Search

Computer Hacking Forensic Investigator CHFI v8 Training with Official EC-Council Courseware

Sale Price: $1,395.00
Item Number: CA-CHFI-CW
Configuration: -online

* denotes required field

Media Content*
Untitled Document
Package Includes


    CHFI - Computer Hacking 

Forensics Investigator Training Limited Time Bonus Offer:
    Receive our CompTIA Security+ at No Cost (Value at $495)

  • 12 Months Online Access, Featuring OnDemand Instructor-Led Classroom Sessions with Full Audio and Video Lectures
  • Official EC-Council CHFI Courseware Kit (Value at $650)
    • CHFIv8 printed textbook volume 1
    • CHFIv8 printed textbook volume 2
    • EC-Council Computer Hacking Forensics Investigator v8.0 Lab Manual
    • CHFIv8 DVD pack
    • ECC Computer Hacking Forensic Investigator T-Shirt
    • EC-Council Logo Backpack
  • Software Video Demonstrations
  • Self-Assessment Module Review Quizzes
  • Certificate of Completion
  • Free 1 Year Upgrade Policy
  • Mobile Access via iPhones and iPads

International shipping charges apply on all EC-Council courses.


DWTEXT

Robert Reed - CHFI, Certified EC-Council Instructor (CEI)
Robert Reed is a seasoned investigator and trainer with twenty years of law enforcement experience. With a Masters in Science in computer information systems he has leveraged this knowledge into the computer forensics field developing and operating the first ASCLDD (American Society of Crime Lab Directors) Lab accredited computer forensic program in the State of Arizona.

He has obtained multiple certifications including the EC Council Computer Hacking Forensic Investigator (CHFI) and is a Certified EC Council Instructor (CEI). Reed has taught computer forensics and cyber crime programs to clients from the US and foreign governments. Students include military personnel, law enforcement officials from national, state and local governments, educational institutions, corporate clients and Individuals.

Course Features:
       
