Date post: 06-Mar-2018

Computer Hacking Forensic Investigator Exam 312-49 Course Outline

Page | 1 Computer Hacking Forensic Investigator Copyright © by EC-Council

All Rights Reserved. Reproduction Is Strictly Prohibited.

Computer Hacking Forensic Investigator

Course Outline

(Version 8)

Module 01: Computer Forensics in Today’s World

Forensics Science

Computer Forensics

o Security Incident Report

o Aspects of Organizational Security

o Evolution of Computer Forensics

o Objective of Computer Forensics

o Need for Computer Forensics

Forensics Readiness

o Benefits of Forensics Readiness

o Goals of Forensics Readiness

o Forensics Readiness Planning

Cyber Crime

o Computer Facilitated Crimes

o Modes of Attacks

o Examples of Cyber Crime

o Types of Computer Crimes

o Cyber Criminals

o Organized Cyber Crime: Organizational Chart

o How Serious are Different Types of Incidents?

o Disruptive Incidents to the Business

o Cost Expenditure Responding to the Security Incident

Cyber Crime Investigation

o Key Steps in Forensics Investigation

o Rules of Forensics Investigation

o Need for Forensics Investigator


o Role of Forensics Investigator

o Accessing Computer Forensics Resources

o Role of Digital Evidence

Corporate Investigations

o Understanding Corporate Investigations

o Approach to Forensics Investigation: A Case Study

o Instructions for the Forensic Investigator to Approach the Crime Scene

o Why and When Do You Use Computer Forensics?

o Enterprise Theory of Investigation (ETI)

o Legal Issues

o Reporting the Results

Reporting a Cyber Crime

o Why you Should Report Cybercrime?

o Reporting Computer-Related Crimes

o Person Assigned to Report the Crime

o When and How to Report an Incident?

o Who to Contact at the Law Enforcement?

o Federal Local Agents Contact

o More Contacts

o CIO Cyberthreat Report Form

Module 02: Computer Forensics Investigation Process

Investigating Computer Crime

o Before the Investigation

o Build a Forensics Workstation

o Building the Investigation Team

o People Involved in Computer Forensics

o Review Policies and Laws

o Forensics Laws

o Notify Decision Makers and Acquire Authorization

o Risk Assessment


o Build a Computer Investigation Toolkit

Steps to Prepare for a Computer Forensics Investigation

Computer Forensics Investigation Methodology

o Obtain Search Warrant

Example of Search Warrant

Searches Without a Warrant

o Evaluate and Secure the Scene

Forensics Photography

Gather the Preliminary Information at the Scene

First Responder

o Collect the Evidence

Collect Physical Evidence

Evidence Collection Form

Collect Electronic Evidence

Guidelines for Acquiring Evidence

o Secure the Evidence

Evidence Management

Chain of Custody

Chain of Custody Form

o Acquire the Data

Duplicate the Data (Imaging)

Verify Image Integrity

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

Recover Lost or Deleted Data

Data Recovery Software

o Analyze the Data

Data Analysis

Data Analysis Tools

o Assess Evidence and Case

Evidence Assessment

Case Assessment


Processing Location Assessment

Best Practices to Assess the Evidence

o Prepare the Final Report

Documentation in Each Phase

Gather and Organize Information

Writing the Investigation Report

Sample Report

o Testifying as an Expert Witness

Expert Witness

Testifying in the Court Room

Closing the Case

Maintaining Professional Conduct

Investigating a Company Policy Violation

Computer Forensics Service Providers

Module 03: Searching and Seizing Computers

Searching and Seizing Computers without a Warrant

o Searching and Seizing Computers without a Warrant

o § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles

o § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices

o § A.3: Reasonable Expectation of Privacy and Third-Party Possession

o § A.4: Private Searches

o § A.5 Use of Technology to Obtain Information

o § B: Exceptions to the Warrant Requirement in Cases Involving Computers

o § B.1: Consent

o § B.1.a: Scope of Consent

o § B.1.b: Third-Party Consent

o § B.1.c: Implied Consent

o § B.2: Exigent Circumstances

o § B.3: Plain View


o § B.4: Search Incident to a Lawful Arrest

o § B.5: Inventory Searches

o § B.6: Border Searches

o § B.7: International Issues

o § C: Special Case: Workplace Searches

o § C.1: Private Sector Workplace Searches

o § C.2: Public-Sector Workplace Searches

Searching and Seizing Computers with a Warrant

o Searching and Seizing Computers with a Warrant

o § A: Successful Search with a Warrant

o § A.1: Basic Strategies for Executing Computer Searches

o § A.1.a: When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime

o § A.1.b: When Hardware Is Merely a Storage Device for Evidence of Crime

o § A.2: The Privacy Protection Act

o § A.2.a: The Terms of the Privacy Protection Act

o § A.2.b: Application of the PPA to Computer Searches and Seizures

o § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)

o § A.4: Considering the Need for Multiple Warrants in Network Searches

o § A.5: No-Knock Warrants

o § A.6: Sneak-and-Peek Warrants

o § A.7: Privileged Documents

o § B: Drafting the Warrant and Affidavit

o § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant

o § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”

o § B.2: Establish Probable Cause in the Affidavit

o § B.3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search

o § C: Post-Seizure Issues

o § C.1: Searching Computers Already in Law Enforcement Custody


o § C.2: The Permissible Time Period for Examining Seized Computers

o § C.3: Rule 41(e) Motions for Return of Property

The Electronic Communications Privacy Act

o The Electronic Communications Privacy Act

o § A. Providers of Electronic Communication Service vs. Remote Computing Service

o § B. Classifying Types of Information Held by Service Providers

o § C. Compelled Disclosure Under ECPA

o § D. Voluntary Disclosure

o § E. Working with Network Providers

Electronic Surveillance in Communications Networks

o Electronic Surveillance in Communications Networks

o § A. Content vs. Addressing Information

o § B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127

o § C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522

o § C.1: Exceptions to Title III

o § D. Remedies For Violations of Title III and the Pen/Trap Statute

Evidence

o Evidence

o § A. Authentication

o § B. Hearsay

o § C. Other Issues

Module 04: Digital Evidence

Digital Data

o Definition of Digital Evidence

o Increasing Awareness of Digital Evidence

o Challenging Aspects of Digital Evidence

o The Role of Digital Evidence

o Characteristics of Digital Evidence

o Fragility of Digital Evidence

o Anti-Digital Forensics (ADF)


Types of Digital Data

o Types of Digital Data

Rules of Evidence

o Rules of Evidence

o Best Evidence Rule

o Federal Rules of Evidence

o International Organization on Computer Evidence (IOCE)

o IOCE International Principles for Digital Evidence

o Scientific Working Group on Digital Evidence (SWGDE)

