CHFI Training CBT Boot Camp: EC-Council Computer Hacking Forensic Investigator

CA-CHFI
AUD $1395




Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. This course will prepare you to pass the EC0 312-49 exam and achieve Computer Hacking Forensics Investigator (CHFI) certification.

Career Academy is an EC-Council endorsed training provider. We have invited the best security trainers in the industry to help us develop the ultimate training and certification program, which includes everything you will need to fully prepare for and pass your certification exams. This officially endorsed product gives our students access to the exam by providing you with a Voucher Number. The EC-Council Voucher Number can be used at any Prometric center; it is mandatory for scheduling and paying for your exam. Without this voucher number Prometric will not entertain any of your requests to schedule and take the exam. Note: The cost of the exam is not included in this package.

Expert Trainer

Wayne Burke - CEH, EC-Council Master Certified Instructor
Wayne Burke, Founder and CIO of SecureIA, is a captain of a global operating group of penetration testers and security experts. Wayne and his group have delivered assignments and customized training for Law Enforcement, Police, various Military Units, NSA, FBI, EPA and similar government bodies from South America, Africa, Philippines, Singapore, Malaysia and numerous Gulf locations, to name a few from around the world. His office has become his next 12-hour international flight.

In Europe he works for numerous government agencies, corporate institutes and the military. Wayne is the creator of many popular security training tracks and has built the Certified Penetration Testing series. Wayne has had considerable IT Security experience in the fields of: Penetration Testing aka Ethical Hacking, Digital Forensics and Wireless Technologies.

His experience in the public / defense sectors is equally complemented by assignments undertaken for heavyweight world-renowned corporations including Yahoo, Xerox, AT&T and Texas Instruments, to name but a few. He is eminently qualified in his field in that he holds a string of professional qualifications in Networking (MCT, MCSE, Cisco, Network+, to name a few) and IT Security (CIW Security Analyst, Security+, CEI, CEH, CPTE, CDFI, CPTM), besides a bachelor's degree in science.

Course Features:

* Main Menu
Move through hours of in-depth content - quickly and easily due to the efficient and organized structure.
* PowerPoint
Utilizing PowerPoint presentations enhances the delivery by displaying a variety of visual information to the user. This type of representation allows the user to better interpret the material through charts, definitions, graphs, and more...
* Controls
Move forward, back, and repeat entire topics or just a section. A progress bar illuminates as you advance through exercises.
* Full Motion Video
All courses feature full-motion videos of instructors teaching the information as if they are speaking directly to you. Our unique delivery simulates a one-on-one classroom environment creating a more personal lesson and learning experience.
* Study Guides
Printable study guides for the entire course are available. This allows all material to be viewed, reviewed, and printed for viewing at a later date.
* Review Exercises
Each section has a review quiz to aid in the learning process by validating the comprehension of the material covered before moving on to a new section.
* Resume
All courses resume where you left off in your last session, allowing you to learn when it is convenient for you without the hassle of remembering where you were.
* Live Demonstrations
Demonstrations are a way for the instructor to show and tell the user how to perform a task by actually doing it on screen in front of them. In this format it gives the user the power to see things done by a professional in the intended environment as many times as they would like.
* Certificate of Completion
Career Academy is recognized worldwide for its technology-based IT training curriculums. Upon successful completion of our program, you will be receiving a Career Academy Distance Education Certificate of Completion.

