Overview

EC-Council released the most advanced computer forensic investigation program in the world. This course covers major forensic investigation scenarios that enable you to acquire hands-on experience on various forensic investigation techniques and standard tools necessary to successfully carry-out a computer forensic investigation.

 

Battles between corporations, governments, and countries are no longer fought using physical force. Cyber war has begun and the consequences can be seen in everyday life. With the onset of sophisticated cyber attacks, the need for advanced cybersecurity and investigation training is critical. If you or your organization requires the knowledge or skills to identify, track, and prosecute cyber criminals, then this is the course for you. You will learn how to excel in digital evidence acquisition, handling, and forensically sound analysis. These skills will lead to successful prosecutions in various types of security incidents such as data breaches, corporate espionage, insider threats, and other intricate cases involving computer systems.

 

Objectives

  • Perform incident response and forensics
  • Perform electronic evidence collections
  • Perform digital forensic acquisitions
  • Perform bit-stream Imaging/acquiring of the digital media seized during the process of investigation.
  • Examine and analyze text, graphics, multimedia, and digital images
  • Conduct thorough examinations of computer hard disk drives, and other electronic data storage media
  • Recover information and electronic data from computer hard drives and other data storage devices
  • Follow strict data and evidence handling procedures
  • Maintain audit trail (i.e., chain of custody) and evidence integrity
  • Work on technical examination, analysis and reporting of computer-based evidence
  • Prepare and maintain case files
  • Utilize forensic tools and investigative methods to find electronic data, including Internet use history, word processing documents, images and other files
  • Gather volatile and non-volatile information from Windows, MAC and Linux
  • Recover deleted files and partitions in Windows, Mac OS X, and Linux
  • Perform keyword searches including using target words or phrases
  • Investigate events for evidence of insider threats or attacks
  • Support the generation of incident reports and other collateral
  • Investigate and analyze all response activities related to cyber incidents
  • Plan, coordinate and direct recovery activities and incident analysis tasks
  • Examine all available information and supporting evidence or artefacts related to an incident or event
  • Collect data using forensic technology methods in accordance with evidence handling procedures, including collection of hard copy and electronic documents
  • Conduct reverse engineering for known and suspected malware files
  • Perform detailed evaluation of the data and any evidence of activity in order to analyze the full circumstances and implications of the event
  • Identify data, images and/or activity which may be the target of an internal investigation
  • Establish threat intelligence and key learning points to support pro-active profiling and scenario modelling
  • Search file slack space where PC type technologies are employed
  • File MAC times (Modified, Accessed, and Create dates and times) as evidence of access and event sequences
  • Examine file type and file header information
  • Review e-mail communications including web mail and Internet Instant Messaging programs
  • Examine the Internet browsing history
  • Generate reports which detail the approach, and an audit trail which documents actions taken to support the integrity of the internal investigation process
  • Recover active, system and hidden files with date/time stamp information
  • Crack (or attempt to crack) password protected files
  • Perform anti-forensics detection
  • Maintain awareness and follow laboratory evidence handling, evidence examination, laboratory safety, and laboratory security policy and procedures
  • Play a role of first responder by securing and evaluating a cybercrime scene, conducting preliminary interviews, documenting crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, reporting of the crime scene
  • Perform post-intrusion analysis of electronic and digital media to determine the who, where, what, when, and how the intrusion occurred
  • Apply advanced forensic tools and techniques for attack reconstruction
  • Perform fundamental forensic activities and form a base for advanced forensics
  • Identify and check the possible source/incident origin
  • Perform event co-relation
  • Extract and analyze logs from various devices such as proxies, firewalls, IPSes, IDSes, Desktops, laptops, servers, SIM tools, routers, switches, AD servers, DHCP servers, Access Control Systems, etc.
  • Ensure that reported incident or suspected weaknesses, malfunctions and deviations are handled with confidentiality
  • Assist in the preparation of search and seizure warrants, court orders, and subpoenas
  • Provide expert witness testimony in support of forensic examinations conducted by the examiner

 

Audience

The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

  • Police and other law enforcement personnel
  • Defense and Military personnel
  • e-Business Security professionals
  • Systems administrators
  • Legal professionals
  • Banking, Insurance and other professionals
  • Government agencies
  • IT managers

