Computer Hacking Forensic Investigator

The CHFI course will give participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute. Many of today's top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as the home user, has given way to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be comprised (hacked)?" but, rather, "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into most every facet of modern day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber-criminal, then this is the course for you.

Prerequisites

It is strongly recommended that you attend the CEH class before enrolling into CHFI program.

Target Student:

Police and other law enforcement personnel, Defense and Military personnel, e-Business Security professionals, Systems administrators, Legal professionals, Banking, Insurance and other professionals, Government agencies, IT managers.

Delivery Method

Instructor-led, group-paced, classroom-delivery learning model with structured hands-on activities.

Course duration

5 Days

Course outline

Module I: Computer Forensics in Today?s World

Introduction
History of Forensics
Definition of Forensic Science
Definition of Computer Forensics
What Is Computer Forensics?
Need for Computer Forensics
Evolution of Computer Forensics
Computer Forensics Flaws and Risks
Corporate Espionage Statistics
Modes of Attacks
Cyber Crime
Examples of Cyber Crime
Reason for Cyber Attacks
Role of Computer Forensics in Tracking Cyber Criminals
Rules of Computer Forensics
Computer Forensics Methodologies
Accessing Computer Forensics Resources
Preparing for Computing Investigations
Maintaining professional conduct
Understanding Enforcement Agency Investigations
Understanding Corporate Investigations
Investigation Process
Digital Forensics

Module II: Law And Computer Forensics

What Is Cyber Crime?
What Is Computer Forensics?
Computer Facilitated Crimes
Reporting Security Breaches to Law Enforcement
National Infrastructure Protection Center
FBI
Federal Statutes
Cyber Laws
Approaches to Formulate Cyber Laws
Scientific Working Group on Digital Evidence (SWGDE)
Federal Laws
The USA Patriot Act of 2001
Freedom of Information Act
Building Cyber Crime Case
How the FBI Investigates Computer Crime?
How to Initiate an Investigation?
Legal Issues Involved in Seizure of Computer Equipments
Searching With a Warrant
Searching Without a Warrant
Privacy Issues Involved in Investigations
International Issues Related to Computer Forensics
Crime Legislation of EU
Cyber Crime Investigation

Module III: Computer Investigation Process

Investigating Computer Crime
Investigating a Company Policy Violation
Investigation Methodology
Evaluating the Case
Before the Investigation
Document Everything
Investigation Plan
Obtain Search Warrant
Warning Banners
Shutdown the Computer
Collecting the Evidence
Confiscation of Computer Equipments
Preserving the Evidence
Importance of Data-recovery Workstations and Software
Implementing an Investigation
Understanding Bit-stream Copies
Imaging the Evidence Disk
Examining the Digital Evidence
Closing the Case
Case Evaluation

Module IV: Computer Security Incident Response Team

Present Networking Scenario
Vulnerability
Vulnerability Statistics
What Is an Incident?
A Study by CERT Shows Alarming Rise in Incidents (security Breach
How to Identify an Incident
Whom to Report an Incident?
Incident Reporting
Category of Incidents
Handling Incidents
Procedure for Handling Incident
Preparation
Identification
Containment
Eradication
Recovery
Follow up
What Is CSIRT?
Why an Organization Needs an Incident Response Team?
Need for CSIRT
Example of CSIRT
CSIRT Vision
Vision
Best Practices for Creating a CSIRT
Step 1: Obtain Management Support and Buy-In
Step 2: Determine the CSIRT Development Strategic
Step 3: Gather Relevant Information
Step 4: Design your CSIRT Vision
Step 5: Communicate the CSIRT Vision
Step 6: Begin CSIRT Implementation
Step 7: Announce the CSIRT
Other Response Teams Acronyms and CSIRTs around the world
World CSIRT

Module V: Computer Forensic Laboratory Requirements

Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensic Lab
Work Area of a Computer Forensics Lab
General Configuration of a Forensic
Equipment Needs in a Forensics Lab
Ambience of a Forensics Lab
Environmental Conditions
Recommended Eyestrain Considerations
Structural Design Considerations
Electrical Needs
Communications
Basic Workstation Requirements in a Forensic Lab
Consider stocking the following hardware peripherals
Maintain Operating System and Application Inventories
Common Terms
Physical Security Recommendations for a Forensic Lab
Fire-Suppression Systems
Evidence Locker Recommendations
Evidence Locker Combination Recommendations
Evidence Locker Padlock Recommendations
Facility Maintenance
Auditing a Computer Forensics Lab
Auditing a Forensics Lab
Forensics Lab
Mid Sized Lab
Forensic Lab Licensing Requisite
Forensic Lab Manager Responsibilities

