EC-Council - CHFI (Computer Hacking Forensic Investigator)

Course

In Bangalore

Price on request

Description

  • Type: Course
  • Location: Bangalore
  • Duration: 5 Days

Facilities

Location: Bangalore (Karnātaka)
H.O: # 130, 1st Floor, Dr. Rajkumar Road, 1st Block, Rajajinagar, 560010

Start date: On request


Course programme

EC-Council - CHFI (Computer Hacking Forensic Investigator)

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client's systems, to tracing the originator of defamatory emails, to recovering signs of fraud. The CHFI course will provide participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute in the court of law.

Audience:

Police and other law enforcement personnel, e-business security professionals, system administrators, government agencies and IT managers.

Key Benefits:

The CHFI course will provide participants the necessary skills to identify an intruder's footprints and to properly gather the necessary evidence to prosecute in the court of law.

Course Contents:

Module I: Computer Forensics in Today's World:

* Introduction
* History of Forensics
* Definition of Forensic Science
* Definition of Computer Forensics
* What Is Computer Forensics?
* Need for Computer Forensics
* Evolution of Computer Forensics
* Computer Forensics Flaws and Risks
* Corporate Espionage Statistics
* Modes of Attacks
* Cyber Crime
* Examples of Cyber Crime
* Reason for Cyber Attacks
* Role of Computer Forensics in Tracking Cyber Criminals
* Rules of Computer Forensics
* Computer Forensics Methodologies
* Accessing Computer Forensics Resources
* Preparing for Computing Investigations
* Maintaining Professional Conduct
* Understanding Enforcement Agency Investigations
* Understanding Corporate Investigations
* Investigation Process
* Digital Forensics

Module II: Law And Computer Forensics:

* What Is Cyber Crime?
* What Is Computer Forensics?
* Computer Facilitated Crimes.
* Reporting Security Breaches to Law Enforcement.
* National Infrastructure Protection Center.
* FBI.
* Federal Statutes.
* Cyber Laws.
* Approaches to Formulate Cyber Laws.
* Scientific Working Group on Digital Evidence (SWGDE).
* Federal Laws.
* The USA Patriot Act of 2001.
* Freedom of Information Act.
* Building Cyber Crime Case.
* How the FBI Investigates Computer Crime?
* How to Initiate an Investigation?
* Legal Issues Involved in Seizure of Computer Equipments.
* Searching With a Warrant.
* Searching Without a Warrant.
* Privacy Issues Involved in Investigations.
* International Issues Related to Computer Forensics.
* Crime Legislation of EU.
* Cyber Crime Investigation.

Module III: Computer Investigation Process:

* Investigating Computer Crime
* Investigating a Company Policy Violation
* Investigation Methodology
* Evaluating the Case
* Before the Investigation
* Document Everything
* Investigation Plan
* Obtain Search Warrant
* Warning Banners
* Shutting Down the Computer
* Collecting the Evidence
* Confiscation of Computer Equipment
* Preserving the Evidence
* Importance of Data-recovery Workstations and Software
* Implementing an Investigation
* Understanding Bit-stream Copies
* Imaging the Evidence Disk
* Examining the Digital Evidence
* Closing the Case
* Case Evaluation

Module IV: Computer Security Incident Response Team:

* Present Networking Scenario
* Vulnerability
* Vulnerability Statistics
* What is an Incident?
* A Study by CERT Shows Alarming Rise in Incidents (Security Breaches)
* How to Identify an Incident?
* Whom to Report an Incident To?
* Incident Reporting
* Category of Incidents
* Handling Incidents
* Procedure for Handling Incident
* Preparation
* Identification
* Containment
* Eradication
* Recovery
* Follow up
* What Is CSIRT?
* Why an Organization Needs an Incident Response Team?
* Need for CSIRT
* Example of CSIRT
* CSIRT Vision
* Vision
* Best Practices for Creating a CSIRT
* Step 1: Obtain Management Support and Buy-In
* Step 2: Determine the CSIRT Development Strategy
* Step 3: Gather Relevant Information
* Step 4: Design your CSIRT Vision
* Step 5: Communicate the CSIRT Vision
* Step 6: Begin CSIRT Implementation
* Step 7: Announce the CSIRT
* Other Response Teams Acronyms and CSIRTs around the world
* World CSIRT

Module V: Computer Forensic Laboratory Requirements:

* Budget Allocation for a Forensics Lab
* Physical Location Needs of a Forensics Lab
* Work Area of a Computer Forensics Lab
* General Configuration of a Forensics Lab
* Equipment Needs in a Forensics Lab
* Ambience of a Forensics Lab
* Environmental Conditions
* Recommended Eyestrain Considerations
* Structural Design Considerations
* Electrical Needs
* Communications
* Basic Workstation Requirements in a Forensics Lab
* Hardware Peripherals to Consider Stocking
* Maintaining Operating System and Application Inventories
* Common Terms
* Physical Security Recommendations for a Forensics Lab
* Fire-Suppression Systems
* Evidence Locker Recommendations
* Evidence Locker Combination Recommendations
* Evidence Locker Padlock Recommendations
* Facility Maintenance
* Auditing a Computer Forensics Lab
* Auditing a Forensics Lab
* Forensics Lab
* Mid-Sized Lab
* Forensics Lab Licensing Requisites
* Forensics Lab Manager Responsibilities

Module VI: Understanding File Systems and Hard Disks:

* Disk Drive Overview - I
* Hard Disk
* Disk Platter
* Tracks
* Track Numbering
* Sector
* Sector Addressing
* Cluster
* Cluster Size
* Slack Space
* Lost Clusters
* Bad Sector
* Understanding File Systems
* Types of File Systems
* List of Disk File Systems
* List of Network File Systems
* Special Purpose File Systems
* Popular Linux File Systems
* Sun Solaris 10 File System - ZFS
* Windows File Systems
* Mac OS X File System
* CD-ROM / DVD File System
* File System Comparison
* Boot Sector
* Exploring Microsoft File Structures
* Disk Partition Concerns
* Boot Partition Concerns
* Examining FAT
* NTFS
* NTFS System Files
* NTFS Partition Boot Sector
* NTFS Master File Table (MFT)
* NTFS Attributes
* NTFS Data Stream
* NTFS Compressed Files
* NTFS Encrypting File System (EFS)
* EFS File Structure
* Metadata File Table (MFT)
* EFS Recovery Key Agent
* Deleting NTFS Files
* Understanding Microsoft Boot Tasks
* Windows XP System Files
* Understanding the DOS Boot Sequence
* Understanding MS-DOS Startup Tasks
* Other DOS Operating Systems
* Registry Data
* Examining Registry Data

Module VII: Windows Forensics:

* Locating Evidence on Windows Systems
* Gathering Volatile Evidence
* Pslist
* Forensic Tool: fport
* Forensic Tool: PsLoggedOn
* Investigating Windows File Slack
* Examining File Systems
* Built-in Tool: Sigverif
* Word Extractor
* Checking Registry
* Reglite.exe
* Tool: Resplendent Registrar 3.30
* Microsoft Security ID
* Importance of Memory Dump
* Manual Memory Dumping in Windows 2000
* Memory Dumping in Windows XP and Pmdump
* System State Backup
* How to Create a System State Backup?
* Investigating Internet Traces
* Tool: IECookiesView
* Tool: IE History Viewer
* Forensic Tool: Cache Monitor
* CD-ROM Bootable Windows XP
* Bart PE
* Ultimate Boot CD-ROM
* List of Tools in UB CD-ROM
* Desktop Utilities
* File Analysis Tools
* File Management Tools
* File Recovery Tools
* File Transfer Tools
* Hardware Info Tools
* Process Viewer Tools
* Registry Tools

Module VIII: Linux and Macintosh Boot Processes:

* UNIX Overview
* Linux Overview
* Understanding Volumes - I
* Exploring Unix/Linux Disk Data Structures
* Understanding the Unix/Linux Boot Process
* Understanding Linux Loader
* Linux Boot Process Steps
* Step 1: The Boot Manager
* Step 2: init
* Step 2.1: /etc/inittab
* Runlevels
* Step 3: Services
* Understanding Permission Modes
* Unix and Linux Disk Drives and Partitioning Schemes
* Mac OS X
* Mac OS X Hidden Files
* Booting Mac OS X
* Mac OS X Boot Options
* The Mac OS X Boot Process
* Installing Mac OS X on Windows XP
* PearPC
* MacQuisition Boot CD

Module IX: Linux Forensics:

* Use of Linux as a Forensics Tool
* Recognizing Partitions in Linux
* File System in Linux
* Linux Boot Sequence
* Linux Forensics
* Case Example
* Step-by-step approach to Case 1 (a)
* Step-by-step approach to Case 1 (b)
* Step-by-step approach to Case 1 (c)
* Step-by-step approach to Case 1 (d)
* Case 2
* Challenges in Disk Forensics with Linux
* Step-by-step approach to Case 2 (a)
* Step-by-step approach to Case 2 (b)
* Step-by-step approach to Case 2 (c)
* Popular Linux Tools

Module X: Data Acquisition and Duplication:

* Determining the Best Acquisition Methods
* Data Recovery Contingencies
* MS-DOS Data Acquisition Tools
* DriveSpy
* DriveSpy Data Manipulation Commands
* DriveSpy Data Preservation Commands
* Using Windows Data Acquisition Tools
* Data Acquisition Tool: AccessData FTK Explorer
* FTK
* Acquiring Data on Linux
* dd.exe (Windows XP Version)
* Data Acquisition Tool: SnapBack Exact
* Data Acquisition Tool: SnapBack DatArrest
* Data Acquisition Tool: SafeBack
* Data Acquisition Tool: EnCase
* Need for Data Duplication
* Data Duplication Tool: R-Drive Image
* Data Duplication Tool: DriveLook
* Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files:

* Introduction
* Digital Evidence
* Recycle Bin in Windows
* Recycler Hidden Folder
* Recycler Folder
* How to Un-delete a File?
* Tool: Search and Recover
* Tool: Zero Assumption Digital Image Recovery
* Data Recovery in Linux
* Data Recovery Tool: E2undel
* Data Recovery Tool: O&O Unerase
* Data Recovery Tool: Restorer 2000
* Data Recovery Tool: Badcopy Pro
* Data Recovery Tool: File Scavenger
* Data Recovery Tool: Mycroft V3
* Data Recovery Tool: PC Parachute
* Data Recovery Tool: Stellar Phoenix
* Data Recovery Tool: Filesaver
* Data Recovery Tool: Virtual Lab
* Data Recovery Tool: R-linux
* Data Recovery Tool: Drive and Data Recovery
* Data Recovery Tool: Active@ UNERASER - Data Recovery
* Data Recovery Tool: Acronis Recovery Expert
* Data Recovery Tool: Restoration
* Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics:

* Introduction to Image Files
* Recognizing an Image File
* Understanding Bitmap and Vector Images
* Metafile Graphics
* Understanding Image File Formats
* File types
* Understanding Data Compression
* Understanding Lossless and Lossy Compression
* Locating and Recovering Image Files
* Repairing Damaged Headers
* Reconstructing File Fragments
* Identifying Unknown File Formats
* Analyzing Image File Headers
* Picture Viewer: IrfanView
* Picture Viewer: ACDSee
* Picture Viewer: ThumbsPlus
* Steganography in Image Files
* Steganalysis Tool: Hex Workshop
* Steganalysis Tool: S-tools
* Identifying Copyright Issues With Graphics

Module XIII: Steganography:

* Introduction
* Important Terms in Stego-forensics
* Background Information to Image Steganography
* Steganography History
* Evolution of Steganography
* Steps for Hiding Information in Steganography
* Six Categories of Steganography in Forensics
* Types of Steganography
* What Is Watermarking?
* Classification of Watermarking
* Types of Watermarks
* Steganographic Detection
* Steganographic Attacks
* Real World Uses of Steganography
* Steganography in the Future
* Unethical Use of Steganography
* Hiding Information in Text Files
* Hiding Information in Image Files
* Process of Hiding Information in Image Files
* Least Significant Bit
* Masking and Filtering
* Algorithms and Transformation
* Hiding Information in Audio Files
* Low-bit Encoding in Audio Files
* Phase Coding
* Spread Spectrum
* Echo Data Hiding
* Hiding Information in DNA
* TEMPEST
* The Steganography Tree
* Steganography Tool: Fort Knox
* Steganography Tool: Blindside
* Steganography Tool: S-Tools
* Steganography Tool: Steghide
* Steganography Tool: Digital Identity
* Steganography Tool: Stegowatch
* Tool: Image Hide
* Tool: Data Stash
* Tool: Mp3Stego
* Tool: Snow.exe
* Tool: Camera/Shy
* Steganography Detection

Module XIV: Computer Forensic Tools:

* Dump Tool: DS2DUMP
* Dump Tool: Chaosreader
* Slack Space & Data Recovery Tool: DriveSpy
* Slack Space & Data Recovery Tool: Ontrack
* Hard Disk Write Protection Tool: PDBlock
* Hard Disk Write Protection Tools: NoWrite & FireWire DriveDock
* Permanent Deletion of Files: PDWipe
* Disk Imaging Tools: Image & IXimager
* Disk Imaging Tool: SnapBack DatArrest
* Partition Managers: PART & Explore2fs
* Linux/UNIX Tools: LTools and MTools
* Linux/UNIX Tools: TCT and TCTUTILs
* Password Recovery Tool: @Stake
* ASRData
* SMART Screenshot
* Ftime
* Oxygen Phone Manager
* Multipurpose Tools: Byte Back & Biaprotect
* Multipurpose Tools: Maresware
* Multipurpose Tools: LC Technologies Software
* Multipurpose Tools: WinHex Specialist Edition
* Multipurpose Tools: ProDiscover DFT
* Toolkits: NTI tools
* Toolkits: R-Tools-I
* Toolkits: R-Tools-II
* Toolkits: DataLifter
* Toolkits: AccessData
* LC Technology International Hardware
* Screenshot of Forensic Hardware
* Image MASSter Solo and FastBloc
* RMON2 Tracing Tools and MCI DoSTracker
* EnCase

Module XV: Application Password Crackers:

* Password - Terminology
* What is a Password Cracker?
* How Does a Password Cracker Work?
* Various Password Cracking Methods
* Classification of Cracking Software
* System Level Password Cracking
* Application Password Cracking
* Application Software Password Cracker
* Distributed Network Attack - I
* Distributed Network Attack - II
* Passware Kit
* Accent Keyword Extractor
* Advanced Zip Password Recovery
* Default Password Database
* http://phenoelit.darklab.org/
* http://www.defaultpassword.com/
* http://www.cirt.net/cgi-bin/passwd.pl
* Password Cracking Tools List

Module XVI: Investigating Logs:

* Audit Logs and Security
* Audit Incidents
* Syslog
* Remote Logging
* Linux Process Accounting
* Configuring Windows Logging
* Setting up Remote Logging in Windows
* NtSyslog
* EventReporter
* Application Logs
* Extended Logging in IIS Server
* Examining Intrusion and Security Events
* Significance of Synchronized Time
* Event Gathering
* EventCombMT
* Writing Scripts
* Event Gathering Tools
* Forensic Tool: Fwanalog
* End-to-End Forensic Investigation
* Correlating Log Files
* Investigating TCPDump
* IDS Log Analysis: RealSecure
* IDS Log Analysis: Snort

Module XVII: Investigating Network Traffic:

* Overview of Network Protocols
* Sources of Evidence on a Network
* Overview of Physical and Data-link Layer of the OSI Model
* Evidence Gathering at the Physical Layer
* Tool: WinDump
* Evidence Gathering at the Data-link Layer
* Tool: Ethereal
* Tool: NetIntercept
* Overview of Network and Transport Layer of the OSI Model
* Evidence Gathering at the Network and Transport Layer - I
* Gathering Evidence on a Network
* GPRS Network Sniffer: Nokia LIG
* NetWitness
* McAfee InfiniStream Security Forensics
* Snort 2.1.0
* Documenting the Gathered Evidence on a Network
* Evidence Reconstruction for Investigation

Module XVIII: Router Forensics:

* What Is a Router?
* Functions of a Router
* A Router in an OSI Model
* Routing Table and its Components
* Router Architecture
* Implications of a Router Attack
* Types of Router Attacks
* Denial of Service (DoS) Attacks
* Investigating DoS Attacks
* Smurfing - Latest in DoS Attacks
* Packet "Mistreating" Attacks
* Routing Table Poisoning
* Hit-and-run Attacks vs. Persistent Attacks
* Router Forensics vs. Traditional Forensics
* Investigating Routers
* Chain of Custody
* Incident Response & Session Recording
* Accessing the Router
* Volatile Evidence Gathering
* Router Investigation Steps - I
* Analyzing the Intrusion
* Logging
* Incident Forensics
* Handling a Direct Compromise Incident
* Other Incidents

Module XIX: Investigating Web Attacks:

* Indications of a Web Attack
* Responding to a Web Attack
* Overview of Web Logs
* Mirrored Sites
* N-Stealth
* Investigating Static and Dynamic IP Addresses
* Tools for Locating IP Addresses: Nslookup
* Tools for Locating IP Addresses: Traceroute
