CHFI 9.0 Syllabus
Module 01: Computer Forensics in Today's World 2 Hours - 7 Topics
Forensics Science (Day 1)
Computer Forensics (Day 1)
o Security Incident Report
o Aspects of Organizational Security
o Evolution of Computer Forensics
o Objective of Computer Forensics
o Need for Computer Forensics
Forensics Readiness (Day 1)
o Benefits of Forensics Readiness
o Goals of Forensics Readiness
o Forensics Readiness Planning
Cyber Crime (Day 1)
o Computer Facilitated Crimes
o Modes of Attacks
o Examples of Cyber Crime
o Types of Computer Crimes
o Cyber Criminals
o Organized Cyber Crime: Organizational Chart
o How Serious are Different Types of Incidents?
o Disruptive Incidents to the Business
o Cost Expenditure Responding to the Security Incident
Cyber Crime Investigation (Day 1)
o Key Steps in Forensics Investigation
o Rules of Forensics Investigation
o Need for Forensics Investigator
o Role of Forensics Investigator
o Accessing Computer Forensics Resources
o Role of Digital Evidence
Corporate Investigations (Day 1)
o Understanding Corporate Investigations
o Approach to Forensics Investigation: A Case Study
o Instructions for the Forensic Investigator to Approach the Crime Scene
o Why and When Do You Use Computer Forensics?
o Enterprise Theory of Investigation (ETI)
o Legal Issues
o Reporting the Results
Reporting a Cyber Crime (Day 1)
o Why you Should Report Cybercrime?
o Reporting Computer-Related Crimes
o Person Assigned to Report the Crime
o When and How to Report an Incident?
o Who to Contact at the Law Enforcement?
o Federal Local Agents Contact
o More Contacts
o CIO Cyberthreat Report Form
Module 2: Computer Forensic Investigation Understanding Hard disk and file systems 2 Hours - 3 Topics
Investigating Computer Crime (Day 2)
o Before the Investigation
o Build a Forensics Workstation
o Building the Investigation Team
o People Involved in Computer Forensics
o Review Policies and Laws
o Forensics Laws
o Notify Decision Makers and Acquire Authorization
o Risk Assessment
o Build a Computer Investigation Toolkit
Steps to Prepare for a Computer Forensics Investigation (Day 2)
Computer Forensics Investigation Methodology (Day 2)
o Obtain Search Warrant
Example of Search Warrant
Searches Without a Warrant
o Evaluate and Secure the Scene
Forensics Photography
Gather the Preliminary Information at the Scene
First Responder
o Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence
Guidelines for Acquiring Evidence
o Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
o Acquire the Data
Duplicate the Data (Imaging)
Verify Image Integrity
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Recover Lost or Deleted Data
Data Recovery Software
o Analyze the Data
Data Analysis
Data Analysis Tools
o Assess Evidence and Case
Evidence Assessment
Case Assessment
Processing Location Assessment
Best Practices to Assess the Evidence
o Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report
Sample Report
o Testifying as an Expert Witness
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers
Module 3: Data Acquisition and Duplication 2 Hours - 8 Topics
Data Acquisition and Duplication Concepts (Day 3)
o Data Acquisition
o Forensic and Procedural Principles
o Types of Data Acquisition Systems
o Data Acquisition Formats
o Bit Stream vs. Backups
o Why to Create a Duplicate Image?
o Issues with Data Duplication
o Data Acquisition Methods
o Determining the Best Acquisition Method
o Contingency Planning for Image Acquisitions
o Data Acquisition Mistakes
Data Acquisition Types (Day 3)
o Rules of Thumb
o Static Data Acquisition
Collecting Static Data
Static Data Collection Process
o Live Data Acquisition
Why Volatile Data is Important?
