EC-Council CHFI Computer Hacking Forensic Investigator v.8

Date post: 06-Feb-2018
Upload: vodan

Transcript
Page 1: EC-Council CHFI Computer Hacking Forensic Investigator v.8

EC-Council CHFI Computer Hacking Forensic Investigator v.8

Course Number: 312-49

Course Overview

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. This course will prepare you to pass the EC0 312-49 exam and achieve Computer Hacking Forensics Investigator (CHFI) certification.

Career Academy is an EC-Council endorsed training provider. We have invited the best security trainers in the industry to help us develop the ultimate training and certification program, which includes everything you will need to fully prepare for and pass your certification exams. This officially endorsed product gives our students access to the exam by providing you with an Authorization Code. The EC-Council Authorization Code can be used at any Prometric center; this Authorization Code is required and mandatory for you to schedule and pay for your exam. Without this Authorization Code, Prometric will not entertain any of your requests to schedule and take the exam. Note: The cost of the exam is not included in this package.

Prerequisites

It is strongly recommended that students take the CEH course before beginning the CHFI program.

Audience

This course is of significant benefit to Police and other law enforcement personnel, Defense and Military personnel, e-Business Security professionals, Systems administrators, Legal professionals, Banking, Insurance and other professionals, Government agencies, and IT managers.

Certification Exam

This course prepares you for EC-Council Computer Hacking Forensics Investigator exam 312-49

Course Outline

Course Introduction 2m

Course Introduction

Module 00 - Student Introduction 6m

Student Introduction

CHFIv8 Course Outline

EC-Council Certification Program

Computer Hacking Forensic Investigator Track

CHFIv8 Exam Information

What Does CHFI Teach You?

CHFI Class Speed

Let's Start Forensics Investigation!

Module 01 - Computer Forensics in Today's World 1h 8m

Module Flow: Computer Forensics

Forensics Science

Computer Forensics

Security Incident Report

Aspects of Organizational Security

Evolution of Computer Forensics (Cont'd)

Evolution of Computer Forensics

Objective of Computer Forensics

Need for Computer Forensics

Module Flow: Forensics Readiness

Benefits of Forensics Readiness

Goals of Forensics Readiness

Forensics Readiness Planning

Module Flow: Cyber Crimes

Cyber Crime

Computer Facilitated Crimes

Modes of Attacks

Examples of Cyber Crime (Cont'd)

Examples of Cyber Crime

Types of Computer Crimes

Cyber Criminals

Organized Cyber Crime: Organizational Chart

How Serious are Different Types of Incidents?

Disruptive Incidents to the Business

Cost Expenditure Responding to the Security Incident

Module Flow: Cyber Crime Investigation

Cyber Crime Investigation

Key Steps in Forensics Investigation (Cont'd)

Key Steps in Forensics Investigation

Rules of Forensics Investigation

Need for Forensics Investigator

Role of Forensics Investigator

Accessing Computer Forensics Resources

Role of Digital Evidence

Module Flow: Corporate Investigations

Understanding Corporate Investigations

Approach to Forensics Investigation: A Case Study (Cont'd)

Approach to Forensics Investigation: A Case Study

Instructions for the Forensic Investigator to Approach the Crime Scene

Why and When Do You Use Computer Forensics?

Enterprise Theory of Investigation (ETI)

Legal Issues

Reporting the Results

Module Flow: Reporting a Cyber Crime

Why you Should Report Cybercrime?

Reporting Computer-Related Crimes (Cont'd)

Reporting Computer-Related Crimes

Person Assigned to Report the Crime

When and How to Report an Incident?

Who to Contact at the Law Enforcement

Federal Local Agents Contact (Cont'd)

Federal Local Agents Contact

More Contacts

CIO Cyberthreat Report Form

Module 01 Review

Module 02 - Computer Forensics Investigation Process 1h 20m

Computer Forensics Investigation Process

Investigating Computer Crime

Before the Investigation

Build a Forensics Workstation

Building the Investigation Team

People Involved in Computer Forensics

Review Policies and Laws

Forensics Laws (Cont'd)

Forensics Laws

Notify Decision Makers and Acquire Authorization

Risk Assessment

Build a Computer Investigation Toolkit

Steps to Prepare for a Computer Forensics Investigation (Cont'd)

Steps to Prepare for a Computer Forensics Investigation

Computer Forensics Investigation Methodology: Obtain Search Warrant

Obtain Search Warrant

Example of Search Warrant

Searches Without a Warrant

Computer Forensics Investigation Methodology: Evaluate and Secure the Scene

Forensics Photography

Gather the Preliminary Information at the Scene

First Responder

Computer Forensics Investigation Methodology: Collect the Evidence

Collect Physical Evidence

Evidence Collection Form

Collect Electronic Evidence (Cont'd)

Collect Electronic Evidence

Guidelines for Acquiring Evidence

Computer Forensics Investigation Methodology: Secure the Evidence

Secure the Evidence

Evidence Management

Chain of Custody

Chain of Custody Form

Computer Forensics Investigation Methodology: Acquire the Data

Original Evidence Should NEVER Be Used for Analysis

Duplicate the Data (Imaging)

Verify Image Integrity

Demo - HashCalc

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

Recover Lost or Deleted Data

Data Recovery Software

Computer Forensics Investigation Methodology: Analyze the Data

Data Analysis

Data Analysis Tools

Computer Forensics Investigation Methodology: Assess Evidence and Case

Evidence Assessment

Case Assessment (Cont'd)

Case Assessment

Processing Location Assessment

Best Practices to Assess the Evidence

Computer Forensics Investigation Methodology: Prepare the Final Report

Documentation in Each Phase

Gather and Organize Information

Writing the Investigation Report (Cont'd)

Writing the Investigation Report

Sample Report (1 of 7)

Sample Report (2 of 7)

Sample Report (3 of 7)

Sample Report (4 of 7)

Sample Report (5 of 7)

Sample Report (6 of 7)

Sample Report (7 of 7)

Computer Forensics Investigation Methodology: Testify as an Expert Witness

Expert Witness

Testifying in the Court Room

Closing the Case

Maintaining Professional Conduct

Investigating a Company Policy Violation

Computer Forensics Service Providers (Cont'd)

Computer Forensics Service Providers

Module 02 Review

Module 03 - Searching and Seizing Computers 1h 27m

Module Flow: Searching and Seizing Computers without a Warrant

Searching and Seizing Computers without a Warrant

Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: Principles

Reasonable Expectation of Privacy in Computers as Storage Devices

Reasonable Expectation of Privacy and Third-Party Possession

Private Searches

Use of Technology to Obtain Information

Exceptions to the Warrant Requirement in Cases Involving Computers

Consent

Scope of Consent

Third-Party Consent

Implied Consent

Exigent Circumstances

Plain View

Search Incident to a Lawful Arrest

Inventory Searches

Border Searches

International Issues

Special Case: Workplace Searches

Private Sector Workplace Searches

Public-Sector Workplace Searches

Module Flow: Searching and Seizing Computers with a Warrant

Searching and Seizing Computers with a Warrant

Successful Search with a Warrant

Basic Strategies for Executing Computer Searches

When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime

When Hardware Is Merely a Storage Device for Evidence of Crime

The Privacy Protection Act

The Terms of the Privacy Protection Act

Application of the PPA to Computer Searches and Seizures (Cont'd)

Application of the PPA to Computer Searches and Seizures

Civil Liability Under the Electronic Communications Privacy Act (ECPA)

Considering the Need for Multiple Warrants in Network Searches

No-Knock Warrants

Sneak-and-Peek Warrants

Privileged Documents

Drafting the Warrant and Affidavit

Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments

Defending Computer Search Warrants Against Challenges Based on the "Things to be Seized"

Establish Probable Cause in the Affidavit

Explanation of the Search Strategy and Practical & Legal Considerations

Post-Seizure Issues

Searching Computers Already in Law Enforcement Custody

The Permissible Time Period for Examining Seized Computers

Rule 41(e) Motions for Return of Property

Module Flow: The Electronic Communications Privacy Act

The Electronic Communications Privacy Act

Providers of Electronic Communication Service vs. Remote Computing Service

Classifying Types of Information Held by Service Providers

Compelled Disclosure Under ECPA

Voluntary Disclosure

Working with Network Providers

Module Flow: Electronic Surveillance in Communications Networks

Electronic Surveillance in Communications Networks

Content vs. Addressing Information

The Pen/Trap Statute

The Wiretap Statute ("Title III")

Exceptions to Title III

Remedies For Violations of Title III and the Pen/Trap Statute

Module Flow: Evidence

Evidence (Cont'd)

Evidence

Authentication

Hearsay

Other Issues

Module 03 Review

Module Flow: Digital Data

Definition of Digital Evidence

Increasing Awareness of Digital Evidence

Challenging Aspects of Digital Evidence

The Role of Digital Evidence

Characteristics of Digital Evidence

Fragility of Digital Evidence

Anti-Digital Forensics (ADF)

Module Flow: Types of Digital Data

Types of Digital Data (Cont'd)

Types of Digital Data

Module Flow: Rules of Evidence

Rules of Evidence

Best Evidence Rule

Federal Rules of Evidence (Cont'd)

Federal Rules of Evidence

International Organization on Computer Evidence (IOCE)

IOCE International Principles for Digital Evidence

Scientific Working Group on Digital Evidence (SWGDE)

SWGDE Standards for the Exchange of Digital Evidence (Cont'd)

SWGDE Standards for the Exchange of Digital Evidence

Module Flow: Electronic Devices: Types and Collecting Potential Evidence

Electronic Devices: Types and Collecting Potential Evidence (Cont'd)

