Computer Hacking Forensic Investigator
Course Outline
Exam 312-49
(Version 8)
Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction Is Strictly Prohibited.

Module 01: Computer Forensics in Today’s World
• Forensics Science
• Computer Forensics
  o Security Incident Report
  o Aspects of Organizational Security
  o Evolution of Computer Forensics
  o Objective of Computer Forensics
  o Need for Computer Forensics
• Forensics Readiness
  o Benefits of Forensics Readiness
  o Goals of Forensics Readiness
  o Forensics Readiness Planning
• Cyber Crime
  o Computer Facilitated Crimes
  o Modes of Attacks
  o Examples of Cyber Crime
  o Types of Computer Crimes
  o Cyber Criminals
  o Organized Cyber Crime: Organizational Chart
  o How Serious are Different Types of Incidents?
  o Disruptive Incidents to the Business
  o Cost Expenditure Responding to the Security Incident
• Cyber Crime Investigation
  o Key Steps in Forensics Investigation
  o Rules of Forensics Investigation
  o Need for Forensics Investigator
  o Role of Forensics Investigator
  o Accessing Computer Forensics Resources
  o Role of Digital Evidence
• Corporate Investigations
  o Understanding Corporate Investigations
  o Approach to Forensics Investigation: A Case Study
  o Instructions for the Forensic Investigator to Approach the Crime Scene
  o Why and When Do You Use Computer Forensics?
  o Enterprise Theory of Investigation (ETI)
  o Legal Issues
  o Reporting the Results
• Reporting a Cyber Crime
  o Why you Should Report Cybercrime?
  o Reporting Computer-Related Crimes
  o Person Assigned to Report the Crime
  o When and How to Report an Incident?
  o Who to Contact at the Law Enforcement?
  o Federal Local Agents Contact
  o More Contacts
  o CIO Cyberthreat Report Form

Module 02: Computer Forensics Investigation Process
• Investigating Computer Crime
  o Before the Investigation
  o Build a Forensics Workstation
  o Building the Investigation Team
  o People Involved in Computer Forensics
  o Review Policies and Laws
  o Forensics Laws
  o Notify Decision Makers and Acquire Authorization
  o Risk Assessment
  o Build a Computer Investigation Toolkit
• Steps to Prepare for a Computer Forensics Investigation
• Computer Forensics Investigation Methodology
  o Obtain Search Warrant
    ▪ Example of Search Warrant
    ▪ Searches Without a Warrant
  o Evaluate and Secure the Scene
    ▪ Forensics Photography
    ▪ Gather the Preliminary Information at the Scene
    ▪ First Responder
  o Collect the Evidence
    ▪ Collect Physical Evidence
    ▪ Evidence Collection Form
    ▪ Collect Electronic Evidence
    ▪ Guidelines for Acquiring Evidence
  o Secure the Evidence
    ▪ Evidence Management
    ▪ Chain of Custody
    ▪ Chain of Custody Form
  o Acquire the Data
    ▪ Duplicate the Data (Imaging)
    ▪ Verify Image Integrity
      ▪ MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
    ▪ Recover Lost or Deleted Data
    ▪ Data Recovery Software
  o Analyze the Data
    ▪ Data Analysis
    ▪ Data Analysis Tools
  o Assess Evidence and Case
    ▪ Evidence Assessment
    ▪ Case Assessment
    ▪ Processing Location Assessment
    ▪ Best Practices to Assess the Evidence
  o Prepare the Final Report
    ▪ Documentation in Each Phase
    ▪ Gather and Organize Information
    ▪ Writing the Investigation Report
    ▪ Sample Report
  o Testifying as an Expert Witness
    ▪ Expert Witness
    ▪ Testifying in the Court Room
    ▪ Closing the Case
    ▪ Maintaining Professional Conduct
    ▪ Investigating a Company Policy Violation
    ▪ Computer Forensics Service Providers

Module 03: Searching and Seizing Computers
• Searching and Seizing Computers without a Warrant
  o Searching and Seizing Computers without a Warrant
  o § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles
  o § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
  o § A.3: Reasonable Expectation of Privacy and Third-Party Possession
  o § A.4: Private Searches
  o § A.5: Use of Technology to Obtain Information
  o § B: Exceptions to the Warrant Requirement in Cases Involving Computers
  o § B.1: Consent
  o § B.1.a: Scope of Consent
  o § B.1.b: Third-Party Consent
  o § B.1.c: Implied Consent
  o § B.2: Exigent Circumstances
  o § B.3: Plain View
  o § B.4: Search Incident to a Lawful Arrest
  o § B.5: Inventory Searches
  o § B.6: Border Searches
  o § B.7: International Issues
  o § C: Special Case: Workplace Searches
  o § C.1: Private Sector Workplace Searches
  o § C.2: Public-Sector Workplace Searches
• Searching and Seizing Computers with a Warrant
  o Searching and Seizing Computers with a Warrant
  o § A: Successful Search with a Warrant
  o § A.1: Basic Strategies for Executing Computer Searches
  o § A.1.a: When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
  o § A.1.b: When Hardware Is Merely a Storage Device for Evidence of Crime
  o § A.2: The Privacy Protection Act
  o § A.2.a: The Terms of the Privacy Protection Act
  o § A.2.b: Application of the PPA to Computer Searches and Seizures
  o § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
  o § A.4: Considering the Need for Multiple Warrants in Network Searches
  o § A.5: No-Knock Warrants
  o § A.6: Sneak-and-Peek Warrants
  o § A.7: Privileged Documents
  o § B: Drafting the Warrant and Affidavit
  o § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
  o § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”
  o § B.2: Establish Probable Cause in the Affidavit
  o § B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search
  o § C: Post-Seizure Issues
  o § C.1: Searching Computers Already in Law Enforcement Custody
  o § C.2: The Permissible Time Period for Examining Seized Computers
  o § C.3: Rule 41(e) Motions for Return of Property
• The Electronic Communications Privacy Act
  o The Electronic Communications Privacy Act
  o § A. Providers of Electronic Communication Service vs. Remote Computing Service
  o § B. Classifying Types of Information Held by Service Providers
  o § C. Compelled Disclosure Under ECPA
  o § D. Voluntary Disclosure
  o § E. Working with Network Providers
• Electronic Surveillance in Communications Networks
  o Electronic Surveillance in Communications Networks
  o § A. Content vs. Addressing Information
  o § B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
  o § C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522
  o § C.1: Exceptions to Title III
  o § D. Remedies For Violations of Title III and the Pen/Trap Statute
• Evidence
  o Evidence
  o § A. Authentication
  o § B. Hearsay
  o § C. Other Issues

Module 04: Digital Evidence
• Digital Data
  o Definition of Digital Evidence
  o Increasing Awareness of Digital Evidence
  o Challenging Aspects of Digital Evidence
  o The Role of Digital Evidence
  o Characteristics of Digital Evidence
  o Fragility of Digital Evidence
  o Anti-Digital Forensics (ADF)
• Types of Digital Data
  o Types of Digital Data
• Rules of Evidence
  o Rules of Evidence
  o Best Evidence Rule
  o Federal Rules of Evidence
  o International Organization on Computer Evidence (IOCE)
  o IOCE International Principles for Digital Evidence
  o Scientific Working Group on Digital Evidence (SWGDE)
  o SWGDE Standards for the Exchange of Digital Evidence
• Electronic Devices: Types and Collecting Potential Evidence
  o Electronic Devices: Types and Collecting Potential Evidence
• Digital Evidence Examination Process
  o Evidence Assessment
    ▪ Evidence Assessment
    ▪ Prepare for Evidence Acquisition
  o Evidence Acquisition
    ▪ Preparation for Searches
    ▪ Seizing the Evidence
    ▪ Imaging
    ▪ Bit-Stream Copies
    ▪ Write Protection
    ▪ Evidence Acquisition
    ▪ Evidence Acquisition from Crime Location
    ▪ Acquiring Evidence from Storage Devices
    ▪ Collecting Evidence
    ▪ Collecting Evidence from RAM
    ▪ Collecting Evidence from a Standalone Network Computer
    ▪ Chain of Custody
    ▪ Chain of Evidence Form
  o Evidence Preservation
    ▪ Preserving Digital Evidence: Checklist
    ▪ Preserving Removable Media
    ▪ Handling Digital Evidence
    ▪ Store and Archive
    ▪ Digital Evidence Findings
  o Evidence Examination and Analysis
    ▪ Evidence Examination
    ▪ Physical Extraction
    ▪ Logical Extraction
    ▪ Analyze Host Data
    ▪ Analyze Storage Media
    ▪ Analyze Network Data
    ▪ Analysis of Extracted Data
    ▪ Timeframe Analysis
    ▪ Data Hiding Analysis
    ▪ Application and File Analysis
    ▪ Ownership and Possession
  o Evidence Documentation and Reporting
    ▪ Documenting the Evidence
    ▪ Evidence Examiner Report
    ▪ Final Report of Findings
    ▪ Computer Evidence Worksheet
    ▪ Hard Drive Evidence Worksheet
    ▪ Removable Media Worksheet
• Electronic Crime and Digital Evidence Consideration by Crime Category
  o Electronic Crime and Digital Evidence Consideration by Crime Category

