
Course - Computer Hacking Forensic Investigator 2CDs ISO

Torrent Information
Added 18th Jun, 08   76 wks old
Size 797 Mb in 2 files
Description


Computer Hacking Forensic Investigator

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.

Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases. Electronic evidence is critical in the following situations:

• Disloyal employees
• Computer break-ins
• Possession of pornography
• Breach of contract
• Industrial espionage
• E-mail Fraud
• Bankruptcy
• Disputed dismissals
• Web page defacements
• Theft of company documents

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client’s systems, to tracing the originator of defamatory emails, to recovering signs of fraud.

The CHFI course will provide participants with the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute in a court of law.

The CHFI course will benefit:

• Police and other law enforcement personnel
• Defense and Military personnel
• e-Business Security professionals
• Systems administrators
• Legal professionals
• Banking, Insurance and other professionals
• Government agencies
• IT managers




Course Outline

Module I: Computer Forensics in Today's World
• Introduction
• History of Forensics
• Definition of Forensic Science
• Definition of Computer Forensics
• What Is Computer Forensics?
• Need for Computer Forensics
• Evolution of Computer Forensics
• Computer Forensics Flaws and Risks
• Corporate Espionage Statistics
• Modes of Attacks
• Cyber Crime
• Examples of Cyber Crime
• Reason for Cyber Attacks
• Role of Computer Forensics in Tracking Cyber Criminals
• Rules of Computer Forensics
• Computer Forensics Methodologies
• Accessing Computer Forensics Resources
• Preparing for Computing Investigations
• Maintaining professional conduct
• Understanding Enforcement Agency Investigations
• Understanding Corporate Investigations
• Investigation Process
• Digital Forensics

Module II: Law And Computer Forensics
• What Is Cyber Crime?
• What Is Computer Forensics?
• Computer Facilitated Crimes
• Reporting Security Breaches to Law Enforcement
• National Infrastructure Protection Center
• FBI
• Federal Statutes
• Cyber Laws
• Approaches to Formulate Cyber Laws
• Scientific Working Group on Digital Evidence (SWGDE)
• Federal Laws
• The USA Patriot Act of 2001
• Freedom of Information Act
• Building Cyber Crime Case
• How the FBI Investigates Computer Crime?
• How to Initiate an Investigation?
• Legal Issues Involved in Seizure of Computer Equipments
• Searching With a Warrant
• Searching Without a Warrant
• Privacy Issues Involved in Investigations
• International Issues Related to Computer Forensics
• Crime Legislation of EU
• Cyber Crime Investigation

Module III: Computer Investigation Process
• Investigating Computer Crime
• Investigating a Company Policy Violation
• Investigation Methodology
• Evaluating the Case
• Before the Investigation
• Document Everything
• Investigation Plan
• Obtain Search Warrant
• Warning Banners
• Shutdown the Computer
• Collecting the Evidence
• Confiscation of Computer Equipments
• Preserving the Evidence
• Importance of Data-recovery Workstations and Software
• Implementing an Investigation
• Understanding Bit-stream Copies
• Imaging the Evidence Disk
• Examining the Digital Evidence
• Closing the Case
• Case Evaluation

Module IV: Computer Security Incident Response Team
• Present Networking Scenario
• Vulnerability
• Vulnerability Statistics
• What Is an Incident?
• A Study by CERT Shows Alarming Rise in Incidents (Security Breach)
• How to Identify an Incident
• Whom to Report an Incident?
• Incident Reporting
• Category of Incidents
• Handling Incidents
• Procedure for Handling Incident
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow up
• What Is CSIRT?
• Why an Organization Needs an Incident Response Team?
• Need for CSIRT
• Example of CSIRT
• CSIRT Vision
• Vision
• Best Practices for Creating a CSIRT
• Other Response Teams Acronyms and CSIRTs around the world
• World CSIRT