Course Outline

Course Introduction
Course Introduction
Module 01 - Computer Forensics in Today's World
Computer Forensics in Today's World
Scenario
Demo - Introduction to IAAC Website
Forensic Science
Computer Forensics
Security Incident Report
Demo - Security Research Studies
Aspects of Organizational Security
Evolution of Computer Forensics
Objectives of Computer Forensics
Need for Computer Forensics
Benefits of Forensic Readiness
Goals of Forensic Readiness
Forensic Readiness Planning
Cyber Crime
Computer Facilitated Crimes
Modes of Attack
Examples of Cyber Crime
Types of Computer Crimes
How Serious Were Different Types of Incidents
Time Spent Responding to the Security Incident
Cyber Crime Investigation
Key Steps in Forensic Investigation
Demo - Crime Scene Processing
Rules of Forensic Investigation
Need for Forensic Investigation
Role of Forensics Investigation
Accessing Computer Forensic Resources
Role of Digital Evidence
Understanding Corporate Investigations
Approach to Forensic Investigation: A Case Study
When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
Where and When Do You Use Computer Forensics
Enterprise Theory of Investigation (ETI)
Demo - FBI ETI Model
Legal Issues
Reporting the Results
Module 01 - Review
Module 02 - Computer Forensics Investigation Process
Computer Forensics Investigation Process
Investigating Computer Crime
Before the Investigation
Build a Forensics Workstation
Building Investigation Team
People Involved in Computer Forensics
Review Policies and Laws
Demo - CyberCrime.gov Website Review
Demo - Extra Cyber Crime Resources
Forensics Laws
Notify Decision Makers and Acquire Authorization
Demo - Legal Resources
Risk Assessment
Build a Computer Investigation Toolkit
Demo - Forensics Toolkit of Documentation
Computer Forensics Investigation Methodology
Demo - DOJ Forensics Flow Chart
Steps to Prepare for a Computer Forensic Investigation
Obtain a Search Warrant
Searches Without a Warrant
Evaluate and Secure the Scene
Forensic Photography
Gather the Preliminary Information at Scene
First Responder
Demo - First Responder Guides
Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence
Guidelines in Acquiring Evidence
Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
Demo - Chain of Custody
Original Evidence
Duplicate the Data (Imaging)
Verify Image Integrity
Recover Lost or Deleted Data
Analyze the Data
Data Analysis
Data Analysis Tools
Assess Evidence and Case
Evidence Assessment
Case Assessment
Processing Location Assessment
Best Practices
Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report
Demo - Forensics Report Example
Testify in Court as an Expert Witness
Demo - Extra Reading "A Hypothesis-Based Approach to Digital Forensic Investigations"
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers
Module 02 - Review
Module 03 - Searching and Seizing Computers
Searching and Seizing Computers
News Overview
Searching and Seizing Computers without a Warrant
Demo - DOJ Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations
A: Fourth Amendment's Reasonable Expectation of Privacy in Cases Involving Computers: General Principles
A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
A.3: Reasonable Expectation of Privacy and Third-Party Possession
A.4: Private Searches
A.5 Use of Technology to Obtain Information
B: Exceptions to the Warrant Requirement in Cases Involving Computers
B.1: Consent
B.1.a: Scope of Consent
B.1.b: Third-Party Consent
B.1.c: Implied Consent
B.3: Plain View
B.5: Inventory Searches
B.6: Border Searches
B.7: International Issues
C: Special Case: Workplace Searches
C.2: Public-Sector Workplace Searches
Searching and Seizing Computers with a Warrant
Successful Search With A Warrant
A.1: Basic Strategies for Executing Computer Searches
A.1.a: When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime
A.2: The Privacy Protection Act
A.2.a: The Terms of the Privacy Protection Act
A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
A.7: Privileged Documents
B: Drafting the Warrant and Affidavit
B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the Things to be Seized
B.2: Establish Probable Cause in the Affidavit