o SWGDE Standards for the Exchange of Digital Evidence

Electronic Devices: Types and Collecting Potential Evidence

o Electronic Devices: Types and Collecting Potential Evidence

Digital Evidence Examination Process

o Evidence Assessment

Evidence Assessment

Prepare for Evidence Acquisition

o Evidence Acquisition

Preparation for Searches

Seizing the Evidence

Imaging

Bit-Stream Copies

Write Protection

Evidence Acquisition

Evidence Acquisition from Crime Location

Acquiring Evidence from Storage Devices

Collecting Evidence

Collecting Evidence from RAM

Collecting Evidence from a Standalone Network Computer

Chain of Custody

Chain of Evidence Form

o Evidence Preservation


Preserving Digital Evidence: Checklist

Preserving Removable Media

Handling Digital Evidence

Store and Archive

Digital Evidence Findings

o Evidence Examination and Analysis

Evidence Examination

Physical Extraction

Logical Extraction

Analyze Host Data

Analyze Storage Media

Analyze Network Data

Analysis of Extracted Data

Timeframe Analysis

Data Hiding Analysis

Application and File Analysis

Ownership and Possession

o Evidence Documentation and Reporting

Documenting the Evidence

Evidence Examiner Report

Final Report of Findings

Computer Evidence Worksheet

Hard Drive Evidence Worksheet

Removable Media Worksheet

Electronic Crime and Digital Evidence Consideration by Crime Category

o Electronic Crime and Digital Evidence Consideration by Crime Category

Module 05: First Responder Procedures

Electronic Evidence

First Responder


Roles of First Responder

Electronic Devices: Types and Collecting Potential Evidence

First Responder Toolkit

o First Responder Toolkit

o Creating a First Responder Toolkit

o Evidence Collecting Tools and Equipment

First Response Basics

o First Response Rule

o Incident Response: Different Situations

o First Response for System Administrators

o First Response by Non-Laboratory Staff

o First Response by Laboratory Forensics Staff

Securing and Evaluating Electronic Crime Scene

o Securing and Evaluating Electronic Crime Scene: A Checklist

o Securing the Crime Scene

o Warrant for Search and Seizure

o Planning the Search and Seizure

o Initial Search of the Scene

o Health and Safety Issues

Conducting Preliminary Interviews

o Questions to Ask When Client Calls the Forensic Investigator

o Consent

o Sample of Consent Search Form

o Witness Signatures

o Conducting Preliminary Interviews

o Conducting Initial Interviews

o Witness Statement Checklist

Documenting Electronic Crime Scene

o Documenting Electronic Crime Scene

o Photographing the Scene

o Sketching the Scene


o Video Shooting the Crime Scene

Collecting and Preserving Electronic Evidence

o Collecting and Preserving Electronic Evidence

o Order of Volatility

o Dealing with Powered On Computers

o Dealing with Powered Off Computers

o Dealing with Networked Computer

o Dealing with Open Files and Startup Files

o Operating System Shutdown Procedure

o Computers and Servers

o Preserving Electronic Evidence

o Seizing Portable Computers

o Switched On Portables

o Collecting and Preserving Electronic Evidence

Packaging and Transporting Electronic Evidence

o Evidence Bag Contents List

o Packaging Electronic Evidence

o Exhibit Numbering

o Transporting Electronic Evidence

o Handling and Transportation to the Forensics Laboratory

o Storing Electronic Evidence

o Chain of Custody

o Simple Format of the Chain of Custody Document

o Chain of Custody Forms

o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet

Reporting the Crime Scene

o Reporting the Crime Scene

Note Taking Checklist

First Responder Common Mistakes

Module 06: Computer Forensics Lab


Setting Up a Computer Forensics Lab

o Computer Forensics Lab

o Planning for a Forensics Lab

o Budget Allocation for a Forensics Lab

o Physical Location Needs of a Forensics Lab

o Structural Design Considerations

o Environmental Conditions

o Electrical Needs

o Communication Needs

o Work Area of a Computer Forensics Lab

o Ambience of a Forensics Lab

o Ambience of a Forensics Lab: Ergonomics

o Physical Security Recommendations

o Fire-Suppression Systems

o Evidence Locker Recommendations

o Computer Forensic Investigator

o Law Enforcement Officer

o Lab Director

o Forensics Lab Licensing Requisite

o Features of the Laboratory Imaging System

o Technical Specification of the Laboratory-Based Imaging System

o Forensics Lab

o Auditing a Computer Forensics Lab

o Recommendations to Avoid Eyestrain

Investigative Services in Computer Forensics

o Computer Forensics Investigative Services

o Computer Forensic Investigative Service Sample

o Computer Forensics Services: PenrodEllis Forensic Data Discovery

o Data Destruction Industry Standards

o Computer Forensics Services

Computer Forensics Hardware


o Equipment Required in a Forensics Lab

o Forensic Workstations

o Basic Workstation Requirements in a Forensics Lab

o Stocking the Hardware Peripherals

o Paraben Forensics Hardware

Handheld First Responder Kit

Wireless StrongHold Bag

Wireless StrongHold Box

Passport StrongHold Bag

Device Seizure Toolbox

Project-a-Phone

Lockdown

iRecovery Stick

Data Recovery Stick

Chat Stick

USB Serial DB9 Adapter

Mobile Field Kit

o Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop

o Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower

o Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

o Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II

o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

o Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon

o Portable Forensic Systems and Towers: Ultimate Forensic Machine

o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES

o Tableau T3u Forensic SATA Bridge Write Protection Kit

o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

o Tableau TACC 1441 Hardware Accelerator

Multiple TACC1441 Units

o Tableau TD1 Forensic Duplicator


o Power Supplies and Switches

o Digital Intelligence Forensic Hardware

FRED SR (Dual Xeon)

FRED-L

FRED SC

Forensic Recovery of Evidence Data Center (FREDC)

Rack-A-TACC

FREDDIE

UltraKit

UltraBay II

UltraBlock SCSI

Micro Forensic Recovery of Evidence Device (µFRED)

HardCopy 3P

o Wiebetech

Forensics DriveDock v4

Forensics UltraDock v4

Drive eRazer

v4 Combo Adapters

ProSATA SS8

HotPlug

o CelleBrite

UFED System

UFED Physical Pro

UFED Ruggedized

o DeepSpar

Disk Imager Forensic Edition

3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor


o InfinaDyne Forensic Products

Robotic Loader Extension for CD/DVD Inspector

Robotic System Status Light

o Image MASSter

Solo-4 (Super Kit)

RoadMASSter-3

WipeMASSter

WipePRO

Rapid Image 7020CS IT

o Logicube

Forensic MD5

Forensic Talon®

Portable Forensic Lab™

CellDEK®

Forensic Quest-2®

NETConnect™

RAID I/O Adapter™

GPStamp™

OmniPort

Desktop WritePROtects

USB Adapter

CloneCard Pro

EchoPlus

OmniClone IDE Laptop Adapters

Cables

o VoomTech

HardCopy 3P

SHADOW 2

Computer Forensics Software

o Basic Software Requirements in a Forensic Lab


o Maintain Operating System and Application Inventories

o Imaging Software

R-drive Image

P2 eXplorer Pro

AccuBurn-R for CD/DVD Inspector

Flash Retriever Forensic Edition

o File Conversion Software

FileMerlin

SnowBatch®

Zamzar

o File Viewer Software

File Viewer

Quick View Plus 11 Standard Edition

o Analysis Software

P2 Commander

DriveSpy

SIM Card Seizure

CD/DVD Inspector

Video Indexer (Vindex™)

o Monitoring Software

Device Seizure

Deployable P2 Commander (DP2C)

ThumbsDisplay

Email Detective

o Computer Forensics Software

DataLifter

X-Ways Forensics

LiveWire Investigator

Module 07: Understanding Hard Disks and File Systems

Hard Disk Drive Overview


o Disk Drive Overview

o Hard Disk Drive

o Solid-State Drive (SSD)

o Physical Structure of a Hard Disk

o Logical Structure of Hard Disk

o Types of Hard Disk Interfaces

o Hard Disk Interfaces

ATA

SCSI

IDE/EIDE

USB

Fibre Channel

o Disk Platter

o Tracks

Track Numbering

o Sector

Advanced Format: Sectors

Sector Addressing

o Cluster

Cluster Size

Changing the Cluster Size

Slack Space

Lost Clusters

o Bad Sector

o Hard Disk Data Addressing

o Disk Capacity Calculation

o Measuring the Performance of the Hard Disk

Disk Partitions and Boot Process

o Disk Partitions

o Master Boot Record

Structure of a Master Boot Record


o What is the Booting Process?

o Essential Windows System Files

o Windows 7 Boot Process

o Macintosh Boot Process

o http://www.bootdisk.com

Understanding File Systems

o Understanding File Systems

o Types of File Systems

o List of Disk File Systems

o List of Network File Systems

o List of Special Purpose File Systems

o List of Shared Disk File Systems

o Popular Windows File Systems

File Allocation Table (FAT)

FAT File System Layout

FAT Partition Boot Sector

FAT Structure

FAT Folder Structure

Directory Entries and Cluster Chains

Filenames on FAT Volumes

Examining FAT

FAT32

New Technology File System (NTFS)

