Computer Hacking

Forensic Investigator
1 EC-Council
 Computer Forensics
Computer hacking forensic investigation is the process identification of evidence in computer related crime
of detecting hacking attacks and properly extracting and abuse cases. This may range from tracing the tracks
evidence to report the crime and conduct audits to of a hacker through a client’s systems, to tracing the
prevent future attacks. Computer forensics is simply originator of defamatory emails, to recovering signs of
the application of computer investigation and analysis fraud.
techniques in the interests of determining potential
legal evidence. Evidence might be sought in a wide The CHFI course will provide participants the necessary
range of computer crime or misuse, including but not skills to identify an intruder’s footprints and to properly
limited to theft of trade secrets, theft of or destruction gather the necessary evidence to prosecute in the court
of intellectual property, and fraud. CHFI investigators of law.
can draw on an array of methods for discovering data
that resides in a computer system, or recovering deleted, The CHFI course will benefit:
encrypted, or damaged file information.
• Police and other law enforcement personnel
Securing and analyzing electronic evidence is a • Defense and Military personnel
central theme in an ever-increasing number of conflict • e-Business Security professionals
situations and criminal cases. Electronic evidence is • Systems administrators
critical in the following situations: • Legal professionals
• Banking, Insurance and other professionals
• Disloyal employees • Government agencies
• Computer break-ins • IT managers
• Possession of pornography
• Breach of contract
• Industrial espionage
• E-mail Fraud
• Bankruptcy
• Disputed dismissals
• Web page defacements
• Theft of company documents

Computer forensics enables the systematic and careful

2 EC-Council
3 EC-Council
 Computer Hacking Forensic Investigator § Assessing the Case
(CHFI)
§ Planning Your Investigation
Course Outline v1
§ Securing Your Evidence
Module 1 Computer Forensics and
Investigations as a Profession § Understanding Data-Recovery Workstations
and Software
§ Understanding Computer Forensics
§ Setting Up Your Workstation for Computer
§ Comparing Definitions of Computer Forensics
Forensics
§ Executing an Investigation
§ Exploring a Brief History of Computer
Forensics § Gathering the Evidence

§ Developing Computer Forensics Resources § Copying the Evidence Disk

§ Preparing for Computing Investigations § Analyzing Your Digital Evidence

§ Understanding Enforcement Agency § Completing the Case

Investigations
§ Critiquing the Case
§ Understanding Corporate Investigations
Module 3 Working with Windows and DOS
§ Maintaining Professional Conduct Systems

Module 2 Understanding Computer § Understanding File Systems

Investigations
§ Understanding the Boot Sequence
§ Preparing a Computer Investigation
§ Examining Registry Data
§ Examining a Computer Crime
§ Disk Drive Overview
§ Examining a Company-Policy Violation
§ Exploring Microsoft File Structures
§ Taking a Systematic Approach
§ Disk Partition Concerns

4 EC-Council
 § Boot Partition Concerns § Exploring Macintosh Boot Tasks

§ Examining FAT Disks § Examining UNIX and Linux Disk Structures

§ Examining NTFS Disks § UNIX and Linux Overview

§ NTFS System Files § Understanding modes

§ NTFS Attributes § Understanding UNIX and Linux Boot

Processes
§ NTFS Data Streams
§ Understanding Linux Loader
§ NTFS Compressed Files
§ UNIX and Linux Drives and Partition
§ NTFS Encrypted File Systems (EFS) Scheme

§ EFS Recovery Key Agent § Examining Compact Disc Data Structures

§ Deleting NTFS Files § Understanding Other Disk Structures

§ Understanding Microsoft Boot Tasks § Examining SCSI Disks

§ Windows XP, 2000, and NT Startup § Examining IDE/EIDE Devices

§ Windows XP System Files

§ Understanding MS-DOS Startup Tasks Module 5 The Investigator’s Office and

Laboratory
§ Other DOS Operating Systems
§ Understanding Forensic Lab Certification
Requirements
Module 4 Macintosh and Linux Boot § Identifying Duties of the Lab Manager and
Processes and Disk Structures Staff
§ Understanding the Macintosh File Structure § Balancing Costs and Needs
§ Understanding Volumes § Acquiring Certification and Training