B.3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy
C: Post-Seizure Issues
C.1: Searching Computers Already in Law Enforcement Custody
C.2: The Permissible Time Period For Examining Seized Computers
C.3: Rule 41(e) Motions for Return of Property
Demo - Legal Extra Reading
The Electronic Communications Privacy Act
B. Classifying Types of Information Held by Service Providers
E. Working with Network Providers
Electronic Surveillance in Communications Networks
A. Content vs. Addressing Information
B. The Pen/Trap Statute, 18 U.S.C. 3121-3127
EVIDENCE
A. Authentication
B. Hearsay
C. Other Issues
Module 03 - Review
Module 04 - Digital Evidence
Digital Evidence
Definition of Digital Evidence
Increasing Awareness of Digital Evidence
Challenging Aspects of Digital Evidence
The Role of Digital Evidence
Characteristics of Digital Evidence
Fragility of Digital Evidence
Types of Digital Data
Demo - Binary and Hex Basics
Rules of Evidence
Best Evidence Rule
Demo - Best Evidence
Federal Rules of Evidence
International Organization on Computer Evidence (IOCE)
IOCE International Principles for Digital Evidence
Scientific Working Group on Digital Evidence (SWGDE)
SWGDE Standards for the Exchange of Digital Evidence
Electronic Devices: Types and Collecting Potential Evidence
Evidence Assessment
Prepare for Evidence Acquisition
Preparation for Searches
Seizing the Evidence
Imaging
Bit-Stream Copies
Demo - Extra Bit-Stream Example Cases
Write Protection
Demo - Hardware Write Blocker Example
Evidence Acquisition
Evidence Acquisition from Crime Location
Acquiring Evidence from Storage Devices
Collecting the Evidence
Collecting Evidence from RAM
Demo - Freezing RAM to Extract Encryption Keys
Collecting Evidence from Stand-alone Network Computer
Chain of Custody
Preserving Digital Evidence: Checklist
Preserving Floppy and Other Removable Media
Handling Digital Evidence
Store and Archive
Digital Evidence Findings
Evidence Examination and Analysis
Evidence Examination
Physical Extraction
Logical Extraction
Analyze Host Data
Analyze Storage Media
Analyze Network Data
Analysis of Extracted Data
Timeframe Analysis
Data Hiding Analysis
Application and File Analysis
Ownership and Possession
Documenting the Evidence
Evidence Examiner Report
Final Report of Findings
Demo - Evidence Worksheet
Electronic Crime and Digital Evidence Consideration by Crime Category
Module 04 - Review
Module 05 - First Responder Procedures
First Responder Procedures
Electronic Evidence
First Responder Overview
Great PDF Guide
Demo - First Responders Guide
Demo - PDA and Mobile Take Note
Roles of First Responder
First Responder Toolkit
Creating a First Responder Toolkit
Evidence Collecting Tools and Equipment
First Response Rule
Incident Response: Different Situations
First Response for System Administrators
First Response by Non-Laboratory Staff
First Response by Laboratory Forensic Staff
Securing and Evaluating Electronic Crime Scene: A Check-list
Planning the Search and Seizure
Initial Search of the Scene
Health and Safety Issues
Consent
Witness Signatures
Conducting Preliminary Interviews
Conducting Initial Interviews
Documenting Electronic Incident Scene
Collecting and Preserving Electronic Evidence
Order of Volatility
Dealing with Powered OFF Computers at Seizure Time
Dealing with Powered ON Computers
Demo - Power State and Review
Dealing with Networked Computer
Operating System Shutdown Procedure
Seizing Portable Computers
Switched ON Portables
Evidence Bag Contents List
Packaging Electronic Evidence
Exhibit Numbering
Transporting Electronic Evidence
Handling and Transportation to the Forensics Laboratory
Chain of Custody
Demo - Documentation
Module 05 - Review
Module 06 - Incident Handling
Incident Handling
What is an Incident
Security Incidents
Category of Incidents
Category of Incidents: Low Level
Category of Incidents: Mid Level
Category of Incidents: High Level
Issues in Present Security Scenario
How to Identify an Incident
How to Prevent an Incident
Defining the Relationship between Incident Response, Incident Handling, and Incident Management
Incident Management
Threat Analysis and Assessment
Vulnerability Analysis
Estimating Cost of an Incident