Volatile Data
Order of Volatility
Common Mistakes in Volatile Data Collection
Volatile Data Collection Methodology
Basic Steps in Collecting Volatile Data
Types of Volatile Information
Disk Acquisition Tool Requirements (Day 3)
o Disk Imaging Tool Requirements
o Disk Imaging Tool Requirements: Mandatory
o Disk Imaging Tool Requirements: Optional
Validation Methods (Day 3)
o Validating Data Acquisitions
o Linux Validation Methods
o Windows Validation Methods
RAID Data Acquisition (Day 3)
o Understanding RAID Disks
o Acquiring RAID Disks
o Remote Data Acquisition
Acquisition Best Practices (Day 3)
o Acquisition Best Practices
Data Acquisition Software Tools (Day 3)
o Acquiring Data on Windows
o Acquiring Data on Linux
o dd Command
o dcfldd Command
o Extracting the MBR
o Netcat Command
o EnCase Forensic
o Analysis Software: DriveSpy
o ProDiscover Forensics
o AccessData FTK Imager
o Mount Image Pro
o Data Acquisition Toolbox
o SafeBack
o ILookPI
o RAID Recovery for Windows
o R-Tools R-Studio
o F-Response
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DataLifter
o X-Ways Forensics
o R-drive Image
o DriveLook
o DiskExplorer
o P2 eXplorer Pro
o Flash Retriever Forensic Edition
Data Acquisition Hardware Tools (Day 3)
o US-LATT
o Image MASSter: Solo-4 (Super Kit)
o Image MASSter: RoadMASSter-3
o Tableau TD1 Forensic Duplicator
o Logicube: Forensic MD5
o Logicube: Portable Forensic Lab™
o Logicube: Forensic Talon®
o Logicube: RAID I/O Adapter™
o DeepSpar: Disk Imager Forensic Edition
o Logicube: USB Adapter
o Disk Jockey PRO
o Logicube: Forensic Quest-2®
o Logicube: CloneCard Pro
o Logicube: EchoPlus
o Paraben Forensics Hardware: Chat Stick
o Image MASSter: Rapid Image 7020CS IT
o Digital Intelligence Forensic Hardware: UltraKit
o Digital Intelligence Forensic Hardware: UltraBay II
o Digital Intelligence Forensic Hardware: UltraBlock SCSI
o Digital Intelligence Forensic Hardware: HardCopy 3P
o Wiebetech: Forensics DriveDock v4
o Wiebetech: Forensics UltraDock v4
o Image MASSter: WipeMASSter
o Image MASSter: WipePRO
o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
o Forensic Tower IV Dual Xeon
o Digital Intelligence Forensic Hardware: FREDDIE
o DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
o Logicube
Cables
Adapters
GPStamp™
OmniPort
CellDEK®
o Paraben Forensics Hardware
Project-a-Phone
Mobile Field Kit
iRecovery Stick
o CelleBrite
UFED System
UFED Physical Pro
Module 4: Volatile Memory Forensic 2 Hours - Day 4
Module 5: Defeating Anti forensic technique 4 Hours - Day 5 & 6
Module 6: Operating system Forensic 2 Hours - Day 7
Module 7: Windows forensic 3 Hours - 13 Topics
Collecting Volatile Information (Day 8)
o Volatile Information
System Time
Logged-on Users
Psloggedon
Net Sessions Command
Logonsessions Tool
Open Files
Net File Command
PsFile Command
OpenFiles Command
Network Information
Network Connections
Process Information
Process-to-Port Mapping
Process Memory
Network Status
Other Important Information
Collecting Non-volatile Information (Day 8)
o Non-volatile Information
Examine File Systems
Registry Settings
Microsoft Security ID
Event Logs
Index.dat File
Devices and Other Information
Slack Space
Virtual Memory
Swap File
Windows Search Index
Collecting Hidden Partition Information
Hidden ADS Streams
Investigating ADS Streams: StreamArmor
Other Non-Volatile Information
Windows Memory Analysis (Day 8)
o Memory Dump
o EProcess Structure
o Process Creation Mechanism
o Parsing Memory Contents
o Parsing Process Memory
o Extracting the Process Image
o Collecting Process Memory
Windows Registry Analysis (Day 8)
o Inside the Registry
o Registry Structure within a Hive File
o The Registry as a Log File
o Registry Analysis
o System Information
o TimeZone Information
o Shares
o Audit Policy
o Wireless SSIDs
o Autostart Locations
o System Boot
o User Login
o User Activity
o Enumerating Autostart Registry Locations
o USB Removable Storage Devices
o Mounted Devices
o Finding Users
o Tracking User Activity
o The UserAssist Keys
o MRU Lists
o Search Assistant
o Connecting to Other Systems
o Analyzing Restore Point Registry Settings
o Determining the Startup Locations
Cache, Cookie, and History Analysis (Day 8)
o Cache, Cookie, and History Analysis in IE
o Cache, Cookie, and History Analysis in Firefox
o Cache, Cookie, and History Analysis in Chrome
o Analysis Tools
IE Cookies View
IE Cache View
IE History Viewer
MozillaCookiesView
MozillaCacheView
MozillaHistoryView
ChromeCookiesView
ChromeCacheView
ChromeHistoryView
MD5 Calculation (Day 8)
o Message Digest Function: MD5
o Why MD5 Calculation?