Module 05: First Responder Procedures
• Electronic Evidence
• First Responder
• Roles of First Responder
• Electronic Devices: Types and Collecting Potential Evidence
• First Responder Toolkit
  o First Responder Toolkit
  o Creating a First Responder Toolkit
  o Evidence Collecting Tools and Equipment
• First Response Basics
  o First Response Rule
  o Incident Response: Different Situations
  o First Response for System Administrators
  o First Response by Non-Laboratory Staff
  o First Response by Laboratory Forensics Staff
• Securing and Evaluating Electronic Crime Scene
  o Securing and Evaluating Electronic Crime Scene: A Checklist
  o Securing the Crime Scene
  o Warrant for Search and Seizure
  o Planning the Search and Seizure
  o Initial Search of the Scene
  o Health and Safety Issues
• Conducting Preliminary Interviews
  o Questions to Ask When Client Calls the Forensic Investigator
  o Consent
  o Sample of Consent Search Form
  o Witness Signatures
  o Conducting Preliminary Interviews
  o Conducting Initial Interviews
  o Witness Statement Checklist
• Documenting Electronic Crime Scene
  o Documenting Electronic Crime Scene
  o Photographing the Scene
  o Sketching the Scene
  o Video Shooting the Crime Scene
• Collecting and Preserving Electronic Evidence
  o Collecting and Preserving Electronic Evidence
  o Order of Volatility
  o Dealing with Powered On Computers
  o Dealing with Powered Off Computers
  o Dealing with Networked Computer
  o Dealing with Open Files and Startup Files
  o Operating System Shutdown Procedure
  o Computers and Servers
  o Preserving Electronic Evidence
  o Seizing Portable Computers
  o Switched On Portables
  o Collecting and Preserving Electronic Evidence
• Packaging and Transporting Electronic Evidence
  o Evidence Bag Contents List
  o Packaging Electronic Evidence
  o Exhibit Numbering
  o Transporting Electronic Evidence
  o Handling and Transportation to the Forensics Laboratory
  o Storing Electronic Evidence
  o Chain of Custody
  o Simple Format of the Chain of Custody Document
  o Chain of Custody Forms
  o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
• Reporting the Crime Scene
  o Reporting the Crime Scene
• Note Taking Checklist
• First Responder Common Mistakes

Module 06: Computer Forensics Lab
• Setting a Computer Forensics Lab
  o Computer Forensics Lab
  o Planning for a Forensics Lab
  o Budget Allocation for a Forensics Lab
  o Physical Location Needs of a Forensics Lab
  o Structural Design Considerations
  o Environmental Conditions
  o Electrical Needs
  o Communication Needs
  o Work Area of a Computer Forensics Lab
  o Ambience of a Forensics Lab
  o Ambience of a Forensics Lab: Ergonomics
  o Physical Security Recommendations
  o Fire-Suppression Systems
  o Evidence Locker Recommendations
  o Computer Forensic Investigator
  o Law Enforcement Officer
  o Lab Director
  o Forensics Lab Licensing Requisite
  o Features of the Laboratory Imaging System
  o Technical Specification of the Laboratory-Based Imaging System
  o Forensics Lab
  o Auditing a Computer Forensics Lab
  o Recommendations to Avoid Eyestrain
• Investigative Services in Computer Forensics
  o Computer Forensics Investigative Services
  o Computer Forensic Investigative Service Sample
  o Computer Forensics Services: PenrodEllis Forensic Data Discovery
  o Data Destruction Industry Standards
  o Computer Forensics Services
• Computer Forensics Hardware
  o Equipment Required in a Forensics Lab
  o Forensic Workstations
  o Basic Workstation Requirements in a Forensics Lab
  o Stocking the Hardware Peripherals
  o Paraben Forensics Hardware
    ▪ Handheld First Responder Kit
    ▪ Wireless StrongHold Bag
    ▪ Wireless StrongHold Box
    ▪ Passport StrongHold Bag
    ▪ Device Seizure Toolbox
    ▪ Project-a-Phone
    ▪ Lockdown
    ▪ iRecovery Stick
    ▪ Data Recovery Stick
    ▪ Chat Stick
    ▪ USB Serial DB9 Adapter
    ▪ Mobile Field Kit
  o Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop
  o Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
  o Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
  o Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
  o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
  o Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
  o Portable Forensic Systems and Towers: Ultimate Forensic Machine
  o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
  o Tableau T3u Forensic SATA Bridge Write Protection Kit
  o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
  o Tableau TACC 1441 Hardware Accelerator
    ▪ Multiple TACC1441 Units
  o Tableau TD1 Forensic Duplicator
  o Power Supplies and Switches
  o Digital Intelligence Forensic Hardware
    ▪ FRED SR (Dual Xeon)
    ▪ FRED-L
    ▪ FRED SC
    ▪ Forensic Recovery of Evidence Data Center (FREDC)
    ▪ Rack-A-TACC
    ▪ FREDDIE
    ▪ UltraKit
    ▪ UltraBay II
    ▪ UltraBlock SCSI
    ▪ Micro Forensic Recovery of Evidence Device (µFRED)
    ▪ HardCopy 3P
  o Wiebetech
    ▪ Forensics DriveDock v4
    ▪ Forensics UltraDock v4
    ▪ Drive eRazer
    ▪ v4 Combo Adapters
    ▪ ProSATA SS8
    ▪ HotPlug
  o CelleBrite
    ▪ UFED System
    ▪ UFED Physical Pro
    ▪ UFED Ruggedized
  o DeepSpar
    ▪ Disk Imager Forensic Edition
    ▪ 3D Data Recovery
      ▪ Phase 1 Tool: PC-3000 Drive Restoration System
      ▪ Phase 2 Tool: DeepSpar Disk Imager
      ▪ Phase 3 Tool: PC-3000 Data Extractor
  o InfinaDyne Forensic Products
    ▪ Robotic Loader Extension for CD/DVD Inspector
    ▪ Robotic System Status Light
  o Image MASSter
    ▪ Solo-4 (Super Kit)
    ▪ RoadMASSter-3
    ▪ WipeMASSter
    ▪ WipePRO
    ▪ Rapid Image 7020CS IT
  o Logicube
    ▪ Forensic MD5
    ▪ Forensic Talon®
    ▪ Portable Forensic Lab™
    ▪ CellDEK®
    ▪ Forensic Quest-2®
    ▪ NETConnect™
    ▪ RAID I/O Adapter™
    ▪ GPStamp™
    ▪ OmniPort
    ▪ Desktop WritePROtects
    ▪ USB Adapter
    ▪ CloneCard Pro
    ▪ EchoPlus
    ▪ OmniClone IDE Laptop Adapters
    ▪ Cables
  o VoomTech
    ▪ HardCopy 3P
    ▪ SHADOW 2
• Computer Forensics Software
  o Basic Software Requirements in a Forensic Lab
  o Maintain Operating System and Application Inventories
  o Imaging Software
    ▪ R-drive Image
    ▪ P2 eXplorer Pro
    ▪ AccuBurn-R for CD/DVD Inspector
    ▪ Flash Retriever Forensic Edition
  o File Conversion Software
    ▪ FileMerlin
    ▪ SnowBatch®
    ▪ Zamzar
  o File Viewer Software
    ▪ File Viewer
    ▪ Quick View Plus 11 Standard Edition
  o Analysis Software
    ▪ P2 Commander
    ▪ DriveSpy
    ▪ SIM Card Seizure
    ▪ CD/DVD Inspector
    ▪ Video Indexer (Vindex™)
  o Monitoring Software
    ▪ Device Seizure
    ▪ Deployable P2 Commander (DP2C)
    ▪ ThumbsDisplay
    ▪ Email Detective
  o Computer Forensics Software
    ▪ DataLifter
    ▪ X-Ways Forensics
    ▪ LiveWire Investigator