Change Control
Incident Reporting
Demo - Incident Handling Report Form
Whom to Report an Incident
Report a Privacy or Security Violation
Demo - Preliminary Info Sec Incident Reporting
Why Don't Organizations Report Computer Crimes
Responding to a Security Incident
Demo - Incident Response Documentation
Incident Response Policy
Roles and Responsibilities of SSM, ISSM, and ISSO
Contingency/Continuity of Operations Planning
Handling Incidents
Procedure for Handling Incident
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-up
Post-Incident Activity
Education, Training, and Awareness
Demo - User Awareness Training
Procedural and Technical Countermeasures
Vulnerability Resources
What is CSIRT
CSIRT: Goals and Strategy
Motivation Behind CSIRTs
Global Incident Response Teams
Staffing your Computer Security Incident Response Team: What are the Basic Skills Needed
Team Models
Delegation of Authority
CSIRT Services Can Be Grouped into Three Categories
CSIRT Case Classification
Types of Incidents and Level of Support
Service Description Attributes
Incident Specific Procedures-I (Virus and Worm Incidents)
Incident Specific Procedures-II (Hacker Incidents)
Incident Specific Procedures-III (Social Incidents, Physical Incidents)
How CSIRT Handles Case: Steps
Best Practices for Creating a CSIRT
Limits to Effectiveness in CSIRTs
Module 06 - Review
Module 07 - Computer Forensics Lab
Computer Forensics Lab
Demo - Modules Resources
Planning for a Forensics Lab
Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensic Lab
Structural Design Considerations
Environmental Conditions
Electrical Needs
Communication Needs
Work Area of a Computer Forensic Lab
Ambience of a Forensic Lab
Ambience of a Forensic Lab: Ergonomics
Physical Security Recommendations
Fire-Suppression Systems
Demo - FSSA Website
Evidence Locker Recommendations
Demo - Storage Lockers
Computer Forensic Investigator
Demo - Forensics Certification Exams and Bodies
Forensic Lab Licensing Requisite
Demo - Forensics Legal Requirements Resource
Features of the Laboratory Imaging System
Demo - Eraser
Technical Specification of the Laboratory-based Imaging System
Forensics Lab
Auditing a Computer Forensic Lab
Recommendations to Avoid Eyestrain
Computer Forensic Labs, Inc.
Data Destruction Industry Standards
Demo - Data Destruction with Eraser Free Tool
Demo - DBan Secure Erase
Example Hardware Essential in a Forensics Lab
Forensic Workstations
Basic Workstation Requirements in a Forensic Lab
Stocking the Hardware Peripherals
Demo - Paraben Forensics Webstore Products
Demo - Image Master Product Line Store
Demo - Logicube.com Website
Requirements for a Forensics Lab
Basic Software Requirements in a Forensic Lab
Maintain Operating System and Application Inventories
Demo - A Forensics Software Requirements Intro
Demo - CAINE Computer Aided Investigative Environment Live CD
Demo - Opening a WinXP VirtualMachine Using Vmware Workstation
Demo - 7 Zip Compression
Demo - Unzipping a file with either Zip Genius or 7 Zip
Demo - Nlite Custom Windows Install Deploy
Demo - BackTrack 101
Demo - Live Forensics
Module 07 Review
Module 08 - Understanding Hard Disks and File Systems
Understanding Hard Disks and File Systems
Disk Drive Overview - I
Disk Drive Overview - II
Physical Structure of Hard Disk
Logical Structure of Hard Disk
Types of Hard Disk Interfaces
Types of Hard Disk Interfaces: SCSI
Types of Hard Disk Interfaces: IDE/EIDE
FireWire vs. USB
Types of Hard Disk Interfaces: ATA
Types of Hard Disk Interfaces: Fibre Channel
Disk Platter
Tracks
Track Numbering
Sector
Sector Addressing
Cluster
Cluster Size
Slack Space
Lost Clusters
Bad Sector
Disk Capacity Calculation
Measuring the Performance of Hard Disk
Disk Partitions
Master Boot Record
Windows XP System Files
Windows Boot Process (XP/2003)
Demo - Boot Process
Bootdisk.com
File Systems
Understanding File Systems
Types of File Systems
List of Disk File Systems
List of Network File Systems
List of Special Purpose File Systems
Popular Linux File Systems
Sun Solaris 10 File System: ZFS
Mac OS X File System
Windows File Systems
CD-ROM / DVD File System
Comparison of File Systems
FAT32
FAT
FAT Structure
FAT32 cont.