NTFS Architecture

NTFS System Files

NTFS Partition Boot Sector

Cluster Sizes of NTFS Volume

NTFS Master File Table (MFT)

o Metadata Files Stored in the MFT

NTFS Files and Data Storage


NTFS Attributes

NTFS Data Stream

NTFS Compressed Files

o Setting the Compression State of a Volume

Encrypting File Systems (EFS)

o Components of EFS

o Operation of Encrypting File System

o EFS Attribute

o Encrypting a File

o EFS Recovery Key Agent

o Tool: Advanced EFS Data Recovery

o Tool: EFS Key

Sparse Files

Deleting NTFS Files

Registry Data

Examining Registry Data

FAT vs. NTFS

o Popular Linux File Systems

Linux File System Architecture

Ext2

Ext3

o Mac OS X File Systems

HFS vs. HFS Plus

HFS

HFS Plus

HFS Plus Volumes

HFS Plus Journal

o Sun Solaris 10 File System: ZFS

o CD-ROM / DVD File System

o CDFS

RAID Storage System


o RAID Levels

o Different RAID Levels

o Comparing RAID Levels

o Recover Data from Unallocated Space Using File Carving Process

File System Analysis Using The Sleuth Kit (TSK)

o The Sleuth Kit (TSK)

The Sleuth Kit (TSK): fsstat

The Sleuth Kit (TSK): istat

The Sleuth Kit (TSK): fls and img_stat

Module 08: Windows Forensics

Collecting Volatile Information

o Volatile Information

System Time

Logged-On Users

PsLoggedOn Tool

net sessions Command

LogonSessions Tool

Open Files

net file Command

PsFile Utility

Openfiles Command

Network Information

Network Connections

Process Information

Process-to-Port Mapping

Process Memory

Network Status

Other Important Information

Collecting Non-Volatile Information

o Non-Volatile Information


Examine File Systems

Registry Settings

Microsoft Security ID

Event Logs

Index.dat File

Devices and Other Information

Slack Space

Virtual Memory

Swap File

Windows Search Index

Collecting Hidden Partition Information

Hidden ADS Streams

Investigating ADS Streams: StreamArmor

Other Non-Volatile Information

Windows Memory Analysis

o Memory Dump

o EProcess Structure

o Process Creation Mechanism

o Parsing Memory Contents

o Parsing Process Memory

o Extracting the Process Image

o Collecting Process Memory

Windows Registry Analysis

o Inside the Registry

o Registry Structure within a Hive File

o The Registry as a Log File

o Registry Analysis

o System Information

o TimeZone Information

o Shares

o Audit Policy


o Wireless SSIDs

o Autostart Locations

o System Boot

o User Login

o User Activity

o Enumerating Autostart Registry Locations

o USB Removable Storage Devices

o Mounted Devices

o Finding Users

o Tracking User Activity

o The UserAssist Keys

o MRU Lists

o Search Assistant

o Connecting to Other Systems

o Analyzing Restore Point Registry Settings

o Determining the Startup Locations

Cache, Cookie, and History Analysis

o Cache, Cookie, and History Analysis in IE

o Cache, Cookie, and History Analysis in Firefox

o Cache, Cookie, and History Analysis in Chrome

o Analysis Tools

IECookiesView

IECacheView

IEHistoryView

MozillaCookiesView

MozillaCacheView

MozillaHistoryView

ChromeCookiesView

ChromeCacheView

ChromeHistoryView

MD5 Calculation


o Message Digest Function: MD5

o Why MD5 Calculation?

o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

o MD5 Checksum Verifier

o ChaosMD5

Windows File Analysis

o Recycle Bin

o System Restore Points (Rp.log Files)

o System Restore Points (Change.log.x Files)

o Prefetch Files

o Shortcut Files

o Word Documents

o PDF Documents

o Image Files

o File Signature Analysis

o NTFS Alternate Data Streams

o Executable File Analysis

o Documentation Before Analysis

o Static Analysis Process

o Search Strings

o PE Header Analysis

o Import Table Analysis

o Export Table Analysis

o Dynamic Analysis Process

o Creating Test Environment

o Collecting Information Using Tools

o Process of Testing the Malware

Metadata Investigation

o Metadata

o Types of Metadata

o Metadata in Different File Systems


o Metadata in PDF Files

o Metadata in Word Documents

o Tool: Metadata Analyzer

Text Based Logs

o Understanding Events

o Event Logon Types

o Event Record Structure

o Vista Event Logs

o IIS Logs

Parsing IIS Logs

o Parsing FTP Logs

FTP sc-status Codes

o Parsing DHCP Server Logs

o Parsing Windows Firewall Logs

o Using the Microsoft Log Parser

Other Audit Events

o Evaluating Account Management Events

o Examining Audit Policy Change Events

o Examining System Log Entries

o Examining Application Log Entries

Forensic Analysis of Event Logs

o Searching with Event Viewer

o Using EnCase to Examine Windows Event Log Files

o Windows Event Log Files Internals

Windows Password Issues

o Understanding Windows Password Storage

o Cracking Windows Passwords Stored on Running Systems

o Exploring Windows Authentication Mechanisms

LanMan Authentication Process

NTLM Authentication Process

Kerberos Authentication Process


o Sniffing and Cracking Windows Authentication Exchanges

o Cracking Offline Passwords

Forensic Tools

o Windows Forensics Tool: OS Forensics

o Windows Forensics Tool: Helix3 Pro

o Integrated Windows Forensics Software: X-Ways Forensics

o X-Ways Trace

o Windows Forensic Toolchest (WFT)

o Built-in Tool: Sigverif

o Computer Online Forensic Evidence Extractor (COFEE)

o System Explorer

o Tool: System Scanner

o SecretExplorer

o Registry Viewer Tool: Registry Viewer

o Registry Viewer Tool: RegScanner

o Registry Viewer Tool: Alien Registry Viewer

o MultiMon

o CurrProcess

o Process Explorer

o Security Task Manager

o PrcView

o ProcHeapViewer

o Memory Viewer

o Tool: PMDump

o Word Extractor

o Belkasoft Evidence Center

o Belkasoft Browser Analyzer

o Metadata Assistant

o HstEx

o XpoLog Center Suite

o LogViewer Pro


o Event Log Explorer

o LogMeister

o ProDiscover Forensics

o PyFlag

o LiveWire Investigator

o ThumbsDisplay

o DriveLook

Module 09: Data Acquisition and Duplication

Data Acquisition and Duplication Concepts

o Data Acquisition

o Forensic and Procedural Principles

o Types of Data Acquisition Systems

o Data Acquisition Formats

o Bit Stream vs. Backups

o Why to Create a Duplicate Image?

o Issues with Data Duplication

o Data Acquisition Methods

o Determining the Best Acquisition Method

o Contingency Planning for Image Acquisitions

o Data Acquisition Mistakes

Data Acquisition Types

o Rules of Thumb

o Static Data Acquisition

Collecting Static Data

Static Data Collection Process

o Live Data Acquisition

Why Is Volatile Data Important?