Module V: Computer Forensic Laboratory Requirements
• Budget Allocation for a Forensics Lab
• Physical Location Needs of a Forensic Lab
• Work Area of a Computer Forensics Lab
• General Configuration of a Forensic
• Equipment Needs in a Forensics Lab
• Ambience of a Forensics Lab
• Environmental Conditions
• Recommended Eyestrain Considerations
• Structural Design Considerations
• Electrical Needs
• Communications
• Basic Workstation Requirements in a Forensic Lab
• Consider stocking the following hardware peripherals
• Maintain Operating System and Application Inventories
• Common Terms
• Physical Security Recommendations for a Forensic Lab
• Fire-Suppression Systems
• Evidence Locker Recommendations
• Evidence Locker Combination Recommendations
• Evidence Locker Padlock Recommendations
• Facility Maintenance
• Auditing a Computer Forensics Lab
• Auditing a Forensics Lab
• Forensics Lab
• Mid Sized Lab
• Forensic Lab Licensing Requisite
• Forensic Lab Manager Responsibilities

Module VI: Understanding File systems and Hard disks
Disk Drive Overview - I
Hard Disk
Disk Platter
Tracks
Tracks Numbering
Sector
Sector addressing
Cluster
Cluster Size
Slack Space
Lost Clusters
Bad Sector
Understanding File Systems
Types of File System
List of Disk File Systems
List of Network file systems
Special Purpose File systems
Popular Linux File systems
Sun Solaris 10 File system - ZFS
Windows File systems
Mac OS X File system
CD-ROM / DVD File system
File system Comparison
Boot Sector
Exploring Microsoft File Structures
Disk Partition Concerns
Boot Partition Concerns
Examining FAT
NTFS
NTFS System Files
NTFS Partition Boot Sector
NTFS Master File Table (MFT)
NTFS Attributes
NTFS Data Stream
NTFS Compressed Files
NTFS Encrypted File Systems (EFS)
EFS File Structure
Metadata File Table (MFT)
EFS Recovery Key Agent
Deleting NTFS Files
Understanding Microsoft Boot Tasks
Windows XP system files
Understanding Boot Sequence DOS
Understanding MS-DOS Startup Tasks
Other DOS Operating Systems
Registry Data
Examining Registry Data

Module VII: Windows Forensics
Locating Evidence on Windows Systems
Gathering Volatile Evidence
Pslist
Forensic Tool: fport
Forensic Tool - Psloggedon
Investigating Windows File Slack
Examining File Systems
Built-in Tool: Sigverif
Word Extractor
Checking Registry
Reglite.exe
Tool: Resplendent Registrar 3.30
Microsoft Security ID
Importance of Memory Dump
Manual Memory Dumping in Windows 2000
Memory Dumping in Windows XP and Pmdump
System State Backup
How to Create a System State Backup?
Investigating Internet Traces
Tool - IECookiesView
Tool - IE History Viewer
Forensic Tool: Cache Monitor
CD-ROM Bootable Windows XP
Bart PE
Ultimate Boot CD-ROM
List of Tools in UB CD-ROM
Desktop Utilities
File Analysis Tools
File Management Tools
File Recovery Tools
File Transfer Tools
Hardware Info Tools
Process Viewer Tools
Registry Tools

Module VIII: Linux and Macintosh Boot processes
UNIX Overview
Linux Overview
Understanding Volumes -I
Exploring Unix/Linux Disk Data Structures
Understanding Unix/Linux Boot Process
Understanding Linux Loader
Linux Boot Process Steps
Understanding Permission Modes
Unix and Linux Disk Drives and Partitioning Schemes
Mac OS X
Mac OS X Hidden Files
Booting Mac OS X
Mac OS X Boot Options
The Mac OS X Boot Process
Installing Mac OS X on Windows XP
PearPC
MacQuisition Boot CD

Module IX: Linux Forensics
Use of Linux as a Forensics Tool
Recognizing Partitions in Linux
File System in Linux
Linux Boot Sequence
Linux Forensics
Case Example
Popular Linux Tools