NTFS
NTFS Architecture
NTFS System Files
NTFS Partition Boot Sector
NTFS Master File Table (MFT)
NTFS Metadata File Table (MFT)
Cluster Sizes of NTFS Volume
NTFS Files and Data Storage
NTFS Attributes-I
NTFS Attributes-II
NTFS Data Stream-I
NTFS Data Stream-II
Demo - Alternate Data Streams
Demo - LADS
NTFS Compressed Files
NTFS Encrypted File Systems (EFS)
EFS File Structure
EFS Recovery Key Agent-I
EFS Recovery Key Agent -II
EFS Key
Deleting NTFS Files
Registry Data-I
Registry Data-II
Registry Data-III
Examining Registry Data
FAT vs. NTFS
Demo - FAT vs NTFS
Ext2
Ext3
HFS
CDFS
RAID Storage System
RAID Levels
Demo - RAID
Recover Data from Unallocated Space Using File Carving Process
Evidor
WinHex
Logicube Tools
Logicube: CloneCard Pro
ImageMASSter: ImageMASSter 4008i
eDR Solutions: Hard Disk Crusher
Demo - Mac Match
Module 08 - Review
Module 09 - Digital Media Devices
Digital Media Devices
Magnetic Tape
Floppy Disk
Compact Disk
CD-ROM
DVD
DVD-R, DVD+R, and DVD+R(W)
DVD-RW, DVD+RW
DVD Differences
DVD+R DL/ DVD-R DL/ DVD-RAM
Blu-Ray
Network Attached Storage (NAS)
iPod
Zune
Flash Memory Cards
Secure Digital (SD) Memory Card
Secure Digital High Capacity (SDHC) Card
Secure Digital Input Output (SDIO) Card
Secure Digital Input Output (SDIO)
Compact Flash (CF) Memory Card
Memory Stick (MS) Memory Card
Multi Media Memory Card (MMC)
xD-Picture Card (xD)
SmartMedia Memory (SM) Card
Solid-State Drive (SSD)
Tape Libraries and Autoloaders
WD VelociRaptor
Hybrid Hard Drive
Holographic Data Storage
ExpressCard
USB Flash Drives
Demo - USB Deview
NOR / NAND Flash
E-ball Futuristic Computer
Different Models of Digital Devices
Different Types of Pocket Hard Drives
Different Types of Network-Attached Storage Devices
Different Types of Digital Camera Devices
Different Types of Digital Video Cameras
Different Types of Mobile Devices
Mobile Devices in the Future
Module 09 - Review
Module 10 - CD/DVD Forensics
CD/DVD Forensics
SID Code
Pre-Requisite for CD/DVD Forensics
Steps for CD Forensics
Collect the CD/DVD Evidence
Precautions while Collecting the Evidence
Document the Scene
Preserve the Evidence
Create an Image of a CD/DVD
Recover Data from Damaged or Corrupted CDs/DVDs
Data Analysis
Identify Pirated CD/DVDs
Original and Pirated CD/DVDs
CD/DVD Imaging Tools
CD/DVD Data Recovery Tools
CD & DVD Data Recovery Services
Module 10 - Review
Module 11 - Windows Linux Macintosh Boot Process
Windows Linux Macintosh Boot Process
Terminologies
Boot Loader
Boot Sector
Anatomy of MBR
Windows Boot Sequence
Linux Boot Sequence
Macintosh Boot Sequence
Windows XP Boot Process
Windows Vista Boot Sequence
Vista Boot Process
Linux Boot Process
Common Startup Files in UNIX
List of Important Directories in UNIX
Linux Boot Process cont.