5 EC-Council
§ Determining the Physical Layout of a § Maintaining Operating Systems and
Computer Forensics Lab Application Software Inventories

§ Identifying Lab Security Needs § Using a Disaster Recovery Plan

§ Conducting High-Risk Investigations § Planning for Equipment Upgrades

§ Considering Office Ergonomics § Using Laptop Forensic Workstations

§ Environmental Conditions § Building a Business Case for Developing a

Forensics Lab
§ Lighting
§ Creating a Forensic Boot Floppy Disk
§ Structural Design Considerations
§ Assembling the Tools for a Forensic Boot
§ Electrical Needs Floppy Disk

§ Communications § Retrieving Evidence Data Using a Remote

Network Connection
§ Fire-suppression Systems

§ Evidence Lockers
Module 6 Current Computer Forensics
§ Facility Maintenance Tools
§ Physical Security Needs § Evaluating Your Computer Forensics
Software Needs
§ Auditing a Computer Forensics Lab
§ Using National Institute of Standards and
§ Computer Forensics Lab Floor Plan Ideas
Technology (NIST) Tools
§ Selecting a Basic Forensic Workstation
§ Using National Institute of Justice (NU)
§ Selecting Workstations for Police Labs Methods

§ Selecting Workstations for Private and § Validating Computer Forensics Tools

Corporate Labs
§ Using Command-Line Forensics Tools
§ Stocking Hardware Peripherals
§ Exploring NTI Tools

6 EC-Council
§ Exploring Ds2dump § Exploring DataLifter

§ Reviewing DriveSpy § Exploring ASRData

§ Exploring PDBlock § Exploring the Internet History Viewer

§ Exploring PDWipe § Exploring Other Useful Computer Forensics

Tools
§ Reviewing Image
§ Exploring LTOOLS
§ Exploring Part
§ Exploring Mtools
§ Exploring SnapBack DatArrest
§ Exploring R-Tools
§ Exploring Byte Back
§ Using Explore2fs
§ Exploring MaresWare
§ Exploring @stake
§ Exploring DIGS Mycroft v3
§ Exploring TCT and TCTUTILs
§ Exploring Graphical User Interface (GUI)
Forensics Tools § Exploring ILook

§ Exploring AccessData Programs § Exploring HashKeeper

§ Exploring Guidance Software EnCase § Using Graphic Viewers

§ Exploring Ontrack § Exploring Hardware Tools

§ Using BIAProtect § Computing-Investigation Workstations

§ Using LC Technologies Software § Building Your Own Workstation

§ Exploring WinHex Specialist Edition § Using a Write-blocker

§ Exploring DIGS Analyzer Professional § Using LC Technology International

Forensic Software Hardware

§ Exploring ProDiscover DFT § Forensic Computers

7 EC-Council
 § DIGS § Documenting Evidence

§ Digital Intelligence § Obtaining a Digital Signature

§ Image MASSter Solo

§ FastBloc Module 8 Processing Crime and Incident

Scenes
§ Acard
§ Processing Private-Sector Incident Scenes
§ NoWrite
§ Processing Law Enforcement Crime Scenes
§ Wiebe Tech Forensic DriveDock
§ Understanding Concepts and Terms Used in
§ Recommendations for a Forensic Warrants
Workstation
§ Preparing for a Search

§ Identifying the Nature of the Case

Module 7 Digital Evidence Controls
§ Identifying the Type of Computing System
§ Identifying Digital Evidence
§ Determining Whether You Can Seize a
§ Understanding Evidence Rules Computer
§ Securing Digital Evidence at an Incident § Obtaining a Detailed Description of the
Scene Location