Module 07: Understanding Hard Disks and File Systems
• Hard Disk Drive Overview
  o Disk Drive Overview
  o Hard Disk Drive
  o Solid-State Drive (SSD)
  o Physical Structure of a Hard Disk
  o Logical Structure of Hard Disk
  o Types of Hard Disk Interfaces
  o Hard Disk Interfaces
    ▪ ATA
    ▪ SCSI
    ▪ IDE/EIDE
    ▪ USB
    ▪ Fibre Channel
  o Disk Platter
  o Tracks
    ▪ Track Numbering
  o Sector
    ▪ Advanced Format: Sectors
    ▪ Sector Addressing
  o Cluster
    ▪ Cluster Size
    ▪ Changing the Cluster Size
    ▪ Slack Space
    ▪ Lost Clusters
  o Bad Sector
  o Hard Disk Data Addressing
  o Disk Capacity Calculation
  o Measuring the Performance of the Hard Disk
• Disk Partitions and Boot Process
  o Disk Partitions
  o Master Boot Record
    ▪ Structure of a Master Boot Record
  o What is the Booting Process?
  o Essential Windows System Files
  o Windows 7 Boot Process
  o Macintosh Boot Process
  o http://www.bootdisk.com
• Understanding File Systems
  o Understanding File Systems
  o Types of File Systems
  o List of Disk File Systems
  o List of Network File Systems
  o List of Special Purpose File Systems
  o List of Shared Disk File Systems
  o Popular Windows File Systems
    ▪ File Allocation Table (FAT)
      ▪ FAT File System Layout
      ▪ FAT Partition Boot Sector
      ▪ FAT Structure
      ▪ FAT Folder Structure
      ▪ Directory Entries and Cluster Chains
      ▪ Filenames on FAT Volumes
      ▪ Examining FAT
      ▪ FAT32
    ▪ New Technology File System (NTFS)
      ▪ NTFS Architecture
      ▪ NTFS System Files
      ▪ NTFS Partition Boot Sector
      ▪ Cluster Sizes of NTFS Volume
      ▪ NTFS Master File Table (MFT)
        o Metadata Files Stored in the MFT
      ▪ NTFS Files and Data Storage
      ▪ NTFS Attributes
      ▪ NTFS Data Stream
      ▪ NTFS Compressed Files
        o Setting the Compression State of a Volume
      ▪ Encrypting File Systems (EFS)
        o Components of EFS
        o Operation of Encrypting File System
        o EFS Attribute
        o Encrypting a File
        o EFS Recovery Key Agent
        o Tool: Advanced EFS Data Recovery
        o Tool: EFS Key
      ▪ Sparse Files
      ▪ Deleting NTFS Files
      ▪ Registry Data
      ▪ Examining Registry Data
    ▪ FAT vs. NTFS
  o Popular Linux File Systems
    ▪ Linux File System Architecture
    ▪ Ext2
    ▪ Ext3
  o Mac OS X File Systems
    ▪ HFS vs. HFS Plus
    ▪ HFS
    ▪ HFS Plus
    ▪ HFS Plus Volumes
    ▪ HFS Plus Journal
  o Sun Solaris 10 File System: ZFS
  o CD-ROM / DVD File System
  o CDFS
• RAID Storage System
  o RAID Levels
  o Different RAID Levels
  o Comparing RAID Levels
  o Recover Data from Unallocated Space Using File Carving Process
• File System Analysis Using The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK)
    ▪ The Sleuth Kit (TSK): fsstat
    ▪ The Sleuth Kit (TSK): istat
    ▪ The Sleuth Kit (TSK): fls and img_stat

Module 08: Windows Forensics
• Collecting Volatile Information
  o Volatile Information
    ▪ System Time
    ▪ Logged-On Users
      ▪ PsLoggedOn Tool
      ▪ net sessions Command
      ▪ LogonSessions Tool
    ▪ Open Files
      ▪ net file Command
      ▪ PsFile Utility
      ▪ Openfiles Command
    ▪ Network Information
    ▪ Network Connections
    ▪ Process Information
    ▪ Process-to-Port Mapping
    ▪ Process Memory
    ▪ Network Status
    ▪ Other Important Information
• Collecting Non-Volatile Information
  o Non-Volatile Information
    ▪ Examine File Systems
    ▪ Registry Settings
    ▪ Microsoft Security ID
    ▪ Event Logs
    ▪ Index.dat File
    ▪ Devices and Other Information
    ▪ Slack Space
    ▪ Virtual Memory
    ▪ Swap File
    ▪ Windows Search Index
    ▪ Collecting Hidden Partition Information
    ▪ Hidden ADS Streams
      ▪ Investigating ADS Streams: StreamArmor
    ▪ Other Non-Volatile Information
• Windows Memory Analysis
  o Memory Dump
  o EProcess Structure
  o Process Creation Mechanism
  o Parsing Memory Contents
  o Parsing Process Memory
  o Extracting the Process Image
  o Collecting Process Memory
• Windows Registry Analysis
  o Inside the Registry
  o Registry Structure within a Hive File
  o The Registry as a Log File
  o Registry Analysis
  o System Information
  o TimeZone Information
  o Shares
  o Audit Policy
  o Wireless SSIDs
  o Autostart Locations
  o System Boot
  o User Login
  o User Activity
  o Enumerating Autostart Registry Locations
  o USB Removable Storage Devices
  o Mounted Devices
  o Finding Users
  o Tracking User Activity
  o The UserAssist Keys
  o MRU Lists
  o Search Assistant
  o Connecting to Other Systems
  o Analyzing Restore Point Registry Settings
  o Determining the Startup Locations
• Cache, Cookie, and History Analysis
  o Cache, Cookie, and History Analysis in IE
  o Cache, Cookie, and History Analysis in Firefox
  o Cache, Cookie, and History Analysis in Chrome
  o Analysis Tools
    ▪ IECookiesView
    ▪ IECacheView
    ▪ IEHistoryView
    ▪ MozillaCookiesView
    ▪ MozillaCacheView
    ▪ MozillaHistoryView
    ▪ ChromeCookiesView
    ▪ ChromeCacheView
    ▪ ChromeHistoryView
• MD5 Calculation
  o Message Digest Function: MD5
  o Why MD5 Calculation?
  o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
  o MD5 Checksum Verifier
  o ChaosMD5
• Windows File Analysis
  o Recycle Bin
  o System Restore Points (Rp.log Files)
  o System Restore Points (Change.log.x Files)
  o Prefetch Files
  o Shortcut Files
  o Word Documents
  o PDF Documents
  o Image Files
  o File Signature Analysis
  o NTFS Alternate Data Streams
  o Executable File Analysis
  o Documentation Before Analysis
  o Static Analysis Process
  o Search Strings
  o PE Header Analysis
  o Import Table Analysis
  o Export Table Analysis
  o Dynamic Analysis Process
  o Creating Test Environment
  o Collecting Information Using Tools
  o Process of Testing the Malware
• Metadata Investigation
  o Metadata
  o Types of Metadata
  o Metadata in Different File Systems
  o Metadata in PDF Files
  o Metadata in Word Documents
  o Tool: Metadata Analyzer
• Text Based Logs
  o Understanding Events
  o Event Logon Types
  o Event Record Structure
  o Vista Event Logs
  o IIS Logs
    ▪ Parsing IIS Logs
  o Parsing FTP Logs
    ▪ FTP sc-status Codes
  o Parsing DHCP Server Logs
  o Parsing Windows Firewall Logs
  o Using the Microsoft Log Parser
• Other Audit Events
  o Evaluating Account Management Events
  o Examining Audit Policy Change Events
  o Examining System Log Entries
  o Examining Application Log Entries
• Forensic Analysis of Event Logs
  o Searching with Event Viewer
  o Using EnCase to Examine Windows Event Log Files
  o Windows Event Log Files Internals
• Windows Password Issues
  o Understanding Windows Password Storage
  o Cracking Windows Passwords Stored on Running Systems
  o Exploring Windows Authentication Mechanisms
    ▪ LanMan Authentication Process
    ▪ NTLM Authentication Process
    ▪ Kerberos Authentication Process
  o Sniffing and Cracking Windows Authentication Exchanges
  o Cracking Offline Passwords
• Forensic Tools
  o Windows Forensics Tool: OS Forensics
  o Windows Forensics Tool: Helix3 Pro
  o Integrated Windows Forensics Software: X-Ways Forensics
  o X-Ways Trace
  o Windows Forensic Toolchest (WFT)
  o Built-in Tool: Sigverif
  o Computer Online Forensic Evidence Extractor (COFEE)
  o System Explorer
  o Tool: System Scanner
  o SecretExplorer
  o Registry Viewer Tool: Registry Viewer
  o Registry Viewer Tool: RegScanner
  o Registry Viewer Tool: Alien Registry Viewer
  o MultiMon
  o CurrProcess
  o Process Explorer
  o Security Task Manager
  o PrcView
  o ProcHeapViewer
  o Memory Viewer
  o Tool: PMDump
  o Word Extractor
  o Belkasoft Evidence Center
  o Belkasoft Browser Analyzer
  o Metadata Assistant
  o HstEx
  o XpoLog Center Suite
  o LogViewer Pro
  o Event Log Explorer
  o LogMeister
  o ProDiscover Forensics
  o PyFlag
  o LiveWire Investigator
  o ThumbsDisplay
  o DriveLook