Volatile Data

Order of Volatility

Common Mistakes in Volatile Data Collection


Volatile Data Collection Methodology

Basic Steps in Collecting Volatile Data

Types of Volatile Information

Disk Acquisition Tool Requirements

o Disk Imaging Tool Requirements

o Disk Imaging Tool Requirements: Mandatory

o Disk Imaging Tool Requirements: Optional

Validation Methods

o Validating Data Acquisitions

o Linux Validation Methods

o Windows Validation Methods

RAID Data Acquisition

o Understanding RAID Disks

o Acquiring RAID Disks

o Remote Data Acquisition

Acquisition Best Practices

o Acquisition Best Practices

Data Acquisition Software Tools

o Acquiring Data on Windows

o Acquiring Data on Linux

dd Command

dcfldd Command

Extracting the MBR

Netcat Command

o EnCase Forensic

o Analysis Software: DriveSpy

o ProDiscover Forensics

o AccessData FTK Imager

o Mount Image Pro

o Data Acquisition Toolbox

o SafeBack


o ILookPI

o RAID Recovery for Windows

o R-Tools R-Studio

o F-Response

o PyFlag

o LiveWire Investigator

o ThumbsDisplay

o DataLifter

o X-Ways Forensics

o R-drive Image

o DriveLook

o DiskExplorer

o P2 eXplorer Pro

o Flash Retriever Forensic Edition

Data Acquisition Hardware Tools

o US-LATT

o Image MASSter: Solo-4 (Super Kit)

o Image MASSter: RoadMASSter-3

o Tableau TD1 Forensic Duplicator

o Logicube: Forensic MD5

o Logicube: Portable Forensic Lab™

o Logicube: Forensic Talon®

o Logicube: RAID I/O Adapter™

o DeepSpar: Disk Imager Forensic Edition

o Logicube: USB Adapter

o Disk Jockey PRO

o Logicube: Forensic Quest-2®

o Logicube: CloneCard Pro

o Logicube: EchoPlus

o Paraben Forensics Hardware: Chat Stick

o Image MASSter: Rapid Image 7020CS IT


o Digital Intelligence Forensic Hardware: UltraKit

o Digital Intelligence Forensic Hardware: UltraBay II

o Digital Intelligence Forensic Hardware: UltraBlock SCSI

o Digital Intelligence Forensic Hardware: HardCopy 3P

o Wiebetech: Forensics DriveDock v4

o Wiebetech: Forensics UltraDock v4

o Image MASSter: WipeMASSter

o Image MASSter: WipePRO

o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

o Forensic Tower IV Dual Xeon

o Digital Intelligence Forensic Hardware: FREDDIE

o DeepSpar: 3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor

o Logicube

Cables

Adapters

GPStamp™

OmniPort

CellDEK®

o Paraben Forensics Hardware

Project-a-Phone

Mobile Field Kit

iRecovery Stick

o CelleBrite

UFED System

UFED Physical Pro

Module 10: Recovering Deleted Files and Deleted Partitions

Recovering the Deleted Files

o Deleting Files

o What Happens When a File is Deleted in Windows?

o Recycle Bin in Windows

Storage Locations of Recycle Bin in FAT and NTFS Systems

How the Recycle Bin Works

Damaged or Deleted INFO File

Damaged Files in Recycle Bin Folder

Damaged Recycle Folder

o File Recovery in MAC OS X

o File Recovery in Linux

File Recovery Tools for Windows

o Recover My Files

o EASEUS Data Recovery Wizard

o PC INSPECTOR File Recovery

o Recuva

o DiskDigger

o Handy Recovery

o Quick Recovery

o Stellar Phoenix Windows Data Recovery

o Tools to Recover Deleted Files

Total Recall

Advanced Disk Recovery

Windows Data Recovery Software

R-Studio

PC Tools File Recover

Data Rescue PC

Smart Undelete

FileRestore Professional

Deleted File Recovery Software

DDR Professional Recovery Software

Data Recovery Pro

GetDataBack

UndeletePlus

Search and Recover

File Scavenger

Filesaver

Virtual Lab

Active@ UNDELETE

Win Undelete

R-Undelete

Recover4all Professional

eData Unerase

Active@ File Recovery

FinalRecovery

File Recovery Tools for MAC

o MAC File Recovery

o MAC Data Recovery

o Boomerang Data Recovery Software

o VirtualLab

o File Recovery Tools for MAC OS X

DiskWarrior

AppleXsoft File Recovery for MAC

Disk Doctors MAC Data Recovery

R-Studio for MAC

Data Rescue

Stellar Phoenix MAC Data Recovery

FileSalvage

TechTool Pro

File Recovery Tools for Linux

o R-Studio for Linux

o Quick Recovery for Linux

o Kernel for Linux Data Recovery

o TestDisk for Linux

Recovering the Deleted Partitions

o Disk Partition

o Deletion of Partition

o Recovery of the Deleted Partition

Partition Recovery Tools

o Active@ Partition Recovery for Windows

o Acronis Recovery Expert

o DiskInternals Partition Recovery

o NTFS Partition Data Recovery

o GetDataBack

o EASEUS Partition Recovery

o Advanced Disk Recovery

o Power Data Recovery

o Remo Recover (MAC) - Pro

o MAC Data Recovery Software

o Quick Recovery for Linux

o Stellar Phoenix Linux Data Recovery Software

o Tools to Recover Deleted Partitions

Handy Recovery

TestDisk for Windows

Stellar Phoenix Windows Data Recovery

ARAX Disk Doctor

Power Data Recovery

Quick Recovery for MAC

Partition Find & Mount

Advance Data Recovery Software Tools

TestDisk for MAC

Kernel for FAT and NTFS – Windows Disk Recovery

Disk Drill

Stellar Phoenix MAC Data Recovery

ZAR Windows Data Recovery

AppleXsoft File Recovery for MAC

Quick Recovery for FAT & NTFS

TestDisk for Linux

Module 11: Forensics Investigation using AccessData FTK

Overview and Installation of FTK

o Overview of Forensic Toolkit (FTK)

o Features of FTK

o Software Requirement

o Configuration Option

o Database Installation

o FTK Application Installation

FTK Case Manager User Interface

o Case Manager Window

Case Manager Database Menu

Setting Up Additional Users and Assigning Roles

Case Manager Case Menu

Assigning Users Shared Label Visibility

Case Manager Tools Menu

Recovering Processing Jobs

Restoring an Image to a Disk

Case Manager Manage Menu

Managing Carvers

Managing Custom Identifiers

FTK Examiner User Interface

o FTK Examiner User Interface

Menu Bar: File Menu

Exporting Files

Exporting Case Data to a Custom Content Image

Exporting the Word List

Menu Bar: Edit Menu

Menu Bar: View Menu

Menu Bar: Evidence Menu

Menu Bar: Tools Menu

Verifying Drive Image Integrity

Mounting an Image to a Drive

File List View

Using Labels

Creating and Applying a Label

Starting with FTK

o Creating a Case

o Selecting Detailed Options: Evidence Processing

o Selecting Detailed Options: Fuzzy Hashing

o Selecting Detailed Options: Data Carving

o Selecting Detailed Options: Custom File Identification

o Selecting Detailed Options: Evidence Refinement (Advanced)

o Selecting Detailed Options: Index Refinement (Advanced)

FTK Interface Tabs

o FTK Interface Tabs

Explore Tab

Overview Tab

Email Tab

Graphics Tab

Bookmarks Tab

Live Search Tabs

Volatile Tab

Adding and Processing Static, Live, and Remote Evidence

o Adding Evidence to a Case

o Evidence Groups

o Acquiring Local Live Evidence

o FTK Role Requirements for Remote Acquisition

o Types of Remote Information

o Acquiring Data Remotely Using Remote Device Management System (RDMS)