Course 

Outline TXT
Course Introduction
Course Introduction
Module 00 - Student Introduction
Student Introduction
CHFIv8 Course Outline
EC-Council Certification Program
Computer Hacking Forensic Investigator Track
CHFIv8 Exam Information
What Does CHFI Teach You?
CHFI Class Speed
Let's Start Forensics Investigation!
Module 01 - Computer Forensics in Today's World
Module Flow: Computer Forensics
Computer Forensics
Security Incident Report
Aspects of Organizational Security
Evolution of Computer Forensics (Cont'd)
Evolution of Computer Forensics
Objective of Computer Forensics
Need for Computer Forensics
Module Flow: Forensics Readiness
Benefits of Forensics Readiness
Goals of Forensics Readiness
Forensics Readiness Planning
Module Flow: Cyber Crimes
Cyber Crime
Computer Facilitated Crimes
Modes of Attacks
Examples of Cyber Crime (Cont'd)
Examples of Cyber Crime
Types of Computer Crimes
Cyber Criminals
Organized Cyber Crime: Organizational Chart
How Serious are Different Types of Incidents?
Disruptive Incidents to the Business
Cost Expenditure Responding to the Security Incident
Module Flow: Cyber Crime Investigation
Cyber Crime Investigation
Key Steps in Forensics Investigation (Cont'd)
Key Steps in Forensics Investigation
Rules of Forensics Investigation
Need for Forensics Investigator
Role of Forensics Investigator
Accessing Computer Forensics Resources
Role of Digital Evidence
Module Flow: Corporate Investigations
Understanding Corporate Investigations
Approach to Forensics Investigation: A Case Study (Cont'd)
Approach to Forensics Investigation: A Case Study
Instructions for the Forensic Investigator to Approach the Crime Scene
Why and When Do You Use Computer Forensics?
Enterprise Theory of Investigation (ETI)
Legal Issues
Reporting the Results
Module Flow: Reporting a Cyber Crime
Why you Should Report Cybercrime?
Reporting Computer-Related Crimes (Cont'd)
Reporting Computer-Related Crimes
Person Assigned to Report the Crime
When and How to Report an Incident?
Who to Contact at the Law Enforcement
Federal Local Agents Contact (Cont'd)
Federal Local Agents Contact
More Contacts
CIO Cyberthreat Report Form
Module 01 Review
Module 02 - Computer Forensics Investigation Process
Computer Forensics Investigation Process
Investigating Computer Crime
Before the Investigation
Build a Forensics Workstation
Building the Investigation Team
People Involved in Computer Forensics
Review Policies and Laws
Forensics Laws (Cont'd)
Forensics Laws
Notify Decision Makers and Acquire Authorization
Risk Assessment
Build a Computer Investigation Toolkit
Steps to Prepare for a Computer Forensics Investigation (Cont'd)
Steps to Prepare for a Computer Forensics Investigation
Computer Forensics Investigation Methodology: Obtain Search Warrant
Obtain Search Warrant
Example of Search Warrant
Searches Without a Warrant
Computer Forensics Investigation Methodology: Evaluate and Secure the Scene
Forensics Photography
Gather the Preliminary Information at the Scene
First Responder
Computer Forensics Investigation Methodology: Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence (Cont'd)
Collect Electronic Evidence
Guidelines for Acquiring Evidence
Computer Forensics Investigation Methodology: Secure the Evidence
Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
Computer Forensics Investigation Methodology: Acquire the Data
Original Evidence Should NEVER Be Used for Analysis
Duplicate the Data (Imaging)
Verify Image Integrity
Demo - HashCalc
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Recover Lost or Deleted Data
Data Recovery Software
Computer Forensics Investigation Methodology: Analyze the Data
Data Analysis
Data Analysis Tools
Computer Forensics Investigation Methodology: Assess Evidence and Case
Evidence Assessment
Case Assessment (Cont'd)
Case Assessment
Processing Location Assessment
Best Practices to Assess the Evidence
Computer Forensics Investigation Methodology: Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report (Cont'd)
Writing the Investigation Report
Sample Report (1 of 7)
Sample Report (2 of 7)
Sample Report (3 of 7)
Sample Report (4 of 7)
Sample Report (5 of 7)
Sample Report (6 of 7)
Sample Report (7 of 7)
Computer Forensics Investigation Methodology: Testify as an Expert Witness
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers (Cont'd)
Computer Forensics Service Providers
Module 02 Review
Module 03 - Searching and Seizing Computers
Module Flow: Searching and Seizing Computers without a Warrant
Searching and Seizing Computers without a Warrant
Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: Principles
Reasonable Expectation of Privacy in Computers as Storage Devices
Reasonable Expectation of Privacy and Third-Party Possession
Private Searches
Use of Technology to Obtain Information
Exceptions to the Warrant Requirement in Cases Involving Computers
Consent
Scope of Consent
Third-Party Consent
Implied Consent
Exigent Circumstances
Plain View
Search Incident to a Lawful Arrest
Inventory Searches
Border Searches
International Issues
Special Case: Workplace Searches
Private Sector Workplace Searches
Public-Sector Workplace Searches
Module Flow: Searching and Seizing Computers with a Warrant
Searching and Seizing Computers with a Warrant
Successful Search with a Warrant
Basic Strategies for Executing Computer Searches
When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
When Hardware Is Merely a Storage Device for Evidence of Crime
The Privacy Protection Act
The Terms of the Privacy Protection Act
Application of the PPA to Computer Searches and Seizures (Cont'd)
Application of the PPA to Computer Searches and Seizures
Civil Liability Under the Electronic Communications Privacy Act (ECPA)
Considering the Need for Multiple Warrants in Network Searches
No-Knock Warrants
Sneak-and-Peek Warrants
Privileged Documents
Drafting the Warrant and Affidavit
Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments
Defending Computer Search Warrants Against Challenges Based on the "Things to be Seized"
Establish Probable Cause in the Affidavit
Explanation of the Search Strategy and Practical & Legal Considerations
Post-Seizure Issues
Searching Computers Already in Law Enforcement Custody
The Permissible Time Period for Examining Seized Computers
Rule 41(e) Motions for Return of Property
Module Flow: The Electronic Communications Privacy Act
The Electronic Communications Privacy Act
Providers of Electronic Communication Service vs. Remote Computing Service
Classifying Types of Information Held by Service Providers
Compelled Disclosure Under ECPA
Voluntary Disclosure
Working with Network Providers
Module Flow: Electronic Surveillance in Communications Networks
Electronic Surveillance in Communications Networks
Content vs. Addressing Information
The Pen/Trap Statute
The Wiretap Statute ("Title III")
Exceptions to Title III
Remedies For Violations of Title III and the Pen/Trap Statute
Module Flow: Evidence
Evidence (Cont'd)
Evidence
Authentication
Hearsay
Other Issues
Module 03 Review
Module 04 - Digital Evidence
Module Flow: Digital Data
Definition of Digital Evidence
Increasing Awareness of Digital Evidence
Challenging Aspects of Digital Evidence
The Role of Digital Evidence
Characteristics of Digital Evidence
Fragility of Digital Evidence
Anti-Digital Forensics (ADF)
Module Flow: Types of Digital Data
Types of Digital Data (Cont'd)
Types of Digital Data (Cont'd)
Types of Digital Data
Module Flow: Rules of Evidence
Rules of Evidence
Best Evidence Rule
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence
International Organization on Computer Evidence (IOCE)
IOCE International Principles for Digital Evidence
Scientific Working Group on Digital Evidence (SWGDE)
SWGDE Standards for the Exchange of Digital Evidence (Cont'd)
SWGDE Standards for the Exchange of Digital Evidence (Cont'd)
SWGDE Standards for the Exchange of Digital Evidence
Module Flow: Electronic Devices: Types and Collecting Potential Evidence
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: Digital Evidence Examination Process
Digital Evidence Examination Process - Evidence Assessment
Evidence Assessment
Prepare for Evidence Acquisition
Digital Evidence Examination Process - Evidence Acquisition
Preparation for Searches
Seizing the Evidence
Imaging
Demo - Disk Sterilization with DD
Bit-Stream Copies
Write Protection
Evidence Acquisition
Evidence Acquisition from Crime Location
Acquiring Evidence from Storage Devices
Demo - Utilizing HD PARM for HD Information
Collecting Evidence (Cont'd)
Collecting Evidence (Cont'd)
Collecting Evidence (Cont'd)
Collecting Evidence
Collecting Evidence from RAM (Cont'd)
Collecting Evidence from RAM
Collecting Evidence from a Standalone Network Computer
Chain of Custody
Chain of Evidence Form
Digital Evidence Examination Process - Evidence Preservation
Preserving Digital Evidence: Checklist (Cont'd)
Preserving Digital Evidence: Checklist (Cont'd)
Preserving Digital Evidence: Checklist (Cont'd)
Preserving Digital Evidence: Checklist
Preserving Removable Media (Cont'd)
Preserving Removable Media
Handling Digital Evidence
Store and Archive
Digital Evidence Findings
Digital Evidence Examination Process - Evidence Examination and Analysis
DO NOT WORK on the Original Evidence
Evidence Examination (Cont'd)
Evidence Examination
Physical Extraction
Logical Extraction
Analyze Host Data
Analyze Storage Media
Analyze Network Data
Analysis of Extracted Data
Timeframe Analysis
Data Hiding Analysis
Application and File Analysis
Ownership and Possession
Digital Evidence Examination Process - Evidence Documentation and Reporting
Documenting the Evidence
Evidence Examiner Report
Final Report of Findings
Computer Evidence Worksheet (Cont'd)
Computer Evidence Worksheet
Hard Drive Evidence Worksheet (Cont'd)
Hard Drive Evidence Worksheet
Removable Media Worksheet
Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category
Module 04 Review
Module 05 - First Responder Procedures
Module Flow: First Responder
Electronic Evidence
First Responder
Roles of First Responder