Module 09: Data Acquisition and Duplication
• Data Acquisition and Duplication Concepts
  o Data Acquisition
  o Forensic and Procedural Principles
  o Types of Data Acquisition Systems
  o Data Acquisition Formats
  o Bit Stream vs. Backups
  o Why to Create a Duplicate Image?
  o Issues with Data Duplication
  o Data Acquisition Methods
  o Determining the Best Acquisition Method
  o Contingency Planning for Image Acquisitions
  o Data Acquisition Mistakes
• Data Acquisition Types
  o Rules of Thumb
  o Static Data Acquisition
    ▪ Collecting Static Data
    ▪ Static Data Collection Process
  o Live Data Acquisition
    ▪ Why Volatile Data is Important?
    ▪ Volatile Data
    ▪ Order of Volatility
    ▪ Common Mistakes in Volatile Data Collection
    ▪ Volatile Data Collection Methodology
    ▪ Basic Steps in Collecting Volatile Data
    ▪ Types of Volatile Information
• Disk Acquisition Tool Requirements
  o Disk Imaging Tool Requirements
  o Disk Imaging Tool Requirements: Mandatory
  o Disk Imaging Tool Requirements: Optional
• Validation Methods
  o Validating Data Acquisitions
  o Linux Validation Methods
  o Windows Validation Methods
• RAID Data Acquisition
  o Understanding RAID Disks
  o Acquiring RAID Disks
  o Remote Data Acquisition
• Acquisition Best Practices
  o Acquisition Best Practices
• Data Acquisition Software Tools
  o Acquiring Data on Windows
  o Acquiring Data on Linux
    ▪ dd Command
    ▪ dcfldd Command
    ▪ Extracting the MBR
    ▪ Netcat Command
  o EnCase Forensic
  o Analysis Software: DriveSpy
  o ProDiscover Forensics
  o AccessData FTK Imager
  o Mount Image Pro
  o Data Acquisition Toolbox
  o SafeBack
  o ILookPI
  o RAID Recovery for Windows
  o R-Tools R-Studio
  o F-Response
  o PyFlag
  o LiveWire Investigator
  o ThumbsDisplay
  o DataLifter
  o X-Ways Forensics
  o R-drive Image
  o DriveLook
  o DiskExplorer
  o P2 eXplorer Pro
  o Flash Retriever Forensic Edition
• Data Acquisition Hardware Tools
  o US-LATT
  o Image MASSter: Solo-4 (Super Kit)
  o Image MASSter: RoadMASSter-3
  o Tableau TD1 Forensic Duplicator
  o Logicube: Forensic MD5
  o Logicube: Portable Forensic Lab™
  o Logicube: Forensic Talon®
  o Logicube: RAID I/O Adapter™
  o DeepSpar: Disk Imager Forensic Edition
  o Logicube: USB Adapter
  o Disk Jockey PRO
  o Logicube: Forensic Quest-2®
  o Logicube: CloneCard Pro
  o Logicube: EchoPlus
  o Paraben Forensics Hardware: Chat Stick
  o Image MASSter: Rapid Image 7020CS IT
  o Digital Intelligence Forensic Hardware: UltraKit
  o Digital Intelligence Forensic Hardware: UltraBay II
  o Digital Intelligence Forensic Hardware: UltraBlock SCSI
  o Digital Intelligence Forensic Hardware: HardCopy 3P
  o Wiebetech: Forensics DriveDock v4
  o Wiebetech: Forensics UltraDock v4
  o Image MASSter: WipeMASSter
  o Image MASSter: WipePRO
  o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
  o Forensic Tower IV Dual Xeon
  o Digital Intelligence Forensic Hardware: FREDDIE
  o DeepSpar: 3D Data Recovery
    ▪ Phase 1 Tool: PC-3000 Drive Restoration System
    ▪ Phase 2 Tool: DeepSpar Disk Imager
    ▪ Phase 3 Tool: PC-3000 Data Extractor
  o Logicube
    ▪ Cables
    ▪ Adapters
    ▪ GPStamp™
    ▪ OmniPort
    ▪ CellDEK®
  o Paraben Forensics Hardware
    ▪ Project-a-Phone
    ▪ Mobile Field Kit
    ▪ iRecovery Stick
  o CelleBrite
    ▪ UFED System
    ▪ UFED Physical Pro

Module 10: Recovering Deleted Files and Deleted Partitions
• Recovering the Deleted Files
o Deleting Files
o What Happens When a File is Deleted in Windows?
o Recycle Bin in Windows