Electronic Devices: Types and Collecting Potential Evidence

Module Flow: Digital Evidence Examination Process

Digital Evidence Examination Process - Evidence Assessment

Evidence Assessment

Prepare for Evidence Acquisition

Digital Evidence Examination Process - Evidence Acquisition

Preparation for Searches

Seizing the Evidence

Imaging

Demo - Disk Sterilization with DD

Bit-Stream Copies

Write Protection

Evidence Acquisition

Evidence Acquisition from Crime Location

Acquiring Evidence from Storage Devices

Demo - Utilizing hdparm for HD Information

Collecting Evidence (Cont'd)

Collecting Evidence

Collecting Evidence from RAM (Cont'd)

Collecting Evidence from RAM

Collecting Evidence from a Standalone Network Computer

Chain of Custody

Chain of Evidence Form

Digital Evidence Examination Process - Evidence Preservation

Preserving Digital Evidence: Checklist (Cont'd)

Preserving Digital Evidence: Checklist

Preserving Removable Media (Cont'd)

Preserving Removable Media

Handling Digital Evidence

Store and Archive

Digital Evidence Findings

Digital Evidence Examination Process - Evidence Examination and Analysis

DO NOT WORK on the Original Evidence

Evidence Examination (Cont'd)

Evidence Examination

Physical Extraction

Logical Extraction

Analyze Host Data

Analyze Storage Media

Analyze Network Data

Analysis of Extracted Data

Timeframe Analysis

Data Hiding Analysis

Application and File Analysis

Ownership and Possession

Digital Evidence Examination Process - Evidence Documentation and Reporting

Documenting the Evidence

Evidence Examiner Report

Final Report of Findings

Computer Evidence Worksheet (Cont'd)

Computer Evidence Worksheet

Hard Drive Evidence Worksheet (Cont'd)

Hard Drive Evidence Worksheet

Removable Media Worksheet

Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category

Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)

Electronic Crime and Digital Evidence Consideration by Crime Category

Module 04 Review

Module 05 - First Responder Procedures 1h 59m

Module Flow: First Responder

Electronic Evidence

First Responder

Roles of First Responder

Electronic Devices: Types and Collecting Potential Evidence (Cont'd)

Electronic Devices: Types and Collecting Potential Evidence

Module Flow: First Responder Toolkit

First Responder Toolkit

Creating a First Responder Toolkit

Evidence Collecting Tools and Equipment (Cont'd)

Evidence Collecting Tools and Equipment

Module Flow: First Response Basics

First Response Rule

Incident Response: Different Situations

First Response for System Administrators

First Response by Non-Laboratory Staff

First Response by Laboratory Forensics Staff (Cont'd)

First Response by Laboratory Forensics Staff

Module Flow: Securing and Evaluating Electronic Crime Scene

Securing and Evaluating Electronic Crime Scene: A Checklist (Cont'd)

Securing and Evaluating Electronic Crime Scene: A Checklist

Securing the Crime Scene

Warrant for Search and Seizure

Planning the Search and Seizure (Cont'd)

Planning the Search and Seizure

Initial Search of the Scene

Health and Safety Issues

Module Flow: Conducting Preliminary Interviews

Questions to Ask When Client Calls the Forensic Investigator

Consent

Sample of Consent Search Form

Witness Signatures

Conducting Preliminary Interviews

Conducting Initial Interviews

Witness Statement Checklist

Module Flow: Documenting Electronic Crime Scene

Documenting Electronic Crime Scene

Photographing the Scene

Sketching the Scene

Video Shooting the Crime Scene

Module Flow: Collecting and Preserving Electronic Evidence

Collecting and Preserving Electronic Evidence (Cont'd)

Collecting and Preserving Electronic Evidence

Order of Volatility

Dealing with Powered On Computers (Cont'd)

Demo - Imaging RAM

Demo - Parsing RAM

Dealing with Powered On Computers

Dealing with Powered Off Computers

Dealing with Networked Computer

Dealing with Open Files and Startup Files

Operating System Shutdown Procedure (Cont'd)

Operating System Shutdown Procedure Example

Computers and Servers

Preserving Electronic Evidence

Seizing Portable Computers

Switched On Portables

Collecting and Preserving Electronic Evidence Wrap-up

Module Flow: Packaging and Transporting Electronic Evidence

Evidence Bag Contents List

Packaging Electronic Evidence

Exhibit Numbering

Transporting Electronic Evidence

Handling and Transportation to the Forensics Laboratory

Storing Electronic Evidence

Chain of Custody

Simple Format of the Chain of Custody Document

Chain of Custody Forms (Cont'd)

Chain of Custody Forms

Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet

Demo - Hardware Inventories

Module Flow: Reporting the Crime Scene

Reporting the Crime Scene

Note Taking Checklist (Cont'd)

Note Taking Checklist

First Responder Common Mistakes

Module 05 Review

Module 06 - Computer Forensics Lab 2h 5m

Module Flow: Setting a Computer Forensics Lab

Computer Forensics Lab

Planning for a Forensics Lab

Budget Allocation for a Forensics Lab

Physical Location Needs of a Forensics Lab

Structural Design Considerations

Environmental Conditions

Electrical Needs

Communication Needs

Work Area of a Computer Forensics Lab

Ambience of a Forensics Lab

Ambience of a Forensics Lab: Ergonomics

Physical Security Recommendations

Fire-Suppression Systems

Evidence Locker Recommendations

Computer Forensic Investigator

Law Enforcement Officer

Lab Director

Forensics Lab Licensing Requisite

Features of the Laboratory Imaging System

Technical Specifications of the Laboratory Based Imaging System

Forensics Lab (1 of 3)

Forensics Lab (2 of 3)

Forensics Lab (3 of 3)

Auditing a Computer Forensics Lab (Cont'd)

Auditing a Computer Forensics Lab

Recommendations to Avoid Eyestrain

Module Flow: Investigative Services in Forensics

Computer Forensics Investigative Services

Computer Forensic Investigative Service Sample

Computer Forensics Services: PenrodEllis Forensic Data Discovery

Data Destruction Industry Standards

Computer Forensics Services (Cont'd)

Computer Forensics Services

Module Flow: Computer Forensics Hardware

Equipment Required in a Forensics Lab

Forensic Workstations

Basic Workstation Requirements in a Forensics Lab

Stocking the Hardware Peripherals

Paraben Forensics Hardware: Handheld First Responder Kit

Paraben Forensics Hardware: Wireless StrongHold Bag

Paraben Forensics Hardware: Wireless StrongHold Box

Paraben Forensics Hardware: Passport StrongHold Bag

Paraben Forensics Hardware: Device Seizure Toolbox

Paraben Forensics Hardware: Project-a-Phone

Paraben Forensics Hardware: Lockdown

Paraben Forensics Hardware: iRecovery Stick

Paraben Forensics Hardware: Data Recovery Stick

Paraben Forensics Hardware: Chat Stick

Paraben Forensics Hardware: USB Serial DB9 Adapter

Paraben Forensics Hardware: Mobile Field Kit

Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop

Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower

Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II

Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon

Portable Forensic Systems and Towers: Ultimate Forensic Machine

Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES

Tableau T3u Forensic SATA Bridge Write Protection Kit

Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader

Tableau TACC 1441 Hardware Accelerator

Multiple TACC1441 Units

Tableau TD1 Forensic Duplicator

Power Supplies and Switches

Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon)

Digital Intelligence Forensic Hardware: FRED-L

Digital Intelligence Forensic Hardware: FRED SC

Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)

Digital Intelligence Forensic Hardware: Rack-A-TACC

Digital Intelligence Forensic Hardware: FREDDIE

Digital Intelligence Forensic Hardware: UltraKit

Digital Intelligence Forensic Hardware: UltraBay II

Digital Intelligence Forensic Hardware: UltraBlock SCSI

Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device

Digital Intelligence Forensic Hardware: HardCopy 3P

Wiebetech: Forensics DriveDock v4

Wiebetech: Forensic UltraDock v4

Wiebetech: Drive eRazer

Wiebetech: v4 Combo Adapters

Wiebetech: ProSATA SS8

Wiebetech: HotPlug

CelleBrite: UFED System

CelleBrite: UFED Physical Pro

CelleBrite: UFED Ruggedized

DeepSpar: Disk Imager Forensic Edition

DeepSpar: 3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor

InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector

InfinaDyne Forensic Products: Robotic System Status Light

Image MASSter: Solo-4 (Super Kit)

Image MASSter: RoadMASSter-3

Image MASSter: WipeMASSter

Image MASSter: WipePRO

Image MASSter: Rapid Image 7020CS IT

Logicube: Forensic MD5

Logicube: Forensic Talon

Logicube: Portable Forensic Lab

Logicube: CellDEK

Logicube: Forensic Quest-2

Logicube: NETConnect

Logicube: RAID I/O Adapter

Logicube: GPStamp

Logicube: OmniPort

Logicube: Desktop WritePROtects

Logicube: USB Adapter

Logicube: CloneCard Pro

Logicube: EchoPlus

OmniClone IDE Laptop Adapters

Logicube: Cables

VoomTech: HardCopy 3P

VoomTech: SHADOW 2

Module Flow: Computer Forensics Software

Basic Software Requirements in a Forensics Lab

Main Operating System and Application Inventories

Imaging Software: R-drive Image

Demo - R-Drive Image

Imaging Software: P2 eXplorer Pro

Imaging Software: AccuBurn-R for CD/DVD Inspector

Imaging Software: Flash Retriever Forensic Edition

File Conversion Software: FileMerlin

File Conversion Software: SnowBatch

File Conversion Software: Zamzar

File Viewer Software: File Viewer

File Viewer Software: Quick View Plus 11 Standard Edition

Demo - File Viewers

Analysis Software: P2 Commander

P2 Commander Screenshot

Analysis Software: DriveSpy

Analysis Software: SIM Card Seizure

Analysis Software: CD/DVD Inspector

Analysis Software: Video Indexer (Vindex)

