Computer Hacking Forensic Investigator Exam 312-49 Course Outline
Page | 1 Computer Hacking Forensic Investigator Copyright © by EC-Council
All Rights Reserved. Reproduction Is Strictly Prohibited.
Computer Hacking Forensic Investigator
Course Outline
(Version 8)
Module 01: Computer Forensics in Today’s World
Forensics Science
Computer Forensics
o Security Incident Report
o Aspects of Organizational Security
o Evolution of Computer Forensics
o Objective of Computer Forensics
o Need for Computer Forensics
Forensics Readiness
o Benefits of Forensics Readiness
o Goals of Forensics Readiness
o Forensics Readiness Planning
Cyber Crime
o Computer Facilitated Crimes
o Modes of Attacks
o Examples of Cyber Crime
o Types of Computer Crimes
o Cyber Criminals
o Organized Cyber Crime: Organizational Chart
o How Serious are Different Types of Incidents?
o Disruptive Incidents to the Business
o Cost Expenditure Responding to the Security Incident
Cyber Crime Investigation
o Key Steps in Forensics Investigation
o Rules of Forensics Investigation
o Need for Forensics Investigator
o Role of Forensics Investigator
o Accessing Computer Forensics Resources
o Role of Digital Evidence
Corporate Investigations
o Understanding Corporate Investigations
o Approach to Forensics Investigation: A Case Study
o Instructions for the Forensic Investigator to Approach the Crime Scene
o Why and When Do You Use Computer Forensics?
o Enterprise Theory of Investigation (ETI)
o Legal Issues
o Reporting the Results
Reporting a Cyber Crime
o Why Should You Report Cybercrime?
o Reporting Computer-Related Crimes
o Person Assigned to Report the Crime
o When and How to Report an Incident?
o Whom to Contact in Law Enforcement?
o Federal Local Agents Contact
o More Contacts
o CIO Cyberthreat Report Form
Module 02: Computer Forensics Investigation Process
Investigating Computer Crime
o Before the Investigation
o Build a Forensics Workstation
o Building the Investigation Team
o People Involved in Computer Forensics
o Review Policies and Laws
o Forensics Laws
o Notify Decision Makers and Acquire Authorization
o Risk Assessment
o Build a Computer Investigation Toolkit
Steps to Prepare for a Computer Forensics Investigation
Computer Forensics Investigation Methodology
o Obtain Search Warrant
Example of Search Warrant
Searches Without a Warrant
o Evaluate and Secure the Scene
Forensics Photography
Gather the Preliminary Information at the Scene
First Responder
o Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence
Guidelines for Acquiring Evidence
o Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
o Acquire the Data
Duplicate the Data (Imaging)
Verify Image Integrity
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Recover Lost or Deleted Data
Data Recovery Software
o Analyze the Data
Data Analysis
Data Analysis Tools
o Assess Evidence and Case
Evidence Assessment
Case Assessment
Processing Location Assessment
Best Practices to Assess the Evidence
o Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report
Sample Report
o Testifying as an Expert Witness
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers
Module 03: Searching and Seizing Computers
Searching and Seizing Computers without a Warrant
o Searching and Seizing Computers without a Warrant
o § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles
o § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
o § A.3: Reasonable Expectation of Privacy and Third-Party Possession
o § A.4: Private Searches
o § A.5 Use of Technology to Obtain Information
o § B: Exceptions to the Warrant Requirement in Cases Involving Computers
o § B.1: Consent
o § B.1.a: Scope of Consent
o § B.1.b: Third-Party Consent
o § B.1.c: Implied Consent
o § B.2: Exigent Circumstances
o § B.3: Plain View
o § B.4: Search Incident to a Lawful Arrest
o § B.5: Inventory Searches
o § B.6: Border Searches
o § B.7: International Issues
o § C: Special Case: Workplace Searches
o § C.1: Private Sector Workplace Searches
o § C.2: Public-Sector Workplace Searches
Searching and Seizing Computers with a Warrant
o Searching and Seizing Computers with a Warrant
o § A: Successful Search with a Warrant
o § A.1: Basic Strategies for Executing Computer Searches
o § A.1.a: When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
o § A.1.b: When Hardware Is Merely a Storage Device for Evidence of Crime
o § A.2: The Privacy Protection Act
o § A.2.a: The Terms of the Privacy Protection Act
o § A.2.b: Application of the PPA to Computer Searches and Seizures
o § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
o § A.4: Considering the Need for Multiple Warrants in Network Searches
o § A.5: No-Knock Warrants
o § A.6: Sneak-and-Peek Warrants
o § A.7: Privileged Documents
o § B: Drafting the Warrant and Affidavit
o § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
o § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”
o § B.2: Establish Probable Cause in the Affidavit
o § B.3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy as Well as the Practical and Legal Considerations that Will Govern the Execution of the Search
o § C: Post-Seizure Issues
o § C.1: Searching Computers Already in Law Enforcement Custody
o § C.2: The Permissible Time Period for Examining Seized Computers
o § C.3: Rule 41(e) Motions for Return of Property
The Electronic Communications Privacy Act
o The Electronic Communications Privacy Act
o § A. Providers of Electronic Communication Service vs. Remote Computing Service
o § B. Classifying Types of Information Held by Service Providers
o § C. Compelled Disclosure Under ECPA
o § D. Voluntary Disclosure
o § E. Working with Network Providers
Electronic Surveillance in Communications Networks
o Electronic Surveillance in Communications Networks
o § A. Content vs. Addressing Information
o § B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
o § C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522
o § C.1: Exceptions to Title III
o § D. Remedies For Violations of Title III and the Pen/Trap Statute
Evidence
o Evidence
o § A. Authentication
o § B. Hearsay
o § C. Other Issues
Module 04: Digital Evidence
Digital Data
o Definition of Digital Evidence
o Increasing Awareness of Digital Evidence
o Challenging Aspects of Digital Evidence
o The Role of Digital Evidence
o Characteristics of Digital Evidence
o Fragility of Digital Evidence
o Anti-Digital Forensics (ADF)
Types of Digital Data
o Types of Digital Data
Rules of Evidence
o Rules of Evidence
o Best Evidence Rule
o Federal Rules of Evidence
o International Organization on Computer Evidence (IOCE)
o IOCE International Principles for Digital Evidence
o Scientific Working Group on Digital Evidence (SWGDE)
o SWGDE Standards for the Exchange of Digital Evidence
Electronic Devices: Types and Collecting Potential Evidence
o Electronic Devices: Types and Collecting Potential Evidence
Digital Evidence Examination Process
o Evidence Assessment
Evidence Assessment
Prepare for Evidence Acquisition
o Evidence Acquisition
Preparation for Searches
Seizing the Evidence
Imaging
Bit-Stream Copies
Write Protection
Evidence Acquisition
Evidence Acquisition from Crime Location
Acquiring Evidence from Storage Devices
Collecting Evidence
Collecting Evidence from RAM
Collecting Evidence from a Standalone Network Computer
Chain of Custody
Chain of Evidence Form
o Evidence Preservation
Preserving Digital Evidence: Checklist
Preserving Removable Media
Handling Digital Evidence
Store and Archive
Digital Evidence Findings
o Evidence Examination and Analysis
Evidence Examination
Physical Extraction
Logical Extraction
Analyze Host Data
Analyze Storage Media
Analyze Network Data
Analysis of Extracted Data
Timeframe Analysis
Data Hiding Analysis
Application and File Analysis
Ownership and Possession
o Evidence Documentation and Reporting
Documenting the Evidence
Evidence Examiner Report
Final Report of Findings
Computer Evidence Worksheet
Hard Drive Evidence Worksheet
Removable Media Worksheet
Electronic Crime and Digital Evidence Consideration by Crime Category
o Electronic Crime and Digital Evidence Consideration by Crime Category
Module 05: First Responder Procedures
Electronic Evidence
First Responder
Roles of First Responder
Electronic Devices: Types and Collecting Potential Evidence
First Responder Toolkit
o First Responder Toolkit
o Creating a First Responder Toolkit
o Evidence Collecting Tools and Equipment
First Response Basics
o First Response Rule
o Incident Response: Different Situations
o First Response for System Administrators
o First Response by Non-Laboratory Staff
o First Response by Laboratory Forensics Staff
Securing and Evaluating Electronic Crime Scene
o Securing and Evaluating Electronic Crime Scene: A Checklist
o Securing the Crime Scene
o Warrant for Search and Seizure
o Planning the Search and Seizure
o Initial Search of the Scene
o Health and Safety Issues
Conducting Preliminary Interviews
o Questions to Ask When Client Calls the Forensic Investigator
o Consent
o Sample of Consent Search Form
o Witness Signatures
o Conducting Preliminary Interviews
o Conducting Initial Interviews
o Witness Statement Checklist
Documenting Electronic Crime Scene
o Documenting Electronic Crime Scene
o Photographing the Scene
o Sketching the Scene
o Video Shooting the Crime Scene
Collecting and Preserving Electronic Evidence
o Collecting and Preserving Electronic Evidence
o Order of Volatility
o Dealing with Powered On Computers
o Dealing with Powered Off Computers
o Dealing with Networked Computer
o Dealing with Open Files and Startup Files
o Operating System Shutdown Procedure
o Computers and Servers
o Preserving Electronic Evidence
o Seizing Portable Computers
o Switched On Portables
o Collecting and Preserving Electronic Evidence
Packaging and Transporting Electronic Evidence
o Evidence Bag Contents List
o Packaging Electronic Evidence
o Exhibit Numbering
o Transporting Electronic Evidence
o Handling and Transportation to the Forensics Laboratory
o Storing Electronic Evidence
o Chain of Custody
o Simple Format of the Chain of Custody Document
o Chain of Custody Forms
o Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
Reporting the Crime Scene
o Reporting the Crime Scene
Note Taking Checklist
First Responder Common Mistakes
Module 06: Computer Forensics Lab
Setting Up a Computer Forensics Lab
o Computer Forensics Lab
o Planning for a Forensics Lab
o Budget Allocation for a Forensics Lab
o Physical Location Needs of a Forensics Lab
o Structural Design Considerations
o Environmental Conditions
o Electrical Needs
o Communication Needs
o Work Area of a Computer Forensics Lab
o Ambience of a Forensics Lab
o Ambience of a Forensics Lab: Ergonomics
o Physical Security Recommendations
o Fire-Suppression Systems
o Evidence Locker Recommendations
o Computer Forensic Investigator
o Law Enforcement Officer
o Lab Director
o Forensics Lab Licensing Requisite
o Features of the Laboratory Imaging System
o Technical Specification of the Laboratory-Based Imaging System
o Forensics Lab
o Auditing a Computer Forensics Lab
o Recommendations to Avoid Eyestrain
Investigative Services in Computer Forensics
o Computer Forensics Investigative Services
o Computer Forensic Investigative Service Sample
o Computer Forensics Services: PenrodEllis Forensic Data Discovery
o Data Destruction Industry Standards
o Computer Forensics Services
Computer Forensics Hardware
o Equipment Required in a Forensics Lab
o Forensic Workstations
o Basic Workstation Requirements in a Forensics Lab
o Stocking the Hardware Peripherals
o Paraben Forensics Hardware
Handheld First Responder Kit
Wireless StrongHold Bag
Wireless StrongHold Box
Passport StrongHold Bag
Device Seizure Toolbox
Project-a-Phone
Lockdown
iRecovery Stick
Data Recovery Stick
Chat Stick
USB Serial DB9 Adapter
Mobile Field Kit
o Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop
o Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
o Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
o Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
o Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
o Portable Forensic Systems and Towers: Ultimate Forensic Machine
o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
o Tableau T3u Forensic SATA Bridge Write Protection Kit
o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
o Tableau TACC 1441 Hardware Accelerator
Multiple TACC1441 Units
o Tableau TD1 Forensic Duplicator
o Power Supplies and Switches
o Digital Intelligence Forensic Hardware
FRED SR (Dual Xeon)
FRED-L
FRED SC
Forensic Recovery of Evidence Data Center (FREDC)
Rack-A-TACC
FREDDIE
UltraKit
UltraBay II
UltraBlock SCSI
Micro Forensic Recovery of Evidence Device (µFRED)
HardCopy 3P
o Wiebetech
Forensics DriveDock v4
Forensics UltraDock v4
Drive eRazer
v4 Combo Adapters
ProSATA SS8
HotPlug
o Cellebrite
UFED System
UFED Physical Pro
UFED Ruggedized
o DeepSpar
Disk Imager Forensic Edition
3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
o InfinaDyne Forensic Products
Robotic Loader Extension for CD/DVD Inspector
Robotic System Status Light
o Image MASSter
Solo-4 (Super Kit)
RoadMASSter-3
WipeMASSter
WipePRO
Rapid Image 7020CS IT
o Logicube
Forensic MD5
Forensic Talon®
Portable Forensic Lab™
CellDEK®
Forensic Quest-2®
NETConnect™
RAID I/O Adapter™
GPStamp™
OmniPort
Desktop WritePROtects
USB Adapter
CloneCard Pro
EchoPlus
OmniClone IDE Laptop Adapters
Cables
o VoomTech
HardCopy 3P
SHADOW 2
Computer Forensics Software
o Basic Software Requirements in a Forensic Lab
o Maintain Operating System and Application Inventories
o Imaging Software
R-drive Image
P2 eXplorer Pro
AccuBurn-R for CD/DVD Inspector
Flash Retriever Forensic Edition
o File Conversion Software
FileMerlin
SnowBatch®
Zamzar
o File Viewer Software
File Viewer
Quick View Plus 11 Standard Edition
o Analysis Software
P2 Commander
DriveSpy
SIM Card Seizure
CD/DVD Inspector
Video Indexer (Vindex™)
o Monitoring Software
Device Seizure
Deployable P2 Commander (DP2C)
ThumbsDisplay
Email Detective
o Computer Forensics Software
DataLifter
X-Ways Forensics
LiveWire Investigator
Module 07: Understanding Hard Disks and File Systems
Hard Disk Drive Overview
o Disk Drive Overview
o Hard Disk Drive
o Solid-State Drive (SSD)
o Physical Structure of a Hard Disk
o Logical Structure of Hard Disk
o Types of Hard Disk Interfaces
o Hard Disk Interfaces
ATA
SCSI
IDE/EIDE
USB
Fibre Channel
o Disk Platter
o Tracks
Track Numbering
o Sector
Advanced Format: Sectors
Sector Addressing
o Cluster
Cluster Size
Changing the Cluster Size
Slack Space
Lost Clusters
o Bad Sector
o Hard Disk Data Addressing
o Disk Capacity Calculation
o Measuring the Performance of the Hard Disk
Disk Partitions and Boot Process
o Disk Partitions
o Master Boot Record
Structure of a Master Boot Record
o What is the Booting Process?
o Essential Windows System Files
o Windows 7 Boot Process
o Macintosh Boot Process
o http://www.bootdisk.com
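Worked example for the "Master Boot Record" and "Structure of a Master Boot Record" items above (and for "Extracting the MBR" in Module 09): a parser for sector 0. This is added illustration code, not EC-Council material or a tool from the course. It assumes 512-byte logical sectors, names only a handful of common partition type IDs (others are shown raw), and runs against a constructed sample MBR so it works offline.

```python
"""Parse a 512-byte Master Boot Record: 440 bytes of boot code, a 4-byte disk
signature at offset 440, four 16-byte partition entries at offset 446, and the
0x55AA signature at offset 510. Added example, not EC-Council material; the
sample MBR below is constructed for illustration."""
import struct

PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
SIGNATURE = b"\x55\xaa"
SECTOR = 512                      # assumption: 512-byte logical sectors

# Partition type IDs an examiner meets most often; others are reported raw.
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
    0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
    0x83: "Linux", 0xAF: "HFS/HFS+", 0xEE: "GPT protective",
}


def decode_chs(raw):
    """3-byte CHS field -> (cylinder, head, sector). Cylinder is 10 bits: the
    top two bits of byte 1 plus all of byte 2; sector is the low 6 bits of byte 1."""
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_partition_entry(entry):
    status, chs_start, ptype, chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {
        "bootable": status == 0x80,
        "type_id": ptype,
        "type": PARTITION_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "chs_start": decode_chs(chs_start),
        "chs_end": decode_chs(chs_end),
        "lba_start": lba_start,
        "sectors": sectors,
        "byte_offset": lba_start * SECTOR,   # where to mount/carve the volume
        "size_bytes": sectors * SECTOR,
    }


def parse_mbr(sector0):
    """Parse an MBR. A missing 0x55AA signature is the first thing to check on
    a drive whose partitions have 'vanished' (overwritten or zeroed MBR)."""
    if len(sector0) < SECTOR:
        raise ValueError("need %d bytes, got %d" % (SECTOR, len(sector0)))
    if sector0[510:512] != SIGNATURE:
        raise ValueError("MBR signature 0x55AA not found")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        entries.append(parse_partition_entry(sector0[off:off + ENTRY_SIZE]))
    return {
        "disk_signature": struct.unpack("<I", sector0[440:444])[0],
        "partitions": [p for p in entries if p["type_id"] != 0x00],
    }


def find_gaps(partitions, total_sectors):
    """Sector ranges no partition entry claims: the place to look for a deleted
    partition or deliberately hidden data (sector 0 itself is excluded)."""
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in partitions)
    gaps, cursor = [], 1
    for start, end in used:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, end)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed MBR: a bootable NTFS partition at LBA 2048 and a Linux
    partition behind it; the last two entries are empty."""
    def entry(status, ptype, lba, count):
        return struct.pack("<B3sB3sII", status, b"\x00\x21\x00", ptype,
                           b"\xfe\xff\xff", lba, count)
    table = (entry(0x80, 0x07, 2048, 204800)
             + entry(0x00, 0x83, 206848, 409600)
             + bytes(2 * ENTRY_SIZE))
    return (bytes(440) + struct.pack("<I", 0xDEADBEEF) + bytes(2)
            + table + SIGNATURE)
```

On a real acquisition the input is the first sector of the image or of the write-blocked device (dd if=/dev/sdX bs=512 count=1 of=mbr.bin, then parse_mbr(open("mbr.bin", "rb").read())). A type 0xEE entry means the disk is GPT and the real table starts at LBA 1, which this parser does not read. find_gaps() points at unclaimed sectors, which is where a deleted or hidden partition usually sits.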
Understanding File Systems
o Understanding File Systems
o Types of File Systems
o List of Disk File Systems
o List of Network File Systems
o List of Special Purpose File Systems
o List of Shared Disk File Systems
o Popular Windows File Systems
File Allocation Table (FAT)
FAT File System Layout
FAT Partition Boot Sector
FAT Structure
FAT Folder Structure
Directory Entries and Cluster Chains
Filenames on FAT Volumes
Examining FAT
FAT32
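Worked example for "FAT Folder Structure", "Directory Entries and Cluster Chains" and the "Slack Space" item above, which also shows what Module 10's deleted-file recovery has to work with on FAT. This is added illustration code, not course material: the root directory and FAT16 table are constructed, and DOS timestamps are treated as naive local time because FAT stores no time zone.

```python
"""Decode 32-byte FAT directory entries, follow cluster chains through the FAT,
and show what deletion leaves behind: the entry's first byte becomes 0xE5 and
its FAT links are zeroed, so recovery has to assume the clusters were
contiguous. Added example, not course material; the directory and FAT below are
constructed."""
import datetime
import struct

ENTRY_FMT = "<11sBBBHHHHHHHI"     # name, attr, NT, ctime-tenths, ctime, cdate,
                                  # adate, cluster-high, wtime, wdate, cluster-low, size
ATTR_LFN = 0x0F                   # long-file-name entry, not a file
DELETED_MARK = 0xE5
ATTR_FLAGS = [(0x01, "R"), (0x02, "H"), (0x04, "S"), (0x08, "V"), (0x10, "D"), (0x20, "A")]


def dos_datetime(date_word, time_word=0, tenths=0):
    """Packed DOS date/time -> naive datetime; None when the date field is unset."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    if month == 0 or day == 0:
        return None
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    return datetime.datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)


def parse_entry(raw):
    """One short (8.3) entry -> dict, or None for LFN and never-used entries."""
    (name, attrs, _nt, ctenths, ctime, cdate, adate, hi,
     wtime, wdate, lo, size) = struct.unpack(ENTRY_FMT, raw)
    if attrs == ATTR_LFN or name[0] == 0x00:
        return None
    deleted = name[0] == DELETED_MARK
    base = name[:8].decode("ascii", "replace").rstrip()
    ext = name[8:].decode("ascii", "replace").rstrip()
    if deleted:
        base = "?" + base[1:]         # the original first character is gone
    return {
        "name": base + ("." + ext if ext else ""),
        "deleted": deleted,
        "attrs": "".join(flag for bit, flag in ATTR_FLAGS if attrs & bit),
        "first_cluster": (hi << 16) | lo,
        "size": size,
        "created": dos_datetime(cdate, ctime, ctenths),
        "accessed": dos_datetime(adate),
        "modified": dos_datetime(wdate, wtime),
    }


def parse_directory(raw):
    entries = []
    for off in range(0, len(raw) - 31, 32):
        chunk = raw[off:off + 32]
        if chunk[0] == 0x00:          # first never-used entry ends the directory
            break
        entry = parse_entry(chunk)
        if entry:
            entries.append(entry)
    return entries


def follow_chain(fat, first_cluster, fat_bits=16):
    """Walk FAT links from first_cluster to the end-of-chain mark."""
    eoc = 0xFFF8 if fat_bits == 16 else 0x0FFFFFF8
    chain, cur = [], first_cluster
    while 2 <= cur < eoc:
        if cur in chain:
            raise ValueError("FAT loop at cluster %d" % cur)
        chain.append(cur)
        cur = fat[cur]
    return chain


def clusters_for_recovery(entry, cluster_size):
    """Deleted entry: links are zeroed, so take ceil(size / cluster_size)
    clusters starting at first_cluster and hope nothing was reallocated."""
    count = -(-entry["size"] // cluster_size)
    return list(range(entry["first_cluster"], entry["first_cluster"] + count))


def slack_bytes(size, cluster_size):
    """Bytes between end of file and end of its last cluster (file slack)."""
    return -size % cluster_size


# Constructed FAT16: clusters 5->6->7->EOC belong to REPORT.DOC; the deleted
# file's clusters 9 and 10 have been released (zeroed).
SAMPLE_FAT = [0xFFF8, 0xFFFF, 0, 0, 0, 6, 7, 0xFFFF, 0, 0, 0, 0]


def build_sample_directory():
    """Constructed root directory: live REPORT.DOC, deleted SECRET.TXT."""
    def entry(name, attrs, first_cluster, size, date, time):
        return struct.pack(ENTRY_FMT, name, attrs, 0, 0, time, date, date,
                           first_cluster >> 16, time, date, first_cluster & 0xFFFF, size)
    date = ((2012 - 1980) << 9) | (3 << 5) | 14      # 2012-03-14
    time = (9 << 11) | (26 << 5) | (52 // 2)          # 09:26:52
    return (entry(b"REPORT  DOC", 0x20, 5, 10000, date, time)
            + entry(b"\xe5ECRET  TXT", 0x20, 9, 5000, date, time)
            + bytes(32))
```

The deleted entry keeps its size and first cluster, which is all an undelete tool has: follow_chain() on it stops after one cluster because the FAT links were zeroed, so clusters_for_recovery() assumes contiguity, and the bytes in the file slack (slack_bytes) may still belong to whatever occupied the cluster before.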
New Technology File System (NTFS)
NTFS Architecture
NTFS System Files
NTFS Partition Boot Sector
Cluster Sizes of NTFS Volume
NTFS Master File Table (MFT)
o Metadata Files Stored in the MFT
NTFS Files and Data Storage
NTFS Attributes
NTFS Data Stream
NTFS Compressed Files
o Setting the Compression State of a Volume
Encrypting File System (EFS)
o Components of EFS
o Operation of Encrypting File System
o EFS Attribute
o Encrypting a File
o EFS Recovery Key Agent
o Tool: Advanced EFS Data Recovery
o Tool: EFS Key
Sparse Files
Deleting NTFS Files
Registry Data
Examining Registry Data
FAT vs. NTFS
o Popular Linux File Systems
Linux File System Architecture
Ext2
Ext3
o Mac OS X File Systems
HFS vs. HFS Plus
HFS
HFS Plus
HFS Plus Volumes
HFS Plus Journal
o Sun Solaris 10 File System: ZFS
o CD-ROM / DVD File System
o CDFS
RAID Storage System
o RAID Levels
o Different RAID Levels
o Comparing RAID Levels
o Recover Data from Unallocated Space Using File Carving Process
File System Analysis Using The Sleuth Kit (TSK)
o The Sleuth Kit (TSK)
The Sleuth Kit (TSK): fsstat
The Sleuth Kit (TSK): istat
The Sleuth Kit (TSK): fls and img_stat
Module 08: Windows Forensics
Collecting Volatile Information
o Volatile Information
System Time
Logged-On Users
PsLoggedOn Tool
net sessions Command
LogonSessions Tool
Open Files
net file Command
PsFile Utility
Openfiles Command
Network Information
Network Connections
Process Information
Process-to-Port Mapping
Process Memory
Network Status
Other Important Information
Collecting Non-Volatile Information
o Non-Volatile Information
Examine File Systems
Registry Settings
Microsoft Security ID
Event Logs
Index.dat File
Devices and Other Information
Slack Space
Virtual Memory
Swap File
Windows Search Index
Collecting Hidden Partition Information
Hidden ADS Streams
Investigating ADS Streams: StreamArmor
Other Non-Volatile Information
Windows Memory Analysis
o Memory Dump
o EProcess Structure
o Process Creation Mechanism
o Parsing Memory Contents
o Parsing Process Memory
o Extracting the Process Image
o Collecting Process Memory
Windows Registry Analysis
o Inside the Registry
o Registry Structure within a Hive File
o The Registry as a Log File
o Registry Analysis
o System Information
o TimeZone Information
o Shares
o Audit Policy
o Wireless SSIDs
o Autostart Locations
o System Boot
o User Login
o User Activity
o Enumerating Autostart Registry Locations
o USB Removable Storage Devices
o Mounted Devices
o Finding Users
o Tracking User Activity
o The UserAssist Keys
o MRU Lists
o Search Assistant
o Connecting to Other Systems
o Analyzing Restore Point Registry Settings
o Determining the Startup Locations
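Worked example for "The UserAssist Keys" and "Tracking User Activity" above. This is added illustration code, not course material. It assumes the two data layouts an examiner meets in this course's era (16-byte Windows XP values and 72-byte Windows 7 values), and the (value name, data) pairs it parses are constructed rather than exported from a real NTUSER.DAT.

```python
"""Decode UserAssist values from NTUSER.DAT: the value name is the ROT13-encoded
program path, and the binary data holds the run count and last-execution
FILETIME (Windows 7: 72 bytes, count at offset 4, focus count at 8, focus time
in ms at 12, FILETIME at 60; Windows XP: 16 bytes, count at offset 4 starting
from 5, FILETIME at offset 8). Added example, not course material; the values
below are constructed rather than exported from a real hive."""
import codecs
import datetime
import struct

EPOCH_DIFF = 116444736000000000   # 100-ns ticks from 1601-01-01 to 1970-01-01
# Subkeys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executables (Windows 7)",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcuts (Windows 7)",
    "{75048700-EF1F-11D0-9888-006097DEACF9}": "executables (Windows XP)",
}


def filetime_to_datetime(ft):
    """64-bit FILETIME -> UTC datetime; 0 means no time was recorded."""
    if ft == 0:
        return None
    return datetime.datetime(1970, 1, 1) + datetime.timedelta(microseconds=(ft - EPOCH_DIFF) // 10)


def datetime_to_filetime(dt):
    delta = dt - datetime.datetime(1970, 1, 1)
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10 + EPOCH_DIFF


def decode_name(value_name):
    """ROT13 is obfuscation, not encryption: it only defeats a plain string search."""
    return codecs.decode(value_name, "rot_13")


def parse_value(value_name, data):
    record = {"program": decode_name(value_name), "focus_count": None, "focus_time_ms": None}
    if len(data) == 72:                     # Windows 7 layout
        record["run_count"] = struct.unpack_from("<I", data, 4)[0]
        record["focus_count"] = struct.unpack_from("<I", data, 8)[0]
        record["focus_time_ms"] = struct.unpack_from("<I", data, 12)[0]
        last = struct.unpack_from("<Q", data, 60)[0]
    elif len(data) == 16:                   # Windows XP/2003 layout
        record["run_count"] = struct.unpack_from("<I", data, 4)[0] - 5
        last = struct.unpack_from("<Q", data, 8)[0]
    else:
        raise ValueError("unexpected UserAssist data length %d" % len(data))
    record["last_run"] = filetime_to_datetime(last)
    return record


def timeline(values):
    """Parse (name, data) pairs and order by last execution, newest first;
    entries with no recorded time go last."""
    rows = [parse_value(name, data) for name, data in values]
    return sorted(rows, key=lambda r: r["last_run"] or datetime.datetime.min, reverse=True)


def build_sample_values():
    """Constructed Windows 7 values: (ROT13 name, 72-byte data)."""
    def win7(count, focus, ms, last):
        return (bytes(4) + struct.pack("<III", count, focus, ms) + bytes(44)
                + struct.pack("<Q", datetime_to_filetime(last)) + bytes(4))
    return [
        ("P:\\Jvaqbjf\\Flfgrz32\\pnyp.rkr",
         win7(7, 3, 120000, datetime.datetime(2012, 3, 14, 9, 26, 52))),
        ("P:\\Gbbyf\\jvcr.rkr",
         win7(1, 1, 2500, datetime.datetime(2012, 3, 15, 22, 5, 0))),
    ]


def build_xp_sample():
    """Constructed Windows XP value: 16 bytes, raw count 12 means 7 real runs."""
    return ("HRZR_EHACNGU:pnyp.rkr", bytes(4) + struct.pack("<I", 12) + bytes(8))
```

Feed timeline() the values exported from UserAssist\{GUID}\Count in the user's hive. The FILETIME is UTC, so convert with the TimeZone information from the SYSTEM hive before comparing it with local-time artifacts such as FAT timestamps.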
Cache, Cookie, and History Analysis
o Cache, Cookie, and History Analysis in IE
o Cache, Cookie, and History Analysis in Firefox
o Cache, Cookie, and History Analysis in Chrome
o Analysis Tools
IECookiesView
IECacheView
IEHistoryView
MozillaCookiesView
MozillaCacheView
MozillaHistoryView
ChromeCookiesView
ChromeCacheView
ChromeHistoryView
MD5 Calculation
o Message Digest Function: MD5
o Why MD5 Calculation?
o MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
o MD5 Checksum Verifier
o ChaosMD5
Windows File Analysis
o Recycle Bin
o System Restore Points (Rp.log Files)
o System Restore Points (Change.log.x Files)
o Prefetch Files
o Shortcut Files
o Word Documents
o PDF Documents
o Image Files
o File Signature Analysis
o NTFS Alternate Data Streams
o Executable File Analysis
o Documentation Before Analysis
o Static Analysis Process
o Search Strings
o PE Header Analysis
o Import Table Analysis
o Export Table Analysis
o Dynamic Analysis Process
o Creating Test Environment
o Collecting Information Using Tools
o Process of Testing the Malware
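Worked example for the "File Signature Analysis" item above: matching a file's leading bytes against its extension so that a renamed executable or archive is flagged whatever it is called. This is added illustration code, not course material; the signature table is a short subset of what a full tool carries, and the sample files are constructed byte strings.

```python
"""File signature analysis: compare the leading bytes ('magic number') of a
file with what its extension promises, so a renamed executable or archive is
flagged regardless of name. Added example, not course material; the sample
files are constructed byte strings."""
import os

# (magic bytes, offset where they sit, extensions that legitimately carry them)
SIGNATURES = [
    (b"\xFF\xD8\xFF", 0, {"jpg", "jpeg"}),
    (b"\x89PNG\r\n\x1a\n", 0, {"png"}),
    (b"GIF87a", 0, {"gif"}),
    (b"GIF89a", 0, {"gif"}),
    (b"%PDF-", 0, {"pdf"}),
    (b"PK\x03\x04", 0, {"zip", "docx", "xlsx", "pptx", "jar", "apk"}),
    (b"MZ", 0, {"exe", "dll", "sys", "scr", "cpl"}),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", 0, {"doc", "xls", "ppt", "msg"}),
    (b"Rar!\x1a\x07", 0, {"rar"}),
    (b"\x1f\x8b", 0, {"gz", "tgz"}),
    (b"\x7fELF", 0, {"elf", "so", ""}),
    (b"ID3", 0, {"mp3"}),
    (b"ftyp", 4, {"mp4", "mov", "m4a", "3gp"}),
]
MAX_HEADER = max(off + len(magic) for magic, off, _ in SIGNATURES)


def read_header(path):
    """Read just enough of a file on disk to test every signature."""
    with open(path, "rb") as fh:
        return fh.read(MAX_HEADER)


def identify(header):
    """Extensions whose signature matches the leading bytes (empty set = unknown)."""
    matched = set()
    for magic, off, exts in SIGNATURES:
        if header[off:off + len(magic)] == magic:
            matched |= exts
    return matched


def analyze(name, header):
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    matched = identify(header)
    if not matched:
        verdict = "unknown"          # no known magic: text, encrypted, or carved junk
    elif ext in matched:
        verdict = "match"
    else:
        verdict = "mismatch"         # renamed file: the interesting case
    return {"name": name, "extension": ext, "looks_like": sorted(matched), "verdict": verdict}


def scan(files):
    """files: iterable of (name, leading bytes). Mismatches sort first."""
    order = {"mismatch": 0, "unknown": 1, "match": 2}
    results = [analyze(name, header) for name, header in files]
    return sorted(results, key=lambda r: (order[r["verdict"]], r["name"]))


SAMPLE_FILES = [                                   # constructed
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00"),
    ("notes.txt", b"MZ\x90\x00\x03\x00\x00\x00"),      # PE renamed to .txt
    ("photo.png", b"PK\x03\x04\x14\x00\x00\x00"),        # ZIP renamed to .png
    ("report.docx", b"PK\x03\x04\x14\x00\x06\x00"),      # OOXML really is a ZIP
    ("clip.mp4", b"\x00\x00\x00\x18ftypmp42"),
    ("readme", b"Just some text\n"),
]
```

For a mounted image, walk the tree and call analyze(path, read_header(path)) for each file; "unknown" is not a clean bill of health, since encrypted containers and deliberately stripped headers both land there and deserve entropy analysis next.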
Metadata Investigation
o Metadata
o Types of Metadata
o Metadata in Different File Systems
o Metadata in PDF Files
o Metadata in Word Documents
o Tool: Metadata Analyzer
Text Based Logs
o Understanding Events
o Event Logon Types
o Event Record Structure
o Vista Event Logs
o IIS Logs
Parsing IIS Logs
o Parsing FTP Logs
FTP sc-status Codes
o Parsing DHCP Server Logs
o Parsing Windows Firewall Logs
o Using the Microsoft Log Parser
Other Audit Events
o Evaluating Account Management Events
o Examining Audit Policy Change Events
o Examining System Log Entries
o Examining Application Log Entries
Forensic Analysis of Event Logs
o Searching with Event Viewer
o Using EnCase to Examine Windows Event Log Files
o Windows Event Log Files Internals
Windows Password Issues
o Understanding Windows Password Storage
o Cracking Windows Passwords Stored on Running Systems
o Exploring Windows Authentication Mechanisms
LanMan Authentication Process
NTLM Authentication Process
Kerberos Authentication Process
o Sniffing and Cracking Windows Authentication Exchanges
o Cracking Offline Passwords
Forensic Tools
o Windows Forensics Tool: OS Forensics
o Windows Forensics Tool: Helix3 Pro
o Integrated Windows Forensics Software: X-Ways Forensics
o X-Ways Trace
o Windows Forensic Toolchest (WFT)
o Built-in Tool: Sigverif
o Computer Online Forensic Evidence Extractor (COFEE)
o System Explorer
o Tool: System Scanner
o SecretExplorer
o Registry Viewer Tool: Registry Viewer
o Registry Viewer Tool: RegScanner
o Registry Viewer Tool: Alien Registry Viewer
o MultiMon
o CurrProcess
o Process Explorer
o Security Task Manager
o PrcView
o ProcHeapViewer
o Memory Viewer
o Tool: PMDump
o Word Extractor
o Belkasoft Evidence Center
o Belkasoft Browser Analyzer
o Metadata Assistant
o HstEx
o XpoLog Center Suite
o LogViewer Pro
o Event Log Explorer
o LogMeister
o ProDiscover Forensics
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DriveLook
Module 09: Data Acquisition and Duplication
Data Acquisition and Duplication Concepts
o Data Acquisition
o Forensic and Procedural Principles
o Types of Data Acquisition Systems
o Data Acquisition Formats
o Bit Stream vs. Backups
o Why Create a Duplicate Image?
o Issues with Data Duplication
o Data Acquisition Methods
o Determining the Best Acquisition Method
o Contingency Planning for Image Acquisitions
o Data Acquisition Mistakes
Data Acquisition Types
o Rules of Thumb
o Static Data Acquisition
Collecting Static Data
Static Data Collection Process
o Live Data Acquisition
Why Volatile Data Is Important
Volatile Data
Order of Volatility
Common Mistakes in Volatile Data Collection
Volatile Data Collection Methodology
Basic Steps in Collecting Volatile Data
Types of Volatile Information
Disk Acquisition Tool Requirements
o Disk Imaging Tool Requirements
o Disk Imaging Tool Requirements: Mandatory
o Disk Imaging Tool Requirements: Optional
Validation Methods
o Validating Data Acquisitions
o Linux Validation Methods
o Windows Validation Methods
RAID Data Acquisition
o Understanding RAID Disks
o Acquiring RAID Disks
o Remote Data Acquisition
Acquisition Best Practices
o Acquisition Best Practices
Data Acquisition Software Tools
o Acquiring Data on Windows
o Acquiring Data on Linux
dd Command
dcfldd Command
Extracting the MBR
Netcat Command
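Worked example for the dd, dcfldd, MBR-extraction and netcat items above, and for the hash-verification items elsewhere in the outline ("Verify Image Integrity" in Module 02, "MD5 Calculation" in Module 08, "Validation Methods" in this module). This is added illustration code, not course material: the dd/dcfldd mechanics are written out in Python so each step is visible, and the source "device" is a constructed in-memory object with one deliberately unreadable sector.

```python
"""Bit-stream acquisition as dd/dcfldd perform it, written out so the mechanics
are visible: fixed block size, skip/count (count=1 on a raw disk is the MBR
extraction listed above), conv=noerror,sync behaviour (an unreadable block is
logged and written as zeros so every later sector keeps its offset), hashing
while copying (dcfldd's hash= option), and verification of the finished image
against the recorded hashes. Added example, not course material; the source
'device' is a constructed in-memory object with a deliberately bad sector."""
import hashlib
import io


class FlakyDevice:
    """Constructed stand-in for a raw device whose listed blocks fail to read."""

    def __init__(self, data, bad_blocks, block_size):
        self._buf = io.BytesIO(data)
        self._bad = set(bad_blocks)
        self._bs = block_size

    def seek(self, pos):
        self._buf.seek(pos)

    def read(self, n):
        block = self._buf.tell() // self._bs
        if block in self._bad:
            raise OSError("Input/output error reading block %d" % block)
        return self._buf.read(n)


def acquire(src, dst, bs=512, skip=0, count=None, algorithms=("md5", "sha256")):
    """dd if=src of=dst bs=bs skip=skip count=count conv=noerror,sync, plus
    dcfldd-style hashing of exactly the bytes written. Returns the figures an
    acquisition log should record."""
    hashes = {name: hashlib.new(name) for name in algorithms}
    bad_blocks, blocks, pos = [], 0, skip * bs
    src.seek(pos)
    while count is None or blocks < count:
        try:
            chunk = src.read(bs)
        except OSError as err:
            bad_blocks.append((skip + blocks, str(err)))
            chunk = b"\x00" * bs            # sync: zero-fill the unreadable block
            pos += bs
            src.seek(pos)                   # noerror: carry on with the next block
        else:
            if not chunk:
                break                       # end of device
            pos += len(chunk)
            if len(chunk) < bs:
                chunk = chunk.ljust(bs, b"\x00")   # sync: pad a short last block
        dst.write(chunk)
        for h in hashes.values():
            h.update(chunk)
        blocks += 1
    return {"block_size": bs, "blocks": blocks, "bytes": blocks * bs,
            "bad_blocks": bad_blocks,
            "hashes": {name: h.hexdigest() for name, h in hashes.items()}}


def hash_stream(fileobj, algorithms, chunk=1 << 20):
    hashes = {name: hashlib.new(name) for name in algorithms}
    fileobj.seek(0)
    while True:
        data = fileobj.read(chunk)
        if not data:
            break
        for h in hashes.values():
            h.update(data)
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify(image, record):
    """Re-hash the image and compare with every algorithm in the record. Keep
    SHA-256 next to MD5: MD5 collisions are practical, so an MD5 match alone is
    weak evidence that nothing was substituted."""
    actual = hash_stream(image, tuple(record["hashes"]))
    return {name: actual[name] == expected for name, expected in record["hashes"].items()}


def verify_bytes(data, record):
    return verify(io.BytesIO(data), record)


def demo():
    """Image a constructed 10-sector drive whose sector 3 is unreadable, then
    pull sector 0 on its own as dd ... bs=512 count=1 would for the MBR."""
    bs = 512
    disk = b"".join(bytes([0x10 + i]) * bs for i in range(10))
    image = io.BytesIO()
    record = acquire(FlakyDevice(disk, {3}, bs), image, bs=bs)
    mbr = io.BytesIO()
    acquire(FlakyDevice(disk, {3}, bs), mbr, bs=bs, count=1)
    last = io.BytesIO()
    acquire(FlakyDevice(disk, {3}, bs), last, bs=bs, skip=9, count=1)
    return record, image.getvalue(), mbr.getvalue(), last.getvalue()
```

Two practical points follow from the code. Use a block size equal to the device's sector size (512 or 4096) when you rely on noerror,sync: with a large bs a single bad sector zero-fills the whole block and readable neighbours are lost, which is why dedicated imagers retry failed blocks at smaller sizes. And hash the bytes written, not the device, because padding changes the stream; when the stream goes over netcat instead of to a file, hash it on both ends and compare, exactly as verify() does here against the acquisition record.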
o EnCase Forensic
o Analysis Software: DriveSpy
o ProDiscover Forensics
o AccessData FTK Imager
o Mount Image Pro
o Data Acquisition Toolbox
o SafeBack
o ILookPI
o RAID Recovery for Windows
o R-Tools R-Studio
o F-Response
o PyFlag
o LiveWire Investigator
o ThumbsDisplay
o DataLifter
o X-Ways Forensics
o R-drive Image
o DriveLook
o DiskExplorer
o P2 eXplorer Pro
o Flash Retriever Forensic Edition
Data Acquisition Hardware Tools
o US-LATT
o Image MASSter: Solo-4 (Super Kit)
o Image MASSter: RoadMASSter-3
o Tableau TD1 Forensic Duplicator
o Logicube: Forensic MD5
o Logicube: Portable Forensic Lab™
o Logicube: Forensic Talon®
o Logicube: RAID I/O Adapter™
o DeepSpar: Disk Imager Forensic Edition
o Logicube: USB Adapter
o Disk Jockey PRO
o Logicube: Forensic Quest-2®
o Logicube: CloneCard Pro
o Logicube: EchoPlus
o Paraben Forensics Hardware: Chat Stick
o Image MASSter: Rapid Image 7020CS IT
o Digital Intelligence Forensic Hardware: UltraKit
o Digital Intelligence Forensic Hardware: UltraBay II
o Digital Intelligence Forensic Hardware: UltraBlock SCSI
o Digital Intelligence Forensic Hardware: HardCopy 3P
o Wiebetech: Forensics DriveDock v4
o Wiebetech: Forensics UltraDock v4
o Image MASSter: WipeMASSter
o Image MASSter: WipePRO
o Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
o Forensic Tower IV Dual Xeon
o Digital Intelligence Forensic Hardware: FREDDIE
o DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
o Logicube
Cables
Adapters
GPStamp™
OmniPort
CellDEK®
o Paraben Forensics Hardware
Project-a-Phone
Mobile Field Kit
iRecovery Stick
o Cellebrite
UFED System
UFED Physical Pro
Module 10: Recovering Deleted Files and Deleted Partitions
Recovering the Deleted Files
o Deleting Files
o What Happens When a File is Deleted in Windows?
o Recycle Bin in Windows
Storage Locations of Recycle Bin in FAT and NTFS Systems
How the Recycle Bin Works
Damaged or Deleted INFO File
Damaged Files in Recycle Bin Folder
Damaged Recycle Folder
o File Recovery in Mac OS X
o File Recovery in Linux
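Worked example for the Recycle Bin items above ("How the Recycle Bin Works", "Damaged or Deleted INFO File"): a parser for the Windows 2000/XP INFO2 index, plus the fallback an examiner is left with when INFO2 is gone. This is added illustration code, not course material; the INFO2 bytes are constructed, and the 20-byte header is read only for its version and record-size fields.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index: a 20-byte header (version,
two fields not needed here, record size, one trailing field) followed by fixed
800-byte records holding the original path as ANSI and Unicode, the index used
to name the recycled file (Dc<index>.<ext> for drive C:), the drive number,
deletion FILETIME and size. Added example, not course material; the INFO2 bytes
are constructed. The last function covers the damaged or missing INFO2 case:
the Dc files are still on disk, only the mapping back to original names is lost."""
import datetime
import re
import struct

HEADER_SIZE = 20
RECORD_SIZE = 800
RECORD_FMT = "<260sIIQI"          # ANSI path, index, drive, FILETIME, size (280 bytes)
EPOCH_DIFF = 116444736000000000


def filetime_to_datetime(ft):
    return datetime.datetime(1970, 1, 1) + datetime.timedelta(microseconds=(ft - EPOCH_DIFF) // 10)


def datetime_to_filetime(dt):
    delta = dt - datetime.datetime(1970, 1, 1)
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10 + EPOCH_DIFF


def recycler_name(drive, index, original_path):
    """Name the recycled copy gets under RECYCLER\\<SID>\\: D + drive letter + index + ext."""
    filename = original_path.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[1] if "." in filename else ""
    return "D%s%d%s" % (chr(ord("a") + drive), index, "." + ext if ext else "")


def parse_record(rec):
    ansi, index, drive, ft, size = struct.unpack(RECORD_FMT, rec[:280])
    unicode_path = rec[280:RECORD_SIZE].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "original_path": unicode_path,
        "ansi_path": ansi.split(b"\x00", 1)[0].decode("cp1252", "replace"),
        # First ANSI byte is nulled when the file was restored or purged from the bin
        "restored_or_purged": ansi[0] == 0,
        "index": index,
        "drive": chr(ord("A") + drive) + ":",
        "recycler_name": recycler_name(drive, index, unicode_path),
        "deleted": filetime_to_datetime(ft),
        "size": size,
    }


def parse_info2(data):
    if len(data) < HEADER_SIZE:
        raise ValueError("INFO2 shorter than its header")
    version = struct.unpack_from("<I", data, 0)[0]
    record_size = struct.unpack_from("<I", data, 12)[0]
    if record_size != RECORD_SIZE:
        raise ValueError("unexpected INFO2 record size %d (version %d)" % (record_size, version))
    records = []
    for off in range(HEADER_SIZE, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        records.append(parse_record(data[off:off + RECORD_SIZE]))
    return records


RECYCLER_RE = re.compile(r"^D([a-zA-Z])(\d+)(?:\.(.+))?$")


def parse_recycler_name(name):
    """Without INFO2 (emptied, damaged) only this much is recoverable from the
    file name; the content itself is untouched until its clusters are reused."""
    m = RECYCLER_RE.match(name)
    if not m:
        return None
    return {"drive": m.group(1).upper() + ":", "index": int(m.group(2)), "ext": m.group(3) or ""}


def build_sample_info2():
    """Constructed INFO2 with a deleted document and a purged text file."""
    def record(path, index, drive, deleted, size, purged=False):
        ansi = path.encode("cp1252").ljust(260, b"\x00")
        if purged:
            ansi = b"\x00" + ansi[1:]
        uni = path.encode("utf-16-le").ljust(520, b"\x00")
        return struct.pack(RECORD_FMT, ansi, index, drive,
                           datetime_to_filetime(deleted), size) + uni
    header = struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 2 * RECORD_SIZE)
    return (header
            + record("C:\\Documents and Settings\\bob\\My Documents\\plan.doc", 1, 2,
                     datetime.datetime(2012, 3, 14, 10, 0, 0), 24576)
            + record("C:\\temp\\secret.txt", 2, 2,
                     datetime.datetime(2012, 3, 14, 10, 5, 30), 5000, purged=True))
```

Records whose first ANSI byte is nulled still carry the Unicode path and deletion time, which is why a "damaged" INFO2 is worth parsing rather than discarding. Windows Vista and later replaced INFO2 with per-file $I index files under $Recycle.Bin\<SID>\, a different layout this parser does not read.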
File Recovery Tools for Windows
o Recover My Files
o EASEUS Data Recovery Wizard
o PC INSPECTOR File Recovery
o Recuva
o DiskDigger
o Handy Recovery
o Quick Recovery
o Stellar Phoenix Windows Data Recovery
o Tools to Recover Deleted Files
Total Recall
Advanced Disk Recovery
Windows Data Recovery Software
R-Studio
PC Tools File Recover
Data Rescue PC
Smart Undelete
FileRestore Professional
Deleted File Recovery Software
DDR Professional Recovery Software
Data Recovery Pro
GetDataBack
UndeletePlus
Search and Recover
File Scavenger
Filesaver
Virtual Lab
Active@ UNDELETE
Win Undelete
R-Undelete
Recover4all Professional
eData Unerase
Active@ File Recovery
FinalRecovery
File Recovery Tools for Mac
o Mac File Recovery
o Mac Data Recovery
o Boomerang Data Recovery Software
o VirtualLab
o File Recovery Tools for Mac OS X
DiskWarrior
AppleXsoft File Recovery for Mac
Disk Doctors Mac Data Recovery
R-Studio for Mac
Data Rescue
Stellar Phoenix Mac Data Recovery
FileSalvage
TechTool Pro
File Recovery Tools for Linux
o R-Studio for Linux
o Quick Recovery for Linux
o Kernel for Linux Data Recovery
o TestDisk for Linux
Recovering the Deleted Partitions
o Disk Partition
o Deletion of Partition
o Recovery of the Deleted Partition
Partition Recovery Tools
o Active@ Partition Recovery for Windows
o Acronis Recovery Expert
o DiskInternals Partition Recovery
o NTFS Partition Data Recovery
o GetDataBack
o EASEUS Partition Recovery
o Advanced Disk Recovery
o Power Data Recovery
o Remo Recover (MAC) - Pro
o MAC Data Recovery Software
o Quick Recovery for Linux
o Stellar Phoenix Linux Data Recovery Software
o Tools to Recover Deleted Partitions
Handy Recovery
TestDisk for Windows
Stellar Phoenix Windows Data Recovery
ARAX Disk Doctor
Power Data Recovery
Quick Recovery for MAC
Partition Find & Mount
Advance Data Recovery Software Tools
TestDisk for MAC
Kernel for FAT and NTFS – Windows Disk Recovery
Disk Drill
Stellar Phoenix MAC Data Recovery
ZAR Windows Data Recovery
AppleXsoft File Recovery for MAC
Quick Recovery for FAT & NTFS
TestDisk for Linux
Module 11: Forensics Investigation using AccessData FTK
Overview and Installation of FTK
o Overview of Forensic Toolkit (FTK)
o Features of FTK
o Software Requirement
o Configuration Option
o Database Installation
o FTK Application Installation
FTK Case Manager User Interface
o Case Manager Window
Case Manager Database Menu
Setting Up Additional Users and Assigning Roles
Case Manager Case Menu
Assigning Users Shared Label Visibility
Case Manager Tools Menu
Recovering Processing Jobs
Restoring an Image to a Disk
Case Manager Manage Menu
Managing Carvers
Managing Custom Identifiers
FTK Examiner User Interface
o FTK Examiner User Interface
Menu Bar: File Menu
Exporting Files
Exporting Case Data to a Custom Content Image
Exporting the Word List
Menu Bar: Edit Menu
Menu Bar: View Menu
Menu Bar: Evidence Menu
Menu Bar: Tools Menu
Verifying Drive Image Integrity
Mounting an Image to a Drive
File List View
Using Labels
Creating and Applying a Label
Starting with FTK
o Creating a case
o Selecting Detailed Options: Evidence Processing
o Selecting Detailed Options: Fuzzy Hashing
o Selecting Detailed Options: Data Carving
o Selecting Detailed Options: Custom File Identification
o Selecting Detailed Options: Evidence Refinement (Advanced)
o Selecting Detailed Options: Index Refinement (Advanced)
FTK Interface Tabs
o FTK Interface Tabs
Explore Tab
Overview Tab
Email Tab
Graphics Tab
Bookmarks Tab
Live Search Tabs
Volatile Tab
Adding and Processing Static, Live, and Remote Evidence
o Adding Evidence to a Case
o Evidence Groups
o Acquiring Local Live Evidence
o FTK Role Requirements For Remote Acquisition
o Types of Remote Information
o Acquiring Data Remotely Using Remote Device Management System (RDMS)
o Imaging Drives
o Mounting and Unmounting a Device
Using and Managing Filters
o Accessing Filter Tools
o Using Filters
o Customizing Filters
o Using Predefined Filters
Using Index Search and Live Search
o Conducting an Index Search
Selecting Index Search Options
Viewing Index Search Results
Documenting Search Results
o Conducting a Live Search: Live Text Search
o Conducting a Live Search: Live Hex Search
o Conducting a Live Search: Live Pattern Search
Decrypting EFS and other Encrypted Files
o Decrypting EFS Files and Folders
o Decrypting MS Office Files
o Viewing Decrypted Files
o Decrypting Domain Account EFS Files from Live Evidence
o Decrypting Credant Files
o Decrypting Safeboot Files
Working with Reports
o Creating a Report
o Entering Case Information
o Managing Bookmarks in a Report
o Managing Graphics in a Report
o Selecting a File Path List
o Adding a File Properties List
o Making Registry Selections
o Selecting the Report Output Options
o Customizing the Formatting of Reports
o Viewing and Distributing a Report
Module 12: Forensics Investigation Using EnCase
Overview of Encase Forensic
o Overview of EnCase Forensic
o EnCase Forensic Features
o EnCase Forensic Platform
o EnCase Forensic Modules
Installing EnCase Forensic
o Minimum Requirements
o Installing the Examiner
o Installed Files
o Installing the EnCase Modules
o Configuring EnCase
Configuring EnCase: Case Options Tab
Configuring EnCase: Global Tab
Configuring EnCase: Debug Tab
Configuring EnCase: Colors Tab and Fonts Tab
Configuring EnCase: EnScript Tab and Storage Paths Tab
o Sharing Configuration (INI) Files
EnCase Interface
o Main EnCase Window
System Menu Bar
Toolbar
Panes Overview
Tree Pane
Table Pane
o Table Pane: Table Tab
o Table Pane: Report Tab
o Table Pane: Gallery Tab
o Table Pane: Timeline Tab
o Table Pane: Disk Tab and Code Tab
View Pane
Filter Pane
o Filter Pane Tabs
o Creating a Filter
o Creating Conditions
Status Bar
Case Management
o Overview of Case Structure
o Case Management
o Indexing a Case
o Case Backup
o Options Dialog Box
o Logon Wizard
o New Case Wizard
o Setting Time Zones for Case Files
o Setting Time Zone Options for Evidence Files
Working with Evidence
o Types of Entries
o Adding a Device
Adding a Device using Tableau Write Blocker
o Performing a Typical Acquisition
o Acquiring a Device
o Canceling an Acquisition
o Acquiring a Handspring PDA
o Delayed Loading of Internet Artifacts
o Hashing the Subject Drive
o Logical Evidence File (LEF)
o Creating a Logical Evidence File
o Recovering Folders on FAT Volumes
o Restoring a Physical Drive
Source Processor
o Source Processor
Starting to Work with Source Processor
Setting Case Options
Collection Jobs
Creating a Collection Job
Copying a Collection Job
Running a Collection Job
Analysis Jobs
Creating an Analysis Job
Running an Analysis Job
Creating a Report
Analyzing and Searching Files
o Viewing the File Signature Directory
o Performing a Signature Analysis
o Hash Analysis
o Hashing a New Case
o Creating a Hash Set
o Keyword Searches
o Creating Global Keywords
o Adding Keywords
o Importing and Exporting Keywords
o Searching Entries for Email and Internet Artifacts
o Viewing Search Hits
o Generating an Index
o Tag Records
Viewing File Content
o Viewing Files
o Copying and Unerasing Files
o Adding a File Viewer
o Viewing File Content Using View Pane
o Viewing Compound Files
o Viewing Base64 and UUE Encoded Files
Bookmarking Items
o Bookmarks Overview
o Creating a Highlighted Data Bookmark
o Creating a Note Bookmark
o Creating a Folder Information/Structure Bookmark
o Creating a Notable File Bookmark
o Creating a File Group Bookmark
o Creating a Log Record Bookmark
o Creating a Snapshot Bookmark
o Organizing Bookmarks
o Copying/Moving a Table Entry into a Folder
o Viewing a Bookmark on the Table Report Tab
o Excluding Bookmarks
o Copying Selected Items from One Folder to Another
Reporting
o Reporting
o Report User Interface
o Creating a Report Using the Report Tab
o Report Single/Multiple Files
o Viewing a Bookmark Report
o Viewing an Email Report
o Viewing a Webmail Report
o Viewing a Search Hits Report
o Creating a Quick Entry Report
o Creating an Additional Fields Report
o Exporting a Report
Module 13: Steganography and Image File Forensics
Steganography
o What is Steganography?
o How Steganography Works
o Legal Use of Steganography
o Unethical Use of Steganography
Steganography Techniques
o Steganography Techniques
o Application of Steganography
o Classification of Steganography
o Technical Steganography
o Linguistic Steganography
o Types of Steganography
Image Steganography
Least Significant Bit Insertion
Masking and Filtering
Algorithms and Transformation
Image Steganography: Hermetic Stego
Steganography Tool: S-Tools
Image Steganography Tools
o ImageHide
o QuickStego
o gifshuffle
o OutGuess
o Contraband
o Camera/Shy
o JPHIDE and JPSEEK
o StegaNote
Audio Steganography
Audio Steganography Methods
Audio Steganography: Mp3stegz
Audio Steganography Tools
o MAXA Security Tools
o Stealth Files
o Audiostegano
o BitCrypt
o MP3Stego
o Steghide
o Hide4PGP
o CHAOS Universal
Video Steganography
Video Steganography: MSU StegoVideo
Video Steganography Tools
o Masker
o Max File Encryption
o Xiao Steganography
o RT Steganography
o Our Secret
o BDV DataHider
o CHAOS Universal
o OmniHide PRO
Document Steganography: wbStego
Byte Shelter I
Document Steganography Tools
o Merge Streams
o Office XML
o CryptArkan
o Data Stash
o FoxHole
o Xidie Security Suite
o StegParty
o Hydan
Whitespace Steganography Tool: SNOW
Folder Steganography: Invisible Secrets 4
Folder Steganography Tools
o StegoStick
o QuickCrypto
o Max Folder Secure
o WinMend Folder Hidden
o PSM Encryptor
o XPTools
o Universal Shield
o Hide My Files
Spam/Email Steganography: Spam Mimic
o Steganographic File System
o Issues in Information Hiding
Steganalysis
o Steganalysis
o How to Detect Steganography
o Detecting Text, Image, Audio, and Video Steganography
o Steganalysis Methods/Attacks on Steganography
o Disabling or Active Attacks
o Steganography Detection Tool: Stegdetect
o Steganography Detection Tools
Xstegsecret
Stego Watch
StegAlyzerAS
StegAlyzerRTS
StegSpy
Gargoyle Investigator™ Forensic Pro
StegAlyzerSS
StegMark
Image Files
o Image Files
o Common Terminologies
o Understanding Vector Images
o Understanding Raster Images
o Metafile Graphics
o Understanding Image File Formats
o GIF (Graphics Interchange Format)
o JPEG (Joint Photographic Experts Group)
JPEG File Structure
JPEG 2000
o BMP (Bitmap) File
BMP File Structure
o PNG (Portable Network Graphics)
PNG File Structure
o TIFF (Tagged Image File Format)
TIFF File Structure
Data Compression
o Understanding Data Compression
o How Does File Compression Work?
o Lossless Compression
o Huffman Coding Algorithm
o Lempel-Ziv Coding Algorithm
o Lossy Compression
o Vector Quantization
Locating and Recovering Image Files
o Best Practices for Forensic Image Analysis
o Forensic Image Processing Using MATLAB
o Locating and Recovering Image Files
o Analyzing Image File Headers
o Repairing Damaged Headers
o Reconstructing File Fragments
o Identifying Unknown File Formats
o Identifying Image File Fragments
o Identifying Copyright Issues on Graphics
o Picture Viewer: IrfanView
o Picture Viewer: ACDSee Photo Manager 12
o Picture Viewer: Thumbsplus
o Picture Viewer: AD Picture Viewer Lite
o Picture Viewer Max
o Picture Viewer: FastStone Image Viewer
o Picture Viewer: XnView
o Faces – Sketch Software
o Digital Camera Data Discovery Software: File Hound
Image File Forensics Tools
o Hex Workshop
o GFE Stealth™ - Forensics Graphics File Extractor
o Ilook
o Adroit Photo Forensics 2011
o Digital Photo Recovery
o Stellar Phoenix Photo Recovery Software
o Zero Assumption Recovery (ZAR)
o Photo Recovery Software
o Forensic Image Viewer
o File Finder
o DiskGetor Data Recovery
o DERescue Data Recovery Master
o Recover My Files
o Universal Viewer
Module 14: Application Password Crackers
Password Cracking Concepts
o Password - Terminology
o Password Types
o Password Cracker
o How Does a Password Cracker Work?
o How Hash Passwords are Stored in Windows SAM
Types of Password Attacks
o Password Cracking Techniques
o Types of Password Attacks
o Passive Online Attacks: Wire Sniffing
o Password Sniffing
o Passive Online Attack: Man-in-the-Middle and Replay Attack
o Active Online Attack: Password Guessing
o Active Online Attack: Trojan/Spyware/Keylogger
o Active Online Attack: Hash Injection Attack
o Rainbow Attacks: Pre-Computed Hash
o Distributed Network Attack
Elcomsoft Distributed Password Recovery
o Non-Electronic Attacks
o Manual Password Cracking (Guessing)
o Automatic Password Cracking Algorithm
o Time Needed to Crack Passwords
Classification of Cracking Software
Systems Software vs. Applications Software
System Software Password Cracking
o Bypassing BIOS Passwords
Using Manufacturer’s Backdoor Password to Access the BIOS
Using Password Cracking Software
CmosPwd
Resetting the CMOS using the Jumpers or Solder Beads
Removing CMOS Battery
Overloading the Keyboard Buffer and Using a Professional Service
o Tool to Reset Admin Password: Active@ Password Changer
o Tool to Reset Admin Password: Windows Key
Application Software Password Cracking
o Passware Kit Forensic
o Accent Keyword Extractor
o Distributed Network Attack
o Password Recovery Bundle
o Advanced Office Password Recovery
o Office Password Recovery
o Office Password Recovery Toolbox
o Office Multi-document Password Cracker
o Word Password Recovery Master
o Accent WORD Password Recovery
o Word Password
o PowerPoint Password Recovery
o PowerPoint Password
o Powerpoint Key
o Stellar Phoenix Powerpoint Password Recovery
o Excel Password Recovery Master
o Accent EXCEL Password Recovery
o Excel Password
o Advanced PDF Password Recovery
o PDF Password Cracker
o PDF Password Cracker Pro
o Atomic PDF Password Recovery
o PDF Password
o Recover PDF Password
o Appnimi PDF Password Recovery
o Advanced Archive Password Recovery
o KRyLack Archive Password Recovery
o Zip Password
o Atomic ZIP Password Recovery
o RAR Password Unlocker
o Default Passwords
o http://www.defaultpassword.com
o http://www.cirt.net/passwords
o http://default-password.info
o http://www.defaultpassword.us
o http://www.passwordsdatabase.com
o http://www.virus.org
Password Cracking Tools
o L0phtCrack
o OphCrack
o Cain & Abel
o RainbowCrack
o Windows Password Unlocker
o Windows Password Breaker
o SAMInside
o PWdump7 and Fgdump
o PCLoginNow
o KerbCrack
o Recover Keys
o Windows Password Cracker
o Proactive System Password Recovery
o Password Unlocker Bundle
o Windows Password Reset Professional
o Windows Password Reset Standard
o Krbpwguess
o Password Kit
o WinPassword
o Passware Kit Enterprise
o Rockxp
o PasswordsPro
o LSASecretsView
o LCP
o MessenPass
o Mail PassView
o Messenger Key
o Dialupass
o Protected Storage PassView
o Network Password Recovery
o Asterisk Key
o IE PassView
Module 15: Log Capturing and Event Correlation
Computer Security Logs
o Computer Security Logs
o Operating System Logs
o Application Logs
o Security Software Logs
o Router Log Files
o Honeypot Logs
o Linux Process Accounting
o Logon Event in Windows
o Windows Log File
Configuring Windows Logging
Analyzing Windows Logs
Windows Log File: System Logs
Windows Log File: Application Logs
Logon Events that appear in the Security Event Log
o IIS Logs
IIS Log File Format
Maintaining Credible IIS Log Files
o Log File Accuracy
o Log Everything
o Keeping Time
o UTC Time
o View the DHCP Logs
Sample DHCP Audit Log File
o ODBC Logging
Logs and Legal Issues
o Legality of Using Logs
o Records of Regularly Conducted Activity as Evidence
o Laws and Regulations
Log Management
o Log Management
Functions of Log Management
Challenges in Log Management
Meeting the Challenges in Log Management
Centralized Logging and Syslogs
o Centralized Logging
Centralized Logging Architecture
Steps to Implement Central Logging
o Syslog
Syslog in Unix-Like Systems
Steps to Set Up a Syslog Server for Unix Systems
Advantages of Centralized Syslog Server
o IIS Centralized Binary Logging
Time Synchronization
o Why Synchronize Computer Times?
o What is NTP?
NTP Stratum Levels
o NIST Time Servers
o Configuring Time Server in Windows Server
Event Correlation
o Event Correlation
Types of Event Correlation
Prerequisites for Event Correlation
Event Correlation Approaches
Log Capturing and Analysis Tools
o GFI EventsManager
o Activeworx Security Center
o EventLog Analyzer
o Syslog-ng OSE
o Kiwi Syslog Server
o WinSyslog
o Firewall Analyzer: Log Analysis Tool
o Activeworx Log Center
o EventReporter
o Kiwi Log Viewer
o Event Log Explorer
o WebLog Expert
o XpoLog Center Suite
o ELM Event Log Monitor
o EventSentry
o LogMeister
o LogViewer Pro
o WinAgents EventLog Translation Service
o EventTracker Enterprise
o Corner Bowl Log Manager
o Ascella Log Monitor Plus
o FLAG - Forensic and Log Analysis GUI
o Simple Event Correlator (SEC)
o OSSEC
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
Network Forensics
o Network Forensics
o Network Forensics Analysis Mechanism
o Network Addressing Schemes
o Overview of Network Protocols
o Overview of Physical and Data-Link Layer of the OSI Model
o Overview of Network and Transport Layer of the OSI Model
o OSI Reference Model
o TCP/IP Protocol
o Intrusion Detection Systems (IDS) and Their Placement
How IDS Works
Types of Intrusion Detection Systems
General Indications of Intrusions
o Firewall
o Honeypot
Network Attacks
o Network Vulnerabilities
o Types of Network Attacks
IP Address Spoofing
Man-in-the-Middle Attack
Packet Sniffing
How a Sniffer Works
Enumeration
Denial of Service Attack
Session Sniffing
Buffer Overflow
Trojan Horse
Log Injection Attacks
o New Line Injection Attack
New Line Injection Attack Countermeasure
o Separator Injection Attack
Defending Separator Injection Attacks
o Timestamp Injection Attack
Defending Timestamp Injection Attacks
o Word Wrap Abuse Attack
Defending Word Wrap Abuse Attacks
o HTML Injection Attack
Defending HTML Injection Attacks
o Terminal Injection Attack
Defending Terminal Injection Attacks
Investigating and Analyzing Logs
o Postmortem and Real-Time Analysis
o Where to Look for Evidence
o Log Capturing Tool: ManageEngine EventLog Analyzer
o Log Capturing Tool: ManageEngine Firewall Analyzer
o Log Capturing Tool: GFI EventsManager
o Log Capturing Tool: Kiwi Syslog Server
o Handling Logs as Evidence
o Log File Authenticity
o Use Signatures, Encryption, and Checksums
o Work with Copies
o Ensure System’s Integrity
o Access Control
o Chain of Custody
o Condensing Log File
Investigating Network Traffic
o Why Investigate Network Traffic?
o Evidence Gathering via Sniffing
o Capturing Live Data Packets Using Wireshark
Display Filters in Wireshark
Additional Wireshark Filters
o Acquiring Traffic Using DNS Poisoning Techniques
Intranet DNS Spoofing (Local Network)
Intranet DNS Spoofing (Remote Network)
Proxy Server DNS Poisoning
DNS Cache Poisoning
o Evidence Gathering from ARP Table
o Evidence Gathering at the Data-Link Layer: DHCP Database
o Gathering Evidence by IDS
Traffic Capturing and Analysis Tools
o NetworkMiner
o Tcpdump/Windump
o Intrusion Detection Tool: Snort
How Snort Works
o IDS Policy Manager
o MaaTec Network Analyzer
o Iris Network Traffic Analyzer
o NetWitness Investigator
o Colasoft Capsa Network Analyzer
o Sniff-O-Matic
o NetResident
o Network Probe
o NetFlow Analyzer
o OmniPeek Network Analyzer
o Firewall Evasion Tool: Traffic IQ Professional
o NetworkView
o CommView
o Observer
o SoftPerfect Network Protocol Analyzer
o EffeTech HTTP Sniffer
o Big-Mother
o EtherDetect Packet Sniffer
o Ntop
o EtherApe
o AnalogX Packetmon
o IEInspector HTTP Analyzer
o SmartSniff
o Distinct Network Monitor
o Give Me Too
o EtherSnoop
o Show Traffic
o Argus
Documenting the Evidence Gathered on a Network
Module 17: Investigating Wireless Attacks
Wireless Technologies
o Wireless Networks
o Wireless Terminologies
o Wireless Components
o Types of Wireless Networks
o Wireless Standards
o MAC Filtering
o Service Set Identifier (SSID)
o Types of Wireless Encryption: WEP
o Types of Wireless Encryption: WPA
o Types of Wireless Encryption: WPA2
o WEP vs. WPA vs. WPA2
Wireless Attacks
o Wi-Fi Chalking
Wi-Fi Chalking Symbols
o Access Control Attacks
o Integrity Attacks
o Confidentiality Attacks
o Availability Attacks
o Authentication Attacks
Investigating Wireless Attacks
o Key Points to Remember
o Steps for Investigation
Obtain a Search Warrant
Identify Wireless Devices at Crime Scene
Search for Additional Devices
Detect Rogue Access Point
Document the Scene and Maintain a Chain of Custody
Detect the Wireless Connections
Methodologies to Detect Wireless Connections
Wi-Fi Discovery Tool: inSSIDer
GPS Mapping
o GPS Mapping Tool: WIGLE
o GPS Mapping Tool: Skyhook
How to Discover Wi-Fi Networks Using Wardriving
Check for MAC Filtering
Changing the MAC Address
Detect WAPs using the Nessus Vulnerability Scanner
Capturing Wireless Traffic
o Sniffing Tool: Wireshark
o Follow TCP Stream in Wireshark
o Display Filters in Wireshark
o Additional Wireshark Filters
Determine Wireless Field Strength
Determine Wireless Field Strength: FSM
Determine Wireless Field Strength: ZAP Checker Products
What is Spectrum Analysis?
Map Wireless Zones & Hotspots
Connect to Wireless Network
Connect to the Wireless Access Point
Access Point Data Acquisition and Analysis: Attached Devices
Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
Access Point Data Acquisition and Analysis
o Firewall Analyzer
o Firewall Log Analyzer
Wireless Devices Data Acquisition and Analysis
Report Generation
Features of a Good Wireless Forensics Tool
Wireless Forensics Tools
o Wi-Fi Discovery Tools
NetStumbler
NetSurveyor
Vistumbler
WirelessMon
Kismet
AirPort Signal
WiFi Hopper
Wavestumbler
iStumbler
WiFinder
Meraki WiFi Stumbler
Wellenreiter
AirCheck Wi-Fi Tester
AirRadar 2
o Wi-Fi Packet Sniffers
OmniPeek
CommView for Wi-Fi
Wi-Fi USB Dongle: AirPcap
tcpdump
KisMAC
Aircrack-ng Suite
AirMagnet WiFi Analyzer
o Wardriving Tools
MiniStumbler
Airbase
ApSniff
WiFiFoFum
StumbVerter
ClassicStumbler
Driftnet
WarLinux
o RF Monitoring Tools
NetworkManager
KWiFiManager
NetworkControl
KOrinoco
KWaveControl
Aphunter
Qwireless
SigMon
o Wi-Fi Connection Manager Tools
Aironet Wireless LAN
Boingo
HandyWi
Avanquest Connection Manager
Intel PROSet
Odyssey Access Client
WiFi-Manager
QuickLink Mobile
o Wi-Fi Traffic Analyzer Tools
AirMagnet WiFi Analyzer
Cascade Pilot Personal Edition
OptiView® XG Network Analysis Tablet
Network Packet Analyzer
Network Observer
Ufasoft Snif
CommView for WiFi
Network Assistant
o Wi-Fi Raw Packet Capturing Tools
WirelessNetView
Pirni Sniffer
Tcpdump
Airview
o Wi-Fi Spectrum Analyzing Tools
Cisco Spectrum Expert
AirMedic
BumbleBee
Wi-Spy
Module 18: Investigating Web Attacks
Introduction to Web Applications and Web Servers
o Introduction to Web Applications
o Web Application Components
o How Web Applications Work
o Web Application Architecture
o Open Source Web Server Architecture
o Indications of a Web Attack
o Web Attack Vectors
o Why Web Servers are Compromised
o Impact of Web Server Attacks
o Website Defacement
o Case Study
Web Logs
o Overview of Web Logs
o Application Logs
o Internet Information Services (IIS) Logs
IIS Web Server Architecture
IIS Log File Format
o Apache Web Server Logs
o DHCP Server Logs
Web Attacks
o Web Attacks - 1
o Web Attacks - 2
Unvalidated Input
Parameter/Form Tampering
Directory Traversal
Security Misconfiguration
Injection Flaws
SQL Injection Attacks
Command Injection Attacks
Command Injection Example
File Injection Attack
What is LDAP Injection?
How LDAP Injection Works
Hidden Field Manipulation Attack
Cross-Site Scripting (XSS) Attacks
How XSS Attacks Work
Cross-Site Request Forgery (CSRF) Attack
How CSRF Attacks Work
Web Application Denial-of-Service (DoS) Attack
Denial of Service (DoS) Examples
Buffer Overflow Attacks
Cookie/Session Poisoning
How Cookie Poisoning Works
Session Fixation Attack
Insufficient Transport Layer Protection
Improper Error Handling
Insecure Cryptographic Storage
Broken Authentication and Session Management
Unvalidated Redirects and Forwards
DMZ Protocol Attack/Zero Day Attack
Log Tampering
URL Interpretation and Impersonation Attack
Web Services Attack
Web Services Footprinting Attack
Web Services XML Poisoning
Webserver Misconfiguration
HTTP Response Splitting Attack
Web Cache Poisoning Attack
HTTP Response Hijacking
SSH Bruteforce Attack
Man-in-the-Middle Attack
Defacement Using DNS Compromise
Web Attack Investigation
o Investigating Web Attacks
o Investigating Web Attacks in Windows-Based Servers
o Investigating IIS Logs
o Investigating Apache Logs
o Example of FTP Compromise
o Investigating FTP Servers
o Investigating Static and Dynamic IP Addresses
o Sample DHCP Audit Log File
o Investigating Cross-Site Scripting (XSS)
o Investigating SQL Injection Attacks
o Pen-Testing CSRF Validation Fields
o Investigating Code Injection Attack
o Investigating Cookie Poisoning Attack
o Detecting Buffer Overflow
o Investigating Authentication Hijacking
o Web Page Defacement
o Investigating DNS Poisoning
o Intrusion Detection
o Security Strategies for Web Applications
o Checklist for Web Security
Web Attack Detection Tools
o Web Application Security Tools
Acunetix Web Vulnerability Scanner
Falcove Web Vulnerability Scanner
Netsparker
N-Stalker Web Application Security Scanner
Sandcat
Wikto
WebWatchBot
OWASP ZAP
SecuBat Vulnerability Scanner
Websecurify
HackAlert
WebCruiser
o Web Application Firewalls
dotDefender
IBM AppScan
ServerDefender VP
o Web Log Viewers
Deep Log Analyzer
WebLog Expert
AlterWind Log Analyzer
Webalizer
eWebLog Analyzer
Apache Logs Viewer (ALV)
o Web Attack Investigation Tools
AWStats
Paros Proxy
Scrawlr
Tools for Locating IP Address
o Whois Lookup
o SmartWhois
o ActiveWhois
o LanWhois
o CountryWhois
o CallerIP
o Real Hide IP
o IP-Address Manager
o Pandora FMS
Module 19: Tracking Emails and Investigating Email Crimes
Email System Basics
o Email Terminology
o Email System
o Email Clients
o Email Server
o SMTP Server
o POP3 and IMAP Servers
o Email Message
o Importance of Electronic Records Management
Email Crimes
o Email Crime
o Email Spamming
o Mail Bombing/Mail Storm
o Phishing
o Email Spoofing
o Crime via Chat Room
o Identity Fraud/Chain Letter
Email Headers
o Example of Email Header
o List of Common Headers
Steps to Investigate
o Why to Investigate Emails
o Investigating Email Crime and Violation
Obtain a Search Warrant and Seize the Computer and Email Account
Obtain a Bit-by-Bit Image of Email Information
Examine Email Headers
Viewing Email Headers in Microsoft Outlook
Viewing Email Headers in AOL
Viewing Email Headers in Hotmail
Viewing Email Headers in Gmail
Viewing Headers in Yahoo Mail
Forging Headers
Analyzing Email Headers
Email Header Fields
Received: Headers
Microsoft Outlook Mail
Examining Additional Files (.pst or .ost files)
Checking the Email Validity
Examine the Originating IP Address
Trace Email Origin
Tracing Back
Tracing Back Web-based Email
Acquire Email Archives
Email Archives
Content of Email Archives
Local Archive
Server Storage Archive
Forensic Acquisition of Email Archive
Recover Deleted Emails
Deleted Email Recovery
Email Forensics Tools
o Stellar Phoenix Deleted Email Recovery
o Recover My Email
o Outlook Express Recovery
o Zmeil
o Quick Recovery for MS Outlook
o Email Detective
o Email Trace - Email Tracking
o R-Mail
o FINALeMAIL
o eMailTrackerPro
o Forensic Tool Kit (FTK)
o Paraben’s E-mail Examiner
o Paraben's Network E-mail Examiner
o DiskInternal’s Outlook Express Repair
o Abuse.Net
o MailDetective Tool
Laws and Acts against Email Crimes
o U.S. Laws Against Email Crime: CAN-SPAM Act
o 18 U.S.C. § 2252A
o 18 U.S.C. § 2252B
o Email Crime Law in Washington: RCW 19.190.020
Module 20: Mobile Forensics
Mobile Phones
o Mobile Phone
o Different Mobile Devices
o Hardware Characteristics of Mobile Devices
o Software Characteristics of Mobile Devices
o Components of Cellular Network
o Cellular Network
o Different Cellular Networks
Mobile Operating Systems
o Mobile Operating Systems
o Types of Mobile Operating Systems
o webOS
webOS System Architecture
o Symbian OS
Symbian OS Architecture
o Android OS
Android OS Architecture
o RIM BlackBerry OS
o Windows Phone 7
Windows Phone 7 Architecture
o Apple iOS
Mobile Forensics
o What a Criminal Can Do with Mobile Phones
o Mobile Forensics
o Mobile Forensics Challenges
o Forensics Information in Mobile Phones
o Memory Considerations in Mobiles
o Subscriber Identity Module (SIM)
o SIM File System
o Integrated Circuit Card Identification (ICCID)
o International Mobile Equipment Identifier (IMEI)
o Electronic Serial Number (ESN)
o Precautions to Be Taken Before Investigation
Mobile Forensics Process
o Mobile Forensics Process
Collect the Evidence
Collecting the Evidence
Points to Remember while Collecting the Evidence
Collecting an iPod/iPhone Connected to a Computer
Document the Scene and Preserve the Evidence
Imaging and Profiling
Acquire the Information
Device Identification
Acquire Data from SIM Cards
Acquire Data from Unobstructed Mobile Devices
Acquire the Data from Obstructed Mobile Devices
Acquire Data from Memory Cards
Acquire Data from Synched Devices
Gather Data from Network Operator
Check Call Data Records (CDRs)
Gather Data from SQLite Record
Analyze the Information
Generate Report
Mobile Forensics Software Tools
o Oxygen Forensic Suite 2011
o MOBILedit! Forensic
o BitPim
o SIM Analyzer
o SIMCon
o SIM Card Data Recovery
o Memory Card Data Recovery
o Device Seizure
o SIM Card Seizure
o ART (Automatic Reporting Tool)
o iPod Data Recovery Software
o Recover My iPod
o PhoneView
o Elcomsoft Blackberry Backup Explorer
o Oxygen Phone Manager II
o Sanmaxi SIM Recoverer
o USIMdetective
o CardRecovery
o Stellar Phoenix iPod Recovery Software
o iCare Data Recovery Software
o Cell Phone Analyzer
o iXAM
o BlackBerry Database Viewer Plus
o BlackBerry Signing Authority Tool
Mobile Forensics Hardware Tools
o Secure View Kit
o Deployable Device Seizure (DDS)
o Paraben's Mobile Field Kit
o PhoneBase
o XACT System
o Logicube CellDEK
o Logicube CellDEK TEK
o RadioTactics ACESO
o UME-36Pro - Universal Memory Exchanger
o Cellebrite UFED System - Universal Forensic Extraction Device
o ZRT 2
o ICD 5200
o ICD 1300
Module 21: Investigative Reports
Computer Forensics Report
o Computer Forensics Report
o Salient Features of a Good Report
o Aspects of a Good Report
Computer Forensics Report Template
o Computer Forensics Report Template
o Simple Format of the Chain of Custody Document
o Chain of Custody Forms
o Evidence Collection Form
o Computer Evidence Worksheet
o Hard Drive Evidence Worksheet
o Removable Media Worksheet
Investigative Report Writing
o Report Classification
o Layout of an Investigative Report
Layout of an Investigative Report: Numbering
o Report Specifications
o Guidelines for Writing a Report
o Use of Supporting Material
o Importance of Consistency
o Investigative Report Format
o Attachments and Appendices
o Include Metadata
o Signature Analysis
o Investigation Procedures
o Collecting Physical and Demonstrative Evidence
o Collecting Testimonial Evidence
o Do's and Don'ts of Computer Forensics Investigations
o Case Report Writing and Documentation
o Create a Report to Attach to the Media Analysis Worksheet
o Best Practices for Investigators
Sample Forensics Report
o Sample Forensics Report
Report Writing Using Tools
o Writing Report Using FTK
o Writing Report Using ProDiscover
Module 22: Becoming an Expert Witness
Expert Witness
o What is an Expert Witness?
o Role of an Expert Witness
o What Makes a Good Expert Witness?
Types of Expert Witnesses
o Types of Expert Witnesses
Computer Forensics Experts
Role of Computer Forensics Expert
Medical & Psychological Experts
Civil Litigation Experts
Construction & Architecture Experts
Criminal Litigation Experts
Scope of Expert Witness Testimony
o Scope of Expert Witness Testimony
o Technical Witness vs. Expert Witness
o Preparing for Testimony
Evidence Processing
o Evidence Preparation and Documentation
o Evidence Processing Steps
o Checklists for Processing Evidence
o Examining Computer Evidence
o Prepare the Report
o Evidence Presentation
Rules for Expert Witness
o Rules Pertaining to an Expert Witness’s Qualification
o Daubert Standard
o Frye Standard
o Importance of Resume
o Testifying in the Court
o The Order of Trial Proceedings
General Ethics While Testifying
o General Ethics While Testifying
o Importance of Graphics in a Testimony
o Helping your Attorney
o Avoiding Testimony Issues
o Testifying during Direct Examination
o Testifying during Cross-Examination
o Deposing
o Recognizing Deposition Problems
o Guidelines to Testifying at a Deposition
o Dealing with Media
o Finding a Computer Forensics Expert