Module X: Data Acquisition and Duplication
Determining the Best Acquisition Methods
Data Recovery Contingencies
MS-DOS Data Acquisition Tools
DriveSpy
DriveSpy Data Manipulation Commands
DriveSpy Data Preservation Commands
Using Windows Data Acquisition Tools
Data Acquisition Tool: AccessData FTK Explorer
FTK
Acquiring Data on Linux
dd.exe (Windows XP Version)
Data Acquisition Tool: Snapback Exact
Data Arrest
Data Acquisition Tool: SafeBack
Data Acquisition Tool: Encase
Need for Data Duplication
Data Duplication Tool: R-drive Image
Data Duplication Tool: DriveLook
Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files
Introduction
Digital Evidence
Recycle Bin in Windows
Recycle Hidden Folder
Recycle folder
How to Undelete a File?
Tool: Search and Recover
Tool: Zero Assumption Digital Image Recovery
Data Recovery in Linux
Data Recovery Tool: E2undel
Data Recovery Tool: O&O Unerase
Data Recovery Tool: Restorer 2000
Data Recovery Tool: Badcopy Pro
Data Recovery Tool: File Scavenger
Data Recovery Tool: Mycroft V3
Data Recovery Tool: PC Parachute
Data Recovery Tool: Stellar Phoenix
Data Recovery Tool: Filesaver
Data Recovery Tool: Virtual Lab
Data Recovery Tool: R-linux
Data recovery tool: Drive and Data Recovery
Data recovery tool: active@ UNERASER - DATA recovery
Data recovery tool: Acronis Recovery Expert
Data Recovery Tool: Restoration
Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics
Introduction to Image Files
Recognizing an Image File
Understanding Bitmap and Vector Images
Metafile Graphics
Understanding Image File Formats
File types
Understanding Data Compression
Understanding Lossless and Lossy Compression
Locating and Recovering Image Files
Repairing Damaged Headers
Reconstructing File Fragments
Identifying Unknown File Formats
Analyzing Image File Headers
Picture Viewer: IrfanView
Picture Viewer: ACDSee
Picture Viewer: ThumbsPlus
Steganography in Image Files
Steganalysis Tool: Hex Workshop
Steganalysis Tool: S-tools
Identifying Copyright Issues With Graphics

Module XIII: Steganography
Introduction
Important Terms in Stego-forensics
Background Information to Image Steganography
Steganography History
Evolution of Steganography
Steps for Hiding Information in Steganography
Six Categories of Steganography in Forensics
Types of Steganography
What Is Watermarking
Classification of Watermarking
Types of Watermarks
Steganographic Detection
Steganographic Attacks
Real World Uses of Steganography
Steganography in the Future
Unethical Use of Steganography
Hiding Information in Text Files
Hiding Information in Image Files
Process of Hiding Information in Image Files
Least Significant Bit
Masking and Filtering
Algorithms and Transformation
Hiding Information in Audio Files
Low-bit Encoding in Audio Files
Phase Coding
Spread Spectrum
Echo Data Hiding
Hiding Information in DNA
TEMPEST
The Steganography Tree
Steganography Tool: Fort Knox
Steganography Tool: Blindside
Steganography Tool: S-Tools
Steganography Tool: Steghide
Steganography Tool: Digital Identity
Steganography Tool: Stegowatch
Tool: Image Hide
Data Stash
Tool: Mp3Stego
Tool: Snow.exe
Tool: Camera/Shy
Steganography Detection

Module XIV: Computer Forensic Tools
Dump Tool: DS2DUMP
Dump Tool: Chaosreader
Slack Space & Data Recovery Tools: Drivespy
Slack Space & Data Recovery Tools: Ontrack
Hard Disk Write Protection Tools: Pdblock
Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock
Permanent Deletion of Files: pdwipe
Disk Imaging Tools: Image & Iximager
Disk Imaging Tools: Snapback Datarrest
Partition Managers: PART & Explore2fs
Linux/UNIX Tools: Ltools and Mtools
Linux/UNIX tools: TCT and TCTUTILs
Password Recovery Tool: @Stake
ASRData
SMART Screenshot
Ftime
Oxygen Phone Manager
Multipurpose Tools: Byte Back & Biaprotect
Multipurpose Tools: Maresware
Multipurpose Tools: LC Technologies Software
Multipurpose Tools: Winhex Specialist Edition
Multipurpose Tools: Prodiscover DFT
Toolkits: NTI tools
Toolkits: R-Tools-I
Toolkits: R-Tools-II
Toolkits: DataLifter
Toolkits: AccessData
LC Technology International Hardware
Screenshot of Forensic Hardware
Image MASSter Solo and FastBloc
RMON2 Tracing Tools and MCI DoStracker
EnCase