Electronic Devices: Types and Collecting Potential Evidence (Cont' d)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: First Responder Toolkit
First Responder Toolkit
Creating a First Responder Toolkit
Evidence Collecting Tools and Equipment (Cont'd)
Evidence Collecting Tools and Equipment (Cont'd)
Evidence Collecting Tools and Equipment
Module Flow: First Response Basics
First Response Rule
Incident Response: Different Situations
First Response for System Administrators
First Response by Non-Laboratory Staff
First Response by Laboratory Forensics Staff (Cont'd)
First Response by Laboratory Forensics Staff
Module Flow: Securing and Evaluating Electronic Crime Scene
Securing and Evaluating Electronic Crime Scene: A Checklist (Cont'd)
Securing and Evaluating Electronic Crime Scene: A Checklist
Securing the Crime Scene
Warrant for Search and Seizure
Planning the Search and Seizure (Cont'd)
Planning the Search and Seizure
Initial Search of the Scene
eNotes
eNotes
Health and Safety Issues
Module Flow: Conducting Preliminary Interviews
Questions to Ask When Client Calls the Forensic Investigator
Consent
Sample of Consent Search Form
Witness Signatures
Conducting Preliminary Interviews
Conducting Initial Interviews
Witness Statement Checklist
Module Flow: Documenting Electronic Crime Scene
Documenting Electronic Crime Scene
Photographing the Scene
Sketching the Scene
Video Shooting the Crime Scene
Module Flow: Collecting and Preserving Electronic Evidence
Collecting and Preserving Electronic Evidence (Cont'd)
Collecting and Preserving Electronic Evidence
Order of Volatility
Dealing with Powered On Computers (Cont'd)
Demo - Imaging RAM
Demo - Parsing RAM
Dealing with Powered On Computers
Dealing with Powered Off Computers
Dealing with Networked Computer
Dealing with Open Files and Startup Files
Operating System Shutdown Procedure (Cont'd)
Operating System Shutdown Procedure Example
Computers and Servers
eNotes
Preserving Electronic Evidence
Seizing Portable Computers
Switched On Portables
Collecting and Preserving Electronic Evidence Wrap-up
Module Flow: Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
Packaging Electronic Evidence
Exhibit Numbering
Transporting Electronic Evidence
Handling and Transportation to the Forensics Laboratory
Storing Electronic Evidence
Chain of Custody
Simple Format of the Chain of Custody Document
Chain of Custody Forms (Cont'd)
Chain of Custody Forms (Cont'd)
Chain of Custody Forms
Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
Demo - Hardware Inventories
Module Flow: Reporting the Crime Scene
Reporting the Crime Scene
Note Taking Checklist (Cont'd)
Note Taking Checklist
First Responder Common Mistakes
Module 05 Review
Module 06 - Computer Forensics Lab
Module Flow: Setting a Computer Forensics Lab
Computer Forensics Lab
Planning for a Forensics Lab
Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensics Lab
Structural Design Considerations
Environmental Conditions
Electrical Needs
Communication Needs
Work Area of a Computer Forensics Lab
Ambience of a Forensics Lab
Ambience of a Forensics Lab: Ergonomics
Physical Security Recommendations
Fire-Suppression Systems
Evidence Locker Recommendations
Computer Forensic Investigator
Law Enforcement Officer
Lab Director
Forensics Lab Licensing Requisite
Features of the Laboratory Imaging System
Technical Specifications of the Laboratory Based Imaging System
Forensics Lab (1 of 3)
Forensics Lab (2 of 3)
Forensics Lab (3 of 3)
Auditing a Computer Forensics Lab (Cont'd)
Auditing a Computer Forensics Lab
Recommendations to Avoid Eyestrain
Module Flow: Investigative Services in Forensics
Computer Forensics Investigative Services
Computer Forensic Investigative Service Sample
Computer Forensics Services: PenrodEllis Forensic Data Discovery
Data Destruction Industry Standards
Computer Forensics Services (Cont'd)
Computer Forensics Services
Module Flow: Computer Forensics Hardware
Equipment Required in a Forensics Lab
Forensic Workstations
Basic Workstation Requirements in a Forensics Lab
Stocking the Hardware Peripherals
Paraben Forensics Hardware: Handheld First Responder Kit
Paraben Forensics Hardware: Wireless StrongHold Bag
Paraben Forensics Hardware: Wireless StrongHold Box
Paraben Forensics Hardware: Passport StrongHold Bag
Paraben Forensics Hardware: Device Seizure Toolbox
Paraben Forensics Hardware: Project-a-Phone
Paraben Forensics Hardware: Lockdown
Paraben Forensics Hardware: iRecovery Stick
Paraben Forensics Hardware: Data Recovery Stick
Paraben Forensics Hardware: Chat Stick
Paraben Forensics Hardware: USB Serial DB9 Adapter
Paraben Forensics Hardware: Mobile Field Kit
Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop
Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
Portable Forensic Systems and Towers: Forensic Tower IV Duel Xeon
Portable Forensic Systems and Towers: Ultimate Forensic Machine
Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
Tableau T3u Forensic SATA Bridge Write Protection Kit
Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader
Tableau TACC 1441 Hardware Accelerator
Multiple TACC1441 Units
Tableau TD1 Forensic Duplicator
Power Supplies and Switches
Digital Intelligence Forensic Hardware: FRED SR (Duel Xeon)
Digital Intelligence Forensic Hardware: FRED-L
Digital Intelligence Forensic Hardware: FRED SC
Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
Digital Intelligence Forensic Hardware: Rack-A-TACC
Digital Intelligence Forensic Hardware: FREDDIE
Digital Intelligence Forensic Hardware: UltraKit
Digital Intelligence Forensic Hardware: UltraBay II
Digital Intelligence Forensic Hardware: UltraBlock SCSI
Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device
Digital Intelligence Forensic Hardware: HardCopy 3P
Wiebetech: Forensics DriveDock v4
Wiebetech: Forensic UltraDock v4
Wiebetech: Drive eRazer
Wiebetech: v4 Combo Adapters
Wiebetech: ProSATA SS8
Wiebetech: HotPlug
CelleBrite: UFED System
CelleBrite: UFED Physical Pro
CelleBrite: UFED Ruggedized
DeepSpar: Disk Imager Forensic Edition
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
InfinaDyne Forensic Products: Robotic System Status Light
Image MASSter: Solo-4 (Super Kit)
Image MASSter: RoadMASSter- 3
Image MASSter: WipeMASSter
Image MASSter: WipePRO
Image MASSter: Rapid Image 7020CS IT
Logicube: Forensic MD5
Logicube: Forensic Talon
Logicube: Portable Forensic Lab
Logicube: CellDEK
Logicube: Forensic Quest-2
Logicube: NETConnect
Logicube: RAID I/O Adapter
Logicube: GPStamp
Logicube: OmniPort
Logicube: Desktop WritePROtects
Logicube: USB Adapter
Logicube: CloneCard Pro
Logicube: EchoPlus
OmniClone IDE Laptop Adapters
Logicube: Cables
VoomTech: HardCopy 3P
VoomTech: SHADOW 2
Module Flow: Computer Forensics Software
Basic Software Requirements in a Forensics Lab
Main Operating System and Application Inventories
Imaging Software: R-drive Image
Demo - R-Drive Image
Imaging Software: P2 eXplorer Pro
Imaging Software: AccuBurn-R for CD/DVD Inspector
Imaging Software: Flash Retriever Forensic Edition
File Conversion Software: FileMerlin
File Conversion Software: SnowBatch
File Conversion Software: Zamzar
File Viewer Software: File Viewer
File Viewer Software: Quick View Plus 11 Standard Edition
Demo - File Viewers
Analysis Software: P2 Commander
P2 Commander Screenshot
Analysis Software: DriveSpy
Analysis Software: SIM Card Seizure
Analysis Software: CD/DVD Inspector
Analysis Software: Video Indexer (Vindex)
Monitoring Software: Device Seizure
Device Seizure Screenshots
Monitoring Software: Deployable P2 Commander (DP2C)
Monitoring Software: ThumbsDisplay
ThumbsDisplay Screenshot
Monitoring Software: Email Detective
Computer Forensics Software: DataLifter
Computer Forensics Software: X-Ways Forensics
Demo - X-Ways Forensics
Computer Forensics Software: LiveWire Investigator
Module 06 Review
Module 07 - Understanding Hard Disks and File Systems
Module Flow: Hard Disk Drive Overview
Disk Drive Overview (Cont'd)
Disk Drive Overview
Hard Disk Drive
Solid-State Drive (SSD)
Physical Structure of a Hard Disk (Cont'd)
Physical Structure of a Hard Disk (Cont'd)
Physical Structure of a Hard Disk (Cont'd)
Physical Structure of a Hard Disk
Logical Structure of Hard Disk
Types of Hard Disk Interfaces
Hard Disk Interfaces: ATA
Hard Disk Interfaces: SCSI (Cont'd)
Hard Disk Interfaces: SCSI
Hard Disk Interfaces: IDE/EIDE
Hard Disk Interfaces: USB
Hard Disk Interfaces: Fibre Channel
Disk Platter
Tracks
Track Numbering
Sector
Advanced Format: Sectors
Sector Addressing
Cluster
Cluster Size
Changing the Cluster Size
Demo - Cluster Size
Slack Space ( Cont'd)
Slack Space
Demo - Slack Space
Lost Clusters
Bad Sector
Hard Disk Data Addressing
Disk Capacity Calculation
Demo - Calculating Disk Capacity
Measuring the Performance of the Hard Disk
Module Flow: Disk Partitions and Boot Process
Disk Partitions
Demo - Partitioning Linux
Master Boot Record
Structure of a Master Boot Record (Cont'd)
Demo - Backing Up the MBR
Structure of a Master Boot Record
What is the Booting Process?
Essential Windows System Files
Windows 7 Boot Process (Cont'd)
Windows 7 Boot Process (Cont'd)
Windows 7 Boot Process
Macintosh Boot Process (Cont'd)
Macintosh Boot Process (Cont'd)
Macintosh Boot Process (Cont'd)
Macintosh Boot Process
http://www.bootdisk.com
Module Flow: Understanding File Systems
Understanding File Systems
Types of File Systems
List of Disk File Systems (Cont'd)
List of Disk File Systems (Cont'd)
List of Disk File Systems
List of Network File Systems
List of Special Purpose File Systems
List of Shared Disk File Systems
Windows File Systems
Popular Windows File Systems
File Allocation Table (FAT)
FAT File System Layout
FAT Partition Boot Sector
FAT Structure
FAT Folder Structure
Directory Entries and Cluster Chains
Filenames on FAT Volumes
Examining FAT
FAT32
New Technology File System (NTFS) (Cont'd)
NTFS (Cont'd)
NTFS
NTFS Architecture
NTFS System Files
NTFS Partition Boot Sector
Cluster Sizes of NTFS Volume
NTFS Master File Table (MFT) (Cont'd)
NTFS Master File Table (MFT) (Cont'd)
NTFS Master File Table (MFT)
Metadata Files Stored in the MFT
NTFS Files and Data Storage
NTFS Attributes
