CHFI – Computer Hacking Forensic Investigator

Course Description

The CHFI course gives participants the skills needed to identify an intruder's footprints and to
properly gather the evidence required to prosecute. Many of today's leading tools of the forensic
trade are taught during this course, including software, hardware and specialized techniques.
The drive for businesses, and for home users, to become more efficient and more closely
integrated with one another has given rise to a new type of criminal, the "cyber-criminal." It is no
longer a question of "will your organization be compromised (hacked)?" but rather "when?"
Today's battles between corporations, governments and countries are no longer fought only in the
traditional arenas of boardrooms or battlefields using physical force. Now the battlefield begins in
the technical realm, which touches nearly every facet of modern life. If you or your organization
requires the knowledge or skills to identify, track and prosecute the cyber-criminal, then this is
the course for you.

Duration: 5 days

Who Should Attend

Police and other law enforcement personnel, Defense and Military personnel, e-Business
Security professionals, Systems administrators, Legal professionals, Banking, Insurance and
other professionals, Government agencies, IT managers

Certification

The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the
online Prometric exam to receive the CHFI certification.

Course Outline v2

Module I: Computer Forensics in Today’s World

 Introduction
 History of Forensics
 Definition of Forensic Science
 Definition of Computer Forensics
 What Is Computer Forensics?
 Need for Computer Forensics
 Evolution of Computer Forensics
 Computer Forensics Flaws and Risks
 Corporate Espionage Statistics
 Modes of Attacks
 Cyber Crime
 Examples of Cyber Crime
 Reason for Cyber Attacks
 Role of Computer Forensics in Tracking Cyber Criminals
 Rules of Computer Forensics
 Computer Forensics Methodologies
 Accessing Computer Forensics Resources
 Preparing for Computing Investigations
 Maintaining professional conduct
 Understanding Enforcement Agency Investigations
 Understanding Corporate Investigations
 Investigation Process
 Digital Forensics

Module II: Law And Computer Forensics

 What Is Cyber Crime?
 What Is Computer Forensics?
 Computer Facilitated Crimes
 Reporting Security Breaches to Law Enforcement
 National Infrastructure Protection Center
 FBI
 Federal Statutes
 Cyber Laws
 Approaches to Formulate Cyber Laws
 Scientific Working Group on Digital Evidence (SWGDE)
 Federal Laws
 The USA Patriot Act of 2001
 Freedom of Information Act
 Building Cyber Crime Case
 How the FBI Investigates Computer Crime?
 How to Initiate an Investigation?
 Legal Issues Involved in Seizure of Computer Equipment
 Searching With a Warrant
 Searching Without a Warrant
 Privacy Issues Involved in Investigations
 International Issues Related to Computer Forensics
 Crime Legislation of EU
 Cyber Crime Investigation

Module III: Computer Investigation Process

 Investigating Computer Crime
 Investigating a Company Policy Violation
 Investigation Methodology
 Evaluating the Case
 Before the Investigation
 Document Everything
 Investigation Plan
 Obtain Search Warrant
 Warning Banners
 Shutdown the Computer
 Collecting the Evidence
 Confiscation of Computer Equipment
 Preserving the Evidence
 Importance of Data-recovery Workstations and Software
 Implementing an Investigation
 Understanding Bit-stream Copies
 Imaging the Evidence Disk
 Examining the Digital Evidence
 Closing the Case
 Case Evaluation

Module IV: Computer Security Incident Response Team

 Present Networking Scenario
 Vulnerability
 Vulnerability Statistics
 What Is an Incident?
 A Study by CERT Shows Alarming Rise in Incidents (Security Breaches)
 How to Identify an Incident
 Whom to Report an Incident?
 Incident Reporting
 Category of Incidents
 Handling Incidents
 Procedure for Handling Incident
 Preparation
 Identification
 Containment
 Eradication
 Recovery
 Follow up
 What Is CSIRT?
 Why an Organization Needs an Incident Response Team?
 Need for CSIRT
 Example of CSIRT
 CSIRT Vision
 Vision
 Best Practices for Creating a CSIRT
 Step 1: Obtain Management Support and Buy-In
 Step 2: Determine the CSIRT Development Strategy
 Step 3: Gather Relevant Information
 Step 4: Design your CSIRT Vision
 Step 5: Communicate the CSIRT Vision
 Step 6: Begin CSIRT Implementation
 Step 7: Announce the CSIRT
 Other Response Teams Acronyms and CSIRTs around the world
 World CSIRT