 

Prerequisites

  • Certified Ethical Hacking and Countermeasures (CEH) v10

 

Outline

Module 1: Computer Forensics in Today’s World

  • Understanding Computer Forensics
  • Why and When Do You Use Computer Forensics?
  • Cyber Crime (Types of Computer Crimes)
  • Case Study
  • Challenges Cyber Crimes Present For Investigators
  • Cyber Crime Investigation
  • Rules of Forensics Investigation
  • Understanding Digital Evidence
  • Types of Digital Evidence
  • Characteristics of Digital Evidence
  • Role of Digital Evidence
  • Sources of Potential Evidence
  • Rules of Evidence
  • Forensics Readiness
  • Computer Forensics as part of an Incident Response Plan
  • Need for Forensic Investigator
  • Roles and Responsibilities of Forensics Investigator
  • What makes a Good Computer Forensics Investigator?
  • Investigative Challenges
  • Legal and Privacy Issues
  • Code of Ethics
  • Accessing Computer Forensics Resources

 

Module 2: Computer Forensics Investigation Process

  • Importance of Computer Forensics Process
  • Phases Involved in the Computer Forensics Investigation Process
  • Pre-investigation Phase
  • Investigation Phase
  • Post-investigation Phase

 

Module 3: Understanding Hard Disks and File Systems

  • Hard Disk Drive Overview
  • Disk Partitions and Boot Process
  • Understanding File Systems
  • RAID Storage System
  • File System Analysis

 

Module 4: Data Acquisition and Duplication

  • Data Acquisition and Duplication Concepts
  • Static Acquisition
  • Validate Data Acquisitions
  • Acquisition Best Practices

 

Module 5: Defeating Anti-forensics Techniques

  • What is Anti-Forensics?
  • Anti-Forensics techniques

 

Module 6: Operating System Forensics (Windows, Mac, Linux)

  • Introduction to OS Forensics
  • Windows Forensics
  • Collecting Volatile Information
  • Collecting Non-Volatile Information
  • Analyze the Windows thumbcaches
  • Windows Memory Analysis
  • Windows Registry Analysis
  • Cache, Cookie, and History Analysis
  • Windows File Analysis
  • Metadata Investigation
  • Text Based Logs
  • Other Audit Events
  • Forensic Analysis of Event Logs
  • Windows Forensics Tools
  • Linux Forensics
  • Shell Commands
  • Linux Log files
  • Collecting Volatile Data
  • Collecting Non-Volatile Data
  • MAC Forensics
  • Introduction to MAC Forensics
  • MAC Forensics Data
  • MAC Log Files
  • MAC Directories
  • MAC Forensics Tools

 

Module 7: Network Forensics

  • Introduction to Network Forensics
  • Fundamental Logging Concepts
  • Event Correlation Concepts
  • Network Forensic Readiness
  • Network Forensics Steps
  • Network Traffic Investigation
  • Documenting the Evidence
  • Evidence Reconstruction

 

Module 8: Investigating Web Attacks

  • Introduction to Web Application Forensics
  • Web Attack Investigation
  • Investigating Web Server Logs
  • Web Attack Detection Tools
  • Tools for Locating IP Address
  • WHOIS Lookup Tools
  • WHOIS Lookup Tools

 

Module 9: Database Forensics

  • Database Forensics and Its Importance
  • MSSQL Forensics
  • MySQL Forensics

 

Module 10: Cloud Forensics

  • Introduction to Cloud Computing
  • Cloud Forensics

 

Module 11: Malware Forensics

  • Introduction to Malware
  • Introduction to Malware Forensics

 

Module 12: Investigating Email Crimes

  • Email System
  • Email Crimes (Email Spamming, Mail Bombing/Mail Storm, Phishing, Email Spoofing, Crime via Chat Room, Identity Fraud/Chain Letter)
  • Email Message
  • Steps to Investigate Email Crimes and Violation
  • Email Forensics Tools
  • Laws and Acts against Email Crimes

 

Module 13: Mobile Phone Forensics

  • Mobile Device Forensics

 

Module 14: Forensics Report Writing and Presentation

  • Writing Investigation Reports
  • Expert Witness Testimony

 

Related Certification

  • Computer Hacking Forensic Investigator Certification (Exam 312-49)