NTFS Data Stream (Cont'd)
NTFS Data Stream
NTFS Compressed Files
Setting the Compression State of a Volume
Encrypting File Systems (EFS)
Components of EFS
Operation of Encrypting File System
EFS Attribute
Encrypting a File
EFS Recovery Key Agent (Cont'd)
EFS Recovery Key Agent
Tool: Advanced EFS Data Recovery
Tool: EFS Key
Sparse Files
Deleting NTFS Files
Registry Data (Cont'd)
Registry Data
Examining Registry Data
FAT vs. NTFS
Linux File Systems
Popular Linux File Systems
Linux File System Architecture
Ext2 (Cont'd)
Ext2 (Cont'd)
Ext2
Ext3 (Cont'd)
Ext3
Mac OS X File Systems
Mac OS X File Systems
HFS vs. HFS Plus
HFS
HFS Plus
HFS Plus Volumes
HFS Plus Journal
Sun Solaris 10 File System: ZFS
CD-ROM / DVD File System
CDFS
Demo - Multi-sessions Discs
Module Flow: RAID Storage System
RAID Storage System
RAID Level 0: Disk Striping
RAID Level 1: Disk Mirroring
RAID Level 3: Disk Striping with Parity
RAID Level 5: Block Interleaved Distributed Parity
RAID Level 10: Blocks Striped and Mirrored
RAID Level 50: Mirroring and Striping across Multiple RAID Levels
Different RAID Levels
Comparing RAID Levels
Recover Data from Unallocated Space Using File Carving Process
Module Flow: File System Analysis Using the Sleuth Kit (TSK)
Tool: The Sleuth Kit (TSK)
The Sleuth Kit (TSK): fsstat
The Sleuth Kit (TSK): istat (1 of 4)
The Sleuth Kit (TSK): istat (2 of 4)
The Sleuth Kit (TSK): istat (3 of 4)
The Sleuth Kit (TSK): istat (4 of 4)
The Sleuth Kit (TSK): fls and img_stat
Demo - TSK and Autopsy
Module 07 Review
Module 08 - Windows Forensics
Module Flow: Collecting Volatile Information
Volatile Information
System Time
Logged-On Users
Logged-On Users: PsLoggedOn Tool
Logged-On Users: net sessions Command
Logged-On Users: LogonSessions Tool
Open Files
Open Files: net file Command
Open Files: PsFile Utility
Open Files: Openfiles Command
Network Information (Cont'd)
Network Information
Network Connections (Cont'd)
Demo - Netstat Command
Network Connections
Process Information (Cont'd)
Process Information (Cont'd)
Process Information (Cont'd)
Process Information (Cont'd)
Process Information (Cont'd)
Process Information
Process-to-Port Mapping (Cont'd)
Process-to-Port Mapping
Process Memory
Network Status (Cont'd)
Demo - ipconfig
Network Status
Other Important Information (Cont'd)
Demo - Clipboard Viewer
Other Important Information
Module Flow: Collecting Non-Volatile Information
Non-Volatile Information
Examine File Systems
Registry Settings
Microsoft Security ID
Event Logs
Index.dat File (Cont'd)
Index.dat File
Demo - Grabbing Registry Files
Devices and Other Information
Slack Space
Virtual Memory
Swap File
Windows Search Index
Collecting Hidden Partition Information
Demo - Gparted
Hidden ADS Streams
Investigating ADS Streams: StreamArmor
Other Non-Volatile Information
Module Flow: Windows Memory Analysis
Memory Dump (Cont'd)
Memory Dump
EProcess Structure
Process Creation Mechanism
Parsing Memory Contents
Parsing Process Memory
Extracting the Process Image (Cont'd)
Extracting the Process Image
Collecting Process Memory
Module Flow: Windows Registry Analysis
Inside the Registry (Cont'd)
Inside the Registry (Cont'd)
Inside the Registry
Registry Structure within a Hive File
The Registry as a Log File
Registry Analysis
System Information (Cont'd)
System Information
TimeZone Information
Shares
Audit Policy
Wireless SSIDs
Autostart Locations
System Boot
User Login
User Activity
Enumerating Autostart Registry Locations
USB Removable Storage Devices (Cont'd)
USB Removable Storage Devices (Cont'd)
USB Removable Storage Devices (Cont'd)
USB Removable Storage Devices
Mounted Devices (Cont'd)
Mounted Devices
Finding Users (Cont'd)
Finding Users (Cont'd)
Finding Users: Screenshots
Tracking User Activity
The UserAssist Keys
MRU Lists (Cont'd)
MRU Lists (Cont'd)
MRU Lists
Search Assistant
Connecting to Other Systems
Analyzing Restore Point Registry Settings (Cont'd)
Analyzing Restore Point Registry Settings
Determining the Startup Locations (Cont'd)
Determining the Startup Locations (Cont'd)
Determining the Startup Locations (Cont'd)
Determining the Startup Locations (Cont'd)
Determining the Startup Locations (Cont'd)
Determining the Startup Locations
Demo - Reg Ripper
Module Flow: Cache, Cookie, and History Analysis
Cache, Cookie, and History Analysis in IE
Cache, Cookie, and History Analysis in Firefox
Cache, Cookie, and History Analysis in Chrome
Analysis Tool: IECookiesView
Analysis Tool: IECacheView
Analysis Tool: IEHistoryView
Analysis Tool: MozillaCookiesView
Analysis Tool: MozillaCacheView
Analysis Tool: MozillaHistoryView
Analysis Tool: ChromeCookiesView
Analysis Tool: ChromeCacheView
Analysis Tool: ChromeHistoryView
Module Flow: MD5 Calculation
Message Digest Function: MD5
Why MD5 Calculation?
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
MD5 Checksum Verifier
ChaosMD5
Module Flow: Windows File Analysis
Recycle Bin (Cont'd)
Recycle Bin
System Restore Points (Rp.log Files)
System Restore Points (Change.log.x Files)
Prefetch Files (Cont'd)
Prefetch Files
Shortcut Files
Word Documents
PDF Documents
Image Files
File Signature Analysis
NTFS Alternate Data Streams
Executable File Analysis
Documentation Before Analysis
Static Analysis Process
Search Strings
PE Header Analysis
Import Table Analysis
Export Table Analysis
Dynamic Analysis Process
Creating Test Environment
Collecting Information Using Tools
Process of Testing the Malware
Module Flow: Metadata Investigation
Metadata
Types of Metadata (Cont'd)
Types of Metadata
Metadata in Different File Systems (Cont'd)
Metadata in Different File Systems
Metadata in PDF Files
Metadata in Word Documents
Tool: Metadata Analyzer
Module Flow: Text Based Logs
Understanding Events
Event Logon Types (Cont'd)
Event Logon Types (Cont'd)
Event Logon Types
Event Record Structure (Cont'd)
Event Record Structure (Cont'd)
Event Record Structure (Cont'd)
Event Record Structure
Vista Event Logs (Cont'd)
Vista Event Logs: Screenshots
IIS Logs
Parsing IIS Logs (Cont'd)
Parsing IIS Logs (Cont'd)
Parsing IIS Logs (Cont'd)
Parsing IIS Logs (Cont'd)
Parsing IIS Logs
Parsing FTP Logs
FTP sc-status Codes (Cont'd)
FTP sc-status Codes (Cont'd)
FTP sc-status Codes
Parsing DHCP Server Logs (Cont'd)
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using the Microsoft Log Parser
Module Flow: Other Audit Events
Evaluating Account Management Events (Cont'd)
Evaluating Account Management Events
Examining Audit Policy Change Events
Examining System Log Entries
Examining Application Log Entries
Examining Application Log Entries (Screenshot)
Module Flow: Forensic Analysis of Event Logs
Searching with Event Viewer
Using EnCase to Examine Windows Event Log Files
Windows Event Log Files Internals
Module Flow: Windows Password Issues
Understanding Windows Password Storage (Cont'd)
Understanding Windows Password Storage
Cracking Windows Passwords Stored on Running Systems (Cont'd)
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
LanMan Authentication Process
NTLM Authentication Process
Kerberos Authentication Process
Sniffing and Cracking Windows Authentication Exchanges
Cracking Offline Passwords
Module Flow: Forensics Tools
Windows Forensics Tool: OS Forensics
Windows Forensics Tool: Helix3 Pro
Helix3 Pro Screenshot
Helix3 Pro Screenshot
Integrated Windows Forensics Software: X-Ways Forensics
X-Ways Forensics Screenshot
X-Ways Trace
Windows Forensic Toolchest (WFT)
Built-in Tool: Sigverif
Computer Online Forensic Evidence Extractor (COFEE)
System Explorer
Tool: System Scanner
SecretExplorer
Registry Viewer Tool: Registry Viewer
Registry Viewer Tool: RegScanner
Registry Viewer Tool: Alien Registry Viewer
MultiMon
CurrProcess
Process Explorer
Security Task Manager
PrcView
ProcHeapViewer
Memory Viewer
Tool: PMDump
Word Extractor
Belkasoft Evidence Center
Belkasoft Browser Analyzer
Metadata Assistant
HstEx
XpoLog Center Suite
XpoLog Center Suite Screenshot
LogViewer Pro
Event Log Explorer
LogMeister
ProDiscover Forensics
PyFlag
LiveWire Investigator
ThumbsDisplay
ThumbsDisplay Screenshot
DriveLook
Module 08 Review
Module 09 - Data Acquisition and Duplication
Module Flow: Data Acquisition and Duplication Concepts
Data Acquisition
Forensic and Procedural Principles
Types of Data Acquisition Systems
Data Acquisition Formats (Cont'd)
Data Acquisition Formats (Cont'd)
Data Acquisition Formats
Bit Stream vs. Backups
Why to Create a Duplicate Image?
Issues with Data Duplication
Data Acquisition Methods (Cont'd)
Data Acquisition Methods
Determining the Best Acquisition Method (Cont'd)
Determining the Best Acquisition Method
Contingency Planning for Image Acquisitions (Cont'd)
Contingency Planning for Image Acquisitions
Data Acquisitions Mistakes
Module Flow: Data Acquisition Types
Rules of Thumb
Static Data Acquisition
Collecting Static Data
Demo - Forensic Imaging Using Linux
Demo - Forensic Imaging Using Windows
Static Data Collection Process
Live Data Acquisition
Why Volatile Data is Important?
Volatile Data (Cont'd)
Volatile Data
Order of Volatility
Common Mistakes in Volatile Data Collection
Volatile Data Collection Methodology (Cont'd)
Volatile Data Collection Methodology (Cont'd)
Volatile Data Collection Methodology
Basic Steps in Collecting Volatile Data
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information (Cont'd)
Types of Volatile Information
Demo - WinTaylors
Module Flow: Disk Acquisition Tool Requirements
Disk Imaging Tool Requirements
Disk Imaging Tool Requirements: Mandatory (Cont'd)
Disk Imaging Tool Requirements: Mandatory
Disk Imaging Tool Requirements: Optional (Cont'd)
Disk Imaging Tool Requirements: Optional
Module Flow: Validation Methods
Validating Data Acquisitions
Linux Validation Methods (Cont'd)
Linux Validation Methods (Cont'd)
Linux Validation Methods (Cont'd)
Linux Validation Methods
Windows Validation Methods
Module Flow: Raid Data Acquisition
Understanding RAID Disks (Cont'd)
Understanding RAID Disks (Cont'd)
Understanding RAID Disks
Acquiring RAID Disks (Cont'd)
Acquiring RAID Disks
Remote Data Acquisition
Module Flow: Acquisition Best Practices
Acquisition Best Practices (Cont'd)