o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
o MD5 Checksum Verifier
o ChaosMD5
Windows File Analysis (Day 8)
o Recycle Bin
o System Restore Points (Rp.log Files)
o System Restore Points (Change.log.x Files)
o Prefetch Files
o Shortcut Files
o Word Documents
o PDF Documents
o Image Files
o File Signature Analysis
o NTFS Alternate Data Streams
o Executable File Analysis
o Documentation Before Analysis
o Static Analysis Process
o Search Strings
o PE Header Analysis
o Import Table Analysis
o Export Table Analysis
o Dynamic Analysis Process
o Creating Test Environment
o Collecting Information Using Tools
o Process of Testing the Malware
Metadata Investigation (Day 8)
o Metadata
o Types of Metadata
o Metadata in Different File Systems
o Metadata in PDF Files
o Metadata in Word Documents
o Tool: Metadata Analyzer
Text Based Logs (Day 8)
o Understanding Events
o Event Logon Types
o Event Record Structure
o Vista Event Logs
o IIS Logs
Parsing IIS Logs
o Parsing FTP Logs
FTP sc-status Codes
o Parsing DHCP Server Logs
o Parsing Windows Firewall Logs
o Using the Microsoft Log Parser
Other Audit Events (Day 8)
o Evaluating Account Management Events
o Examining Audit Policy Change Events
o Examining System Log Entries
o Examining Application Log Entries
Forensic Analysis of Event Logs (Day 9)
o Searching with Event Viewer
o Using EnCase to Examine Windows Event Log Files
o Windows Event Log Files Internals
Windows Password Issues (Day 9)
o Understanding Windows Password Storage
o Cracking Windows Passwords Stored on Running Systems
o Exploring Windows Authentication Mechanisms
LanMan Authentication Process
NTLM Authentication Process
Kerberos Authentication Process
o Sniffing and Cracking Windows Authentication Exchanges
o Cracking Offline Passwords
Forensic Tools (Day 9)
o Windows Forensics Tool: OS Forensics
o Windows Forensics Tool: Helix3 Pro
o Integrated Windows Forensics Software: X-Ways Forensics
o X-Ways Trace
o Windows Forensic Toolchest (WFT)
o Built-in Tool: Sigverif
o Computer Online Forensic Evidence Extractor (COFEE)
o System Explorer
o Tool: System Scanner
o SecretExplorer
o Registry Viewer Tool: Registry Viewer
o Registry Viewer Tool: RegScanner
o Registry Viewer Tool: Alien Registry Viewer
o MultiMon
o CurrProcess
o Process Explorer
o Security Task Manager
o PrcView
o ProcHeapViewer
o Memory Viewer
o Tool: PMDump
o Word Extractor
o Belkasoft Evidence Center
o Belkasoft Browser Analyzer
o Metadata Assistant
o HstEx
o XpoLog Center Suite
o LogViewer Pro
o Event Log Explorer
o LogMeister
o ProDiscover Forensics
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DriveLook
Module 8: Linux Forensic 1 Hour - Day 9
Module 9: Deleted file recovery 1 Hour - Day 10
Module 10: Metadata Extraction 1 Hour - Day 10
Module 11: Event log Analysis 1 Hour - Day 11
Module 12: Registry Analysis 1 Hour - Day 12
Module 13: Network Forensics 2 Hours - 7 Topics
Network Forensics (Day 12)
o Network Forensics
o Network Forensics Analysis Mechanism
o Network Addressing Schemes
o Overview of Network Protocols
o Overview of Physical and Data-Link Layer of the OSI Model
o Overview of Network and Transport Layer of the OSI Model
o OSI Reference Model
o TCP/IP Protocol
o Intrusion Detection Systems (IDS) and Their Placement
How IDS Works
Types of Intrusion Detection Systems
General Indications of Intrusions