Module VI: Understanding File systems and Hard disks

Disk Drive Overview - I
Hard Disk
Disk Platter
Tracks
Tracks Numbering
Sector
Sector addressing
Cluster
Cluster Size
Slack Space
Lost Clusters
Bad Sector
Understanding File Systems
Types of File System
List of Disk File Systems
List of Network file systems
Special Purpose File systems
Popular Linux File systems
Sun Solaris 10 File system - ZFS
Windows File systems
Mac OS X File system
CD-ROM / DVD File system
File system Comparison
Boot Sector
Exploring Microsoft File Structures
Disk Partition Concerns
Boot Partition Concerns
Examining FAT
NTFS
NTFS System Files
NTFS Partition Boot Sector
NTFS Master File Table (MFT)
NTFS Attributes
NTFS Data Stream
NTFS Compressed Files
NTFS Encrypted File Systems (EFS)
EFS File Structure
Metadata File Table (MFT)
EFS Recovery Key Agent
Deleting NTFS Files
Understanding Microsoft Boot Tasks
Windows XP system files
Understanding Boot Sequence DOS
Understanding MS-DOS Startup Tasks
Other DOS Operating Systems
Registry Data
Examining Registry Data

Module VII: Windows Forensics

Locating Evidence on Windows Systems
Gathering Volatile Evidence
Pslist
Forensic Tool: fport
Forensic Tool - Psloggedon
Investigating Windows File Slack
Examining File Systems
Built-in Tool: Sigverif
Word Extractor
Checking Registry
Reglite.exe
Tool: Resplendent Registrar 3.30
Microsoft Security ID
Importance of Memory Dump
Manual Memory Dumping in Windows 2000
Memory Dumping in Windows XP and Pmdump
System State Backup
How to Create a System State Backup?
Investigating Internet Traces
Tool - IECookiesView
Tool - IE History Viewer
Forensic Tool: Cache Monitor
CD-ROM Bootable Windows XP
Bart PE
Ultimate Boot CD-ROM
List of Tools in UB CD-ROM
Desktop Utilities
File Analysis Tools
File Management Tools
File Recovery Tools
File Transfer Tools
Hardware Info Tools
Process Viewer Tools
Registry Tools

Module VIII: Linux and Macintosh Boot processes

UNIX Overview
Linux Overview
Understanding Volumes -I
Exploring Unix/Linux Disk Data Structures
Understanding Unix/linux Boot Process
Understanding Linux Loader
Linux Boot Process Steps
Step 1: The Boot Manager
Step 2: init
Step 2.1: /etc/inittab
runlevels
Step 3: Services
Understanding Permission Modes
Unix and Linux Disk Drives and Partitioning Schemes
Mac OS X
Mac OS X Hidden Files
Booting Mac OS X
Mac OS X Boot Options
The Mac OS X Boot Process
Installing Mac OS X on Windows XP
PearPC
MacQuisition Boot CD

Module IX: Linux Forensics

Use of Linux as a Forensics Tool
Recognizing Partitions in Linux
File System in Linux
Linux Boot Sequence
Linux Forensics
Case Example
Step-by-step approach to Case 1 (a)
Step-by-step approach to Case 1 (b)
Step-by-step approach to Case 1 (c)
Step-by-step approach to Case 1 (d)
Case 2
Challenges in disk forensics with Linux
Step-by-step approach to Case 2 (a)
Step-by-step approach to Case 2 (b)
Step-by-step approach to Case 2 (c)
Popular Linux Tools

Module X: Data Acquisition and Duplication

Determining the Best Acquisition Methods
Data Recovery Contingencies
MS-DOS Data Acquisition Tools
DriveSpy
DriveSpy Data Manipulation Commands
DriveSpy Data Preservation Commands
Using Windows Data Acquisition Tools
Data Acquisition Tool: AccessData FTK Explorer
FTK
Acquiring Data on Linux
dd.exe (Windows XP Version)
Data Acquisition Tool: Snapback Exact
Data Arrest
Data Acquisition Tool: SafeBack
Data Acquisition Tool: Encase
Need for Data Duplication
Data Duplication Tool: R-drive Image
Data Duplication Tool: DriveLook
Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files