Storage Locations of Recycle Bin in FAT and NTFS Systems

How the Recycle Bin Works

Damaged or Deleted INFO File

Damaged Files in Recycle Bin Folder

Damaged Recycle Folder
o File Recovery in MAC OS X
o File Recovery in Linux

File Recovery Tools for Windows
o Recover My Files
o EASEUS Data Recovery Wizard
o PC INSPECTOR File Recovery
o Recuva
o DiskDigger
o Handy Recovery
o Quick Recovery
o Stellar Phoenix Windows Data Recovery
o Tools to Recover Deleted Files
Page | 29
     Total Recall
     Advanced Disk Recovery
     Windows Data Recovery Software
     R-Studio
     PC Tools File Recover
     Data Rescue PC
     Smart Undelete
     FileRestore Professional
     Deleted File Recovery Software
     DDR Professional Recovery Software
     Data Recovery Pro
     GetDataBack
     UndeletePlus
     Search and Recover
     File Scavenger
     Filesaver
     Virtual Lab
     Active@ UNDELETE
     Win Undelete
     R-Undelete
     Recover4all Professional
     eData Unerase
     Active@ File Recovery
     FinalRecovery
 File Recovery Tools for MAC
o MAC File Recovery
o MAC Data Recovery
o Boomerang Data Recovery Software
o VirtualLab
o File Recovery Tools for MAC OS X
     DiskWarrior
     AppleXsoft File Recovery for MAC
     Disk Doctors MAC Data Recovery
     R-Studio for MAC
     Data Rescue
     Stellar Phoenix MAC Data Recovery
     FileSalvage
     TechTool Pro
 File Recovery Tools for Linux
o R-Studio for Linux
o Quick Recovery for Linux
o Kernel for Linux Data Recovery
o TestDisk for Linux
 Recovering the Deleted Partitions
o Disk Partition
o Deletion of Partition
o Recovery of the Deleted Partition
 Partition Recovery Tools
o Active@ Partition Recovery for Windows
o Acronis Recovery Expert
o DiskInternals Partition Recovery
o NTFS Partition Data Recovery
o GetDataBack
o EASEUS Partition Recovery
o Advanced Disk Recovery
o Power Data Recovery
o Remo Recover (MAC) - Pro
o MAC Data Recovery Software
o Quick Recovery for Linux
o Stellar Phoenix Linux Data Recovery Software
o Tools to Recover Deleted Partitions
     Handy Recovery
     TestDisk for Windows
     Stellar Phoenix Windows Data Recovery
     ARAX Disk Doctor
     Power Data Recovery
     Quick Recovery for MAC
     Partition Find & Mount
     Advance Data Recovery Software Tools
     TestDisk for MAC
     Kernel for FAT and NTFS – Windows Disk Recovery
     Disk Drill
     Stellar Phoenix MAC Data Recovery
     ZAR Windows Data Recovery
     AppleXsoft File Recovery for MAC
     Quick Recovery for FAT & NTFS
     TestDisk for Linux
Module 11: Forensics Investigation using AccessData FTK
 Overview and Installation of FTK
o Overview of Forensic Toolkit (FTK)
o Features of FTK
o Software Requirement
o Configuration Option
o Database Installation
o FTK Application Installation
 FTK Case Manager User Interface
o Case Manager Window
     Case Manager Database Menu
     Case Manager Case Menu
         Setting Up Additional Users and Assigning Roles
         Assigning Users Shared Label Visibility
     Case Manager Tools Menu
         Recovering Processing Jobs
         Restoring an Image to a Disk
     Case Manager Manage Menu
         Managing Carvers
         Managing Custom Identifiers
 FTK Examiner User Interface
o FTK Examiner User Interface
     Menu Bar: File Menu
         Exporting Files
         Exporting Case Data to a Custom Content Image
         Exporting the Word List
     Menu Bar: Edit Menu
     Menu Bar: View Menu
     Menu Bar: Evidence Menu
     Menu Bar: Tools Menu
         Verifying Drive Image Integrity
         Mounting an Image to a Drive
     File List View
         Using Labels
         Creating and Applying a Label
 Starting with FTK
o Creating a case
o Selecting Detailed Options: Evidence Processing
o Selecting Detailed Options: Fuzzy Hashing
o Selecting Detailed Options: Data Carving
o Selecting Detailed Options: Custom File Identification
o Selecting Detailed Options: Evidence Refinement (Advanced)
o Selecting Detailed Options: Index Refinement (Advanced)
 FTK Interface Tabs
o FTK Interface Tabs
     Explore Tab
     Overview Tab
     Email Tab
     Graphics Tab
     Bookmarks Tab
     Live Search Tabs
     Volatile Tab
 Adding and Processing Static, Live, and Remote Evidence
o Adding Evidence to a Case
o Evidence Groups
o Acquiring Local Live Evidence
o FTK Role Requirements For Remote Acquisition
o Types of Remote Information
o Acquiring Data Remotely Using Remote Device Management System (RDMS)
o Imaging Drives
o Mounting and Unmounting a Device
 Using and Managing Filters
o Accessing Filter Tools
o Using Filters
o Customizing Filters
o Using Predefined Filters
 Using Index Search and Live Search
o Conducting an Index Search
     Selecting Index Search Options
     Viewing Index Search Results
     Documenting Search Results
o Conducting a Live Search: Live Text Search
o Conducting a Live Search: Live Hex Search
o Conducting a Live Search: Live Pattern Search
 Decrypting EFS and other Encrypted Files
o Decrypting EFS Files and Folders
o Decrypting MS Office Files
o Viewing Decrypted Files
o Decrypting Domain Account EFS Files from Live Evidence
o Decrypting Credant Files
o Decrypting Safeboot Files
 Working with Reports
o Creating a Report
o Entering Case Information
o Managing Bookmarks in a Report
o Managing Graphics in a Report
o Selecting a File Path List
o Adding a File Properties List
o Making Registry Selections
o Selecting the Report Output Options
o Customizing the Formatting of Reports
o Viewing and Distributing a Report
Module 12: Forensics Investigation Using EnCase
 Overview of EnCase Forensic
o Overview of EnCase Forensic
o EnCase Forensic Features
o EnCase Forensic Platform
o EnCase Forensic Modules
 Installing EnCase Forensic
o Minimum Requirements
o Installing the Examiner
o Installed Files
o Installing the EnCase Modules
o Configuring EnCase
     Configuring EnCase: Case Options Tab
     Configuring EnCase: Global Tab
     Configuring EnCase: Debug Tab
     Configuring EnCase: Colors Tab and Fonts Tab
     Configuring EnCase: EnScript Tab and Storage Paths Tab
o Sharing Configuration (INI) Files
 EnCase Interface
o Main EnCase Window
     System Menu Bar
     Toolbar
     Panes Overview
     Tree Pane
     Table Pane
o Table Pane: Table Tab
o Table Pane: Report Tab
o Table Pane: Gallery Tab
o Table Pane: Timeline Tab
o Table Pane: Disk Tab and Code Tab
     View Pane
     Filter Pane
o Filter Pane Tabs
o Creating a Filter
o Creating Conditions
     Status Bar
 Case Management
o Overview of Case Structure
o Case Management
o Indexing a Case
o Case Backup
o Options Dialog Box
o Logon Wizard
o New Case Wizard
o Setting Time Zones for Case Files
o Setting Time Zone Options for Evidence Files
 Working with Evidence
o Types of Entries
o Adding a Device
     Adding a Device using Tableau Write Blocker
o Performing a Typical Acquisition
o Acquiring a Device
o Canceling an Acquisition
o Acquiring a Handspring PDA
o Delayed Loading of Internet Artifacts
o Hashing the Subject Drive
o Logical Evidence File (LEF)
o Creating a Logical Evidence File
o Recovering Folders on FAT Volumes
o Restoring a Physical Drive
 Source Processor
o Source Processor
     Starting to Work with Source Processor
     Setting Case Options
     Collection Jobs
         Creating a Collection Job
         Copying a Collection Job
         Running a Collection Job
     Analysis Jobs
         Creating an Analysis Job
         Running an Analysis Job
     Creating a Report
 Analyzing and Searching Files
o Viewing the File Signature Directory
o Performing a Signature Analysis
o Hash Analysis
o Hashing a New Case
o Creating a Hash Set
o Keyword Searches
o Creating Global Keywords
o Adding Keywords
o Importing and Exporting Keywords
o Searching Entries for Email and Internet Artifacts
o Viewing Search Hits
o Generating an Index
o Tag Records
 Viewing File Content
o Viewing Files
o Copying and Unerasing Files
o Adding a File Viewer
o Viewing File Content Using View Pane
o Viewing Compound Files
o Viewing Base64 and UUE Encoded Files
 Bookmarking Items
o Bookmarks Overview
o Creating a Highlighted Data Bookmark
o Creating a Note Bookmark
o Creating a Folder Information/Structure Bookmark
o Creating a Notable File Bookmark
o Creating a File Group Bookmark
o Creating a Log Record Bookmark
o Creating a Snapshot Bookmark
o Organizing Bookmarks
o Copying/Moving a Table Entry into a Folder
o Viewing a Bookmark on the Table Report Tab
o Excluding Bookmarks
o Copying Selected Items from One Folder to Another
 Reporting
o Reporting
o Report User Interface
o Creating a Report Using the Report Tab
o Report Single/Multiple Files
o Viewing a Bookmark Report
o Viewing an Email Report
o Viewing a Webmail Report
o Viewing a Search Hits Report
o Creating a Quick Entry Report
o Creating an Additional Fields Report
o Exporting a Report
Module 13: Steganography and Image File Forensics
 Steganography
o What is Steganography?
o How Steganography Works
o Legal Use of Steganography
o Unethical Use of Steganography
 Steganography Techniques
o Steganography Techniques
o Application of Steganography
o Classification of Steganography
o Technical Steganography