o Imaging Drives

o Mounting and Unmounting a Device

Using and Managing Filters

o Accessing Filter Tools

o Using Filters

o Customizing Filters

o Using Predefined Filters

Using Index Search and Live Search

o Conducting an Index Search

Selecting Index Search Options

Viewing Index Search Results

Documenting Search Results

o Conducting a Live Search: Live Text Search

o Conducting a Live Search: Live Hex Search

o Conducting a Live Search: Live Pattern Search

Decrypting EFS and other Encrypted Files

o Decrypting EFS Files and Folders

o Decrypting MS Office Files

o Viewing Decrypted Files

o Decrypting Domain Account EFS Files from Live Evidence

o Decrypting Credant Files

o Decrypting Safeboot Files

Working with Reports

o Creating a Report

o Entering Case Information

o Managing Bookmarks in a Report

o Managing Graphics in a Report

o Selecting a File Path List

o Adding a File Properties List

o Making Registry Selections

o Selecting the Report Output Options

o Customizing the Formatting of Reports

o Viewing and Distributing a Report

Module 12: Forensics Investigation Using EnCase

Overview of EnCase Forensic

o Overview of EnCase Forensic

o EnCase Forensic Features

o EnCase Forensic Platform

o EnCase Forensic Modules

Installing EnCase Forensic

o Minimum Requirements

o Installing the Examiner

o Installed Files

o Installing the EnCase Modules

o Configuring EnCase

Configuring EnCase: Case Options Tab

Configuring EnCase: Global Tab

Configuring EnCase: Debug Tab

Configuring EnCase: Colors Tab and Fonts Tab

Configuring EnCase: EnScript Tab and Storage Paths Tab

o Sharing Configuration (INI) Files

EnCase Interface

o Main EnCase Window

System Menu Bar

Toolbar

Panes Overview

Tree Pane

Table Pane

o Table Pane: Table Tab

o Table Pane: Report Tab

o Table Pane: Gallery Tab

o Table Pane: Timeline Tab

o Table Pane: Disk Tab and Code Tab

View Pane

Filter Pane

o Filter Pane Tabs

o Creating a Filter

o Creating Conditions

Status Bar

Case Management

o Overview of Case Structure

o Case Management

o Indexing a Case

o Case Backup

o Options Dialog Box

o Logon Wizard

o New Case Wizard

o Setting Time Zones for Case Files

o Setting Time Zone Options for Evidence Files

Working with Evidence

o Types of Entries

o Adding a Device

Adding a Device using Tableau Write Blocker

o Performing a Typical Acquisition

o Acquiring a Device

o Canceling an Acquisition

o Acquiring a Handspring PDA

o Delayed Loading of Internet Artifacts

o Hashing the Subject Drive

o Logical Evidence File (LEF)

o Creating a Logical Evidence File

o Recovering Folders on FAT Volumes

o Restoring a Physical Drive

Source Processor

o Source Processor

Starting to Work with Source Processor

Setting Case Options

Collection Jobs

Creating a Collection Job

Copying a Collection Job

Running a Collection Job

Analysis Jobs

Creating an Analysis Job

Running an Analysis Job

Creating a Report

Analyzing and Searching Files

o Viewing the File Signature Directory

o Performing a Signature Analysis

o Hash Analysis

o Hashing a New Case

o Creating a Hash Set

o Keyword Searches

o Creating Global Keywords

o Adding Keywords

o Importing and Exporting Keywords

o Searching Entries for Email and Internet Artifacts

o Viewing Search Hits

o Generating an Index

o Tag Records

Viewing File Content

o Viewing Files

o Copying and Unerasing Files

o Adding a File Viewer

o Viewing File Content Using View Pane

o Viewing Compound Files

o Viewing Base64 and UUE Encoded Files

Bookmarking Items

o Bookmarks Overview

o Creating a Highlighted Data Bookmark

o Creating a Note Bookmark

o Creating a Folder Information/Structure Bookmark

o Creating a Notable File Bookmark

o Creating a File Group Bookmark

o Creating a Log Record Bookmark

o Creating a Snapshot Bookmark

o Organizing Bookmarks

o Copying/Moving a Table Entry into a Folder

o Viewing a Bookmark on the Table Report Tab

o Excluding Bookmarks

o Copying Selected Items from One Folder to Another

Reporting

o Reporting

o Report User Interface

o Creating a Report Using the Report Tab

o Report Single/Multiple Files

o Viewing a Bookmark Report

o Viewing an Email Report

o Viewing a Webmail Report

o Viewing a Search Hits Report

o Creating a Quick Entry Report

o Creating an Additional Fields Report

o Exporting a Report

Module 13: Steganography and Image File Forensics

Steganography

o What is Steganography?

o How Steganography Works

o Legal Use of Steganography

o Unethical Use of Steganography

Steganography Techniques

o Steganography Techniques

o Application of Steganography

o Classification of Steganography

o Technical Steganography

o Linguistic Steganography

o Types of Steganography

Image Steganography

Least Significant Bit Insertion

Masking and Filtering

Algorithms and Transformation

Image Steganography: Hermetic Stego

Steganography Tool: S-Tools

Image Steganography Tools

o ImageHide

o QuickStego

o gifshuffle

o OutGuess

o Contraband

o Camera/Shy

o JPHIDE and JPSEEK

o StegaNote

Audio Steganography

Audio Steganography Methods

Audio Steganography: Mp3stegz

Audio Steganography Tools

o MAXA Security Tools

o Stealth Files

o Audiostegano

o BitCrypt

o MP3Stego

o Steghide

o Hide4PGP

o CHAOS Universal

Video Steganography

Video Steganography: MSU StegoVideo

Video Steganography Tools

o Masker

o Max File Encryption

o Xiao Steganography

o RT Steganography

o Our Secret

o BDV DataHider

o CHAOS Universal

o OmniHide PRO

Document Steganography: wbStego

Byte Shelter I

Document Steganography Tools

o Merge Streams

o Office XML

o CryptArkan

o Data Stash

o FoxHole

o Xidie Security Suite

o StegParty

o Hydan

Whitespace Steganography Tool: SNOW

Folder Steganography: Invisible Secrets 4

Folder Steganography Tools

o StegoStick

o QuickCrypto

o Max Folder Secure

o WinMend Folder Hidden

o PSM Encryptor

o XPTools

o Universal Shield

o Hide My Files

Spam/Email Steganography: Spam Mimic

o Steganographic File System

o Issues in Information Hiding

Steganalysis

o Steganalysis

o How to Detect Steganography

o Detecting Text, Image, Audio, and Video Steganography

o Steganalysis Methods/Attacks on Steganography

o Disabling or Active Attacks

o Steganography Detection Tool: Stegdetect

o Steganography Detection Tools

Xstegsecret

Stego Watch

StegAlyzerAS

StegAlyzerRTS

StegSpy

Gargoyle Investigator™ Forensic Pro

StegAlyzerSS

StegMark

Image Files

o Image Files

o Common Terminologies

o Understanding Vector Images

o Understanding Raster Images

o Metafile Graphics

o Understanding Image File Formats

o GIF (Graphics Interchange Format)

o JPEG (Joint Photographic Experts Group)

JPEG File Structure

JPEG 2000

o BMP (Bitmap) File

BMP File Structure

o PNG (Portable Network Graphics)

PNG File Structure

o TIFF (Tagged Image File Format)

TIFF File Structure

Data Compression

o Understanding Data Compression

o How Does File Compression Work?

o Lossless Compression

o Huffman Coding Algorithm

o Lempel-Ziv Coding Algorithm

o Lossy Compression

o Vector Quantization

Locating and Recovering Image Files

o Best Practices for Forensic Image Analysis

o Forensic Image Processing Using MATLAB

o Locating and Recovering Image Files

o Analyzing Image File Headers

o Repairing Damaged Headers

o Reconstructing File Fragments

o Identifying Unknown File Formats

o Identifying Image File Fragments

o Identifying Copyright Issues on Graphics

o Picture Viewer: IrfanView

o Picture Viewer: ACDSee Photo Manager 12

o Picture Viewer: Thumbsplus

o Picture Viewer: AD Picture Viewer Lite

o Picture Viewer Max

o Picture Viewer: FastStone Image Viewer

o Picture Viewer: XnView

o Faces – Sketch Software

o Digital Camera Data Discovery Software: File Hound

Image File Forensics Tools

o Hex Workshop

o GFE Stealth™ - Forensics Graphics File Extractor

o Ilook

o Adroit Photo Forensics 2011

o Digital Photo Recovery

o Stellar Phoenix Photo Recovery Software

o Zero Assumption Recovery (ZAR)

o Photo Recovery Software

o Forensic Image Viewer

o File Finder

o DiskGetor Data Recovery

o DERescue Data Recovery Master

o Recover My Files

o Universal Viewer

Module 14: Application Password Crackers

Password Cracking Concepts

o Password - Terminology

o Password Types

o Password Cracker

o How Does a Password Cracker Work?