§ Cataloging Digital Evidence § Determining Who Is in Charge

§ Lab Evidence Considerations § Using Additional Technical Expertise

§ Processing and Handling Digital Evidence § Determining the Tools You Need

§ Storing Digital Evidence § Preparing the Investigation Team

§ Evidence Retention and Media Storage § Securing a Computer Incident or Crime

Needs Scene

8 EC-Council
 § Seizing Digital Evidence at the Scene § Using Other Forensics Acquisition Tools

§ Processing a Major Incident or Crime Scene § Exploring SnapBack DatArrest

§ Processing Data Centers with an Array of § Exploring SafeBack

RAIDS
§ Exploring EnCase
§ Using a Technical Advisor at an Incident or
Crime Scene

§ Sample Civil Investigation Module 10 Computer Forensic Analysis

§ Sample Criminal Investigation § Understanding Computer Forensic Analysis

§ Collecting Digital Evidence § Refining the Investigation Plan

§ Using DriveSpy to Analyze Computer Data

Module 9 Data Acquisition § DriveSpy Command Switches

§ Determining the Best Acquisition Method § DriveSpy Keyword Searching

§ Planning Data Recovery Contingencies § DriveSpy Scripts

§ Using MS-DOS Acquisition Tools § DriveSpy Data-Integrity Tools

§ Understanding How DriveSpy Accesses § DriveSpy Residual Data Collection Tools

Sector Ranges
§ Other Useful DriveSpy Command Tools
§ Data Preservation Commands
§ Using Other Digital Intelligence Computer
§ Using DriveSpy Data Manipulation Forensics Tools
Commands
§ Using PDBlock and PDWipe
§ Using Windows Acquisition Tools
§ Using AccessData’s Forensic Toolkit
§ AccessData FTK Explorer
§ Performing a Computer Forensic Analysis
§ Acquiring Data on Linux Computers

9 EC-Council
 § Setting Up Your Forensic Workstation § Copying an E-mail Message

§ Performing Forensic Analysis on Microsoft § Printing an E-mail Message

File Systems
§ Viewing E-mail Headers
§ UNIX and Linux Forensic Analysis
§ Examining an E-mail Header
§ Macintosh Investigations
§ Examining Additional E-mail Files
§ Addressing Data Hiding Techniques
§ Tracing an E-mail Message
§ Hiding Partitions
§ Using Network Logs Related to E-mail
§ Marking Bad Clusters
§ Understanding E-mail Servers
§ Bit-Shifting
§ Examining UNIX E-mail Server Logs
§ Using Steganography
§ Examining Microsoft E-mail Server Logs
§ Examining Encrypted Files
§ Examining Novell GroupWise E-mail Logs
§ Recovering Passwords
§ Using Specialized E-mail Forensics Tools

Module 11 E-mail Investigations

Module 12 Recovering Image Files
§ Understanding Internet Fundamentals
§ Recognizing an Image File
§ Understanding Internet Protocols
§ Understanding Bitmap and Raster Images
§ Exploring the Roles of the Client and Server
in E-mail § Understanding Vector Images

§ Investigating E-mail Crimes and Violations § Metafle Graphics

§ Identifying E-mail Crimes and Violations § Understanding Image File Formats

§ Examining E-mail Messages § Understanding Data Compression

10 EC-Council
 § Reviewing Lossless and Lossy Compression § Writing Clearly

§ Locating and Recovering Image Files § Providing Supporting Material

§ Identifying Image File Fragments § Formatting Consistently

§ Repairing Damaged Headers § Explaining Methods

§ Reconstructing File Fragments § Data Collection

§ Identifying Unknown File Formats § Including Calculations

§ Analyzing Image File Headers § Providing for Uncertainty and Error

Analysis
§ Tools for Viewing Images
§ Explaining Results
§ Understanding Steganography in Image
Files § Discussing Results and Conclusions

§ Using Steganalysis Tools § Providing References

§ Identifying Copyright Issues with Graphics § Including Appendices

§ Providing Acknowledgments

Module 13 Writing Investigation Reports § Formal Report Format

§ Understanding the Importance of Reports § Writing the Report

§ Limiting the Report to Specifics § Using FTK Demo Version

§ Types of Reports

§ Expressing an Opinion Module 14 Becoming an Expert Witness

§ Designing the Layout and Presentation § Comparing Technical and Scientific

Testimony
§ Litigation Support Reports versus Technical
Reports § Preparing for Testimony