Introduction
Digital Evidence
Recycle Bin in Windows
Recycle Hidden Folder
Recycle folder
How to Undelete a File?
Tool: Search and Recover
Tool: Zero Assumption Digital Image Recovery
Data Recovery in Linux
Data Recovery Tool: E2undel
Data Recovery Tool: O&O Unerase
Data Recovery Tool: Restorer 2000
Data Recovery Tool: Badcopy Pro
Data Recovery Tool: File Scavenger
Data Recovery Tool: Mycroft V3
Data Recovery Tool: PC Parachute
Data Recovery Tool: Stellar Phoenix
Data Recovery Tool: Filesaver
Data Recovery Tool: Virtual Lab
Data Recovery Tool: R-linux
Data recovery tool: Drive and Data Recovery
Data recovery tool: active@ UNERASER - DATA recovery
Data recovery tool: Acronis Recovery Expert
Data Recovery Tool: Restoration
Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics

Introduction to Image Files
Recognizing an Image File
Understanding Bitmap and Vector Images
Metafile Graphics
Understanding Image File Formats
File types
Understanding Data Compression
Understanding Lossless and Lossy Compression
Locating and Recovering Image Files
Repairing Damaged Headers
Reconstructing File Fragments
Identifying Unknown File Formats
Analyzing Image File Headers
Picture Viewer: Ifran View
Picture Viewer: Acdsee
Picture Viewer: Thumbsplus
Steganography in Image Files
Steganalysis Tool: Hex Workshop
Steganalysis Tool: S-tools
Identifying Copyright Issues With
Graphics

Module XIII: Steganography

Introduction
Important Terms in Stego-forensics
Background Information to Image Steganography
Steganography History
Evolution of Steganography
Steps for Hiding Information in Steganography
Six Categories of Steganography in Forensics
Types of Steganography
What Is Watermarking
Classification of Watermarking
Types of Watermarks
Steganographic Detection
Steganographic Attacks
Real World Uses of Steganography
Steganography in the Future
Unethical Use of Steganography
Hiding Information in Text Files
Hiding Information in Image Files
Process of Hiding Information in Image Files
Least Significant Bit
Masking and Filtering
Algorithms and Transformation
Hiding Information in Audio Files
Low-bit Encoding in Audio Files
Phase Coding
Spread Spectrum
Echo Data Hiding
Hiding Information in DNA
TEMPEST
The Steganography Tree
Steganography Tool: Fort Knox
Steganography Tool: Blindside
Steganography Tool: S- Tools
Steganography Tool: Steghide
Steganography Tool: Digital Identity
Steganography Tool: Stegowatch
Tool : Image Hide
Data Stash
Tool: Mp3Stego
Tool: Snow.exe
Tool: Camera/Shy
Steganography Detection

Module XIV: Computer Forensic Tools

Dump Tool: DS2DUMP
Dump Tool: Chaosreader
Slack Space & Data Recovery Tools: Drivespy
Slack Space & Data Recovery Tools: Ontrack
Hard Disk Write Protection Tools: Pdblock
Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock
Permanent Deletion of Files:pdwipe
Disk Imaging Tools: Image & Iximager
Disk Imaging Tools: Snapback Datarrest
Partition Managers: PART & Explore2fs
Linux/unix Tools: Ltools and Mtools
Linux/UNIX tools: TCT and TCTUTILs
Password Recovery Tool: @Stake
ASRData
SMART Screenshot
Ftime
Oxygen Phone Manager
Multipurpose Tools: Byte Back & Biaprotect
Multipurpose Tools: Maresware
Multipurpose Tools: LC Technologies Software
Multipurpose Tools: Winhex Specialist Edition
Multipurpose Tools: Prodiscover DFT
Toolkits: NTI tools
Toolkits: R-Tools-I
Toolkits: R-Tools-II
Toolkits: DataLifter
Toolkits: AccessData
LC Technology International Hardware
Screenshot of Forensic Hardware
Image MASSter Solo and FastBloc
RMON2 Tracing Tools and
MCI DoStracker
EnCase

Module XV: Application password crackers

Password - Terminology
What is a Password Cracker?
How Does A Password Cracker Work?
Various Password Cracking Methods
Classification of Cracking Software
System Level Password Cracking
Application Password Cracking
Application Software Password Cracker
Distributed Network Attack-I
Distributed Network Attack-II
Passware Kit
Accent Keyword Extractor
Advanced Zip Password Recovery
Default Password Database
http://phenoelit.darklab.org/
http://www.defaultpassword.com/
http://www.cirt.net/cgi-bin/passwd.pl
Password Cracking Tools List