Module V: Computer Forensic Laboratory Requirements

 Budget Allocation for a Forensics Lab
 Physical Location Needs of a Forensic Lab
 Work Area of a Computer Forensics Lab
 General Configuration of a Forensic Lab
 Equipment Needs in a Forensics Lab
 Ambience of a Forensics Lab
 Environmental Conditions
 Recommended Eyestrain Considerations
 Structural Design Considerations
 Electrical Needs
 Communications
 Basic Workstation Requirements in a Forensic Lab
 Consider stocking the following hardware peripherals
 Maintain Operating System and Application Inventories
 Common Terms
 Physical Security Recommendations for a Forensic Lab
 Fire-Suppression Systems
 Evidence Locker Recommendations
 Evidence Locker Combination Recommendations
 Evidence Locker Padlock Recommendations
 Facility Maintenance
 Auditing a Computer Forensics Lab
 Auditing a Forensics Lab
 Forensics Lab
 Mid Sized Lab
 Forensic Lab Licensing Requisite
 Forensic Lab Manager Responsibilities

Module VI: Understanding File systems and Hard disks

 Disk Drive Overview - I
 Hard Disk
 Disk Platter
 Tracks
 Tracks Numbering
 Sector
 Sector addressing
 Cluster
 Cluster Size
 Slack Space
 Lost Clusters
 Bad Sector
 Understanding File Systems
 Types of File System
 List of Disk File Systems
 List of Network file systems
 Special Purpose File systems
 Popular Linux File systems
 Sun Solaris 10 File system - ZFS
 Windows File systems
 Mac OS X File system
 CD-ROM / DVD File system
 File system Comparison
 Boot Sector
 Exploring Microsoft File Structures
 Disk Partition Concerns
 Boot Partition Concerns
 Examining FAT
 NTFS
 NTFS System Files
 NTFS Partition Boot Sector
 NTFS Master File Table (MFT)
 NTFS Attributes
 NTFS Data Stream
 NTFS Compressed Files
 NTFS Encrypted File Systems (EFS)
 EFS File Structure
 Metadata File Table (MFT)
 EFS Recovery Key Agent
 Deleting NTFS Files
 Understanding Microsoft Boot Tasks
 Windows XP system files
 Understanding Boot Sequence DOS
 Understanding MS-DOS Startup Tasks
 Other DOS Operating Systems
 Registry Data
 Examining Registry Data

Module VII: Windows Forensics

 Locating Evidence on Windows Systems
 Gathering Volatile Evidence
 Pslist
 Forensic Tool: fport
 Forensic Tool - Psloggedon
 Investigating Windows File Slack
 Examining File Systems
 Built-in Tool: Sigverif
 Word Extractor
 Checking Registry
 Reglite.exe
 Tool: Resplendent Registrar 3.30
 Microsoft Security ID
 Importance of Memory Dump
 Manual Memory Dumping in Windows 2000
 Memory Dumping in Windows XP and Pmdump
 System State Backup
 How to Create a System State Backup?
 Investigating Internet Traces
 Tool - IECookiesView
 Tool - IE History Viewer
 Forensic Tool: Cache Monitor
 CD-ROM Bootable Windows XP
 Bart PE
 Ultimate Boot CD-ROM
 List of Tools in UB CD-ROM
 Desktop Utilities
 File Analysis Tools
 File Management Tools
 File Recovery Tools
 File Transfer Tools
 Hardware Info Tools
 Process Viewer Tools
 Registry Tools

