EC-Council Course

Overview

Digital forensic practice stems from forensic science, the science of collecting and examining evidence. Digital or computer forensics focuses on the digital domain, including computer forensics, network forensics, and mobile forensics. As the cybersecurity profession evolves, organizations are learning the importance of incorporating digital forensic practices into their everyday activities. Computer forensic practices can help investigate attacks and system anomalies, and can even help system administrators detect a problem by defining what normal system behavior looks like and checking system information against it for irregularities.

In the event of a cyber-attack or incident, it is critical that investigations be carried out in a forensically sound manner so that evidence is preserved in case the law has been broken. Far too many cyber-attacks occur across the globe in which laws are clearly broken, yet because forensic investigations are improper or non-existent, the cyber criminals go unidentified, undetected, or simply unprosecuted.

Cybersecurity professionals who acquire a firm grasp of the principles of digital forensics can become invaluable members of incident handling and incident response teams. The Computer Hacking Forensic Investigator (CHFI) course provides a strong baseline knowledge of key concepts and practices in the digital forensic domains relevant to today’s organizations, giving attendees a firm grasp of those domains.

Target Audience

The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.

  • Police and other law enforcement personnel
  • Defense and Military personnel
  • e-Business Security professionals
  • Systems administrators
  • Legal professionals
  • Banking, Insurance and other professionals
  • Government agencies
  • IT managers


'For the most up-to-date and enriched knowledge of digital forensics, I chose Computer Hacking Forensic Investigator (C|HFI), and it certainly paid off well. The training content, video streaming, and the hands-on labs, every learning method incorporated in the program were very interactive. I adored the real-time practice sessions as they left me with impressive technical skills. Getting to learn and practice hundreds of investigation tools was another exciting part of the program.'

Reuben Osilaja, Sr Security Compliance Specialist at Accenture Federal Services

Audience

  1. The computer forensic investigation process and the various legal issues involved
  2. Evidence searching, seizing and acquisition methodologies in a legal and forensically sound manner
  3. Types of digital evidence, rules of evidence, digital evidence examination process, and electronic crime and digital evidence consideration by crime category
  4. Roles of the first responder, first responder toolkit, securing and evaluating electronic crime scene, conducting preliminary interviews, documenting electronic crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, and reporting the crime scene
  5. Setting up a computer forensics lab and the tools involved in it
  6. Various file systems and how to boot a disk
  7. Gathering volatile and non-volatile information from Windows
  8. Data acquisition and duplication rules
  9. Validation methods and tools required
  10. Recovering deleted files and deleted partitions in Windows, Mac OS X, and Linux
  11. Forensic investigation using AccessData FTK and EnCase
  12. Steganography and its techniques
  13. Steganalysis and image file forensics
  14. Password cracking concepts, tools, and types of password attacks
  15. Investigating password protected files
  16. Types of log capturing, log management, time synchronization, and log capturing tools
  17. Investigating logs, network traffic, wireless attacks, and web attacks
  18. Tracking emails and investigating email crimes
  19. Mobile forensics and mobile forensics software and hardware tools
  20. Writing investigative reports

Skills Gained

Classroom Live Outline

  1. Computer Forensics in Today's World
  2. Computer Forensics Investigation Process
  3. Searching and Seizing Computers
  4. Digital Evidence
  5. First Responder Procedures
  6. Computer Forensics Lab
  7. Understanding Hard Disks and File Systems
  8. Windows Forensics
  9. Data Acquisition and Duplication
  10. Recovering Deleted Files and Deleted Partitions
  11. Forensics Investigation Using AccessData FTK
  12. Forensics Investigation Using EnCase
  13. Steganography and Image File Forensics
  14. Application Password Crackers
  15. Log Capturing and Event Correlation
  16. Network Forensics, Investigating Logs and Investigating Network Traffic
  17. Investigating Wireless Attacks
  18. Investigating Web Attacks
  19. Tracking Emails and Investigating Email Crimes
  20. Mobile Forensics
  21. Investigative Reports
  22. Becoming an Expert Witness

Classroom Live Labs

  • Lab 1: Computer Forensics in Today's World
  • Lab 2: Learning about Computer Crime Policies, Programs, and Computer Forensics Laws
  • Lab 3: Reporting a Cybercrime to the FBI
  • Lab 4: Case Study: Child Pornography
  • Lab 5: Additional Reading Material
  • Lab 6: Computer Forensics Investigation Process
  • Lab 7: Recovering Data Using the Recover My Files Tool
  • Lab 8: Performing Hash, Checksum, or HMAC Calculations Using the HashCalc Tool
  • Lab 9: Generating MD5 Hashes Using MD5 Calculator
  • Lab 10: Additional Reading Material
  • Lab 11: Searching and Seizing Computers with a Search Warrant
  • Lab 12: Understanding an Application for a Search Warrant (Exhibit A)
  • Lab 13: Additional Reading Material
  • Lab 14: Studying the Digital Evidence Examination Process - Case Study 1
  • Lab 15: Studying the Digital Evidence Examination Process - Case Study 2
  • Lab 16: Additional Reading Material
  • Lab 17: Studying First Responder Procedures
  • Lab 18: Understanding the First Responder Toolkit
  • Lab 19: Additional Reading Material
  • Lab 20: Computer Forensics Lab
  • Lab 21: Gathering Evidence Using the Various Tools of DataLifter
  • Lab 22: Viewing Files of Various Formats Using the File Viewer Tool
  • Lab 23: Handling Evidence Data Using the P2 Commander Tool
  • Lab 24: Creating a Disk Image File of a Hard Disk Partition Using the R-Drive Image Tool
  • Lab 25: Additional Reading Material
  • Lab 26: Understanding Hard Disks and File Systems
  • Lab 27: Recovering Deleted Files from Hard Disks Using WinHex
  • Lab 28: Analyzing File System Types Using The Sleuth Kit (TSK)
  • Lab 29: Case Study: Corporate Espionage
  • Lab 30: Additional Reading Material
  • Lab 31: Performing Windows Forensics
  • Lab 32: Discovering and Extracting Hidden Forensic Material on Computers Using OSForensics
  • Lab 33: Extracting Information about Loaded Processes Using Process Explorer
  • Lab 34: Investigating Metadata Using Metadata Analyzer
  • Lab 35: Viewing, Monitoring, and Analyzing Events Using the Event Log Explorer Tool
  • Lab 36: Performing a Computer Forensic Investigation Using the Helix Tool
  • Lab 37: Case Study: Terrorist Attack
  • Lab 38: Case Study: Brutal Murder
  • Lab 39: Forensics Challenge: Banking Troubles
  • Lab 40: Additional Reading Material
  • Lab 41: Data Acquisition and Duplication
  • Lab 42: Investigating an NTFS Drive Using DiskExplorer for NTFS
  • Lab 43: Viewing the Content of a Forensic Image Using the AccessData FTK Imager Tool
  • Lab 44: Searching Text Strings in a Hard Disk Partition Image Using DriveLook
  • Lab 45: Forensics Challenge: Forensic Analysis of a Compromised Server
  • Lab 46: Additional Reading Material
  • Lab 47: Recovering Deleted Files and Deleted Partitions
  • Lab 48: File Recovery Using EASEUS Data Recovery Wizard
  • Lab 49: File Recovery Using Quick Recovery Tool
  • Lab 50: Partition Recovery Using MiniTool Power Data Recovery Tool
  • Lab 51: Case Study: Employee Sabotage
  • Lab 52: Case Study: Virus Attack
  • Lab 53: Additional Reading Material
  • Lab 54: Forensics Investigation
  • Lab 55: Investigating a Case Using AccessData FTK
  • Lab 56: Case Study: Business Rivalry
  • Lab 57: Case Study: Sabotage
  • Lab 58: Forensics Investigation Using EnCase
  • Lab 59: Case Study: Disaster Recovery Investigation
  • Lab 60: Performing Steganalysis and Forensics of an Image File
  • Lab 61: Analyzing Images for Hidden Messages Using Stegdetect
  • Lab 62: Analyzing Image File Headers Using Hex Workshop
  • Lab 63: Identifying Image File Format Using IrfanView
  • Lab 64: Recovering Photo Evidence from a Raw File Using Adroit Photo Forensics 2011
  • Lab 65: Case Study: Steganography
  • Lab 66: Forensics Challenge: Malware Reverse Engineering
  • Lab 67: Additional Reading Material
  • Lab 68: Application Password Crackers
  • Lab 69: Cracking Passwords Using the Password Recovery Bundle Tool
  • Lab 70: Cracking Passwords Using the Advanced Office Password Recovery Tool
  • Lab 71: Password Cracking Using the Advanced PDF Password Recovery Tool
  • Lab 72: Cracking Passwords Using the KRyLack Archive Password Recovery Tool
  • Lab 73: Password Cracking Using the Windows Password Breaker Tool
  • Lab 74: Case Study: Encrypted Documents
  • Lab 75: Additional Reading Material
  • Lab 76: Capturing and Analyzing Log Files
  • Lab 77: Capturing and Analyzing the Logs of a Computer Using the GFI EventsManager Tool
  • Lab 78: Investigating System Log Data Using the XpoLog Center Suite Tool
  • Lab 79: Viewing Event Logs Using the Kiwi Syslog Server Tool
  • Lab 80: Forensics Challenge: Log Mysteries
  • Lab 81: Additional Reading Material
  • Lab 82: Network Forensics
  • Lab 83: Capturing and Analyzing Live Data Packets Using the Wireshark Tool
  • Lab 84: Analyzing a Network Using the Colasoft Capsa Network Analyzer Tool
  • Lab 85: Monitoring the Network and Capturing Live Traffic Using the NetWitness Investigator Tool
  • Lab 86: Forensics Challenge: Pcap Attack Trace
  • Lab 87: Additional Reading Material
  • Lab 88: Investigating Wireless Attacks
  • Lab 89: Cracking a WEP Network with Aircrack-ng for Windows
  • Lab 90: Sniffing the Network Using the OmniPeek Network Analyzer
  • Lab 91: Forensics Challenge: VoIP
  • Lab 92: Additional Reading Material
  • Lab 93: Investigating Web Attacks
  • Lab 94: Finding Web Security Vulnerabilities Using the N-Stalker Web Application Security Scanner
  • Lab 95: Analyzing Domain and IP Address Queries Using the SmartWhois Tool
  • Lab 96: Case Study: Trademark Infringement
  • Lab 97: Forensics Challenge: Browsers Under Attack
  • Lab 98: Additional Reading Material
  • Lab 99: Investigating Email Crimes
  • Lab 100: Recovering Deleted Emails Using the Recover My Email Utility
  • Lab 101: Investigating Email Crimes Using Paraben's Email Examiner Tool
  • Lab 102: Tracing an Email Using the eMailTrackerPro Tool
  • Lab 103: Case Study: Racial Discrimination
  • Lab 104: Forensics Challenge: Analyzing Malicious Portable Destructive Files
  • Lab 105: Additional Reading Material
  • Lab 106: Mobile Forensics
  • Lab 107: Investigating Mobile Information Using Oxygen Forensic Suite 2011
  • Lab 108: Case Study: iPod - A Handy Tool for Crime
  • Lab 109: Additional Reading Material
  • Lab 110: Investigative Reports
  • Lab 111: Creating an Investigative Report Using the ProDiscover Tool
  • Lab 112: Case Study: Pornography
  • Lab 113: Additional Reading Material
  • Lab 114: Studying Computerlegalexperts.com
  • Lab 115: Finding a Computer Forensics Expert
  • Lab 116: Understanding How to Become an Expert Witness
  • Lab 117: Case Study: Expert Witness
  • Lab 118: Additional Reading Material
  • Lab 119: Analyzing an Al-Qaida Hard Disk Using Various Forensics Tools

Prerequisites

  • IT/forensics professionals with basic knowledge of IT/cyber security, computer forensics, and incident response
  • Prior completion of CEH training would be an advantage

Outline

Module 01: Computer Forensics in Today’s World

  • Understanding Computer Forensics
  • Why and When Do You Use Computer Forensics?
  • Cyber Crime (Types of Computer Crimes)
  • Case Study
  • Challenges Cyber Crimes Present For Investigators
  • Cyber Crime Investigation
    • Civil versus Criminal Investigation
    • Case Study: Criminal Case
    • Case Study: Civil Case
    • Administrative Investigation
    • Case Study: Administrative Case
  • Rules of Forensics Investigation
    • Enterprise Theory of Investigation (ETI)
  • Understanding Digital Evidence
  • Types of Digital Evidence
  • Characteristics of Digital Evidence
  • Role of Digital Evidence
    • Digital Forensics Challenges
  • Sources of Potential Evidence
  • Rules of Evidence
    • Best Evidence Rule
    • “Hearsay” concept
    • Federal Rules of Evidence
      • Scientific Working Group on Digital Evidence (SWGDE)
  • Forensics Readiness
    • Forensics Readiness Planning
  • Computer Forensics as part of an Incident Response Plan
  • Need for Forensic Investigator
  • Roles and Responsibilities of Forensics Investigator
  • What makes a Good Computer Forensics Investigator?
  • Investigative Challenges
    • Computer Forensics: Legal Issues
    • Computer Forensics: Privacy Issues
  • Legal and Privacy Issues
  • Code of Ethics
  • Accessing Computer Forensics Resources

Module 02: Computer Forensics Investigation Process

  • Importance of Computer Forensics Process
  • Phases Involved in the Computer Forensics Investigation Process
  • Pre-investigation Phase
    • Setting Up a Computer Forensics Lab
      • Planning and Budgeting
      • Physical Location and Structural Design Considerations
      • Work Area Considerations
      • Physical Security Recommendations
      • Fire-Suppression Systems
      • Evidence Locker Recommendations
      • Auditing the Security of a Forensics Lab
      • Human Resource Considerations
      • Build a Forensics Workstation
      • Basic Workstation Requirements in a Forensics Lab
      • Build a Computer Forensics Toolkit
      • Forensics Hardware
      • Forensics Software
    • Build the Investigation Team
      • Forensic Practitioner Certification and Licensing
    • Review Policies and Laws
      • Forensics Laws
    • Establish Quality Assurance Processes
      • Quality Assurance Practices in Digital Forensics
      • General Quality Assurance in the Digital Forensic Process
      • Quality Assurance Practices: Laboratory Software and Hardware
      • Laboratory Accreditation Programs
    • Data Destruction Industry Standards
    • Risk Assessment
      • Risk Assessment Matrix
  • Investigation Phase
    • Investigation Process
      • Questions to Ask When a Client Calls the Forensic Investigator
      • Checklist to Prepare for a Computer Forensics Investigation
      • Notify Decision Makers and Acquire Authorization
    • Computer Forensics Investigation Methodology: First Response
      • First Responder
        • Roles of First Responder
      • First Response Basics
      • Incident Response: Different Situations
        • First Response by System Administrators
        • First Response by Non-Forensic Staff
        • First Response by Laboratory Forensic Staff
      • First Responder Common Mistakes
      • Documenting the Electronic Crime Scene
        • Photographing the Scene
        • Sketching the Scene
        • Note Taking Checklist
    • Computer Forensics Investigation Methodology: Search and Seizure
      • Consent
        • Sample of Consent Search Form
        • Witness Signatures
        • Witness Statement Checklist
      • Conducting Preliminary Interviews
      • Planning the Search and Seizure
        • Initial Search of the Scene
      • Warrant for Search and Seizure
        • Obtain Search Warrant
        • Example of Search Warrant
      • Searches Without a Warrant
      • Health and Safety Issues
      • Securing and Evaluating Electronic Crime Scene: A Checklist
    • Computer Forensics Investigation Methodology: Collect the Evidence
      • Collect Physical Evidence
        • Evidence Collection Form
      • Collecting and Preserving Electronic Evidence
      • Dealing with Powered On Computers
      • Dealing with Powered Off Computers
      • Dealing with Networked Computer
      • Dealing with Open Files and Startup Files
      • Operating System Shutdown Procedure
      • Computers and Servers
      • Preserving Electronic Evidence
      • Seizing Portable Computers
      • Dealing with Switched On Portable Computers
    • Computer Forensics Investigation Methodology: Secure the Evidence
      • Evidence Management
      • Chain of Custody
        • Simple Format of the Chain of Custody Document
        • Chain of Custody Forms
        • Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
      • Packaging and Transporting Electronic Evidence
        • Evidence Bag Contents List
        • Packaging Electronic Evidence
        • Exhibit Numbering
        • Transporting Electronic Evidence
      • Storing Electronic Evidence
    • Computer Forensics Investigation Methodology: Data Acquisition
      • Guidelines for Acquiring Evidence
      • Duplicate the Data (Imaging)
      • Verify Image Integrity
        • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
      • Recover Lost or Deleted Data
        • Data Recovery Software
    • Computer Forensics Investigation Methodology: Data Analysis
      • Data Analysis
  • Post-investigation Phase
    • Computer Forensics Investigation Methodology: Evidence Assessment
      • Evidence Assessment
      • Case Assessment
      • Processing Location Assessment
      • Collecting Evidence from Social Networks
      • Best Practices on how to Behave as an Investigator on Social Media
      • Best Practices to Assess the Evidence
    • Computer Forensics Investigation Methodology: Documentation and Reporting
      • Documentation in Each Phase
      • Gather and Organize Information
      • Writing the Investigation Report
    • Computer Forensics Investigation Methodology: Testify as an Expert Witness
      • Expert Witness
      • Testifying in the Court Room
      • Closing the Case
      • Maintaining Professional Conduct

Module 03: Understanding Hard Disks and File Systems

  • Hard Disk Drive Overview
    • Disk Drive Overview
    • Hard Disk Drive (HDD)
    • Solid-State Drive (SSD)
    • Physical Structure of a Hard Disk
    • Logical Structure of Hard Disk
    • Types of Hard Disk Interfaces
    • Hard Disk Interfaces
      • ATA
      • SCSI
      • IDE/EIDE
      • USB
      • Fibre Channel
    • Tracks
      • Track Numbering
    • Sector
      • Sector Addressing
      • Advanced Format: Sectors
    • Cluster
      • Cluster Size
      • Slack Space
      • Lost Clusters
    • Bad Sectors
    • Understanding Bit, Byte, and Nibble
    • Hard Disk Data Addressing
    • Data Densities on a Hard Disk
    • Disk Capacity Calculation
    • Measuring the Performance of the Hard Disk
  • Disk Partitions and Boot Process
    • Disk Partitions
    • BIOS Parameter Block (BPB)
    • Partitioning Utilities
    • Master Boot Record
      • Structure of a Master Boot Record
    • Globally Unique Identifier (GUID)
      • GUID Partition Table (GPT)
    • What is the Booting Process?
    • Essential Windows System Files
    • Windows Boot Process
    • Identifying GUID Partition Table (GPT)
    • Analyzing the GPT Header and Entries
    • GPT Artifacts
    • Macintosh Boot Process
    • Linux Boot Process
  • Understanding File Systems
    • Understanding File Systems
    • Types of File Systems
    • Windows File Systems
      • File Allocation Table (FAT)
        • FAT File System Layout
        • FAT Partition Boot Sector
        • FAT Folder Structure
        • Directory Entries and Cluster Chains
        • Filenames on FAT Volumes
        • FAT32
      • New Technology File System (NTFS)
        • NTFS Architecture
        • NTFS System Files
        • NTFS Partition Boot Sector
        • Cluster Sizes of NTFS Volume
        • NTFS Master File Table (MFT)
          • Metadata Files Stored in the MFT
        • NTFS Attributes
        • NTFS Data Stream
        • NTFS Compressed Files
          • Setting the Compression State of a Volume
        • Encrypting File Systems (EFS)
          • Components of EFS
          • EFS Attribute
        • Sparse Files
    • Linux File Systems
      • Linux File System Architecture
      • File System Hierarchy Standard (FHS)
      • Extensible File System (Ext)
      • Second Extensible File System (Ext2)
      • Third Extensible File System (Ext3)
      • Fourth Extensible File System (Ext4)
    • Mac OS X File Systems
      • HFS vs. HFS Plus
      • Hierarchical File System (HFS)
      • Hierarchical File System Plus (HFS+)
        • HFS Plus Volumes
        • HFS Plus Journal
    • Oracle Solaris 11 File System: ZFS
    • CD-ROM / DVD File System
    • Compact Disc File System (CDFS)
    • Virtual File System (VFS) and Universal Disk Format File System (UDF)
  • RAID Storage System
    • Levels of RAID Storage System
    • Host Protected Areas (HPA) and Device Configuration Overlays (DCO)
  • File System Analysis
    • File Carving
    • Image File Analysis: JPEG
    • Image File Analysis: BMP
    • Hex View of Popular Image File Formats
    • PDF File Analysis
    • Word File Analysis
    • PPT File Analysis
    • Excel File Analysis
    • Hex View of Other Popular File Formats
      • Video
      • Audio
    • File System Analysis Using Autopsy
    • File System Analysis Using The Sleuth Kit (TSK)
    • The Sleuth Kit (TSK): fsstat
    • The Sleuth Kit (TSK): istat
    • The Sleuth Kit (TSK): fls and img_stat

Module 04: Data Acquisition and Duplication

  • Data Acquisition and Duplication Concepts
    • Understanding Data Acquisition
      • Types of Data Acquisition Systems
    • Live Data Acquisition
    • Order of Volatility
    • Common Mistakes in Volatile Data Collection
    • Volatile Data Collection Methodology
  • Static Acquisition
    • Static Data Acquisition
    • Rules of Thumb
    • Why Create a Duplicate Image?
    • Bit Stream Image Vs. Backups
    • Issues with Data Duplication
    • Data Acquisition and Duplication Steps
    • Prepare a Chain of Custody Document
    • Enable Write Protection on the Evidence Media
    • Sanitize the Target Media: NIST SP 800-88 Guidelines
    • Determine the Data Acquisition Format
    • Data Acquisition Methods
    • Determine the Best Acquisition Method
    • Select the Data Acquisition Tool
      • Mandatory Requirements
      • Optional Requirements
    • Data Acquisition and Duplication Tools: Hardware
    • Data Acquisition and Duplication Tools: Software
    • Linux Standard Tools
    • Acquiring Data on Linux: dd Command
    • Acquiring Data on Linux: dcfldd Command
    • Acquiring Data on Windows: AccessData FTK Imager
    • Acquiring RAID Disks
    • Remote Data Acquisition
    • Data Acquisition Mistakes
    • Plan for Contingency
  • Validate Data Acquisitions
    • Linux Validation Methods
    • Windows Validation Methods
  • Acquisition Best Practices

Module 05: Defeating Anti-forensics Techniques

  • What is Anti-Forensics?
    • Goals of Anti-Forensics
  • Anti-Forensics techniques
    • Data/File Deletion
      • What Happens When a File is Deleted in Windows?
      • Recycle Bin in Windows
        • Storage Locations of Recycle Bin in FAT and NTFS Systems
        • How the Recycle Bin Works
        • Damaged or Deleted INFO2 File
        • Damaged Files in Recycle Bin Folder
        • Damaged Recycle Bin Folder
        • File Recovery Tools: Windows
      • File Recovery in Mac OS X
        • File Recovery Tools: Mac
        • File Recovery in Linux
      • Recovering the Deleted Partitions
        • Partition Recovery Tools: Active@ Partition Recovery
        • Partition Recovery Tools (for Windows, Mac, and Linux)
    • Password Protection
      • Password Types
      • Password Cracker and its Working
      • Password Cracking Techniques
      • Default Passwords
      • Using Rainbow Tables to Crack Hashed Passwords
        • Tools to Create Rainbow Tables: rtgen and Winrtgen
      • Microsoft Authentication
        • How Are Hashed Passwords Stored in the Windows SAM?
      • System Software Password Cracking
      • Bypassing BIOS Passwords
        • Using Manufacturer’s Backdoor Password to Access the BIOS
        • Using Password Cracking Software
          • CmosPwd
          • DaveGrohl
        • Resetting the CMOS using the Jumpers or Solder Beads
        • Removing CMOS Battery
        • Overloading the Keyboard Buffer and Using a Professional Service
      • Tool to Reset Admin Password
        • Active@ Password Changer
        • Windows Password Recovery Bootdisk
        • Windows Password Recovery Lastic
      • Application Password Cracking Tools
        • Word Password Recovery Tools
        • PowerPoint Password Recovery Tools
        • Excel Password Recovery Tools
        • PDF Password Recovery Tools
        • ZIP/RAR Password Recovery Tool: Advanced Archive Password Recovery
        • Other Application Software Password Cracking Tools
      • Other Password Cracking Tools
    • Steganography
      • Steganography
        • Steganography
        • Types of Steganography based on Cover Medium
      • Steganalysis
        • Steganalysis
        • Steganalysis Methods/Attacks on Steganography
        • Detecting Steganography
        • Steganography Detection Tool: Gargoyle Investigator™ Forensic Pro
        • Steganography Detection Tools
    • Data Hiding in File System Structures
    • Trail Obfuscation
    • Artifact Wiping
    • Overwriting Data/Metadata
    • Encryption
      • Encrypting File System (EFS): Recovery Certificate
      • Advanced EFS Data Recovery Tool
    • Encrypted Network Protocols
    • Program Packers
    • Rootkits
      • Detecting Rootkits
      • Steps for Detecting Rootkits
    • Minimize Footprint
    • Exploiting Forensic Tools Bugs
    • Detecting Forensic Tool Activities
    • Anti-Forensics Countermeasures
    • Anti-Forensics Challenges
    • Anti-forensics Tools
      • Privacy Eraser
      • Azazel Rootkit
      • QuickCrypto
    • Anti-forensics Tools

Module 06: Operating System Forensics (Windows, Mac, Linux)

Introduction to OS Forensics

Windows Forensics

  • Collecting Volatile Information
    • Volatile Information
      • System Time
      • Logged-On Users
        • PsLoggedOn Tool
        • net sessions Command
        • LogonSessions Tool
      • Open Files
        • net file Command
        • PsFile Utility
        • Openfiles Command
      • Network Information
      • Network Connections
      • Process Information
      • Process-to-Port Mapping
      • Process Memory
      • Network Status
      • Print spool files
      • Other Important Information
  • Collecting Non-Volatile Information
    • Non-Volatile Information
      • Examine File Systems
      • Registry Settings
      • Microsoft Security ID
      • Event Logs
      • ESE Database File
      • Connected Devices
      • Slack Space
      • Virtual Memory
      • Swap Space, hibernation, and Page Files
      • Windows Search Index
      • Collecting Hidden Partition Information
      • Hidden ADS Streams
        • Investigating ADS Streams: StreamArmor
      • Other Non-Volatile Information
  • Analyze the Windows thumbcaches
  • Windows Memory Analysis
    • Virtual Hard Disk (VHD)
    • Memory Dump
    • EProcess Structure
    • Process Creation Mechanism
    • Parsing Memory Contents
    • Parsing Process Memory
    • Extracting the Process Image
    • Collecting Process Memory
  • Windows Registry Analysis
    • Inside the Registry
    • Registry Structure within a Hive File
    • The Registry as a Log File
    • Registry Analysis
    • System Information
    • TimeZone Information
    • Shares
    • Wireless SSIDs
    • Startup Locations
    • Importance of volume shadow copy services
    • System Boot
    • User Login
    • User Activity
    • Enumerating Autostart Registry Locations
    • USB Removable Storage Devices
    • Mounted Devices
    • Tracking User Activity
    • The UserAssist Keys
    • MRU Lists
    • Connecting to Other Systems
    • Analyzing Restore Point Registry Settings
    • Determining the Startup Locations
  • Cache, Cookie, and History Analysis
    • Cache, Cookie, and History Analysis: Mozilla Firefox
      • Analysis Tool: MZCacheView
      • Analysis Tool: MZCookiesView
      • Analysis Tool: MZHistoryView
    • Cache, Cookie, and History Analysis: Google Chrome
      • Analysis Tool: ChromeCookiesView
      • Analysis Tool: ChromeCacheView
      • Analysis Tool: ChromeHistoryView
    • Cache, Cookie, and History Analysis: Microsoft Edge
      • Analysis Tool: IECookiesView
      • Analysis Tool: IECacheView
      • Analysis Tool: BrowsingHistoryView
  • Windows File Analysis
    • System Restore Points (Rp.log Files)
    • System Restore Points (Change.log.x Files)
    • Prefetch Files
    • Shortcut Files
    • Image Files
  • Metadata Investigation
    • Understanding Metadata
    • Types of Metadata
    • Metadata in Different File Systems
    • Metadata in PDF Files
    • Metadata in Word Documents
    • Tool: Metashield Analyzer
  • Text Based Logs
    • Understanding Events
    • Types of Logon Events
    • Event Log File Format
    • Organization of Event Records
    • ELF_LOGFILE_HEADER structure
    • EventLogRecord Structure
    • Windows 10 Event Logs
  • Other Audit Events
    • Evaluating Account Management Events
    • Examining System Log Entries
    • Examining Application Log Entries
  • Forensic Analysis of Event Logs
    • Searching with Event Viewer
    • Using Event Log explorer to Examine Windows Log Files
    • Windows Event Log Files Internals
  • Windows Forensics Tools

Linux Forensics

  • Shell Commands
  • Linux Log files
  • Collecting Volatile Data
  • Collecting Non-Volatile Data

Mac Forensics

  • Introduction to Mac Forensics
  • Mac Forensics Data
  • Mac Log Files
  • Mac Directories
  • Mac Forensics Tools

Module 07: Network Forensics

  • Introduction to Network Forensics
    • Network Forensics
    • Postmortem and Real-Time Analysis
    • Network Vulnerabilities
    • Network Attacks
    • Where to Look for Evidence
  • Fundamental Logging Concepts
    • Log Files as Evidence
    • Laws and Regulations
    • Legality of using Logs
    • Records of Regularly Conducted Activity as Evidence
  • Event Correlation Concepts
    • Event Correlation
    • Types of Event Correlation
    • Prerequisites of Event Correlation
    • Event Correlation Approaches
  • Network Forensic Readiness
    • Ensuring Log File Accuracy
      • Log Everything
      • Keeping Time
        • Why Synchronize Computer Times?
        • What is Network Time Protocol (NTP)?
      • Use Multiple Sensors
      • Avoid Missing Logs
    • Implement Log Management
      • Functions of Log Management Infrastructure
      • Challenges in Log Management
      • Meeting the Challenges in Log Management
      • Centralized Logging
      • Syslog
      • IIS Centralized Binary Logging
    • Ensure System’s Integrity
    • Control Access to Logs
  • Network Forensics Steps
    • Ensure Log File Authenticity
      • Use Signatures, Encryption, and Checksums
    • Work with Copies
    • Maintain Chain of Custody
    • Condensing Log File
    • Analyze Logs
      • Network Forensics Analysis Mechanism
        • Log Capturing and Analysis Tools: GFI EventsManager
        • Log Capturing and Analysis Tools: EventLog Analyzer
        • Log Capturing and Analysis Tools
      • Analyzing Router Logs
      • Evidence Gathering from ARP Table
      • Analyzing Router Logs: Cisco
      • Analyzing Router Logs: Juniper
      • Analyzing Firewall Logs
      • Analyzing Firewall Logs: Cisco
      • Analyzing Firewall Logs: Checkpoint
      • Analyzing IDS Logs
      • Analyzing IDS Logs: Juniper
      • Analyzing IDS Logs: Checkpoint
      • Analyzing Honeypot Logs
      • DHCP Logging
      • Sample DHCP Audit Log File
      • Evidence Gathering at the Data-Link Layer: DHCP Database
      • ODBC Logging
  • Network Traffic Investigation
    • Why Investigate Network Traffic
    • Evidence Gathering via Sniffing
      • Sniffing Tool: Wireshark
      • Display Filters in Wireshark
      • Additional Wireshark Filters
      • Sniffing Tool: SteelCentral Packet Analyzer
      • Sniffing Tool: Tcpdump/Windump
      • Packet Sniffing Tool: Capsa Network Analyzer
      • Network Packet Analyzer: OmniPeek Network Analyzer
      • Network Packet Analyzer: Observer
      • Network Packet Analyzer: Capsa Portable Network Analyzer
      • TCP/IP Packet Crafter: Colasoft Packet Builder
      • Network Packet Analyzer: RSA NetWitness Investigator
      • Additional Sniffing Tools
    • Gathering Evidence from an IDS
  • Documenting the Evidence
  • Evidence Reconstruction
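
The "Ensure Log File Authenticity", "Work with Copies" and "Maintain Chain of Custody" steps above amount to one workflow: hash the original, seal that hash in a custody record that cannot be silently rewritten, analyse only a verified copy, and be able to prove later that what you analysed is what you collected. The following Python script is an added example of that workflow and is not course material from EC-Council or from this page. It uses an HMAC under an examiner-held key as a stand-in for a detached signature (the page lists signatures, encryption and checksums; a GPG or X.509 signature would replace the HMAC in practice). The log lines, key, examiner name and file names are constructed placeholders.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte logs need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def seal_evidence(path, manifest, key, label, examiner, note=""):
    """Append a custody record (size, SHA-256, who, when) to the manifest and bind it
    with an HMAC under the examiner's key, so the manifest itself is tamper-evident."""
    path = Path(path)
    record = {
        "label": label,
        "file": str(path),
        "size": path.stat().st_size,
        "sha256": sha256_file(path),
        "sealed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "examiner": examiner,
        "note": note,
    }
    canonical = json.dumps(record, sort_keys=True).encode()
    record["hmac_sha256"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    with open(manifest, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record, sort_keys=True) + "\n")
    return record


def make_working_copy(original, dest_dir):
    """Copy the sealed original (timestamps preserved) and prove the copy is bit-identical."""
    copy = Path(dest_dir) / (Path(original).name + ".working")
    shutil.copy2(original, copy)
    if sha256_file(copy) != sha256_file(original):
        raise RuntimeError("working copy hash differs from original; do not analyse it")
    return copy


def verify_evidence(path, manifest, key, label):
    """Check a file against the latest manifest record for `label`.
    Returns (ok, problems); problems say what failed so the report can say why."""
    problems = []
    with open(manifest, encoding="utf-8") as fh:
        records = [json.loads(line) for line in fh if line.strip()]
    matching = [r for r in records if r.get("label") == label]
    if not matching:
        return False, ["no manifest record for label %r" % label]
    record = dict(matching[-1])
    claimed_mac = record.pop("hmac_sha256", "")
    expected_mac = hmac.new(key, json.dumps(record, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(claimed_mac, expected_mac):
        problems.append("manifest record HMAC invalid (record altered or forged)")
    actual = sha256_file(path)
    if actual != record["sha256"]:
        problems.append("content hash mismatch: manifest %s... vs file %s..." % (record["sha256"][:12], actual[:12]))
    if Path(path).stat().st_size != record["size"]:
        problems.append("size mismatch")
    return (not problems), problems


def run_demo():
    """End-to-end walk-through on a constructed firewall syslog excerpt in a temp directory."""
    key = b"examiner-key-kept-offline"   # hypothetical; a real deployment signs with a private key
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "fw-01.syslog"
        original.write_text(
            "Mar  1 10:15:02 fw-01 kernel: DENY IN=eth0 SRC=10.0.5.23 DST=198.51.100.9 DPT=4444\n"
            "Mar  1 10:15:09 fw-01 kernel: DENY IN=eth0 SRC=10.0.5.23 DST=198.51.100.9 DPT=4444\n")
        manifest = tmp / "custody.jsonl"
        seal_evidence(original, manifest, key, "fw-01-syslog", "J. Doe", "pulled from central syslog")
        copy = make_working_copy(original, tmp)
        results["copy_ok"] = verify_evidence(copy, manifest, key, "fw-01-syslog")[0]
        # Tamper with the working copy: the content hash no longer matches the seal.
        with open(copy, "a") as fh:
            fh.write("Mar  1 10:16:00 fw-01 kernel: ACCEPT IN=eth0 SRC=10.0.5.23 DST=198.51.100.9 DPT=4444\n")
        results["tampered_ok"] = verify_evidence(copy, manifest, key, "fw-01-syslog")[0]
        # Forge a fresh seal for the tampered copy without the key: the HMAC check catches it.
        seal_evidence(copy, manifest, b"wrong-key", "fw-01-syslog", "Mallory")
        ok, problems = verify_evidence(copy, manifest, key, "fw-01-syslog")
        results["forged_ok"] = ok
        results["forged_problems"] = problems
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The forged-record case is why a bare checksum is not enough: anyone who can edit the log on the same host can recompute its hash, so the custody record must be bound to something the attacker does not hold. The same reasoning applies to the "Control Access to Logs" item above: the manifest and key live with the examiner, not on the evidence host.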
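
The "Event Correlation", "Keeping Time" and "Evidence Gathering at the Data-Link Layer: DHCP Database" items above come together in one routine task: a firewall log names a source IP address, and the DHCP audit log is the only record of which device held that address at that moment. The following Python script is an added example of that correlation and is not course material from EC-Council or from this page. It reads a constructed excerpt laid out like the first seven columns of a Windows DHCP server audit log (event ID 10 = new lease, 11 = renewal, 12 = release) and a constructed list of firewall denies already in UTC; the DHCP server's clock offset from UTC is an input you must establish from the server itself, and the script shows what goes wrong when it is guessed.

```python
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Constructed excerpt using the first seven columns of a Windows DHCP server audit log.
# Times are the DHCP server's local clock, which is the whole problem.
DHCP_AUDIT_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/01/23,08:02:11,Assign,10.0.5.23,LAPTOP-A.corp.example,001A2B3C4D5E
11,03/01/23,09:30:00,Renew,10.0.5.23,LAPTOP-A.corp.example,001A2B3C4D5E
12,03/01/23,11:40:00,Release,10.0.5.23,LAPTOP-A.corp.example,001A2B3C4D5E
10,03/01/23,11:45:30,Assign,10.0.5.23,WS-17.corp.example,F0DEF1A2B3C4
10,03/01/23,11:50:00,Assign,10.0.5.88,PRINTER-2.corp.example,00AA11BB22CC
"""

# Constructed firewall denies, already normalised to UTC by the collector.
FIREWALL_EVENTS = [
    "2023-03-01T09:12:40Z deny src=10.0.5.23 dst=198.51.100.9 dport=4444",
    "2023-03-01T11:00:00Z deny src=10.0.5.23 dst=198.51.100.9 dport=4444",
    "2023-03-01T10:42:00Z deny src=10.0.5.23 dst=198.51.100.9 dport=4444",
]
EVENT_RE = re.compile(r"^(\S+Z) deny src=(\S+) dst=(\S+) dport=(\d+)$")


def build_leases(audit_text, server_utc_offset_hours):
    """Turn Assign/Renew/Release records into per-IP lease intervals in UTC."""
    tz = timezone(timedelta(hours=server_utc_offset_hours))
    parsed = []
    for row in csv.DictReader(io.StringIO(audit_text)):
        local = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%y %H:%M:%S")
        ts = local.replace(tzinfo=tz).astimezone(timezone.utc)
        parsed.append((ts, row["ID"], row["IP Address"], row["Host Name"], row["MAC Address"].upper()))
    parsed.sort(key=lambda rec: rec[0])

    leases, current = [], {}          # current: ip -> open lease
    for ts, event_id, ip, host, mac in parsed:
        holder = current.get(ip)
        if event_id == "10" or (event_id == "11" and (holder is None or holder["mac"] != mac)):
            if holder is not None:
                holder["end"] = ts   # address handed to a new client without an explicit release
            holder = {"ip": ip, "mac": mac, "host": host, "start": ts, "end": None}
            leases.append(holder)
            current[ip] = holder
        elif event_id == "12" and holder is not None and holder["mac"] == mac:
            holder["end"] = ts
            del current[ip]
        # ID 11 by the same client just extends the open interval; other event IDs
        # (expiry, deletion, conflict detection) would need handling in a full tool.
    return leases


def attribute(event_line, leases):
    """Which device held the source address at the moment of the firewall event?"""
    m = EVENT_RE.match(event_line)
    if not m:
        raise ValueError("unrecognised event line: " + event_line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    src = m.group(2)
    for lease in leases:
        if lease["ip"] == src and lease["start"] <= ts and (lease["end"] is None or ts < lease["end"]):
            return {"time": m.group(1), "src": src, "host": lease["host"], "mac": lease["mac"]}
    return {"time": m.group(1), "src": src, "host": None, "mac": None}


if __name__ == "__main__":
    for offset in (1, 0):   # 1 = the server really is UTC+01:00; 0 = the naive assumption
        leases = build_leases(DHCP_AUDIT_LOG, offset)
        print("assuming the DHCP server clock is UTC%+d:" % offset)
        for event in FIREWALL_EVENTS:
            print("  ", attribute(event, leases))
```

With the correct offset the 11:00Z event is attributed to WS-17 and the 10:42Z event to nobody (the address was between leases); treating the DHCP timestamps as UTC pins both on LAPTOP-A. That is the concrete reason the outline insists on NTP and on recording each source's time zone before correlating.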

Module 08: Investigating Web Attacks

  • Introduction to Web Application Forensics
    • Introduction to Web Application Forensics
    • Web Application Architecture
    • Challenges in Web Application Forensics
  • Web Attack Investigation
    • Indications of a Web Attack
    • Web Application Threats - 1
    • Web Application Threats - 2
    • Investigating a Web Attack
    • Investigating Web Attacks in Windows-Based Servers
  • Investigating Web Server Logs
    • Internet Information Services (IIS) Logs
      • IIS Web Server Architecture
      • IIS Logs
      • Investigating IIS Logs
      • Maintaining Credible IIS Log Files
      • Investigating IIS Logs: Best Practices
      • UTC Time
    • Investigating Apache Logs
      • Apache Web Server Architecture
      • Apache Web Server Logs
      • Investigating Apache Logs
    • Investigating Cross-Site Scripting (XSS)
    • Investigating XSS: Using Regex to Search XSS Strings
    • Investigating SQL Injection Attacks
    • Pen-Testing CSRF Validation Fields
    • Investigating Code Injection Attack
    • Investigating Cookie Poisoning Attack
  • Web Attack Detection Tools
    • Web Log Viewers
  • Tools for Locating IP Address
    • IP Address Locating Tools
  • WHOIS Lookup Tools
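
The "Investigating Apache Logs" and "Investigating XSS: Using Regex to Search XSS Strings" items above describe scanning web server access logs for attack strings. The following Python script is an added example of that technique, not course material from EC-Council or from this page. It parses Apache combined-format lines, percent-decodes the request target repeatedly before matching (attackers double-encode payloads precisely because naive filters decode once), and applies a small illustrative signature set for XSS, SQL injection and path traversal. The log lines use RFC 5737 documentation addresses and are constructed, not from a real incident; the signature patterns are assumptions to be tuned, not a complete ruleset.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache "combined" access log format. IIS W3C logs need a different field splitter
# (and are written in UTC by default), but the decode-then-match idea is the same.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Illustrative signatures; a generic "on[a-z]+=" would also match "?option=" so the
# event-handler list is explicit.
SIGNATURES = {
    "xss": re.compile(
        r"<\s*script\b|javascript\s*:|\bon(?:load|error|click|mouseover|focus)\s*=|<\s*(?:img|svg|iframe|body)\b",
        re.I),
    "sqli": re.compile(
        r"['\"]\s*(?:or|and)\s+['\"\w]+\s*=\s*['\"\w]+|\bunion\s+(?:all\s+)?select\b"
        r"|;\s*(?:drop|delete|insert|update)\b|\b(?:sleep|benchmark)\s*\(|--\s*$",
        re.I),
    "traversal": re.compile(r"(?:\.\./|\.\.\\){2,}|/etc/passwd\b|\bwin\.ini\b", re.I),
}

# Constructed log lines (not from a real incident).
SAMPLE_ACCESS_LOG = """\
203.0.113.45 - - [10/Oct/2023:13:55:36 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2023:13:55:40 +0000] "GET /product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0"
203.0.113.45 - - [10/Oct/2023:13:56:10 +0000] "GET /search.php?q=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 512 "-" "curl/8.0.1"
192.0.2.9 - - [10/Oct/2023:13:57:00 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""


def decode_fully(value, max_passes=3):
    """Percent-decode until the string stops changing; returns (decoded, passes)."""
    passes = 0
    while passes < max_passes:
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value, passes = decoded, passes + 1
    return value, passes


def scan_access_log(text):
    """Return (findings, unparsed). Unparsed lines are kept, never dropped: malformed
    request lines are often the attack itself."""
    findings, unparsed = [], []
    for line in text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        decoded, passes = decode_fully(m["target"])
        hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "status": m["status"],
                             "target": m["target"], "decoded": decoded,
                             "decode_passes": passes, "categories": hits})
    return findings, unparsed


def per_source_summary(findings):
    """How many flagged requests each client address produced."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, odd = scan_access_log(SAMPLE_ACCESS_LOG)
    for f in found:
        print(f["time"], f["ip"], f["status"], f["categories"], "decoded x%d:" % f["decode_passes"], f["decoded"])
    print("per source:", dict(per_source_summary(found)), "unparsed:", len(odd))
```

Two caveats a practitioner would want: the access log records only the request line, so payloads carried in a POST body never appear in it and must be sought in application or WAF logs; and a 200 status beside an XSS or SQL injection string does not prove success, only that the server answered, so each hit still has to be checked against the application's behaviour.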

Module 09: Database Forensics

  • Database Forensics and Its Importance
  • MSSQL Forensics
    • Data Storage in SQL Server
    • Database Evidence Repositories
    • Collecting Volatile Database Data
      • Collecting Primary Data File and Active Transaction Logs Using SQLCMD
      • Collecting Primary Data File & Transaction Logs
      • Collecting Active Transaction Logs Using SQL Server Management Studio
      • Collecting Database Plan Cache
      • Collecting Windows Logs
      • Collecting SQL Server Trace Files
      • Collecting SQL Server Error Logs
      • Database Forensics Using SQL Server Management Studio
      • Database Forensics Using ApexSQL DBA
  • MySQL Forensics
    • Internal Architecture of MySQL
      • Structure of the Data Directory
    • MySQL Forensics
      • Viewing the Information Schema
      • MySQL Utility Programs For Forensic Analysis
      • Common Scenario for Reference
      • MySQL Forensics for WordPress Website Database: Scenario 1
        • Collect the Evidences
        • Examine the Log Files
        • Analyze the General Log
        • Take a Backup of the Database
        • Create an Evidence Database
        • Select the Database
        • View the Tables in the Database
        • View the Users in the Database

        • View Columns in the Table
        • Collect the Posts Made by the User
        • Examine the Posts Made by the User
      • MySQL Forensics for WordPress Website Database: Scenario 2
      • Collect the Database and all the Logs
      • Examine the .frm Files
      • Examine the Binary Logs
      • Retrieve the Deleted User Account
      • ibdata1 in Data Directory
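
The "Examine the Log Files" and "Analyze the General Log" steps of the WordPress scenario above depend on reading MySQL's general query log and attributing each statement to the connection and account that issued it. The following Python script is an added example of that step and is not course material from EC-Council or from this page. It parses a constructed excerpt laid out like a MySQL 5.7/8.0 general log (timestamp, connection id, command, argument), handles multi-line statements, rebuilds per-connection sessions and flags writes to the WordPress tables that carry identity and privilege (wp_users, wp_usermeta, wp_options, wp_posts). The account names, hash and addresses in the sample are placeholders. The binary log used in Scenario 2 has a different, binary format and is not covered here.

```python
import re
from collections import defaultdict

# Constructed excerpt in the layout of a MySQL 5.7/8.0 general query log
# (timestamp <tab> connection id <space> command <tab> argument). Not from a real case.
SAMPLE_GENERAL_LOG = (
    "/usr/sbin/mysqld, Version: 8.0.32 (MySQL Community Server - GPL). started with:\n"
    "Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock\n"
    "Time                 Id Command    Argument\n"
    "2023-03-01T10:15:02.120457Z\t   14 Connect\twpuser@localhost on wordpress using TCP/IP\n"
    "2023-03-01T10:15:02.121003Z\t   14 Query\tSELECT ID, user_login FROM wp_users\n"
    "2023-03-01T10:15:08.530211Z\t   14 Query\tINSERT INTO wp_users (user_login, user_pass, user_email)\n"
    "VALUES ('wp_backup', '$P$BnotArealHashXXXXXXXXXXXXXXXXXXX', 'x@example.invalid')\n"
    "2023-03-01T10:15:09.000120Z\t   14 Query\tUPDATE wp_usermeta SET meta_value = 'a:1:{s:13:\"administrator\";b:1;}' WHERE user_id = 7\n"
    "2023-03-01T10:15:09.500000Z\t   14 Quit\t\n"
    "2023-03-01T10:20:41.000000Z\t   15 Connect\troot@localhost on wordpress using Socket\n"
    "2023-03-01T10:20:41.010000Z\t   15 Query\tSELECT option_value FROM wp_options WHERE option_name = 'siteurl'\n"
    "2023-03-01T10:20:42.000000Z\t   15 Quit\t\n"
)

# One log entry: ISO timestamp, connection id, command, then the argument after a tab.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z?)\s+(\d+)\s+(\w+)\t?(.*)$")
CONNECT_RE = re.compile(r"^(\S+) on (\S*)\s+using\b")
# Writes to the WordPress tables that control identity and privilege.
SENSITIVE_WRITE_RE = re.compile(
    r"\b(INSERT\s+INTO|REPLACE\s+INTO|UPDATE|DELETE\s+FROM)\s+`?(wp_users|wp_usermeta|wp_options|wp_posts)`?\b",
    re.IGNORECASE,
)


def parse_general_log(text):
    """Split the log into entries; a line without a timestamp continues the previous
    statement (multi-line queries are common in real logs)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            ts, conn_id, command, argument = m.groups()
            entries.append({"time": ts, "id": int(conn_id), "command": command, "argument": argument})
        elif entries and entries[-1]["command"] == "Query":
            entries[-1]["argument"] += "\n" + line
        # server banner and column header lines before the first entry are skipped
    return entries


def reconstruct_sessions(entries):
    """Group entries by connection id and attribute them to the account that connected."""
    sessions = defaultdict(lambda: {"user": None, "database": None, "queries": []})
    for e in entries:
        session = sessions[e["id"]]
        if e["command"] == "Connect":
            m = CONNECT_RE.match(e["argument"])
            if m:
                session["user"], session["database"] = m.group(1), m.group(2) or None
        elif e["command"] == "Query":
            session["queries"].append((e["time"], e["argument"]))
    return dict(sessions)


def find_sensitive_writes(sessions):
    """Every statement that inserts, updates or deletes in a privilege-bearing table."""
    findings = []
    for conn_id, session in sorted(sessions.items()):
        for ts, sql in session["queries"]:
            m = SENSITIVE_WRITE_RE.search(sql)
            if m:
                findings.append({"time": ts, "id": conn_id, "user": session["user"],
                                 "table": m.group(2).lower(), "sql": sql.replace("\n", " ")})
    return findings


if __name__ == "__main__":
    sessions = reconstruct_sessions(parse_general_log(SAMPLE_GENERAL_LOG))
    for f in find_sensitive_writes(sessions):
        print(f["time"], "conn", f["id"], f["user"], "->", f["table"], ":", f["sql"][:80])
```

The general log is disabled by default on MySQL, so this evidence exists only if it was turned on before the incident; otherwise the binary log (Scenario 2) or the table files themselves are the fallback. Note also that the log attributes statements to the database account, which for a WordPress site is usually the single application user: the session reconstruction tells you which connection did what, not which person.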

Module 10: Cloud Forensics

  • Introduction to Cloud Computing
    • Types of Cloud Computing Services
    • Separation of Responsibilities in Cloud
    • Cloud Deployment Models
    • Cloud Computing Threats
    • Cloud Computing Attacks
  • Cloud Forensics
    • Usage of Cloud Forensics
    • Cloud Crimes
      • Case Study: Cloud as a Subject
      • Case Study: Cloud as the Object
      • Case Study: Cloud as a Tool
    • Cloud Forensics: Stakeholders and their Roles
    • Cloud Forensics Challenges
      • Architecture and Identification
      • Data Collection
      • Legal
      • Analysis
      • Cloud Forensics Challenges
    • Investigating Cloud Storage Services
    • Investigating Dropbox Cloud Storage Service
      • Artifacts Left by Dropbox Web Portal
      • Artifacts Left by Dropbox Client on Windows
    • Investigating Google Drive Cloud Storage Service
      • Artifacts Left by Google Drive Web Portal
      • Artifacts Left by Google Drive Client on Windows
    • Cloud Forensics Tools: UFED Cloud Analyzer

Module 11: Malware Forensics

  • Introduction to Malware
    • Different Ways a Malware can Get into a System
    • Common Techniques Attackers Use to Distribute Malware on the Web
    • Components of Malware
  • Introduction to Malware Forensics
    • Why Analyze Malware
    • Identifying and Extracting Malware
    • Prominence of Setting up a Controlled Malware Analysis Lab
    • Preparing Testbed for Malware Analysis
    • Supporting Tools for Malware Analysis
    • General Rules for Malware Analysis
    • Documentation Before Analysis
    • Types of Malware Analysis
      • Malware Analysis: Static
        • Static Malware Analysis: File Fingerprinting
        • Online Malware Testing: VirusTotal
        • Online Malware Analysis Services
        • Local and Online Malware Scanning
        • Performing Strings Search
        • Identifying Packing/Obfuscation Methods
        • Finding the Portable Executables (PE) Information
        • Identifying File Dependencies
        • Malware Disassembly
        • Malware Analysis Tool: IDA Pro
      • Malware Analysis: Dynamic
        • Installation Monitor
        • Process Monitor
          • Process Monitoring Tool: What's Running
          • Process Monitoring Tools
        • Files and Folder Monitor
          • Files and Folder Integrity Checkers: FastSum and WinMD5
          • Files and Folder Integrity Checkers
        • Registry Monitor
          • Registry Entry Monitoring Tool: RegScanner
          • Registry Entry Monitoring Tools
        • Network Activity Monitor
          • Detecting Troja
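
The static-analysis items above ("File Fingerprinting", "Performing Strings Search", "Identifying Packing/Obfuscation Methods", "Finding the Portable Executables (PE) Information") are the first pass over any suspicious binary. The following Python script is an added example of that pass and is not course material from EC-Council or from this page. It hashes a sample, extracts ASCII and UTF-16LE strings, walks the PE section table with the standard library only (so it runs offline; in practice you would reach for a PE parsing library) and uses per-section entropy and well-known packer section names as packing indicators. Because no real malware can be shipped here, the script builds a constructed, non-executable PE image with one plain section and one high-entropy section named UPX1; the strings inside it are placeholders.

```python
import hashlib
import math
import re
import struct
from collections import Counter

# Small, illustrative list of section names left by common packers; not exhaustive.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata",
                        ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}


def fingerprint(data):
    """Hashes for lookup on VirusTotal-style services and for the evidence record."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data, min_len=6):
    """ASCII and UTF-16LE ('wide') strings, as the `strings` utility would list them."""
    ascii_rx = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_rx = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_rx.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_rx.finditer(data)]
    return found


def shannon_entropy(blob):
    """Bits per byte: ~8.0 means compressed or encrypted, plain code is usually 5-6.5."""
    if not blob:
        return 0.0
    counts, n = Counter(blob), len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_pe_sections(data):
    """Read the section table from the DOS header -> e_lfanew -> PE signature chain."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 4 + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr, "raw_offset": raw_ptr, "raw_size": raw_size,
            "truncated": len(raw) < raw_size,     # header claims bytes the file does not contain
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {"machine": machine, "sections": sections}


def packing_indicators(data, entropy_threshold=7.0):
    """Human-readable reasons to suspect packing; empty list means no indicator fired."""
    reasons = []
    for s in parse_pe_sections(data)["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append("section name %s is characteristic of a packer" % s["name"])
        if s["raw_size"] > 0 and s["entropy"] >= entropy_threshold:
            reasons.append("section %s has entropy %.2f (compressed or encrypted data)" % (s["name"], s["entropy"]))
    return reasons


def build_sample_pe():
    """Constructed minimal PE image (not a real or runnable executable) for exercising the
    parser offline: a low-entropy .text section and a maximal-entropy UPX1 section."""
    text_data = (b"C:\\Windows\\System32\\cmd.exe\x00\x00"
                 + "http://evil.example/update".encode("utf-16le") + b"\x00" * 8)
    text_data = text_data.ljust(128, b"\x90")       # NOP padding keeps entropy low
    packed_data = bytes(range(256)) * 2             # every byte value equally often: entropy 8.0
    headers_len, text_off = 0x200, 0x200
    sections = [(b".text", text_data, text_off, 0x1000),
                (b"UPX1", packed_data, text_off + len(text_data), 0x2000)]
    pe = bytearray(b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40))   # DOS header, e_lfanew = 0x40
    pe += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    pe += b"\x00" * 0xE0                                                # optional header, zeroed
    for name, blob, off, va in sections:
        pe += struct.pack("<8sIIIIIIHHI", name, len(blob), va, len(blob), off, 0, 0, 0, 0, 0x60000020)
    pe += b"\x00" * (headers_len - len(pe))
    for _, blob, off, _ in sections:
        assert len(pe) == off
        pe += blob
    return bytes(pe)


if __name__ == "__main__":
    sample = build_sample_pe()
    print(fingerprint(sample))
    for s in parse_pe_sections(sample)["sections"]:
        print("%-8s raw=0x%05x size=%5d entropy=%.3f truncated=%s" % (s["name"], s["raw_offset"], s["raw_size"], s["entropy"], s["truncated"]))
    print(packing_indicators(sample))
    print([s for s in extract_strings(sample) if not s.startswith("!")])
```

The `truncated` flag is there because malware frequently carries section headers that point past the end of the file, either as an anti-analysis trick or because the sample was cut off in transit; a parser that silently reads short bytes would report a misleading entropy. Hashes alone are also weak evidence of identity: repacking changes every digest, which is why the page pairs fingerprinting with strings and packer detection rather than relying on either.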

Certification

Please note that this course focuses on US forensic judicial systems, processes and best practice; it does not cover UK-specific law enforcement policy or UK legislation.

Your Pearson Vue exam voucher is included in the course fee; you will need to book the exam at a Pearson Vue testing facility.
Once you have completed the course, please submit the course evaluation via the ASPEN portal for your exam voucher to be released.
The EC Council exam is taken post-course, and EC Council recommend additional post-course study in order to fully prepare for it.
Your 6 month access to the iLabs platform will commence once you complete the course.
Commencing January 1st, 2019, EC-Council will no longer ship out physical certificates. EC-Council certified members can continue to download their e-Certificates from the ASPEN portal. Certified members who still wish to receive a physical certificate may request one via 'certsupport@eccouncil.org'. Printed certificate requests in the UK will cost $75 ($50 for the US).

Thinking about Onsite?

If you need training for 3 or more people, you should ask us about onsite training. Putting aside the obvious location benefit, content can be customised to better meet your business objectives and more can be covered than in a public classroom. It's a cost-effective option. One-on-one training can be delivered too, at reasonable rates.

Submit an enquiry from any page on this site and tell us in the requirements box that you are interested, or simply mention it when we contact you.

All $ prices are in USD unless it’s a NZ or AU date

SPVC = Self Paced Virtual Class

LVC = Live Virtual Class

Please Note: All courses are available as Live Virtual Classes

Trusted by over 1/2 million students in 15 countries

Our clients have included prestigious national organisations such as Oxford University Press, multi-national private corporations such as JP Morgan and HSBC, as well as public sector institutions such as the Department of Defence and the Department of Health.