Linux Boot Process Steps
Step 1: The Boot Manager
GRUB: Boot Loader
Step 2: init
Step 2.1: /etc/inittab
Runlevels
The Run Level Scripts
How Processes in Run Level Starts
Run Level Actions
Step 3: Services
Step 4: More inittab
Operating Modes
Macintosh Boot Process
Mac OS X
Mac OS X Hidden Files
Booting Mac OS X (Supported on Non-Intel Macs)
Screenshot
Mac OS X Boot Options
The Mac OS X Boot Process
Module 11 - Review
Module 12 - Windows Forensics I
Windows Forensics I
Volatile Information
Demo - Volatile Information
Non-Volatile Information
Module Overview
System Time
Demo - System Time
Demo - Uptime
Logged-On-Users
Open Files
Demo - Open Files
Net File Command
Psfile Tool
Openfiles Command
NetBIOS Name Table Cache
Network Connections
Netstat with -ano Switch: Screenshot
Netstat with the -r Switch: Screenshot
Demo - Networking Command Line Tools
Process Information
Tlist Tool
Tasklist Command
Tasklist with the /v Switch: Screenshot
Pslist Tool
Listdlls Tool
Handle Tool
Demo - Process Explorer
Process-to-Port Mapping
Netstat Command
Fport Tool
Openports Tool
Network Status
Ipconfig Command
Demo - TCP View
Demo - IP2
Promiscdetect Tool
Promqry Tool
Other Important Information
Demo - System Information
Collecting Nonvolatile Information
Examining File Systems
Registry Settings
Microsoft Security ID
Event Logs
Index.dat File
Vista Index.dat Location
Demo - Index.dat File
Text View of an Index.dat File
Devices and Other Information
Demo - PS Tools
Demo - Agile
DevCon Screenshot
Slack Space
Slack Space Information Collection
Virtual Memory
Tool: DriveSpy
Swap File
Windows Search Index
Tool: Search Index Examiner
Collecting Hidden Partition Information
Hidden ADS Streams
Windows Memory Analysis
Importance of Memory Dump
EProcess Structure
Process Creation Mechanism
Parsing Memory Contents
Demo - Parsing Memory Contents
Collecting Process Memory
Windows Registry Analysis
Registry Contents
Demo - Windows Registry Editors Overview
Registry Structure within a Hive File
Registry Analysis
System Information
Time Zone Information
Shares
Audit Policy
Demo - Win Audit
Demo - Audit Policy
Wireless SSIDs
Autostart Locations
Demo - System Config Utility
System Boot
User Login
User Activity
Enumerating Autostart Registry Locations
USB Removable Storage Devices
Mounted Devices
Finding Users
Tracking User Activity
The UserAssist Keys
MRU Lists
Search Assistant
Connecting to Other Systems
Analyzing Restore Point Registry Settings
Demo - Using System Restore
Determining the Startup Locations
Demo - Finding Auto Run Using Regedt32
Cache, Cookie and History Analysis
Cache, Cookie and History Analysis in IE
Demo - IE Analysis
Cache, Cookie and History Analysis in Firefox/Netscape
Browsing Analysis Tool: Pasco
Tool - IE Cache View
Forensic Tool: Cache Monitor
IE Cookie Analysis
Tool - IECookiesView
Tool - IE Sniffer
MD5 Calculation
MD5 Algorithm
MD5 Pseudocode
MD5 Generator: Chaos MD5
Demo - Hashing
Secure Hash Signature Generator
Windows File Analysis
Recycle Bin
System Restore Points
Prefetch Files
Shortcut Files
Searching with Event Viewer
Word Documents
PDF Documents
Image Files
File Signature Analysis
NTFS Alternate Data Streams
Executable File Analysis
Documentation Before Analysis
Static Analysis Process
Search Strings
PE Header Analysis
Import Table Analysis
Export Table Analysis
Dynamic Analysis Process
Creating Test Environment
Collecting Information Using Tools
Dynamic Analysis Steps
Metadata Investigation
Metadata
Types of Metadata
Metadata in Different File Systems
Viewing Metadata
Demo - ReSysInfo
Demo - Anti-Forensics
Module 12 - Review
Module 13 - Windows Forensics II
Windows Forensics II
Understanding Events
Event Record Structure
Vista Event Logs
Demo - Windows Server Event Viewer
IIS Logs
Parsing IIS Logs
Parsing FTP Logs
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using the Microsoft Log Parser