Module VIII: Linux and Macintosh Boot processes

 UNIX Overview
 Linux Overview
 Understanding Volumes -I
 Exploring Unix/Linux Disk Data Structures
 Understanding Unix/linux Boot Process
 Understanding Linux Loader
 Linux Boot Process Steps
 Step 1: The Boot Manager
 Step 2: init
 Step 2.1: /etc/inittab
 runlevels
 Step 3: Services
 Understanding Permission Modes
 Unix and Linux Disk Drives and Partitioning Schemes
 Mac OS X
 Mac OS X Hidden Files
 Booting Mac OS X
 Mac OS X Boot Options
 The Mac OS X Boot Process
 Installing Mac OS X on Windows XP
 PearPC
 MacQuisition Boot CD

Module IX: Linux Forensics

 Use of Linux as a Forensics Tool
 Recognizing Partitions in Linux
 File System in Linux
 Linux Boot Sequence
 Linux Forensics
 Case Example
 Step-by-step approach to Case 1 (a)
 Step-by-step approach to Case 1 (b)
 Step-by-step approach to Case 1 (c)
 Step-by-step approach to Case 1 (d)
 Case 2
 Challenges in disk forensics with Linux
 Step-by-step approach to Case 2 (a)
 Step-by-step approach to Case 2 (b)
 Step-by-step approach to Case 2 (c)
 Popular Linux Tools

Module X: Data Acquisition and Duplication

 Determining the Best Acquisition Methods
 Data Recovery Contingencies
 MS-DOS Data Acquisition Tools
 DriveSpy
 DriveSpy Data Manipulation Commands
 DriveSpy Data Preservation Commands
 Using Windows Data Acquisition Tools
 Data Acquisition Tool: AccessData FTK Explorer
 FTK
 Acquiring Data on Linux
 dd.exe (Windows XP Version)
 Data Acquisition Tool: Snapback Exact
 Data Arrest
 Data Acquisition Tool: SafeBack
 Data Acquisition Tool: Encase
 Need for Data Duplication
 Data Duplication Tool: R-drive Image
 Data Duplication Tool: DriveLook
 Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files

 Introduction
 Digital Evidence
 Recycle Bin in Windows
 Recycle Hidden Folder
 Recycle folder
 How to Undelete a File?
 Tool: Search and Recover
 Tool: Zero Assumption Digital Image Recovery
 Data Recovery in Linux
 Data Recovery Tool: E2undel
 Data Recovery Tool: O&O Unerase
 Data Recovery Tool: Restorer 2000
 Data Recovery Tool: Badcopy Pro
 Data Recovery Tool: File Scavenger
 Data Recovery Tool: Mycroft V3
 Data Recovery Tool: PC Parachute
 Data Recovery Tool: Stellar Phoenix
 Data Recovery Tool: Filesaver
 Data Recovery Tool: Virtual Lab
 Data Recovery Tool: R-linux
 Data recovery tool: Drive and Data Recovery
 Data Recovery Tool: Active@ UNERASER - Data Recovery
 Data recovery tool: Acronis Recovery Expert
 Data Recovery Tool: Restoration
 Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics

 Introduction to Image Files
 Recognizing an Image File
 Understanding Bitmap and Vector Images
 Metafile Graphics
 Understanding Image File Formats
 File types
 Understanding Data Compression
 Understanding Lossless and Lossy Compression
 Locating and Recovering Image Files
 Repairing Damaged Headers
 Reconstructing File Fragments
 Identifying Unknown File Formats
 Analyzing Image File Headers
 Picture Viewer: IrfanView
 Picture Viewer: Acdsee
 Picture Viewer: Thumbsplus
 Steganography in Image Files
 Steganalysis Tool: Hex Workshop
 Steganalysis Tool: S-tools
 Identifying Copyright Issues With Graphics

