CHFI: Computer Hacking Forensic Investigator Course ID #: 1275-200-ZZ-W Hours: 40

Course Content

Course Description: CHFI v9 covers a detailed, methodical approach to computer forensics and evidence analysis. It provides the skill set needed to identify an intruder's footprints and to gather the evidence required for prosecution. All major tools and theories used by the cyber forensics industry are covered in the curriculum. The certification fortifies the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, computer and network security professionals, and anyone else concerned with the integrity of the network and of digital investigations.

CHFI trains the skills needed to perform an effective digital forensic investigation. It is a comprehensive course covering the major forensic investigation scenarios, and it gives students hands-on experience with forensic investigation techniques and the standard forensic tools needed to carry out a computer forensic investigation that leads to the prosecution of perpetrators.

CHFI presents a methodical approach to computer forensics: searching and seizing, chain of custody, acquisition, preservation, analysis, and reporting of digital evidence.

Target Student:
 Anyone interested in cyber forensics/investigations
 Attorneys, Legal Consultants, and Lawyers
 Law Enforcement Officers
 Police Officers
 Federal/Government Agents
 Defense and Military
 Detectives/Investigators
 Incident Response Team Members
 Information Security Managers
 Network Defenders
 IT Professionals, IT Directors/Managers
 System/Network Engineers
 Security Analysts/Architects/Auditors/Consultants

www.tcworkshop.com Pages 1 of 17 800.639.3535

Prerequisites:
 IT/forensics professionals with basic knowledge of IT/cyber security, computer forensics, and incident response.
 Prior completion of CEH training is an advantage.

Topics:

Module 01: Computer Forensics in Today’s World
 Understanding Computer Forensics
 Why and When Do You Use Computer Forensics?
 Cyber Crime (Types of Computer Crimes)
 Case Study
 Challenges Cyber Crimes Present for Investigators
 Cyber Crime Investigation
  o Civil versus Criminal Investigation
  o Case Study: Criminal Case
  o Case Study: Civil Case
  o Administrative Investigation
  o Case Study: Administrative Case
 Computer Forensics as Part of an Incident Response Plan
 Need for Forensic Investigator
 Roles and Responsibilities of Forensics Investigator
 What Makes a Good Computer Forensics Investigator?
 Investigative Challenges
  o Computer Forensics: Legal Issues
  o Computer Forensics: Privacy Issues
 Legal and Privacy Issues
 Code of Ethics
 Accessing Computer Forensics Resources
 Rules of Forensics Investigation
  o Enterprise Theory of Investigation (ETI)
 Understanding Digital Evidence
 Types of Digital Evidence
 Characteristics of Digital Evidence
 Role of Digital Evidence
  o Digital Forensics Challenges
 Sources of Potential Evidence
 Rules of Evidence
  o Best Evidence Rule
  o “Hearsay” Concept
  o Federal Rules of Evidence
    . Scientific Working Group on Digital Evidence (SWGDE)
 Forensics Readiness
  o Forensics Readiness Planning

Module 02: Computer Forensics Investigation Process
 Importance of Computer Forensics Process
 Phases Involved in the Computer Forensics Investigation Process
 Pre-investigation Phase
  o Setting Up a Computer Forensics Lab
    . Planning and Budgeting
    . Physical Location and Structural Design Considerations
    . Work Area Considerations
    . Physical Security Recommendations
    . Fire-Suppression Systems
    . Evidence Locker Recommendations
    . Auditing the Security of a Forensics Lab
    . Human Resource Considerations
    . Build a Forensics Workstation
    . Basic Workstation Requirements in a Forensics Lab
    . Build a Computer Forensics Toolkit
    . Forensics Hardware
    . Forensics Software
  o Build the Investigation Team
    . Forensic Practitioner Certification and Licensing
  o Review Policies and Laws
    . Forensics Laws
  o Establish Quality Assurance Processes
    . Quality Assurance Practices in Digital Forensics
    . General Quality Assurance in the Digital Forensic Process
    . Quality Assurance Practices: Laboratory Software and Hardware
    . Laboratory Accreditation Programs
  o Data Destruction Industry Standards
  o Risk Assessment
    . Risk Assessment Matrix
 Investigation Phase
  o Investigation Process
    . Questions to Ask When a Client Calls the Forensic Investigator
    . Checklist to Prepare for a Computer Forensics Investigation
    . Notify Decision Makers and Acquire Authorization
  o Computer Forensics Investigation Methodology: First Response
    . First Responder
       Roles of First Responder
    . First Response Basics
    . Incident Response: Different Situations
       First Response by System Administrators
       First Response by Non-Forensic Staff
       First Response by Laboratory Forensic Staff
    . First Responder Common Mistakes
    . Documenting the Electronic Crime Scene
       Photographing the Scene
       Sketching the Scene
       Note Taking Checklist
  o Computer Forensics Investigation Methodology: Search and Seizure
    . Consent
       Sample of Consent Search Form
       Witness Signatures
       Witness Statement Checklist
    . Conducting Preliminary Interviews
    . Planning the Search and Seizure
       Initial Search of the Scene
    . Warrant for Search and Seizure
       Obtain Search Warrant
       Example of Search Warrant
    . Searches Without a Warrant
    . Health and Safety Issues
    . Securing and Evaluating Electronic Crime Scene: A Checklist
  o Computer Forensics Investigation Methodology: Collect the Evidence
    . Collect Physical Evidence
       Evidence Collection Form
    . Collecting and Preserving Electronic Evidence
    . Dealing with Powered On Computers
    . Dealing with Powered Off Computers
    . Dealing with Networked Computer
    . Dealing with Open Files and Startup Files
    . Operating System Shutdown
    . Computers and Servers
    . Preserving Electronic Evidence
    . Seizing Portable Computers
    . Dealing with Switched On Portable Computers
  o Computer Forensics Investigation Methodology: Secure the Evidence
    . Evidence Management
    . Chain of Custody
       Simple Format of the Chain of Custody Document
       Chain of Custody Forms
       Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
    . Packaging and Transporting Electronic Evidence
       Evidence Bag Contents List
       Packaging Electronic Evidence
       Exhibit Numbering
       Transporting Electronic Evidence
    . Storing Electronic Evidence
  o Computer Forensics Investigation Methodology: Data Acquisition
    . Guidelines for Acquiring Evidence
    . Duplicate the Data (Imaging)
    . Verify Image Integrity
       MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
    . Recover Lost or Deleted Data
       Data Recovery Software
  o Computer Forensics Investigation Methodology: Data Analysis
    . Data Analysis Procedure
 Post-investigation Phase
  o Computer Forensics Investigation Methodology: Evidence Assessment
    . Evidence Assessment
    . Case Assessment
    . Processing Location Assessment
    . Collecting Evidence from Social Networks
    . Best Practices on How to Behave as an Investigator on Social Media
    . Best Practices to Assess the Evidence
  o Computer Forensics Investigation Methodology: Documentation and Reporting
    . Documentation in Each Phase
    . Gather and Organize Information
    . Writing the Investigation Report
  o Computer Forensics Investigation Methodology: Testify as an Expert Witness
    . Expert Witness
    . Testifying in the Court Room
    . Closing the Case
    . Maintaining Professional Conduct
Module 03: Understanding Hard Disks and File Systems
 Hard Disk Drive Overview
  o Disk Drive Overview
  o Hard Disk Drive (HDD)
  o Solid-State Drive (SSD)
  o Physical Structure of a Hard Disk
  o Logical Structure of Hard Disk
  o Types of Hard Disk Interfaces
  o Hard Disk Interfaces
    . ATA
    . SCSI
    . IDE/EIDE
    . USB
    . Fibre Channel
  o Tracks
    . Track Numbering
  o Sector
    . Sector Addressing
    . Advanced Format: Sectors
  o Cluster
    . Cluster Size
    . Slack Space
    . Lost Clusters
  o Bad Sectors
  o Understanding Bit, Byte, and Nibble
  o Hard Disk Data Addressing
  o Data Densities on a Hard Disk
  o Disk Capacity Calculation
  o Measuring the Performance of the Hard Disk
 Disk Partitions and Boot Process
  o Disk Partitions
  o BIOS Parameter Block (BPB)
  o Partitioning Utilities
  o Master Boot Record
    . Structure of a Master Boot Record
  o Globally Unique Identifier (GUID)
    . GUID Partition Table (GPT)
  o What Is the Booting Process?
  o Essential Windows System Files
  o Windows Boot Process
  o Identifying GUID Partition Table (GPT)
  o Analyzing the GPT Header and Entries
  o GPT Artifacts
  o Macintosh Boot Process
  o Linux Boot Process
 Understanding File Systems
  o Understanding File Systems
  o Types of File Systems
  o Windows File Systems
    . File Allocation Table (FAT)
       FAT Layout
       FAT Partition Boot Sector
       FAT Folder Structure
       Directory Entries and Cluster Chains
       Filenames on FAT Volumes
       FAT32
    . New Technology File System (NTFS)
       NTFS Architecture
       NTFS System Files
       NTFS Partition Boot Sector
       Cluster Sizes of NTFS Volume
       NTFS Master File Table (MFT)
        o Metadata Files Stored in the MFT
       NTFS Attributes
       NTFS Data Stream
       NTFS Compressed Files
        o Setting the Compression State of a Volume
       Encrypting File Systems (EFS)
        o Components of EFS
        o EFS Attribute
       Sparse Files
  o Linux File Systems
    . Linux File System Architecture
    . File System Hierarchy Standard (FHS)
    . Extensible File System (Ext)
    . Second Extensible File System (Ext2)
    . Third Extensible File System (Ext3)
    . Fourth Extensible File System (Ext4)
  o Mac OS X File Systems
    . HFS vs. HFS Plus
    . Hierarchical File System (HFS)
    . Hierarchical File System Plus (HFS+)
       HFS Plus Volumes
       HFS Plus Journal
  o Oracle Solaris 11 File System: ZFS
  o CD-ROM / DVD File System
  o Compact Disc File System (CDFS)
  o Virtual File System (VFS) and Universal Disk Format File System (UDF)
 RAID Storage System
  o Levels of RAID Storage System
  o Host Protected Areas (HPA) and Device Configuration Overlays (DCO)
 File System Analysis
  o File Carving
  o Image File Analysis: JPEG
  o Image File Analysis: BMP
  o Hex View of Popular Image File Formats
  o PDF File Analysis
  o Word File Analysis
  o PPT File Analysis
  o Excel File Analysis
  o Hex View of Other Popular File Formats
    . Video
    . Audio
  o File System Analysis Using Autopsy
  o File System Analysis Using The Sleuth Kit (TSK)
  o The Sleuth Kit (TSK): fsstat
  o The Sleuth Kit (TSK): istat
  o The Sleuth Kit (TSK): fls and img_stat

Module 04: Data Acquisition and Duplication
 Data Acquisition and Duplication Concepts
  o Understanding Data Acquisition
    . Types of Data Acquisition Systems
  o Live Data Acquisition
  o Order of Volatility
  o Common Mistakes in Volatile Data Collection
  o Volatile Data Collection Methodology
 Static Acquisition
  o Static Data Acquisition
  o Rules of Thumb
  o Why to Create a Duplicate Image?
  o Bit Stream Image vs. Backups
  o Issues with Data Duplication
  o Data Acquisition and Duplication Steps
  o Prepare a Chain of Custody Document
  o Enable Write Protection on the Evidence Media
  o Sanitize the Target Media: NIST SP 800-88 Guidelines
  o Determine the Data Acquisition Format
  o Data Acquisition Methods
  o Determine the Best Acquisition Method
  o Select the Data Acquisition Tool
    . Mandatory Requirements
    . Optional Requirements
  o Data Acquisition and Duplication Tools: Hardware
  o Data Acquisition and Duplication Tools: Software
  o Linux Standard Tools
  o Acquiring Data on Linux: dd Command
  o Acquiring Data on Linux: dcfldd Command
  o Acquiring Data on Windows: AccessData FTK Imager
  o Acquiring RAID Disks
  o Remote Data Acquisition
  o Data Acquisition Mistakes
  o Plan for Contingency
 Validate Data Acquisitions
  o Linux Validation Methods
  o Windows Validation Methods
 Acquisition Best Practices

Module 05: Defeating Anti-forensics Techniques
 What Is Anti-Forensics?
  o Goals of Anti-Forensics
 Anti-Forensics Techniques
  o Data/File Deletion
    . What Happens When a File Is Deleted in Windows?
    . Recycle Bin in Windows
       Storage Locations of Recycle Bin in FAT and NTFS Systems
       How the Recycle Bin Works
       Damaged or Deleted INFO2 File
       Damaged Files in Recycle Bin Folder
       Damaged Recycle Bin Folder
       File Recovery Tools: Windows
    . File Recovery in Mac OS X
       File Recovery Tools: Mac
       File Recovery in Linux
    . Recovering the Deleted Partitions
       Partition Recovery Tools: Active@ Partition Recovery
       Partition Recovery Tools (for Windows, Mac, and Linux together)
  o Password Protection
    . Password Types
    . Password Cracker and Its Working
    . Password Cracking Techniques
    . Default Passwords
    . Using Rainbow Tables to Crack Hashed Passwords
       Tools to Create Rainbow Tables: rtgen and Winrtgen
    . Microsoft Authentication
       How Hashed Passwords Are Stored in the Windows SAM
    . System Software Password Cracking
    . Bypassing BIOS Passwords
       Using Manufacturer’s Backdoor Password to Access the BIOS
       Using Password Cracking Software
       CmosPwd
       DaveGrohl
       Resetting the CMOS Using the Jumpers or Solder Beads
       Removing CMOS Battery
       Overloading the Keyboard Buffer and Using a Professional Service
    . Tool to Reset Admin Password
       Active@ Password Changer
       Windows Password Recovery Bootdisk
       Windows Password Recovery Lastic
    . Application Password Cracking Tools
       Word Password Recovery Tools
       PowerPoint Password Recovery Tools
       Excel Password Recovery Tools
       PDF Password Recovery Tools
       ZIP/RAR Password Recovery Tool: Advanced Archive Password Recovery
       Other Application Software Password Cracking Tools
    . Other Password Cracking Tools
  o Steganography
    . Steganography
       Types of Steganography Based on Cover Medium
    . Steganalysis
       Steganalysis Methods/Attacks on Steganography
       Detecting Steganography
       Steganography Detection Tool: Gargoyle Investigator™ Forensic Pro
       Steganography Detection Tools
  o Data Hiding in File System Structures
  o Trail Obfuscation
  o Artifact Wiping
  o Overwriting Data/Metadata
  o Encryption
    . Encrypting File System (EFS): Recovery Certificate
    . Advanced EFS Data Recovery Tool
  o Encrypted Network Protocols
  o Program Packers
  o Rootkits
    . Detecting Rootkits
    . Steps for Detecting Rootkits
  o Minimize Footprint
  o Exploiting Forensic Tools Bugs
  o Detecting Forensic Tool Activities
  o Anti-Forensics Countermeasures
  o Anti-Forensics Challenges
  o Anti-forensics Tools
    . Privacy Eraser
    . Azazel Rootkit
    . QuickCrypto

Module 06: Operating System Forensics (Windows, Mac, Linux)
 Introduction to OS Forensics
 Windows Forensics
 Collecting Volatile Information
  o Volatile Information
    . System Time
    . Logged-On Users
       PsLoggedOn Tool
       net sessions Command
       LogonSessions Tool
    . Open Files
       net file Command
       PsFile Utility
       Openfiles Command
    . Network Information
    . Network Connections
    . Process Information
    . Process-to-Port Mapping
    . Process Memory
    . Network Status
    . Print Spool Files
    . Other Important Information
 Collecting Non-Volatile Information
  o Non-Volatile Information
    . Examine File Systems
    . Registry Settings
    . Microsoft Security ID
    . Event Logs
    . ESE Database File
    . Connected Devices
    . Slack Space
    . Virtual Memory
    . Swap Space, Hibernation, and Page Files
    . Windows Search Index
    . Collecting Hidden Partition Information
    . Hidden ADS Streams
       Investigating ADS Streams: StreamArmor
    . Other Non-Volatile Information
       Analyze the Windows Thumbcache
 Windows Memory Analysis
  o Virtual Hard Disk (VHD)
  o Memory Dump
  o EProcess Structure
  o Process Creation Mechanism
  o Parsing Memory Contents
  o Parsing Process Memory
  o Extracting the Process Image
  o Collecting Process Memory
 Windows Registry Analysis
  o Inside the Registry
  o Registry Structure within a Hive File
  o The Registry as a Log File
  o Registry Analysis
  o System Information
  o TimeZone Information
  o Shares
  o Wireless SSIDs
  o Startup Locations
  o Importance of Volume Shadow Copy Services
  o System Boot
  o User Login
  o User Activity
  o Enumerating Autostart Registry Locations
  o USB Removable Storage Devices
  o Mounted Devices
  o Tracking User Activity
  o The UserAssist Keys
  o MRU Lists
  o Connecting to Other Systems
  o Analyzing Restore Point Registry Settings
  o Determining the Startup Locations
 Cache, Cookie, and History Analysis
  o Cache, Cookie, and History Analysis: Mozilla Firefox
    . Analysis Tool: MZCacheView
    . Analysis Tool: MZCookiesView
    . Analysis Tool: MZHistoryView
  o Cache, Cookie, and History Analysis: Google Chrome
    . Analysis Tool: ChromeCookiesView
    . Analysis Tool: ChromeCacheView
    . Analysis Tool: ChromeHistoryView
  o Cache, Cookie, and History Analysis: Microsoft Edge
    . Analysis Tool: IECookiesView
    . Analysis Tool: IECacheView
    . Analysis Tool: BrowsingHistoryView
 Windows File Analysis
  o System Restore Points (Rp.log Files)
  o System Restore Points (Change.log.x Files)
  o Prefetch Files
  o Shortcut Files
  o Image Files
 Metadata Investigation
  o Understanding Metadata
  o Types of Metadata
  o Metadata in Different File Systems
  o Metadata in PDF Files
  o Metadata in Word Documents
  o Tool: Metashield Analyzer
 Text Based Logs
  o Understanding Events
  o Types of Logon Events
  o Event Log File Format
  o Organization of Event Records
  o ELF_LOGFILE_HEADER Structure
  o EventLogRecord Structure
  o Windows 10 Event Logs
 Other Audit Events
  o Evaluating Account Management Events
  o Examining System Log Entries
  o Examining Application Log Entries
 Forensic Analysis of Event Logs
  o Searching with Event Viewer
  o Using Event Log Explorer to Examine Windows Log Files
  o Windows Event Log Files Internals
 Windows Forensics Tools
 Linux Forensics
 Shell Commands
 Linux Log Files
 Collecting Volatile Data
 Collecting Non-Volatile Data
 Mac Forensics
 Introduction to Mac Forensics
 Mac Forensics Data
 Mac Log Files
 Mac Directories
 Mac Forensics Tools

Module 07: Network Forensics
 Introduction to Network Forensics
  o Network Forensics
  o Postmortem and Real-Time Analysis
  o Network Vulnerabilities
  o Network Attacks
  o Where to Look for Evidence
 Fundamental Logging Concepts
  o Log Files as Evidence
  o Laws and Regulations
  o Legality of Using Logs
  o Records of Regularly Conducted Activity as Evidence
 Event Correlation Concepts
  o Event Correlation
  o Types of Event Correlation
  o Prerequisites of Event Correlation
  o Event Correlation Approaches
 Network Forensic Readiness
  o Ensuring Log File Accuracy
    . Log Everything
    . Keeping Time
       Why Synchronize Computer Times?
       What Is Network Time Protocol (NTP)?
    . Use Multiple Sensors
    . Avoid Missing Logs
  o Implement Log Management
    . Functions of Log Management Infrastructure
    . Challenges in Log Management
    . Meeting the Challenges in Log Management
    . Centralized Logging
    . Syslog
    . IIS Centralized Binary Logging
  o Ensure System’s Integrity
  o Control Access to Logs
 Network Forensics Steps
  o Ensure Log File Authenticity
    . Use Signatures, Encryption, and Checksums
  o Work with Copies
  o Maintain Chain of Custody
  o Condensing Log File
  o Analyze Logs
    . Network Forensics Analysis Mechanism
       Log Capturing and Analysis Tools: GFI EventsManager
       Log Capturing and Analysis Tools: EventLog Analyzer
       Log Capturing and Analysis Tools
    . Analyzing Router Logs
    . Evidence Gathering from ARP Table
    . Analyzing Router Logs: Cisco
    . Analyzing Router Logs: Juniper
    . Analyzing Firewall Logs
    . Analyzing Firewall Logs: Cisco
    . Analyzing Firewall Logs: Checkpoint
    . Analyzing IDS Logs
    . Analyzing IDS Logs: Juniper
    . Analyzing IDS Logs: Checkpoint
    . Analyzing Honeypot Logs
    . DHCP Logging
       Sample DHCP Audit Log File
       Evidence Gathering at the Data-Link Layer: DHCP Database
    . ODBC Logging
 Network Traffic Investigation
  o Why Investigate Network Traffic?
  o Evidence Gathering via Sniffing
    . Sniffing Tool: Wireshark
    . Display Filters in Wireshark
    . Additional Wireshark Filters
    . Sniffing Tool: SteelCentral Packet Analyzer
    . Sniffing Tool: Tcpdump/Windump
    . Packet Sniffing Tool: Capsa Network Analyzer
    . Network Packet Analyzer: OmniPeek Network Analyzer
    . Network Packet Analyzer: Observer
    . Network Packet Analyzer: Capsa Portable Network Analyzer
    . TCP/IP Packet Crafter: Colasoft Packet Builder
    . Network Packet Analyzer: RSA NetWitness Investigator
    . Additional Sniffing Tools
  o Gathering Evidence from an IDS
    . Documenting the Evidence
    . Evidence Reconstruction

Module 08: Investigating Web Attacks
 Introduction to Web Application Forensics
  o Introduction to Web Application Forensics
  o Web Application Architecture
  o Challenges in Web Application Forensics
 Web Attack Investigation
  o Indications of a Web Attack
  o Web Application Threats - 1
  o Web Application Threats - 2
  o Investigating a Web Attack
  o Investigating Web Attacks in Windows-Based Servers
 Investigating Web Server Logs
  o Internet Information Services (IIS) Logs
    . IIS Web Server Architecture
    . IIS Logs
    . Investigating IIS Logs
    . Maintaining Credible IIS Log Files
    . Investigating IIS Logs: Best Practices
    . UTC Time
  o Investigating Apache Logs
    . Apache Web Server Architecture
    . Apache Web Server Logs
    . Investigating Apache Logs
  o Investigating Cross-Site Scripting (XSS)
  o Investigating XSS: Using Regex to Search XSS Strings
  o Investigating SQL Injection Attacks
  o Pen-Testing CSRF Validation Fields
  o Investigating Code Injection Attack
  o Investigating Cookie Poisoning Attack
 Web Attack Detection Tools
  o Web Log Viewers
 Tools for Locating IP Address
  o IP Address Locating Tools
 WHOIS Lookup Tools

Module 09: Database Forensics
 Database Forensics and Its Importance
 MSSQL Forensics
  o Data Storage in SQL Server
  o Database Evidence Repositories
  o Collecting Volatile Database Data
    . Collecting Primary Data File and Active Transaction Logs Using SQLCMD
    . Collecting Primary Data File & Transaction Logs
    . Collecting Active Transaction Logs Using SQL Server Management Studio
    . Collecting Database Plan Cache
    . Collecting Windows Logs
    . Collecting SQL Server Trace Files
    . Collecting SQL Server Error Logs
    . Database Forensics Using SQL Server Management Studio
    . Database Forensics Using ApexSQL DBA
 MySQL Forensics
  o Internal Architecture of MySQL
    . Structure of the Data Directory
  o MySQL Forensics
    . Viewing the Information Schema
    . MySQL Utility Programs for Forensic Analysis
    . Common Scenario for Reference
    . MySQL Forensics for WordPress Website Database: Scenario 1
       Collect the Evidence
       Examine the Log Files
       Analyze the General Log
       Take a Backup of the Database
       Create an Evidence Database
       Select the Database
       View the Tables in the Database
       View the Users in the Database
       View Columns in the Table
       Collect the Posts Made by the User
       Examine the Posts Made by the User
    . MySQL Forensics for WordPress Website Database: Scenario 2
       Collect the Database and All the Logs
       Examine the .frm Files
       Examine the Binary Logs
       Retrieve the Deleted User Account
       ibdata1 in Data Directory

Module 10: Cloud Forensics
 Introduction to Cloud Computing
  o Types of Cloud Computing Services
  o Separation of Responsibilities in Cloud
  o Cloud Deployment Models
  o Cloud Computing Threats
  o Cloud Computing Attacks
 Cloud Forensics
  o Usage of Cloud Forensics
  o Cloud Crimes
    . Case Study: Cloud as a Subject
    . Case Study: Cloud as the Object
    . Case Study: Cloud as a Tool
  o Cloud Forensics: Stakeholders and Their Roles
  o Cloud Forensics Challenges
    . Architecture and Identification
    . Data Collection
    . Legal
    . Analysis
  o Investigating Cloud Storage Services
  o Investigating Dropbox Cloud Storage Service
    . Artifacts Left by Dropbox Web Portal
    . Artifacts Left by Dropbox Client on Windows
  o Investigating Google Drive Cloud Storage Service
    . Artifacts Left by Google Drive Web Portal
    . Artifacts Left by Google Drive Client on Windows
  o Cloud Forensics Tools: UFED Cloud Analyzer

Module 11: Malware Forensics
 Introduction to Malware
  o Different Ways a Malware Can Get into a System
  o Common Techniques Attackers Use to Distribute Malware on the Web
  o Components of Malware
 Introduction to Malware Forensics
  o Why Analyze Malware
  o Identifying and Extracting Malware
  o Prominence of Setting Up a Controlled Malware Analysis Lab
  o Preparing Testbed for Malware Analysis
  o Supporting Tools for Malware Analysis
  o General Rules for Malware Analysis
  o Documentation Before Analysis
  o Types of Malware Analysis
    . Malware Analysis: Static
    . Static Malware Analysis: File Fingerprinting
    . Online Malware Testing: VirusTotal
    . Online Malware Analysis Services
    . Local and Online Malware Scanning
    . Performing Strings Search
    . Identifying Packing/Obfuscation Methods
    . Finding the Portable Executables (PE) Information
    . Identifying File Dependencies
    . Malware Disassembly
    . Malware Analysis Tool: IDA Pro
    . Malware Analysis: Dynamic
       Installation Monitor
       Process Monitor
        o Process Monitoring Tool: What's Running
        o Process Monitoring Tools
       Files and Folder Monitor
        o Files and Folder Monitoring Tools
       Registry Monitor
        o Registry Entry Monitoring Tool: RegScanner
        o Registry Entry Monitoring Tools
       Network Activity Monitor
        o Detecting Trojans and Worms with Capsa Network Analyzer
       Port Monitor
        o Port Monitoring Tools: TCPView and CurrPorts
       DNS Monitoring/Resolution
       API Calls Monitor
       Device Drivers Monitor
        o Device Drivers Monitoring Tool: DriverView
        o Device Drivers Monitoring Tools
       Startup Programs Monitor
        o Windows 10 Startup Registry Entries
        o Startup Programs Monitoring Tool: Security AutoRun
        o Startup Programs Monitoring Tools
       Windows Services Monitor
        o Windows Service Manager (SrvMan)
        o Windows Services Monitoring Tools
        o Files and Folder Integrity Checkers: FastSum and WinMD5
        o Files and Folder Integrity Checkers
    . Analysis of Malicious Documents
    . Malware Analysis Challenges

Module 12: Investigating Email Crimes
 Email System
  o Email Clients
  o Email Server
  o SMTP Server
  o POP3 Server
  o IMAP Server
  o Importance of Electronic Records Management
 Email Crimes (Email Spamming, Mail Bombing/Mail Storm, Phishing, Email Spoofing, Crime via Chat Room, Identity Fraud/Chain Letter)
  o Crime via Chat Room
 Email Message
  o Sample of Email Header
  o List of Common Headers
  o List of Common X-Headers
 Steps to Investigate Email Crimes and Violation
  o Obtain a Search Warrant and Seize the Computer and Email Account
  o Examine E-mail Messages
    . Copy and Print the E-mail Message
    . Viewing Email Headers in Microsoft Outlook
    . Viewing Email Headers in Microsoft Outlook.com
    . Viewing Email Headers in AOL
    . Viewing Email Headers in Apple Mail
    . Viewing Email Headers in Gmail
    . Viewing Headers in Yahoo Mail
    . Received Headers
    . Analyzing Email Headers
    . Examining Additional Files (.pst or .ost Files)
    . Checking the E-mail Validity
    . Examine the Originating IP Address
    . Trace the E-mail Origin
    . Validating Header Information
    . Tracing Back Web-based E-mail
  o Acquire Email Archives
    . Email Archives
    . Content of Email Archives
    . Local Archive
    . Server Storage Archive
    . Forensic Acquisition of Email Archive
  o Recover Deleted Emails
    . Deleted Email Recovery
  o Examining Email Logs
    . Examining Linux E-mail Server Logs
    . Examining Microsoft Exchange E-mail Server Logs
    . Examining Novell GroupWise E-mail Server Logs
 Email Forensics Tools
  o Recover My Email
  o MailXaminer
  o Email Forensics Tools
 Laws and Acts against Email Crimes
  o U.S. Laws Against Email Crime: CAN-SPAM Act

Module 13: Mobile Phone Forensics
 Mobile Device Forensics
  o Why Mobile Forensics?
  o Top Threats Targeting Mobile Devices
  o Mobile Hardware and Forensics
  o Mobile OS and Forensics
    . Architectural Layers of Mobile Device Environment
    . Android Architecture Stack
    . Android Boot Process
    . iOS Architecture
    . iOS Boot Process
    . Normal and DFU Mode Booting
    . Booting iPhone in DFU Mode
    . Mobile Storage and Evidence Locations
  o What Should You Do Before the Investigation?
    . Build a Forensics Workstation
    . Build the Investigation Team
    . Review Policies and Laws
    . Notify Decision Makers and Acquire Authorization
    . Risk Assessment
    . Build a Mobile Forensics Toolkit
    . Mobile Phone Evidence Analysis
  o Mobile Forensics Process
    . Collecting the Evidence
    . Document the Scene
    . Document the Evidence
    . Evidence Preservation
    . Set of Rules for Switching ON/OFF Mobile Phone
    . Mobile Phone Signal Containment
    . Packing, Transporting, and Storing the Evidence
    . Forensics Imaging
       Forensics Imaging of Android Device Using FTK Imager
       Creating Disk Image of an iPhone Using SSH
    . Phone Locking
       Bypassing Android Phone Lock Password Using ADB
       iPhone Passcodes
       Bypassing the iPhone Passcode Using iExplorer
    . Enabling USB Debugging
    . Platform Security Removal Techniques: Jailbreaking/Rooting
    . Mobile Evidence Acquisition
       Data Acquisition Methods
    . Cellular Network
       Components of Cellular Network
       Different Cellular Networks
       Cell Site Analysis: Analyzing Service Provider Data
       CDR Contents
       Sample CDR Log File
    . Subscriber Identity Module (SIM)
       SIM File System
       Data Stored in a Subscriber Identity Module
       Integrated Circuit Card Identification (ICCID)
       International Mobile Equipment Identifier (IMEI)
       Electronic Serial Number (ESN)
       SIM Cloning
       SIM Data Acquisition Tools
       SIM Forensic Analysis Tools
    . Logical Acquisition
       Android Logical Acquisition Using MOBILedit
       Additional Logical Acquisition Tools
    . Physical Acquisition
       Physical Acquisition Using Oxygen Forensic Suite
    . File System Acquisition
       File System Acquisition Using Oxygen Forensic Suite
    . File Carving
       File Carving Using Forensic Explorer
       iPhone File Carving Using Scalpel Tool
       File Carving Tools
    . SQLite Database Extraction
       Forensics Analysis of SQLite Database Using Andriller
       SQLite Database Browsing Tools: Oxygen Forensics SQLite Viewer
       SQLite Database Browsing Tools
    . Android Forensics Analysis
    . iPhone Data Extraction
       iPhone Data Acquisition Tools
       iPhone Forensics Analysis Using the Oxygen Forensics Suite
    . Examination and Analysis
    . Generating Investigation Report
    . Mobile Forensics Report Template
       Sample Mobile Forensics Analysis Worksheet
       Cellebrite UFED Touch Sample Mobile Forensic Report Snapshot

Module 14: Forensics Report Writing and Presentation
 Writing Investigation Reports
  o Forensic Investigation Report
  o Important Aspects of a Good Report
  o Forensic Investigation Report Template
  o Report Classification
  o Guidelines for Writing a Report
  o Other Guidelines for Writing a Report
 Expert Witness Testimony
  o What Is an Expert Witness?
  o Roles of an Expert Witness
  o Technical Witness vs. Expert Witness
  o Daubert Standard
  o Frye Standard
  o What Makes a Good Expert Witness?
  o Importance of Curriculum Vitae
  o Professional Code of Conduct for an Expert Witness
  o Preparing for a Testimony
    . Testifying in the Court
       General Order of Trial Proceedings
    . General Ethics While Testifying
    . Importance of Graphics in a Testimony
    . Helping Your Attorney
    . Avoiding Testimony Issues
    . Testifying during Direct Examination
    . Testifying during Cross-Examination
    . Testifying during Cross-Examination: Best Practices
  o Deposition
    . Guidelines to Testify at a Deposition
  o Dealing with Media
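The following is an added example for the Module 02 topic "Verify Image Integrity" and the Module 04 topics "Acquiring Data on Linux: dd / dcfldd Command" and "Validate Data Acquisitions"; it is not part of the CHFI outline or of EC-Council's course material. It re-creates in Python what an examiner gets from `dd if=/dev/sdX of=evidence.dd bs=512 conv=noerror,sync` followed by `sha256sum`, or from `dcfldd ... hash=sha256 hashlog=...`: a block-by-block copy that zero-fills unreadable sectors so later offsets are preserved, a hash computed during the copy, and an independent re-hash of the finished image. The `FaultyDevice` class and the 5120-byte evidence file are constructed stand-ins for a real drive; everything else is standard library.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 512  # sector-sized reads; on a real drive use the device's logical sector size


class FaultyDevice:
    """Constructed stand-in for a drive with unreadable sectors: a read that
    lands on a listed block raises OSError, as a failing disk would."""

    def __init__(self, path, bad_blocks=()):
        self._fh = open(path, "rb")
        self._bad = set(bad_blocks)
        self._next_block = 0

    def read(self, size):
        block = self._next_block
        self._next_block += 1
        data = self._fh.read(size)  # the head moves on even when the read fails
        if block in self._bad and data:
            raise OSError(f"I/O error reading block {block}")
        return data

    def close(self):
        self._fh.close()


def image_device(device, image_path, block_size=BLOCK_SIZE):
    """Bit-stream copy, block by block. An unreadable block is written as zeros
    of the full block size (what dd conv=noerror,sync does) so every later byte
    keeps its original offset, and the block number is recorded.
    Returns (sha256 of the bytes written, list of zero-filled block numbers)."""
    running = hashlib.sha256()  # hash while copying, like dcfldd hash=sha256
    zero_filled = []
    block = 0
    with open(image_path, "wb") as out:
        while True:
            try:
                chunk = device.read(block_size)
            except OSError:
                chunk = b"\x00" * block_size
                zero_filled.append(block)
            if not chunk:
                break
            out.write(chunk)
            running.update(chunk)
            block += 1
    return running.hexdigest(), zero_filled


def hash_file(path, algorithm="sha256"):
    """Hash a file in 1 MiB reads (what sha256sum / md5sum do)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire_and_verify(source_path, image_path, bad_blocks=()):
    """The acquisition record an examiner keeps: source hash taken before
    imaging, hash computed during the copy, and an independent re-read of the
    finished image; 'match' is True only when all three agree. With unreadable
    blocks the hashes legitimately differ, and the record lists the zero-filled
    blocks so the discrepancy is documented rather than hidden."""
    source_sha256 = hash_file(source_path)
    device = FaultyDevice(source_path, bad_blocks)
    try:
        image_sha256, zero_filled = image_device(device, image_path)
    finally:
        device.close()
    reread_sha256 = hash_file(image_path)
    return {
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "image_sha256_reread": reread_sha256,
        "image_md5": hash_file(image_path, "md5"),  # secondary value only; MD5 is collision-broken
        "image_size": os.path.getsize(image_path),
        "zero_filled_blocks": zero_filled,
        "match": source_sha256 == image_sha256 == reread_sha256,
    }


def demo():
    """Image a constructed 10-sector 'drive' once cleanly and once with block 3 unreadable."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence = os.path.join(workdir, "evidence.bin")
        with open(evidence, "wb") as fh:
            fh.write(bytes(range(256)) * 20)  # 5120 bytes = 10 blocks of 512, constructed data
        clean = acquire_and_verify(evidence, os.path.join(workdir, "clean.dd"))
        damaged = acquire_and_verify(evidence, os.path.join(workdir, "damaged.dd"), bad_blocks=[3])
        return clean, damaged


if __name__ == "__main__":
    for label, record in zip(("clean", "damaged"), demo()):
        print(label, "match:", record["match"], "zero-filled:", record["zero_filled_blocks"])
```

The outline lists MD5 calculators for the integrity check; MD5 is recorded here only as a secondary value because it is collision-broken, and the comparison that decides `match` is SHA-256. When a sector is unreadable the hashes cannot agree, so the record keeps the list of zero-filled blocks: a report that only says "hash mismatch" is unexplained, one that says "block 3 unreadable, zero-filled" is defensible.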
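Added example for the Module 08 topic "Investigating XSS: Using Regex to Search XSS Strings"; it is not from the course. It parses Apache combined-format access logs and applies a small set of XSS indicator patterns to the URL after bounded percent-decoding, so encoded and double-encoded payloads are caught. The log lines are constructed, and the pattern list is an assumption to be tuned per application, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Apache/NCSA "combined" access log line
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Fragments that rarely occur in legitimate request lines. They are matched
# case-insensitively against the *decoded* request so that %3Cscript%3E and
# <script> are treated alike; extend this list rather than LOG_RE.
XSS_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script",                                  # <script ...>
    r"javascript\s*:",                              # javascript: URLs
    r"\bon[a-z]+\s*=",                              # onerror=, onload=, ... event handlers
    r"<\s*(?:img|svg|iframe|body|object|embed)\b",  # tags commonly used to carry a handler
    r"\b(?:alert|prompt|confirm)\s*\(",             # proof-of-concept payload calls
    r"document\.(?:cookie|location)",               # session theft / redirect
)]


def decode_request(url, max_rounds=3):
    """Percent-decode repeatedly, but boundedly, so a double-encoded payload
    such as %253Cscript%253E is unwrapped; stop as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url


def find_xss(log_lines):
    """One finding per suspicious request: source IP, timestamp, response
    status, the decoded URL, and which patterns fired. Lines that do not parse
    are skipped rather than guessed at."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = decode_request(m["url"])
        hits = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "url": decoded, "patterns": hits})
    return findings


SAMPLE_LOG = [  # constructed lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /profile?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(document.cookie)%253E HTTP/1.1" 200 731 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:56:05 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_xss(SAMPLE_LOG):
        print(f["ip"], f["time"], f["status"], f["url"], f["patterns"])
```

Two practitioner caveats are built in: match after decoding (a regex for `<script` on the raw line misses `%3Cscript%3E`), and bound the decoding rounds so a log full of deliberately over-encoded junk cannot turn the scan into a CPU sink. IIS W3C logs have a different layout; only `LOG_RE` needs to change for them.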
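Added example for the static-analysis items under Module 11 (file fingerprinting, performing a strings search, identifying packing, finding PE information); it is not course code. It walks the PE headers with `struct` and flags sections that look packed by byte entropy and by the gap between virtual and raw size, which is the check a UPX-style stub usually fails. `build_sample_pe` constructs a minimal, non-runnable PE32+ image so the block works offline; the section names, the embedded strings and the 203.0.113.9 URL are invented.

```python
import hashlib
import math
import random
import re
import struct
from collections import Counter
from datetime import datetime, timezone

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def fingerprint(data):
    """The hashes an analyst records before anything else (and submits to a
    service such as VirusTotal instead of the sample itself)."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs of four or more characters, which is
    what the `strings` utility reports (UTF-16 only with -el)."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_hits = [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return ascii_hits + wide_hits


def shannon_entropy(blob):
    """Bits per byte; near 8.0 means compressed, encrypted or packed data."""
    if not blob:
        return 0.0
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values())


def pe_info(data):
    """Walk DOS header -> PE signature -> COFF header -> optional-header magic
    -> section table, and flag sections that look packed (near-random bytes,
    or a virtual size far larger than what is stored on disk)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt_off + opt_size + 40 * i)
        blob = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr, "raw_size": rawsize,
            "entropy": round(shannon_entropy(blob), 2),
            "sha256": hashlib.sha256(blob).hexdigest(),
        })
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "characteristics": hex(characteristics),
        "sections": sections,
        "packing_indicators": [s["name"] for s in sections
                               if s["entropy"] > 7.0 or s["virtual_size"] > 4 * max(s["raw_size"], 1)],
    }


def build_sample_pe():
    """Constructed minimal PE32+ image for the demo: DOS header, PE signature,
    COFF header, zero-filled optional header (magic only) and two sections.
    Not a real binary; it will not run."""
    text = (b"\x55\x48\x89\xe5" + b"kernel32.dll\0CreateRemoteThread\0WriteProcessMemory\0"
            + b"http://203.0.113.9/stage2.bin\0"
            + "cmd.exe /c whoami".encode("utf-16-le") + b"\0\0").ljust(512, b"\0")
    rng = random.Random(1)
    packed = bytes(rng.getrandbits(8) for _ in range(1024))  # near-random, as a packed section looks
    e_lfanew, opt_size, raw0 = 0x40, 0xF0, 0x200
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, 0x6524A1C0, 0, 0, opt_size, 0x0022)
    optional = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")
    sec = struct.Struct("<8sIIIIIIHHI")
    table = (sec.pack(b".text", len(text), 0x1000, len(text), raw0, 0, 0, 0, 0, 0x60000020)
             + sec.pack(b".upx1", 0x8000, 0x2000, len(packed), raw0 + len(text), 0, 0, 0, 0, 0xE0000040))
    return (dos + b"PE\0\0" + coff + optional + table).ljust(raw0, b"\0") + text + packed


if __name__ == "__main__":
    sample = build_sample_pe()
    print(fingerprint(sample)["sha256"])
    info = pe_info(sample)
    print(info["format"], info["machine"], info["compile_time"], info["packing_indicators"])
    print([s for s in extract_strings(sample) if "/" in s or "." in s])
```

Hashing first matters because the hash, not the sample, is what you submit to VirusTotal or another online service: uploading the file tells the attacker their sample has been found. Entropy above roughly 7.0 bits per byte is the usual packing threshold; compressed resources (PNG, ZIP) score high too, so confirm with the section name and the virtual/raw size gap before concluding the code itself is packed.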
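Added example for the Module 12 topics "Received Headers", "Examine the Originating IP Address" and "Trace the E-mail Origin"; it is not from the course. It parses the Received chain with the standard-library `email` package, reverses it into transit order, and reports the earliest hop that a server under the investigator's control wrote. The message is constructed; `example.com`, `example.net` and the 192.0.2.x / 198.51.100.x addresses are documentation values, and `trusted_suffix` is an assumption you replace with your own mail domain.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# One Received header: "from <helo> (<rdns> [<ip>]) by <server> ...; <date>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                      # name the client announced in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"  # what the receiving MTA itself observed
    r".*?\bby\s+(?P<by>\S+)",
    re.DOTALL,
)


def received_chain(raw_message):
    """Hops oldest-first. Every MTA prepends its own Received header, so the
    top one is the final hop and the bottom one the first; reversing the header
    order recovers transit order. The timestamp is the receiving MTA's clock."""
    msg = message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        date = None
        if ";" in flat:
            try:
                date = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                date = None
        hops.append({
            "helo": m["helo"] if m else None,
            "rdns": m["rdns"] if m else None,
            "ip": m["ip"] if m else None,
            "by": m["by"] if m else None,
            "date": date,
        })
    return hops


def probable_origin(hops, trusted_suffix):
    """Walk back from the newest hop while the *receiving* server is one of
    ours. The 'from' address in the last such hop is the earliest value we can
    vouch for: every hop below it was written by machines the sender
    controlled, so those lines can say anything."""
    origin = None
    for hop in reversed(hops):
        if not hop["by"] or not hop["by"].endswith(trusted_suffix):
            break
        origin = hop
    return origin


def clock_anomalies(hops):
    """Indexes of hops whose timestamp is earlier than the previous hop's:
    either a skewed MTA clock or a fabricated header."""
    bad = []
    for i in range(1, len(hops)):
        if hops[i]["date"] and hops[i - 1]["date"] and hops[i]["date"] < hops[i - 1]["date"]:
            bad.append(i)
    return bad


SAMPLE_MESSAGE = """\
Received: from mx.example.com (mx.example.com [192.0.2.25])
\tby mailstore.example.com with ESMTP id 4Xk2; Tue, 10 Oct 2023 14:02:11 +0000
Received: from bulk-relay.example.net (unknown [198.51.100.5])
\tby mx.example.com with ESMTP id 7Qz9; Tue, 10 Oct 2023 14:02:09 +0000
Received: from mail.bigbank-example.com (localhost [127.0.0.1])
\tby bulk-relay.example.net with SMTP; Tue, 10 Oct 2023 13:59:58 +0000
From: "Security Team" <alerts@bigbank-example.com>
To: victim@example.com
Subject: Verify your account
Message-ID: <20231010135958.1@bigbank-example.com>

Click the link below to verify your account.
"""

if __name__ == "__main__":
    chain = received_chain(SAMPLE_MESSAGE)
    for i, hop in enumerate(chain, 1):
        print(i, hop["helo"], hop["ip"], "->", hop["by"], hop["date"])
    origin = probable_origin(chain, ".example.com")
    print("earliest trustworthy source:", origin["ip"], origin["rdns"])
```

The rule the function enforces is the one that holds up under cross-examination: a Received line is trustworthy exactly as far as you trust the server that wrote it. The bottom line of the sample claims the mail came from `mail.bigbank-example.com`, but that line was written by `bulk-relay.example.net`, which the sender controls; the first statement our own MX vouches for is that it accepted the message from 198.51.100.5 with no reverse DNS. `clock_anomalies` is the cheap secondary check for spliced headers.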