o Linguistic Steganography
o Types of Steganography
     Image Steganography
         Least Significant Bit Insertion
         Masking and Filtering
         Algorithms and Transformation
     Image Steganography: Hermetic Stego
     Steganography Tool: S-Tools
     Image Steganography Tools
o ImageHide
o QuickStego
o gifshuffle
o OutGuess
o Contraband
o Camera/Shy
o JPHIDE and JPSEEK
o StegaNote
     Audio Steganography
         Audio Steganography Methods
     Audio Steganography: Mp3stegz
     Audio Steganography Tools
o MAXA Security Tools
o Stealth Files
o Audiostegano
o BitCrypt
o MP3Stego
o Steghide
o Hide4PGP
o CHAOS Universal
     Video Steganography
     Video Steganography: MSU StegoVideo
     Video Steganography Tools
o Masker
o Max File Encryption
o Xiao Steganography
o RT Steganography
o Our Secret
o BDV DataHider
o CHAOS Universal
o OmniHide PRO
     Document Steganography: wbStego
     Byte Shelter I
     Document Steganography Tools
o Merge Streams
o Office XML
o CryptArkan
o Data Stash
o FoxHole
o Xidie Security Suite
o StegParty
o Hydan
     Whitespace Steganography Tool: SNOW
     Folder Steganography: Invisible Secrets 4
     Folder Steganography Tools
o StegoStick
o QuickCrypto
o Max Folder Secure
o WinMend Folder Hidden
o PSM Encryptor
o XPTools
o Universal Shield
o Hide My Files
     Spam/Email Steganography: Spam Mimic
o Steganographic File System
o Issues in Information Hiding
 Steganalysis
o Steganalysis
o How to Detect Steganography
o Detecting Text, Image, Audio, and Video Steganography
o Steganalysis Methods/Attacks on Steganography
o Disabling or Active Attacks
o Steganography Detection Tool: Stegdetect
o Steganography Detection Tools
     Xstegsecret
     Stego Watch
     StegAlyzerAS
     StegAlyzerRTS
     StegSpy
     Gargoyle Investigator™ Forensic Pro
     StegAlyzerSS
     StegMark
 Image Files
o Image Files
o Common Terminologies
o Understanding Vector Images
o Understanding Raster Images
o Metafile Graphics
o Understanding Image File Formats
o GIF (Graphics Interchange Format)
o JPEG (Joint Photographic Experts Group)
     JPEG File Structure
     JPEG 2000
o BMP (Bitmap) File
     BMP File Structure
o PNG (Portable Network Graphics)
     PNG File Structure
o TIFF (Tagged Image File Format)
     TIFF File Structure
 Data Compression
o Understanding Data Compression
o How Does File Compression Work?
o Lossless Compression
o Huffman Coding Algorithm
o Lempel-Ziv Coding Algorithm
o Lossy Compression
o Vector Quantization
 Locating and Recovering Image Files
o Best Practices for Forensic Image Analysis
o Forensic Image Processing Using MATLAB
o Locating and Recovering Image Files
o Analyzing Image File Headers
o Repairing Damaged Headers
o Reconstructing File Fragments
o Identifying Unknown File Formats
o Identifying Image File Fragments
o Identifying Copyright Issues on Graphics
o Picture Viewer: IrfanView
o Picture Viewer: ACDSee Photo Manager 12
o Picture Viewer: Thumbsplus
o Picture Viewer: AD Picture Viewer Lite
o Picture Viewer Max
o Picture Viewer: FastStone Image Viewer
o Picture Viewer: XnView
o Faces – Sketch Software
o Digital Camera Data Discovery Software: File Hound
 Image File Forensics Tools
o Hex Workshop
o GFE Stealth™ - Forensics Graphics File Extractor
o Ilook
o Adroit Photo Forensics 2011
o Digital Photo Recovery
o Stellar Phoenix Photo Recovery Software
o Zero Assumption Recovery (ZAR)
o Photo Recovery Software
o Forensic Image Viewer
o File Finder
o DiskGetor Data Recovery
o DERescue Data Recovery Master
o Recover My Files
o Universal Viewer
Module 14: Application Password Crackers
 Password Cracking Concepts
o Password - Terminology
o Password Types
o Password Cracker
o How Does a Password Cracker Work?
o How Hash Passwords are Stored in Windows SAM
 Types of Password Attacks
o Password Cracking Techniques
o Types of Password Attacks
o Passive Online Attacks: Wire Sniffing
o Password Sniffing
o Passive Online Attack: Man-in-the-Middle and Replay Attack
o Active Online Attack: Password Guessing
o Active Online Attack: Trojan/Spyware/keylogger
o Active Online Attack: Hash Injection Attack
o Rainbow Attacks: Pre-Computed Hash
o Distributed Network Attack
     Elcomsoft Distributed Password Recovery
o Non-Electronic Attacks
o Manual Password Cracking (Guessing)
o Automatic Password Cracking Algorithm
o Time Needed to Crack Passwords
 Classification of Cracking Software
     Systems Software vs. Applications Software
 System Software Password Cracking
o Bypassing BIOS Passwords
     Using Manufacturer’s Backdoor Password to Access the BIOS
     Using Password Cracking Software
         CmosPwd
     Resetting the CMOS using the Jumpers or Solder Beads
     Removing CMOS Battery
     Overloading the Keyboard Buffer and Using a Professional Service
o Tool to Reset Admin Password: Active@ Password Changer
o Tool to Reset Admin Password: Windows Key
 Application Software Password Cracking
o Passware Kit Forensic
o Accent Keyword Extractor
o Distributed Network Attack
o Password Recovery Bundle
o Advanced Office Password Recovery
o Office Password Recovery
o Office Password Recovery Toolbox
o Office Multi-document Password Cracker
o Word Password Recovery Master
o Accent WORD Password Recovery
o Word Password
o PowerPoint Password Recovery
o PowerPoint Password
o Powerpoint Key
o Stellar Phoenix Powerpoint Password Recovery
o Excel Password Recovery Master
o Accent EXCEL Password Recovery
o Excel Password
o Advanced PDF Password Recovery
o PDF Password Cracker
o PDF Password Cracker Pro
o Atomic PDF Password Recovery
o PDF Password
o Recover PDF Password
o Appnimi PDF Password Recovery
o Advanced Archive Password Recovery
o KRyLack Archive Password Recovery
o Zip Password
o Atomic ZIP Password Recovery
o RAR Password Unlocker
o Default Passwords
o http://www.defaultpassword.com
o http://www.cirt.net/passwords
o http://default-password.info
o http://www.defaultpassword.us
o http://www.passwordsdatabase.com
o http://www.virus.org
 Password Cracking Tools
o L0phtCrack
o OphCrack
o Cain & Abel
o RainbowCrack
o Windows Password Unlocker
o Windows Password Breaker
o SAMInside
o PWdump7 and Fgdump
o PCLoginNow
o KerbCrack
o Recover Keys
o Windows Password Cracker
o Proactive System Password Recovery
o Password Unlocker Bundle
o Windows Password Reset Professional
o Windows Password Reset Standard
o Krbpwguess
o Password Kit
o WinPassword
o Passware Kit Enterprise
o Rockxp
o PasswordsPro
o LSASecretsView
o LCP
o MessenPass
o Mail PassView
o Messenger Key
o Dialupass
o Protected Storage PassView
o Network Password Recovery
o Asterisk Key
o IE PassView
Module 15: Log Capturing and Event Correlation
 Computer Security Logs
o Computer Security Logs
o Operating System Logs
o Application Logs
o Security Software Logs
o Router Log Files
o Honeypot Logs
o Linux Process Accounting
o Logon Event in Windows
o Windows Log File
     Configuring Windows Logging
     Analyzing Windows Logs
     Windows Log File: System Logs
     Windows Log File: Application Logs
     Logon Events that appear in the Security Event Log
o IIS Logs
     IIS Log File Format
     Maintaining Credible IIS Log Files
o Log File Accuracy
o Log Everything
o Keeping Time
o UTC Time
o View the DHCP Logs
     Sample DHCP Audit Log File
o ODBC Logging
 Logs and Legal Issues
o Legality of Using Logs
o Records of Regularly Conducted Activity as Evidence
o Laws and Regulations
 Log Management
o Log Management
     Functions of Log Management
     Challenges in Log Management
     Meeting the Challenges in Log Management
 Centralized Logging and Syslogs
o Centralized Logging
     Centralized Logging Architecture
     Steps to Implement Central Logging
o Syslog
     Syslog in Unix-Like Systems
     Steps to Set Up a Syslog Server for Unix Systems
     Advantages of Centralized Syslog Server
o IIS Centralized Binary Logging
 Time Synchronization
o Why Synchronize Computer Times?
o What is NTP?
     NTP Stratum Levels
o NIST Time Servers
o Configuring Time Server in Windows Server
 Event Correlation
o Event Correlation
     Types of Event Correlation
     Prerequisites for Event Correlation
     Event Correlation Approaches
 Log Capturing and Analysis Tools
o GFI EventsManager
o Activeworx Security Center
o EventLog Analyzer
o Syslog-ng OSE
o Kiwi Syslog Server
o WinSyslog
o Firewall Analyzer: Log Analysis Tool
o Activeworx Log Center
o EventReporter
o Kiwi Log Viewer
o Event Log Explorer
o WebLog Expert
o XpoLog Center Suite
o ELM Event Log Monitor
o EventSentry
o LogMeister
o LogViewer Pro
o WinAgents EventLog Translation Service
o EventTracker Enterprise
o Corner Bowl Log Manager
o Ascella Log Monitor Plus
o FLAG - Forensic and Log Analysis GUI
o Simple Event Correlator (SEC)
o OSSEC
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
 Network Forensics
o Network Forensics
o Network Forensics Analysis Mechanism
o Network Addressing Schemes
o Overview of Network Protocols
o Overview of Physical and Data-Link Layer of the OSI Model
o Overview of Network and Transport Layer of the OSI Model
o OSI Reference Model
o TCP/IP Protocol
o Intrusion Detection Systems (IDS) and Their Placement