Module XIII: Steganography

 Introduction
 Important Terms in Stego-forensics
 Background Information to Image Steganography
 Steganography History
 Evolution of Steganography
 Steps for Hiding Information in Steganography
 Six Categories of Steganography in Forensics
 Types of Steganography
 What Is Watermarking
 Classification of Watermarking
 Types of Watermarks
 Steganographic Detection
 Steganographic Attacks
 Real World Uses of Steganography
 Steganography in the Future
 Unethical Use of Steganography
 Hiding Information in Text Files
 Hiding Information in Image Files
 Process of Hiding Information in Image Files
 Least Significant Bit
 Masking and Filtering
 Algorithms and Transformation
 Hiding Information in Audio Files
 Low-bit Encoding in Audio Files
 Phase Coding
 Spread Spectrum
 Echo Data Hiding
 Hiding Information in DNA
 TEMPEST
 The Steganography Tree
 Steganography Tool: Fort Knox
 Steganography Tool: Blindside
 Steganography Tool: S- Tools
 Steganography Tool: Steghide
 Steganography Tool: Digital Identity
 Steganography Tool: Stegowatch
 Tool : Image Hide
 Data Stash
 Tool: Mp3Stego
 Tool: Snow.exe
 Tool: Camera/Shy
 Steganography Detection

Module XIV: Computer Forensic Tools

 Dump Tool: DS2DUMP
 Dump Tool: Chaosreader
 Slack Space & Data Recovery Tools: Drivespy
 Slack Space & Data Recovery Tools: Ontrack
 Hard Disk Write Protection Tools: Pdblock
 Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock
 Permanent Deletion of Files: PDWipe
 Disk Imaging Tools: Image & Iximager
 Disk Imaging Tools: Snapback Datarrest
 Partition Managers: PART & Explore2fs
 Linux/UNIX Tools: Ltools and Mtools
 Linux/UNIX tools: TCT and TCTUTILs
 Password Recovery Tool: @Stake
 ASRData
 SMART Screenshot
 Ftime
 Oxygen Phone Manager
 Multipurpose Tools: Byte Back & Biaprotect
 Multipurpose Tools: Maresware
 Multipurpose Tools: LC Technologies Software
 Multipurpose Tools: Winhex Specialist Edition
 Multipurpose Tools: Prodiscover DFT
 Toolkits: NTI tools
 Toolkits: R-Tools-I
 Toolkits: R-Tools-II
 Toolkits: DataLifter
 Toolkits: AccessData
 LC Technology International Hardware
 Screenshot of Forensic Hardware
 Image MASSter Solo and FastBloc
 RMON2 Tracing Tools and MCI DoStracker
 EnCase

Module XV: Application password crackers

 Password - Terminology
 What is a Password Cracker?
 How Does A Password Cracker Work?
 Various Password Cracking Methods
 Classification of Cracking Software
 System Level Password Cracking
 Application Password Cracking
 Application Software Password Cracker
 Distributed Network Attack-I
 Distributed Network Attack-II
 Passware Kit
 Accent Keyword Extractor
 Advanced Zip Password Recovery
 Default Password Database
 http://phenoelit.darklab.org/
 http://www.defaultpassword.com/
 http://www.cirt.net/cgi-bin/passwd.pl
 Password Cracking Tools List

Module XVI: Investigating Logs

 Audit Logs and Security
 Audit Incidents
 Syslog
 Remote Logging
 Linux Process Accounting
 Configuring Windows Logging
 Setting up Remote Logging in Windows
 NtSyslog
 EventReporter
 Application Logs
 Extended Logging in IIS Server
 Examining Intrusion and Security Events
 Significance of Synchronized Time
 Event Gathering
 EventCombMT
 Writing Scripts
 Event Gathering Tools
 Forensic Tool: Fwanalog
 End-to End Forensic Investigation
 Correlating Log files
 Investigating TCPDump
 IDS Log Analysis: RealSecure
 IDS Log Analysis: Snort

Module XVII: Investigating network traffic

 Overview of Network Protocols
 Sources of Evidence on a Network
 Overview of Physical and Data-link Layer of the OSI Model
 Evidence Gathering at the Physical Layer
 Tool: Windump
 Evidence Gathering at the Data-link Layer
 Tool: Ethereal
 Tool: NetIntercept
 Overview of Network and Transport Layer of the OSI Model
 Evidence Gathering at the Network and Transport Layer-(I)
 Gathering Evidence on a Network
 GPRS Network Sniffer: Nokia LIG
 NetWitness
 McAfee InfiniStream Security Forensics
 Snort 2.1.0
 Documenting the Gathered Evidence on a Network
 Evidence Reconstruction for Investigation