o Firewall
o Honeypot
Network Attacks (Day 12)
o Network Vulnerabilities
o Types of Network Attacks
IP Address Spoofing
Man-in-the-Middle Attack
Packet Sniffing
How a Sniffer Works
Enumeration
Denial of Service Attack
Session Sniffing
Buffer Overflow
Trojan Horse
Log Injection Attacks (Day 12)
o New Line Injection Attack
New Line Injection Attack Countermeasure
o Separator Injection Attack
Defending Separator Injection Attacks
o Timestamp Injection Attack
Defending Timestamp Injection Attacks
o Word Wrap Abuse Attack
Defending Word Wrap Abuse Attacks
o HTML Injection Attack
Defending HTML Injection Attacks
o Terminal Injection Attack
Defending Terminal Injection Attacks
Investigating and Analyzing Logs (Day 12)
o Postmortem and Real-Time Analysis
o Where to Look for Evidence
o Log Capturing Tool: ManageEngine EventLog Analyzer
o Log Capturing Tool: ManageEngine Firewall Analyzer
o Log Capturing Tool: GFI EventsManager
o Log Capturing Tool: Kiwi Syslog Server
o Handling Logs as Evidence
o Log File Authenticity
o Use Signatures, Encryption, and Checksums
o Work with Copies
o Ensure System’s Integrity
o Access Control
o Chain of Custody
o Condensing Log File
Investigating Network Traffic (Day 12)
o Why Investigate Network Traffic?
o Evidence Gathering via Sniffing
o Capturing Live Data Packets Using Wireshark
Display Filters in Wireshark
Additional Wireshark Filters
o Acquiring Traffic Using DNS Poisoning Techniques
Intranet DNS Spoofing (Local Network)
Intranet DNS Spoofing (Remote Network)
Proxy Server DNS Poisoning
DNS Cache Poisoning
o Evidence Gathering from ARP Table
o Evidence Gathering at the Data-Link Layer: DHCP Database
o Gathering Evidence by IDS
Traffic Capturing and Analysis Tools (Day 13)
o NetworkMiner
o Tcpdump/Windump
o Intrusion Detection Tool: Snort
How Snort Works
o IDS Policy Manager
o MaaTec Network Analyzer
o Iris Network Traffic Analyzer
o NetWitness Investigator
o Colasoft Capsa Network Analyzer
o Sniff-O-Matic
o NetResident
o Network Probe
o NetFlow Analyzer
o OmniPeek Network Analyzer
o Firewall Evasion Tool: Traffic IQ Professional
o NetworkView
o CommView
o Observer
o SoftPerfect Network Protocol Analyzer
o EffeTech HTTP Sniffer
o Big-Mother
o EtherDetect Packet Sniffer
o Ntop
o EtherApe
o AnalogX Packetmon
o IEInspector HTTP Analyzer
o SmartSniff
o Distinct Network Monitor
o Give Me Too
o EtherSnoop
o Show Traffic
o Argus
Documenting the Evidence Gathered on a Network (Day 13)
Module 14: Investigating Web Attacks 2 Hours - 6 Topics
Introduction to Web Applications and Webservers (Day 13)
o Introduction to Web Applications
o Web Application Components
o How Web Applications Work
o Web Application Architecture
o Open Source Webserver Architecture
o Indications of a Web Attack
o Web Attack Vectors
o Why Web Servers are Compromised
o Impact of Webserver Attacks
o Website Defacement
o Case Study
Web Logs (Day 13)
o Overview of Web Logs
o Application Logs
o Internet Information Services (IIS) Logs
IIS Webserver Architecture
IIS Log File Format
o Apache Webserver Logs
o DHCP Server Logs
Web Attacks (Day 13)
o Web Attacks - 1
o Web Attacks - 2
Unvalidated Input
Parameter/Form Tampering
Directory Traversal
Security Misconfiguration
Injection Flaws
SQL Injection Attacks
Command Injection Attacks
Command Injection Example
File Injection Attack
What is LDAP Injection?