Monitoring Software: Device Seizure

Device Seizure Screenshots

Monitoring Software: Deployable P2 Commander (DP2C)

Monitoring Software: ThumbsDisplay

ThumbsDisplay Screenshot

Monitoring Software: Email Detective

Computer Forensics Software: DataLifter

Computer Forensics Software: X-Ways Forensics

Demo - X-Ways Forensics

Computer Forensics Software: LiveWire Investigator

Module 06 Review

Module 07 - Understanding Hard Disks and File Systems 3h 59m

Module Flow: Hard Disk Drive Overview

Disk Drive Overview (Cont'd)

Disk Drive Overview

Hard Disk Drive

Solid-State Drive (SSD)

Physical Structure of a Hard Disk (Cont'd)

Physical Structure of a Hard Disk

Logical Structure of Hard Disk

Types of Hard Disk Interfaces

Hard Disk Interfaces: ATA

Hard Disk Interfaces: SCSI (Cont'd)

Hard Disk Interfaces: SCSI

Hard Disk Interfaces: IDE/EIDE

Hard Disk Interfaces: USB

Hard Disk Interfaces: Fibre Channel

Disk Platter

Tracks

Track Numbering

Sector

Advanced Format: Sectors

Sector Addressing

Cluster

Cluster Size

Changing the Cluster Size

Demo - Cluster Size

Slack Space (Cont'd)

Slack Space

Demo - Slack Space

Lost Clusters

Bad Sector

Hard Disk Data Addressing

Disk Capacity Calculation

Demo - Calculating Disk Capacity

Measuring the Performance of the Hard Disk

Module Flow: Disk Partitions and Boot Process

Disk Partitions

Demo - Partitioning Linux

Master Boot Record

Structure of a Master Boot Record (Cont'd)

Demo - Backing Up the MBR

Structure of a Master Boot Record

What is the Booting Process?

Essential Windows System Files

Windows 7 Boot Process (Cont'd)

Windows 7 Boot Process

Macintosh Boot Process (Cont'd)

Macintosh Boot Process

http://www.bootdisk.com

Module Flow: Understanding File Systems

Understanding File Systems

Types of File Systems

List of Disk File Systems (Cont'd)

List of Disk File Systems

List of Network File Systems

List of Special Purpose File Systems

List of Shared Disk File Systems

Windows File Systems

Popular Windows File Systems

File Allocation Table (FAT)

FAT File System Layout

FAT Partition Boot Sector

FAT Structure

FAT Folder Structure

Directory Entries and Cluster Chains

Filenames on FAT Volumes

Examining FAT

FAT32

New Technology File System (NTFS) (Cont'd)

NTFS (Cont'd)

NTFS

NTFS Architecture

NTFS System Files

NTFS Partition Boot Sector

Cluster Sizes of NTFS Volume

NTFS Master File Table (MFT) (Cont'd)

NTFS Master File Table (MFT)

Metadata Files Stored in the MFT

NTFS Files and Data Storage

NTFS Attributes

NTFS Data Stream (Cont'd)

NTFS Data Stream

NTFS Compressed Files

Setting the Compression State of a Volume

Encrypting File Systems (EFS)

Components of EFS

Operation of Encrypting File System

EFS Attribute

Encrypting a File

EFS Recovery Key Agent (Cont'd)

EFS Recovery Key Agent

Tool: Advanced EFS Data Recovery

Tool: EFS Key

Sparse Files

Deleting NTFS Files

Registry Data (Cont'd)

Registry Data

Examining Registry Data

FAT vs. NTFS

Linux File Systems

Popular Linux File Systems

Linux File System Architecture

Ext2 (Cont'd)

Ext2

Ext3 (Cont'd)

Ext3

Mac OS X File Systems

HFS vs. HFS Plus

HFS

HFS Plus

HFS Plus Volumes

HFS Plus Journal

Sun Solaris 10 File System: ZFS

CD-ROM / DVD File System

CDFS

Demo - Multi-sessions Discs

Module Flow: RAID Storage System

RAID Storage System

RAID Level 0: Disk Striping

RAID Level 1: Disk Mirroring

RAID Level 3: Disk Striping with Parity

RAID Level 5: Block Interleaved Distributed Parity

RAID Level 10: Blocks Striped and Mirrored

RAID Level 50: Mirroring and Striping across Multiple RAID Levels

Different RAID Levels

Comparing RAID Levels

Recover Data from Unallocated Space Using File Carving Process

Module Flow: File System Analysis Using the Sleuth Kit (TSK)

Tool: The Sleuth Kit (TSK)

The Sleuth Kit (TSK): fsstat

The Sleuth Kit (TSK): istat (1 of 4)

The Sleuth Kit (TSK): istat (2 of 4)

The Sleuth Kit (TSK): istat (3 of 4)

The Sleuth Kit (TSK): istat (4 of 4)

The Sleuth Kit (TSK): fls and img_stat

Demo - TSK and Autopsy

Module 07 Review

Module 08 - Windows Forensics 3h 37m

Module Flow: Collecting Volatile Information

Volatile Information

System Time

Logged-On Users

Logged-On Users: PsLoggedOn Tool

Logged-On Users: net sessions Command

Logged-On Users: LogonSessions Tool

Open Files

Open Files: net file Command

Open Files: PsFile Utility

Open Files: Openfiles Command

Network Information (Cont'd)

Network Information

Network Connections (Cont'd)

Demo - Netstat Command

Network Connections

Process Information (Cont'd)

Process Information

Process-to-Port Mapping (Cont'd)

Process-to-Port Mapping

Process Memory

Network Status (Cont'd)

Demo - ipconfig

Network Status

Other Important Information (Cont'd)

Demo - Clipboard Viewer

Other Important Information

Module Flow: Collecting Non-Volatile Information

Non-Volatile Information

Examine File Systems

Registry Settings

Microsoft Security ID

Event Logs

Index.dat File (Cont'd)

Index.dat File

Demo - Grabbing Registry Files

Devices and Other Information

Slack Space

Virtual Memory

Swap File

Windows Search Index

Collecting Hidden Partition Information

Demo - Gparted

Hidden ADS Streams

Investigating ADS Streams: StreamArmor

Other Non-Volatile Information

Module Flow: Windows Memory Analysis

Memory Dump (Cont'd)

Memory Dump

EProcess Structure

Process Creation Mechanism

Parsing Memory Contents

Parsing Process Memory

Extracting the Process Image (Cont'd)

Extracting the Process Image

Collecting Process Memory

Module Flow: Windows Registry Analysis

Inside the Registry (Cont'd)

Inside the Registry

Registry Structure within a Hive File

The Registry as a Log File

Registry Analysis

System Information (Cont'd)

System Information

TimeZone Information

Shares

Audit Policy

Wireless SSIDs

Autostart Locations

System Boot

User Login

User Activity

Enumerating Autostart Registry Locations

USB Removable Storage Devices (Cont'd)

USB Removable Storage Devices

Mounted Devices (Cont'd)

Mounted Devices

Finding Users (Cont'd)

Finding Users: Screenshots

Tracking User Activity

The UserAssist Keys

MRU Lists (Cont'd)

MRU Lists

Search Assistant

Connecting to Other Systems

Analyzing Restore Point Registry Settings (Cont'd)

Analyzing Restore Point Registry Settings

Determining the Startup Locations (Cont'd)

Determining the Startup Locations

Demo - Reg Ripper

Module Flow: Cache, Cookie, and History Analysis

Cache, Cookie, and History Analysis in IE

Cache, Cookie, and History Analysis in Firefox

Cache, Cookie, and History Analysis in Chrome

Analysis Tool: IECookiesView

Analysis Tool: IECacheView

Analysis Tool: IEHistoryView

Analysis Tool: MozillaCookiesView

Analysis Tool: MozillaCacheView

Analysis Tool: MozillaHistoryView

Analysis Tool: ChromeCookiesView

Analysis Tool: ChromeCacheView

Analysis Tool: ChromeHistoryView

Module Flow: MD5 Calculation

Message Digest Function: MD5

Why MD5 Calculation?

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

MD5 Checksum Verifier

ChaosMD5

Module Flow: Windows File Analysis

Recycle Bin (Cont'd)

Recycle Bin

System Restore Points (Rp.log Files)

System Restore Points (Change.log.x Files)

Prefetch Files (Cont'd)

Prefetch Files

Shortcut Files

Word Documents

PDF Documents

Image Files

File Signature Analysis

NTFS Alternate Data Streams

Executable File Analysis

Documentation Before Analysis

Static Analysis Process

Search Strings

PE Header Analysis

Import Table Analysis

Export Table Analysis

Dynamic Analysis Process

Creating Test Environment

Collecting Information Using Tools

Process of Testing the Malware

Module Flow: Metadata Investigation

Metadata

Types of Metadata (Cont'd)

Types of Metadata

Metadata in Different File Systems (Cont'd)

Metadata in Different File Systems

Metadata in PDF Files

Metadata in Word Documents

Tool: Metadata Analyzer

Module Flow: Text Based Logs

Understanding Events

Event Logon Types (Cont'd)

Event Logon Types

Event Record Structure (Cont'd)

Event Record Structure

Vista Event Logs (Cont'd)

Vista Event Logs: Screenshots

IIS Logs

Parsing IIS Logs (Cont'd)

Parsing IIS Logs

Parsing FTP Logs

FTP sc-status Codes (Cont'd)

FTP sc-status Codes

Parsing DHCP Server Logs (Cont'd)

Parsing DHCP Server Logs

Parsing Windows Firewall Logs

Using the Microsoft Log Parser

Module Flow: Other Audit Events

Evaluating Account Management Events (Cont'd)