Module XVIII: Router Forensics

 What Is a Router?
 Functions of a Router
 A Router in an OSI Model
 Routing Table and Its Components
 Router Architecture
 Implications of a Router Attack
 Types of Router Attacks
 Denial of Service (DoS) Attacks
 Investigating DoS Attacks
 Smurfing – Latest in DoS Attacks
 Packet “Mistreating” Attacks
 Routing Table Poisoning
 Hit-and-run Attacks Vs. Persistent Attacks
 Router Forensics Vs. Traditional Forensics
 Investigating Routers
 Chain of Custody
 Incident Response & Session Recording
 Accessing the Router
 Volatile Evidence Gathering
 Router Investigation Steps - I
 Analyzing the Intrusion
 Logging
 Incident Forensics
 Handling a Direct Compromise Incident
 Other Incidents

Module XIX: Investigating Web Attacks

 Indications of a web attack
 Responding to a web attack
 Overview of web logs
 Mirrored Sites
 N-Stealth
 Investigating static and dynamic IP address
 Tools for locating IP Address: Nslookup
 Tools for locating IP Address: Traceroute
 Tools for locating IP Address: NeoTrace (Now McAfee Visual Trace)
 Tools for locating IP Address: Whois
 Web page defacement
 Defacement using DNS compromise
 Investigating DNS Poisoning
 SQL Injection Attacks
 Investigating SQL Injection Attacks
 Investigating FTP Servers
 Investigating FTP Logs
 Investigating IIS Logs
 Investigating Apache Logs
 Investigating DHCP Server Logfile

Module XX: Tracking E-mails and Investigating E-mail crimes

 Understanding Internet Fundamentals
 Understanding Internet Protocols
 Exploring the Roles of the Client and Server in E-mail
 E-mail Crime
 Spamming, Mail Bombing, Mail Storm
 Chat Rooms
 Identity Fraud, Chain Letter
 Sending Fakemail
 Investigating E-mail Crime and Violation
 Viewing E-mail Headers
 Examining an E-mail Header
 Viewing Header in Microsoft Outlook
 Viewing Header in Eudora
 Viewing Header in Outlook Express
 Viewing Header in AOL
 Viewing Header in Hot Mail
 Viewing Header using Pine for Unix
 Viewing Header in Juno
 Viewing Header in Yahoo
 Examining Additional Files
 Microsoft Outlook Mail
 Pst File Location
 Tracing an E-mail Message
 Using Network Logs Related to E-mail
 Understanding E-mail Server
 Examining UNIX E-mail Server Logs
 Examining Microsoft E-mail Server Logs
 Examining Novell GroupWise E-mail Logs
 Using Specialized E-mail Forensic Tools
 Tool: FINALeMAIL
 Tool: R-Mail
 E-Mail Examiner by Paraben
 Network E-Mail Examiner by Paraben
 Tracing Back
 Tracing Back Web Based E-mail
 Searching E-mail Addresses
 E-mail Search Site
 Handling Spam
 Network Abuse Clearing House
 Abuse.Net
 Protecting Your E-mail Address From Spam
 Tool: Enkoder Form
 Tool: eMailTrackerPro
 Tool: SPAM Punisher

Module XXI: Mobile and PDA Forensics

 Latest Mobile Phone Access Technologies
 Evidence in Mobile Phones
 Mobile Phone Forensic Examination Methodology
 Examining Phone Internal Memory
 Examining SIM
 Examining Flash Memory and Call data records
 Personal Digital Assistant (PDA)
 PDA Components
 PDA Forensics
 PDA Forensics - Examination
 PDA Forensics - Identification
 PDA Forensics - Collection
 PDA Forensics - Documentation
 Points to Be Remembered While Conducting Investigation
 PDA Seizure by Paraben
 SIM Card Seizure by Paraben (SIM Card acquisition tool)
 Forensic Tool – Palm dd (pdd)
 Forensic Tool - POSE