11 EC-Council
§ Documenting and Preparing Evidence § Understanding Prosecutorial Misconduct

§ Keeping Consistent Work Habits § Preparing for a Deposition

§ Processing Evidence § Guidelines for Testifying at a Deposition

§ Serving as a Consulting Expert or an Expert § Recognizing Deposition Problems

Witness
§ Public Release: Dealing with Reporters
§ Creating and Maintaining Your CV
§ Forming an Expert Opinion
§ Preparing Technical Definitions
§ Determining the Origin of a Floppy Disk
§ Testifying in Court

§ Understanding the Trial Process

Module 15 Computer Security Incident
§ Qualifying Your Testimony and Voir Dire Response Team

§ Addressing Potential Problems § Incident Response Team

§ Testifying in General § Incident Reporting Process

§ Presenting Your Evidence § Low-level incidents

§ Using Graphics in Your Testimony § Mid-level incidents

§ Helping Your Attorney § High-level incidents

§ Avoiding Testimony Problems § What is a Computer Security Incident

Response Team (CSIRT)?
§ Testifying During Direct Examination
§ Why would an organization need a CSIRT?
§ Using Graphics During Testimony
§ What types of CSIRTs exist?
§ Testifying During Cross-Examination
§ Other Response Teams Acronyms
§ Exercising Ethics When Testifying

12 EC-Council
 § What does a CSIRT do? § Passive Detection Methods

§ What is Incident Handling? § Dump Event Log Tool (Dumpel.exe)

§ Need for CSIRT in Organizations § EventCombMT

§ Best Practices for Creating a CSIRT? § Event Collection

§ Scripting

Module 16 Logfile Analysis § Event Collection Tools

§ Secure Audit Logging § Forensic Tool: fwanalog

§ Audit Events § Elements of an End-to-End Forensic Trace

§ Syslog § Log Analysis and Correlation

§ Message File § TCPDump logs

§ Setting Up Remote Logging § Intrusion Detection Log (RealSecure)

§ Linux Process Tracking § Intrusion Detection Log (SNORT)

§ Windows Logging

§ Remote Logging in Windows Module 17 Recovering Deleted Files

§ ntsyslog

§ Application Logging § The Windows Recycle Bin

§ Extended Logging § Digital evidence

§ Monitoring for Intrusion and Security § Recycle Hidden Folder

Events
§ How do I undelete a file?
§ Importance of Time Synchronization
§ e2undel

13 EC-Council
 § O&O UnErase § APDFPR

§ Restorer2000 § Distributed Network Attack

§ BadCopy Pro § Windows XP / 2000 / NT Key

§ File Scavenger § Passware Kit

§ Mycroft v3 § How to Bypass BIOS Passwords

§ PC ParaChute § BIOS Password Crackers

§ Search and Recover § Removing the CMOS Battery

§ Stellar Phoenix Ext2,Ext3 § Default Password Database

§ Zero Assumption Digital Image Recovery

§ FileSaver Module 19 Investigating E-Mail Crimes

§ VirtualLab Data Recovery § E-mail Crimes

§ R-Linux § Sending Fakemail

§ Drive & Data Recovery § Sending E-mail using Telnet

§ Active@ UNERASER - DATA Recovery § Tracing an e-mail

§ Mail Headers

Module 18 Application Password Crackers § Reading Email Headers

§ Advanced Office XP Password Recovery § Tracing Back

§ AOXPPR § Tracing Back Web Based E-mail

§ Accent Keyword Extractor § Microsoft Outlook Mail

§ Advanced PDF Password Recovery § Pst File Location

14 EC-Council
 § Tool: R-Mail destination

§ Tool: FinaleMail § How to detect attacks on your server?