Module XV: Application password crackers
Password - Terminology
What is a Password Cracker?
How Does A Password Cracker Work?
Various Password Cracking Methods
Classification of Cracking Software
System Level Password Cracking
Application Password Cracking
Application Software Password Cracker
Distributed Network Attack-I
Distributed Network Attack-II
Passware Kit
Accent Keyword Extractor
Advanced Zip Password Recovery
Default Password Database
http://phenoelit.darklab.org/
http://www.defaultpassword.com/
http://www.cirt.net/cgi-bin/passwd.pl
Password Cracking Tools List

Module XVI: Investigating Logs
Audit Logs and Security
Audit Incidents
Syslog
Remote Logging
Linux Process Accounting
Configuring Windows Logging
Setting up Remote Logging in Windows
NtSyslog
EventReporter
Application Logs
Extended Logging in IIS Server
Examining Intrusion and Security Events
Significance of Synchronized Time
Event Gathering
EventCombMT
Writing Scripts
Event Gathering Tools
Forensic Tool: Fwanalog
End-to-End Forensic Investigation
Correlating Log Files
Investigating TCPDump
IDS Log Analysis: RealSecure
IDS Log Analysis: SNORT

Module XVII: Investigating network traffic
Overview of Network Protocols
Sources of Evidence on a Network
Overview of Physical and Data-link Layer of the OSI Model
Evidence Gathering at the Physical Layer
Tool: Windump
Evidence Gathering at the Data-link Layer
Tool: Ethereal
Tool: NetIntercept
Overview of Network and Transport Layer of the OSI Model
Evidence Gathering at the Network and Transport Layer-(I)
Gathering Evidence on a Network
GPRS Network Sniffer: Nokia LIG
NetWitness
McAfee Infinistream Security Forensics
Snort 2.1.0
Documenting the Gathered Evidence on a Network
Evidence Reconstruction for Investigation

Module XVIII: Router Forensics
What Is a Router?
Functions of a Router
A Router in an OSI Model
Routing Table and Its Components
Router Architecture
Implications of a Router Attack
Types of Router Attacks
Denial of Service (DoS) Attacks
Investigating DoS Attacks
Smurfing Latest in DoS Attacks
Packet Mistreating Attacks
Routing Table Poisoning
Hit-and-run Attacks Vs. Persistent Attacks
Router Forensics Vs. Traditional Forensics
Investigating Routers
Chain of Custody
Incident Response & Session Recording
Accessing the Router
Volatile Evidence Gathering
Router Investigation Steps - I
Analyzing the Intrusion

Module XIX: Investigating Web Attacks
Indications of a web attack
Responding to a web attack
Overview of web logs
Mirrored Sites
N-Stealth
Investigating static and dynamic IP address
Tools for locating IP Address: Nslookup
Tools for locating IP Address: Traceroute
Tools for locating IP Address: NeoTrace (Now McAfee Visual Trace)
Tools for locating IP Address: Whois
Web page defacement
Defacement using DNS compromise
Investigating DNS Poisoning
SQL Injection Attacks
Investigating SQL Injection Attacks
Investigating FTP Servers
Investigating FTP Logs
Investigating IIS Logs
Investigating Apache Logs
Investigating DHCP Server Logfile