     How IDS Works
     Types of Intrusion Detection Systems
     General Indications of Intrusions
o Firewall
o Honeypot
 Network Attacks
o Network Vulnerabilities
o Types of Network Attacks
     IP Address Spoofing
     Man-in-the-Middle Attack
     Packet Sniffing
         How a Sniffer Works
     Enumeration
     Denial of Service Attack
     Session Sniffing
     Buffer Overflow
     Trojan Horse
 Log Injection Attacks
o New Line Injection Attack
     New Line Injection Attack Countermeasure
o Separator Injection Attack
     Defending Separator Injection Attacks
o Timestamp Injection Attack
     Defending Timestamp Injection Attacks
o Word Wrap Abuse Attack
     Defending Word Wrap Abuse Attacks
o HTML Injection Attack
     Defending HTML Injection Attacks
o Terminal Injection Attack
     Defending Terminal Injection Attacks
 Investigating and Analyzing Logs
o Postmortem and Real-Time Analysis
o Where to Look for Evidence
o Log Capturing Tool: ManageEngine EventLog Analyzer
o Log Capturing Tool: ManageEngine Firewall Analyzer
o Log Capturing Tool: GFI EventsManager
o Log Capturing Tool: Kiwi Syslog Server
o Handling Logs as Evidence
o Log File Authenticity
o Use Signatures, Encryption, and Checksums
o Work with Copies
o Ensure System’s Integrity
o Access Control
o Chain of Custody
o Condensing Log File
 Investigating Network Traffic
o Why Investigate Network Traffic?
o Evidence Gathering via Sniffing
o Capturing Live Data Packets Using Wireshark
     Display Filters in Wireshark
     Additional Wireshark Filters
o Acquiring Traffic Using DNS Poisoning Techniques
     Intranet DNS Spoofing (Local Network)
     Intranet DNS Spoofing (Remote Network)
     Proxy Server DNS Poisoning
     DNS Cache Poisoning
o Evidence Gathering from ARP Table
o Evidence Gathering at the Data-Link Layer: DHCP Database
o Gathering Evidence by IDS
 Traffic Capturing and Analysis Tools
o NetworkMiner
o Tcpdump/Windump
o Intrusion Detection Tool: Snort
     How Snort Works
o IDS Policy Manager
o MaaTec Network Analyzer
o Iris Network Traffic Analyzer
o NetWitness Investigator
o Colasoft Capsa Network Analyzer
o Sniff-O-Matic
o NetResident
o Network Probe
o NetFlow Analyzer
o OmniPeek Network Analyzer
o Firewall Evasion Tool: Traffic IQ Professional
o NetworkView
o CommView
o Observer
o SoftPerfect Network Protocol Analyzer
o EffeTech HTTP Sniffer
o Big-Mother
o EtherDetect Packet Sniffer
o Ntop
o EtherApe
o AnalogX Packetmon
o IEInspector HTTP Analyzer
o SmartSniff
o Distinct Network Monitor
o Give Me Too
o EtherSnoop
o Show Traffic
o Argus
 Documenting the Evidence Gathered on a Network
Module 17: Investigating Wireless Attacks
 Wireless Technologies
o Wireless Networks
o Wireless Terminologies
o Wireless Components
o Types of Wireless Networks
o Wireless Standards
o MAC Filtering
o Service Set Identifier (SSID)
o Types of Wireless Encryption: WEP
o Types of Wireless Encryption: WPA
o Types of Wireless Encryption: WPA2
o WEP vs. WPA vs. WPA2
 Wireless Attacks
o Wi-Fi Chalking
     Wi-Fi Chalking Symbols
o Access Control Attacks
o Integrity Attacks
o Confidentiality Attacks
o Availability Attacks
o Authentication Attacks
 Investigating Wireless Attacks
o Key Points to Remember
o Steps for Investigation
     Obtain a Search Warrant
     Identify Wireless Devices at Crime Scene
     Search for Additional Devices
     Detect Rogue Access Point
     Document the Scene and Maintain a Chain of Custody
     Detect the Wireless Connections
         Methodologies to Detect Wireless Connections
         Wi-Fi Discovery Tool: inSSIDer
         GPS Mapping
o GPS Mapping Tool: WIGLE
o GPS Mapping Tool: Skyhook
         How to Discover Wi-Fi Networks Using Wardriving
     Check for MAC Filtering
         Changing the MAC Address
     Detect WAPs using the Nessus Vulnerability Scanner
     Capturing Wireless Traffic
o Sniffing Tool: Wireshark
o Follow TCP Stream in Wireshark
o Display Filters in Wireshark
o Additional Wireshark Filters
     Determine Wireless Field Strength
         Determine Wireless Field Strength: FSM
         Determine Wireless Field Strength: ZAP Checker Products
     What is Spectrum Analysis?
     Map Wireless Zones & Hotspots
     Connect to Wireless Network
     Connect to the Wireless Access Point
     Access Point Data Acquisition and Analysis: Attached Devices
     Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
     Access Point Data Acquisition and Analysis
o Firewall Analyzer
o Firewall Log Analyzer
     Wireless Devices Data Acquisition and Analysis
     Report Generation
 Features of a Good Wireless Forensics Tool
 Wireless Forensics Tools
o Wi-Fi Discovery Tools
     NetStumbler
     NetSurveyor
     Vistumbler
     WirelessMon
     Kismet
     AirPort Signal
     WiFi Hopper
     Wavestumbler
     iStumbler
     WiFinder
     Meraki WiFi Stumbler
     Wellenreiter
     AirCheck Wi-Fi Tester
     AirRadar 2
o Wi-Fi Packet Sniffers
     OmniPeek
     CommView for Wi-Fi
     Wi-Fi USB Dongle: AirPcap
     tcpdump
     KisMAC
     Aircrack-ng Suite
     AirMagnet WiFi Analyzer
o Wardriving Tools
     MiniStumbler
     Airbase
     ApSniff
     WiFiFoFum
     StumbVerter
     ClassicStumbler
     Driftnet
     WarLinux
o RF Monitoring Tools
     NetworkManager
     KWiFiManager
     NetworkControl
     KOrinoco
     KWaveControl
     Aphunter
     Qwireless
     SigMon
o Wi-Fi Connection Manager Tools
     Aironet Wireless LAN
     Boingo
     HandyWi
     Avanquest Connection Manager
     Intel PROSet
     Odyssey Access Client
     WiFi-Manager
     QuickLink Mobile
o Wi-Fi Traffic Analyzer Tools
     AirMagnet WiFi Analyzer
     Cascade Pilot Personal Edition
     OptiView® XG Network Analysis Tablet
     Network Packet Analyzer
     Network Observer
     Ufasoft Snif
     CommView for WiFi
     Network Assistant
o Wi-Fi Raw Packet Capturing Tools
     WirelessNetView
     Pirni Sniffer
     Tcpdump
     Airview
o Wi-Fi Spectrum Analyzing Tools
     Cisco Spectrum Expert
     AirMedic
     BumbleBee
     Wi-Spy
Module 18: Investigating Web Attacks
 Introduction to Web Applications and Web Servers
o Introduction to Web Applications
o Web Application Components
o How Web Applications Work
o Web Application Architecture
o Open Source Web Server Architecture
o Indications of a Web Attack
o Web Attack Vectors
o Why Web Servers are Compromised
o Impact of Web Server Attacks
o Website Defacement
o Case Study
 Web Logs
o Overview of Web Logs
o Application Logs
o Internet Information Services (IIS) Logs
     IIS Web Server Architecture
     IIS Log File Format
o Apache Web Server Logs
o DHCP Server Logs
 Web Attacks
o Web Attacks - 1
o Web Attacks - 2
     Unvalidated Input
     Parameter/Form Tampering
     Directory Traversal
     Security Misconfiguration
     Injection Flaws
     SQL Injection Attacks
     Command Injection Attacks
         Command Injection Example
     File Injection Attack
     What is LDAP Injection?
         How LDAP Injection Works
     Hidden Field Manipulation Attack
     Cross-Site Scripting (XSS) Attacks
         How XSS Attacks Work
     Cross-Site Request Forgery (CSRF) Attack
         How CSRF Attacks Work
     Web Application Denial-of-Service (DoS) Attack
         Denial of Service (DoS) Examples
     Buffer Overflow Attacks
     Cookie/Session Poisoning
         How Cookie Poisoning Works
     Session Fixation Attack
     Insufficient Transport Layer Protection
     Improper Error Handling
     Insecure Cryptographic Storage
     Broken Authentication and Session Management
     Unvalidated Redirects and Forwards
     DMZ Protocol Attack/Zero Day Attack
     Log Tampering
     URL Interpretation and Impersonation Attack
     Web Services Attack
     Web Services Footprinting Attack
     Web Services XML Poisoning
     Webserver Misconfiguration
     HTTP Response Splitting Attack
     Web Cache Poisoning Attack
     HTTP Response Hijacking
     SSH Bruteforce Attack
     Man-in-the-Middle Attack
     Defacement Using DNS Compromise
 Web Attack Investigation
o Investigating Web Attacks
o Investigating Web Attacks in Windows-Based Servers
o Investigating IIS Logs
o Investigating Apache Logs
o Example of FTP Compromise
o Investigating FTP Servers
o Investigating Static and Dynamic IP Addresses
o Sample DHCP Audit Log File
o Investigating Cross-Site Scripting (XSS)
o Investigating SQL Injection Attacks
o Pen-Testing CSRF Validation Fields
o Investigating Code Injection Attack
o Investigating Cookie Poisoning Attack
o Detecting Buffer Overflow
o Investigating Authentication Hijacking
o Web Page Defacement
o Investigating DNS Poisoning
o Intrusion Detection
o Security Strategies for Web Applications
o Checklist for Web Security
 Web Attack Detection Tools
o Web Application Security Tools
     Acunetix Web Vulnerability Scanner
     Falcove Web Vulnerability Scanner
     Netsparker
     N-Stalker Web Application Security Scanner
     Sandcat
     Wikto
     WebWatchBot
     OWASP ZAP
     SecuBat Vulnerability Scanner
     Websecurify
     HackAlert
     WebCruiser
o Web Application Firewalls
     dotDefender
     IBM AppScan
     ServerDefender VP
o Web Log Viewers