Acquisition Best Practices (Cont'd)
Acquisition Best Practices (Cont'd)
Acquisition Best Practices
Module Flow: Data Acquisition Software Tools
Acquiring Data on Windows
Acquiring Data on Linux
dd Command
dcfldd Command
Extracting the MBR
Netcat Command
EnCase Forensic
EnCase Forensic Screenshot
Analysis Software: DriveSpy
ProDiscover Forensics
AccessData FTK Imager
Mount Image Pro
Data Acquisition Toolbox
SafeBack
ILookPI
ILookPI Screenshot
RAID Recovery for Windows
R-Tools R-Studio
F-Response
PyFlag
LiveWire Investigator
ThumbsDisplay
ThumbsDisplay Screenshot
DataLifter
X-Ways Forensics
R-drive Image
Demo - Forensic Imaging
DriveLook
DiskExplorer
P2 eXplorer Pro
Flash Retriever Forensic Edition
Module Flow: Data Acquisition Hardware Tools
US-LATT
Image MASSter: Solo-4 (Super Kit)
Image MASSter: RoadMASSter- 3
Tableau TD1 Forensic Duplicator
Logicube: Forensic MD5
Logicube: Portable Forensic Lab
Logicube: Forensic Talon
Logicube: RAID I/O Adapter
DeepSpar: Disk Imager Forensic Edition
Logicube: USB Adapter
Disk Jockey PRO
Logicube: Forensic Quest-2
Logicube: CloneCard Pro
Logicube: EchoPlus
Paraben Forensics Hardware: Chat Stick
Image MASSter: Rapid Image 7020CS IT
Digital Intelligence Forensic Hardware: UltraKit
Digital Intelligence Forensic Hardware: UltraBay II
Digital Intelligence Forensic Hardware: UltraBlock SCSI
Digital Intelligence Forensic Hardware: HardCopy 3P
Wiebetech: Forensics DriveDock v4
Wiebetech: Forensics UltraDock v4
Image MASSter: WipeMASSter
Image MASSter: WipePRO
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
Forensic Tower IV Dual Xeon
Digital Intelligence Forensic Hardware: FREDDIE
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
Logicube: Cables
Logicube: Adapters
Logicube: GPStamp
Logicube: OmniPort
Logicube: CellDEK
Paraben Forensics Hardware: Project-a-Phone
Paraben Forensics Hardware: Mobile Field Kit
Paraben Forensics Hardware: iRecovery Stick
CelleBrite: UFED System
CelleBrite: UFED Physical Pro
Module 09 Review
Module 10 - Recovering Deleted Files and Deleted Partition
Module Flow: Recovering the Deleted Files
Deleting Files
What Happens When a File is Deleted in Windows?
Recycle Bin in Windows (Cont'd)
Recycle Bin in Windows
Storage Locations of Recycle Bin in FAT and NTFS Systems
How the Recycle Bin Works (Cont'd)
How the Recycle Bin Works
Demo - Recycle Bins
Damaged or Deleted INFO File
Damaged Files in Recycle Bin Folder
Damaged Recycle Folder
File Recovery in Mac OS X (Cont'd)
File Recovery in Mac OS X
File Recovery in Linux
Module Flow: File Recovery Tools for Windows
Recover My Files
EASEUS Data Recovery Wizard
PC INSPECTOR File Recovery
Demo - PC INSPECTOR File Recovery
Recuva
DiskDigger
Handy Recovery
Quick Recovery
Stellar Phoenix Windows Data Recovery
Tools to Recover Deleted Files
Tools to Recover Deleted Files
Tools to Recover Deleted Files
Module Flow: File Recovery Tools for Mac
Mac File Recovery
Mac Data Recovery
Boomerang Data Recovery Software
VirtualLab
File Recovery Tools for Mac OS X
Module Flow: File Recovery Tools for Linux
R-Studio for Linux
Quick Recovery for Linux
Kernal for Linux Data Recovery
TestDisk for Linux
Demo - File Carving
Module Flow: Recovering the Deleted Partitions
Disk Partition
Deletion of Partition
Recovery of the Deleted Partition (Cont'd)
Recovery of the Deleted Partition (Cont'd)
Recovery of the Deleted Partition (Cont'd)
Recovery of the Deleted Partition
Module Flow: Partition Recovery Tools
Active@ Partition Recovery for Windows
Acronis Recovery Expert
DiskInternals Partition Recovery
NTFS Partition Data Recovery
GetDataBack
EASEUS Partition Recovery
Advanced Disk Recovery
Power Data Recovery
Remo Recover (Mac) - Pro
Mac Data Recovery Software
Quick Recovery for Linux
Stellar Phoenix Linux Data Recovery Software
Tools to Recover Deleted Partitions
Tools to Recover Deleted Partitions
Demo - Partition Recovery
Module 10 Review
Module 11 - Forensics Investigation Using AccessData FTK
Module Flow: Overview and Installation of FTK
Overview of Forensic Toolkit (FTK)
Features of FTK
Software Requirement
Configuration Option
Database Installation (Cont'd)
Database Installation
FTK Application Installation (1 of 6)
FTK Application Installation (2 of 6)
FTK Application Installation (3 of 6)
FTK Application Installation (4 of 6)
FTK Application Installation (5 of 6)
FTK Application Installation (6 of 6)
Module Flow: FTK Case Manager User Interface
Case Manager Window
Case Manager Database Menu
Setting Up Additional Users and Assigning Roles
Case Manager Case Menu
Assigning Users Shared Label Visibility
Case Manager Tools Menu
Recovering Processing Jobs
Restoring an Image to a Disk
Case Manager Manage Menu
Managing Carvers
Managing Custom Identifiers
Module Flow: FTK Examiner User Interface
FTK Examiner User Interface
Menu Bar: File Menu
Exporting Files
Exporting Case Data to a Custom Content Image
Exporting the Word List
Menu Bar: Edit Menu
Menu Bar: View Menu
Menu Bar: Evidence Menu
Menu Bar: Tools Menu
Verifying Drive Image Integrity
Demo - Verifying Image Integrity
Mounting an Image to a Drive
File List View
Using Labels
Creating and Applying a Label
Module Flow: Starting with FTK
Creating a case
Selecting Detailed Options: Evidence Processing (Cont'd)
Selecting Detailed Options: Evidence Processing
Selecting Detailed Options: Fuzzy Hashing (Cont'd)
Selecting Detailed Options: Fuzzy Hashing
Selecting Detailed Options: Data Carving
Selecting Detailed Options: Custom File Identification (Cont'd)
Selecting Detailed Options: Custom File Identification
Selecting Detailed Options: Evidence Refinement (Advanced) (Cont'd)
Selecting Detailed Options: Evidence Refinement (Advanced)
Selecting Detailed Options: Index Refinement (Advanced) (Cont'd)
Selecting Detailed Options: Index Refinement (Advanced)
Module Flow: FTK Interface Tabs
Demo - FTK Imaging and Adding
FTK Interface Tabs
Explore Tab
Overview Tab
Email Tab
Graphics Tab
Bookmarks Tab
Live Search Tabs
Volatile Tab
Demo - File Overview Tab
Module Flow: Adding and Processing Static, Live, and Remote Evidence
Adding Evidence to a Case
Evidence Groups
Acquiring Local Live Evidence
FTK Role Requirements For Remote Acquisition
Types of Remote Information
Acquiring Data Remotely Using Remote Device Management System (RDMS) (Cont'd)
Acquiring Data Remotely Using Remote Device Management System (RDMS)
Imaging Drives
Mounting and Unmounting a Device
Module Flow: Using and Managing Filters
Accessing Filter Tools
Using Filters
Customizing Filters
Using Predefined Filters
Demo - Filtering
Module Flow: Using Index Search and Live Search
Conducting an Index Search
Selecting Index Search Options
Viewing Index Search Results
Documenting Search Results
Conducting a Live Search: Live Text Search
Conducting a Live Search: Live Hex Search
Conducting a Live Search: Live Pattern Search
Demo - Indexed and Live Searches
Demo - FTK File Carving
Module Flow: Decrypting EFS and other Encrypted Files
Decrypting EFS Files and Folders
Decrypting MS Office Files
Viewing Decrypted Files
Decrypting Domain Account EFS Files from Live Evidence (Cont'd)
Decrypting Domain Account EFS Files from Live Evidence
Decrypting Credant Files
Decrypting Safeboot Files
Demo - FTK File Encryption
Module Flow: Working with Reports
Creating a Report
Entering Case Information
Managing Bookmarks in a Report
Managing Graphics in a Report
Selecting a File Path List
Adding a File Properties List
Making Registry Selections
Selecting the Report Output Options
Customizing the Formatting of Reports
Viewing and Distributing a Report
Demo - Reporting
Module 11 Review
Module 12 - Forensics Investigation Using EnCase
Module Flow: Overview of EnCase Forensic
Official Licensed Content Provided by EnCase to EC-Council
Overview of EnCase Forensic
EnCase Forensic Features (Cont'd)
EnCase Forensic Features
EnCase Forensic Platform
EnCase Forensic Modules (Cont'd)
EnCase Forensic Modules
Module Flow: Installing EnCase Forensic
Minimum Requirements
Installing the Examiner
Installed Files
Installing the EnCase Modules
Configuring EnCase
Configuring EnCase: Case Options Tab
Configuring EnCase: Global Tab
Configuring EnCase: Debug Tab
Configuring EnCase: Colors Tab and Fonts Tab
Configuring EnCase: EnScript Tab and Storage Paths Tab
Sharing Configuration (INI) Files
Module Flow: EnCase Interface
Demo - EnCase Options
Main EnCase Window
System Menu Bar
Toolbar
Panes Overview (Cont'd)
Panes Overview
Tree Pane
Table Pane
Table Pane: Table Tab
Table Pane: Report Tab
Table Pane: Gallery Tab
Table Pane: Timeline Tab
Table Pane: Disk Tab and Code Tab
View Pane (Cont'd)
View Pane
Filter Pane
Filter Pane Tabs
Creating a Filter
Creating Conditions
Status Bar
Demo - EnCase Tabs and Views
Module Flow: Case Management
Overview of Case Structure
Case Management
Indexing a Case (Cont'd)
Indexing a Case
Case Backup
Options Dialog Box
Logon Wizard
New Case Wizard
Setting Time Zones for Case Files
Setting Time Zone Options for Evidence Files
Module Flow: Working with Evidence
Types of Entries
Adding a Device (Cont'd)
Adding a Device
Adding a Device using Tableau Write Blocker (Cont'd)
Adding a Device using Tableau Write Blocker
Performing a Typical Acquisition
Acquiring a Device (Cont'd)
Acquiring a Device
Canceling an Acquisition
Verifying Evidence Files
Demo - Imaging with EnCase
Delayed Loading of Internet Artifacts
Hashing the Subject Drive
Logical Evidence File (LEF)
Creating a Logical Evidence File (Cont'd)
Creating a Logical Evidence File
Recovering Folders on FAT Volumes
Restoring a Physical Drive
Demo - Restoring a Drive from an Image
Module Flow: Source Processor
Source Processor
Starting to Work with Source Processor
Setting Case Options
Collection Jobs
Creating a Collection Job (Cont'd)
Creating a Collection Job
Copying a Collection Job
Running a Collection Job (Cont'd)
Running a Collection Job
Analysis Jobs
Creating an Analysis Job
Running an Analysis Job (Cont'd)
Running an Analysis Job
Creating a Report (Cont'd)
Creating a Report
Demo - Enscripts
Module Flow: Analyzing and Searching Files
Viewing the File Signature Directory
Performing a Signature Analysis