How LDAP Injection Works
Hidden Field Manipulation Attack
Cross-Site Scripting (XSS) Attacks
How XSS Attacks Work
Cross-Site Request Forgery (CSRF) Attack
How CSRF Attacks Work
Web Application Denial-of-Service (DoS) Attack
Denial of Service (DoS) Examples
Buffer Overflow Attacks
Cookie/Session Poisoning
How Cookie Poisoning Works
Session Fixation Attack
Insufficient Transport Layer Protection
Improper Error Handling
Insecure Cryptographic Storage
Broken Authentication and Session Management
Unvalidated Redirects and Forwards
DMZ Protocol Attack/Zero Day Attack
Log Tampering
URL Interpretation and Impersonation Attack
Web Services Attack
Web Services Footprinting Attack
Web Services XML Poisoning
Webserver Misconfiguration
HTTP Response Splitting Attack
Web Cache Poisoning Attack
HTTP Response Hijacking
SSH Bruteforce Attack
Man-in-the-Middle Attack
Defacement Using DNS Compromise
Web Attack Investigation (Day 14)
o Investigating Web Attacks
o Investigating Web Attacks in Windows-Based Servers
o Investigating IIS Logs
o Investigating Apache Logs
o Example of FTP Compromise
o Investigating FTP Servers
o Investigating Static and Dynamic IP Addresses
o Sample DHCP Audit Log File
o Investigating Cross-Site Scripting (XSS)
o Investigating SQL Injection Attacks
o Pen-Testing CSRF Validation Fields
o Investigating Code Injection Attack
o Investigating Cookie Poisoning Attack
o Detecting Buffer Overflow
o Investigating Authentication Hijacking
o Web Page Defacement
o Investigating DNS Poisoning
o Intrusion Detection
o Security Strategies to Web Applications
o Checklist for Web Security
Web Attack Detection Tools (Day 14)
o Web Application Security Tools
Acunetix Web Vulnerability Scanner
Falcove Web Vulnerability Scanner
Netsparker
N-Stalker Web Application Security Scanner
Sandcat
Wikto
WebWatchBot
OWASP ZAP
SecuBat Vulnerability Scanner
Websecurify
HackAlert
WebCruiser
o Web Application Firewalls
dotDefender
IBM AppScan
ServerDefender VP
o Web Log Viewers
Deep Log Analyzer
WebLog Expert
AlterWind Log Analyzer
Webalizer
eWebLog Analyzer
Apache Logs Viewer (ALV)
o Web Attack Investigation Tools
AWStats
Paros Proxy
Scrawlr
Tools for Locating IP Address (Day 14)
o Whois Lookup
o SmartWhois
o ActiveWhois
o LanWhois
o CountryWhois
o CallerIP
o Hide Real IP
o IP - Address Manager
o Pandora FMS
Module 15: Database Forensics 2 Hours - Day 14 & 15
Module 16: Cloud Forensics 2 Hours - Day 15 & 16
Module 17: Malware Forensics 2 Hours - Day 16 & 17
Module 18: Investigating EMail Crimes 2 Hours - 6 Topics
Email System Basics (Day 17)
o Email Terminology
o Email System
o Email Clients
o Email Server
o SMTP Server
o POP3 and IMAP Servers
o Email Message
o Importance of Electronic Records Management
Email Crimes (Day 17)
o Email Crime
o Email Spamming
o Mail Bombing/Mail Storm
o Phishing
o Email Spoofing
o Crime via Chat Room
o Identity Fraud/Chain Letter
Email Headers (Day 17)
o Examples of Email Headers
o List of Common Headers
Steps to Investigate (Day 18)
o Why to Investigate Emails
o Investigating Email Crime and Violation
Obtain a Search Warrant and Seize the Computer and Email Account
Obtain a Bit-by-Bit Image of Email Information
Examine Email Headers
Viewing Email Headers in Microsoft Outlook
Viewing Email Headers in AOL
Viewing Email Headers in Hotmail
Viewing Email Headers in Gmail
Viewing Headers in Yahoo Mail
Forging Headers
Analyzing Email Headers
Email Header Fields
Received: Headers
Microsoft Outlook Mail
Examining Additional Files (.pst or .ost files)