Deep Log Analyzer

WebLog Expert

AlterWind Log Analyzer

Webalizer

eWebLog Analyzer

Apache Logs Viewer (ALV)
o Web Attack Investigation Tools
AWStats

Paros Proxy

Scrawlr
Tools for Locating IP Address
o Whois Lookup
o SmartWhois
o ActiveWhois
o LanWhois
o CountryWhois
o CallerIP
o Real Hide IP
o IP - Address Manager
o Pandora FMS
Module 19: Tracking Emails and Investigating Email Crimes

Email System Basics
o Email Terminology
o Email System
o Email Clients
o Email Server
o SMTP Server
o POP3 and IMAP Servers
o Email Message
o Importance of Electronic Records Management

Email Crimes
o Email Crime
o Email Spamming
o Mail Bombing/Mail Storm
o Phishing
o Email Spoofing
o Crime via Chat Room
o Identity Fraud/Chain Letter

Email Headers
o Example of Email Header
o List of Common Headers

Steps to Investigate
o Why to Investigate Emails
o Investigating Email Crime and Violation

Obtain a Search Warrant and Seize the Computer and Email Account

Obtain a Bit-by-Bit Image of Email Information

Examine Email Headers
Viewing Email Headers in Microsoft Outlook

Viewing Email Headers in AOL

Viewing Email Headers in Hotmail

Viewing Email Headers in Gmail

Viewing Headers in Yahoo Mail

Forging Headers
Analyzing Email Headers

Email Header Fields

Received: Headers

Microsoft Outlook Mail

Examining Additional Files (.pst or .ost files)

Checking the Email Validity

Examine the Originating IP Address
Trace Email Origin

Tracing Back

Tracing Back Web-based Email
Acquire Email Archives

Email Archives

Content of Email Archives

Local Archive

Server Storage Archive

Forensic Acquisition of Email Archive
Recover Deleted Emails
Deleted Email Recovery
Email Forensics Tools
o Stellar Phoenix Deleted Email Recovery
o Recover My Email
o Outlook Express Recovery
o Zmeil
o Quick Recovery for MS Outlook
o Email Detective
o Email Trace - Email Tracking
o R-Mail
o FINALeMAIL
o eMailTrackerPro
o Forensic Tool Kit (FTK)
o Paraben’s E-mail Examiner
o Paraben's Network E-mail Examiner
o DiskInternal’s Outlook Express Repair
o Abuse.Net
o MailDetective Tool

Laws and Acts against Email Crimes
o U.S. Laws Against Email Crime: CAN-SPAM Act
o 18 U.S.C. § 2252A
o 18 U.S.C. § 2252B
o Email Crime Law in Washington: RCW 19.190.020
Module 20: Mobile Forensics

Mobile Phones
o Mobile Phone
o Different Mobile Devices
o Hardware Characteristics of Mobile Devices
o Software Characteristics of Mobile Devices
o Components of Cellular Network
o Cellular Network
o Different Cellular Networks

Mobile Operating Systems
o Mobile Operating Systems
o Types of Mobile Operating Systems
o webOS

webOS System Architecture
o Symbian OS

Symbian OS Architecture
o Android OS

Android OS Architecture
o RIM BlackBerry OS
o Windows Phone 7

Windows Phone 7 Architecture
o Apple iOS

Mobile Forensics
o What a Criminal Can Do with Mobile Phones
o Mobile Forensics
o Mobile Forensics Challenges
o Forensics Information in Mobile Phones
o Memory Considerations in Mobiles
o Subscriber Identity Module (SIM)
o SIM File System
o Integrated Circuit Card Identification (ICCID)
o International Mobile Equipment Identifier (IMEI)
o Electronic Serial Number (ESN)
o Precautions to Be Taken Before Investigation

Mobile Forensics Process
o Mobile Forensics Process
Collecting the Evidence

Points to Remember while Collecting the Evidence

Collecting an iPod/iPhone Connected to a Computer

Document the Scene and Preserve the Evidence

Imaging and Profiling

Acquire the Information
Collect the Evidence

Device Identification

Acquire Data from SIM Cards

Acquire Data from Unobstructed Mobile Devices

Acquire the Data from Obstructed Mobile Devices

Acquire Data from Memory Cards

Acquire Data from Synched Devices

Gather Data from Network Operator

Check Call Data Records (CDRs)

Gather Data from SQLite Record

Analyze the Information
Generate Report
Mobile Forensics Software Tools
o Oxygen Forensic Suite 2011
o MOBILedit! Forensic
o BitPim
o SIM Analyzer
o SIMCon
o SIM Card Data Recovery
o Memory Card Data Recovery
o Device Seizure
o SIM Card Seizure
o ART (Automatic Reporting Tool)
o iPod Data Recovery Software
o Recover My iPod
o PhoneView
o Elcomsoft Blackberry Backup Explorer
o Oxygen Phone Manager II
o Sanmaxi SIM Recoverer
o USIMdetective
o CardRecovery
o Stellar Phoenix iPod Recovery Software
o iCare Data Recovery Software
o Cell Phone Analyzer
o iXAM
o BlackBerry Database Viewer Plus
o BlackBerry Signing Authority Tool

Mobile Forensics Hardware Tools
o Secure View Kit
o Deployable Device Seizure (DDS)
o Paraben's Mobile Field Kit
o PhoneBase
o XACT System
o Logicube CellDEK
o Logicube CellDEK TEK
o RadioTactics ACESO
o UME-36Pro - Universal Memory Exchanger
o Cellebrite UFED System - Universal Forensic Extraction Device
o ZRT 2
o ICD 5200
o ICD 1300
Module 21: Investigative Reports

Computer Forensics Report
o Computer Forensics Report
o Salient Features of a Good Report
o Aspects of a Good Report

Computer Forensics Report Template
o Computer Forensics Report Template
o Simple Format of the Chain of Custody Document
o Chain of Custody Forms
o Evidence Collection Form
o Computer Evidence Worksheet
o Hard Drive Evidence Worksheet
o Removable Media Worksheet

Investigative Report Writing
o Report Classification
o Layout of an Investigative Report

Layout of an Investigative Report: Numbering
o Report Specifications
o Guidelines for Writing a Report
o Use of Supporting Material
o Importance of Consistency
o Investigative Report Format
o Attachments and Appendices
o Include Metadata
o Signature Analysis
o Investigation Procedures
o Collecting Physical and Demonstrative Evidence
o Collecting Testimonial Evidence
o Do's and Don'ts of Computer Forensics Investigations
o Case Report Writing and Documentation
o Create a Report to Attach to the Media Analysis Worksheet
o Best Practices for Investigators

Sample Forensics Report
o Sample Forensics Report

Report Writing Using Tools
o Writing Report Using FTK
o Writing Report Using ProDiscover
Module 22: Becoming an Expert Witness

Expert Witness
o What is an Expert Witness?
o Role of an Expert Witness
o What Makes a Good Expert Witness?

Types of Expert Witnesses
o Types of Expert Witnesses

Computer Forensics Experts
Role of Computer Forensics Expert

Medical & Psychological Experts

Civil Litigation Experts

Construction & Architecture Experts

Criminal Litigation Experts
Scope of Expert Witness Testimony
o Scope of Expert Witness Testimony
o Technical Witness vs. Expert Witness
o Preparing for Testimony

Evidence Processing
o Evidence Preparation and Documentation
o Evidence Processing Steps
o Checklists for Processing Evidence
o Examining Computer Evidence
o Prepare the Report
o Evidence Presentation

Rules for Expert Witness
o Rules Pertaining to an Expert Witness’s Qualification
o Daubert Standard
o Frye Standard
o Importance of Resume
o Testifying in the Court
o The Order of Trial Proceedings

General Ethics While Testifying
o General Ethics While Testifying
o Importance of Graphics in a Testimony
o Helping your Attorney
o Avoiding Testimony Issues
o Testifying during Direct Examination
o Testifying during Cross-Examination
o Deposing
o Recognizing Deposition Problems
o Guidelines to Testifying at a Deposition
o Dealing with Media
o Finding a Computer Forensics Expert