Module XVI: Investigating Logs

Audit Logs and Security
Audit Incidents
Syslog
Remote Logging
Linux Process Accounting
Configuring Windows Logging
Setting up Remote Logging in Windows
NtSyslog
EventReporter
Application Logs
Extended Logging in IIS Server
Examining Intrusion and Security Events
Significance of Synchronized Time
Event Gathering
EventCombMT
Writing Scripts
Event Gathering Tools
Forensic Tool: Fwanalog
End-to End Forensic Investigation
Correlating Log files
Investigating TCPDump
IDS Loganalyais:RealSecure
IDS Loganalysis :SNORT

Module XVII: Investigating network traffic

Overview of Network Protocols
Sources of Evidence on a Network
Overview of Physical and Data-link Layer of the OSI Model
Evidence Gathering at the Physical Layer
Tool: Windump
Evidence Gathering at the Data-link Layer
Tool: Ethereal
Tool: NetIntercept
Overview of Network and Transport Layer of the OSI Model
Evidence Gathering at the Network and Transport Layer-(I)
Gathering Evidence on a Network
GPRS Network Sniffer : Nokia LIG
NetWitness
McAffee Infinistream Security Forensics
Snort 2.1.0
Documenting the Gathered Evidence on a Network
Evidence Reconstruction for Investigation

Module XVIII: Router Forensics

What Is a Router?
Functions of a Router
A Router in an OSI Model
Routing Table and Its Components
Router Architecture
Implications of a Router Attack
Types of Router Attacks
Denial of Service (DoS) Attacks
Investigating Dos Attacks
Smurfing ? Latest in Dos Attacks
Packet ?Mistreating? Attacks
Routing Table Poisoning
Hit-and-run Attacks Vs. Persistent Attacks
Router Forensics Vs. Traditional Forensics
Investigating Routers
Chain of Custody
Incident Response & Session Recording
Accessing the Router
Volatile Evidence Gathering
Router Investigation Steps - I
Analyzing the Intrusion
Logging
Incident Forensics
Handling a Direct Compromise Incident
Other Incidents

Module XIX: Investigating Web Attacks

Indications of a web attack
Responding to a web attack
Overview of web logs
Mirrored Sites
N-Stealth
Investigating static and dynamic IP address
Tools for locating IP Address: Nslookup
Tools for locating IP Address: Traceroute
Tools for locating IP Address:
NeoTrace (Now McAfee Visual Trace)
Tools for locating IP Address: Whois
Web page defacement
Defacement using DNS compromise
Investigating DNS Poisoning
SQL Injection Attacks
Investigating SQL Injection Attacks
Investigating FTP Servers
Investigating FTP Logs
Investigating IIS Logs
Investigating Apache Logs
Investigating DHCP Server Logfile

Module XX: Tracking E-mails and Investigating E-mail crimes

Understanding Internet Fundamentals
Understanding Internet Protocols
Exploring the Roles of the Client and Server in E-mail
E-mail Crime
Spamming, Mail Bombing, Mail Storm
Chat Rooms
Identity Fraud , Chain Letter
Sending Fakemail
Investigating E-mail Crime and Violation
Viewing E-mail Headers
Examining an E-mail Header
Viewing Header in Microsoft Outlook
Viewing Header in Eudora
Viewing Header in Outlook Express
Viewing Header in AOL
Viewing Header in Hot Mail
Viewing Header using Pine for Unix
Viewing Header in Juno
Viewing Header in Yahoo
Examining Additional Files
Microsoft Outlook Mail
Pst File Location
Tracing an E-mail Message
Using Network Logs Related to E-mail
Understanding E-mail Server
Examining UNIX E-mail Server Logs
Examining Microsoft E-mail Server Logs
Examining Novell GroupWise E-mail Logs
Using Specialized E-mail Forensic Tools
Tool:FINALeMAIL
Tool: R-Mail
E-Mail Examiner by Paraben
Network E-Mail Examiner by Paraben
Tracing Back
Tracing Back Web Based E-mail
Searching E-mail Addresses
E-mail Search Site
Handling Spam
Network Abuse Clearing House
Abuse.Net
Protecting Your E-mail Address From Spam
Tool: Enkoder Form
Tool:eMailTrackerPro
Tool:SPAM Punisher