o How Hash Passwords are Stored in Windows SAM

Types of Password Attacks

o Password Cracking Techniques

o Types of Password Attacks

o Passive Online Attacks: Wire Sniffing

o Password Sniffing

o Passive Online Attack: Man-in-the-Middle and Replay Attack

o Active Online Attack: Password Guessing

o Active Online Attack: Trojan/Spyware/keylogger

o Active Online Attack: Hash Injection Attack

o Rainbow Attacks: Pre-Computed Hash

o Distributed Network Attack

Elcomsoft Distributed Password Recovery

o Non-Electronic Attacks

o Manual Password Cracking (Guessing)

o Automatic Password Cracking Algorithm

o Time Needed to Crack Passwords

Classification of Cracking Software

Systems Software vs. Applications Software

System Software Password Cracking

o Bypassing BIOS Passwords

Using Manufacturer’s Backdoor Password to Access the BIOS

Using Password Cracking Software

CmosPwd

Resetting the CMOS using the Jumpers or Solder Beads

Removing CMOS Battery

Overloading the Keyboard Buffer and Using a Professional Service

o Tool to Reset Admin Password: Active@ Password Changer

o Tool to Reset Admin Password: Windows Key

Application Software Password Cracking

o Passware Kit Forensic

o Accent Keyword Extractor

o Distributed Network Attack

o Password Recovery Bundle

o Advanced Office Password Recovery

o Office Password Recovery

o Office Password Recovery Toolbox

o Office Multi-document Password Cracker

o Word Password Recovery Master

o Accent WORD Password Recovery

o Word Password

o PowerPoint Password Recovery

o PowerPoint Password

o Powerpoint Key

o Stellar Phoenix Powerpoint Password Recovery

o Excel Password Recovery Master

o Accent EXCEL Password Recovery

o Excel Password

o Advanced PDF Password Recovery

o PDF Password Cracker

o PDF Password Cracker Pro

o Atomic PDF Password Recovery

o PDF Password

o Recover PDF Password

o Appnimi PDF Password Recovery

o Advanced Archive Password Recovery

o KRyLack Archive Password Recovery

o Zip Password

o Atomic ZIP Password Recovery

o RAR Password Unlocker

o Default Passwords

o http://www.defaultpassword.com

o http://www.cirt.net/passwords

o http://default-password.info

o http://www.defaultpassword.us

o http://www.passwordsdatabase.com

o http://www.virus.org

Password Cracking Tools

o L0phtCrack

o OphCrack

o Cain & Abel

o RainbowCrack

o Windows Password Unlocker

o Windows Password Breaker

o SAMInside

o PWdump7 and Fgdump

o PCLoginNow

o KerbCrack

o Recover Keys

o Windows Password Cracker

o Proactive System Password Recovery

o Password Unlocker Bundle

o Windows Password Reset Professional

o Windows Password Reset Standard

o Krbpwguess

o Password Kit

o WinPassword

o Passware Kit Enterprise

o Rockxp

o PasswordsPro

o LSASecretsView

o LCP

o MessenPass

o Mail PassView

o Messenger Key

o Dialupass

o Protected Storage PassView

o Network Password Recovery

o Asterisk Key

o IE PassView

Module 15: Log Capturing and Event Correlation

Computer Security Logs

o Computer Security Logs

o Operating System Logs

o Application Logs

o Security Software Logs

o Router Log Files

o Honeypot Logs

o Linux Process Accounting

o Logon Event in Windows

o Windows Log File

Configuring Windows Logging

Analyzing Windows Logs

Windows Log File: System Logs

Windows Log File: Application Logs

Logon Events that appear in the Security Event Log

o IIS Logs

IIS Log File Format

Maintaining Credible IIS Log Files

o Log File Accuracy

o Log Everything

o Keeping Time

o UTC Time

o View the DHCP Logs

Sample DHCP Audit Log File

o ODBC Logging

Logs and Legal Issues

o Legality of Using Logs

o Records of Regularly Conducted Activity as Evidence

o Laws and Regulations

Log Management

o Log Management

Functions of Log Management

Challenges in Log Management

Meeting the Challenges in Log Management

Centralized Logging and Syslogs

o Centralized Logging

Centralized Logging Architecture

Steps to Implement Central Logging

o Syslog

Syslog in Unix-Like Systems

Steps to Set Up a Syslog Server for Unix Systems

Advantages of Centralized Syslog Server

o IIS Centralized Binary Logging

Time Synchronization

o Why Synchronize Computer Times?

o What is NTP?

NTP Stratum Levels

o NIST Time Servers

o Configuring Time Server in Windows Server

Event Correlation

o Event Correlation

Types of Event Correlation

Prerequisites for Event Correlation

Event Correlation Approaches

Log Capturing and Analysis Tools

o GFI EventsManager

o Activeworx Security Center

o EventLog Analyzer

o Syslog-ng OSE

o Kiwi Syslog Server

o WinSyslog

o Firewall Analyzer: Log Analysis Tool

o Activeworx Log Center

o EventReporter

o Kiwi Log Viewer

o Event Log Explorer

o WebLog Expert

o XpoLog Center Suite

o ELM Event Log Monitor

o EventSentry

o LogMeister

o LogViewer Pro

o WinAgents EventLog Translation Service

o EventTracker Enterprise

o Corner Bowl Log Manager

o Ascella Log Monitor Plus

o FLAG - Forensic and Log Analysis GUI

o Simple Event Correlator (SEC)

o OSSEC

Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic

Network Forensics

o Network Forensics

o Network Forensics Analysis Mechanism

o Network Addressing Schemes

o Overview of Network Protocols

o Overview of Physical and Data-Link Layer of the OSI Model

o Overview of Network and Transport Layer of the OSI Model

o OSI Reference Model

o TCP/IP Protocol

o Intrusion Detection Systems (IDS) and Their Placement

How IDS Works

Types of Intrusion Detection Systems

General Indications of Intrusions

o Firewall

o Honeypot

Network Attacks

o Network Vulnerabilities

o Types of Network Attacks

IP Address Spoofing

Man-in-the-Middle Attack

Packet Sniffing

How a Sniffer Works

Enumeration

Denial of Service Attack

Session Sniffing

Buffer Overflow

Trojan Horse

Log Injection Attacks

o New Line Injection Attack

New Line Injection Attack Countermeasure

o Separator Injection Attack

Defending Separator Injection Attacks

o Timestamp Injection Attack

Defending Timestamp Injection Attacks

o Word Wrap Abuse Attack

Defending Word Wrap Abuse Attacks

o HTML Injection Attack

Defending HTML Injection Attacks

o Terminal Injection Attack

Defending Terminal Injection Attacks

Investigating and Analyzing Logs

o Postmortem and Real-Time Analysis

o Where to Look for Evidence

o Log Capturing Tool: ManageEngine EventLog Analyzer

o Log Capturing Tool: ManageEngine Firewall Analyzer

o Log Capturing Tool: GFI EventsManager

o Log Capturing Tool: Kiwi Syslog Server

o Handling Logs as Evidence

o Log File Authenticity

o Use Signatures, Encryption, and Checksums

o Work with Copies

o Ensure System’s Integrity

o Access Control

o Chain of Custody

o Condensing Log File

Investigating Network Traffic

o Why Investigate Network Traffic?

o Evidence Gathering via Sniffing

o Capturing Live Data Packets Using Wireshark

Display Filters in Wireshark

Additional Wireshark Filters

o Acquiring Traffic Using DNS Poisoning Techniques

Intranet DNS Spoofing (Local Network)

Intranet DNS Spoofing (Remote Network)