Module XXII: Investigating Trademark and Copyright Infringement

 Trademarks
 Trademark Eligibility and Benefits of Registering It
 Service Mark and Trade Dress
 Trademark infringement
 Trademark Search
 www.uspto.gov
 Copyright and Copyright Notice
 Investigating Copyright Status of a Particular Work
 How Long Does a Copyright Last?
 U.S Copyright Office
 Doctrine of “Fair Use”
 How Are Copyrights Enforced?
 SCO Vs. IBM
 SCO Vs Linux
 Line-by-Line Copying
 Plagiarism
 Turnitin
 Plagiarism detection tools
 CopyCatch
 Patent
 Patent Infringement
 Patent Search
 Case Study: Microsoft Vs Forgent
 Internet Domain Name and ICANN
 Domain Name Infringement
 Case Study: Microsoft.com Vs MikeRoweSoft.com
 How to check for Domain Name Infringement?

Module XXIII: Investigative Reports

 Need of an investigative report
 Report specification
 Report Classification
 Report and Opinion
 Layout of an Investigative Report
 Writing Report
 Use of Supporting Material
 Importance of Consistency
 Salient Features of a Good Report
 Investigative Report Format
 Before Writing the Report
 Writing Report Using FTK

Module XXIV: Becoming an Expert Witness

 Who Is an Expert?
 Who Is an Expert Witness?
 Role of an Expert Witness
 Technical Testimony Vs. Expert Testimony
 Preparing for Testimony
 Evidence Preparation and Documentation
 Evidence Processing Steps
 Rules Pertaining to an Expert Witness’ Qualification
 Importance of Curriculum Vitae
 Technical Definitions
 Testifying in Court
 The Order of Trial Proceedings
 Voir dire
 General Ethics While Testifying - I
 Evidence Presentation
 Importance of Graphics in a Testimony
 Helping Your Attorney
 Avoiding Testimony Problems
 Testifying During Direct Examination
 Testifying During Cross Examination
 Deposition
 Guidelines to Testify at a Deposition
 Dealing With Reporters

Module XXV: Forensics in action

 E-mail Hoax
 Trade Secret Theft
 Operation Cyberslam

APPENDIX:

1. Investigating Wireless Attacks
 Passive Attacks
 Netstumbler
 Active Attacks On Wireless Networks
 Rogue Access Points
 Investigating Wireless Attacks
 Airmagnet

2. Forensics Investigation Using EnCase
 Evidence File
 Evidence File Format
 Verifying File Integrity
 Hashing
 Acquiring Image
 Configuring Encase
 Encase Options Screen
 Encase Screens
 View Menu
 Device Tab
 Viewing Files and Folders
 Bottom Pane
 Viewers in Bottom Pane
 Status Bar
 Searching
 Keywords
 Adding Keywords
 Grouping
 Add multiple Keywords
 Starting the Search
 Search Hits Tab
 Search Hits
 Bookmarks
 Creating Bookmarks
 Adding Bookmarks
 Bookmarking Selected Data
 Recovering Deleted Files/folders in FAT Partition
 Recovering Folders in NTFS
 Master Boot Record
 NTFS Starting Point
 Viewing disk Geometry
 Recovering Deleted Partitions
 Hash Values
 Creating Hash Sets
 MD5 Hash
 Creating Hash
 Viewers
 Signature Analysis
 Copying Files Folders
 E-mail Recovery
 Reporting
 Encase Boot Disks
 IE Cache Images

3. First Responder Procedures
 Steps At Crime Scene
 People Involved In Incident Response
 The Role Of A System Administrator
 First Response By Non-Laboratory Staff
 Guidelines For Search And Seizure
 Planning The Search And Seizure
 Evidence Collection
 Dealing With Powered Up Computers At Seizure Time
 How To Pull The Power
 Seizing Computer Equipment
 Removable Media
 Seizing Portable Computers
 How To Remove HD From Laptops?
 Initial Interviews
 Chain Of Custody

4. Checklist for Choosing a Forensic Examiner

5. Investigation Checklist