Module XXI: Mobile and PDA Forensics

Latest Mobile Phone Access Technologies
Evidence in Mobile Phones
Mobile Phone Forensic Examination Methodology
Examining Phone Internal Memory
Examining SIM
Examining Flash Memory and Call data records
Personal Digital Assistant (PDA)
PDA Components
PDA Forensics
PDA Forensics - Examination
PDA Forensics - Identification
PDA Forensics - Collection
PDA Forensics - Documentation
Points to Be Remembered While Conducting Investigation
PDA Seizure by Paraben
SIM Card Seizure by Paraben
(SIM Card acquisition tool)
Forensic Tool ? Palm dd (pdd)
Forensic Tool - POSE

Module XXII: Investigating Trademark and Copyright Infringement

Trademarks
Trademark Eligibility and Benefits of Registering It
Service Mark and Trade Dress
Trademark infringement
Trademark Search
www.uspto.gov
Copyright and Copyright Notice
Investigating Copyright Status of a Particular Work
How Long Does a Copyright Last?
U.S Copyright Office
Doctrine of ?Fair Use?
How Are Copyrights Enforced?
SCO Vs. IBM
SCO Vs Linux
Line-by-Line Copying
Plagiarism
Turnitin
Plagiarism detection tools
CopyCatch
Patent
Patent Infringement
Patent Search
Case Study: Microsoft Vs Forgent
Internet Domain Name and ICANN
Domain Name Infringement
Case Study: Microsoft.com Vs MikeRoweSoft.com
How to check for Domain Name Infringement?

Module XXIII: Investigative Reports

Need of an investigative report
Report specification
Report Classification
Report and Opinion
Layout of an Investigative Report
Writing Report
Use of Supporting Material
Importance of Consistency
Salient Features of a Good Report
Investigative Report Format
Before Writing the Report
Writing Report Using FTK

Module XIV: Becoming an Expert Witness

Who Is an Expert?
Who Is an Expert Witness?
Role of an Expert Witness
Technical Testimony Vs.
Expert Testimony
Preparing for Testimony
Evidence Preparation and Documentation
Evidence Processing Steps
Rules Pertaining to an Expert Witness? Qualification
Importance of Curriculum Vitae
Technical Definitions
Testifying in Court
The Order of Trial Proceedings
Voir dire
General Ethics While Testifying-i
Evidence Presentation
Importance of Graphics in a Testimony
Helping Your Attorney
Avoiding Testimony Problems
Testifying During Direct Examination
Testifying During Cross Examination
Deposition
Guidelines to Testify at a Deposition
Dealing With Reporters

Module XXV: Forensics in action

E-mail Hoax
Trade Secret Theft
Operation Cyberslam

APPENDIX:

1 . Investigating Wireless Attacks

Passive Attacks
Netstumbler
Active Attacks On Wireless Networks
Rogue Access Points
Investigating Wireless Attacks
Airmagnet

2 . Forensics Investigation Using EnCase

Evidence File
Evidence File Format
Verifying File Integrity
Hashing
Acquiring Image
Configuring Encase
Encase Options Screen
Encase Screens
View Menu
Device Tab
Viewing Files and Folders
Bottom Pane
Viewers in Bottom Pane
Status Bar
Searching
Keywords
Adding Keywords
Grouping
Add multiple Keywords
Starting the Search
Search Hits Tab
Search Hits
Bookmarks
Creating Bookmarks
Adding Bookmarks
Bookmarking Selected Data
Recovering Deleted Files/folders in FAT Partition
Recovering Folders in NTFS
Master Boot Record
NTFS Starting Point
Viewing disk Geometry
Recovering Deleted Partitions
Hash Values
Creating Hash Sets
MD5 Hash
Creating Hash
Viewers
Signature Analysis
Copying Files Folders
E-mail Recovery
Reporting
Encase Boot Disks
IE Cache Images

3 . First Responder Procedures

Steps At Crime Scene
People Involved In Incident Response
The Role Of A System Administrator
First Response By Non-Laboratory Staff
Guidelines For Search And Seizure
Planning The Search And Seizure
Evidence Collection
Dealing With Powered Up Computers At Seizure Time
How To Pull The Power
Seizing Computer Equipment
Removable Media
Seizing Portable Computers
How To Remove HD From Laptops?
Initial Interviews
Chain Of Custody

4 . Checklist for Choosing a Forensic Examiner

5 . Investigation Checklist

Please contact your training representative for more details on having this course delivered onsite or online

Training Outlines - the one stop shopping center for IT training.
© Training Outlines All rights reserved