Evaluating Account Management Events

Examining Audit Policy Change Events

Examining System Log Entries

Examining Application Log Entries

Examining Application Log Entries (Screenshot)

Module Flow: Forensic Analysis of Event Logs

Searching with Event Viewer

Using EnCase to Examine Windows Event Log Files

Windows Event Log Files Internals

Module Flow: Windows Password Issues

Understanding Windows Password Storage (Cont'd)

Understanding Windows Password Storage

Cracking Windows Passwords Stored on Running Systems (Cont'd)

Cracking Windows Passwords Stored on Running Systems

Exploring Windows Authentication Mechanisms

LanMan Authentication Process

NTLM Authentication Process

Kerberos Authentication Process

Sniffing and Cracking Windows Authentication Exchanges

Cracking Offline Passwords

Module Flow: Forensics Tools

Windows Forensics Tool: OS Forensics

Windows Forensics Tool: Helix3 Pro

Helix3 Pro Screenshot

Integrated Windows Forensics Software: X-Ways Forensics

X-Ways Forensics Screenshot

X-Ways Trace

Windows Forensic Toolchest (WFT)

Built-in Tool: Sigverif

Computer Online Forensic Evidence Extractor (COFEE)

System Explorer

Tool: System Scanner

SecretExplorer

Registry Viewer Tool: Registry Viewer

Registry Viewer Tool: RegScanner

Registry Viewer Tool: Alien Registry Viewer

MultiMon

CurrProcess

Process Explorer

Security Task Manager

PrcView

ProcHeapViewer

Memory Viewer

Tool: PMDump

Word Extractor

Belkasoft Evidence Center

Belkasoft Browser Analyzer

Metadata Assistant

HstEx

XpoLog Center Suite

XpoLog Center Suite Screenshot

LogViewer Pro

Event Log Explorer

LogMeister

ProDiscover Forensics

PyFlag

LiveWire Investigator

ThumbsDisplay

ThumbsDisplay Screenshot

DriveLook

Module 08 Review

Module 09 - Data Acquisition and Duplication 2h 53m

Module Flow: Data Acquisition and Duplication Concepts

Data Acquisition

Forensic and Procedural Principles

Types of Data Acquisition Systems

Data Acquisition Formats (Cont'd)

Data Acquisition Formats

Bit Stream vs. Backups

Why Create a Duplicate Image?

Issues with Data Duplication

Data Acquisition Methods (Cont'd)

Data Acquisition Methods

Determining the Best Acquisition Method (Cont'd)

Determining the Best Acquisition Method

Contingency Planning for Image Acquisitions (Cont'd)

Contingency Planning for Image Acquisitions

Data Acquisitions Mistakes

Module Flow: Data Acquisition Types

Rules of Thumb

Static Data Acquisition

Collecting Static Data

Demo - Forensic Imaging Using Linux

Demo - Forensic Imaging Using Windows

Static Data Collection Process

Live Data Acquisition

Why Is Volatile Data Important?

Volatile Data (Cont'd)

Volatile Data

Order of Volatility

Common Mistakes in Volatile Data Collection

Volatile Data Collection Methodology (Cont'd)

Volatile Data Collection Methodology

Basic Steps in Collecting Volatile Data

Types of Volatile Information (Cont'd)

Types of Volatile Information

Demo - WinTaylors

Module Flow: Disk Acquisition Tool Requirements

Disk Imaging Tool Requirements

Disk Imaging Tool Requirements: Mandatory (Cont'd)

Disk Imaging Tool Requirements: Mandatory

Disk Imaging Tool Requirements: Optional (Cont'd)

Disk Imaging Tool Requirements: Optional

Module Flow: Validation Methods

Validating Data Acquisitions

Linux Validation Methods (Cont'd)

Linux Validation Methods

Windows Validation Methods

Module Flow: RAID Data Acquisition

Understanding RAID Disks (Cont'd)

Understanding RAID Disks

Acquiring RAID Disks (Cont'd)

Acquiring RAID Disks

Remote Data Acquisition

Module Flow: Acquisition Best Practices

Acquisition Best Practices (Cont'd)

Acquisition Best Practices

Module Flow: Data Acquisition Software Tools

Acquiring Data on Windows

Acquiring Data on Linux

dd Command

dcfldd Command

Extracting the MBR

Netcat Command

EnCase Forensic

EnCase Forensic Screenshot

Analysis Software: DriveSpy

ProDiscover Forensics

AccessData FTK Imager

Mount Image Pro

Data Acquisition Toolbox

SafeBack

ILookPI

ILookPI Screenshot

RAID Recovery for Windows

R-Tools R-Studio

F-Response

PyFlag

LiveWire Investigator

ThumbsDisplay

ThumbsDisplay Screenshot

DataLifter

X-Ways Forensics

R-drive Image

Demo - Forensic Imaging

DriveLook

DiskExplorer

P2 eXplorer Pro

Flash Retriever Forensic Edition

Module Flow: Data Acquisition Hardware Tools

US-LATT

Image MASSter: Solo-4 (Super Kit)

Image MASSter: RoadMASSter-3

Tableau TD1 Forensic Duplicator

Logicube: Forensic MD5

Logicube: Portable Forensic Lab

Logicube: Forensic Talon

Logicube: RAID I/O Adapter

DeepSpar: Disk Imager Forensic Edition

Logicube: USB Adapter

Disk Jockey PRO

Logicube: Forensic Quest-2

Logicube: CloneCard Pro

Logicube: EchoPlus

Paraben Forensics Hardware: Chat Stick

Image MASSter: Rapid Image 7020CS IT

Digital Intelligence Forensic Hardware: UltraKit

Digital Intelligence Forensic Hardware: UltraBay II

Digital Intelligence Forensic Hardware: UltraBlock SCSI

Digital Intelligence Forensic Hardware: HardCopy 3P

Wiebetech: Forensics DriveDock v4

Wiebetech: Forensics UltraDock v4

Image MASSter: WipeMASSter

Image MASSter: WipePRO

Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

Forensic Tower IV Dual Xeon

Digital Intelligence Forensic Hardware: FREDDIE

DeepSpar: 3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor

Logicube: Cables

Logicube: Adapters

Logicube: GPStamp

Logicube: OmniPort

Logicube: CellDEK

Paraben Forensics Hardware: Project-a-Phone

Paraben Forensics Hardware: Mobile Field Kit

Paraben Forensics Hardware: iRecovery Stick

CelleBrite: UFED System

CelleBrite: UFED Physical Pro

Module 09 Review

Module 10 - Recovering Deleted Files and Deleted Partition 1h 21m

Module Flow: Recovering the Deleted Files

Deleting Files

What Happens When a File is Deleted in Windows?

Recycle Bin in Windows (Cont'd)

Recycle Bin in Windows

Storage Locations of Recycle Bin in FAT and NTFS Systems

How the Recycle Bin Works (Cont'd)

How the Recycle Bin Works

Demo - Recycle Bins

Damaged or Deleted INFO File

Damaged Files in Recycle Bin Folder

Damaged Recycle Folder

File Recovery in Mac OS X (Cont'd)

File Recovery in Mac OS X

File Recovery in Linux

Module Flow: File Recovery Tools for Windows

Recover My Files

EASEUS Data Recovery Wizard

PC INSPECTOR File Recovery

Demo - PC INSPECTOR File Recovery

Recuva

DiskDigger

Handy Recovery

Quick Recovery

Stellar Phoenix Windows Data Recovery

Tools to Recover Deleted Files

Module Flow: File Recovery Tools for Mac

Mac File Recovery

Mac Data Recovery

Boomerang Data Recovery Software

VirtualLab

File Recovery Tools for Mac OS X

Module Flow: File Recovery Tools for Linux

R-Studio for Linux

Quick Recovery for Linux

Kernel for Linux Data Recovery

TestDisk for Linux

Demo - File Carving

Module Flow: Recovering the Deleted Partitions

Disk Partition

Deletion of Partition

Recovery of the Deleted Partition (Cont'd)

Recovery of the Deleted Partition

Module Flow: Partition Recovery Tools

Active@ Partition Recovery for Windows

Acronis Recovery Expert

DiskInternals Partition Recovery

NTFS Partition Data Recovery

GetDataBack

EASEUS Partition Recovery

Advanced Disk Recovery

Power Data Recovery

Remo Recover (Mac) - Pro

Mac Data Recovery Software

Quick Recovery for Linux

Stellar Phoenix Linux Data Recovery Software

Tools to Recover Deleted Partitions

Demo - Partition Recovery

Module 10 Review

Module 11 - Forensics Investigation Using AccessData FTK 3h 9m

Module Flow: Overview and Installation of FTK

Overview of Forensic Toolkit (FTK)

Features of FTK

Software Requirement

Configuration Option

Database Installation (Cont'd)

Database Installation

FTK Application Installation (1 of 6)

FTK Application Installation (2 of 6)

FTK Application Installation (3 of 6)

FTK Application Installation (4 of 6)

FTK Application Installation (5 of 6)

FTK Application Installation (6 of 6)

Module Flow: FTK Case Manager User Interface

Case Manager Window

Case Manager Database Menu

Setting Up Additional Users and Assigning Roles

Case Manager Case Menu

Assigning Users Shared Label Visibility

Case Manager Tools Menu

Recovering Processing Jobs

Restoring an Image to a Disk

Case Manager Manage Menu

Managing Carvers

Managing Custom Identifiers

Module Flow: FTK Examiner User Interface

FTK Examiner User Interface

Menu Bar: File Menu

Exporting Files

Exporting Case Data to a Custom Content Image

Exporting the Word List

Menu Bar: Edit Menu

Menu Bar: View Menu

Menu Bar: Evidence Menu

Menu Bar: Tools Menu

Verifying Drive Image Integrity

Demo - Verifying Image Integrity

Mounting an Image to a Drive

File List View

Using Labels

Creating and Applying a Label

Module Flow: Starting with FTK

Creating a Case

Selecting Detailed Options: Evidence Processing (Cont'd)