Checking the Email Validity
Examine the Originating IP Address
Trace Email Origin
Tracing Back
Tracing Back Web-based Email
Acquire Email Archives
Email Archives
Content of Email Archives
Local Archive
Server Storage Archive
Forensic Acquisition of Email Archive
Recover Deleted Emails
Deleted Email Recovery
Email Forensics Tools (Day 18)
o Stellar Phoenix Deleted Email Recovery
o Recover My Email
o Outlook Express Recovery
o Zmeil
o Quick Recovery for MS Outlook
o Email Detective
o Email Trace - Email Tracking
o R-Mail
o FINALeMAIL
o eMailTrackerPro
o Forensic Tool Kit (FTK)
o Paraben’s email Examiner
o Network Email Examiner by Paraben
o DiskInternal’s Outlook Express Repair
o Abuse.Net
o MailDetective Tool
Laws and Acts against Email Crimes (Day 18)
o U.S. Laws Against Email Crime: CAN-SPAM Act
o 18 U.S.C. § 2252A
o 18 U.S.C. § 2252B
o Email Crime Law in Washington: RCW 19.190.020
Module 19: Mobile Forensics 4 Hours - 6 Topics
Mobile Phone (Day 18)
o Mobile Phone
o Different Mobile Devices
o Hardware Characteristics of Mobile Devices
o Software Characteristics of Mobile Devices
o Components of Cellular Network
o Cellular Network
o Different Cellular Networks
Mobile Operating Systems (Day 18)
o Mobile Operating Systems
o Types of Mobile Operating Systems
o WebOS
WebOS System Architecture
o Symbian OS
Symbian OS Architecture
o Android OS
Android OS Architecture
o RIM BlackBerry OS
o Windows Phone 7
Windows Phone 7 Architecture
o Apple iOS
Mobile Forensics (Day 19)
o What a Criminal can do with Mobile Phones?
o Mobile Forensics
o Mobile Forensics Challenges
o Forensics Information in Mobile Phones
o Memory Considerations in Mobiles
o Subscriber Identity Module (SIM)
o SIM File System
o Integrated Circuit Card Identification (ICCID)
o International Mobile Equipment Identifier (IMEI)
o Electronic Serial Number (ESN)
o Precautions to be Taken Before Investigation
Mobile Forensic Process (Day 19)
o Mobile Forensic Process
Collect the Evidence
Collecting the Evidence
Points to Remember while Collecting the Evidence
Collecting iPod/iPhone Connected with Computer
Document the Scene and Preserve the Evidence
Imaging and Profiling
Acquire the Information
Device Identification
Acquire Data from SIM Cards
Acquire Data from Unobstructed Mobile Devices
Acquire the Data from Obstructed Mobile Devices
Acquire Data from Memory Cards
Acquire Data from Synched Devices
Gather Data from Network Operator
Check Call Data Records (CDRs)
Gather Data from SQLite Record
Analyze the Information
Generate Report
Mobile Forensics Software Tools (Day 19)
o Oxygen Forensic Suite 2011
o MOBILedit! Forensic
o BitPim
o SIM Analyzer
o SIMCon
o SIM Card Data Recovery
o Memory Card Data Recovery
o Device Seizure
o SIM Card Seizure
o ART (Automatic Reporting Tool)
o iPod Data Recovery Software
o Recover My iPod
o PhoneView
o Elcomsoft Blackberry Backup Explorer
o Oxygen Phone Manager II
o Sanmaxi SIM Recoverer
o USIMdetective
o CardRecovery
o Stellar Phoenix iPod Recovery Software
o iCare Data Recovery Software
o Cell Phone Analyzer
o iXAM
o BlackBerry Database Viewer Plus
o BlackBerry Signing Authority Tool
Mobile Forensics Hardware Tools (Day 19)
o Secure View Kit
o Deployable Device Seizure (DDS)
o Paraben's Mobile Field Kit
o PhoneBase
o XACT System
o Logicube CellDEK
o Logicube CellDEK TEK
o RadioTactics ACESO
o UME-36Pro - Universal Memory Exchanger
o Cellebrite UFED System - Universal Forensic Extraction Device
o ZRT 2
o ICD 5200
o ICD 1300
Module 20: Report Writing and Presentation 2 Hours - Day 20