Proxy Server DNS Poisoning

DNS Cache Poisoning

o Evidence Gathering from ARP Table

o Evidence Gathering at the Data-Link Layer: DHCP Database

o Gathering Evidence by IDS

Traffic Capturing and Analysis Tools

o NetworkMiner

o Tcpdump/Windump

o Intrusion Detection Tool: Snort

How Snort Works

o IDS Policy Manager

o MaaTec Network Analyzer

o Iris Network Traffic Analyzer

o NetWitness Investigator

o Colasoft Capsa Network Analyzer

o Sniff-O-Matic

o NetResident

o Network Probe

o NetFlow Analyzer

o OmniPeek Network Analyzer

o Firewall Evasion Tool: Traffic IQ Professional

o NetworkView

o CommView

o Observer

o SoftPerfect Network Protocol Analyzer

o EffeTech HTTP Sniffer

o Big-Mother

o EtherDetect Packet Sniffer

o Ntop

o EtherApe

o AnalogX Packetmon

o IEInspector HTTP Analyzer

o SmartSniff

o Distinct Network Monitor

o Give Me Too

o EtherSnoop

o Show Traffic

o Argus

Documenting the Evidence Gathered on a Network

Module 17: Investigating Wireless Attacks

Wireless Technologies

o Wireless Networks

o Wireless Terminologies

o Wireless Components

o Types of Wireless Networks

o Wireless Standards

o MAC Filtering

o Service Set Identifier (SSID)

o Types of Wireless Encryption: WEP

o Types of Wireless Encryption: WPA

o Types of Wireless Encryption: WPA2

o WEP vs. WPA vs. WPA2

Wireless Attacks

o Wi-Fi Chalking

Wi-Fi Chalking Symbols

o Access Control Attacks

o Integrity Attacks

o Confidentiality Attacks

o Availability Attacks

o Authentication Attacks

Investigating Wireless Attacks

o Key Points to Remember

o Steps for Investigation

Obtain a Search Warrant

Identify Wireless Devices at Crime Scene

Search for Additional Devices

Detect Rogue Access Point

Document the Scene and Maintain a Chain of Custody

Detect the Wireless Connections

Methodologies to Detect Wireless Connections

Wi-Fi Discovery Tool: inSSIDer

GPS Mapping

o GPS Mapping Tool: WIGLE

o GPS Mapping Tool: Skyhook

How to Discover Wi-Fi Networks Using Wardriving

Check for MAC Filtering

Changing the MAC Address

Detect WAPs using the Nessus Vulnerability Scanner

Capturing Wireless Traffic

o Sniffing Tool: Wireshark

o Follow TCP Stream in Wireshark

o Display Filters in Wireshark

o Additional Wireshark Filters

Determine Wireless Field Strength

Determine Wireless Field Strength: FSM

Determine Wireless Field Strength: ZAP Checker Products

What is Spectrum Analysis?

Map Wireless Zones & Hotspots

Connect to Wireless Network

Connect to the Wireless Access Point

Access Point Data Acquisition and Analysis: Attached Devices

Access Point Data Acquisition and Analysis: LAN TCP/IP Setup

Access Point Data Acquisition and Analysis

o Firewall Analyzer

o Firewall Log Analyzer

Wireless Devices Data Acquisition and Analysis

Report Generation

Features of a Good Wireless Forensics Tool

Wireless Forensics Tools

o Wi-Fi Discovery Tools

NetStumbler

NetSurveyor

Vistumbler

WirelessMon

Kismet

AirPort Signal

WiFi Hopper

Wavestumbler

iStumbler

WiFinder

Meraki WiFi Stumbler

Wellenreiter

AirCheck Wi-Fi Tester

AirRadar 2

o Wi-Fi Packet Sniffers

OmniPeek

CommView for Wi-Fi

Wi-Fi USB Dongle: AirPcap

tcpdump

KisMAC

Aircrack-ng Suite

AirMagnet WiFi Analyzer

o Wardriving Tools

MiniStumbler

Airbase

ApSniff

WiFiFoFum

StumbVerter

ClassicStumbler

Driftnet

WarLinux

o RF Monitoring Tools

NetworkManager

KWiFiManager

NetworkControl

KOrinoco

KWaveControl

Aphunter

Qwireless

SigMon

o Wi-Fi Connection Manager Tools

Aironet Wireless LAN

Boingo

HandyWi

Avanquest Connection Manager

Intel PROSet

Odyssey Access Client

WiFi-Manager

QuickLink Mobile

o Wi-Fi Traffic Analyzer Tools

AirMagnet WiFi Analyzer

Cascade Pilot Personal Edition

OptiView® XG Network Analysis Tablet

Network Packet Analyzer

Network Observer

Ufasoft Snif

CommView for WiFi

Network Assistant

o Wi-Fi Raw Packet Capturing Tools

WirelessNetView

Pirni Sniffer

Tcpdump

Airview

o Wi-Fi Spectrum Analyzing Tools

Cisco Spectrum Expert

AirMedic

BumbleBee

Wi-Spy

Module 18: Investigating Web Attacks

Introduction to Web Applications and Web Servers

o Introduction to Web Applications

o Web Application Components

o How Web Applications Work

o Web Application Architecture

o Open Source Web Server Architecture

o Indications of a Web Attack

o Web Attack Vectors

o Why Web Servers are Compromised

o Impact of Web Server Attacks

o Website Defacement

o Case Study

Web Logs

o Overview of Web Logs

o Application Logs

o Internet Information Services (IIS) Logs

IIS Web Server Architecture

IIS Log File Format

o Apache Web Server Logs

o DHCP Server Logs

Web Attacks

o Web Attacks - 1

o Web Attacks - 2

Unvalidated Input

Parameter/Form Tampering

Directory Traversal

Security Misconfiguration

Injection Flaws

SQL Injection Attacks

Command Injection Attacks

Command Injection Example

File Injection Attack

What is LDAP Injection?

How LDAP Injection Works

Hidden Field Manipulation Attack

Cross-Site Scripting (XSS) Attacks

How XSS Attacks Work

Cross-Site Request Forgery (CSRF) Attack

How CSRF Attacks Work

Web Application Denial-of-Service (DoS) Attack

Denial of Service (DoS) Examples

Buffer Overflow Attacks

Cookie/Session Poisoning

How Cookie Poisoning Works

Session Fixation Attack

Insufficient Transport Layer Protection

Improper Error Handling

Insecure Cryptographic Storage

Broken Authentication and Session Management

Unvalidated Redirects and Forwards

DMZ Protocol Attack/Zero Day Attack

Log Tampering

URL Interpretation and Impersonation Attack

Web Services Attack

Web Services Footprinting Attack

Web Services XML Poisoning

Webserver Misconfiguration

HTTP Response Splitting Attack

Web Cache Poisoning Attack

HTTP Response Hijacking

SSH Bruteforce Attack

Man-in-the-Middle Attack

Defacement Using DNS Compromise

Web Attack Investigation

o Investigating Web Attacks

o Investigating Web Attacks in Windows-Based Servers

o Investigating IIS Logs

o Investigating Apache Logs

o Example of FTP Compromise

o Investigating FTP Servers

o Investigating Static and Dynamic IP Addresses

o Sample DHCP Audit Log File

o Investigating Cross-Site Scripting (XSS)

o Investigating SQL Injection Attacks

o Pen-Testing CSRF Validation Fields

o Investigating Code Injection Attack

o Investigating Cookie Poisoning Attack

o Detecting Buffer Overflow

o Investigating Authentication Hijacking

o Web Page Defacement

o Investigating DNS Poisoning

o Intrusion Detection

o Security Strategies for Web Applications

o Checklist for Web Security

Web Attack Detection Tools

o Web Application Security Tools

Acunetix Web Vulnerability Scanner

Falcove Web Vulnerability Scanner

Netsparker

N-Stalker Web Application Security Scanner

Sandcat

Wikto

WebWatchBot

OWASP ZAP

SecuBat Vulnerability Scanner

Websecurify

HackAlert

WebCruiser

o Web Application Firewalls

dotDefender

IBM AppScan

ServerDefender VP

o Web Log Viewers

Deep Log Analyzer

WebLog Expert

AlterWind Log Analyzer

Webalizer

eWebLog Analyzer

Apache Logs Viewer (ALV)

