EC-Council Computer Hacking Forensic Investigator v2

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or for recovering deleted, encrypted, or damaged file information. Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases. Electronic evidence is critical in the following situations:

• Disloyal employees
• Computer break-ins
• Possession of pornography
• Breach of contract
• Industrial espionage
• E-mail fraud
• Bankruptcy
• Disputed dismissals
• Web page defacements
• Theft of company documents

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client's systems, to tracing the originator of defamatory e-mails, to recovering signs of fraud. The CHFI course will provide participants with the necessary skills to identify an intruder's footprints and to properly gather the evidence needed to prosecute in a court of law.
The CHFI course will benefit:

• Police and other law enforcement personnel
• Defense and military personnel
• e-Business security professionals
• Systems administrators
• Legal professionals
• Banking, insurance and other professionals
• Government agencies
• IT managers

Course Description

The CHFI course will give participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute. Many of today's top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as with the home user, has given way to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be compromised (hacked)?" but rather "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber-criminal, then this is the course for you.

Who Should Attend

Police and other law enforcement personnel, defense and military personnel, e-Business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies, IT managers.

Duration: 5 days (9:00 – 5:00)

Certification

The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CHFI certification.

Course Outline v2

Module I: Computer Forensics in Today's World
Introduction
History of Forensics
Definition of Forensic Science
Definition of Computer Forensics
What Is Computer Forensics?
Need for Computer Forensics
Evolution of Computer Forensics
Computer Forensics Flaws and Risks
Corporate Espionage Statistics
Modes of Attacks
Cyber Crime
Examples of Cyber Crime
Reasons for Cyber Attacks
Role of Computer Forensics in Tracking Cyber Criminals
Rules of Computer Forensics
Computer Forensics Methodologies
Accessing Computer Forensics Resources
Preparing for Computing Investigations
Maintaining Professional Conduct
Understanding Enforcement Agency Investigations
Understanding Corporate Investigations
Investigation Process
Digital Forensics

Module II: Law and Computer Forensics
What Is Cyber Crime?
What Is Computer Forensics?
Computer-Facilitated Crimes
Reporting Security Breaches to Law Enforcement
National Infrastructure Protection Center
FBI
Federal Statutes
Cyber Laws
Approaches to Formulating Cyber Laws
Scientific Working Group on Digital Evidence (SWGDE)
Federal Laws
The USA PATRIOT Act of 2001
Freedom of Information Act
Building a Cyber Crime Case
How the FBI Investigates Computer Crime
How to Initiate an Investigation
Legal Issues Involved in Seizure of Computer Equipment
Searching With a Warrant
Searching Without a Warrant
Privacy Issues Involved in Investigations
International Issues Related to Computer Forensics
Crime Legislation of the EU
Cyber Crime Investigation

Module III: Computer Investigation Process
Investigating Computer Crime
Investigating a Company Policy Violation
Investigation Methodology
Evaluating the Case
Before the Investigation
Document Everything
Investigation Plan
Obtain a Search Warrant
Warning Banners
Shutting Down the Computer
Collecting the Evidence
Confiscation of Computer Equipment
Preserving the Evidence
Importance of Data-Recovery Workstations and Software
Implementing an Investigation
Understanding Bit-stream Copies
Imaging the Evidence Disk
Examining the Digital Evidence
Closing the Case
Case Evaluation

Module IV: Computer Security Incident Response Team
Present Networking Scenario
Vulnerability
Vulnerability Statistics
What Is an Incident?
A Study by CERT Shows Alarming Rise in Incidents (Security Breaches)
How to Identify an Incident
Whom to Report an Incident To
Incident Reporting
Category of Incidents
Handling Incidents
Procedure for Handling an Incident
Preparation
Identification
Containment
Eradication
Recovery
Follow-up
What Is a CSIRT?
Why an Organization Needs an Incident Response Team
Need for CSIRT
Example of CSIRT
CSIRT Vision
Best Practices for Creating a CSIRT
Step 1: Obtain Management Support and Buy-In
Step 2: Determine the CSIRT Development Strategy
Step 3: Gather Relevant Information
Step 4: Design Your CSIRT Vision
Step 5: Communicate the CSIRT Vision
Step 6: Begin CSIRT Implementation
Step 7: Announce the CSIRT
Other Response Teams
Acronyms and CSIRTs Around the World
World CSIRT

Module V: Computer Forensic Laboratory Requirements
Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensic Lab
Work Area of a Computer Forensics Lab
General Configuration of a Forensic Lab
Equipment Needs in a Forensics Lab
Ambience of a Forensics Lab
Environmental Conditions Recommended
Eyestrain Considerations
Structural Design Considerations
Electrical Needs
Communications
Basic Workstation Requirements in a Forensic Lab
Consider Stocking the Following Hardware Peripherals
Maintain Operating System and Application Inventories
Common Terms
Physical Security Recommendations for a Forensic Lab
Fire-Suppression Systems
Evidence Locker Recommendations
Evidence Locker Combination Recommendations
Evidence Locker Padlock Recommendations
Facility Maintenance
Auditing a Computer Forensics Lab
Auditing a Forensics Lab
Forensics Lab: Mid-Sized Lab
Forensic Lab Licensing Requisite
Forensic Lab Manager Responsibilities

Module VI: Understanding File Systems and Hard Disks
Disk Drive Overview - I
Hard Disk
Disk Platter
Tracks
Track Numbering
Sector
Sector Addressing
Cluster
Cluster Size
Slack Space
Lost Clusters
Bad Sector
Understanding File Systems
Types of File System
List of Disk File Systems
List of Network File Systems
Special-Purpose File Systems
Popular Linux File Systems
Sun Solaris 10 File System - ZFS
Windows File Systems
Mac OS X File System
CD-ROM / DVD File System
File System Comparison
Boot Sector
Exploring Microsoft File Structures
Disk Partition Concerns
Boot Partition Concerns
Examining FAT
NTFS
NTFS System Files
NTFS Partition Boot Sector
NTFS Master File Table (MFT)
NTFS Attributes
NTFS Data Stream
NTFS Compressed Files
NTFS Encrypting File System (EFS)
EFS File Structure
Master File Table (MFT)
EFS Recovery Key Agent
Deleting NTFS Files
Understanding Microsoft Boot Tasks
Windows XP System Files
Understanding the Boot Sequence
DOS
Understanding MS-DOS Startup Tasks
Other DOS Operating Systems
Registry Data
Examining Registry Data

Module VII: Windows Forensics
Locating Evidence on Windows Systems
Gathering Volatile Evidence
PsList
Forensic Tool: Fport
Forensic Tool: PsLoggedOn
Investigating Windows File Slack
Examining File Systems
Built-in Tool: Sigverif
Word Extractor
Checking the Registry
Reglite.exe
Tool: Resplendent Registrar 3.30
Microsoft Security ID
Importance of a Memory Dump
Manual Memory Dumping in Windows 2000
Memory Dumping in Windows XP and PMDump
System State Backup
How to Create a System State Backup
Investigating Internet Traces
Tool: IECookiesView
Tool: IE History Viewer
Forensic Tool: Cache Monitor
CD-ROM Bootable Windows XP
BartPE
Ultimate Boot CD-ROM
List of Tools in Ultimate Boot CD-ROM
Desktop Utilities
File Analysis Tools
File Management Tools
File Recovery Tools
File Transfer Tools
Hardware Info Tools
Process Viewer Tools
Registry Tools

Module VIII: Linux and Macintosh Boot Processes
UNIX Overview
Linux Overview
Understanding Volumes - I
Exploring Unix/Linux Disk Data Structures
Understanding the Unix/Linux Boot Process
Understanding the Linux Loader
Linux Boot Process Steps
Step 1: The Boot Manager
Step 2: init
Step 2.1: /etc/inittab Runlevels
Step 3: Services
Understanding Permission Modes
Unix and Linux Disk Drives and Partitioning Schemes
Mac OS X
Mac OS X Hidden Files
Booting Mac OS X
Mac OS X Boot Options
The Mac OS X Boot Process
Installing Mac OS X on Windows XP
PearPC
MacQuisition Boot CD

Module IX: Linux Forensics
Use of Linux as a Forensics Tool
Recognizing Partitions in Linux
File System in Linux
Linux Boot Sequence
Linux Forensics
Case Example
Step-by-Step Approach to Case 1 (a)
Step-by-Step Approach to Case 1 (b)
Step-by-Step Approach to Case 1 (c)
Step-by-Step Approach to Case 1 (d)
Case 2
Challenges in Disk Forensics with Linux
Step-by-Step Approach to Case 2 (a)
Step-by-Step Approach to Case 2 (b)
Step-by-Step Approach to Case 2 (c)
Popular Linux Tools

Module X: Data Acquisition and Duplication
Determining the Best Acquisition Methods
Data Recovery Contingencies
MS-DOS Data Acquisition Tools
DriveSpy
DriveSpy Data Manipulation Commands
DriveSpy Data Preservation Commands
Using Windows Data Acquisition Tools
Data Acquisition Tool: AccessData FTK Explorer
FTK
Acquiring Data on Linux
dd.exe (Windows XP Version)
Data Acquisition Tool: SnapBack Exact / DatArrest
Data Acquisition Tool: SafeBack
Data Acquisition Tool: EnCase
Need for Data Duplication
Data Duplication Tool: R-Drive Image
Data Duplication Tool: DriveLook
Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files
Introduction
Digital Evidence
Recycle Bin in Windows
Recycle Hidden Folder
Recycle Folder
How to Undelete a File
Tool: Search and Recover
Tool: Zero Assumption Digital Image Recovery
Data Recovery in Linux
Data Recovery Tool: E2undel
Data Recovery Tool: O&O UnErase
Data Recovery Tool: Restorer 2000
Data Recovery Tool: BadCopy Pro
Data Recovery Tool: File Scavenger
Data Recovery Tool: Mycroft V3
Data Recovery Tool: PC ParaChute
Data Recovery Tool: Stellar Phoenix
Data Recovery Tool: FileSaver
Data Recovery Tool: Virtual Lab
Data Recovery Tool: R-Linux
Data Recovery Tool: Drive and Data Recovery
Data Recovery Tool: Active@ UNERASER
Data Recovery Tool: Acronis Recovery Expert
Data Recovery Tool: Restoration
Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics
Introduction to Image Files
Recognizing an Image File
Understanding Bitmap and Vector Images
Metafile Graphics
Understanding Image File Formats
File Types
Understanding Data Compression
Understanding Lossless and Lossy Compression
Locating and Recovering Image Files
Repairing Damaged Headers
Reconstructing File Fragments
Identifying Unknown File Formats
Analyzing Image File Headers
Picture Viewer: IrfanView
Picture Viewer: ACDSee
Picture Viewer: ThumbsPlus
Steganography in Image Files
Steganalysis Tool: Hex Workshop
Steganalysis Tool: S-Tools
Identifying Copyright Issues with Graphics

Module XIII: Steganography
Introduction
Important Terms in Stego-Forensics
Background Information on Image Steganography
Steganography History
Evolution of Steganography
Steps for Hiding Information in Steganography
Six Categories of Steganography in Forensics
Types of Steganography
What Is Watermarking?
Classification of Watermarking
Types of Watermarks
Steganographic Detection
Steganographic Attacks
Real-World Uses of Steganography
Steganography in the Future
Unethical Use of Steganography
Hiding Information in Text Files
Hiding Information in Image Files
Process of Hiding Information in Image Files
Least Significant Bit
Masking and Filtering
Algorithms and Transformation
Hiding Information in Audio Files
Low-Bit Encoding in Audio Files
Phase Coding
Spread Spectrum
Echo Data Hiding
Hiding Information in DNA
TEMPEST
The Steganography Tree
Steganography Tool: Fort Knox
Steganography Tool: Blindside
Steganography Tool: S-Tools
Steganography Tool: Steghide
Steganography Tool: Digital Identity
Steganography Tool: Stegowatch
Tool: Image Hide
Data Stash
Tool: MP3Stego
Tool: Snow.exe
Tool: Camera/Shy
Steganography Detection

Module XIV: Computer Forensic Tools
Dump Tool: DS2DUMP
Dump Tool: Chaosreader
Slack Space & Data Recovery Tools: DriveSpy
Slack Space & Data Recovery Tools: Ontrack
Hard Disk Write Protection Tools: PDBlock
Hard Disk Write Protection Tools: NoWrite & FireWire DriveDock
Permanent Deletion of Files: PDWipe
Disk Imaging Tools: Image & IXimager
Disk Imaging Tools: SnapBack DatArrest
Partition Managers: PART & Explore2fs
Linux/Unix Tools: LTOOLS and Mtools
Linux/Unix Tools: TCT and TCTUTILs
Password Recovery Tool: @stake
ASRData SMART
Screenshot
Ftime
Oxygen Phone Manager
Multipurpose Tools: Byte Back & Biaprotect
Multipurpose Tools: Maresware
Multipurpose Tools: LC Technologies Software
Multipurpose Tools: WinHex Specialist Edition
Multipurpose Tools: ProDiscover DFT
Toolkits: NTI Tools
Toolkits: R-Tools - I
Toolkits: R-Tools - II
Toolkits: DataLifter
Toolkits: AccessData
LC Technology International Hardware
Screenshot of Forensic Hardware
Image MASSter Solo and FastBloc
RMON2 Tracing Tools and MCI DoSTracker
EnCase

Module XV: Application Password Crackers
Password Terminology
What Is a Password Cracker?
How Does a Password Cracker Work?
Various Password Cracking Methods
Classification of Cracking Software
System-Level Password Cracking
Application Password Cracking
Application Software Password Cracker
Distributed Network Attack - I
Distributed Network Attack - II
Passware Kit
Accent Keyword Extractor
Advanced ZIP Password Recovery
Default Password Database
http://phenoelit.darklab.org/
http://www.defaultpassword.com/
http://www.cirt.net/cgi-bin/passwd.pl
Password Cracking Tools List

Module XVI: Investigating Logs
Audit Logs and Security
Audit Incidents
Syslog
Remote Logging
Linux Process Accounting
Configuring Windows Logging
Setting Up Remote Logging in Windows
NTsyslog
EventReporter
Application Logs
Extended Logging in IIS Server
Examining Intrusion and Security Events
Significance of Synchronized Time
Event Gathering
EventCombMT
Writing Scripts
Event Gathering Tools
Forensic Tool: Fwanalog
End-to-End Forensic Investigation
Correlating Log Files
Investigating TCPDump
IDS Log Analysis: RealSecure
IDS Log Analysis: SNORT

Module XVII: Investigating Network Traffic
Overview of Network Protocols
Sources of Evidence on a Network
Overview of the Physical and Data-Link Layers of the OSI Model
Evidence Gathering at the Physical Layer
Tool: WinDump
Evidence Gathering at the Data-Link Layer
Tool: Ethereal
Tool: NetIntercept
Overview of the Network and Transport Layers of the OSI Model
Evidence Gathering at the Network and Transport Layers - I
Gathering Evidence on a Network
GPRS Network Sniffer: Nokia LIG
NetWitness
McAfee InfiniStream Security Forensics
Snort 2.1.0
Documenting the Gathered Evidence on a Network
Evidence Reconstruction for Investigation

Module XVIII: Router Forensics
What Is a Router?
Functions of a Router
A Router in the OSI Model
Routing Table and Its Components
Router Architecture
Implications of a Router Attack
Types of Router Attacks
Denial of Service (DoS) Attacks
Investigating DoS Attacks
Smurfing: Latest in DoS Attacks
Packet "Mistreating" Attacks
Routing Table Poisoning
Hit-and-Run Attacks vs. Persistent Attacks
Router Forensics vs. Traditional Forensics
Investigating Routers
Chain of Custody
Incident Response & Session Recording
Accessing the Router
Volatile Evidence Gathering
Router Investigation Steps - I
Analyzing the Intrusion
Logging
Incident Forensics
Handling a Direct Compromise Incident
Other Incidents

Module XIX: Investigating Web Attacks
Indications of a Web Attack
Responding to a Web Attack
Overview of Web Logs
Mirrored Sites
N-Stealth
Investigating Static and Dynamic IP Addresses
Tools for Locating an IP Address: Nslookup
Tools for Locating an IP Address: Traceroute
Tools for Locating an IP Address: NeoTrace (now McAfee Visual Trace)
Tools for Locating an IP Address: Whois
Web Page Defacement
Defacement Using DNS Compromise
Investigating DNS Poisoning
SQL Injection Attacks
Investigating SQL Injection Attacks
Investigating FTP Servers
Investigating FTP Logs
Investigating IIS Logs
Investigating Apache Logs
Investigating DHCP Server Log Files

Module XX: Tracking E-mails and Investigating E-mail Crimes
Understanding Internet Fundamentals
Understanding Internet Protocols
Exploring the Roles of the Client and Server in E-mail
E-mail Crime
Spamming, Mail Bombing, Mail Storm
Chat Rooms
Identity Fraud, Chain Letters
Sending Fakemail
Investigating E-mail Crime and Violations
Viewing E-mail Headers
Examining an E-mail Header
Viewing Headers in Microsoft Outlook
Viewing Headers in Eudora
Viewing Headers in Outlook Express
Viewing Headers in AOL
Viewing Headers in Hotmail
Viewing Headers Using Pine for Unix
Viewing Headers in Juno
Viewing Headers in Yahoo
Examining Additional Files
Microsoft Outlook Mail PST File Location
Tracing an E-mail Message
Using Network Logs Related to E-mail
Understanding E-mail Servers
Examining UNIX E-mail Server Logs
Examining Microsoft E-mail Server Logs
Examining Novell GroupWise E-mail Logs
Using Specialized E-mail Forensic Tools
Tool: FINALeMAIL
Tool: R-Mail
E-Mail Examiner by Paraben
Network E-Mail Examiner by Paraben
Tracing Back
Tracing Back Web-Based E-mail
Searching E-mail Addresses
E-mail Search Sites
Handling Spam
Network Abuse Clearinghouse
Abuse.Net
Protecting Your E-mail Address from Spam
Tool: Enkoder Form
Tool: eMailTrackerPro
Tool: SPAM Punisher

Module XXI: Mobile and PDA Forensics
Latest Mobile Phone Access Technologies
Evidence in Mobile Phones
Mobile Phone Forensic Examination Methodology
Examining Phone Internal Memory
Examining the SIM
Examining Flash Memory and Call Data Records
Personal Digital Assistant (PDA)
PDA Components
PDA Forensics
PDA Forensics - Examination
PDA Forensics - Identification
PDA Forensics - Collection
PDA Forensics - Documentation
Points to Be Remembered While Conducting an Investigation
PDA Seizure by Paraben
SIM Card Seizure by Paraben (SIM card acquisition tool)
Forensic Tool: Palm dd (pdd)
Forensic Tool: POSE

Module XXII: Investigating Trademark and Copyright Infringement
Trademarks
Trademark Eligibility and Benefits of Registering It
Service Mark and Trade Dress
Trademark Infringement
Trademark Search
www.uspto.gov
Copyright and Copyright Notice
Investigating the Copyright Status of a Particular Work
How Long Does a Copyright Last?
U.S. Copyright Office
Doctrine of "Fair Use"
How Are Copyrights Enforced?
SCO vs. IBM
SCO vs. Linux
Line-by-Line Copying
Plagiarism
Turnitin
Plagiarism Detection Tools
CopyCatch
Patent
Patent Infringement
Patent Search
Case Study: Microsoft vs. Forgent
Internet Domain Names and ICANN
Domain Name Infringement
Case Study: Microsoft.com vs. MikeRoweSoft.com
How to Check for Domain Name Infringement
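Module XX lists viewing and examining e-mail headers and tracing a message back through the relays it passed, but the outline does not show the mechanics. The Python script below is an added example, not course material and not code from any tool the outline names. It walks the Received: headers of a constructed message (every host name, address, queue ID and timestamp in it is made up) from the bottom up, rebuilds the relay path, and flags the two signs an investigator looks for: a hop whose announced HELO name disagrees with the reverse DNS the receiving server recorded, and a timestamp that runs backwards, which points to a forged header or an unsynchronised server clock (the reason Module XVI stresses synchronized time).

```python
"""Reconstruct and sanity-check an e-mail's relay path from Received: headers.

Added example, not code from the CHFI course. The message is constructed:
every host name, address, queue ID and time in it is made up.
"""
from __future__ import annotations

import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample. Headers are in the order a mail client shows them: the
# top Received: line was added last (by the recipient's server), the bottom
# one first. The bottom line here is a forgery inserted by the sender to make
# the mail look like it originated inside example-bank.com.
SAMPLE_MESSAGE = """\
Received: from mx2.corp.example (mx2.corp.example [192.0.2.10])
\tby mail.corp.example (Postfix) with ESMTP id 4F2A1
\tfor <victim@corp.example>; Mon, 14 Mar 2005 10:02:17 -0500
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx2.corp.example (Postfix) with ESMTP id 9C3B2;
\tMon, 14 Mar 2005 10:02:15 -0500
Received: from smtp.example-bank.com (dsl-pool-42.isp.example [203.0.113.42])
\tby relay.isp.example (Postfix) with SMTP id 7A1D3;
\tMon, 14 Mar 2005 10:02:11 -0500
Received: from mail.example-bank.com (mail.example-bank.com [192.0.2.99])
\tby smtp.example-bank.com (Postfix) with ESMTP id 00001;
\tMon, 14 Mar 2005 10:05:00 -0500
From: "Example Bank" <security@example-bank.com>
To: victim@corp.example
Subject: Verify your account
Message-ID: <20050314150211.7A1D3@relay.isp.example>

Please confirm your password at the link below.
"""

# "from <HELO name> (<reverse DNS> [<IP>]) by <receiving host>": the HELO name
# is whatever the sending host claimed; the part in parentheses is what the
# receiving server itself observed, so that half is the trustworthy one.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def relay_path(raw_message: str) -> list[dict]:
    """Return the hops earliest-first, one dict per parsable Received: header."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        value = " ".join(value.split())                   # unfold continuation lines
        m = RECEIVED_RE.search(value)
        if not m:
            continue                                      # e.g. "Received: by ..." local hops
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else ""
        hops.append({
            "helo": m["helo"].lower(),
            "rdns": (m["rdns"] or "").lower() or None,
            "ip": m["ip"],
            "by": m["by"].lower(),
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def _registered_domain(host: str) -> str:
    """Crude 'last two labels' domain, enough for this comparison."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def helo_mismatches(hops: list[dict]) -> list[int]:
    """Indexes of hops whose claimed HELO name is not in the domain that the
    receiving server resolved for the connecting IP."""
    return [i for i, h in enumerate(hops)
            if h["rdns"] and _registered_domain(h["helo"]) != _registered_domain(h["rdns"])]


def chronology_breaks(hops: list[dict]) -> list[tuple[int, int]]:
    """Pairs (i-1, i) where hop i carries an earlier timestamp than hop i-1.
    Hops are earliest-first, so a break means one of the two headers is forged
    or one server's clock is off; hops below the break need corroborating logs."""
    return [(i - 1, i) for i in range(1, len(hops))
            if hops[i - 1]["time"] and hops[i]["time"]
            and hops[i]["time"] < hops[i - 1]["time"]]


def analyze(raw_message: str) -> dict:
    """Summary an investigator can compare against the claimed From: address."""
    msg = email.message_from_string(raw_message)
    hops = relay_path(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    return {
        "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "hops": hops,
        "helo_mismatches": helo_mismatches(hops),
        "chronology_breaks": chronology_breaks(hops),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    for i, hop in enumerate(result["hops"]):
        print(i, hop["time"], hop["helo"], "->", hop["by"], f"({hop['rdns']} [{hop['ip']}])")
    print("HELO/rDNS mismatches:", result["helo_mismatches"])
    print("chronology breaks:", result["chronology_breaks"])
```

On the sample the script reports hop 1 (the dial-up host that announced itself as smtp.example-bank.com) as the HELO/rDNS mismatch and a chronology break between hops 0 and 1, because the forged bottom line claims a time later than the relay that actually accepted the message. The bottom-most Received: line is the one a sender controls, so only what each receiving server recorded in parentheses is treated as evidence; confirming the true origin still means pulling that relay's own logs for the queue ID, which is what the "Using Network Logs Related to E-mail" item covers.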
Module XXIII: Investigative Reports
Need for an Investigative Report
Report Specification
Report Classification
Report and Opinion
Layout of an Investigative Report
Writing the Report
Use of Supporting Material
Importance of Consistency
Salient Features of a Good Report
Investigative Report Format
Before Writing the Report
Writing a Report Using FTK

Module XXIV: Becoming an Expert Witness
Who Is an Expert?
Who Is an Expert Witness?
Role of an Expert Witness
Technical Testimony vs. Expert Testimony
Preparing for Testimony
Evidence Preparation and Documentation
Evidence Processing Steps
Rules Pertaining to an Expert Witness' Qualification
Importance of a Curriculum Vitae
Technical Definitions
Testifying in Court
The Order of Trial Proceedings
Voir Dire
General Ethics While Testifying - I
Evidence Presentation
Importance of Graphics in a Testimony
Helping Your Attorney
Avoiding Testimony Problems
Testifying During Direct Examination
Testifying During Cross-Examination
Deposition
Guidelines to Testify at a Deposition
Dealing With Reporters

Module XXV: Forensics in Action
E-mail Hoax
Trade Secret Theft
Operation Cyberslam

Appendix

1. Investigating Wireless Attacks
Passive Attacks
NetStumbler
Active Attacks on Wireless Networks
Rogue Access Points
Investigating Wireless Attacks
AirMagnet

2. Forensics Investigation Using EnCase
Evidence File
Evidence File Format
Verifying File Integrity
Hashing
Acquiring an Image
Configuring EnCase
EnCase Options Screen
EnCase Screens
View Menu
Device Tab
Viewing Files and Folders
Bottom Pane
Viewers in Bottom Pane
Status Bar
Searching
Keywords
Adding Keywords
Grouping
Add Multiple Keywords
Starting the Search
Search Hits Tab
Search Hits
Bookmarks
Creating Bookmarks
Adding Bookmarks
Bookmarking Selected Data
Recovering Deleted Files/Folders in a FAT Partition
Recovering Folders in NTFS
Master Boot Record
NTFS Starting Point
Viewing Disk Geometry
Recovering Deleted Partitions
Hash Values
Creating Hash Sets
MD5 Hash
Creating a Hash
Viewers
Signature Analysis
Copying Files and Folders
E-mail Recovery
Reporting
EnCase Boot Disks
IE Cache Images

3. First Responder Procedures
Steps at the Crime Scene
People Involved in Incident Response
The Role of a System Administrator
First Response by Non-Laboratory Staff
Guidelines for Search and Seizure
Planning the Search and Seizure
Evidence Collection
Dealing With Powered-Up Computers at Seizure Time
How to Pull the Power
Seizing Computer Equipment
Removable Media
Seizing Portable Computers
How to Remove the HD from Laptops
Initial Interviews
Chain of Custody

4. Checklist for Choosing a Forensic Examiner

5. Investigation Checklist

© 2005 EC-Council. All rights reserved. This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The EC-Council logo is a registered trademark or trademark of EC-Council in the United States and/or other countries.
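Module III ("Understanding Bit-stream Copies", "Imaging the Evidence Disk") and Appendix 2 ("Verifying File Integrity", "Hashing", "MD5 Hash") name acquisition and verification without showing what the tools actually do. The Python script below is an added example, not course material and not EnCase code. It images a constructed in-memory "device" sector by sector, zero-fills an unreadable sector instead of aborting (the policy dd applies with conv=noerror,sync) while recording its offset for the report, hashes the bytes it wrote, and then shows that re-hashing the image catches a single altered byte. The FlakyDevice class and its contents are constructed for the demonstration; on a real acquisition the same loop would read a block device opened read-only behind a hardware write-blocker.

```python
"""Bit-stream imaging with hash verification.

Added example, not code from the CHFI course or from EnCase. A constructed
in-memory "device" stands in for a drive; on a real case the same loop runs
against a block device opened read-only behind a hardware write-blocker.
"""
import hashlib
import os
import tempfile

SECTOR = 512


class FlakyDevice:
    """Constructed stand-in for a drive with one unreadable sector.

    Like a real drive, read() raises OSError(EIO) whenever the requested range
    overlaps the bad sector; every other byte is returned faithfully.
    """

    def __init__(self, data: bytes, bad_sector: int):
        self._data = data
        self._bad = bad_sector
        self._pos = 0
        self.size = len(data)

    def seek(self, pos: int) -> int:
        self._pos = pos
        return pos

    def read(self, n: int) -> bytes:
        start, end = self._pos, min(self._pos + n, self.size)
        bad_start, bad_end = self._bad * SECTOR, (self._bad + 1) * SECTOR
        if start < bad_end and end > bad_start:
            raise OSError(5, "Input/output error")
        self._pos = end
        return self._data[start:end]


def image_device(src, size: int, dst, block_size: int = SECTOR) -> dict:
    """Copy `size` bytes of `src` into `dst` block by block.

    Unreadable blocks are zero-filled and their offsets recorded, the same
    policy as `dd conv=noerror,sync`: every readable byte stays at its original
    offset, which is what makes the copy a bit-stream image rather than a file
    copy. MD5 and SHA-256 are computed over the bytes written, so the examiner
    can later prove the image is unchanged.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    for offset in range(0, size, block_size):
        want = min(block_size, size - offset)
        src.seek(offset)
        try:
            chunk = src.read(want)
        except OSError:
            bad_blocks.append(offset)      # goes in the acquisition report
            chunk = b"\x00" * want
        if len(chunk) != want:
            raise IOError(f"short read at offset {offset}")
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
    return {"bytes": size, "md5": md5.hexdigest(),
            "sha256": sha256.hexdigest(), "bad_blocks": bad_blocks}


def verify_image(path: str, report: dict) -> bool:
    """Re-hash the image file on disk; both digests must match the report."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return (md5.hexdigest(), sha256.hexdigest()) == (report["md5"], report["sha256"])


def demo() -> dict:
    """Image a constructed 4-sector device whose sector 2 is unreadable, verify
    the image, then show that a single flipped byte fails verification."""
    device = FlakyDevice(bytes(range(256)) * 8, bad_sector=2)   # 2048 constructed bytes
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "evidence.dd")
        with open(image_path, "wb") as dst:
            report = image_device(device, device.size, dst)
        verified = verify_image(image_path, report)
        with open(image_path, "rb") as f:
            image = f.read()
        # Simulate tampering or a corrupt copy: flip one byte of the image.
        with open(image_path, "r+b") as f:
            f.seek(10)
            f.write(b"\xff")
        tampered_ok = verify_image(image_path, report)
    return {"report": report, "image": image, "verified": verified,
            "tampered_verified": tampered_ok,
            "image_md5": hashlib.md5(image).hexdigest()}


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    print("verified:", result["verified"], "after tampering:", result["tampered_verified"])
```

Two points the script makes that the outline only names: the hash is computed over what was written, not over the source, so the bad-sector list must travel with the digests or a second acquisition of the same drive will legitimately hash differently; and the verification uses two independent digests, so an MD5 collision alone cannot be used to pass off a modified image.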