Selecting Detailed Options: Evidence Processing

Selecting Detailed Options: Fuzzy Hashing (Cont'd)

Selecting Detailed Options: Fuzzy Hashing

Selecting Detailed Options: Data Carving

Selecting Detailed Options: Custom File Identification (Cont'd)

Selecting Detailed Options: Custom File Identification

Selecting Detailed Options: Evidence Refinement (Advanced) (Cont'd)

Selecting Detailed Options: Evidence Refinement (Advanced)

Selecting Detailed Options: Index Refinement (Advanced) (Cont'd)

Selecting Detailed Options: Index Refinement (Advanced)

Module Flow: FTK Interface Tabs

Demo - FTK Imaging and Adding

FTK Interface Tabs

Explore Tab

Overview Tab

Email Tab

Graphics Tab

Bookmarks Tab

Live Search Tabs

Volatile Tab

Demo - File Overview Tab

Module Flow: Adding and Processing Static, Live, and Remote Evidence

Adding Evidence to a Case

Evidence Groups

Acquiring Local Live Evidence

FTK Role Requirements For Remote Acquisition

Types of Remote Information

Acquiring Data Remotely Using Remote Device Management System (RDMS) (Cont'd)

Acquiring Data Remotely Using Remote Device Management System (RDMS)

Imaging Drives

Mounting and Unmounting a Device

Module Flow: Using and Managing Filters

Accessing Filter Tools

Using Filters

Customizing Filters

Using Predefined Filters

Demo - Filtering

Module Flow: Using Index Search and Live Search

Conducting an Index Search

Selecting Index Search Options

Viewing Index Search Results

Documenting Search Results

Conducting a Live Search: Live Text Search

Conducting a Live Search: Live Hex Search

Conducting a Live Search: Live Pattern Search

Demo - Indexed and Live Searches

Demo - FTK File Carving

Module Flow: Decrypting EFS and other Encrypted Files

Decrypting EFS Files and Folders

Decrypting MS Office Files

Viewing Decrypted Files

Decrypting Domain Account EFS Files from Live Evidence (Cont'd)

Decrypting Domain Account EFS Files from Live Evidence

Decrypting Credant Files

Decrypting Safeboot Files

Demo - FTK File Encryption

Module Flow: Working with Reports

Creating a Report

Entering Case Information

Managing Bookmarks in a Report

Managing Graphics in a Report

Selecting a File Path List

Adding a File Properties List

Making Registry Selections

Selecting the Report Output Options

Customizing the Formatting of Reports

Viewing and Distributing a Report

Demo - Reporting

Module 11 Review

Module 12 - Forensics Investigation Using EnCase 3h 18m

Module Flow: Overview of EnCase Forensic

Official Licensed Content Provided by EnCase to EC-Council

Overview of EnCase Forensic

EnCase Forensic Features (Cont'd)

EnCase Forensic Features

EnCase Forensic Platform

EnCase Forensic Modules (Cont'd)

EnCase Forensic Modules

Module Flow: Installing EnCase Forensic

Minimum Requirements

Installing the Examiner

Installed Files

Installing the EnCase Modules

Configuring EnCase

Configuring EnCase: Case Options Tab

Configuring EnCase: Global Tab

Configuring EnCase: Debug Tab

Configuring EnCase: Colors Tab and Fonts Tab

Configuring EnCase: EnScript Tab and Storage Paths Tab

Sharing Configuration (INI) Files

Module Flow: EnCase Interface

Demo - EnCase Options

Main EnCase Window

System Menu Bar

Toolbar

Panes Overview (Cont'd)

Panes Overview

Tree Pane

Table Pane

Table Pane: Table Tab

Table Pane: Report Tab

Table Pane: Gallery Tab

Table Pane: Timeline Tab

Table Pane: Disk Tab and Code Tab

View Pane (Cont'd)

View Pane

Filter Pane

Filter Pane Tabs

Creating a Filter

Creating Conditions

Status Bar

Demo - EnCase Tabs and Views

Module Flow: Case Management

Overview of Case Structure

Case Management

Indexing a Case (Cont'd)

Indexing a Case

Case Backup

Options Dialog Box

Logon Wizard

New Case Wizard

Setting Time Zones for Case Files

Setting Time Zone Options for Evidence Files

Module Flow: Working with Evidence

Types of Entries

Adding a Device (Cont'd)

Adding a Device

Adding a Device using Tableau Write Blocker (Cont'd)

Adding a Device using Tableau Write Blocker

Performing a Typical Acquisition

Acquiring a Device (Cont'd)

Acquiring a Device

Canceling an Acquisition

Verifying Evidence Files

Demo - Imaging with EnCase

Delayed Loading of Internet Artifacts

Hashing the Subject Drive

Logical Evidence File (LEF)

Creating a Logical Evidence File (Cont'd)

Creating a Logical Evidence File

Recovering Folders on FAT Volumes

Restoring a Physical Drive

Demo - Restoring a Drive from an Image

Module Flow: Source Processor

Source Processor

Starting to Work with Source Processor

Setting Case Options

Collection Jobs

Creating a Collection Job (Cont'd)

Creating a Collection Job

Copying a Collection Job

Running a Collection Job (Cont'd)

Running a Collection Job

Analysis Jobs

Creating an Analysis Job

Running an Analysis Job (Cont'd)

Running an Analysis Job

Creating a Report (Cont'd)

Creating a Report

Demo - Enscripts

Module Flow: Analyzing and Searching Files

Viewing the File Signature Directory

Performing a Signature Analysis

Hash Analysis

Hashing a New Case

Demo - Signature Analysis and Hashing

Creating a Hash Set

Keyword Searches

Creating Global Keywords

Adding Keywords

Importing and Exporting Keywords

Searching Entries for Email and Internet Artifacts

Viewing Search Hits

Generating an Index

Tag Records

Demo - Keyword Searcher

Module Flow: Viewing File Content

Viewing Files

Copying and Unerasing Files (Cont'd)

Copying and Unerasing Files

Adding a File Viewer

Demo - Adding a File Viewer

Viewing File Content Using View Pane

Viewing Compound Files

Viewing Base64 and UUE Encoded Files

Demo - Compound Files

Module Flow: Bookmarking Items

Bookmarks Overview

Creating a Highlighted Data Bookmark

Creating a Note Bookmark

Creating a Folder Information/Structure Bookmark

Creating a Notable File Bookmark

Creating a File Group Bookmark

Creating a Log Record Bookmark

Creating a Snapshot Bookmark

Organizing Bookmarks

Copying/Moving a Table Entry into a Folder

Viewing a Bookmark on the Table Report Tab

Excluding Bookmarks (Cont'd)

Excluding Bookmarks

Copying Selected Items from One Folder to Another

Demo - Bookmarks

Module Flow: Reporting

Reporting

Report User Interface

Creating a Report Using the Report Tab

Report Single/Multiple Files

Viewing a Bookmark Report

Viewing an Email Report

Viewing a Webmail Report

Viewing a Search Hits Report

Creating a Quick Entry Report

Creating an Additional Fields Report

Exporting a Report

Demo - Reporting

Module 12 Review

Module 13 - Steganography and Image File Forensics 2h 11m

Module Flow: Steganography

What is Steganography?

How Steganography Works

Legal Use of Steganography

Unethical Use of Steganography

Module Flow: Steganography Techniques

Steganography Techniques

Application of Steganography

Classification of Steganography

Technical Steganography

Linguistic Steganography (Cont'd)

Linguistic Steganography

Types of Steganography

Image Steganography

Least Significant Bit Insertion

Masking and Filtering

Algorithms and Transformation

Image Steganography: Hermetic Stego

Steganography Tool: S-Tools

Image Steganography Tools

Audio Steganography

Audio Steganography Methods (Cont'd)

Audio Steganography Methods

Audio Steganography: Mp3stegz

Audio Steganography Tools

Video Steganography

Video Steganography: MSU StegoVideo

Video Steganography Tools

Document Steganography: wbStego

Byte Shelter I

Document Steganography Tools

Whitespace Steganography Tool: SNOW

Folder Steganography: Invisible Secrets 4

Demo - Invisible Secrets

Folder Steganography Tools

Spam/Email Steganography: Spam Mimic

Steganographic File System

Issues in Information Hiding

Module Flow: Steganalysis

Steganalysis

How to Detect Steganography (Cont'd)

How to Detect Steganography

Detecting Text, Image, Audio, and Video Steganography (Cont'd)

Detecting Text, Image, Audio, and Video Steganography

Steganalysis Methods/Attacks on Steganography

Disabling or Active Attacks

Steganography Detection Tool: Stegdetect

Steganography Detection Tools

Demo - Steg Detection

Module Flow: Image Files

Image Files

Common Terminologies

Understanding Vector Images

Understanding Raster Images

Metafile Graphics

Understanding Image File Formats

GIF (Graphics Interchange Format) (Cont'd)

GIF (Cont'd)

GIF

JPEG (Joint Photographic Experts Group)

JPEG Files Structure (Cont'd)

JPEG Files Structure

JPEG 2000

BMP (Bitmap) File

BMP File Structure

PNG (Portable Network Graphics)

PNG File Structure

TIFF (Tagged Image File Format)

TIFF File Structure (Cont'd)

TIFF File Structure

Module Flow: Data Compression

Understanding Data Compression

How Does File Compression Work?