o Web Attack Investigation Tools

AWStats

Paros Proxy

Scrawlr

Tools for Locating IP Address

o Whois Lookup

o SmartWhois

o ActiveWhois

o LanWhois

o CountryWhois

o CallerIP

o Real Hide IP

o IP - Address Manager

o Pandora FMS

Module 19: Tracking Emails and Investigating Email Crimes

Email System Basics

o Email Terminology

o Email System

o Email Clients

o Email Server

o SMTP Server

o POP3 and IMAP Servers

o Email Message

o Importance of Electronic Records Management

Email Crimes

o Email Crime

o Email Spamming

o Mail Bombing/Mail Storm

o Phishing

o Email Spoofing

o Crime via Chat Room

o Identity Fraud/Chain Letter

Email Headers

o Example of Email Header

o List of Common Headers

Steps to Investigate

o Why to Investigate Emails

o Investigating Email Crime and Violation

Obtain a Search Warrant and Seize the Computer and Email Account

Obtain a Bit-by-Bit Image of Email Information

Examine Email Headers

Viewing Email Headers in Microsoft Outlook

Viewing Email Headers in AOL

Viewing Email Headers in Hotmail

Viewing Email Headers in Gmail

Viewing Headers in Yahoo Mail

Forging Headers

Analyzing Email Headers

Email Header Fields

Received: Headers

Microsoft Outlook Mail

Examining Additional Files (.pst or .ost files)

Checking the Email Validity

Examine the Originating IP Address

Trace Email Origin

Tracing Back

Tracing Back Web-based Email

Acquire Email Archives

Email Archives

Content of Email Archives

Local Archive

Server Storage Archive

Forensic Acquisition of Email Archive

Recover Deleted Emails

Deleted Email Recovery

Email Forensics Tools

o Stellar Phoenix Deleted Email Recovery

o Recover My Email

o Outlook Express Recovery

o Zmeil

o Quick Recovery for MS Outlook

o Email Detective

o Email Trace - Email Tracking

o R-Mail

o FINALeMAIL

o eMailTrackerPro

o Forensic Tool Kit (FTK)

o Paraben’s E-mail Examiner

o Paraben's Network E-mail Examiner

o DiskInternal’s Outlook Express Repair

o Abuse.Net

o MailDetective Tool

Laws and Acts against Email Crimes

o U.S. Laws Against Email Crime: CAN-SPAM Act

o 18 U.S.C. § 2252A

o 18 U.S.C. § 2252B

o Email Crime Law in Washington: RCW 19.190.020

Module 20: Mobile Forensics

Mobile Phones

o Mobile Phone

o Different Mobile Devices

o Hardware Characteristics of Mobile Devices

o Software Characteristics of Mobile Devices

o Components of Cellular Network

o Cellular Network

o Different Cellular Networks

Mobile Operating Systems

o Mobile Operating Systems

o Types of Mobile Operating Systems

o webOS

webOS System Architecture

o Symbian OS

Symbian OS Architecture

o Android OS

Android OS Architecture

o RIM BlackBerry OS

o Windows Phone 7

Windows Phone 7 Architecture

o Apple iOS

Mobile Forensics

o What a Criminal Can Do with Mobile Phones

o Mobile Forensics

o Mobile Forensics Challenges

o Forensics Information in Mobile Phones

o Memory Considerations in Mobiles

o Subscriber Identity Module (SIM)

o SIM File System

o Integrated Circuit Card Identification (ICCID)

o International Mobile Equipment Identifier (IMEI)

o Electronic Serial Number (ESN)

o Precautions to Be Taken Before Investigation

Mobile Forensics Process

o Mobile Forensics Process

Collect the Evidence

Collecting the Evidence

Points to Remember while Collecting the Evidence

Collecting an iPod/iPhone Connected to a Computer

Document the Scene and Preserve the Evidence

Imaging and Profiling

Acquire the Information

Device Identification

Acquire Data from SIM Cards

Acquire Data from Unobstructed Mobile Devices

Acquire the Data from Obstructed Mobile Devices

Acquire Data from Memory Cards

Acquire Data from Synched Devices

Gather Data from Network Operator

Check Call Data Records (CDRs)

Gather Data from SQLite Record

Analyze the Information

Generate Report

Mobile Forensics Software Tools

o Oxygen Forensic Suite 2011

o MOBILedit! Forensic

o BitPim

o SIM Analyzer

o SIMCon

o SIM Card Data Recovery

o Memory Card Data Recovery

o Device Seizure

o SIM Card Seizure

o ART (Automatic Reporting Tool)

o iPod Data Recovery Software

o Recover My iPod

o PhoneView

o Elcomsoft Blackberry Backup Explorer

o Oxygen Phone Manager II

o Sanmaxi SIM Recoverer

o USIMdetective

o CardRecovery

o Stellar Phoenix iPod Recovery Software

o iCare Data Recovery Software

o Cell Phone Analyzer

o iXAM

o BlackBerry Database Viewer Plus

o BlackBerry Signing Authority Tool

Mobile Forensics Hardware Tools

o Secure View Kit

o Deployable Device Seizure (DDS)

o Paraben's Mobile Field Kit

o PhoneBase

o XACT System

o Logicube CellDEK

o Logicube CellDEK TEK

o RadioTactics ACESO

o UME-36Pro - Universal Memory Exchanger

o Cellebrite UFED System - Universal Forensic Extraction Device

o ZRT 2

o ICD 5200

o ICD 1300

Module 21: Investigative Reports

Computer Forensics Report

o Computer Forensics Report

o Salient Features of a Good Report

o Aspects of a Good Report

Computer Forensics Report Template

o Computer Forensics Report Template

o Simple Format of the Chain of Custody Document

o Chain of Custody Forms

o Evidence Collection Form

o Computer Evidence Worksheet

o Hard Drive Evidence Worksheet

o Removable Media Worksheet

Investigative Report Writing

o Report Classification

o Layout of an Investigative Report

Layout of an Investigative Report: Numbering

o Report Specifications

o Guidelines for Writing a Report

o Use of Supporting Material

o Importance of Consistency

o Investigative Report Format

o Attachments and Appendices

o Include Metadata

o Signature Analysis

o Investigation Procedures

o Collecting Physical and Demonstrative Evidence

o Collecting Testimonial Evidence

o Do's and Don'ts of Computer Forensics Investigations

o Case Report Writing and Documentation

o Create a Report to Attach to the Media Analysis Worksheet

o Best Practices for Investigators

Sample Forensics Report

o Sample Forensics Report

Report Writing Using Tools

o Writing Report Using FTK

o Writing Report Using ProDiscover

Module 22: Becoming an Expert Witness

Expert Witness

o What is an Expert Witness?

o Role of an Expert Witness

o What Makes a Good Expert Witness?

Types of Expert Witnesses

o Types of Expert Witnesses

Computer Forensics Experts

Role of Computer Forensics Expert

Medical & Psychological Experts

Civil Litigation Experts

Construction & Architecture Experts

Criminal Litigation Experts

Scope of Expert Witness Testimony

o Scope of Expert Witness Testimony

o Technical Witness vs. Expert Witness

o Preparing for Testimony

Evidence Processing

o Evidence Preparation and Documentation

o Evidence Processing Steps

o Checklists for Processing Evidence

o Examining Computer Evidence

o Prepare the Report

o Evidence Presentation

Rules for Expert Witness

o Rules Pertaining to an Expert Witness’s Qualification

o Daubert Standard

o Frye Standard

o Importance of Resume

o Testifying in the Court

o The Order of Trial Proceedings

General Ethics While Testifying

o General Ethics While Testifying

o Importance of Graphics in a Testimony

o Helping your Attorney

o Avoiding Testimony Issues

o Testifying during Direct Examination

o Testifying during Cross-Examination

o Deposing

o Recognizing Deposition Problems

o Guidelines to Testifying at a Deposition

o Dealing with Media

o Finding a Computer Forensics Expert