Evaluating Account Management Events
Examining Audit Policy Change Events
Examining System Log Entries
Examining Application Log Entries
Using EnCase to Examine Windows Event Log Files
Windows Event Log Files Internals
Window Password Issues
Understanding Windows Password Storage
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
Sniffing and Cracking Windows Authentication Exchanges
Cracking Offline Passwords
Module 13 - Review
Module 14 - Linux Forensics
Linux Forensics
Introduction of Linux OS
Linux Boot Sequence
File System Description
Common Directories / Contents
Linux Forensics
Use of Linux as a Forensics Tool
Advantages of Linux in Forensics
Disadvantages of Linux in Forensics
Precautions During Investigation
Recognizing Partitions in Linux
Mount Command
Demo - Linux Drive Mounting
Floppy Disk Analysis
Hard Disk Analysis
Linux Crash Utility
Crash Commands
Case Examples
Case Example I
Step-by-Step Approach to Case
Challenges in Disk Forensics with Linux
Case Example II
Step-by-Step Approach to Case
Linux Forensics Tools
Popular Linux Forensics Tools
The Sleuth Kit
Tools in "The Sleuth Kit"
The Evidence Analysis Techniques in Autopsy
SMART for Linux
Features of SMART for Linux
SMART: Screenshots 1
SMART: Screenshots 2
Penguin Sleuth
The Farmer's Boot CD
Demo - Helix
Forensix
Tool: Maresware
Module 14 - Review
Module 15 - Mac Forensics
Mac Forensics
Mac OS X
Partitioning Schemes
Apple Partition Map(APM)
Apple Partition Map Entry Record
GUID Partition Table
Mac OS X File System
HFS+ File System
Mac OS X Directory Structure
Mac Security Architecture Overview
Screenshot: Mac Security Architecture
Pre-requisites for Mac Forensics
Obtaining System Date and Time
Single User Mode
Determining and Resetting Open Firmware Password
Checking Plist Files
Gathering Network Setting Information from Plist Files
Collect User Home Directory Information
Forensic Information in User Library Folder
Collect User Accounts Information
User IDs
Gathering User Information from Plist files
Use Spotlight for Keyword Search
Cracking File Vault
POSIX Permissions
Viewing POSIX Permissions
Viewing ACL Permissions
Mac OS X Log Files
Locating iChat Configuration File
Checking Instant Messaging Configuration Plist Files
Viewing iChat Logs
Gathering Safari Information
Checking Wi-Fi Support
Checking Bluetooth Support
Gathering Information from Printer Spool (CUPS)
Vulnerable Features of Mac
Imaging a Target Macintosh
Target Disk Mode
LiveCD Method
Drive Removal
Acquiring the Encrypted User Home Directory
.Mac and Related Evidence
Quick View Plus
Cover Flow
Module 15 Review
Module 16 - Data Acquisition and Duplication
Data Acquisition and Duplication
Data Acquisition
Data Acquisition Terminology
Types of Data Acquisition Systems
Determining the Best Acquisition Methods
Data Recovery Contingencies
Data Acquisition Mistakes
Data Duplication
Issues with Data Duplication
Data Duplication in Mobile Multi-Database System
Data Duplication System Used in USB Devices
Data Backup
Data Acquisition Tools and Commands
MS-DOS Data Acquisition Tool: DriveSpy
Using Windows Data Acquisition Tools
FTK Imager
Acquiring Data on Linux
Demo - Using DD
Demo - Netcat
Demo - Mount Image Pro
Demo - Snapshot
Data Acquisition Toolbox
Data Acquisition Tool: SafeBack
Demo - Data Acquisition
Demo - Data Acquisition II
Hardware Tool: Image MASSter Solo-3 Forensic
Image MASSter Solo-3 Forensic
Image MASSter: RoadMASSter -3
Image MASSter: Wipe MASSter
Image MASSter: DriveLock
Logicube: Echo PLUS & Sonix
Logicube: OmniPORT
Logicube: Forensic MD5
Logicube: RAID I/O Adapter
Logicube: GPStamp
Logicube: CellDEK
Data Duplication Tools
Data Duplication Tool: R-drive Image
Data Duplication Tool: DriveLook
Data Duplication Tool: DiskExplorer
Demo - File Recovery
Hardware Tool: ImageMASSter 6007SAS
Hardware Tool: Disk Jockey IT
SCSIPAK
IBM DFSMSdss
DeepSpar: Disk Imager Forensic Edition