Lossless Compression

Huffman Coding Algorithm (Cont'd)

Huffman Coding Algorithm

Lempel-Ziv Coding Algorithm (Cont'd)

Lempel-Ziv Coding Algorithm

Lossy Compression

Vector Quantization

Module Flow: Locating and Recovering Image Files

Best Practices for Forensic Image Analysis

Forensic Image Processing Using MATLAB

Advantages of MATLAB

MATLAB Screenshot

Locating and Recovering Image Files

Analyzing Image File Headers

Repairing Damaged Headers (Cont'd)

Repairing Damaged Headers

Reconstructing File Fragments

Identifying Unknown File Formats

Identifying Image File Fragments

Identifying Copyright Issues on Graphics

Picture Viewer: IrfanView

Picture Viewer: ACDSee Photo Manager 12

Picture Viewer: Thumbsplus

Picture Viewer: AD Picture Viewer Lite

Picture Viewer Max

Picture Viewer: FastStone Image Viewer

Picture Viewer: XnView

Demo - Picture Viewers

Faces - Sketch Software

Digital Camera Data Discovery Software: File Hound

Module Flow: Image File Forensics Tools

Hex Workshop

GFE Stealth - Forensics Graphics File Extractor

Ilook

Adroit Photo Forensics 2011

Digital Photo Recovery

Digital Photo Recovery Screenshots

Stellar Phoenix Photo Recovery Software

Zero Assumption Recovery (ZAR)

Photo Recovery Software

Forensic Image Viewer

File Finder

DiskGetor Data Recovery

DERescue Data Recovery Master

Recover My Files

Universal Viewer

Module 13 Review

Module 14 - Application Password Crackers 1h 8m

Module Flow: Password Cracking Concepts

Password - Terminology

Password Types

Password Cracker

How Does a Password Cracker Work?

How Hash Passwords are Stored in Windows SAM

Module Flow: Types of Password Attacks

Password Cracking Techniques

Types of Password Attacks

Passive Online Attacks: Wire Sniffing

Password Sniffing

Passive Online Attack: Man-in-the-Middle and Replay Attack

Active Online Attack: Password Guessing

Active Online Attack: Trojan/Spyware/keylogger

Active Online Attack: Hash Injection Attack

Rainbow Attacks: Pre-Computed Hash

Distributed Network Attack

Elcomsoft Distributed Password Recovery

Non-Electronic Attacks

Manual Password Cracking (Guessing)

Automatic Password Cracking Algorithm

Time Needed to Crack Passwords

Classification of Cracking Software

Systems Software vs. Applications Software

Module Flow: System Software Password Cracking

System Software Password Cracking

Bypassing BIOS Passwords

Using Manufacturer's Backdoor Password to Access the BIOS

Using Password Cracking Software

CmosPwd

Resetting the CMOS using the Jumpers or Solder Beads

Removing CMOS Battery

Overloading the Keyboard Buffer and Using a Professional Service

Tool to Reset Admin Password: Active@ Password Changer

Tool to Reset Admin Password: Windows Key

Module Flow: Application Software Password Cracking

Passware Kit Forensic

Accent Keyword Extractor

Distributed Network Attack

Password Recovery Bundle

Advanced Office Password Recovery

Office Password Recovery

Office Password Recovery Toolbox

Office Multi-document Password Cracker

Word Password Recovery Master

Accent WORD Password Recovery

Word Password

PowerPoint Password Recovery

PowerPoint Password

Powerpoint Key

Stellar Phoenix Powerpoint Password Recovery

Excel Password Recovery Master

Accent EXCEL Password Recovery

Excel Password

Advanced PDF Password Recovery

PDF Password Cracker

PDF Password Cracker Pro

Atomic PDF Password Recovery

PDF Password

Recover PDF Password

Appnimi PDF Password Recovery

Advanced Archive Password Recovery

KRyLack Archive Password Recovery

Zip Password

Atomic ZIP Password Recovery

RAR Password Unlocker

Demo - Office Password Cracking

Default Passwords

http://www.defaultpassword.com

http://www.cirt.net/passwords

http://default-password.info

http://www.defaultpassword.us

http://www.passwordsdatabase.com

http://www.virus.org

Module Flow: Password Cracking Tools

L0phtCrack

OphCrack

Cain & Abel

RainbowCrack

Windows Password Unlocker

Windows Password Breaker

SAMInside

PWdump7 and Fgdump

Password Cracking Tools

Demo - System Password Cracking

Module 14 Review

Module 15 - Log Capturing and Event Correlation 1h 23m

Module Flow: Computer Security Logs

Computer Security Logs

Operating System Logs

Application Logs

Security Software Logs

Router Log Files

Honeypot Logs

Linux Process Accounting

Logon Event in Windows

Windows Log File

Configuring Windows Logging

Analyzing Windows Logs

Windows Log File: System Logs

Windows Log Files: Application Logs

Logon Events that appear in the Security Event Log (Cont'd)

Logon Events that appear in the Security Event Log

Demo - Windows Event Viewer

IIS Logs

IIS Log File Format

Maintaining Credible IIS Log Files

Log File Accuracy

Log Everything

Keeping Time

UTC Time

View the DHCP Logs

Sample DHCP Audit Log File

ODBC Logging

Module Flow: Logs and Legal Issues

Legality of Using Logs (Cont'd)

Legality of Using Logs

Records of Regularly Conducted Activity as Evidence

Laws and Regulations

Module Flow: Log Management

Log Management

Functions of Log Management

Challenges in Log Management

Meeting the Challenges in Log Management

Module Flow: Centralized Logging and Syslogs

Centralized Logging

Centralized Logging Architecture

Steps to Implement Central Logging

Syslog

Syslog in Unix-Like Systems

Steps to Set Up a Syslog Server for Unix Systems

Advantages of Centralized Syslog Server

IIS Centralized Binary Logging

Module Flow: Time Synchronization

Why Synchronize Computer Times?

What is NTP?

NTP Stratum Levels (Cont'd)

NTP Stratum Levels

NIST Time Servers (Cont'd)

NIST Time Servers

Configuring Time Server in Windows Server

Module Flow: Event Correlation

Event Correlation

Types of Event Correlation

Prerequisites for Event Correlation

Event Correlation Approaches (Cont'd)

Event Correlation Approaches

Module Flow: Log Capturing and Analysis Tools

GFI EventsManager

GFI EventsManager Screenshot

Activeworx Security Center

EventLog Analyzer

EventLog Analyzer Screenshot

Syslog-ng OSE

Syslog-ng Screenshot

Kiwi Syslog Server

Kiwi Syslog Server Screenshot

WinSyslog

Firewall Analyzer: Log Analysis Tool

Firewall Analyzer Architecture

Firewall Analyzer Screenshot

Activeworx Log Center

EventReporter

Kiwi Log Viewer

Event Log Explorer

WebLog Expert

XpoLog Center Suite

XpoLog Center Suite Screenshot

ELM Event Log Monitor

EventSentry

LogMeister

LogViewer Pro

WinAgents EventLog Translation Service

EventTracker Enterprise

Corner Bowl Log Manager

Ascella Log Monitor Plus

FLAG - Forensic and Log Analysis GUI

FLAG Screenshot

Simple Event Correlator (SEC)

OSSEC

Module 15 Review

Module 16 - Network Forensics, Investigating Logs and Investigating Network Traffic 1h 37m

Module Flow: Network Forensics

Network Attack Statistics

Network Forensics

Network Forensics Analysis Mechanism

Network Addressing Schemes

Overview of Network Protocols

Overview of Physical and Data-Link Layer of the OSI Model

Overview of Network and Transport Layer of the OSI Model

OSI Reference Model

TCP/IP Protocol

Intrusion Detection Systems (IDS) and Their Placement

How IDS Works

Types of Intrusion Detection Systems

General Indications of Intrusions

Firewall

Honeypot

Module Flow: Network Attacks

Network Vulnerabilities

Types of Network Attacks

IP Address Spoofing

Man-in-the-Middle Attack

Packet Sniffing

How a Sniffer Works

Enumeration

Denial of Service Attack

Session Sniffing

Buffer Overflow

Trojan Horse

Module Flow: Log Injection Attacks

New Line Injection Attack

New Line Injection Attack Countermeasure

Separator Injection Attack (Cont'd)

Separator Injection Attack

Defending Separator Injection Attacks

Timestamp Injection Attack (Cont'd)

Timestamp Injection Attack

Defending Timestamp Injection Attacks

Word Wrap Abuse Attack

Defending Word Wrap Abuse Attacks

HTML Injection Attack

Defending HTML Injection Attacks

Terminal Injection Attack

Defending Terminal Injection Attacks

Module Flow: Investigating and Analyzing Logs

Postmortem and Real-Time Analysis

Where to Look for Evidence

Log Capturing Tool: ManageEngine EventLog Analyzer

Log Capturing Tool: ManageEngine Firewall Analyzer

Log Capturing Tool: GFI EventsManager

GFI EventsManager Screenshot

Log Capturing Tool: Kiwi Syslog Server

Kiwi Syslog Server Screenshot

Handling Logs as Evidence

Log File Authenticity

Demo - Kiwi Log Viewer

Use Signatures, Encryption, and Checksums

Work with Copies

Ensure System's Integrity

Access Control

Chain of Custody

Condensing Log File

Module Flow: Investigating Network Traffic

Why Investigate Network Traffic?