Hash Analysis
Hashing a New Case
Demo - Signature Analysis and Hashing
Creating a Hash Set
Keyword Searches
Creating Global Keywords
Adding Keywords
Importing and Exporting Keywords
Searching Entries for Email and Internet Artifacts
Viewing Search Hits
Generating an Index
Tag Records
Demo - Keyword Searcher
Module Flow: Viewing File Content
Viewing Files
Copying and Unerasing Files (Cont'd)
Copying and Unerasing Files
Adding a File Viewer
Demo - Adding a File Viewer
Viewing File Content Using View Pane
Viewing Compound Files
Viewing Base64 and UUE Encoded Files
Demo - Compound Files
Module Flow: Bookmarking Items
Bookmarks Overview
Creating a Highlighted Data Bookmark
Creating a Note Bookmark
Creating a Folder Information/Structure Bookmark
Creating a Notable File Bookmark
Creating a File Group Bookmark
Creating a Log Record Bookmark
Creating a Snapshot Bookmark
Organizing Bookmarks
Copying/Moving a Table Entry into a Folder
Viewing a Bookmark on the Table Report Tab
Excluding Bookmarks (Cont'd)
Excluding Bookmarks
Copying Selected Items from One Folder to Another
Demo - Bookmarks
Module Flow: Reporting
Reporting
Report User Interface
Creating a Report Using the Report Tab
Report Single/Multiple Files
Viewing a Bookmark Report
Viewing an Email Report
Viewing a Webmail Report
Viewing a Search Hits Report
Creating a Quick Entry Report
Creating an Additional Fields Report
Exporting a Report
Demo - Reporting
Module 12 Review
Module 13 - Steganography and Image File Forensics
Module Flow: Steganography
What is Steganography?
How Steganography Works
Legal Use of Steganography
Unethical Use of Steganography
Module Flow: Steganography Techniques
Steganography Techniques
Application of Steganography
Classification of Steganography
Technical Steganography
Linguistic Steganography (Cont'd)
Linguistic Steganography
Types of Steganography
Image Steganography
Least Significant Bit Insertion
Masking and Filtering
Algorithms and Transformation
Image Steganography: Hermetic Stego
Steganography Tool: S-Tools
Image Steganography Tools
Audio Steganography
Audio Steganography Methods (Cont'd)
Audio Steganography Methods
Audio Steganography: Mp3stegz
Audio Steganography Tools
Video Steganography
Video Steganography: MSU StegoVideo
Video Steganography Tools
Document Steganography: wbStego
Byte Shelter I
Document Steganography Tools
Whitespace Steganography Tool: SNOW
Folder Steganography: Invisible Secrets 4
Demo - Invisible Secrets
Folder Steganography Tools
Spam/Email Steganography: Spam Mimic
Steganographic File System
Issues in Information Hiding
Module Flow: Steganalysis
Steganalysis
How to Detect Steganography (Cont'd)
How to Detect Steganography
Detecting Text, Image, Audio, and Video Steganography (Cont'd)
Detecting Text, Image, Audio, and Video Steganography
Steganalysis Methods/Attacks on Steganography
Disabling or Active Attacks
Steganography Detection Tool: Stegdetect
Steganography Detection Tools
Demo - Steg Detection
Module Flow: Image Files
Image Files
Common Terminologies
Understanding Vector Images
Understanding Raster Images
Metafile Graphics
Understanding Image File Formats
GIF (Graphics Interchange Format) (Cont'd)
GIF (Cont'd)
GIF
JPEG (Joint Photographic Experts Group)
JPEG Files Structure (Cont'd)
JPEG Files Structure
JPEG 2000
BMP (Bitmap) File
BMP File Structure
PNG (Portable Network Graphics)
PNG File Structure
TIFF (Tagged Image File Format)
TIFF File Structure (Cont'd)
TIFF File Structure
Module Flow: Data Compression
Understanding Data Compression
How Does File Compression Work?
Lossless Compression
Huffman Coding Algorithm (Cont'd)
Huffman Coding Algorithm
Lempel-Ziv Coding Algorithm (Cont'd)
Lempel-Ziv Coding Algorithm
Lossy Compression
Vector Quantization
Module Flow: Locating and Recovering Image Files
Best Practices for Forensic Image Analysis
Forensic Image Processing Using MATLAB
Advantages of MATLAB
MATLAB Screenshot
Locating and Recovering Image Files
Analyzing Image File Headers
Repairing Damaged Headers (Cont'd)
Repairing Damaged Headers
Reconstructing File Fragments
Identifying Unknown File Formats
Identifying Image File Fragments
Identifying Copyright Issues on Graphics
Picture Viewer: IrfanView
Picture Viewer: ACDSee Photo Manager 12
Picture Viewer: Thumbsplus
Picture Viewer: AD Picture Viewer Lite
Picture Viewer Max
Picture Viewer: FastStone Image Viewer
Picture Viewer: XnView
Demo - Picture Viewers
Faces - Sketch Software
Digital Camera Data Discovery Software: File Hound
Module Flow: Image File Forensics Tools
Hex Workshop
GFE Stealth - Forensics Graphics File Extractor
Ilook
Adroit Photo Forensics 2011
Digital Photo Recovery
Digital Photo Recovery Screenshots
Stellar Phoenix Photo Recovery Software
Zero Assumption Recovery (ZAR)
Photo Recovery Software
Forensic Image Viewer
File Finder
DiskGetor Data Recovery
DERescue Data Recovery Master
Recover My Files
Universal Viewer
Module 13 Review
Module 14 - Application Password Crackers
Module Flow: Password Cracking Concepts
Password - Terminology
Password Types
Password Cracker
How Does a Password Cracker Work?
How Hash Passwords are Stored in Windows SAM
Module Flow: Types of Password Attacks
Password Cracking Techniques
Types of Password Attacks
Passive Online Attacks: Wire Sniffing
Password Sniffing
Passive Online Attack: Man-in-the-Middle and Replay Attack
Active Online Attack: Password Guessing
Active Online Attack: Trojan/Spyware/keylogger
Active Online Attack: Hash Injection Attack
Rainbow Attacks: Pre-Computed Hash
Distributed Network Attack
Elcomsoft Distributed Password Recovery
Non-Electronic Attacks
Manual Password Cracking (Guessing)
Automatic Password Cracking Algorithm
Time Needed to Crack Passwords
Classification of Cracking Software
Systems Software vs. Applications Software
Module Flow: System Software Password Cracking
System Software Password Cracking
Bypassing BIOS Passwords
Using Manufacturer's Backdoor Password to Access the BIOS
Using Password Cracking Software
CmosPwd
Resetting the CMOS using the Jumpers or Solder Beads
Removing CMOS Battery
Overloading the Keyboard Buffer and Using a Professional Service
Tool to Reset Admin Password: Active@ Password Changer
Tool to Reset Admin Password: Windows Key
Module Flow: Application Software Password Cracking
Passware Kit Forensic
Accent Keyword Extractor
Distributed Network Attack
Password Recovery Bundle
Advanced Office Password Recovery
Office Password Recovery
Office Password Recovery Toolbox
Office Multi-document Password Cracker
Word Password Recovery Master
Accent WORD Password Recovery
Word Password
PowerPoint Password Recovery
PowerPoint Password
Powerpoint Key
Stellar Phoenix Powerpoint Password Recovery
Excel Password Recovery Master
Accent EXCEL Password Recovery
Excel Password
Advanced PDF Password Recovery
PDF Password Cracker
PDF Password Cracker Pro
Atomic PDF Password Recovery
PDF Password
Recover PDF Password
Appnimi PDF Password Recovery
Advanced Archive Password Recovery
KRyLack Archive Password Recovery
Zip Password
Atomic ZIP Password Recovery
RAR Password Unlocker
Demo - Office Password Cracking
Default Passwords
http://www.defaultpassword.com
http://www.cirt.net/passwords
http://default-password.info
http://www.defaultpassword.us
http://www.passwordsdatabase.com
http://www.virus.org
Module Flow: Password Cracking Tools
L0phtCrack
OphCrack
Cain & Abel
RainbowCrack
Windows Password Unlocker
Windows Password Breaker
SAMInside
PWdump7 and Fgdump
Password Cracking Tools
Demo - System Password Cracking
Module 14 Review
Module 15 - Log Capturing and Event Correlation
Module Flow: Computer Security Logs
Computer Security Logs
Operating System Logs
Application Logs
Security Software Logs
Router Log Files
Honeypot Logs
Linux Process Accounting
Logon Event in Windows
Windows Log File
Configuring Windows Logging
Analyzing Windows Logs
Windows Log File: System Logs
Windows Log Files: Application Logs
Logon Events that appear in the Security Event Log (Cont'd)
Logon Events that appear in the Security Event Log
Demo - Windows Event Viewer
IIS Logs
IIS Log File Format
Maintaining Credible IIS Log Files
Log File Accuracy
Log Everything
Keeping Time
UTC Time
View the DHCP Logs
Sample DHCP Audit Log File
ODBC Logging
Module Flow: Logs and Legal Issues
Legality of Using Logs (Cont'd)
Legality of Using Logs
Records of Regularly Conducted Activity as Evidence
Laws and Regulations
Module Flow: Log Management
Log Management
Functions of Log Management
Challenges in Log Management
Meeting the Challenges in Log Management
Module Flow: Centralized Logging and Syslogs
Centralized Logging
Centralized Logging Architecture
Steps to Implement Central Logging
Syslog
Syslog in Unix-Like Systems
Steps to Set Up a Syslog Server for Unix Systems
Advantages of Centralized Syslog Server
IIS Centralized Binary Logging
Module Flow: Time Synchronization
Why Synchronize Computer Times?
What is NTP?
NTP Stratum Levels (Cont'd)
NTP Stratum Levels
NIST Time Servers (Cont'd)
NIST Time Servers
Configuring Time Server in Windows Server
Module Flow: Event Correlation
Event Correlation
Types of Event Correlation
Prerequisites for Event Correlation
Event Correlation Approaches (Cont'd)
Event Correlation Approaches
Module Flow: Log Capturing and Analysis Tools
GFI EventsManager
GFI EventsManager Screenshot
Activeworx Security Center
EventLog Analyzer
EventLog Analyzer Screenshot
Syslog-ng OSE
Syslog-ng Screenshot
Kiwi Syslog Server
Kiwi Syslog Server Screenshot
WinSyslog
Firewall Analyzer: Log Analysis Tool
Firewall Analyzer Architecture
Firewall Analyzer Screenshot
Activeworx Log Center
EventReporter
Kiwi Log Viewer
Event Log Explorer
WebLog Expert
XpoLog Center Suite
XpoLog Center Suite Screenshot
ELM Event Log Monitor
EventSentry
LogMeister
LogViewer Pro
WinAgents EventLog Translation Service
EventTracker Enterprise
Corner Bowl Log Manager
Ascella Log Monitor Plus
FLAG - Forensic and Log Analysis GUI
FLAG Screenshot
Simple Event Correlator (SEC)
OSSEC
Module 15 Review
Module 16 - Network Forensics, Investigating Logs and Investigating Network Traffic
Module Flow: Network Forensics