Module XX: Tracking E-mails and Investigating E-mail crimes
Understanding Internet Fundamentals
Understanding Internet Protocols
Exploring the Roles of the Client and Server in E-mail
E-mail Crime
Spamming, Mail Bombing, Mail Storm
Chat Rooms
Identity Fraud, Chain Letter
Sending Fakemail
Investigating E-mail Crime and Violation
Viewing E-mail Headers
Examining an E-mail Header
Viewing Header in Microsoft Outlook
Viewing Header in Eudora
Viewing Header in Outlook Express
Viewing Header in AOL
Viewing Header in Hotmail
Viewing Header using Pine for Unix
Viewing Header in Juno
Viewing Header in Yahoo
Examining Additional Files
Microsoft Outlook Mail
Pst File Location
Tracing an E-mail Message
Using Network Logs Related to E-mail
Understanding E-mail Server
Examining UNIX E-mail Server Logs
Examining Microsoft E-mail Server Logs
Examining Novell GroupWise E-mail Logs
Using Specialized E-mail Forensic Tools
Tool: FINALeMAIL
Tool: R-Mail
E-Mail Examiner by Paraben
Network E-Mail Examiner by Paraben
Tracing Back
Tracing Back Web Based E-mail
Searching E-mail Addresses
E-mail Search Site
Handling Spam
Network Abuse Clearing House
Abuse.Net
Protecting Your E-mail Address From Spam
Tool: Enkoder Form
Tool: eMailTrackerPro
Tool: SPAM Punisher

Module XXI: Mobile and PDA Forensics
Latest Mobile Phone Access Technologies
Evidence in Mobile Phones
Mobile Phone Forensic Examination Methodology
Examining Phone Internal Memory
Examining SIM
Examining Flash Memory and Call data records
Personal Digital Assistant (PDA)
PDA Components
PDA Forensics
PDA Forensics - Examination
PDA Forensics - Identification
PDA Forensics - Collection
PDA Forensics - Documentation
Points to Be Remembered While Conducting Investigation
PDA Seizure by Paraben
SIM Card Seizure by Paraben (SIM Card acquisition tool)
Forensic Tool Palm dd (pdd)
Forensic Tool - POSE

Module XXII: Investigating Trademark and Copyright Infringement
Trademarks
Trademark Eligibility and Benefits of Registering It
Service Mark and Trade Dress
Trademark infringement
Trademark Search
www.uspto.gov
Copyright and Copyright Notice
Investigating Copyright Status of a Particular Work
How Long Does a Copyright Last?
U.S. Copyright Office
Doctrine of Fair Use
How Are Copyrights Enforced?
SCO Vs. IBM
SCO Vs Linux
Line-by-Line Copying
Plagiarism
Turnitin
Plagiarism detection tools
CopyCatch
Patent
Patent Infringement
Patent Search
Case Study: Microsoft Vs Forgent
Internet Domain Name and ICANN
Domain Name Infringement
Case Study: Microsoft.com Vs MikeRoweSoft.com
How to check for Domain Name Infringement?

Module XXIII: Investigative Reports
Need of an investigative report
Report specification
Report Classification
Report and Opinion
Layout of an Investigative Report
Writing Report
Use of Supporting Material
Importance of Consistency
Salient Features of a Good Report
Investigative Report Format
Before Writing the Report
Writing Report Using FTK

Module XXIV: Becoming an Expert Witness
Who Is an Expert?
Who Is an Expert Witness?
Role of an Expert Witness
Technical Testimony Vs. Expert Testimony
Preparing for Testimony
Evidence Preparation and Documentation
Evidence Processing Steps
Rules Pertaining to an Expert Witness Qualification
Importance of Curriculum Vitae
Technical Definitions
Testifying in Court
The Order of Trial Proceedings
Voir dire
General Ethics While Testifying-i
Evidence Presentation
Importance of Graphics in a Testimony
Helping Your Attorney
Avoiding Testimony Problems
Testifying During Direct Examination
Testifying During Cross Examination
Deposition
Guidelines to Testify at a Deposition
Dealing With Reporters

Module XXV: Forensics in action
E-mail Hoax
Trade Secret Theft
Operation Cyberslam

http://www.hiltoncomputer.com/training/outlines/CHFI.asp

 