Evidence Gathering via Sniffing

Capturing Live Data Packets Using Wireshark

Wireshark Screenshot

Display Filters in Wireshark

Additional Wireshark Filters

Demo - Wireshark

Acquiring Traffic Using DNS Poisoning Techniques

Intranet DNS Spoofing (Local Network)

Intranet DNS Spoofing (Remote Network)

Proxy Server DNS Poisoning

DNS Cache Poisoning

Evidence Gathering from ARP Table

Evidence Gathering at the Data-Link Layer: DHCP Database

Gathering Evidence by IDS

Module Flow: Traffic Capturing and Analysis Tools

NetworkMiner

Tcpdump/Windump

Intrusion Detection Tool: Snort

How Snort Works

IDS Policy Manager

MaaTec Network Analyzer

Iris Network Traffic Analyzer

NetWitness Investigator

NetWitness Investigator Screenshot

Colasoft Capsa Network Analyzer

Sniff-O-Matic

NetResident

Network Probe

NetFlow Analyzer

OmniPeek Network Analyzer

Firewall Evasion Tool: Traffic IQ Professional

NetworkView

CommView

Observer

SoftPerfect Network Protocol Analyzer

EffeTech HTTP Sniffer

Big-Mother

EtherDetect Packet Sniffer

Ntop

EtherApe

Demo - Nmap

AnalogX Packetmon

IEInspector HTTP Analyzer

SmartSniff

Distinct Network Monitor

Give Me Too

EtherSnoop

Show Traffic

Argus

Documenting the Evidence Gathered on a Network

Module 16 Review

Module 17 - Investigating Wireless Attacks 2h 5m

Module Flow: Wireless Technologies

Wi-Fi Usage Statistics in the US

Wireless Networks

Wireless Terminologies

Wireless Components

Types of Wireless Networks

Wireless Standards

MAC Filtering

Service Set Identifier (SSID)

Types of Wireless Encryption: WEP

Types of Wireless Encryption: WPA

Types of Wireless Encryption: WPA2

WEP vs. WPA vs. WPA2

Module Flow: Wireless Attacks

Wi-Fi Chalking

Wi-Fi Chalking Symbols

Access Control Attacks (Cont'd)

Access Control Attacks

Integrity Attacks (Cont'd)

Integrity Attacks

Confidentiality Attacks (Cont'd)

Confidentiality Attacks

Availability Attacks (Cont'd)

Availability Attacks

Authentication Attacks (Cont'd)

Authentication Attacks

Module Flow: Investigating Wireless Attacks

Key Points to Remember

Steps for Investigation

Obtain a Search Warrant

Identify Wireless Devices at Crime Scene (Cont'd)

Identify Wireless Devices at Crime Scene

Search for Additional Devices

Detect Rogue Access Point

Document the Scene and Maintain a Chain of Custody

Detect the Wireless Connections

Methodologies to Detect Wireless Connections

Wi-Fi Discovery Tool: inSSIDer

GPS Mapping

GPS Mapping Tool: WIGLE

GPS Mapping Tool: Skyhook

How to Discover Wi-Fi Networks Using Wardriving

Check for MAC Filtering (Cont'd)

Check for MAC Filtering

Changing the MAC Address (Cont'd)

Changing the MAC Address

Detect WAPs Using the Nessus Vulnerability Scanner

Capturing Wireless Traffic

Sniffing Tool: Wireshark

Follow TCP Stream in Wireshark

Display Filters in Wireshark

Additional Wireshark Filters

Determine Wireless Field Strength: FSM

Determine Wireless Field Strength: ZAP Checker Products

What is Spectrum Analysis?

Map Wireless Zones and Hotspots

Connect to the Wireless Access Point (Cont'd)

Connect to the Wireless Access Point

Access Point Data Acquisition and Analysis: Attached Devices

Access Point Data Acquisition and Analysis: LAN TCP/IP Setup

Access Point Data Acquisition and Analysis

Firewall Analyzer

Firewall Log Analyzer

Wireless Devices Data Acquisition and Analysis (Cont'd)

Wireless Devices Data Acquisition and Analysis

Report Generation

Module Flow: Features of a Good Wireless Forensics Tool

Features of a Good Wireless Forensics Tool (Cont'd)

Features of a Good Wireless Forensics Tool

Module Flow: Wireless Forensics Tools

Wi-Fi Discovery Tool: NetStumbler

Demo - inSSIDer NetStumbler

Wi-Fi Discovery Tool: NetSurveyor

Wi-Fi Discovery Tool: Vistumbler

Wi-Fi Discovery Tool: WirelessMon

Wi-Fi Discovery Tool: Kismet

Wi-Fi Discovery Tool: AirPort Signal

Wi-Fi Discovery Tools

Wi-Fi Packet Sniffer: OmniPeek (Cont'd)

Wi-Fi Packet Sniffer: OmniPeek

Wi-Fi Packet Sniffer: CommView for WiFi

Wi-Fi USB Dongle: AirPcap

Wi-Fi Packet Sniffer: Wireshark with AirPcap

Wi-Fi Packet Sniffer: tcpdump

tcpdump Commands (Cont'd)

tcpdump Commands

Wi-Fi Packet Sniffer: KisMAC

Aircrack-ng Suite

Demo - AirCrack

AirMagnet WiFi Analyzer

Wardriving Tools

RF Monitoring Tools

Wi-Fi Connection Manager Tools

Wi-Fi Traffic Analyzer Tools

Wi-Fi Raw Packet Capturing Tools / Wi-Fi Spectrum Analyzing Tools

Module 17 Review

Module 18 - Investigating Web Attacks 2h 14m

Module Flow: Introduction to Web Applications and Web Servers

Web Application Security Statistics

Webserver Market Shares

Introduction to Web Applications

Web Application Components

How Web Applications Work

Web Application Architecture

Open Source Web Server Architecture

Indications of a Web Attack

Web Attack Vectors

Why Web Servers are Compromised

Impact of Web Server Attacks

Website Defacement

Case Study

Module Flow: Web Logs

Overview of Web Logs

Application Logs

Internet Information Services (IIS) Logs

IIS Web Server Architecture

IIS Log File Format

Apache Web Server Logs

DHCP Server Logs

Module Flow: Web Attacks

Web Attacks - 1

Web Attacks - 2

Unvalidated Input

Parameter/Form Tampering

Directory Traversal

Security Misconfiguration

Injection Flaws

SQL Injection Attacks

Command Injection Attacks

Command Injection Example

File Injection Attack

What is LDAP Injection?

How LDAP Injection Works

Hidden Field Manipulation Attack

Cross-Site Scripting (XSS) Attacks

How XSS Attacks Work

Cross-Site Request Forgery (CSRF) Attack

How CSRF Attacks Work

Web Application Denial-of-Service (DoS) Attack

Denial of Service (DoS) Examples

Buffer Overflow Attacks

Cookie/Session Poisoning

How Cookie Poisoning Works

Session Fixation Attack

Insufficient Transport Layer Protection

Improper Error Handling

Insecure Cryptographic Storage

Broken Authentication and Session Management

Unvalidated Redirects and Forwards

DMZ Protocol Attack / Zero Day Attack

Log Tampering

URL Interpretation and Impersonation Attack

Web Services Attack

Web Services Footprinting Attack

Web Services XML Poisoning

Web Server Misconfiguration

Example

HTTP Response Splitting Attack

Web Cache Poisoning Attack

HTTP Response Hijacking

SSH Bruteforce Attack

Man-in-the-Middle Attack

Defacement Using DNS Compromise

Module Flow: Web Attack Investigation

Investigating Web Attacks

Investigating Web Attacks in Windows-Based Servers (Cont'd)

Investigating Web Attacks in Windows-Based Servers

Investigating IIS Logs

Investigating Apache Logs (Cont'd)

Investigating Apache Logs

Example of FTP Compromise

Investigating FTP Servers

Investigating Static and Dynamic IP Addresses

Sample DHCP Audit Log File

Investigating Cross-Site Scripting (XSS) (Cont'd)

Investigating Cross-Site Scripting (XSS)

Investigating SQL Injection Attacks (Cont'd)

Investigating SQL Injection Attacks

Pen-Testing CSRF Validation Fields

Investigating Code Injection Attack

Investigating Cookie Poisoning Attack

Detecting Buffer Overflow

Investigating Authentication Hijacking

Web Page Defacement

Investigating DNS Poisoning

Intrusion Detection

Security Strategies for Web Applications

Checklist for Web Security

Module Flow: Web Attack Detection Tools

Demo - Nessus

Web Application Security Tool: Acunetix Web Vulnerability Scanner

Web Application Security Tool: Falcove Web Vulnerability Scanner

Web Application Security Tool: Netsparker

Web Application Security Tool: N-Stalker Web Application Security Scanner

Web Application Security Tool: Sandcat

Web Application Security Tool: Wikto

Web Application Security Tools: WebWatchBot

Web Application Security Tool: OWASP ZAP

Web Application Security Tool: SecuBat Vulnerability Scanner

Web Application Security Tool: Websecurify

Web Application Security Tool: HackAlert

Web Application Security Tool: WebCruiser

Web Application Firewall: dotDefender

Web Application Firewall: IBM AppScan

Web Application Firewall: ServerDefender VP

Web Log Viewer: Deep Log Analyzer

Web Log Viewer: WebLog Expert

Web Log Viewer: AlterWind Log Analyzer

Web Log Viewer: Webalizer

Web Log Viewer: eWebLog Analyzer

Web Log Viewer: Apache Logs Viewer (ALV)

Web Attack Investigation Tool: AWStats

Web Attack Investigation Tools: Paros Proxy

Web Attack Investigation Tools: Scrawlr

Module Flow: Tools for Locating IP Addresses

Whois Lookup (Cont'd)

Whois Lookup Result

SmartWhois

ActiveWhois

LanWhoIs

CountryWhois

CallerIP

Real Hide IP

Demo - Real Hide IP

IP Address Manager

Pandora FMS

Demo - Whois Lookup

Module 18 Review

Module 19 - Tracking Emails and Investigating Email Crimes 1h 40m

Module Flow: Email System Basics

Email Terminology

Email System

Email Clients

Email Server

SMTP Server

POP3 and IMAP Servers

Email Message

Importance of Electronic Records Management

Module Flow: Email Crimes

Email Crime

Email Spamming

Mail Bombing/Mail Storm

Phishing (Cont'd)

Phishing

Email Spoofing

Crime via Chat Room

Identity Fraud/Chain Letter

Module Flow: Email Headers

Example of Email Header

List of Common Headers (Cont'd)

List of Common Headers

Module Flow: Steps to Investigate

Why Investigate Emails?