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
MacQuisition
MacQuisition: Screenshot
Module 16 Review
Module 17 Recovering Deleted Files and Partitions
Recovering Deleted Files and Partitions
Recovering Deleted Files
Deleting Files
What Happens When a File is Deleted in Windows
Recycle Bin in Windows
Storage Locations of Recycle Bin in FAT and NTFS System
How the Recycle Bin Works
Damaged or Deleted INFO File
Damaged Files in Recycled Folder
Damaged Recycle Folder
How to Undelete a File
Data Recovery in Linux
Tools to Recover Deleted Files
Tool: Search and Recover
Tool: Zero Assumption Digital Image Recovery
More Tools to Recover Deleted Files
Tool: Mycroft V3
Tool: PC ParaChute
Other Tools to Recover Deleted Files
Tool: Image Recall
Tool: eIMAGE Recovery
Demo - Handy Recovery
Demo - Recovering Files and Partitions
Tools to Recover Deleted Files
Recovering Deleted Partitions
Deletion of Partition
Deletion of Partition using Windows
Deletion of Partition using Command Line
Recovery of Deleted Partition
Recovering Deleted Partition Tools
Tool: TestDisk
ThumbsDisplay
Demo - HD Tune
Module 17 - Review
Module 18 - Forensic Investigation Using AccessData FTK
Forensic Investigation Using AccessData FTK
Forensic Toolkit (FTK)
Features of FTK
Installation of FTK
Demo - Installing FTK V1.7
Software Requirement
Installing FTK
FTK Installation
Codemeter Stick Installation
Oracle Installation
Single Computer Installation
Choosing An Evidence Server
Installing the KFF Library
Installing on Separate Computers
Demo - KFF Install v1.7
Setting Up The Application Administrator
Case Manager Window
Toolbar Components
Properties Pane
Hex Interpreter Pane
Web Tab
Filtered Tab
Text Tab
Hex Tab
Explore Tab
Quickpicks Filter
Data Processing Status Dialog
Email Tab
Graphics Tab
Thumbnails Pane
Bookmarks Tab
Live Search Tab
Index Search Tab
Creating Tabs
Launching FTK
Working with FTK
Creating A Case
Demo - Creating a New Case with FTK v1.7
Demo - FTK
Evidence Processing Options
Selecting Data Carving Options
Selecting Evidence Discovery Options
Selecting Evidence Refinement (Advanced) Options
Selecting Index Refinement (Advanced) Options
Refining an Index by File Date/Size
Adding Evidence
Backing Up the Case
Restoring a Case
Deleting a Case
Working with Cases
Opening an Existing Case
Adding Evidence
Selecting a Language
Additional Analysis
Properties Tab
The Hex Interpreter Tab
Using The Bookmark Information Pane
Creating a Bookmark
Bookmarking Selected Text
Adding Evidence to an Existing Bookmark
Moving A Bookmark
Removing A Bookmark
Deleting Files From A Bookmark
Verifying Drive Image Integrity
Copying Information From FTK
Exporting File List Info
Exporting the Word List
Creating a Fuzzy Hash Library
Selecting Fuzzy Hash Options During Initial Processing
Additional Analysis Fuzzy Hashing
Comparing Files Using Fuzzy Hashing
Viewing Fuzzy Hash Results
Demo - Opening a Case Run Data Carving and Bookmark Evidence
Searching A Case
Conducting A Live Search
Customizing The Live Search Tab
Documen
Features
Limited Time Bonus Offer:
Receive our CompTIA Security+ 2008 at No Cost (Value at $595)

6 DVDs featuring live instructor-led classroom sessions with full audio, video and demonstration components
Official EC-Council CHFI Courseware Kit (Value at $595)
1 CD containing supplemental content
Intensive Hacking and Counter-Hacking Hands-On demonstration components
Official EC-Council CHFI Curriculum Courseware Volumes 1, 2, 3, and 4
*Exclusive LearningZone Live Mentor, Ring for Details (Add $50/6 months $75/12 Months)
Help Whenever you need it! Exclusive LearningZone - Chat Live with our Certified Instructors anytime around the clock (7x24)
Proven technique- Actual Exam Secrets Review
Certification Exam Pass Guarantee
Free 1 Year Upgrade Policy
Certificate of Completion
**Price includes delivery ex US (Value $160) and GST
This is a heavy and bulky item