Network Attack Statistics
Network Forensics
Network Forensics Analysis Mechanism
Network Addressing Schemes
Overview of Network Protocols
Overview of Physical and Data-Link Layer of the OSI Model
Overview of Network and Transport Layer of the OSI Model
OSI Reference Model
TCP/IP Protocol
Intrusion Detection Systems (IDS) and Their Placement
How IDS Works
Types of Intrusion Detection Systems
General Indications of Intrusions
Firewall
Honeypot
Module Flow: Network Attacks
Network Vulnerabilities
Types of Network Attacks
IP Address Spoofing
Man-in-the-Middle Attack
Packet Sniffing
How a Sniffer Works
Enumeration
Denial of Service Attack
Session Sniffing
Buffer Overflow
Trojan Horse
Module Flow: Log Injection Attacks
New Line Injection Attack
New Line Injection Attack Countermeasure
Separator Injection Attack (Cont'd)
Separator Injection Attack
Defending Separator Injection Attacks
Timestamp Injection Attack (Cont'd)
Timestamp Injection Attack
Defending Timestamp Injection Attacks
Word Wrap Abuse Attack
Defending Word Wrap Abuse Attacks
HTML Injection Attack
Defending HTML Injection Attacks
Terminal Injection Attack
Defending Terminal Injection Attacks
Module Flow: Investigating and Analyzing Logs
Postmortem and Real-Time Analysis
Where to Look for Evidence
Log Capturing Tool: ManageEngine EventLog Analyzer
Log Capturing Tool: ManageEngine Firewall Analyzer
Log Capturing Tool: GFI EventsManager
GFI EventsManager Screenshot
Log Capturing Tool: Kiwi Syslog Server
Kiwi Syslog Server Screenshot
Handling Logs as Evidence
Log File Authenticity
Demo - Kiwi Log Viewer
Use Signatures, Encryption, and Checksums
Work with Copies
Ensure System's Integrity
Access Control
Chain of Custody
Condensing Log File
Module Flow: Investigating Network Traffic
Why Investigate Network Traffic?
Evidence Gathering via Sniffing
Capturing Live Data Packets Using Wireshark
Wireshark Screenshot
Display Filters in Wireshark
Additional Wireshark Filters
Demo - Wireshark
Acquiring Traffic Using DNS Poisoning Techniques
Intranet DNS Spoofing (Local Network)
Intranet DNS Spoofing (Remote Network)
Proxy Server DNS Poisoning
DNS Cache Poisoning
Evidence Gathering from ARP Table
Evidence Gathering at the Data-Link Layer: DHCP Database
Gathering Evidence by IDS
Module Flow: Traffic Capturing and Analysis Tools
NetworkMiner
Tcpdump/Windump
Intrusion Detection Tool: Snort
How Snort Works
IDS Policy Manager
MaaTec Network Analyzer
Iris Network Traffic Analyzer
NetWitness Investigator
NetWitness Investigator Screenshot
Colasoft Capsa Network Analyzer
Sniff - O - Matic
NetResident
Network Probe
NetFlow Analyzer
OmniPeek Network Analyzer
Firewall Evasion Tool: Traffic IQ Professional
NetworkView
CommView
Observer
SoftPerfect Network Protocol Analyzer
EffeTech HTTP Sniffer
Big-Mother
EtherDetect Packet Sniffer
Ntop
EtherApe
Demo - Nmap
AnalogX Packetmon
IEInspector HTTP Analyzer
SmartSniff
Distinct Network Monitor
Give Me Too
EtherSnoop
Show Traffic
Argus
Documenting the Evidence Gathered on a Network
Module 16 Review
Module 17 - Investigating Wireless Attacks
Module Flow: Wireless Technologies
Wi-Fi Usage Statistics in the US
Wireless Networks
Wireless Terminologies
Wireless Components
Types of Wireless Networks
Wireless Standards
MAC Filtering
Service Set Identifier (SSID)
Types of Wireless Encryption: WEP
Types of Wireless Encryption: WPA
Types of Wireless Encryption: WPA2
WEP vs. WPA vs. WPA2
Module Flow: Wireless Attacks
Wi-Fi Chalking
Wi-Fi Chalking Symbols
Access Control Attacks (Cont'd)
Access Control Attacks
Integrity Attacks (Cont'd)
Integrity Attacks
Confidentiality Attacks (Cont'd)
Confidentiality Attacks
Availability Attacks (Cont'd)
Availability Attacks
Authentication Attacks (Cont'd)
Authentication Attacks
Module Flow: Investigating Wireless Attacks
Key Points to Remember
Steps for Investigation
Obtain a Search Warrant
Identify Wireless Devices at Crime Scene (Cont'd)
Identify Wireless Devices at Crime Scene
Search for Additional Devices
Detect Rogue Access Point
Document the Scene and Maintain a Chain of Custody
Detect the Wireless Connections
Methodologies to Detect Wireless Connections
Wi-Fi Discovery Tool: inSSIDer
GPS Mapping
GPS Mapping Tool: WIGLE
GPS Mapping Tool: Skyhook
How to Discover Wi-Fi Networks Using Wardriving
Check for MAC Filtering (Cont'd)
Check for MAC Filtering
Changing the MAC Address (Cont'd)
Changing the MAC Address
Detect WAPs Using the Nessus Vulnerability Scanner
Capturing Wireless Traffic
Sniffing Tool: Wireshark
Follow TCP Stream in Wireshark
Display Filters in Wireshark
Additional Wireshark Filters
Determine Wireless Field Strength: FSM
Determine Wireless Field Strength: ZAP Checker Products
What is Spectrum Analysis?
Map Wireless Zones and Hotspots
Connect to the Wireless Access Point (Cont'd)
Connect to the Wireless Access Point
Access Point Data Acquisition and Analysis: Attached Devices
Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
Access Point Data Acquisition and Analysis
Firewall Analyzer
Firewall Log Analyzer
Wireless Devices Data Acquisition and Analysis (Cont'd)
Wireless Devices Data Acquisition and Analysis
Report Generation
Module Flow: Features of a Good Wireless Forensics Tool
Features of a Good Wireless Forensics Tool (Cont'd)
Features of a Good Wireless Forensics Tool
Module Flow: Wireless Forensics Tools
Wi-Fi Discovery Tool: NetStumbler
Demo - inSSIDer NetStumbler
Wi-Fi Discovery Tool: NetSurveyor
Wi-Fi Discovery Tool: Vistumbler
Wi-Fi Discovery Tool: WirelessMon
Wi-Fi Discovery Tool: Kismet
Wi-Fi Discovery Tool: AirPort Signal
Wi-Fi Discovery Tools
Wi-Fi Packet Sniffer: OmniPeek (Cont'd)
Wi-Fi Packet Sniffer: OmniPeek
Wi-Fi Packet Sniffer: CommView for WiFi
Wi-Fi USB Dongle: AirPcap
Wi-Fi Packet Sniffer: Wireshark with AirPcap
Wi-Fi Packet Sniffer: tcpdump
tcpdump Commands (Cont'd)
tcpdump Commands
Wi-Fi Packet Sniffer: KisMAC
Aircrack-ng Suite
Demo - AirCrack
AirMagnet WiFi Analyzer
Wardriving Tools
RF Monitoring Tools
Wi-Fi Connection Manager Tools
Wi-Fi Traffic Analyzer Tools
Wi-Fi Raw Packet Capturing Tools / Wi-Fi Spectrum Analyzing Tools
Module 17 Review
Module 18 - Investigating Web Attacks
Module Flow: Introduction to Web Applications and Web Servers
Web Application Security Statistics
Webserver Market Shares
Introduction to Web Applications
Web Application Components
How Web Applications Work
Web Application Architecture
Open Source Web Server Architecture
Indications of a Web Attack
Web Attack Vectors
Why Web Servers are Compromised
Impact of Web Server Attacks
Website Defacement
Case Study
Module Flow: Web Logs
Overview of Web Logs
Application Logs
Internet Information Services (IIS) Logs
IIS Web Server Architecture
IIS Log File Format
Apache Web Server Logs
DHCP Server Logs
Module Flow: Web Attacks
Web Attacks - 1
Web Attacks - 2
Unvalidated Input
Parameter/Form Tampering
Directory Traversal
Security Misconfiguration
Injection Flaws
SQL Injection Attacks
Command Injection Attacks
Command Injection Example
File Injection Attack
What is LDAP Injection?
How LDAP Injection Works
Hidden Field Manipulation Attack
Cross-Site Scripting (XSS) Attacks
How XSS Attacks Work
Cross-Site Request Forgery (CSRF) Attack
How CSRF Attacks Work
Web Application Denial-of-Service (DoS) Attack
Denial of Service (DoS) Examples
Buffer Overflow Attacks
Cookie/Session Poisoning
How Cookie Poisoning Works
Session Fixation Attack
Insufficient Transport Layer Protection
Improper Error Handling
Insecure Cryptographic Storage
Broken Authentication and Session Management
Unvalidated Redirects and Forwards
DMZ Protocol Attack/ Zero Day Attack
Log Tampering
URL Interpretation and Impersonation Attack
Web Services Attack
Web Services Footprinting Attack
Web Services XML Poisoning
Web Server Misconfiguration
Example
HTTP Response Splitting Attack
Web Cache Poisoning Attack
HTTP Response Hijacking
SSH Bruteforce Attack
Man-in-the-Middle Attack
Defacement Using DNS Compromise
Module Flow: Web Attack Investigation
Investigating Web Attacks
Investigating Web Attacks in Windows-Based Servers (Cont'd)
Investigating Web Attacks in Windows-Based Servers
Investigating IIS Logs
Investigating Apache Logs (Cont'd)
Investigating Apache Logs
Example of FTP Compromise
Investigating FTP Servers
Investigating Static and Dynamic IP Addresses
Sample DHCP Audit Log File
Investigating Cross-Site Scripting (XSS) (Cont'd)
Investigating Cross-Site Scripting (XSS)
Investigating SQL Injection Attacks (Cont'd)
Investigating SQL Injection Attacks
Pen-Testing CSRF Validation Fields
Investigating Code Injection Attack
Investigating Cookie Poisoning Attack
Detecting Buffer Overflow
Investigating Authentication Hijacking
Web Page Defacement
Investigating DNS Poisoning
Intrusion Detection
Security Strategies for Web Applications
Checklist for Web Security
Module Flow: Web Attack Detection Tools
Demo - Nessus
Web Application Security Tool: Acunetix Web Vulnerability Scanner
Web Application Security Tool: Falcove Web Vulnerability Scanner
Web Application Security Tool: Netsparker
Web Application Security Tool: N-Stalker Web Application Security Scanner
Web Application Security Tool: Sandcat
Web Application Security Tool: Wikto
Web Application Security Tools: WebWatchBot
Web Application Security Tool: OWASP ZAP
Web Application Security Tool: SecuBat Vulnerability Scanner
Web Application Security Tool: Websecurify
Web Application Security Tool: HackAlert
Web Application Security Tool: WebCruiser
Web Application Firewall: dotDefender
Web Application Firewall: IBM AppScan
Web Application Firewall: ServerDefender VP
Web Log Viewer : Deep Log Analyzer
Web Log Viewer: WebLog Expert
Web Log Viewer: AlterWind Log Analyzer
Web Log Viewer: Webalizer
Web Log Viewer: eWebLog Analyzer
Web Log Viewer: Apache Logs Viewer (ALV)
Web Attack Investigation Tool: AWStats
Web Attack Investigation Tools: Paros Proxy
Web Attack Investigation Tools: Scrawlr
Module Flow: Tools for Locating IP Addresses
Whois Lookup (Cont'd)
Whois Lookup Result
SmartWhois
ActiveWhois
LanWhoIs
CountryWhois
CallerIP
Real Hide IP
Demo - Real Hide IP
IP - Address Manager
Pandora FMS