Investigating Email Crime and Violation

Obtain a Search Warrant and Seize the Computer and Email Account

Obtain a Bit-by-Bit Image of Email Information

Examine Email Headers

Viewing Email Headers in Microsoft Outlook

Viewing Email Headers in AOL

Viewing Email Headers in Hotmail

Viewing Email Headers in Gmail

Viewing Headers in Yahoo Mail

Forging Headers

Analyzing Email Headers (Cont'd)

Analyzing Email Headers

Email Header Fields

Received: Headers

Demo - Email Headers

Microsoft Outlook Mail

Examining Additional Files (.pst or .ost Files)

Checking the Email Validity

Examine the Originating IP Address

Tracing Back

Tracing Back Web-Based Email

Email Archives

Content of Email Archives

Local Archive (Cont'd)

Local Archive

Server Storage Archive (Cont'd)

Server Storage Archive

Forensic Acquisition of Email Archive (Cont'd)

Forensic Acquisition of Email Archive

Deleted Email Recovery

Module Flow: Email Forensics Tools

Stellar Phoenix Deleted Email Recovery

Recover My Email

Outlook Express Recovery

Zmeil

Quick Recovery for MS Outlook

Email Detective

Email Trace - Email Tracking

R-Mail

FINALeMAIL

eMailTrackerPro

Forensic Tool Kit (FTK)

Paraben's E-mail Examiner

Paraben's Network E-mail Examiner

DiskInternal's Outlook Express Repair

Abuse.Net

MailDetective Tool

Module Flow: Laws and Acts against Email Crimes

U.S. Laws Against Email Crime: CAN-SPAM Act (Cont'd)

U.S. Laws Against Email Crime: CAN-SPAM Act

18 U.S.C. - 2252A

18 U.S.C. - 2252B

Email Crime Law in Washington: RCW 19.190.020

Module 19 Review

Module 20 - Mobile Forensics 1h 58m

Module Flow: Mobile Phones

Smartphone Sales Statistics 2010/2011

Mobile Phone

Different Mobile Devices

Hardware Characteristics of Mobile Devices

Software Characteristics of Mobile Devices

Components of Cellular Network

Cellular Network

Different Cellular Networks

Module Flow: Mobile Operating Systems

Mobile Operating Systems

Types of Mobile Operating Systems

webOS

webOS System Architecture

Symbian OS

Symbian OS Architecture

Android OS

Android OS Architecture

RIM Blackberry OS

Windows Phone 7

Windows Phone 7 Architecture

Apple iOS

Module Flow: Mobile Forensics

What a Criminal Can Do with Mobile Phones

Mobile Forensics

Mobile Forensics Challenges

Forensics Information in Mobile Phones

Memory Considerations in Mobiles

Subscriber Identity Module (SIM)

SIM File System

Integrated Circuit Card Identification (ICCID)

International Mobile Equipment Identifier (IMEI)

Electronic Serial Number (ESN)

Precautions to Be Taken Before Investigation (Cont'd)

Precautions to Be Taken Before Investigation

Module Flow: Mobile Forensics Process

Mobile Forensics Process

Collecting the Evidence

Points to Remember while Collecting the Evidence

Collecting an iPod/iPhone Connected to a Computer

Demo - Mac-based iPods

Demo - Windows-based iPods

Document the Scene and Preserve the Evidence (Cont'd)

Document the Scene and Preserve the Evidence

Imaging and Profiling

Acquire the Information

Device Identification

Acquire Data from SIM Cards (Cont'd)

Acquire Data from SIM Cards

Acquire Data from Unobstructed Mobile Devices

Acquire the Data from Obstructed Mobile Devices

Acquire Data from Memory Cards (Cont'd)

Acquire Data from Memory Cards

Acquire Data from Synched Devices

Gather Data from Network Operator

Check Call Data Records (CDRs)

Gather Data from SQLite Record (Cont'd)

Gather Data from SQLite Record

Analyze the Information (Cont'd)

Analyze the Information

Generate Report

Module Flow: Mobile Forensics Software Tools

Oxygen Forensic Suite 2011

MOBILedit! Forensic

MOBILedit! Forensic: Screenshot

BitPim

SIM Analyzer

SIMCon

SIM Card Data Recovery

Memory Card Data Recovery

Device Seizure

SIM Card Seizure

ART (Automatic Reporting Tool)

iPod Data Recovery Software

Recover My iPod

PhoneView

Elcomsoft Blackberry Backup Explorer

Oxygen Phone Manager II

Sanmaxi SIM Recoverer

Mobile Forensics Tools

Demo - Mobile Forensic Software

Module Flow: Mobile Forensics Hardware Tools

Secure View Kit

Deployable Device Seizure (DDS)

Paraben's Mobile Field Kit

PhoneBase

XACT System

Logicube CellDEK

Logicube CellDEK TEK

RadioTactics ACESO

UME-36Pro - Universal Memory Exchanger

Cellebrite UFED System - Universal Forensic Extraction Device

ZRT 2

ICD 5200

ICD 1300

Module 20 Review

Module 21 - Investigative Reports 1h 16m

Module Flow: Computer Forensics Report

Computer Forensics Report

Salient Features of a Good Report (Cont'd)

Salient Features of a Good Report

Aspects of a Good Report

Module Flow: Computer Forensics Report Template

Computer Forensics Report Template (Cont'd)

Computer Forensics Report Template

Simple Format of the Chain of Custody Document

Chain of Custody Forms (Cont'd)

Chain of Custody Forms

Evidence Collection Form

Computer Evidence Worksheet (Cont'd)

Computer Evidence Worksheet

Hard Drive Evidence Worksheet (Cont'd)

Hard Drive Evidence Worksheet

Removable Media Worksheet

Module Flow: Investigative Report Writing

Report Classification

Layout of an Investigative Report

Layout of an Investigative Report: Numbering

Report Specifications

Guidelines for Writing a Report

Use of Supporting Material

Importance of Consistency

Investigative Report Format

Attachments and Appendices

Include Metadata

Signature Analysis

Investigation Procedures

Collecting Physical and Demonstrative Evidence

Collecting Testimonial Evidence

Do's and Don'ts of Computer Forensics Investigations

Case Report Writing and Documentation

Creating a Report to Attach to the Media Analysis Worksheet

Best Practices for Investigators

Module Flow: Sample Forensics Report

Sample Forensics Report

Sample Forensics Report 1 (1 of 5)

Sample Forensics Report 1 (2 of 5)

Sample Forensics Report 1 (3 of 5)

Sample Forensics Report 1 (4 of 5)

Sample Forensics Report 1 (5 of 5)

Sample Forensics Report 2 (1 of 3)

Sample Forensics Report 2 (2 of 3)

Sample Forensics Report 2 (3 of 3)

Module Flow: Report Writing Using Tools

Writing Report Using FTK (1 of 10)

Writing Report Using FTK (2 of 10)

Writing Report Using FTK (3 of 10)

Writing Report Using FTK (4 of 10)

Writing Report Using FTK (5 of 10)

Writing Report Using FTK (6 of 10)

Writing Report Using FTK (7 of 10)

Writing Report Using FTK (8 of 10)

Writing Report Using FTK (9 of 10)

Writing Report Using FTK (10 of 10)

Writing Report Using ProDiscover (1 of 7)

Writing Report Using ProDiscover (2 of 7)

Writing Report Using ProDiscover (3 of 7)

Writing Report Using ProDiscover (4 of 7)

Writing Report Using ProDiscover (5 of 7)

Writing Report Using ProDiscover (6 of 7)

Writing Report Using ProDiscover (7 of 7)

Demo - Investigative Reports

Module 21 Review

Module 22 - Becoming an Expert Witness 1h

Module Flow: Expert Witness

What is an Expert Witness?

Role of an Expert Witness

What Makes a Good Expert Witness?

Module Flow: Types of Expert Witnesses

Types of Expert Witnesses

Computer Forensics Experts

Role of Computer Forensics Expert

Medical & Psychological Experts

Civil Litigation Experts

Construction & Architecture Experts

Criminal Litigation Experts

Module Flow: Scope of Expert Witness Testimony

Scope of Expert Witness Testimony (Cont'd)

Scope of Expert Witness Testimony

Technical Witness vs. Expert Witness

Preparing for Testimony

Module Flow: Evidence Processing

Evidence Preparation and Documentation

Evidence Processing Steps (Cont'd)

Evidence Processing Steps

Checklists for Processing Evidence

Examining Computer Evidence

Prepare the Report

Evidence Presentation

Module Flow: Rules for Expert Witness

Rules Pertaining to an Expert Witness's Qualifications (Cont'd)

Rules Pertaining to an Expert Witness's Qualifications

Daubert Standard

Frye Standard

Importance of Resume

Testifying in the Court

The Order of Trial Proceedings

Module Flow: General Ethics While Testifying

General Ethics While Testifying

Importance of Graphics in a Testimony

Helping your Attorney

Avoiding Testimony Issues

Testifying during Direct Examination (Cont'd)

Testifying during Direct Examination

Testifying during Cross-Examination

Deposing

Recognizing Deposition Problems

Guidelines to Testifying at a Deposition

Dealing with Media

Finding a Computer Forensics Expert

Learn More…

Module 22 Review

Course Closure

Total Duration: 44h 56m
