▪ Data Acquisition Mistakes
  ▪ Data Acquisition Types
o Rules of Thumb
o Static Data Acquisition
  ▪ Collecting Static Data
  ▪ Static Data Collection Process
o Live Data Acquisition
  ▪ Why Volatile Data is Important?
  ▪ Volatile Data
  ▪ Order of Volatility
  ▪ Common Mistakes in Volatile Data Collection
  ▪ Volatile Data Collection Methodology
  ▪ Basic Steps in Collecting Volatile Data
  ▪ Types of Volatile Information

▪ Disk Acquisition Tool Requirements
o Disk Imaging Tool Requirements
o Disk Imaging Tool Requirements: Mandatory
o Disk Imaging Tool Requirements: Optional

▪ Validation Methods
o Validating Data Acquisitions
o Linux Validation Methods
o Windows Validation Methods

▪ RAID Data Acquisition
o Understanding RAID Disks
o Acquiring RAID Disks
o Remote Data Acquisition

▪ Acquisition Best Practices
o Acquisition Best Practices

▪ Data Acquisition Software Tools
o Acquiring Data on Windows
o Acquiring Data on Linux
o dd Command
o dcfldd Command
o Extracting the MBR
o Netcat Command
o EnCase Forensic
o Analysis Software: DriveSpy
o ProDiscover Forensics
o AccessData FTK Imager
o Mount Image Pro
o Data Acquisition Toolbox
o SafeBack
o ILookPI
o RAID Recovery for Windows
o R-Tools R-Studio
o F-Response
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DataLifter
o X-Ways Forensics
o R-drive Image
o DriveLook
o DiskExplorer
o P2 eXplorer Pro
o Flash Retriever Forensic Edition
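
The dd, dcfldd, MD5 calculation and validation items in this module fit together as one workflow: copy the evidence device block by block, hash the bytes as they pass, re-hash the image to verify it, then pull the first sector to read the partition table. The following is an added example for this outline, not a replacement for those tools and not course material: an in-memory stand-in for /dev/sdX with a constructed MBR plays the evidence device, and the code does what `dcfldd if=/dev/sdX of=image.dd hash=md5,sha256` followed by `dd if=image.dd bs=512 count=1` would do, plus a parse of the four partition entries. Everything in it (device size, partition layout, the NTFS OEM ID placed at the partition start) comes from the constructed sample.

```python
"""Block-wise acquisition with inline hashing, verification and MBR parsing (added example, constructed device)."""
import hashlib
import io
import struct

SECTOR = 512
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
                   0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT protective"}

def image_and_hash(src, dst, block_size: int = 64 * 1024) -> dict:
    """Copy src to dst in fixed blocks (dd bs=), hashing the stream on the way (dcfldd hash=md5,sha256)."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    while True:
        chunk = src.read(block_size)
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        total += len(chunk)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Independent re-hash of the written image: the step that turns a copy into verified evidence."""
    return hashlib.sha256(image).hexdigest() == expected_sha256

def extract_mbr(image: bytes) -> bytes:
    """Sector 0, the same bytes 'dd if=image bs=512 count=1' would give."""
    return image[:SECTOR]

def parse_mbr(sector0: bytes) -> list:
    """Four 16-byte entries at offset 446; boot signature 0x55AA at offset 510."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR, or a damaged one")
    parts = []
    for i in range(4):
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from("<B3sB3sII", sector0, 446 + 16 * i)
        if ptype == 0:
            continue                        # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts

def build_sample_device(sectors: int = 4096) -> bytes:
    """Constructed 2 MiB 'device': one bootable NTFS-typed partition starting at LBA 2048."""
    dev = bytearray(sectors * SECTOR)
    dev[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, sectors - 2048)
    dev[510:512] = b"\x55\xaa"
    dev[2048 * SECTOR + 3: 2048 * SECTOR + 11] = b"NTFS    "   # OEM ID where an NTFS boot sector carries it
    return bytes(dev)

def acquire_demo() -> dict:
    device = build_sample_device()
    src, dst = io.BytesIO(device), io.BytesIO()
    acq = image_and_hash(src, dst)
    image = dst.getvalue()
    parts = parse_mbr(extract_mbr(image))
    # what a single flipped byte (bad sector copy, tampering) does to verification
    tampered = bytearray(image)
    tampered[1000] ^= 0x01
    first = parts[0]["byte_offset"]
    return {"acquisition": acq, "verified": verify_image(image, acq["sha256"]),
            "tamper_detected": not verify_image(bytes(tampered), acq["sha256"]),
            "partitions": parts, "first_partition_oem_id": image[first + 3:first + 11]}

if __name__ == "__main__":
    result = acquire_demo()
    print(result["acquisition"])
    print("verified:", result["verified"], "tamper detected:", result["tamper_detected"])
    for p in result["partitions"]:
        print(p)
```

Hashing the stream during the copy and hashing the finished image again are two different measurements; the acquisition hash proves what was read from the device, the verification hash proves what landed on disk, and an examiner records both.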

▪ Data Acquisition Hardware Tools
o US-LATT
o Image MASSter: Solo-4 (Super Kit)
o Image MASSter: RoadMASSter-3
o Tableau TD1 Forensic Duplicator
o Logicube: Forensic MD5
o Logicube: Portable Forensic Lab™
o Logicube: Forensic Talon®
o Logicube: RAID I/O Adapter™
o DeepSpar: Disk Imager Forensic Edition
o Logicube: USB Adapter
o Disk Jockey PRO
o Logicube: Forensic Quest-2®
o Logicube: CloneCard Pro
o Logicube: EchoPlus
o Paraben Forensics Hardware: Chat Stick
o Image MASSter: Rapid Image 7020CS IT
o Digital Intelligence Forensic Hardware: UltraKit
o Digital Intelligence Forensic Hardware: UltraBay II
o Digital Intelligence Forensic Hardware: UltraBlock SCSI
o Digital Intelligence Forensic Hardware: HardCopy 3P
o Wiebetech: Forensics DriveDock v4
o Wiebetech: Forensics UltraDock v4
o Image MASSter: WipeMASSter
o Image MASSter: WipePRO
o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
o Forensic Tower IV Dual Xeon
o Digital Intelligence Forensic Hardware: FREDDIE
o DeepSpar: 3D Data Recovery
  ▪ Phase 1 Tool: PC-3000 Drive Restoration System
  ▪ Phase 2 Tool: DeepSpar Disk Imager
  ▪ Phase 3 Tool: PC-3000 Data Extractor
o Logicube
  ▪ Cables
  ▪ Adapters
  ▪ GPStamp™
  ▪ OmniPort
  ▪ CellDEK®
o Paraben Forensics Hardware
  ▪ Project-a-Phone
  ▪ Mobile Field Kit
  ▪ iRecovery Stick
o CelleBrite
  ▪ UFED System
  ▪ UFED Physical Pro

Module 10: Recovering Deleted Files and Deleted Partitions

▪ Recovering the Deleted Files
o Deleting Files
o What Happens When a File is Deleted in Windows?
o Recycle Bin in Windows
  ▪ Storage Locations of Recycle Bin in FAT and NTFS System
  ▪ How the Recycle Bin Works
  ▪ Damaged or Deleted INFO File
  ▪ Damaged Files in Recycled Folder
  ▪ Damaged Recycle Folder
o File Recovery in MAC OS X
o File Recovery in Linux

▪ File Recovery Tools for Windows
o Recover My Files
o EASEUS Data Recovery Wizard
o PC INSPECTOR File Recovery
o Recuva
o DiskDigger
o Handy Recovery
o Quick Recovery
o Stellar Phoenix Windows Data Recovery
o Tools to Recover Deleted Files
  ▪ Total Recall
  ▪ Advanced Disk Recovery
  ▪ Windows Data Recovery Software
  ▪ R-Studio
  ▪ PC Tools File Recover
  ▪ Data Rescue PC
  ▪ Smart Undelete
  ▪ FileRestore Professional
  ▪ Deleted File Recovery Software
  ▪ DDR Professional Recovery Software
  ▪ Data Recovery Pro
  ▪ GetDataBack
  ▪ UndeletePlus
  ▪ Search and Recover
  ▪ File Scavenger
  ▪ Filesaver
  ▪ Virtual Lab
  ▪ Active@ UNDELETE
  ▪ Win Undelete
  ▪ R-Undelete
  ▪ Recover4all Professional
  ▪ eData Unerase
  ▪ Active@ File Recovery
  ▪ FinalRecovery

▪ File Recovery Tools for MAC
o MAC File Recovery
o MAC Data Recovery
o Boomerang Data Recovery Software
o VirtualLab
o File Recovery Tools for MAC OS X
  ▪ DiskWarrior
  ▪ AppleXsoft File Recovery for MAC
  ▪ Disk Doctors MAC Data Recovery
  ▪ R-Studio for MAC
  ▪ Data Rescue
  ▪ Stellar Phoenix MAC Data Recovery
  ▪ FileSalvage
  ▪ TechTool Pro

▪ File Recovery Tools for Linux
o R-Studio for Linux
o Quick Recovery for Linux
o Kernel for Linux Data Recovery
o TestDisk for Linux

▪ Recovering the Deleted Partitions
o Disk Partition
o Deletion of Partition
o Recovery of the Deleted Partition

▪ Partition Recovery Tools
o Active@ Partition Recovery for Windows
o Acronis Recovery Expert
o DiskInternals Partition Recovery
o NTFS Partition Data Recovery
o GetDataBack
o EASEUS Partition Recovery
o Advanced Disk Recovery
o Power Data Recovery
o Remo Recover (MAC) - Pro
o MAC Data Recovery Software
o Quick Recovery for Linux
o Stellar Phoenix Linux Data Recovery Software
o Tools to Recover Deleted Partitions
  ▪ Handy Recovery
  ▪ TestDisk for Windows
  ▪ Stellar Phoenix Windows Data Recovery
  ▪ ARAX Disk Doctor
  ▪ Power Data Recovery
  ▪ Quick Recovery for MAC
  ▪ Partition Find & Mount
  ▪ Advance Data Recovery Software Tools
  ▪ TestDisk for MAC
  ▪ Kernel for FAT and NTFS – Windows Disk Recovery
  ▪ Disk Drill
  ▪ Stellar Phoenix MAC Data Recovery
  ▪ ZAR Windows Data Recovery
  ▪ AppleXsoft File Recovery for MAC
  ▪ Quick Recovery for FAT & NTFS
  ▪ TestDisk for Linux

Module 11: Forensics Investigation using AccessData FTK

▪ Overview and Installation of FTK
o Overview of Forensic Toolkit (FTK)
o Features of FTK
o Software Requirement
o Configuration Option
o Database Installation
o FTK Application Installation

▪ FTK Case Manager User Interface
o Case Manager Window
o Case Manager Database Menu
o Setting Up Additional Users and Assigning Roles
o Case Manager Case Menu
o Assigning Users Shared Label Visibility
o Case Manager Tools Menu
o Recovering Processing Jobs
o Restoring an Image to a Disk
o Case Manager Manage Menu
o Managing Carvers
o Managing Custom Identifiers

▪ FTK Examiner User Interface
o FTK Examiner User Interface
o Menu Bar: File Menu
o Exporting Files
o Exporting Case Data to a Custom Content Image
o Exporting the Word List
o Menu Bar: Edit Menu
o Menu Bar: View Menu
o Menu Bar: Evidence Menu
o Menu Bar: Tools Menu
o Verifying Drive Image Integrity
o Mounting an Image to a Drive
o File List View
o Using Labels
o Creating and Applying a Label

▪ Starting with FTK
o Creating a case
o Selecting Detailed Options: Evidence Processing
o Selecting Detailed Options: Fuzzy Hashing
o Selecting Detailed Options: Data Carving
o Selecting Detailed Options: Custom File Identification
o Selecting Detailed Options: Evidence Refinement (Advanced)
o Selecting Detailed Options: Index Refinement (Advanced)

▪ FTK Interface Tabs
o FTK Interface Tabs
o Explore Tab
o Overview Tab
o Email Tab
o Graphics Tab
o Bookmarks Tab
o Live Search Tabs
o Volatile Tab

▪ Adding and Processing Static, Live, and Remote Evidence
o Adding Evidence to a Case
o Evidence Groups
o Acquiring Local Live Evidence
o FTK Role Requirements For Remote Acquisition
o Types of Remote Information
o Acquiring Data Remotely Using Remote Device Management System (RDMS)
o Imaging Drives
o Mounting and Unmounting a Device

▪ Using and Managing Filters
o Accessing Filter Tools
o Using Filters
o Customizing Filters
o Using Predefined Filters

▪ Using Index Search and Live Search
o Conducting an Index Search
o Selecting Index Search Options
o Viewing Index Search Results
o Documenting Search Results
o Conducting a Live Search: Live Text Search
o Conducting a Live Search: Live Hex Search
o Conducting a Live Search: Live Pattern Search

▪ Decrypting EFS and other Encrypted Files
o Decrypting EFS Files and Folders
o Decrypting MS Office Files
o Viewing Decrypted Files
o Decrypting Domain Account EFS Files from Live Evidence
o Decrypting Credant Files
o Decrypting Safeboot Files

▪ Working with Reports
o Creating a Report
o Entering Case Information
o Managing Bookmarks in a Report
o Managing Graphics in a Report
o Selecting a File Path List
o Adding a File Properties List
o Making Registry Selections
o Selecting the Report Output Options
o Customizing the Formatting of Reports
o Viewing and Distributing a Report

Module 12: Forensics Investigation Using EnCase

▪ Overview of EnCase Forensic
o Overview of EnCase Forensic
o EnCase Forensic Features
o EnCase Forensic Platform
o EnCase Forensic Modules

▪ Installing EnCase Forensic
o Minimum Requirements
o Installing the Examiner
o Installed Files
o Installing the EnCase Modules
o Configuring EnCase
o Configuring EnCase: Case Options Tab
o Configuring EnCase: Global Tab
o Configuring EnCase: Debug Tab
o Configuring EnCase: Colors Tab and Fonts Tab
o Configuring EnCase: EnScript Tab and Storage Paths Tab
o Sharing Configuration (INI) Files

▪ EnCase Interface
o Main EnCase Window
  ▪ System Menu Bar
  ▪ Toolbar
  ▪ Panes Overview
  ▪ Tree Pane
  ▪ Table Pane
  ▪ Table Pane: Table Tab
  ▪ Table Pane: Report Tab
  ▪ Table Pane: Gallery Tab
  ▪ Table Pane: Timeline Tab
  ▪ Table Pane: Disk Tab and Code Tab
o View Pane
  ▪ Filter Pane
  ▪ Filter Pane Tabs
  ▪ Creating a Filter
  ▪ Creating Conditions
o Status Bar

▪ Case Management
o Overview of Case Structure
o Case Management
o Indexing a Case
o Case Backup
o Options Dialog Box
o Logon Wizard
o New Case Wizard
o Setting Time Zones for Case Files
o Setting Time Zone Options for Evidence Files

▪ Working with Evidence
o Types of Entries
o Adding a Device
o Adding a Device using Tableau Write Blocker
o Performing a Typical Acquisition
o Acquiring a Device
o Canceling an Acquisition
o Acquiring a Handspring PDA
o Delayed Loading of Internet Artifacts
o Hashing the Subject Drive
o Logical Evidence File (LEF)
o Creating a Logical Evidence File
o Recovering Folders on FAT Volumes
o Restoring a Physical Drive

▪ Source Processor
o Source Processor
o Starting to Work with Source Processor
o Setting Case Options
o Collection Jobs
o Creating a Collection Job
o Copying a Collection Job
o Running a Collection Job
o Analysis Jobs
o Creating an Analysis Job
o Running an Analysis Job
o Creating a Report

▪ Analyzing and Searching Files
o Viewing the File Signature Directory
o Performing a Signature Analysis
o Hash Analysis
o Hashing a New Case
o Creating a Hash Set
o Keyword Searches
o Creating Global Keywords
o Adding Keywords
o Importing and Exporting Keywords
o Searching Entries for Email and Internet Artifacts
o Viewing Search Hits
o Generating an Index
o Tag Records

▪ Viewing File Content
o Viewing Files
o Copying and Unerasing Files
o Adding a File Viewer
o Viewing File Content Using View Pane
o Viewing Compound Files
o Viewing Base64 and UUE Encoded Files

▪ Bookmarking Items
o Bookmarks Overview
o Creating a Highlighted Data Bookmark
o Creating a Note Bookmark
o Creating a Folder Information/Structure Bookmark
o Creating a Notable File Bookmark
o Creating a File Group Bookmark
o Creating a Log Record Bookmark
o Creating a Snapshot Bookmark
o Organizing Bookmarks
o Copying/Moving a Table Entry into a Folder
o Viewing a Bookmark on the Table Report Tab
o Excluding Bookmarks
o Copying Selected Items from One Folder to Another

▪ Reporting
o Reporting
o Report User Interface
o Creating a Report Using the Report Tab
o Report Single/Multiple Files
o Viewing a Bookmark Report
o Viewing an Email Report
o Viewing a Webmail Report
o Viewing a Search Hits Report
o Creating a Quick Entry Report
o Creating an Additional Fields Report

o Exporting a Report

Module 13: Steganography and Image File Forensics

▪ Steganography
o What is Steganography?
o How Steganography Works
o Legal Use of Steganography
o Unethical Use of Steganography
o Steganography Techniques
o Application of Steganography
o Classification of Steganography
o Technical Steganography
o Linguistic Steganography

o Types of Steganography
  ▪ Image Steganography
  ▪ Least Significant Bit Insertion
  ▪ Masking and Filtering
  ▪ Algorithms and Transformation
  ▪ Image Steganography: Hermetic Stego
  ▪ Steganography Tool: S-Tools
  ▪ Image Steganography Tools
  ▪ ImageHide
  ▪ QuickStego
  ▪ Gifshuffle
  ▪ OutGuess
  ▪ Contraband
  ▪ Camera/Shy
  ▪ JPHIDE and JPSEEK
  ▪ StegaNote
  ▪ Audio Steganography
  ▪ Audio Steganography Methods
  ▪ Audio Steganography: Mp3stegz
  ▪ Audio Steganography Tools
  ▪ MAXA Security Tools
  ▪ Stealth Files
  ▪ Audiostegano
  ▪ BitCrypt
  ▪ MP3Stego
  ▪ Steghide
  ▪ Hide4PGP
  ▪ CHAOS Universal
  ▪ Video Steganography
  ▪ Video Steganography: MSU StegoVideo
  ▪ Video Steganography Tools
  ▪ Masker
  ▪ Max File Encryption
  ▪ Xiao Steganography
  ▪ RT Steganography
  ▪ Our Secret
  ▪ BDV DataHider
  ▪ CHAOS Universal
  ▪ OmniHide PRO
  ▪ Document Steganography: wbStego
  ▪ Byte Shelter I
  ▪ Document Steganography Tools
  ▪ Merge Streams
  ▪ Office XML
  ▪ CryptArkan
  ▪ Data Stash
  ▪ FoxHole
  ▪ Xidie Security Suite
  ▪ StegParty
  ▪ Hydan
  ▪ Whitespace Steganography Tool: SNOW
  ▪ Folder Steganography: Invisible Secrets 4
  ▪ Folder Steganography Tools
  ▪ StegoStick
  ▪ QuickCrypto
  ▪ Max Folder Secure
  ▪ WinMend Folder Hidden
  ▪ PSM Encryptor
  ▪ XPTools
  ▪ Universal Shield
  ▪ Hide My Files
  ▪ Spam/Email Steganography: Spam Mimic
o Steganographic File System
o Issues in Information Hiding

▪ Steganalysis
o Steganalysis
o How to Detect Steganography
o Detecting Text, Image, Audio, and Video Steganography
o Steganalysis Methods/Attacks on Steganography
o Disabling or Active Attacks
o Steganography Detection Tool: Stegdetect
o Steganography Detection Tools
  ▪ Xstegsecret
  ▪ Stego Watch
  ▪ StegAlyzerAS
  ▪ StegAlyzerRTS
  ▪ StegSpy
  ▪ Gargoyle Investigator™ Forensic Pro
  ▪ StegAlyzerSS
  ▪ StegMark
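
Least significant bit insertion and its detection, both listed above, are easiest to understand side by side. The following is an added example for this outline (not S-Tools, Stegdetect or course material): it embeds a length-prefixed payload in the LSBs of an 8-bit grayscale "image", extracts it again, and then runs the pairs-of-values chi-square test (Westfeld and Pfitzmann) that steganalysis tools use against sequential LSB embedding. The cover is a constructed 64×64 byte array whose even values are deliberately over-represented, which is what gives it a high chi-square statistic; after a random payload is embedded across almost the whole image the (2k, 2k+1) pair counts even out and the statistic collapses.

```python
"""LSB insertion and pairs-of-values chi-square steganalysis on a constructed cover (added example)."""
import random
import struct

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Sequential LSB insertion: 4-byte big-endian length, then payload, one bit per pixel."""
    frame = struct.pack(">I", len(payload)) + payload
    if len(frame) * 8 > len(cover):
        raise ValueError("payload needs %d pixels, cover has %d" % (len(frame) * 8, len(cover)))
    stego = bytearray(cover)
    for idx, bit in enumerate(_bits(frame)):
        stego[idx] = (stego[idx] & 0xFE) | bit
    return bytes(stego)

def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then exactly that many bytes, from the LSB plane."""
    def read(start_pixel: int, nbytes: int) -> bytes:
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for i in range(8):
                value = (value << 1) | (stego[start_pixel + 8 * b + i] & 1)
            out.append(value)
        return bytes(out)
    length = struct.unpack(">I", read(0, 4))[0]
    if 32 + 8 * length > len(stego):
        raise ValueError("length field exceeds image capacity: not this framing, or no payload")
    return read(32, length)

def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic: LSB embedding drives n(2k) and n(2k+1) together, so the sum shrinks."""
    counts = [0] * 256
    for p in pixels:
        counts[p] += 1
    chi = 0.0
    for k in range(128):
        even, odd = counts[2 * k], counts[2 * k + 1]
        if even + odd:
            chi += (even - odd) ** 2 / (even + odd)
    return chi

def build_cover(size: int = 64 * 64, seed: int = 1) -> bytes:
    """Constructed cover: 80% of samples forced even, mimicking a cover with a skewed LSB plane."""
    rng = random.Random(seed)
    return bytes((rng.randrange(256) & 0xFE) if rng.random() < 0.8 else rng.randrange(256) for _ in range(size))

def steganalysis_demo() -> dict:
    cover = build_cover()
    rng = random.Random(2)
    payload = bytes(rng.randrange(256) for _ in range(500))    # cipher-like payload fills ~98% of capacity
    stego = embed_lsb(cover, payload)
    return {"roundtrip_ok": extract_lsb(stego) == payload,
            "chi_cover": pov_chi_square(cover),
            "chi_stego": pov_chi_square(stego),
            "pixels_changed": sum(1 for a, b in zip(cover, stego) if a != b)}

if __name__ == "__main__":
    d = steganalysis_demo()
    print("payload recovered:", d["roundtrip_ok"], "pixels changed:", d["pixels_changed"])
    print("chi-square cover %.0f vs stego %.0f" % (d["chi_cover"], d["chi_stego"]))
```

The test is only this decisive because the payload fills the image sequentially; a short message, or a tool that scatters bits with a key, leaves most pairs untouched, which is why real steganalysis tools compute the statistic over a sliding window and why a negative result never proves absence.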

▪ Image Files
o Image Files
o Common Terminologies
o Understanding Vector Images
o Understanding Raster Images
o Metafile Graphics
o Understanding Image File Formats
o GIF (Graphics Interchange Format)
o JPEG (Joint Photographic Experts Group)
  ▪ JPEG File Structure
  ▪ JPEG 2000
o BMP (Bitmap) File
  ▪ BMP File Structure
o PNG (Portable Network Graphics)
  ▪ PNG File Structure
o TIFF (Tagged Image File Format)
o TIFF File Structure

▪ Data Compression
o Understanding Data Compression
o How Does File Compression Work?
o Lossless Compression
o Huffman Coding Algorithm
o Lempel-Ziv Coding Algorithm
o Lossy Compression
o Vector Quantization
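
Huffman coding, listed above under lossless compression, is also why an examiner watches compression ratios: data that is already compressed or encrypted has a near-uniform byte distribution and a Huffman tree gives it no shorter codes. The following is an added example for this outline, not course material: it builds the code table from byte frequencies with a priority queue, encodes and decodes, and reports how many bits the result took for a skewed input versus a uniform one. Both inputs are constructed.

```python
"""Huffman coding: code construction, encode/decode, and the uniform-data case (added example)."""
import heapq
from collections import Counter

def build_codes(data: bytes) -> dict:
    """Symbol -> bit string. Merge the two lightest subtrees until one remains; 0 prefixes the left, 1 the right."""
    freq = Counter(data)
    if not freq:
        return {}
    if len(freq) == 1:                              # degenerate alphabet: a single one-bit code
        return {next(iter(freq)): "0"}
    heap = [(weight, sym, {sym: ""}) for sym, weight in freq.items()]
    heapq.heapify(heap)
    tiebreak = 256                                  # keeps tuple comparison from ever reaching the dicts
    while len(heap) > 1:
        w1, _, left = heapq.heappop(heap)
        w2, _, right = heapq.heappop(heap)
        merged = {s: "0" + c for s, c in left.items()}
        merged.update({s: "1" + c for s, c in right.items()})
        heapq.heappush(heap, (w1 + w2, tiebreak, merged))
        tiebreak += 1
    return heap[0][2]

def encode(data: bytes, codes: dict) -> str:
    return "".join(codes[b] for b in data)

def decode(bits: str, codes: dict) -> bytes:
    """Prefix-free codes: read bits until the buffer matches a codeword, emit, repeat."""
    reverse = {code: sym for sym, code in codes.items()}
    out, buf = bytearray(), ""
    for bit in bits:
        buf += bit
        if buf in reverse:
            out.append(reverse[buf])
            buf = ""
    if buf:
        raise ValueError("trailing bits do not form a codeword: truncated or corrupt stream")
    return bytes(out)

def compression_report(data: bytes) -> dict:
    codes = build_codes(data)
    bits = encode(data, codes)
    return {"input_bits": 8 * len(data), "output_bits": len(bits),
            "longest_code": max((len(c) for c in codes.values()), default=0),
            "roundtrip_ok": decode(bits, codes) == data}

if __name__ == "__main__":
    skewed = b"aaaaaaaabbbbccd"                     # constructed: frequencies 8, 4, 2, 1
    uniform = bytes(range(256)) * 4                 # constructed: every byte value equally often
    for label, sample in (("skewed", skewed), ("uniform", uniform)):
        print(label, compression_report(sample))
```

The skewed sample compresses from 120 bits to 25; the uniform one stays at exactly 8 bits per byte, the same signal a high-entropy check gives when it flags an encrypted container or a packed executable.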

▪ Locating and Recovering Image Files
o Best Practices for Forensic Image Analysis
o Forensic Image Processing Using MATLAB
o Locating and Recovering Image Files
o Analyzing Image File Headers
o Repairing Damaged Headers
o Reconstructing File Fragments
o Identifying Unknown File Formats
o Identifying Image File Fragments
o Identifying Copyright Issues on Graphics
o Picture Viewer: IrfanView
o Picture Viewer: ACDSee Photo Manager 12
o Picture Viewer: Thumbsplus
o Picture Viewer: AD Picture Viewer Lite
o Picture Viewer Max
o Picture Viewer: FastStone Image Viewer
o Picture Viewer: XnView
o Faces – Sketch Software
o Digital Camera Data Discovery Software: File Hound
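
Analyzing image file headers and repairing damaged headers, listed above, come down to knowing the format's structure and checksums; the PNG file structure item earlier in this module is the cleanest case: an 8-byte signature, then chunks of length, type, data and CRC-32 over type plus data, ending with IEND, after which nothing should follow. The following is an added example for this outline, not course material: it builds a small grayscale PNG in memory (constructed), walks the chunk list verifying each CRC, parses IHDR, reports bytes appended after IEND (a common place for hidden payloads), and repairs an overwritten signature when the chunk structure at offset 8 still reads as IHDR.

```python
"""PNG structure walk: signature, chunk CRCs, IHDR, trailing data, signature repair (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)

def build_sample_png(width: int = 2, height: int = 2) -> bytes:
    """Constructed 2x2 8-bit grayscale PNG; each scanline starts with filter byte 0."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + bytes([40 * (y + 1)] * width) for y in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def walk_png(data: bytes) -> dict:
    """Chunk-by-chunk parse with CRC verification; stops at IEND and measures what follows it."""
    if data[:8] != PNG_SIG:
        raise ValueError("PNG signature missing or damaged")
    pos, chunks, ihdr, trailing, truncated = 8, [], None, 0, False
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 8 + length
        if end + 4 > len(data):
            truncated = True
            break
        body = data[pos + 8:end]
        crc_ok = struct.unpack_from(">I", data, end)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("latin-1"), "length": length, "crc_ok": crc_ok})
        if ctype == b"IHDR" and length == 13:
            w, h, depth, color, comp, filt, interlace = struct.unpack(">IIBBBBB", body)
            ihdr = {"width": w, "height": h, "bit_depth": depth, "color_type": color,
                    "compression": comp, "filter": filt, "interlace": interlace}
        pos = end + 4
        if ctype == b"IEND":
            trailing = len(data) - pos          # anything here is not part of the image
            break
    else:
        truncated = True                        # ran off the end without seeing IEND
    return {"chunks": chunks, "ihdr": ihdr, "trailing_bytes": trailing, "truncated": truncated}

def repair_signature(data: bytes) -> bytes:
    """If offset 8 still holds a 13-byte IHDR chunk, only the signature was overwritten: put it back."""
    if data[:8] == PNG_SIG:
        return data
    if data[8:16] == struct.pack(">I", 13) + b"IHDR":
        return PNG_SIG + data[8:]
    raise ValueError("no recognisable PNG chunk structure after the signature")

if __name__ == "__main__":
    png = build_sample_png()
    print(walk_png(png))
    print("appended payload:", walk_png(png + b"hidden payload")["trailing_bytes"], "bytes")
    damaged = b"\x00" * 8 + png[8:]
    print("repaired:", walk_png(repair_signature(damaged))["ihdr"])
    corrupt = bytearray(png)
    corrupt[8 + 8 + 13 + 4 + 8 + 2] ^= 0xFF           # flip a byte inside IDAT's data
    print([(c["type"], c["crc_ok"]) for c in walk_png(bytes(corrupt))["chunks"]])
```

A failed CRC on IDAT with a good IHDR is the pattern of a file carved across a bad sector or a partially overwritten cluster; trailing bytes after IEND with all CRCs intact is the pattern of a payload appended by a steganography or data-hiding tool.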

▪ Image File Forensics Tools
o Hex Workshop
o GFE Stealth™ - Forensics Graphics File Extractor
o Ilook
o Adroit Photo Forensics 2011
o Digital Photo Recovery
o Stellar Phoenix Photo Recovery Software
o Zero Assumption Recovery (ZAR)
o Photo Recovery Software
o Forensic Image Viewer
o File Finder
o DiskGetor Data Recovery
o DERescue Data Recovery Master
o Recover My Files
o Universal Viewer

Module 14: Application Password Crackers

▪ Password Cracking Concepts
o Password - Terminology
o Password Types
o Password Cracker
o How Does a Password Cracker Work?
o How Hash Passwords are Stored in Windows SAM

▪ Types of Password Attacks
o Password Cracking Techniques
o Types of Password Attacks
o Passive Online Attacks: Wire Sniffing
o Password Sniffing
o Passive Online Attack: Man-in-the-Middle and Replay Attack
o Active Online Attack: Password Guessing
o Active Online Attack: Trojan/Spyware/Keylogger
o Active Online Attack: Hash Injection Attack
o Rainbow Attacks: Pre-Computed Hash
o Distributed Network Attack
o Elcomsoft Distributed Password Recovery
o Non-Electronic Attacks
o Manual Password Cracking (Guessing)
o Automatic Password Cracking Algorithm
o Time Needed to Crack Passwords
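
How password hashes are stored in the SAM and why pre-computed hash attacks work, both listed above (and the NTLM items under Windows Password Issues earlier in this outline), follow directly from the NT hash construction: MD4 over the UTF-16LE password, no salt. The following is an added example for this outline, not course material or any of the tools listed: MD4 is implemented in pure Python (RFC 1320) because OpenSSL builds often disable it, the NT hash is derived from it, and a pre-computed table of candidate hashes is looked up the way a rainbow-table or dictionary attack would. The two NT test vectors (the empty password and "password") are the widely published values; the account list is constructed.

```python
"""NT hash (MD4 over UTF-16LE, unsalted) and a pre-computed hash lookup (added example)."""
import struct

_MASK = 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, pure Python; hashlib's md4 is frequently unavailable under OpenSSL 3."""
    def rol(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)                  # bit length, little-endian
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    R2 = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack_from("<16I", msg, off)
        a, b, c, d = A, B, C, D
        for i in range(16):
            a, b, c, d = d, rol((a + F(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rol((a + G(b, c, d) + X[R2[i]] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):
            a, b, c, d = d, rol((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)

def nt_hash(password: str) -> str:
    """What the SAM stores for a local account: MD4(UTF-16LE(password)), hex, no salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()

def precompute(wordlist) -> dict:
    """Hash -> plaintext table. With no salt, one table serves every account on every machine."""
    return {nt_hash(w): w for w in wordlist}

def crack(sam_dump: dict, table: dict) -> dict:
    """sam_dump maps username -> NT hash (as pwdump-style tools print it); returns recovered plaintexts."""
    return {user: table[h.lower()] for user, h in sam_dump.items() if h.lower() in table}

if __name__ == "__main__":
    # constructed accounts; two users share a password and therefore share a hash
    sam = {"Administrator": nt_hash("Winter2013"), "jsmith": nt_hash("password"),
           "svc_backup": nt_hash("password"), "cfo": nt_hash("Tr0ub4dor&3")}
    table = precompute(["123456", "password", "letmein", "Winter2013", "qwerty"])
    print(crack(sam, table))
    print("identical hashes for identical passwords:", sam["jsmith"] == sam["svc_backup"])
```

The lookup is instantaneous because the table was built once and never depends on the target; that is the whole economic argument for rainbow tables against unsalted hashes, and the reason the "time needed to crack" figures in this module differ by orders of magnitude between NT hashes and salted, iterated formats.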

▪ Classification of Cracking Software
▪ Systems Software vs. Applications Software
▪ System Software Password Cracking
o Bypassing BIOS Passwords
  ▪ Using Manufacturer’s Backdoor Password to Access the BIOS
  ▪ Using Password Cracking Software
  ▪ CmosPwd
  ▪ Resetting the CMOS using the Jumpers or Solder Beads
  ▪ Removing CMOS Battery
  ▪ Overloading the Keyboard Buffer and Using a Professional Service
o Tool to Reset Admin Password: Active@ Password Changer
o Tool to Reset Admin Password: Windows Key

▪ Application Software Password Cracking
o Passware Kit Forensic
o Accent Keyword Extractor
o Distributed Network Attack
o Password Recovery Bundle
o Advanced Office Password Recovery
o Office Password Recovery
o Office Password Recovery Toolbox
o Office Multi-document Password Cracker
o Word Password Recovery Master
o Accent WORD Password Recovery
o Word Password
o PowerPoint Password Recovery
o PowerPoint Password
o Powerpoint Key
o Stellar Phoenix Powerpoint Password Recovery
o Excel Password Recovery Master
o Accent EXCEL Password Recovery
o Excel Password
o Advanced PDF Password Recovery
o PDF Password Cracker
o PDF Password Cracker Pro
o Atomic PDF Password Recovery
o PDF Password
o Recover PDF Password
o Appnimi PDF Password Recovery
o Advanced Archive Password Recovery
o KRyLack Archive Password Recovery
o Zip Password
o Atomic ZIP Password Recovery
o RAR Password Unlocker
o Default Passwords
o http://www.defaultpassword.com
o http://www.cirt.net/passwords
o http://default-password.info
o http://www.defaultpassword.us
o http://www.passwordsdatabase.com
o http://www.virus.org

▪ Password Cracking Tools
o L0phtCrack
o OphCrack
o Cain & Abel
o RainbowCrack
o Windows Password Unlocker
o Windows Password Breaker
o SAMInside
o PWdump7 and Fgdump
o PCLoginNow
o KerbCrack
o Recover Keys
o Windows Password Cracker
o Proactive System Password Recovery
o Password Unlocker Bundle
o Windows Password Reset Professional
o Windows Password Reset Standard
o Krbpwguess
o Password Kit
o WinPassword
o Passware Kit Enterprise
o Rockxp
o PasswordsPro
o LSASecretsView
o LCP
o MessenPass
o Mail PassView
o Messenger Key
o Dialupass
o Protected Storage PassView
o Network Password Recovery
o Asterisk Key
o IE PassView

Module 15: Log Capturing and Event Correlation

▪ Computer Security Logs
o Computer Security Logs
o Operating System Logs
o Application Logs
o Security Software Logs
o Router Log Files
o Honeypot Logs
o Linux Process Accounting
o Logon Event in Windows
o Windows Log File
  ▪ Configuring Windows Logging
  ▪ Analyzing Windows Logs
  ▪ Windows Log File: System Logs
  ▪ Windows Log File: Application Logs
  ▪ Logon Events that appear in the Security Event Log
o IIS Logs
  ▪ IIS Log File Format
  ▪ Maintaining Credible IIS Log Files
o Log File Accuracy
o Log Everything
o Keeping Time
o UTC Time
o View the DHCP Logs
  ▪ Sample DHCP Audit Log File
o ODBC Logging

▪ Logs and Legal Issues
o Legality of Using Logs
o Records of Regularly Conducted Activity as Evidence
o Laws and Regulations

▪ Log Management
o Log Management
  ▪ Functions of Log Management
  ▪ Challenges in Log Management
  ▪ Meeting the Challenges in Log Management

▪ Centralized Logging and Syslogs
o Centralized Logging
  ▪ Centralized Logging Architecture
  ▪ Steps to Implement Central Logging
o Syslog
  ▪ Syslog in Unix-Like Systems
  ▪ Steps to Set Up a Syslog Server for Unix Systems
  ▪ Advantages of Centralized Syslog Server
o IIS Centralized Binary Logging

▪ Time Synchronization
o Why Synchronize Computer Times?
o What is NTP?
o NTP Stratum Levels
o NIST Time Servers
o Configuring Time Server in Windows Server
o Event Correlation
  ▪ Event Correlation
  ▪ Types of Event Correlation
  ▪ Prerequisites for Event Correlation
  ▪ Event Correlation Approaches
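
Event correlation approaches, listed above, are usually taught as rule-based, field-based and time-window correlation. The following is an added example for this outline, not course material or any listed product: it correlates normalized logon events from a constructed set (timestamps, users and addresses made up for the demo) with two rules, a burst of failures from one source followed by a success within a window, and one account succeeding from two different sources within a window. It assumes the events were already parsed into a common schema and synchronized to one clock, which is why the time synchronization items sit next to correlation in this module.

```python
"""Time-window event correlation over normalized logon events (added example on constructed data)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, already-normalized events (one schema for Windows security log, syslog, VPN, etc.).
EVENTS = [
    {"ts": "2013-04-02T08:00:01", "host": "dc01", "event": "logon_failure", "user": "admin",  "src_ip": "198.51.100.23"},
    {"ts": "2013-04-02T08:00:05", "host": "dc01", "event": "logon_failure", "user": "admin",  "src_ip": "198.51.100.23"},
    {"ts": "2013-04-02T08:00:09", "host": "dc01", "event": "logon_failure", "user": "admin",  "src_ip": "198.51.100.23"},
    {"ts": "2013-04-02T08:00:14", "host": "dc01", "event": "logon_failure", "user": "admin",  "src_ip": "198.51.100.23"},
    {"ts": "2013-04-02T08:00:20", "host": "dc01", "event": "logon_success", "user": "admin",  "src_ip": "198.51.100.23"},
    {"ts": "2013-04-02T08:00:30", "host": "fs01", "event": "logon_failure", "user": "jsmith", "src_ip": "203.0.113.7"},
    {"ts": "2013-04-02T08:00:35", "host": "fs01", "event": "logon_success", "user": "jsmith", "src_ip": "203.0.113.7"},
    {"ts": "2013-04-02T08:05:00", "host": "vpn1", "event": "logon_success", "user": "admin",  "src_ip": "192.0.2.44"},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def bruteforce_then_success(events, threshold=3, window_s=60):
    """Rule 1: at least `threshold` failures from one source within window_s, then a success from that source."""
    failures = defaultdict(deque)           # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=_ts):
        now, q = _ts(e), failures[e["src_ip"]]
        while q and now - q[0] > timedelta(seconds=window_s):
            q.popleft()                     # slide the window
        if e["event"] == "logon_failure":
            q.append(now)
        elif e["event"] == "logon_success" and len(q) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src_ip": e["src_ip"], "user": e["user"],
                           "host": e["host"], "failures": len(q), "at": e["ts"]})
            q.clear()                       # one alert per burst
    return alerts

def account_from_multiple_sources(events, window_s=900):
    """Rule 2: the same account succeeds from two different source addresses within window_s."""
    last = {}                               # user -> (timestamp, src_ip) of the most recent success
    alerts = []
    for e in sorted(events, key=_ts):
        if e["event"] != "logon_success":
            continue
        now = _ts(e)
        prev = last.get(e["user"])
        if prev and prev[1] != e["src_ip"] and now - prev[0] <= timedelta(seconds=window_s):
            alerts.append({"rule": "account-from-multiple-sources", "user": e["user"],
                           "sources": [prev[1], e["src_ip"]],
                           "seconds_apart": int((now - prev[0]).total_seconds()), "at": e["ts"]})
        last[e["user"]] = (now, e["src_ip"])
    return alerts

def correlate(events) -> list:
    return bruteforce_then_success(events) + account_from_multiple_sources(events)

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Both rules are meaningless if the hosts disagree on time by more than the window: with a five-minute skew between dc01 and vpn1 the second rule fires on every legitimate user, or never, which is the practical content of the "why synchronize computer times" item.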

▪ Log Capturing and Analysis Tools
o GFI EventsManager
o Activeworx Security Center
o EventLog Analyzer
o Syslog-ng OSE
o Kiwi Syslog Server
o WinSyslog
o Firewall Analyzer: Log Analysis Tool
o Activeworx Log Center
o EventReporter
o Kiwi Log Viewer
o Event Log Explorer
o WebLog Expert
o XpoLog Center Suite
o ELM Event Log Monitor
o EventSentry
o LogMeister
o LogViewer Pro
o WinAgents EventLog Translation Service
o EventTracker Enterprise
o Corner Bowl Log Manager
o Ascella Log Monitor Plus
o FLAG - Forensic and Log Analysis GUI
o Simple Event Correlator (SEC)

Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic

▪ Network Forensics
o Network Forensics
o Network Forensics Analysis Mechanism
o Network Addressing Schemes
o Overview of Network Protocols
o Overview of Physical and Data-Link Layer of the OSI Model
o Overview of Network and Transport Layer of the OSI Model
o OSI Reference Model
o TCP/IP Protocol
o Intrusion Detection Systems (IDS) and Their Placement
  ▪ How IDS Works
  ▪ Types of Intrusion Detection Systems
  ▪ General Indications of Intrusions
o Firewall
o Honeypot

▪ Network Attacks
o Network Vulnerabilities
  ▪ Types of Network Attacks
  ▪ IP Address Spoofing
  ▪ Man-in-the-Middle Attack
  ▪ Packet Sniffing
  ▪ How a Sniffer Works
  ▪ Enumeration
  ▪ Denial of Service Attack
  ▪ Session Sniffing
  ▪ Buffer Overflow
  ▪ Trojan Horse
o Log Injection Attacks
  ▪ New Line Injection Attack
o New Line Injection Attack Countermeasure
o Separator Injection Attack
o Defending Separator Injection Attacks
o Timestamp Injection Attack
o Defending Timestamp Injection Attacks
o Word Wrap Abuse Attack
o Defending Word Wrap Abuse Attacks
o HTML Injection Attack
o Defending HTML Injection Attacks
o Terminal Injection Attack
o Defending Terminal Injection Attacks
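
The log injection attacks and countermeasures listed above share one root cause: attacker-controlled text is written into a log whose consumers (a parser, a terminal, a web viewer) give certain characters meaning. The following is an added example for this outline, not course material: a logger that interpolates a username unescaped, the forged record that a newline in the username produces when a key=value parser reads the log back, and the countermeasures: escaping control characters (which also neutralises terminal escape sequences), structured JSON logging (which keeps separators and line breaks inside a quoted field, covering separator and word-wrap abuse as well), and HTML escaping for a web log viewer. The attacker inputs are constructed.

```python
"""Log injection: new line, terminal and HTML injection, and their countermeasures (added example)."""
import html
import json
import re

TS = "2013-04-02 08:00:00"                          # fixed timestamp so the demo is deterministic

def log_vulnerable(ts: str, user: str, result: str) -> str:
    """Unescaped interpolation: whatever the attacker typed in the username field lands in the log as-is."""
    return "%s user=%s result=%s\n" % (ts, user, result)

_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

def sanitize(field: str, max_len: int = 256) -> str:
    """Countermeasure 1: render control characters visibly (newline -> \\x0a, ESC -> \\x1b) and cap the length."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), field)[:max_len]

def log_hardened(ts: str, user: str, result: str) -> str:
    return "%s user=%s result=%s\n" % (ts, sanitize(user), result)

def log_structured(ts: str, user: str, result: str) -> str:
    """Countermeasure 2: one JSON object per line; separators and newlines stay inside the quoted value."""
    return json.dumps({"ts": ts, "user": user, "result": result}) + "\n"

def parse_lines(log: str) -> list:
    """Naive key=value parser a reviewer's script might use; the first occurrence of a key wins."""
    records = []
    for line in log.splitlines():
        tokens = line.split(" ")
        if len(tokens) < 3:
            continue
        rec = {"ts": tokens[0] + " " + tokens[1]}
        for tok in tokens[2:]:
            key, sep, value = tok.partition("=")
            if sep and key not in rec:
                rec[key] = value
        records.append(rec)
    return records

def render_for_web(log: str) -> str:
    """Countermeasure for HTML injection: escape before a browser ever sees the log text."""
    return "<pre>%s</pre>" % html.escape(log)

# Constructed attacker inputs: a username carrying a complete forged line, a terminal escape, and a script tag.
FORGED_USER = "bob result=FAIL\n" + TS + " user=admin result=SUCCESS"
TERMINAL_USER = "bob\x1b[2J\x1b[H"                  # clears the analyst's screen when the log is cat'ed
HTML_USER = "bob<script>alert(document.cookie)</script>"

def injection_demo() -> dict:
    vulnerable = parse_lines(log_vulnerable(TS, FORGED_USER, "FAIL"))
    hardened = parse_lines(log_hardened(TS, FORGED_USER, "FAIL"))
    structured = json.loads(log_structured(TS, FORGED_USER, "FAIL"))
    return {"vulnerable_records": vulnerable,                      # two records from one event; the second is forged
            "hardened_records": hardened,                          # one record, the newline visible as \x0a
            "structured_user_intact": structured["user"] == FORGED_USER,
            "terminal_escape_neutralised": "\x1b" not in log_hardened(TS, TERMINAL_USER, "FAIL"),
            "html_escaped": "<script>" not in render_for_web(log_vulnerable(TS, HTML_USER, "FAIL"))}

if __name__ == "__main__":
    for k, v in injection_demo().items():
        print(k, "->", v)
```

Timestamp injection is the same newline trick with a plausible timestamp in the forged line, which is why the first record's timestamp in the demo is copied verbatim; a forged record is only convincing to a reviewer, or a correlation engine, if its time field sorts where the attacker wants it.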

▪ Investigating and Analyzing Logs
o Postmortem and Real-Time Analysis
o Where to Look for Evidence
o Log Capturing Tool: ManageEngine EventLog Analyzer
o Log Capturing Tool: ManageEngine Firewall Analyzer
o Log Capturing Tool: GFI EventsManager
o Log Capturing Tool: Kiwi Syslog Server
o Handling Logs as Evidence
o Log File Authenticity
o Use Signatures, Encryption, and Checksums
o Work with Copies
o Ensure System’s Integrity
o Access Control
o Chain of Custody
o Condensing Log File

▪ Investigating Network Traffic
o Why Investigate Network Traffic?
o Evidence Gathering via Sniffing
o Capturing Live Data Packets Using Wireshark
o Display Filters in Wireshark
o Additional Wireshark Filters
o Acquiring Traffic Using DNS Poisoning Techniques
o Intranet DNS Spoofing (Local Network)
o Intranet DNS Spoofing (Remote Network)
o Proxy Server DNS Poisoning
o DNS Cache Poisoning
o Evidence Gathering from ARP Table
o Evidence Gathering at the Data-Link Layer: DHCP Database
o Gathering Evidence by IDS
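
Capturing packets, applying display filters and following a TCP stream, as listed above (and again under wireless traffic capture later in this outline), are Wireshark operations, but using them well means knowing what a capture file actually contains. The following is an added example for this outline, not Wireshark or course material: it builds a small pcap in memory (constructed: two HTTP segments and one UDP datagram, made-up addresses, checksums left zero because nothing is transmitted), parses the pcap record headers and the Ethernet, IPv4, TCP and UDP headers, lists conversations, applies a filter equivalent to `tcp.port == 80`, and reassembles both directions of the TCP stream by sequence number. It handles only the little-endian microsecond pcap variant over Ethernet and assumes no retransmissions.

```python
"""Minimal pcap parser: conversations, display-filter-style selection, follow TCP stream (added example)."""
import socket
import struct

def _ip(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))     # checksum 0: constructed, never sent
    return hdr + payload

def _tcp(sport: int, dport: int, seq: int, ack: int, flags: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload

def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(ts: float, ip_packet: bytes) -> bytes:
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb", 0x0800) + ip_packet
    sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(eth), len(eth)) + eth

def build_sample_pcap() -> bytes:
    """Constructed capture: HTTP request, HTTP response, and one datagram to UDP/53."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    req = b"GET /admin HTTP/1.1\r\nHost: victim.example\r\n\r\n"
    resp = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\nsecret"
    return (header
            + _frame(1364889600.10, _ip("192.0.2.10", "198.51.100.80", 6, _tcp(52000, 80, 1000, 5000, 0x18, req)))
            + _frame(1364889600.25, _ip("198.51.100.80", "192.0.2.10", 6, _tcp(80, 52000, 5000, 1000 + len(req), 0x18, resp)))
            + _frame(1364889601.00, _ip("192.0.2.10", "198.51.100.53", 17, _udp(53001, 53, b"\x12\x34\x01\x00dns-query"))))

def parse_pcap(data: bytes) -> list:
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("only little-endian microsecond pcap over Ethernet is handled here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, pos)
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue                                                    # not IPv4: skipped in this demo
        ip = frame[14:]
        ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0], ip[9]
        pkt = {"ts": sec + usec / 1e6, "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20])}
        l4 = ip[ihl:total_len]
        if proto == 6:
            sport, dport, seq, ack, offset_byte, flags = struct.unpack_from("!HHIIBB", l4, 0)
            pkt.update(proto="tcp", sport=sport, dport=dport, seq=seq, ack=ack, flags=flags,
                       payload=l4[(offset_byte >> 4) * 4:])
        elif proto == 17:
            sport, dport, _length, _csum = struct.unpack_from("!HHHH", l4, 0)
            pkt.update(proto="udp", sport=sport, dport=dport, payload=l4[8:])
        else:
            continue
        packets.append(pkt)
    return packets

def conversations(packets) -> set:
    """Direction-independent endpoint pairs, the view Wireshark's Conversations window gives."""
    return {(p["proto"],) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])])) for p in packets}

def display_filter(packets, proto=None, port=None) -> list:
    """Rough equivalent of 'tcp.port == 80' style display filters."""
    return [p for p in packets if (proto is None or p["proto"] == proto)
            and (port is None or port in (p["sport"], p["dport"]))]

def follow_tcp_stream(packets, client, server) -> tuple:
    """Reassemble each direction by sequence number (assumes no retransmissions or overlaps)."""
    def side(src, dst):
        segs = [p for p in packets if p["proto"] == "tcp"
                and (p["src"], p["sport"]) == src and (p["dst"], p["dport"]) == dst]
        return b"".join(p["payload"] for p in sorted(segs, key=lambda p: p["seq"]))
    return side(client, server), side(server, client)

if __name__ == "__main__":
    pkts = parse_pcap(build_sample_pcap())
    print(conversations(pkts))
    print(len(display_filter(pkts, proto="tcp", port=80)), "packets match tcp.port == 80")
    c2s, s2c = follow_tcp_stream(pkts, ("192.0.2.10", 52000), ("198.51.100.80", 80))
    print(c2s.decode(), s2c.decode())
```

The server's acknowledgement number equals the client's initial sequence number plus the request length, which is the check a reviewer uses to confirm the two segments really belong to one stream rather than to a replayed or injected packet.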

▪ Traffic Capturing and Analysis Tools
o NetworkMiner
o Tcpdump/Windump
o Intrusion Detection Tool: Snort
o How Snort Works
o IDS Policy Manager
o MaaTec Network Analyzer
o Iris Network Traffic Analyzer
o NetWitness Investigator
o Colasoft Capsa Network Analyzer
o Sniff-O-Matic
o NetResident
o Network Probe
o NetFlow Analyzer
o OmniPeek Network Analyzer
o Firewall Evasion Tool: Traffic IQ Professional
o NetworkView
o CommView
o Observer
o SoftPerfect Network Protocol Analyzer
o EffeTech HTTP Sniffer
o Big-Mother
o EtherDetect Packet Sniffer
o Ntop
o EtherApe
o AnalogX Packetmon
o IEInspector HTTP Analyzer
o SmartSniff
o Distinct Network Monitor
o Give Me Too
o EtherSnoop
o Show Traffic
o Argus

▪ Documenting the Evidence Gathered on a Network

Module 17: Investigating Wireless Attacks

▪ Wireless Technologies
o Wireless Networks
o Wireless Terminologies
o Wireless Components
o Types of Wireless Networks
o Wireless Standards
o MAC Filtering
o Service Set Identifier (SSID)
o Types of Wireless Encryption: WEP
o Types of Wireless Encryption: WPA
o Types of Wireless Encryption: WPA2
o WEP vs. WPA vs. WPA2

▪ Wireless Attacks
o Wi-Fi Chalking
o Wi-Fi Chalking Symbols
o Access Control Attacks
o Integrity Attacks
o Confidentiality Attacks
o Availability Attacks
o Authentication Attacks

▪ Investigating Wireless Attacks
o Key Points to Remember
o Steps for Investigation
o Obtain a Search Warrant
o Identify Wireless Devices at Crime Scene
o Search for Additional Devices
o Detect Rogue Access Point
o Document the Scene and Maintain a Chain of Custody

▪ Detect the Wireless Connections
o Methodologies to Detect Wireless Connections
o Wi-Fi Discovery Tool: inSSIDer
o GPS Mapping
  ▪ GPS Mapping Tool: WIGLE
  ▪ GPS Mapping Tool: Skyhook
o How to Discover Wi-Fi Networks Using Wardriving

Page 21: Certified Computer Hacking Forensics Investigator version 8 · o Build a Computer Investigation Toolkit Steps to Prepare for a Computer Forensics ... o Computer Evidence Worksheet

BUSINESS TRAINING, CONSULTING & SOLUTIONS

Empowering People & Business

Course Outline: Computer Hacking Forensics Investigator version 8 o Check for MAC Filtering

o Changing the MAC Address

o Detect WAPs using the Nessus Vulnerability

Scanner

o Capturing Wireless Traffic

o Sniffing Tool: Wireshark

o Follow TCP Stream in Wireshark

o Display Filters in Wireshark

o Additional Wireshark Filters

� Determine Wireless Field Strength

o Determine Wireless Field Strength: FSM

o Determine Wireless Field Strength: ZAP

Checker Products

o What is Spectrum Analysis?

� Map Wireless Zones & Hotspots

� Connect to Wireless Network

o Connect to the Wireless Access Point o Access Point Data Acquisition and Analysis:

Attached Devices

o Access Point Data Acquisition and Analysis:

LAN TCP/IP Setup

o Access Point Data Acquisition and Analysis

o Firewall Analyzer

o Firewall Log Analyzer

o Wireless Devices Data Acquisition and

Analysis

o Report Generation

� Features of a Good Wireless Forensics Tool

� Wireless Forensics Tools

o Wi-Fi Discovery Tools

• NetStumbler

• NetSurveyor

• Vistumbler

• WirelessMon

• Kismet

• AirPort Signal

• WiFi Hopper

• Wavestumbler

• iStumbler

• WiFinder

• Meraki WiFi Stumbler

• Wellenreiter

• AirCheck Wi-Fi Tester

• AirRadar 2

o Wi-Fi Packet Sniffers

• OmniPeek

• CommView for Wi-Fi

• Wi-Fi USB Dongle: AirPcap

• tcpdump

• KisMAC

o Acquiring Traffic Using DNS Poisoning

Techniques

� Intranet DNS Spoofing (Local

Network)

� Intranet DNS Spoofing

(Remote Network)

� Proxy Server DNS Poisoning

� DNS Cache Poisoning

o Evidence Gathering from ARP Table

o Evidence Gathering at the Data-ink

Layer: DHCP Database

o Gathering Evidence by IDS

� Traffic Capturing and Analysis Tools

o NetworkMiner

o Tcpdump/Windump

o Intrusion Detection Tool: Snort

- How Snort Works

o IDS Policy Manager

o MaaTec Network Analyzer

o Iris Network Traffic Analyzer

o NetWitness Investigator

o Colasoft Capsa Network Analyzer

o Sniff-O-Matic

o NetResident

o Network Probe

o NetFlow Analyzer

o OmniPeek Network Analyzer

o Firewall Evasion Tool: Traffic IQ Professional

o NetworkView

o CommView

o Observer

o SoftPerfect Network Protocol Analyzer

o EffeTech HTTP Sniffer

o Big-Mother

o EtherDetect Packet Sniffer

- Cascade Pilot Personal Edition

- OptiView® XG Network Analysis Tablet

- Network Packet Analyzer

- Network Observer

- Ufasoft Snif

- CommView for WiFi

- Network Assistant

o Wi-Fi Raw Packet Capturing Tools

- WirelessNetView

- Pirni Sniffer

- Tcpdump

- Airview

o Wi-Fi Spectrum Analyzing Tools

- Cisco Spectrum Expert

- AirMedic

- BumbleBee

- Wi-Spy

Module 18: Investigating Web Attacks

- Introduction to Web Applications and Webservers

o Introduction to Web Applications

o Web Application Components

o How Web Applications Work

o Web Application Architecture

o Open Source Webserver Architecture

o Indications of a Web Attack

o Web Attack Vectors

o Why Web Servers are Compromised

o Impact of Webserver Attacks

o Website Defacement

o Case Study

- Web Logs

o Overview of Web Logs

o Application Logs

o Internet Information Services (IIS) Logs

- IIS Webserver Architecture

- IIS Log File Format

o Apache Webserver Logs

o DHCP Server Logs

o Web Attacks

o Web Attacks - 1

o Web Attacks - 2

- Unvalidated Input

- Parameter/Form Tampering

- Directory Traversal

- Security Misconfiguration

- Injection Flaws

- SQL Injection Attacks

- Command Injection Attacks

- Command Injection Example

- File Injection Attack

- What is LDAP Injection?

- How LDAP Injection Works

- Hidden Field Manipulation Attack

- Cross-Site Scripting (XSS) Attacks

- How XSS Attacks Work

- Cross-Site Request Forgery (CSRF) Attack

- How CSRF Attacks Work

- Web Application Denial-of-Service (DoS) Attack

- Denial of Service (DoS) Examples

- Buffer Overflow Attacks

- Cookie/Session Poisoning

- How Cookie Poisoning Works

- Session Fixation Attack

- Insufficient Transport Layer Protection

- Improper Error Handling

- Insecure Cryptographic Storage

- Broken Authentication and Session Management

- Unvalidated Redirects and Forwards

- DMZ Protocol Attack/Zero-Day Attack

- Log Tampering

- URL Interpretation and Impersonation Attack

- Web Services Attack

- Web Services Footprinting Attack

- Web Services XML Poisoning

- Webserver Misconfiguration

- HTTP Response Splitting Attack

- Web Cache Poisoning Attack

- HTTP Response Hijacking

- SSH Brute-Force Attack

- Man-in-the-Middle Attack

- Defacement Using DNS Compromise

- Web Attack Investigation

o Investigating Web Attacks

o Investigating Web Attacks in Windows-Based Servers

o Investigating IIS Logs

o Investigating Apache Logs

o Example of FTP Compromise

o Investigating FTP Servers

o Investigating Static and Dynamic IP Addresses

o Sample DHCP Audit Log File

o Investigating Cross-Site Scripting (XSS)

o Investigating SQL Injection Attacks

o Pen-Testing CSRF Validation Fields

o Investigating Code Injection Attack

o Investigating Cookie Poisoning Attack

o Detecting Buffer Overflow

o Investigating Authentication Hijacking

o Web Page Defacement

o Investigating DNS Poisoning

o Intrusion Detection

o Security Strategies to Web Applications

o Checklist for Web Security

- Web Attack Detection Tools

o Web Application Security Tools

o Acunetix Web Vulnerability Scanner

o Falcove Web Vulnerability Scanner

o Netsparker

o N-Stalker Web Application Security Scanner

o Sandcat

o Wikto

o WebWatchBot

o OWASP ZAP

o SecuBat Vulnerability Scanner

o Websecurify

o HackAlert

o WebCruiser

o Web Application Firewalls

o dotDefender

o IBM AppScan

o ServerDefender VP

o Web Log Viewers

o Deep Log Analyzer

o WebLog Expert

o AlterWind Log Analyzer

o Webalizer

o eWebLog Analyzer

o Apache Logs Viewer (ALV)

o Web Attack Investigation Tools

o AWStats

o Paros Proxy

o Scrawlr

- Tools for Locating IP Address

o Whois Lookup

o SmartWhois

o ActiveWhois

o LanWhois

o CountryWhois

o CallerIP

o Hide Real IP

o IP-Address Manager

o Pandora FMS

Module 19: Tracking Emails and Investigating Email Crimes

o Email System Basics

- Email Terminology

- Email System

- Email Clients

- Email Server

- SMTP Server

- POP3 and IMAP Servers

- Email Message

- Importance of Electronic Records Management

o Email Crimes

- Email Crime

- Email Spamming

- Mail Bombing/Mail Storm

- Phishing

- Email Spoofing

- Crime via Chat Room

- Identity Fraud/Chain Letter

- Email Headers

o Examples of Email Headers

o List of Common Headers

- Steps to Investigate

o Why to Investigate Emails

o Investigating Email Crime and Violation

o Obtain a Search Warrant and Seize the Computer and Email Account

o Obtain a Bit-by-Bit Image of Email Information

o Examine Email Headers

o Viewing Email Headers in Microsoft Outlook

o Viewing Email Headers in AOL

o Viewing Email Headers in Hotmail

o Viewing Email Headers in Gmail

o Viewing Headers in Yahoo Mail

o Forging Headers

o Analyzing Email Headers

o Email Header Fields

o Received: Headers

o Microsoft Outlook Mail

o Examining Additional Files (.pst or .ost files)

o Checking the Email Validity

o Examine the Originating IP Address

o Trace Email Origin

o Tracing Back

o Tracing Back Web-based Email

o Acquire Email Archives

o Email Archives

o Content of Email Archives

o Local Archive

o Server Storage Archive

o Forensic Acquisition of Email Archive

o Recover Deleted Emails

o Deleted Email Recovery

- Email Forensics Tools

o Stellar Phoenix Deleted Email Recovery

o Recover My Email

o Outlook Express Recovery

o Zmeil

o Quick Recovery for MS Outlook

o Email Detective

o Email Trace - Email Tracking

o R-Mail

o FINALeMAIL

o eMailTrackerPro

o Forensic Tool Kit (FTK)

o Paraben’s email Examiner

o Network Email Examiner by Paraben

o DiskInternals Outlook Express Repair

o Abuse.Net

o MailDetective Tool

o Laws and Acts against Email Crimes

- U.S. Laws Against Email Crime: CAN-SPAM Act

o 18 U.S.C. § 2252A

o 18 U.S.C. § 2252B

o Email Crime Law in Washington: RCW 19.190.020

Module 20: Mobile Forensics

o Mobile Phone

- Mobile Phone

- Different Mobile Devices

- Hardware Characteristics of Mobile Devices

- Software Characteristics of Mobile Devices

- Components of Cellular Network

- Cellular Network

- Different Cellular Networks

- Mobile Operating Systems

o Mobile Operating Systems

o Types of Mobile Operating Systems

o WebOS

o WebOS System Architecture

o Symbian OS

o Symbian OS Architecture

o Android OS

o Android OS Architecture

o RIM BlackBerry OS

o Windows Phone 7

o Windows Phone

o Apple IOS

- Mobile Forensics

o What Can a Criminal Do with Mobile Phones?

o Mobile Forensics

o Mobile Forensics Challenges

o Forensics Information in Mobile Phones

o Memory Considerations in Mobiles

o Subscriber Identity Module (SIM)

o SIM File System

o Integrated Circuit Card Identification (ICCID)

o International Mobile Equipment Identifier (IMEI)

o Electronic Serial Number (ESN)

o Precautions to be Taken Before Investigation

- Mobile Forensic Process

o Mobile Forensic Process

o Collect the Evidence

o Collecting the Evidence

o Points to Remember while Collecting the Evidence

o Collecting iPod/iPhone Connected with Computer

o Document the Scene and Preserve the Evidence

o Imaging and Profiling

o Acquire the Information

o Device Identification

o Acquire Data from SIM Cards

o Acquire Data from Unobstructed Mobile Devices

o Acquire the Data from Obstructed Mobile Devices

o Acquire Data from Memory Cards

o Acquire Data from Synched Devices

o Gather Data from Network Operator

o Check Call Data Records (CDRs)

o Gather Data from SQLite Record

o Analyze the Information

o Generate Report

- Mobile Forensics Software Tools

o Oxygen Forensic Suite 2011

o MOBILedit! Forensic

o BitPim

o SIM Analyzer

o SIMCon

o SIM Card Data Recovery

o Memory Card Data Recovery

o Device Seizure

o SIM Card Seizure

o ART (Automatic Reporting Tool)

o iPod Data Recovery Software

o Recover My iPod

o PhoneView

o Elcomsoft Blackberry Backup Explorer

o Oxygen Phone Manager II

o Sanmaxi SIM Recoverer

o USIMdetective

o CardRecovery

o Stellar Phoenix iPod Recovery Software

o iCare Data Recovery Software

o Cell Phone Analyzer

o iXAM

o BlackBerry Database Viewer Plus

o BlackBerry Signing Authority Tool

- Mobile Forensics Hardware Tools

o Secure View Kit

o Deployable Device Seizure (DDS)

o Paraben's Mobile Field Kit

o PhoneBase

o XACT System

o Logicube CellDEK

o Logicube CellDEK TEK

o Radio Tactics ACESO

o UME-36Pro - Universal Memory Exchanger

o Cellebrite UFED System - Universal Forensic Extraction Device

o ZRT 2

o ICD 5200

o ICD 1300

Module 21: Investigative Reports

- Computer Forensics Report

o Computer Forensics Report

o Salient Features of a Good Report

o Aspects of a Good Report

- Computer Forensics Report Template

o Computer Forensics Report Template

o Simple Format of the Chain of Custody Document

o Chain of Custody Forms

o Evidence Collection Form

o Computer Evidence Worksheet

o Hard Drive Evidence Worksheet

o Removable Media Worksheet

- Investigative Report Writing

o Report Classification

o Layout of an Investigative Report

o Layout of an Investigative Report: Numbering

o Report Specifications

o Guidelines for Writing a Report

o Use of Supporting Material

o Importance of Consistency

o Investigative Report Format

o Attachments and Appendices

o Include Metadata

o Signature Analysis

o Investigation Procedures

o Collecting Physical and Demonstrative Evidence

o Collecting Testimonial Evidence

o Do's and Don'ts of Forensic Computer Investigations

o Case Report Writing and Documentation

o Create a Report to Attach to the Media Analysis Worksheet

o Best Practices for Investigators

- Sample Forensics Report

o Sample Forensics Report

- Report Writing Using Tools

o Writing Report Using FTK

o Writing Report Using ProDiscover

Module 22: Becoming an Expert Witness

- Expert Witness

o What is an Expert Witness?

o Role of an Expert Witness

o What Makes a Good Expert Witness?

- Types of Expert Witnesses

o Types of Expert Witnesses

o Computer Forensics Experts

o Role of Computer Forensics Expert

o Medical & Psychological Experts

o Civil Litigation Experts

o Construction & Architecture Experts

o Criminal Litigation Experts

- Scope of Expert Witness Testimony

o Scope of Expert Witness Testimony

o Technical Witness vs. Expert Witness

o Preparing for Testimony

- Evidence Processing

o Evidence Preparation and Documentation

o Evidence Processing Steps

o Checklists for Processing Evidence

o Examining Computer Evidence

o Prepare the Report

o Evidence Presentation

- Rules for Expert Witness

o Rules Pertaining to an Expert Witness's Qualification

o Daubert Standard

o Frye Standard

o Importance of Resume

o Testifying in the Court

o The Order of Trial Proceedings

- General Ethics While Testifying

o General Ethics While Testifying

o Importance of Graphics in a Testimony

o Helping your Attorney

o Avoiding Testimony Issues

o Testifying during Direct Examination

o Testifying during Cross-Examination

o Deposition

o Recognizing Deposition Problems

o Guidelines to Testify at a Deposition

o Dealing with Media

o Finding a Computer Forensic Expert