Course Outline (Global Certification from EC-Council on qualifying online examination):
Module 01: Computer Forensics in Today's World
- Forensics Science
- Computer Forensics
- Security Incident Report
- Aspects of Organizational Security
- Evolution of Computer Forensics
- Objective of Computer Forensics
- Need for Compute Forensics
- Forensics Readiness
- Benefits of Forensics Readiness
- Goals of Forensics Readiness
- Forensics Readiness Planning
- Cyber Crime
- Computer Facilitated Crimes
- Modes of Attacks
- Examples of Cyber Crime
- Types of Computer Crimes
- Cyber Criminals
- Organized Cyber Crime: Organizational Chart
- How Serious are Different Types of Incidents?
- Disruptive Incidents to the Business
- Cost Expenditure Responding to the Security Incident
- Cyber Crime Investigation
-
Key Steps in Forensics Investigation
-
Rules of Forensics Investigation
-
Need for Forensics Investigator
-
Role of Forensics Investigator
-
Accessing Computer Forensics Resources
-
Role of Digital Evidence
- Corporate Investigations
-
Understanding Corporate Investigations
-
Approach to Forensics Investigation: A Case Study
-
Instructions for the Forensic Investigator to Approach the Crime Scene
-
Why and When Do You Use Computer Forensics?
-
Enterprise Theory of Investigation (ETI)
-
Legal Issues
-
Reporting the Results
- Reporting a Cyber Crime
-
Why you Should Report Cybercrime?
-
Reporting Computer-Related Crimes
-
Person Assigned to Report the Crime
-
When and How to Report an Incident?
-
Who to Contact at the Law Enforcement?
-
Federal Local Agents Contact
-
More Contacts
-
CIO Cyberthreat Report Form
Module 02: Computer Forensics Investigation Process
- Investigating Computer Crime
-
Before the Investigation
-
Build a Forensics Workstation
-
Building the Investigation Team
-
People Involved in Computer Forensics
-
Review Policies and Laws
-
Forensics Laws
-
Notify Decision Makers and Acquire Authorization
-
Risk Assessment
-
Build a Computer Investigation Toolkit
- Steps to Prepare for a Computer Forensics Investigation
- Computer Forensics Investigation Methodology
- Obtain Search Warrant
-
Example of Search Warrant
-
Searches Without a Warrant
- Evaluate and Secure the Scene
-
Forensics Photography
-
Gather the Preliminary Information at the Scene
-
First Responder
- Collect the Evidence
- Collect Physical Evidence
- Collect Electronic Evidence
- Guidelines for Acquiring Evidence
- Secure the Evidence
- Evidence Management
- Chain of Custody
- Acquire the Data
- Duplicate the Data (Imaging)
- Verify Image Integrity
- MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
- Recover Lost or Deleted Data
- Analyze the Data
- Data Analysis
- Data Analysis Tools
- Assess Evidence and Case
-
Evidence Assessment
-
Case Assessment
-
Processing Location Assessment
-
Best Practices to Assess the Evidence
- Prepare the Final Report
-
Documentation in Each Phase
-
Gather and Organize Information
-
Writing the Investigation Report
-
Sample Report
- Testifying as an Expert Witness
-
Expert Witness
-
Testifying in the Court Room
-
Closing the Case
-
Maintaining Professional Conduct
-
Investigating a Company Policy Violation
-
Computer Forensics Service Providers
Module 03: Searching and Seizing Computers
- Searching and Seizing Computers without a Warrant
-
A: Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: General Principles
- A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
- A.3: Reasonable Expectation of Privacy and Third-Party Possession
- A.4: Private Searches
- A.5 Use of Technology to Obtain Information
- B: Exceptions to the Warrant Requirement in Cases Involving Computers
- B.1: Consent
- B.1.a: Scope of Consent
- B.1.b: Third-Party Consent
- B.1.c: Implied Consent
- B.2: Exigent Circumstances
- B.3: Plain View
- B.4: Search Incident to a Lawful Arrest
- B.5: Inventory Searches
- B.6: Border Searches
- B.7: International Issues
- C: Special Case: Workplace Searches
- C.1: Private Sector Workplace Searches
- C.2: Public-Sector Workplace Searches
- Searching and Seizing Computers with a Warrant
- A: Successful Search with a Warrant
- A.1: Basic Strategies for Executing Computer Searches
- A.1.a: When Hardware is itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
- A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime
- A.2: The Privacy Protection Act
- A.2.a: The Terms of the Privacy Protection Act
- A.2.b: Application of the PPA to Computer Searches and Seizures
- A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
- A.4: Considering the Need for Multiple Warrants in Network Searches
- A.5: No-Knock Warrants
- A.6: Sneak-and-Peek Warrants
- A.7: Privileged Documents
- B: Drafting the Warrant and Affidavit
- B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
- B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the "Things to Be Seized"
- B.2: Establish Probable Cause in the Affidavit
- B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search
- C: Post-Seizure Issues
- C.1: Searching Computers Already in Law Enforcement Custody
- C.2: The Permissible Time Period for Examining Seized Computers
- C.3: Rule 41(e) Motions for Return of Property
- The Electronic Communications Privacy Act
- A. Providers of Electronic Communication Service vs. Remote Computing Service
- B. Classifying Types of Information Held by Service Providers
- C. Compelled Disclosure Under ECPA
- D. Voluntary Disclosure
- E. Working with Network Providers
- Electronic Surveillance in Communications Networks
- A. Content vs. Addressing Information
- B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
- C. The Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522
- C.1: Exceptions to Title III
- D. Remedies For Violations of Title III and the Pen/Trap Statute
-
Evidence
- A. Authentication
- B. Hearsay
- C. Other Issues
Module 04: Digital Evidence
- Digital Data
-
Definition of Digital Evidence
-
Increasing Awareness of Digital Evidence
-
Challenging Aspects of Digital Evidence
-
The Role of Digital Evidence
-
Characteristics of Digital Evidence
-
Fragility of Digital Evidence
-
Anti-Digital Forensics (ADF)
- Types of Digital Data
- Rules of Evidence
-
Rules of Evidence
-
Best Evidence Rule
-
Federal Rules of Evidence
-
International Organization on Computer Evidence (IOCE)
-
IOCE International Principles for Digital Evidence
-
Scientific Working Group on Digital Evidence (SWGDE)
-
SWGDE Standards for the Exchange of Digital Evidence
- Electronic Devices: Types and Collecting Potential Evidence
- Electronic Devices: Types and Collecting Potential Evidence
- Digital Evidence Examination Process
- Evidence Assessment
- Prepare for Evidence Acquisition
- Evidence Acquisition
-
Preparation for Searches
-
Seizing the Evidence
-
Imaging
-
Bit-Stream Copies
-
Write Protection
-
Evidence Acquisition
-
Evidence Acquisition from Crime Location
-
Acquiring Evidence from Storage Devices
-
Collecting Evidence
-
Collecting Evidence from RAM
-
Collecting Evidence from a Standalone Network Computer
-
Chain of Custody
-
Chain of Evidence Form
- Evidence Preservation
-
Preserving Digital Evidence: Checklist
-
Preserving??Removable Media
-
Handling Digital Evidence
-
Store and Archive
-
Digital Evidence Findings
- Evidence Examination and Analysis
-
Evidence Examination
-
Physical Extraction
-
Logical Extraction
-
Analyze Host Data
-
Analyze Storage Media
-
Analyze Network Data
-
Analysis of Extracted Data
-
Timeframe Analysis
-
Data Hiding Analysis
-
Application and File Analysis
-
Ownership and Possession
- Evidence Documentation and Reporting
-
Documenting the Evidence
-
Evidence Examiner Report
-
Final Report of Findings
-
Computer Evidence Worksheet
-
Hard Drive Evidence Worksheet
-
Removable Media Worksheet
- Electronic Crime and Digital Evidence Consideration by Crime Category
- Electronic Crime and Digital Evidence Consideration by Crime Category
Module 05: First Responder Procedures
- Electronic Evidence
-
First Responder
-
Roles of First Responder
-
Electronic Devices: Types and Collecting Potential Evidence
- First Responder Toolkit
-
First Responder Toolkit
-
Creating a First Responder Toolkit
-
Evidence Collecting Tools and Equipment
- First Response Basics
-
First Response Rule
-
Incident Response: Different Situations
-
First Response for System Administrators
-
First Response by Non-Laboratory Staff
-
First Response by Laboratory Forensics Staff
- Securing and Evaluating Electronic Crime Scene
-
Securing and Evaluating Electronic Crime Scene: A Checklist
-
Securing the Crime Scene
-
Warrant for Search and Seizure
-
Planning the Search and Seizure
-
Initial Search of the Scene
-
Health and Safety Issues
- Conducting Preliminary Interviews
-
Questions to Ask When Client Calls the Forensic Investigator
-
Consent
-
Sample of Consent Search Form
-
Witness Signatures
-
Conducting Preliminary Interviews
-
Conducting Initial Interviews
-
Witness Statement Checklist
- Documenting Electronic Crime Scene
-
Documenting Electronic Crime Scene
-
Photographing the Scene
-
Sketching the Scene
-
Video Shooting the Crime Scene
- Collecting and Preserving Electronic Evidence
-
Collecting and Preserving Electronic Evidence
-
Order of Volatility
-
Dealing with Powered On Computers
-
Dealing with Powered Off Computers
-
Dealing with Networked Computer
-
Dealing with Open Files and Startup Files
-
Operating System Shutdown Procedure
-
Computers and Servers
-
Preserving Electronic Evidence
-
Seizing Portable Computers
-
Switched On Portables
-
Collecting and Preserving Electronic Evidence
- Packaging and Transporting Electronic Evidence
-
Evidence Bag Contents List
-
Packaging Electronic Evidence
-
Exhibit Numbering
-
Transporting Electronic Evidence
-
Handling and Transportation to the Forensics Laboratory
-
Storing Electronic Evidence
-
Chain of Custody
-
Simple Format of the Chain of Custody Document
-
Chain of Custody Forms
-
Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
- Reporting the Crime Scene
-
Reporting the Crime Scene
-
Note Taking Checklist
-
First Responder Common Mistakes
Module 06: Computer Forensics Lab
- Setting a Computer Forensics Lab
-
Computer Forensics Lab
-
Planning for a Forensics Lab
-
Budget Allocation for a Forensics Lab
-
Physical Location Needs of a Forensics Lab
-
Structural Design Considerations
-
Environmental Conditions
-
Electrical Needs
-
Communication Needs
-
Work Area of a Computer Forensics Lab
-
Ambience of a Forensics Lab
-
Ambience of a Forensics Lab: Ergonomics
-
Physical Security Recommendations
-
Fire-Suppression Systems
-
Evidence Locker Recommendations
-
Computer Forensic Investigator
-
Law Enforcement Officer
-
Lab Director
-
Forensics Lab Licensing Requisite
-
Features of the Laboratory Imaging System
-
Technical Specification of the Laboratory-??ased Imaging System
-
Forensics Lab
-
Auditing a Computer Forensics Lab
-
Recommendations to Avoid Eyestrain
- Investigative Services in Computer Forensics
-
Computer Forensics Investigative Services
-
Computer Forensic Investigative Service Sample
-
Computer Forensics Services: PenrodEllis Forensic Data Discovery
-
Data Destruction Industry Standards
-
Computer Forensics Services
- Computer Forensics Hardware
-
Equipment Required in a Forensics Lab
-
Forensic Workstations
-
Basic Workstation Requirements in a Forensics Lab
-
Stocking the Hardware Peripherals
- Paraben Forensics Hardware
-
Handheld First Responder Kit
-
Wireless StrongHold Bag
-
Wireless StrongHold Box
-
Passport StrongHold Bag
-
Device Seizure Toolbox
-
Project-a-Phone
-
Lockdown
-
iRecovery Stick
-
Data Recovery Stick
-
Chat Stick
-
USB Serial DB9 Adapter
-
Mobile Field Kit
-
Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop
-
Portable Forensic Systems and Towers: Original Forensic Tower II and F
-
Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
-
Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
-
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
-
Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
-
Portable Forensic Systems and Towers: Ultimate Forensic Machine
-
Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
-
Tableau T3u Forensic SATA Bridge Write Protection Kit
-
Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
- Tableau TACC 1441 Hardware Accelerator
-
Tableau TD1 Forensic Duplicator
-
Power Supplies and Switches
- Digital Intelligence Forensic Hardware
-
FRED SR (Dual Xeon)
-
FRED-L
-
FRED SC
-
Forensic Recovery of Evidence Data Center (FREDC)
-
Rack-A-TACC
-
FREDDIE
-
UltraKit
-
UltraBay II
-
UltraBlock SCSI
-
Micro Forensic Recovery of Evidence Device (µFRED)
-
HardCopy 3P
- Wiebetech
-
Forensics DriveDock v4
-
Forensics UltraDock v4
-
Drive eRazer
-
v4 Combo Adapters
-
ProSATA SS8
-
HotPlug
- CelleBrite
-
UFED System
-
UFED Physical Pro
-
UFED Ruggedized
- DeepSpar
-
Disk Imager Forensic Edition
-
3D Data Recovery
-
Phase 1 Tool: PC-3000 Drive Restoration System
-
Phase 2 Tool: DeepSpar Disk Imager
-
Phase 3 Tool: PC-3000 Data Extractor
- InfinaDyne Forensic Products
-
Robotic Loader Extension for CD/DVD Inspector
-
Robotic System Status Light
- Image MASSter
-
Solo-4 (Super Kit)
-
RoadMASSter- 3
-
WipeMASSter
-
WipePRO
-
Rapid Image 7020CS IT
- Logicube
-
Forensic MD5
-
Forensic Talon®
-
Portable Forensic Lab™
-
CellDEK®
-
Forensic Quest-2®
-
NETConnect™
-
RAID I/O Adapter™
-
GPStamp™
-
OmniPort
-
Desktop WritePROtects
-
USB Adapter
-
CloneCard Pro
-
EchoPlus
-
OmniClone IDE Laptop Adapters
-
Cables
- VoomTech
- Computer Forensics Software
-
Basic Software Requirements in a Forensic Lab
-
Maintain Operating System and Application Inventories
- Imaging Software
-
R-drive Image
-
P2 eXplorer Pro
-
AccuBurn-R for CD/DVD Inspector
-
Flash Retriever Forensic Edition
- File Conversion Software
-
FileMerlin
-
SnowBatch®
-
Zamzar
- File Viewer Software
-
File Viewer
-
Quick View Plus 11 Standard Edition
- Analysis Software
-
P2 Commander
-
DriveSpy
-
SIM Card Seizure
-
CD/DVD Inspector
-
Video Indexer (Vindex™)
- Monitoring Software
-
Device Seizure
-
Deployable P2 Commander (DP2C)
-
ThumbsDisplay
-
Email Detective
- Computer Forensics Software
-
DataLifter
-
X-Ways Forensics
-
LiveWire Investigator
Module 07: Understanding Hard Disks and File Systems
- Hard Disk Drive Overview
-
Disk Drive Overview
-
Hard Disk Drive
-
Solid-State Drive (SSD)
-
Physical Structure of a Hard Disk
-
Logical Structure of Hard Disk
-
Types of Hard Disk Interfaces
- Hard Disk Interfaces
-
ATA
-
SCSI
-
IDE/EIDE
-
USB
-
Fibre Channel
-
Disk Platter
- Tracks
- Sector
-
Advanced Format: Sectors
-
Sector Addressing
- Cluster
-
Cluster Size
-
Changing the Cluster Size
-
Slack Space
-
Lost Clusters
-
Bad Sector
-
Hard Disk Data Addressing
-
Disk Capacity Calculation
-
Measuring the Performance of the Hard Disk
- Disk Partitions and Boot Process
-
Disk Partitions
- Master Boot Record
-
Structure of a Master Boot Record
-
What is the Booting Process?
-
Essential Windows System Files
-
Windows Boot Process
-
Macintosh Boot Process
-
http://www.bootdisk.com
- Understanding File Systems
-
Understanding File Systems
-
Types of File Systems
-
List of Disk File Systems
-
List of Network File Systems
-
List of Special Purpose File Systems
-
List of Shared Disk File Systems
- Popular Windows File Systems
- File Allocation Table (FAT)
-
FAT File System Layout
-
FAT Partition Boot Sector
-
FAT Structure
-
FAT Folder Structure
-
Directory Entries and Cluster Chains
-
Filenames on FAT Volumes
-
Examining FAT
-
FAT32
- New Technology File System (NTFS)
-
NTFS Architecture
-
NTFS System Files
-
NTFS Partition Boot Sector
-
Cluster Sizes of NTFS Volume
- NTFS Master File Table (MFT)
-
Metadata Files Stored in the MFT
-
NTFS Files and Data Storage
-
NTFS Attributes
-
NTFS Data Stream
- NTFS Compressed Files
-
Setting the Compression State of a Volume
- Encrypting File Systems (EFS)
-
Components of EFS
-
Operation of Encrypting File System
-
EFS Attribute
-
Encrypting a File
-
EFS Recovery Key Agent
-
Tool: Advanced EFS Data Recovery
-
Tool: EFS Key
-
Sparse Files
-
Deleting NTFS Files
-
Registry Data
-
Examining Registry Data
-
FAT vs. NTFS
- Popular Linux File Systems
-
Linux File System Architecture
-
Ext2
-
Ext3
-
Mac OS X File System
-
HFS vs. HFS Plus
-
HFS
-
HFS Plus
-
HFS Plus Volumes
-
HFS Plus Journal
-
Sun Solaris 10 File System: ZFS
-
CD-ROM / DVD File System
-
CDFS
- RAID Storage System
-
RAID Levels
-
Different RAID Levels
-
Comparing RAID Levels
-
Recover Data from Unallocated Space Using File Carving Process
- File System Analysis Using The Sleuth Kit (TSK)
- The Sleuth Kit (TSK)
-
The Sleuth Kit (TSK): fsstat
-
The Sleuth Kit (TSK): istat
-
The Sleuth Kit (TSK): fls and img_stat
Module 08: Windows Forensics
- Collecting Volatile Information
- Volatile Information
- System Time
-
Logged-on Users
-
Psloggedon
-
Net Sessions Command
-
Logonsessions Tool
- Open Files
-
Net File Command
-
PsFile Command
-
OpenFiles Command
-
Network Information
-
Network Connections
-
Process Information
-
Process-to-Port Mapping
-
Process Memory
-
Network Status
-
Other Important Information
- Collecting Non-volatile Information
- Non-volatile Information
-
Examine File Systems
-
Registry Settings
-
Microsoft Security ID
-
Event Logs
-
Index.dat File
-
Devices and Other Information
-
Slack Space
-
Virtual Memory
-
Swap File
-
Windows Search Index
-
Collecting Hidden Partition Information
- Hidden ADS Streams
-
Investigating ADS Streams: StreamArmor
-
Other Non-Volatile Information
- Windows Memory Analysis
-
Memory Dump
-
EProcess Structure
-
Process Creation Mechanism
-
Parsing Memory Contents
-
Parsing Process Memory
-
Extracting the Process Image
-
Collecting Process Memory
- Windows Registry Analysis
-
Inside the Registry
-
Registry Structure within a Hive File
-
The Registry as a Log File
-
Registry Analysis
-
System Information
-
TimeZone Information
-
Shares
-
Audit Policy
-
Wireless SSIDs
-
Autostart Locations
-
System Boot
-
User Login
-
User Activity
-
Enumerating Autostart Registry Locations
-
USB Removable Storage Devices
-
Mounted Devices
-
Finding Users
-
Tracking User Activity
-
The UserAssist Keys
-
MRU Lists
-
Search Assistant
-
Connecting to Other Systems
-
Analyzing Restore Point Registry Settings
-
Determining the Startup Locations
- Cache, Cookie, and History Analysis
-
Cache, Cookie, and History Analysis in IE
-
Cache, Cookie, and History Analysis in Firefox
-
Cache, Cookie, and History Analysis in Chrome
- Analysis Tools
-
IE Cookies View
-
IE Cache View
-
IE History Viewer
-
MozillaCookiesView
-
MozillaCacheView
-
MozillaHistoryView
-
ChromeCookiesView
-
ChromeCacheView
-
ChromeHistoryView
- MD5 Calculation
-
Message Digest Function: MD5
-
Why MD5 Calculation?
-
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
-
MD5 Checksum Verifier
-
ChaosMD5
- Windows File Analysis
-
Recycle Bin
-
System Restore Points (Rp.log Files)
-
System Restore Points (Change.log.x Files)
-
Prefetch Files
-
Shortcut Files
-
Word Documents
-
PDF Documents
-
Image Files
-
File Signature Analysis
-
NTFS Alternate Data Streams
-
Executable File Analysis
-
Documentation Before Analysis
-
Static Analysis Process
-
Search Strings
-
PE Header Analysis
-
Import Table Analysis
-
Export Table Analysis
-
Dynamic Analysis Process
-
Creating Test Environment
-
Collecting Information Using Tools
-
Process of Testing the Malware
- Metadata Investigation
-
Metadata
-
Types of Metadata
-
Metadata in Different File Systems
-
Metadata in PDF Files
-
Metadata in Word Documents
-
Tool: Metadata Analyzer
- Text Based Logs
-
Understanding Events
-
Event Logon Types
-
Event Record Structure
-
Vista Event Logs
- IIS Logs
- Parsing FTP Logs
-
Parsing DHCP Server Logs
-
Parsing Windows Firewall Logs
-
Using the Microsoft Log Parser
- Other Audit Events
-
Evaluating Account Management Events
-
Examining Audit Policy Change Events
-
Examining System Log Entries
-
Examining Application Log Entries
- Forensic Analysis of Event Logs
-
Searching with Event Viewer
-
Using EnCase to Examine Windows Event Log Files
-
Windows Event Log Files Internals
- Windows Password Issues
-
Understanding Windows Password Storage
-
Cracking Windows Passwords Stored on Running Systems
- Exploring Windows Authentication Mechanisms
-
LanMan Authentication Process
-
NTLM Authentication Process
-
Kerberos Authentication Process
- Sniffing and Cracking Windows Authentication Exchanges
-
Cracking Offline Passwords
- Forensic Tools
-
Windows Forensics Tool: OS Forensics
-
Windows Forensics Tool: Helix3 Pro
-
Integrated Windows Forensics Software: X-Ways Forensics
-
X-Ways Trace
-
Windows Forensic Toolchest (WFT)
-
Built-in Tool: Sigverif
-
Computer Online Forensic Evidence Extractor (COFEE)
-
System Explorer
-
Tool: System Scanner
-
SecretExplorer
-
Registry Viewer Tool: Registry Viewer
-
Registry Viewer Tool: RegScanner
-
Registry Viewer Tool: Alien Registry Viewer
-
MultiMon
-
CurrProcess
-
Process Explorer
-
Security Task Manager
-
PrcView
-
ProcHeapViewer
-
Memory Viewer
-
Tool: PMDump
-
Word Extractor
-
Belkasoft Evidence Center
-
Belkasoft Browser Analyzer
-
Metadata Assistant
-
HstEx
-
XpoLog Center Suite
-
LogViewer Pro
-
Event Log Explorer
-
LogMeister
-
ProDiscover Forensics
-
PyFlag
-
LiveWire Investigator
-
ThumbsDisplay
-
DriveLook
Module 09: Data Acquisition and Duplication
- Data Acquisition and Duplication Concepts
-
Data Acquisition
-
Forensic and Procedural Principles
-
Types of Data Acquisition Systems
-
Data Acquisition Formats
-
Bit Stream vs. Backups
-
Why to Create a Duplicate Image?
-
Issues with Data Duplication
-
Data Acquisition Methods
-
Determining the Best Acquisition Method
-
Contingency Planning for Image Acquisitions
-
Data Acquisition Mistakes
- Data Acquisition Types
-
Rules of Thumb
- Static Data Acquisition
-
Collecting Static Data
-
Static Data Collection Process
- Live Data Acquisition
-
Why Volatile Data is Important?
-
Volatile Data
-
Order of Volatility
-
Common Mistakes in Volatile Data Collection
-
Volatile Data Collection Methodology
-
Basic Steps in Collecting Volatile Data
-
Types of Volatile Information
- Disk Acquisition Tool Requirements
-
Disk Imaging Tool Requirements
-
Disk Imaging Tool Requirements: Mandatory
-
Disk Imaging Tool Requirements: Optional
- Validation Methods
-
Validating Data Acquisitions
-
Linux Validation Methods
-
Windows Validation Methods
- RAID Data Acquisition
-
Understanding RAID Disks
-
Acquiring RAID Disks
-
Remote Data Acquisition
- Acquisition Best Practices
-
Acquisition Best Practices
- Data Acquisition Software Tools
-
Acquiring Data on Windows
-
Acquiring Data on Linux
-
dd Command
-
dcfldd Command
-
Extracting the MBR
-
Netcat Command
-
EnCase Forensic
-
Analysis Software: DriveSpy
-
ProDiscover Forensics
-
AccessData FTK Imager
-
Mount Image Pro
-
Data Acquisition Toolbox
-
SafeBack
-
ILookPI
-
RAID Recovery for Windows
-
R-Tools R-Studio
-
F-Response
-
PyFlag
-
LiveWire Investigator
-
ThumbsDisplay
-
DataLifter
-
X-Ways Forensics
-
R-drive Image
-
DriveLook
-
DiskExplorer
-
P2 eXplorer Pro
-
Flash Retriever Forensic Edition
- Data Acquisition Hardware Tools
-
US-LATT
-
Image MASSter: Solo-4 (Super Kit)
-
Image MASSter: RoadMASSter- 3
-
Tableau TD1 Forensic Duplicator
-
Logicube: Forensic MD5
-
Logicube: Portable Forensic Lab™
-
Logicube: Forensic Talon®
-
Logicube: RAID I/O Adapter™
-
DeepSpar: Disk Imager Forensic Edition
-
Logicube: USB Adapter
-
Disk Jockey PRO
-
Logicube: Forensic Quest-2®
-
Logicube: CloneCard Pro
-
Logicube: EchoPlus
-
Paraben Forensics Hardware: Chat Stick
-
Image MASSter: Rapid Image 7020CS IT
-
Digital Intelligence Forensic Hardware: UltraKit
-
Digital Intelligence Forensic Hardware: UltraBay II
-
Digital Intelligence Forensic Hardware: UltraBlock SCSI
-
Digital Intelligence Forensic Hardware: HardCopy 3P
-
Wiebetech: Forensics DriveDock v4
-
Wiebetech: Forensics UltraDock v4
-
Image MASSter: WipeMASSter
-
Image MASSter: WipePRO
-
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
-
Forensic Tower IV Dual Xeon
-
Digital Intelligence Forensic Hardware: FREDDIE
- DeepSpar: 3D Data Recovery
-
Phase 1 Tool: PC-3000 Drive Restoration System
-
Phase 2 Tool: DeepSpar Disk Imager
-
Phase 3 Tool: PC-3000 Data Extractor
- Logicube
-
Cables
-
Adapters
-
GPStamp™
-
OmniPort
-
CellDEK®
- Paraben Forensics Hardware
-
Project-a-Phone
-
Mobile Field Kit
-
iRecovery Stick
- CelleBrite
-
UFED System
-
UFED Physical Pro
Module 10: Recovering Deleted Files and Deleted Partitions
- Recovering the Deleted Files
-
Deleting Files
-
What Happens When a File is Deleted in Windows?
- Recycle Bin in Windows
-
Storage Locations of Recycle Bin in FAT and NTFS System
-
How the Recycle Bin Works
-
Damaged or Deleted INFO File
-
Damaged Files in Recycled Folder
-
Damaged Recycle Folder
-
File Recovery in MAC OS X
-
File Recovery in Linux
- File Recovery Tools for Windows
-
Recover My Files
-
EASEUS Data Recovery Wizard
-
PC INSPECTOR File Recovery
-
Recuva
-
DiskDigger
-
Handy Recovery
-
Quick Recovery
-
Stellar Phoenix Windows Data Recovery
- Tools to Recover Deleted Files
-
Total Recall
-
Advanced Disk Recovery
-
Windows Data Recovery Software
-
R-Studio
-
PC Tools File Recover
-
Data Rescue PC
-
Smart Undelete
-
FileRestore Professional
-
Deleted File Recovery Software
-
DDR Professional Recovery Software
-
Data Recovery Pro
-
GetDataBack
-
UndeletePlus
-
Search and Recover
-
File Scavenger
-
Filesaver
-
Virtual Lab
-
[email protected] UNDELETE
-
Win Undelete
-
R-Undelete
-
Recover4all Professional
-
eData Unerase
-
[email protected] File Recovery
-
FinalRecovery
- File Recovery Tools for MAC
-
MAC File Recovery
-
MAC Data Recovery
-
Boomerang Data Recovery Software
-
VirtualLab
- File Recovery Tools for MAC OS X
-
DiskWarrior
-
AppleXsoft File Recovery for MAC
-
Disk Doctors MAC Data Recovery
-
R-Studio for MAC
-
Data Rescue
-
Stellar Phoenix MAC Data Recovery
-
FileSalvage
-
TechTool Pro
- File Recovery Tools for Linux
-
R-Studio for Linux
-
Quick Recovery for Linux
-
Kernal for Linux Data Recovery
-
TestDisk for Linux
- Recovering the Deleted Partitions
-
Disk Partition
-
Deletion of Partition
-
Recovery of the Deleted Partition
- Partition Recovery Tools
-
[email protected] Partition Recovery for Windows
-
Acronis Recovery Expert
-
DiskInternals Partition Recovery
-
NTFS Partition Data Recovery
-
GetDataBack
-
EASEUS Partition Recovery
-
Advanced Disk Recovery
-
Power Data Recovery
-
Remo Recover (MAC) - Pro
-
MAC Data Recovery Software
-
Quick Recovery for Linux
-
Stellar Phoenix Linux Data Recovery Software
- Tools to Recover Deleted Partitions
-
Handy Recovery
-
TestDisk for Windows
-
Stellar Phoenix Windows Data Recovery
-
ARAX Disk Doctor
-
Power Data Recovery
-
Quick Recovery for MAC
-
Partition Find & Mount
-
Advance Data Recovery Software Tools
-
TestDisk for MAC
-
Kernel for FAT and NTFS – Windows Disk Recovery
-
Disk Drill
-
Stellar Phoenix MAC Data Recovery
-
ZAR Windows Data Recovery
-
AppleXsoft File Recovery for MAC
-
Quick Recovery for FAT & NTFS
-
TestDisk for Linux
Module 11: Forensics Investigation using AccessData FTK
- Overview and Installation of FTK
-
Overview of Forensic Toolkit (FTK)
-
Features of FTK
-
Software Requirement
-
Configuration Option
-
Database Installation
-
FTK Application Installation
- FTK Case Manager User Interface
- Case Manager Window
- Case Manager Database Menu
-
Setting Up Additional Users and Assigning Roles
- Case Manager Case Menu
- Assigning Users Shared Label Visibility
- Case Manager Tools Menu
-
Recovering Processing Jobs
-
Restoring an Image to a Disk
- Case Manager Manage Menu
-
Managing Carvers
-
Managing Custom Identifiers
- FTK Examiner User Interface
- FTK Examiner User Interface
- Menu Bar: File Menu
-
Exporting Files
-
Exporting Case Data to a Custom Content Image
-
Exporting the Word List
-
Menu Bar: Edit Menu
-
Menu Bar: View Menu
-
Menu Bar: Evidence Menu
- Menu Bar: Tools Menu
-
Verifying Drive Image Integrity
-
Mounting an Image to a Drive
- File List View
-
Using Labels
-
Creating and Applying a Label
- Starting with FTK
-
Creating a case
-
Selecting Detailed Options: Evidence Processing
-
Selecting Detailed Options: Fuzzy Hashing
-
Selecting Detailed Options: Data Carving
-
Selecting Detailed Options: Custom File Identification
-
Selecting Detailed Options: Evidence Refinement (Advanced)
-
Selecting Detailed Options: Index Refinement (Advanced)
- FTK Interface Tabs
- FTK Interface Tabs
-
Explore Tab
-
Overview Tab
-
Email Tab
-
Graphics Tab
-
Bookmarks Tab
-
Live Search Tabs
-
Volatile Tab
- Adding and Processing Static, Live, and Remote Evidence
-
Adding Evidence to a Case
-
Evidence Groups
-
Acquiring Local Live Evidence
-
FTK Role Requirements For Remote Acquisition
-
Types of Remote Information
-
Acquiring Data Remotely Using Remote Device Management System (RDMS)
-
Imaging Drives
-
Mounting and Unmounting a Device
- Using and Managing Filters
-
Accessing Filter Tools
-
Using Filters
-
Customizing Filters
-
Using Predefined Filters
- Using Index Search and Live Search
- Conducting an Index Search
-
Selecting Index Search Options
-
Viewing Index Search Results
-
Documenting Search Results
-
Conducting a Live Search: Live Text Search
-
Conducting a Live Search: Live Hex Search
-
Conducting a Live Search: Live Pattern Search
- Decrypting EFS and other Encrypted Files
-
Decrypting EFS Files and Folders
-
Decrypting MS Office Files
-
Viewing Decrypted Files
-
Decrypting Domain Account EFS Files from Live Evidence
-
Decrypting Credant Files
-
Decrypting Safeboot Files
- Working with Reports
-
Creating a Report
-
Entering Case Information
-
Managing Bookmarks in a Report
-
Managing Graphics in a Report
-
Selecting a File Path List
-
Adding a File Properties List
-
Making Registry Selections
-
Selecting the Report Output Options
-
Customizing the Formatting of Reports
-
Viewing and Distributing a Report
Module 12: Forensics Investigation Using EnCase
- Overview of EnCase Forensic
-
Overview of EnCase Forensic
-
EnCase Forensic Features
-
EnCase Forensic Platform
-
EnCase Forensic Modules
- Installing EnCase Forensic
-
Minimum Requirements
-
Installing the Examiner
-
Installed Files
-
Installing the EnCase Modules
- Configuring EnCase
-
Configuring EnCase: Case Options Tab
-
Configuring EnCase: Global Tab
-
Configuring EnCase: Debug Tab
-
Configuring EnCase: Colors Tab and Fonts Tab
-
Configuring EnCase: EnScript Tab and Storage Paths Tab
-
Sharing Configuration (INI) Files
- EnCase Interface
- Main EnCase Window
-
System Menu Bar
-
Toolbar
- Panes Overview
-
Tree Pane
-
Table Pane
-
Table Pane: Table Tab
-
Table Pane: Report Tab
-
Table Pane: Gallery Tab
-
Table Pane: Timeline Tab
-
Table Pane: Disk Tab and Code Tab
-
View Pane
- Filter Pane
-
Filter Pane Tabs
-
Creating a Filter
-
Creating Conditions
-
Status Bar
- Case Management
-
Overview of Case Structure
-
Case Management
-
Indexing a Case
-
Case Backup
-
Options Dialog Box
-
Logon Wizard
-
New Case Wizard
-
Setting Time Zones for Case Files
-
Setting Time Zone Options for Evidence Files
- Working with Evidence
-
Types of Entries
- Adding a Device
-
Adding a Device using Tableau Write Blocker
-
Performing a Typical Acquisition
-
Acquiring a Device
-
Canceling an Acquisition
-
Acquiring a Handsprings PDA
-
Delayed Loading of Internet Artifacts
-
Hashing the Subject Drive
-
Logical Evidence File (LEF)
-
Creating a Logical Evidence File
-
Recovering Folders on FAT Volumes
-
Restoring a Physical Drive
- Source Processor
-
Source Processor
-
Starting to Work with Source Processor
-
Setting Case Options
- Collection Jobs
-
Creating a Collection Job
-
Copying a Collection Job
-
Running a Collection Job
- Analysis Jobs
-
Creating an Analysis Job
-
Running an Analysis Job
-
Creating a Report
- Analyzing and Searching Files
-
Viewing the File Signature Directory
-
Performing a Signature Analysis
-
Hash Analysis
-
Hashing a New Case
-
Creating a Hash Set
-
Keyword Searches
-
Creating Global Keywords
-
Adding Keywords
-
Importing and Exporting Keywords
-
Searching Entries for Email and Internet Artifacts
-
Viewing Search Hits
-
Generating an Index
-
Tag Records
- Viewing File Content
-
Viewing Files
-
Copying and Unerasing Files
-
Adding a File Viewer
-
Viewing File Content Using View Pane
-
Viewing Compound Files
-
Viewing Base64 and UUE Encoded Files
- Bookmarking Items
-
Bookmarks Overview
-
Creating a Highlighted Data Bookmark
-
Creating a Note Bookmark
-
Creating a Folder Information/Structure Bookmark
-
Creating a Notable File Bookmark
-
Creating a File Group Bookmark
-
Creating a Log Record Bookmark
-
Creating a Snapshot Bookmark
-
Organizing Bookmarks
-
Copying/Moving a Table Entry into a Folder
-
Viewing a Bookmark on the Table Report Tab
-
Excluding Bookmarks
-
Copying Selected Items from One Folder to Another
- Reporting
-
Reporting
-
Report User Interface
-
Creating a Report Using the Report Tab
-
Report Single/Multiple Files
-
Viewing a Bookmark Report
-
Viewing an Email Report
-
Viewing a Webmail Report
-
Viewing a Search Hits Report
-
Creating a Quick Entry Report
-
Creating an Additional Fields Report
-
Exporting a Report
Module 13: Steganography and Image File Forensics
- Steganography
-
What is Steganography?
-
How Steganography Works
-
Legal Use of Steganography
-
Unethical Use of Steganography
- Steganography Techniques
-
Steganography Techniques
-
Application of Steganography
-
Classification of Steganography
-
Technical Steganography
-
Linguistic Steganography
- Types of Steganography
- Image Steganography
-
Least Significant Bit Insertion
-
Masking and Filtering
-
Algorithms and Transformation
-
Image Steganography: Hermetic Stego
-
Steganography Tool: S-Tools
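Worked example for the Least Significant Bit Insertion and Steganalysis topics above. This is an added illustration written for this outline, not code from S-Tools, Hermetic Stego or any other tool listed here. It treats a constructed bytes object as a grayscale image (one byte per pixel), embeds a payload behind a 4-byte length header (both the header layout and the cover are assumptions of the example), extracts it back, and shows the two facts a steganalyst relies on: the cover changes by at most one level per pixel, and the LSB plane's bit statistics shift.

```python
"""LSB insertion on a constructed grayscale cover (one byte per pixel).

Added example for the 'Least Significant Bit Insertion' and 'Steganalysis'
topics; it is not code from any tool named in this outline. The cover image,
payload and 4-byte big-endian length header are assumptions of this example."""


def _bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover, payload):
    """Return a copy of `cover` whose pixel LSBs carry len(payload) + payload."""
    message = len(payload).to_bytes(4, "big") + payload  # assumed header layout
    if len(message) * 8 > len(cover):
        raise ValueError("cover too small: %d bits needed, %d pixels available"
                         % (len(message) * 8, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit  # clear the LSB, then set it to the message bit
    return bytes(stego)


def _read_bytes(stego, first_bit, count):
    """Reassemble `count` bytes from the LSBs starting at pixel `first_bit`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(stego):
    """Recover the payload written by lsb_embed, validating the length header."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length header %d does not fit in %d pixels" % (length, len(stego)))
    return _read_bytes(stego, 32, length)


def max_pixel_change(cover, stego):
    """Largest per-pixel difference; LSB insertion never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_fraction(image, count):
    """Fraction of set LSBs in the first `count` pixels (a crude steganalysis statistic)."""
    return sum(px & 1 for px in image[:count]) / count


# Constructed cover: a smooth gradient whose LSB plane is all zeros, so embedded
# data shows up immediately in lsb_ones_fraction. Real covers have a noisy LSB
# plane, which is why practical detection needs histogram / chi-square tests.
COVER = bytes((i * 2) % 256 for i in range(512))
PAYLOAD = b"attack at dawn"
STEGO = lsb_embed(COVER, PAYLOAD)

if __name__ == "__main__":
    print("recovered:", lsb_extract(STEGO))
    print("max pixel change:", max_pixel_change(COVER, STEGO))
    print("LSB ones fraction cover/stego: %.3f / %.3f"
          % (lsb_ones_fraction(COVER, 144), lsb_ones_fraction(STEGO, 144)))
```

The 144 pixels examined are exactly the 18 message bytes (4-byte header plus 14-byte payload) times 8 bits; on a natural cover the same statistic would sit near 0.5 before and after embedding, which is why the detection tools listed below compare LSB-plane statistics against a model rather than against zero.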
- Image Steganography Tools
-
ImageHide
-
QuickStego
-
Gifshuffle
-
OutGuess
-
Contraband
-
Camera/Shy
-
JPHIDE and JPSEEK
-
StegaNote
- Audio Steganography
-
Audio Steganography Methods
-
Audio Steganography: Mp3stegz
- Audio Steganography Tools
-
MAXA Security Tools
-
Stealth Files
-
Audiostegano
-
BitCrypt
-
MP3Stego
-
Steghide
-
Hide4PGP
-
CHAOS Universal
- Video Steganography
-
Video Steganography: MSU StegoVideo
- Video Steganography Tools
-
Masker
-
Max File Encryption
-
Xiao Steganography
-
RT Steganography
-
Our Secret
-
BDV DataHider
-
CHAOS Universal
-
OmniHide PRO
- Document Steganography: wbStego
-
Byte Shelter I
- Document Steganography Tools
-
Merge Streams
-
Office XML
-
CryptArkan
-
Data Stash
-
FoxHole
-
Xidie Security Suite
-
StegParty
-
Hydan
- Whitespace Steganography Tool: SNOW
- Folder Steganography: Invisible Secrets 4
- Folder Steganography Tools
-
StegoStick
-
QuickCrypto
-
Max Folder Secure
-
WinMend Folder Hidden
-
PSM Encryptor
-
XPTools
-
Universal Shield
-
Hide My Files
-
Spam/Email Steganography: Spam Mimic
-
Steganographic File System
-
Issues in Information Hiding
- Steganalysis
-
Steganalysis
-
How to Detect Steganography
-
Detecting Text, Image, Audio, and Video Steganography
-
Steganalysis Methods/Attacks on Steganography
-
Disabling or Active Attacks
-
Steganography Detection Tool: Stegdetect
- Steganography Detection Tools
-
Xstegsecret
-
Stego Watch
-
StegAlyzerAS
-
StegAlyzerRTS
-
StegSpy
-
Gargoyle Investigator™ Forensic Pro
-
StegAlyzerSS
-
StegMark
- Image Files
-
Image Files
-
Common Terminologies
-
Understanding Vector Images
-
Understanding Raster Images
-
Metafile Graphics
-
Understanding Image File Formats
-
GIF (Graphics Interchange Format)
- JPEG (Joint Photographic Experts Group)
-
JPEG File Structure
-
JPEG 2000
- BMP (Bitmap) File
- PNG (Portable Network Graphics)
- TIFF (Tagged Image File Format)
- Data Compression
-
Understanding Data Compression
-
How Does File Compression Work?
-
Lossless Compression
-
Huffman Coding Algorithm
-
Lempel-Ziv Coding Algorithm
-
Lossy Compression
-
Vector Quantization
- Locating and Recovering Image Files
-
Best Practices for Forensic Image Analysis
-
Forensic Image Processing Using MATLAB
-
Locating and Recovering Image Files
-
Analyzing Image File Headers
-
Repairing Damaged Headers
-
Reconstructing File Fragments
-
Identifying Unknown File Formats
-
Identifying Image File Fragments
-
Identifying Copyright Issues on Graphics
-
Picture Viewer: IrfanView
-
Picture Viewer: ACDSee Photo Manager 12
-
Picture Viewer: Thumbsplus
-
Picture Viewer: AD Picture Viewer Lite
-
Picture Viewer Max
-
Picture Viewer: FastStone Image Viewer
-
Picture Viewer: XnView
-
Faces – Sketch Software
-
Digital Camera Data Discovery Software: File Hound
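Worked example for the Analyzing Image File Headers, Repairing Damaged Headers and Identifying Image File Fragments topics above (the same magic-byte comparison is what the EnCase module calls signature analysis). This is an added illustration written for this outline, not code from Hex Workshop, GFE Stealth or any tool listed here. The signature table is a small constructed subset, the sample "JPEG" is only a structural skeleton (valid SOI, APP0/JFIF segment and EOI, not a decodable picture), and the unallocated-space blob is constructed too.

```python
"""File-signature (magic-number) analysis, JPEG header repair and a minimal
JPEG carver. Added example for the 'Analyzing Image File Headers', 'Repairing
Damaged Headers' and 'Identifying Image File Fragments' topics; it is not code
from any tool in this outline. The signature table is a constructed subset and
SAMPLE_JPEG is a structural skeleton, not a decodable picture."""

# Assumed signature table: type -> (magic bytes, offset at which they appear).
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", 0),
    "png": (b"\x89PNG\r\n\x1a\n", 0),
    "gif": (b"GIF8", 0),  # GIF87a and GIF89a
    "bmp": (b"BM", 0),
    "tiff": (b"II*\x00", 0),  # little-endian TIFF
    "tiff_be": (b"MM\x00*", 0),  # big-endian TIFF, reported as "tiff"
}
EXT_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif",
               "bmp": "bmp", "tif": "tiff", "tiff": "tiff"}


def identify(data):
    """Return the type whose magic bytes match, or None if nothing matches."""
    for name, (magic, offset) in SIGNATURES.items():
        if data[offset:offset + len(magic)] == magic:
            return name.split("_")[0]
    return None


def signature_mismatch(filename, data):
    """True when the extension claims a type the header does not match.

    An unknown extension is not a mismatch (nothing to compare against); a
    known extension over an unrecognised header is, which is how renamed or
    deliberately mislabelled files are surfaced."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = EXT_TO_TYPE.get(ext)
    if expected is None:
        return False
    return identify(data) != expected


def repair_jpeg_header(data):
    """Re-prefix SOI + APPn marker when the first four bytes were overwritten.

    Only the two layouts that can be verified from the surviving bytes are
    repaired ('JFIF\\0' or 'Exif' at offset 6); otherwise None is returned so
    a guess is never written back into evidence."""
    if data[:3] == b"\xff\xd8\xff":
        return data  # nothing to repair
    if data[6:11] == b"JFIF\x00":
        return b"\xff\xd8\xff\xe0" + data[4:]
    if data[6:10] == b"Exif":
        return b"\xff\xd8\xff\xe1" + data[4:]
    return None


def carve_jpegs(blob):
    """Return (start, end) byte ranges of SOI..EOI spans found in `blob`.

    A header-to-footer carver: fine for contiguous files, but when a
    fragmented file's EOI is missing it captures up to the next EOI it finds,
    which is exactly the case fragment reconstruction has to deal with."""
    ranges = []
    pos = 0
    while True:
        start = blob.find(b"\xff\xd8\xff", pos)
        if start < 0:
            break
        end = blob.find(b"\xff\xd9", start + 3)
        if end < 0:
            break
        ranges.append((start, end + 2))
        pos = end + 2
    return ranges


# Constructed samples.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
               + b"\x00" * 16 + b"\xff\xd9")
DAMAGED_JPEG = b"\x00" * 4 + SAMPLE_JPEG[4:]  # first four bytes zeroed
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
DISK_IMAGE = b"\x00" * 100 + SAMPLE_JPEG + b"\xff" * 50 + PNG_HEADER  # unallocated-space stand-in

if __name__ == "__main__":
    print("identify:", identify(SAMPLE_JPEG), identify(PNG_HEADER))
    print("photo.jpg holding PNG data mismatches:", signature_mismatch("photo.jpg", PNG_HEADER))
    print("repair ok:", repair_jpeg_header(DAMAGED_JPEG) == SAMPLE_JPEG)
    print("carved ranges:", carve_jpegs(DISK_IMAGE))
```

Production tools work from signature databases of thousands of entries and validate internal structure (segment lengths, IFD offsets) rather than just the first bytes; the point of the example is the three separate checks an examiner runs: does the header match the name, can a damaged header be restored without guessing, and where in unallocated space do header/footer pairs sit.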
- Image File Forensics Tools
-
Hex Workshop
-
GFE Stealth™ - Forensics Graphics File Extractor
-
Ilook
-
Adroit Photo Forensics 2011
-
Digital Photo Recovery
-
Stellar Phoenix Photo Recovery Software
-
Zero Assumption Recovery (ZAR)
-
Photo Recovery Software
-
Forensic Image Viewer
-
File Finder
-
DiskGetor Data Recovery
-
DERescue Data Recovery Master
-
Recover My Files
-
Universal Viewer
Module 14: Application Password Crackers
- Password Cracking Concepts
-
Password - Terminology
-
Password Types
-
Password Cracker
-
How Does a Password Cracker Work?
-
How Password Hashes Are Stored in the Windows SAM
- Types of Password Attacks
-
Password Cracking Techniques
-
Types of Password Attacks
-
Passive Online Attacks: Wire Sniffing
-
Password Sniffing
-
Passive Online Attack: Man-in-the-Middle and Replay Attack
-
Active Online Attack: Password Guessing
-
Active Online Attack: Trojan/Spyware/Keylogger
-
Active Online Attack: Hash Injection Attack
-
Rainbow Attacks: Pre-Computed Hash
- Distributed Network Attack
-
Elcomsoft Distributed Password Recovery
-
Non-Electronic Attacks
-
Manual Password Cracking (Guessing)
-
Automatic Password Cracking Algorithm
-
Time Needed to Crack Passwords
-
Classification of Cracking Software
-
Systems Software vs. Applications Software
- System Software Password Cracking
- Bypassing BIOS Passwords
-
Using Manufacturer’s Backdoor Password to Access the BIOS
- Using Password Cracking Software
-
Resetting the CMOS using the Jumpers or Solder Beads
-
Removing CMOS Battery
-
Overloading the Keyboard Buffer and Using a Professional Service
-
Tool to Reset Admin Password: Active@ Password Changer
-
Tool to Reset Admin Password: Windows Key
- Application Software Password Cracking
-
Passware Kit Forensic
-
Accent Keyword Extractor
-
Distributed Network Attack
-
Password Recovery Bundle
-
Advanced Office Password Recovery
-
Office Password Recovery
-
Office Password Recovery Toolbox
-
Office Multi-document Password Cracker
-
Word Password Recovery Master
-
Accent WORD Password Recovery
-
Word Password
-
PowerPoint Password Recovery
-
PowerPoint Password
-
Powerpoint Key
-
Stellar Phoenix Powerpoint Password Recovery
-
Excel Password Recovery Master
-
Accent EXCEL Password Recovery
-
Excel Password
-
Advanced PDF Password Recovery
-
PDF Password Cracker
-
PDF Password Cracker Pro
-
Atomic PDF Password Recovery
-
PDF Password
-
Recover PDF Password
-
Appnimi PDF Password Recovery
-
Advanced Archive Password Recovery
-
KRyLack Archive Password Recovery
-
Zip Password
-
Atomic ZIP Password Recovery
-
RAR Password Unlocker
-
Default Passwords
-
http://www.defaultpassword.com
-
http://www.cirt.net/passwords
-
http://default-password.info
-
http://www.defaultpassword.us
-
http://www.passwordsdatabase.com
-
http://www.virus.org
- Password Cracking Tools
-
L0phtCrack
-
OphCrack
-
Cain & Abel
-
RainbowCrack
-
Windows Password Unlocker
-
Windows Password Breaker
-
SAMInside
-
PWdump7 and Fgdump
-
PCLoginNow
-
KerbCrack
-
Recover Keys
-
Windows Password Cracker
-
Proactive System Password Recovery
-
Password Unlocker Bundle
-
Windows Password Reset Professional
-
Windows Password Reset Standard
-
Krbpwguess
-
Password Kit
-
WinPassword
-
Passware Kit Enterprise
-
Rockxp
-
PasswordsPro
-
LSASecretsView
-
LCP
-
MessenPass
-
Mail PassView
-
Messenger Key
-
Dialupass
-
Protected Storage PassView
-
Network Password Recovery
-
Asterisk Key
-
IE PassView
Module 15: Log Capturing and Event Correlation
- Computer Security Logs
-
Computer Security Logs
-
Operating System Logs
-
Application Logs
-
Security Software Logs
-
Router Log Files
-
Honeypot Logs
-
Linux Process Accounting
-
Logon Events in Windows
- Windows Log File
-
Configuring Windows Logging
-
Analyzing Windows Logs
-
Windows Log File: System Logs
-
Windows Log File: Application Logs
-
Logon Events that appear in the Security Event Log
- IIS Logs
-
IIS Log File Format
-
Maintaining Credible IIS Log Files
-
Log File Accuracy
-
Log Everything
-
Keeping Time
-
UTC Time
- View the DHCP Logs
-
Sample DHCP Audit Log File
-
ODBC Logging
- Logs and Legal Issues
-
Legality of Using Logs
-
Records of Regularly Conducted Activity as Evidence
-
Laws and Regulations
- Log Management
- Log Management
-
Functions of Log Management
-
Challenges in Log Management
-
Meeting the Challenges in Log Management
- Centralized Logging and Syslogs
- Centralized Logging
-
Centralized Logging Architecture
-
Steps to Implement Central Logging
- Syslog
-
Syslog in Unix-Like Systems
-
Steps to Set Up a Syslog Server for Unix Systems
-
Advantages of Centralized Syslog Server
-
IIS Centralized Binary Logging
- Time Synchronization
-
Why Synchronize Computer Times?
- What is NTP?
-
NIST Time Servers
-
Configuring Time Server in Windows Server
- Event Correlation
- Event Correlation
-
Types of Event Correlation
-
Prerequisites for Event Correlation
-
Event Correlation Approaches
- Log Capturing and Analysis Tools
-
GFI EventsManager
-
Activeworx Security Center
-
EventLog Analyzer
-
Syslog-ng OSE
-
Kiwi Syslog Server
-
WinSyslog
-
Firewall Analyzer: Log Analysis Tool
-
Activeworx Log Center
-
EventReporter
-
Kiwi Log Viewer
-
Event Log Explorer
-
WebLog Expert
-
XpoLog Center Suite
-
ELM Event Log Monitor
-
EventSentry
-
LogMeister
-
LogViewer Pro
-
WinAgents EventLog Translation Service
-
EventTracker Enterprise
-
Corner Bowl Log Manager
-
Ascella Log Monitor Plus
-
FLAG - Forensic and Log Analysis GUI
-
Simple Event Correlator (SEC)
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
- Network Forensics
-
Network Forensics
-
Network Forensics Analysis Mechanism
-
Network Addressing Schemes
-
Overview of Network Protocols
-
Overview of Physical and Data-Link Layer of the OSI Model
-
Overview of Network and Transport Layer of the OSI Model
-
OSI Reference Model
-
TCP/IP Protocol
- Intrusion Detection Systems (IDS) and Their Placement
-
How IDS Works
-
Types of Intrusion Detection Systems
-
General Indications of Intrusions
-
Firewall
-
Honeypot
- Network Attacks
-
Network Vulnerabilities
- Types of Network Attacks
-
IP Address Spoofing
-
Man-in-the-Middle Attack
- Packet Sniffing
-
Enumeration
-
Denial of Service Attack
-
Session Sniffing
-
Buffer Overflow
-
Trojan Horse
- Log Injection Attacks
- New Line Injection Attack
-
New Line Injection Attack Countermeasure
- Separator Injection Attack
-
Defending Separator Injection Attacks
- Timestamp Injection Attack
-
Defending Timestamp Injection Attacks
- Word Wrap Abuse Attack
-
Defending Word Wrap Abuse Attacks
- HTML Injection Attack
-
Defending HTML Injection Attacks
- Terminal Injection Attack
-
Defending Terminal Injection Attacks
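Worked example for the Log Injection Attacks topics above (new line, separator, timestamp and terminal injection, and their countermeasures). This is an added illustration written for this outline, not code from any product listed here. The tab-separated record layout (timestamp, action, user), the sample events and the attacker-controlled usernames are constructed assumptions of the example; it shows the vulnerable writer beside the hardened one and parses the result the way an analyst's tooling would.

```python
"""Newline / separator / terminal injection into a text log, and the escaping
that defeats it. Added example for the 'Log Injection Attacks' topics; it is
not code from any product in this outline. The tab-separated record layout and
the sample events are assumptions of this example."""

LOG_SEP = "\t"  # assumed field separator of the constructed log format


def format_entry_naive(timestamp, action, user):
    """The vulnerable writer: untrusted `user` is copied into the record verbatim."""
    return LOG_SEP.join((timestamp, action, user))


def sanitize_field(value):
    """Escape everything that could split or restyle a record.

    Backslash is escaped first so the encoding stays reversible; CR, LF and the
    tab separator close newline and separator injection; the remaining C0
    control characters and DEL close terminal injection (ESC sequences that
    `cat` or `tail` would hand to the analyst's terminal). HTML escaping is
    deliberately not done here: it belongs to whatever later renders the log in
    a browser, and doing it at write time corrupts the record for every other
    consumer."""
    out = []
    for ch in value:
        if ch == "\\":
            out.append("\\\\")
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch == "\t":
            out.append("\\t")
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def format_entry_safe(timestamp, action, user):
    """Hardened writer: every field is escaped. The timestamp is the server's
    own clock value, never a request-supplied string, which is the timestamp
    injection countermeasure."""
    return LOG_SEP.join(sanitize_field(f) for f in (timestamp, action, user))


def parse_log(text):
    """Split the log the way an analyst's tooling would: one record per line."""
    return [line.split(LOG_SEP) for line in text.split("\n") if line]


# Constructed attacker input: a username carrying a complete forged record that
# claims a successful root login one second later.
TIMESTAMP = "2024-01-01T00:00:00Z"
FORGED_RECORD = "2024-01-01T00:00:01Z\tLOGIN_OK\troot"
MALICIOUS_USER = "alice\n" + FORGED_RECORD
TERMINAL_USER = "bob\x1b[2J\x1b[H"  # clear-screen sequence aimed at the analyst's terminal


def demo(user):
    """Return (records seen with the naive writer, records seen with the safe writer)."""
    naive = parse_log(format_entry_naive(TIMESTAMP, "LOGIN_FAIL", user))
    safe = parse_log(format_entry_safe(TIMESTAMP, "LOGIN_FAIL", user))
    return naive, safe


if __name__ == "__main__":
    naive, safe = demo(MALICIOUS_USER)
    print("naive writer, records:", naive)
    print("safe writer, records:", safe)
    print("terminal payload escaped:", sanitize_field(TERMINAL_USER))
```

With the naive writer the parser sees two records and the second one says root logged in successfully; with the hardened writer there is one record whose user field visibly contains the escaped attack string, which is itself evidence worth bookmarking.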
- Investigating and Analyzing Logs
-
Postmortem and Real-Time Analysis
-
Where to Look for Evidence
-
Log Capturing Tool: ManageEngine EventLog Analyzer
-
Log Capturing Tool: ManageEngine Firewall Analyzer
-
Log Capturing Tool: GFI EventsManager
-
Log Capturing Tool: Kiwi Syslog Server
-
Handling Logs as Evidence
-
Log File Authenticity
-
Use Signatures, Encryption, and Checksums
-
Work with Copies
-
Ensure System’s Integrity
-
Access Control
-
Chain of Custody
-
Condensing Log File
- Investigating Network Traffic
-
Why Investigate Network Traffic?
-
Evidence Gathering via Sniffing
- Capturing Live Data Packets Using Wireshark
-
Display Filters in Wireshark
-
Additional Wireshark Filters
- Acquiring Traffic Using DNS Poisoning Techniques
-
Intranet DNS Spoofing (Local Network)
-
Intranet DNS Spoofing (Remote Network)
-
Proxy Server DNS Poisoning
-
DNS Cache Poisoning
-
Evidence Gathering from ARP Table
-
Evidence Gathering at the Data-Link Layer: DHCP Database
-
Gathering Evidence by IDS
-
Traffic Capturing and Analysis Tools
-
NetworkMiner
-
Tcpdump/Windump
- Intrusion Detection Tool: Snort
-
IDS Policy Manager
-
MaaTec Network Analyzer
-
Iris Network Traffic Analyzer
-
NetWitness Investigator
-
Colasoft Capsa Network Analyzer
-
Sniff-O-Matic
-
NetResident
-
Network Probe
-
NetFlow Analyzer
-
OmniPeek Network Analyzer
-
Firewall Evasion Tool: Traffic IQ Professional
-
NetworkView
-
CommView
-
Observer
-
SoftPerfect Network Protocol Analyzer
-
EffeTech HTTP Sniffer
-
Big-Mother
-
EtherDetect Packet Sniffer
-
Ntop
-
EtherApe
-
AnalogX Packetmon
-
IEInspector HTTP Analyzer
-
SmartSniff
-
Distinct Network Monitor
-
Give Me Too
-
EtherSnoop
-
Show Traffic
-
Argus
-
Documenting the Evidence Gathered on a Network
Module 17: Investigating Wireless Attacks
- Wireless Technologies
-
Wireless Networks
-
Wireless Terminologies
-
Wireless Components
-
Types of Wireless Networks
-
Wireless Standards
-
MAC Filtering
-
Service Set Identifier (SSID)
-
Types of Wireless Encryption: WEP
-
Types of Wireless Encryption: WPA
-
Types of Wireless Encryption: WPA2
-
WEP vs. WPA vs. WPA2
- Wireless Attacks
-
Wi-Fi Chalking
-
Wi-Fi Chalking Symbols
-
Access Control Attacks
-
Integrity Attacks
-
Confidentiality Attacks
-
Availability Attacks
-
Authentication Attacks
- Investigating Wireless Attacks
-
Key Points to Remember
- Steps for Investigation
-
Obtain a Search Warrant
- Identify Wireless Devices at Crime Scene
-
Search for Additional Devices
-
Detect Rogue Access Point
-
Document the Scene and Maintain a Chain of Custody
- Detect the Wireless Connections
-
Methodologies to Detect Wireless Connections
-
Wi-Fi Discovery Tool: inSSIDer
- GPS Mapping
-
GPS Mapping Tool: WIGLE
-
GPS Mapping Tool: Skyhook
-
How to Discover Wi-Fi Networks Using Wardriving
-
Check for MAC Filtering
-
Changing the MAC Address
-
Detect WAPs using the Nessus Vulnerability Scanner
- Capturing Wireless Traffic
-
Sniffing Tool: Wireshark
-
Follow TCP Stream in Wireshark
-
Display Filters in Wireshark
-
Additional Wireshark Filters
- Determine Wireless Field Strength
-
Determine Wireless Field Strength: FSM
-
Determine Wireless Field Strength: ZAP Checker Products
-
What is Spectrum Analysis?
-
Map Wireless Zones & Hotspots
- Connect to Wireless Network
-
Connect to the Wireless Access Point
-
Access Point Data Acquisition and Analysis: Attached Devices
-
Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
- Access Point Data Acquisition and Analysis
-
Firewall Analyzer
-
Firewall Log Analyzer
-
Wireless Devices Data Acquisition and Analysis
-
Report Generation
-
Features of a Good Wireless Forensics Tool
- Wireless Forensics Tools
- Wi-Fi Discovery Tools
-
NetStumbler
-
NetSurveyor
-
Vistumbler
-
WirelessMon
-
Kismet
-
AirPort Signal
-
WiFi Hopper
-
Wavestumbler
-
iStumbler
-
WiFinder
-
Meraki WiFi Stumbler
-
Wellenreiter
-
AirCheck Wi-Fi Tester
-
AirRadar 2
- Wi-Fi Packet Sniffers
-
OmniPeek
-
CommView for Wi-Fi
-
Wi-Fi USB Dongle: AirPcap
-
tcpdump
-
KisMAC
- Acquiring Traffic Using DNS Poisoning Techniques
-
Intranet DNS Spoofing (Local Network)
-
Intranet DNS Spoofing (Remote Network)
-
Proxy Server DNS Poisoning
-
DNS Cache Poisoning
-
Evidence Gathering from ARP Table
-
Evidence Gathering at the Data-Link Layer: DHCP Database
-
Gathering Evidence by IDS
- Traffic Capturing and Analysis Tools
-
NetworkMiner
-
Tcpdump/Windump
- Intrusion Detection Tool: Snort
-
IDS Policy Manager
-
MaaTec Network Analyzer
-
Iris Network Traffic Analyzer
-
NetWitness Investigator
-
Colasoft Capsa Network Analyzer
-
Sniff-O-Matic
-
NetResident
-
Network Probe
-
NetFlow Analyzer
-
OmniPeek Network Analyzer
-
Firewall Evasion Tool: Traffic IQ Professional
-
NetworkView
-
CommView
-
Observer
-
SoftPerfect Network Protocol Analyzer
-
EffeTech HTTP Sniffer
-
Big-Mother
-
EtherDetect Packet Sniffer
-
Cascade Pilot Personal Edition
-
OptiView® XG Network Analysis Tablet
-
Network Packet Analyzer
-
Network Observer
-
Ufasoft Snif
-
CommView for WiFi
-
Network Assistant
- Wi-Fi Raw Packet Capturing Tools
-
WirelessNetView
-
Pirni Sniffer
-
Tcpdump
-
Airview
- Wi-Fi Spectrum Analyzing Tools
-
Cisco Spectrum Expert
-
AirMedic
-
BumbleBee
-
Wi-Spy
Module 18: Investigating Web Attacks
- Introduction to Web Applications and Webservers
-
Introduction to Web Applications
-
Web Application Components
-
How Web Applications Work
-
Web Application Architecture
-
Open Source Webserver Architecture
-
Indications of a Web Attack
-
Web Attack Vectors
-
Why Web Servers are Compromised
-
Impact of Webserver Attacks
-
Website Defacement
-
Case Study
- Web Logs
-
Overview of Web Logs
-
Application Logs
- Internet Information Services (IIS) Logs
-
IIS Webserver Architecture
-
IIS Log File Format
-
Apache Webserver Logs
-
DHCP Server Logs
- Web Attacks
-
Web Attacks - 1
-
Web Attacks - 2
-
Unvalidated Input
-
Parameter/Form Tampering
-
Directory Traversal
-
Security Misconfiguration
-
Injection Flaws
-
SQL Injection Attacks
- Command Injection Attacks
-
Command Injection Example
-
File Injection Attack
- What is LDAP Injection?
-
Hidden Field Manipulation Attack
- Cross-Site Scripting (XSS) Attacks
- Cross-Site Request Forgery (CSRF) Attack
- Web Application Denial-of-Service (DoS) Attack
-
Denial of Service (DoS) Examples
-
Buffer Overflow Attacks
- Cookie/Session Poisoning
-
How Cookie Poisoning Works
-
Session Fixation Attack
-
Insufficient Transport Layer Protection
-
Improper Error Handling
-
Insecure Cryptographic Storage
-
Broken Authentication and Session Management
-
Unvalidated Redirects and Forwards
-
DMZ Protocol Attack/Zero-Day Attack
-
Log Tampering
-
URL Interpretation and Impersonation Attack
-
Web Services Attack
-
Web Services Footprinting Attack
-
Web Services XML Poisoning
-
Webserver Misconfiguration
-
HTTP Response Splitting Attack
-
Web Cache Poisoning Attack
-
HTTP Response Hijacking
-
SSH Bruteforce Attack
-
Man-in-the-Middle Attack
-
Defacement Using DNS Compromise
- Web Attack Investigation
-
Investigating Web Attacks
-
Investigating Web Attacks in Windows-Based Servers
-
Investigating IIS Logs
-
Investigating Apache Logs
-
Example of FTP Compromise
-
Investigating FTP Servers
-
Investigating Static and Dynamic IP Addresses
-
Sample DHCP Audit Log File
-
Investigating Cross-Site Scripting (XSS)
-
Investigating SQL Injection Attacks
-
Pen-Testing CSRF Validation Fields
-
Investigating Code Injection Attack
-
Investigating Cookie Poisoning Attack
-
Detecting Buffer Overflow
-
Investigating Authentication Hijacking
-
Web Page Defacement
-
Investigating DNS Poisoning
-
Intrusion Detection
-
Security Strategies to Web Applications
-
Checklist for Web Security
- Web Attack Detection Tools
- Web Application Security Tools
-
Acunetix Web Vulnerability Scanner
-
Falcove Web Vulnerability Scanner
-
Netsparker
-
N-Stalker Web Application Security Scanner
-
Sandcat
-
Wikto
-
WebWatchBot
-
OWASP ZAP
-
SecuBat Vulnerability Scanner
-
Websecurify
-
HackAlert
-
WebCruiser
- Web Application Firewalls
-
dotDefender
-
IBM AppScan
-
ServerDefender VP
- Web Log Viewers
-
Deep Log Analyzer
-
WebLog Expert
-
AlterWind Log Analyzer
-
Webalizer
-
eWebLog Analyzer
-
Apache Logs Viewer (ALV)
- Web Attack Investigation Tools
-
AWStats
-
Paros Proxy
-
Scrawlr
- Tools for Locating IP Address
-
Whois Lookup
-
SmartWhois
-
ActiveWhois
-
LanWhois
-
CountryWhois
-
CallerIP
-
Hide Real IP
-
IP Address Manager
-
Pandora FMS
Module 19: Tracking Emails and Investigating Email Crimes
- Email System Basics
-
Email Terminology
-
Email System
-
Email Clients
-
Email Server
-
SMTP Server
-
POP3 and IMAP Servers
-
Email Message
-
Importance of Electronic Records Management
- Email Crimes
-
Email Crime
-
Email Spamming
-
Mail Bombing/Mail Storm
-
Phishing
-
Email Spoofing
-
Crime via Chat Room
-
Identity Fraud/Chain Letter
- Email Headers
-
Examples of Email Headers
-
List of Common Headers
- Steps to Investigate
-
Why Investigate Emails?
- Investigating Email Crime and Violation
-
Obtain a Search Warrant and Seize the Computer and Email Account
-
Obtain a Bit-by-Bit Image of Email Information
- Examine Email Headers
-
Viewing Email Headers in Microsoft Outlook
-
Viewing Email Headers in AOL
-
Viewing Email Headers in Hotmail
-
Viewing Email Headers in Gmail
-
Viewing Headers in Yahoo Mail
-
Forging Headers
- Analyzing Email Headers
-
Email Header Fields
-
Received: Headers
-
Microsoft Outlook Mail
-
Examining Additional Files (.pst or .ost files)
-
Checking the Email Validity
-
Examine the Originating IP Address
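Worked example for the Received: Headers and Examine the Originating IP Address topics above, and for the Tracing Back step that follows. This is an added illustration written for this outline, not code from eMailTrackerPro or any tool listed here. Both messages are constructed and use documentation address ranges; the host-continuity rule (each header's "by" host must match the "from" host of the header above it) is a heuristic assumption of the example, since real MTAs name themselves inconsistently, and is meant to be read alongside the dates and the mail operator's own records rather than trusted alone.

```python
"""Walk the Received: chain of a message to find the originating IP and to
flag a break in the chain. Added example for the 'Received: Headers',
'Examine the Originating IP Address' and 'Tracing Back' topics; it is not code
from any tool in this outline. The messages are constructed and the
host-continuity rule is a heuristic assumption of this example."""

import email
import re
from email.utils import parsedate_to_datetime

_FROM = re.compile(r"\bfrom\s+(\S+)")
_BY = re.compile(r"\bby\s+(\S+)")
_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _grp(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None


def parse_received(raw_message):
    """Return one dict per Received: header, top of message first (newest hop).

    MTAs prepend, so index 0 is the header your own server wrote and the last
    index is the hop closest to the sender."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())  # unfold continuation lines
        clauses, sep, date = value.rpartition(";")
        if not sep:  # no ';' means no date clause
            clauses, date = value, ""
        hops.append({
            "from": _grp(_FROM, clauses),  # name the sending host gave / its rDNS
            "by": _grp(_BY, clauses),      # name the receiving host calls itself
            "ip": _grp(_IP, clauses),      # first bracketed IPv4 literal
            "date": parsedate_to_datetime(date.strip()) if date.strip() else None,
        })
    return hops


def originating_ip(raw_message):
    """Walk down from the header your own MTA wrote.

    A lower header is trusted only if the host it says it was received `by` is
    the host the header above says the message came `from`. Anything below a
    break was already inside the message when it arrived, i.e. it was written
    by the sender or a forger, so the origin is the deepest trusted hop's IP."""
    hops = parse_received(raw_message)
    if not hops:
        return None
    index = 0
    chain_break = False
    for i in range(1, len(hops)):
        if hops[i]["by"] != hops[i - 1]["from"]:
            chain_break = True
            break
        index = i
    return {"ip": hops[index]["ip"], "hop_index": index,
            "chain_break": chain_break, "hops": hops}


# Constructed message: three genuine hops, sender on 203.0.113.45.
RAW_MESSAGE = "\n".join([
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])",
    "\tby mail.victim.example (Postfix) with ESMTPS id 4ABC123",
    "\tfor <cfo@victim.example>; Mon, 01 Jan 2024 10:00:05 +0000",
    "Received: from relay.example.net (relay.example.net [198.51.100.7])",
    "\tby mx1.example.org with ESMTP; Mon, 01 Jan 2024 10:00:03 +0000",
    "Received: from [203.0.113.45] (helo=ceo-laptop)",
    "\tby relay.example.net with ESMTPA; Mon, 01 Jan 2024 10:00:01 +0000",
    "From: \"CEO\" <ceo@victim.example>",
    "To: cfo@victim.example",
    "Subject: Urgent wire transfer",
    "Date: Mon, 01 Jan 2024 10:00:00 +0000",
    "",
    "Please wire the funds today.",
])

# Same message, but the sender pre-inserted a bottom Received: line blaming
# 192.0.2.99. Its 'by ceo-laptop' does not match the '[203.0.113.45]' above it.
FORGED_MESSAGE = RAW_MESSAGE.replace(
    "From: ",
    "Received: from innocent.example (innocent.example [192.0.2.99])\n"
    "\tby ceo-laptop with SMTP; Mon, 01 Jan 2024 09:59:00 +0000\n"
    "From: ", 1)

if __name__ == "__main__":
    for label, raw in (("genuine", RAW_MESSAGE), ("forged", FORGED_MESSAGE)):
        result = originating_ip(raw)
        print(label, "origin:", result["ip"], "hop:", result["hop_index"],
              "chain break:", result["chain_break"])
```

Two cautions the code comments only hint at: web-mail and authenticated submission (ESMTPA above) may record the sender's IP in a different header or not at all, and a forger who knows the relay's naming can make the continuity check pass, so the hop dates, the relay operator's logs and the message's own identifiers (Message-ID, envelope data) must corroborate what the chain says.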
- Trace Email Origin
-
Tracing Back
-
Tracing Back Web-based Email
-
Acquire Email Archives
-
Email Archives
-
Content of Email Archives
-
Local Archive
-
Server Storage Archive
-
Forensic Acquisition of Email Archive
- Recover Deleted Emails
- Email Forensics Tools
-
Stellar Phoenix Deleted Email Recovery
-
Recover My Email
-
Outlook Express Recovery
-
Zmeil
-
Quick Recovery for MS Outlook
-
Email Detective
-
Email Trace - Email Tracking
-
R-Mail
-
FINALeMAIL
-
eMailTrackerPro
-
Forensic Tool Kit (FTK)
-
Paraben's E-mail Examiner
-
Network Email Examiner by Paraben
-
DiskInternals Outlook Express Repair
-
Abuse.Net
-
MailDetective Tool
- Laws and Acts against Email Crimes
-
U.S. Laws Against Email Crime: CAN-SPAM Act
-
18 U.S.C. § 2252A
-
18 U.S.C. § 2252B
-
Email Crime Law in Washington: RCW 19.190.020
Module 20: Mobile Forensics
- Mobile Phone
-
Mobile Phone
-
Different Mobile Devices
-
Hardware Characteristics of Mobile Devices
-
Software Characteristics of Mobile Devices
-
Components of Cellular Network
-
Cellular Network
-
Different Cellular Networks
- Mobile Operating Systems
-
Mobile Operating Systems
-
Types of Mobile Operating Systems
- WebOS
-
WebOS System Architecture
- Symbian OS
- Android OS
-
RIM BlackBerry OS
- Windows Phone 7
-
Windows Phone 7 Architecture
-
Apple iOS
- Mobile Forensics
-
What Can a Criminal Do with Mobile Phones?
-
Mobile Forensics
-
Mobile Forensics Challenges
-
Forensics Information in Mobile Phones
-
Memory Considerations in Mobiles
-
Subscriber Identity Module (SIM)
-
SIM File System
-
Integrated Circuit Card Identification (ICCID)
-
International Mobile Equipment Identifier (IMEI)
-
Electronic Serial Number (ESN)
-
Precautions to be Taken Before Investigation
- Mobile Forensic Process
- Mobile Forensic Process
- Collect the Evidence
-
Collecting the Evidence
-
Points to Remember while Collecting the Evidence
-
Collecting an iPod/iPhone Connected to a Computer
-
Document the Scene and Preserve the Evidence
-
Imaging and Profiling
- Acquire the Information
-
Device Identification
-
Acquire Data from SIM Cards
-
Acquire Data from Unobstructed Mobile Devices
-
Acquire Data from Obstructed Mobile Devices
-
Acquire Data from Memory Cards
-
Acquire Data from Synched Devices
-
Gather Data from Network Operator
-
Check Call Data Records (CDRs)
-
Gather Data from SQLite Records
-
Analyze the Information
-
Generate Report
- Mobile Forensics Software Tools
-
Oxygen Forensic Suite 2011
-
MOBILedit! Forensic
-
BitPim
-
SIM Analyzer
-
SIMCon
-
SIM Card Data Recovery
-
Memory Card Data Recovery
-
Device Seizure
-
SIM Card Seizure
-
ART (Automatic Reporting Tool)
-
iPod Data Recovery Software
-
Recover My iPod
-
PhoneView
-
Elcomsoft Blackberry Backup Explorer
-
Oxygen Phone Manager II
-
Sanmaxi SIM Recoverer
-
USIMdetective
-
CardRecovery
-
Stellar Phoenix iPod Recovery Software
-
iCare Data Recovery Software
-
Cell Phone Analyzer
-
iXAM
-
BlackBerry Database Viewer Plus
-
BlackBerry Signing Authority Tool
- Mobile Forensics Hardware Tools
-
Secure View Kit
-
Deployable Device Seizure (DDS)
-
Paraben's Mobile Field Kit
-
PhoneBase
-
XACT System
-
Logicube CellDEK
-
Logicube CellDEK TEK
-
Radio Tactics ACESO
-
UME-36Pro - Universal Memory Exchanger
-
Cellebrite UFED System - Universal Forensic Extraction Device
-
ZRT 2
-
ICD 5200
-
ICD 1300
Module 21: Investigative Reports
- Computer Forensics Report
-
Computer Forensics Report
-
Salient Features of a Good Report
-
Aspects of a Good Report
- Computer Forensics Report Template
-
Computer Forensics Report Template
-
Simple Format of the Chain of Custody Document
-
Chain of Custody Forms
-
Evidence Collection Form
-
Computer Evidence Worksheet
-
Hard Drive Evidence Worksheet
-
Removable Media Worksheet
- Investigative Report Writing
-
Report Classification
- Layout of an Investigative Report
-
Layout of an Investigative Report: Numbering
-
Report Specifications
-
Guidelines for Writing a Report
-
Use of Supporting Material
-
Importance of Consistency
-
Investigative Report Format
-
Attachments and Appendices
-
Include Metadata
-
Signature Analysis
-
Investigation Procedures
-
Collecting Physical and Demonstrative Evidence
-
Collecting Testimonial Evidence
-
Do's and Don'ts of Computer Forensics Investigations
-
Case Report Writing and Documentation
-
Create a Report to Attach to the Media Analysis Worksheet
-
Best Practices for Investigators
- Sample Forensics Report
- Report Writing Using Tools
-
Writing Report Using FTK
-
Writing Report Using ProDiscover
Module 22: Becoming an Expert Witness
- Expert Witness
-
What is an Expert Witness?
-
Role of an Expert Witness
-
What Makes a Good Expert Witness?
- Types of Expert Witnesses
-
Types of Expert Witnesses
- Computer Forensics Experts
-
Role of Computer Forensics Expert
-
Medical & Psychological Experts
-
Civil Litigation Experts
-
Construction & Architecture Experts
-
Criminal Litigation Experts
- Scope of Expert Witness Testimony
-
Scope of Expert Witness Testimony
-
Technical Witness vs. Expert Witness
-
Preparing for Testimony
- Evidence Processing
-
Evidence Preparation and Documentation
-
Evidence Processing Steps
-
Checklists for Processing Evidence
-
Examining Computer Evidence
-
Prepare the Report
-
Evidence Presentation
- Rules for Expert Witness
-
Rules Pertaining to an Expert Witness’s Qualification
-
Daubert Standard
-
Frye Standard
-
Importance of Resume
-
Testifying in the Court
-
The Order of Trial Proceedings
- General Ethics While Testifying
-
General Ethics While Testifying
-
Importance of Graphics in a Testimony
-
Helping your Attorney
-
Avoiding Testimony Issues
-
Testifying during Direct Examination
-
Testifying during Cross-Examination
-
Deposition
-
Recognizing Deposition Problems
-
Guidelines to Testify at a Deposition
-
Dealing with Media
-
Finding a Computer Forensic Expert