Demo - Whois Lookup
Module 18 Review
Module 19 - Tracking Emails and Investigating Email Crimes
Module Flow: Email System Basics
Email Terminology
Email System
Email Clients
Email Server
SMTP Server
POP3 and IMAP Servers
Email Message
Importance of Electronic Records Management
Module Flow: Email Crimes
Email Crime
Email Spamming
Mail Bombing/Mail Storm
Phishing (Cont'd)
Phishing
Email Spoofing
Crime via Chat Room
Identity Fraud/Chain Letter
Module Flow: Email Headers
Example of Email Header
List of Common Headers (Cont'd)
List of Common Headers
Module Flow: Steps to Investigate
Why to Investigate Emails
Investigating Email Crime and Violation
Obtain a Search Warrant and Seize the Computer and Email Account
Obtain a Bit-by-Bit Image of Email Information
Examine Email Headers
Viewing Email Headers in Microsoft Outlook
Viewing Email Headers in AOL
Viewing Email Headers in Hotmail
Viewing Email Headers in Gmail
Viewing Headers in Yahoo Mail
Forging Headers
Analyzing Email Headers (Cont'd)
Analyzing Email Headers
Email Header Fields
Received: Headers
Demo - Email Headers
Microsoft Outlook Mail
Examining Additional Files (.pst or .ost Files)
Checking the Email Validity
Examine the Originating IP Address
Tracing Back
Tracing Back Web-Based Email
Email Archives
Content of Email Archives
Local Archive (Cont'd)
Local Archive
Server Storage Archive (Cont'd)
Server Storage Archive
Forensic Acquisition of Email Archive (Cont'd)
Forensic Acquisition of Email Archive
Deleted Email Recovery
Module Flow: Email Forensics Tools
Stellar Phoenix Deleted Email Recovery
Recover My Email
Outlook Express Recovery
Zmeil
Quick Recovery for MS Outlook
Email Detective
Email Trace - Email Tracking
R-Mail
FINALeMAIL
eMailTrackerPro
Forensic Tool Kit (FTK)
Paraben's E-mail Examiner
Paraben's Network E-mail Examiner
DiskInternal's Outlook Express Repair
Abuse.Net
MailDetective Tool
Module Flow: Laws and Acts against Email Crimes
U.S. Laws Against Email Crime: CAN-SPAM Act (Cont'd)
U.S. Laws Against Email Crime: CAN-SPAM Act
18 U.S.C. - 2252A
18 U.S.C. - 2252B
Email Crime Law in Washington: RCW 19.190.020
Module 19 Review
Module 20 - Mobile Forensics
Module Flow: Mobile Phones
Smartphone Sales Statistics 2010/2011
Mobile Phone
Different Mobile Devices
Hardware Characteristics of Mobile Devices
Software Characteristics of Mobile Devices
Components of Cellular Network
Cellular Network
Different Cellular Networks
Module Flow: Mobile Operating Systems
Mobile Operating Systems
Types of Mobile Operating Systems
webOS
webOS System Architecture
Symbian OS
Symbian OS Architecture
Android OS
Android OS Architecture
RIM Blackberry OS
Windows Phone 7
Windows Phone 7 Architecture
Apple iOS
Module Flow: Mobile Forensics
What a Criminal Can Do with Mobile Phones
Mobile Forensics
Mobile Forensics Challenges
Forensics Information in Mobile Phones
Memory Considerations in Mobiles
Subscriber Identity Module (SIM)
SIM File System
Integrated Circuit Card Identification (ICCID)
International Mobile Equipment Identifier (IMEI)
Electronic Serial Number (ESN)
Precautions to Be Taken Before Investigation (Cont'd)
Precautions to Be Taken Before Investigation
Module Flow: Mobile Forensics Process
Mobile Forensics Process
Collecting the Evidence
Points to Remember while Collecting the Evidence
Collecting an iPod/iPhone Connected to a Computer
Demo - Mac-based iPods
Demo - Windows-based iPods
Document the Scene and Preserve the Evidence (Cont'd)
Document the Scene and Preserve the Evidence
Imaging and Profiling
Acquire the Information
Device Identification
Acquire Data from SIM Cards (Cont'd)
Acquire Data from SIM Cards
Acquire Data from Unobstructed Mobile Devices
Acquire the Data from Obstructed Mobile Devices
Acquire Data from Memory Cards (Cont'd)
Acquire Data from Memory Cards
Acquire Data from Synched Devices
Gather Data from Network Operator
Check Call Data Records (CDRs)
Gather Data from SQLite Record (Cont'd)
Gather Data from SQLite Record
Analyze the Information (Cont'd)
Analyze the Information
Generate Report
Module Flow: Mobile Forensics Software Tools
Oxygen Forensic Suite 2011
MOBILedit! Forensic
MOBILedit! Forensic: Screenshot
BitPim
SIM Analyzer
SIMCon
SIM Card Data Recovery
Memory Card Data Recovery
Device Seizure
SIM Card Seizure
ART (Automatic Reporting Tool)
iPod Data Recovery Software
Recover My iPod
PhoneView
Elcomsoft Blackberry Backup Explorer
Oxygen Phone Manager II
Sanmaxi SIM Recoverer
Mobile Forensics Tools
Demo - Mobile Forensic Software
Module Flow: Mobile Forensics Hardware Tools
Secure View Kit
Deployable Device Seizure (DDS)
Paraben's Mobile Field Kit
PhoneBase
XACT System
Logicube CellDEK
Logicube CellDEK TEK
RadioTactics ACESO
UME-36Pro - Universal Memory Exchanger
Cellebrite UFED System - Universal Forensic Extraction Device
ZRT 2
ICD 5200
ICD 1300
Module 20 Review
Module 21 - Investigative Reports
Module Flow: Computer Forensics Report
Computer Forensics Report
Salient Features of a Good Report (Cont'd)
Salient Features of a Good Report
Aspects of a Good Report
Module Flow: Computer Forensics Report Template
Computer Forensics Report Template (Cont'd)
Computer Forensics Report Template
Simple Format of the Chain of Custody Document
Chain of Custody Forms (Cont'd)
Chain of Custody Forms
Evidence Collection Form
Computer Evidence Worksheet (Cont'd)
Computer Evidence Worksheet
Hard Drive Evidence Worksheet (Cont'd)
Hard Drive Evidence Worksheet
Removable Media Worksheet
Module Flow: Investigative Report Writing
Report Classification
Layout of an Investigative Report
Layout of an Investigative Report: Numbering
Report Specifications
Guidelines for Writing a Report
Use of Supporting Material
Importance of Consistency
Investigative Report Format
Attachments and Appendices
Include Metadata
Signature Analysis
Investigation Procedures
Collecting Physical and Demonstrative Evidence
Collecting Testimonial Evidence
Do's and Don'ts of Computer Forensics Investigations
Case Report Writing and Documentation
Creating a Report to Attach to the Media Analysis Worksheet
Best Practices for Investigators
Module Flow: Sample Forensics Report
Sample Forensics Report
Sample Forensics Report 1 (1 of 5)
Sample Forensics Report 1 (2 of 5)
Sample Forensics Report 1 (3 of 5)
Sample Forensics Report 1 (4 of 5)
Sample Forensics Report 1 (5 of 5)
Sample Forensics Report 2 (1 of 3)
Sample Forensics Report 2 (2 of 3)
Sample Forensics Report 2 (3 of 3)
Module Flow: Report Writing Using Tools
Writing Report Using FTK (1 of 10)
Writing Report Using FTK (2 of 10)
Writing Report Using FTK (3 of 10)
Writing Report Using FTK (4 of 10)
Writing Report Using FTK (5 of 10)
Writing Report Using FTK (6 of 10)
Writing Report Using FTK (7 of 10)
Writing Report Using FTK (8 of 10)
Writing Report Using FTK (9 of 10)
Writing Report Using FTK (10 of 10)
Writing Report Using ProDiscover (1 of 7)
Writing Report Using ProDiscover (2 of 7)
Writing Report Using ProDiscover (3 of 7)
Writing Report Using ProDiscover (4 of 7)
Writing Report Using ProDiscover (5 of 7)
Writing Report Using ProDiscover (6 of 7)
Writing Report Using ProDiscover (7 of 7)
Demo - Investigative Reports
Module 21 Review
Module 22 - Becoming an Expert Witness
Module Flow: Expert Witness
What is an Expert Witness?
Role of an Expert Witness
What Makes a Good Expert Witness?
Module Flow: Types of Expert Witnesses
Types of Expert Witnesses
Computer Forensics Experts
Role of Computer Forensics Expert
Medical & Psychological Experts
Civil Litigation Experts
Construction & Architecture Experts
Criminal Litigation Experts
Module Flow: Scope of Expert Witness Testimony
Scope of Expert Witness Testimony (Cont'd)
Scope of Expert Witness Testimony
Technical Witness vs. Expert Witness
Preparing for Testimony
Module Flow: Evidence Processing
Evidence Preparation and Documentation
Evidence Processing Steps (Cont'd)
Evidence Processing Steps
Checklists for Processing Evidence
Examining Computer Evidence
Prepare the Report
Evidence Presentation
Module Flow: Rules for Expert Witness
Rules Pertaining to an Expert Witness's Qualifications (Cont'd)
Rules Pertaining to an Expert Witness' Qualification
Daubert Standard
Frye Standard
Importance of Resume
Testifying in the Court
The Order of Trial Proceedings
Module Flow: General Ethics While Testifying
General Ethics While Testifying
Importance of Graphics in a Testimony
Helping your Attorney
Avoiding Testimony Issues
Testifying during Direct Examination (Cont'd)
Testifying during Direct Examination
Testifying during Cross-Examination
Deposing
Recognizing Deposition Problems
Guidelines to Testifying at a Deposition
Dealing with Media
Finding a Computer Forensics Expert
Learn More…
Module 22 Review
Course Closure



MCITP Training
Shopping Cart
Your cart is empty.

Need More IT Certification Online 

Training 

Courses?

Win A Free Course

Our Reputation Speaks for Itself!

"I have worked with Career Academy in many different formats over the last 8 years. I have been an instructor in their products, a reseller, and a business partner. I have been continually impressed with Career Academy's professionalism, quality of products, and ethics. Their whole team works very hard on all fronts and treats their customers and partners with respect. Career Academy is certainly one of the 'good guys' in the industry who can be trusted to do the right thing by all. "

Shon Harris
President
Logical Security
Author of Best Selling
"CISSP All-in-One Exam Guide"


"New Horizons of Columbus, Omaha, Memphis, Pittsburgh, Lincoln, Atlanta, Indianapolis, and Nashville's addition of Career Academy's VideoTrainer learning systems has given us the ability to offer our students an additional training venue. The Remote Mentored Learning capabilities offered by Career Academy have helped revolutionize our virtual training delivery worldwide. Career Academy's Video Learning Solution through New Horizons Computer Learning Centers delivery gives our customers what they want, how they want and when they want with quality delivery."

Bob Outlaw
Director/General Manager
New Horizons of Omaha and Lincoln

  • See More...