§ Searching E-mail Addresses § Investigating Log Files

§ E-mail Search Site § IIS Logs

§ abuse.net § Log file Codes

§ Network Abuse Clearing House § Apache Logs

§ Handling Spam § Access_log

§ Protecting your E-mail Address from Spam § Log Security

§ Tool: Enkoder Form § Log File Information

§ Tool: eMailTrackerPro § Simple Request

§ Tool: SPAM Punisher § Time/Date Field

§ Mirrored Site Detection

Module 20 Investigating Web Attacks § Mirrored Site in IIS Logs

§ Vulnerability Scanning Detection

§ How to Tell an Attack is in Progress § Example of Attack in Log file

§ What to Do When You Are Under Attack? § Web Page Defacement

§ Conducting the Investigation § Defacement using DNS Compromise

§ Attempted Break-in § Investigating DNS Poisoning

§ Step 1: Identifing the System(s) § Investigating FTP Servers

§ Step 2: Traffic between source and § Example of FTP Compromise

15 EC-Council
 § FTP logs § Preventing DNS Spoofing

§ SQL Injection Attacks § VisualZone

§ Investigating SQL Injection Attacks § DShield

§ Web Based Password Brute Force Attack § Forensic Tools for Network Investigations

§ Investigating IP Address § TCPDump

§ Tools for locating IP Address § Ethereal

§ Investigating Dynamic IP Address § NetAnalyst

§ Location of DHCP Server Logfile § Ettercap

§ Ethereal

Module 21 Investigating Network Traffic

§ Network Intrusions and Attacks Module 22 Investigating Router Attacks

§ Direct vs. Distributed Attacks § DoS Attacks

§ Automated Attacks § Investigating DoS Attacks

§ Accidental “Attacks” § Investigating Router Attacks

§ Address Spoofing

§ IP Spoofing Module 23 The Computer Forensics

Process
§ ARP Spoofing
§ Evidence Seizure Methodology
§ DNS Spoofing
§ Before the Investigation
§ Preventing IP Spoofing
§ Document Everything
§ Preventing ARP Spoofing

16 EC-Council
 § Confiscation of Computer Equipment § System State Backup

§ Forensic Tool: Back4Win

Module 24 Data Duplication
§ Forensic Tool: Registry Watch
§ Tool: R-Drive Image
§ System Processes
§ Tool: DriveLook
§ Process Monitors
§ Tool: DiskExplorer for NTFS
§ Default Processes in Windows NT, 2000,
and XP

Module 25 Windows Forensics § Process-Monitoring Programs

§ Gathering Evidence in Windows § Process Explorer

§ Collecting Data from Memory § Look for Hidden Files

§ Collecting Evidence § Viewing Hidden Files in Windows

§ Memory Dump § NTFS Streams

§ Manual Memory Dump (Windows 2000) § Detecting NTFS Streams

§ Manual Memory Dump (Windows XP) § Rootkits

§ PMDump § Detecting Rootkits

§ Windows Registry § Sigverif

§ Registry Data § Detecting Trojans and Backdoors

§ Regmon utility § Removing Trojans and Backdoors

§ Forensic Tool: InCntrl5 § Port Numbers Used by Trojans

§ Backing Up of the entire Registry § Examining the Windows Swap File

17 EC-Council
 § Swap file as evidence § LKM

§ Viewing the Contents of the Swap/Page File § Open Ports and Listening Applications

§ Recovering Evidence from the Web Browser § /proc file system

§ Locating Browser History Evidence § Log Files

§ Forensic Tool: Cache Monitor § Configuration Files

§ Print Spooler Files § Low Level Analysis

§ Steganography § Log Messages

§ Forensic Tool: StegDetect § Running syslogd

§ Investigating User Accounts

Module 26 Linux Forensics § Collecting an Evidential Image

§ Performing Memory Dump on Unix Systems § File Auditing Tools

§ Viewing Hidden Files

§ Executing Process Module 27 Investigating PDA

§ Create a Linux Forensic Toolkit § Paraben’s PDA Seizure

§ Collect Volatile Data Prior to Forensic

Duplication
Module 28 Enforcement Law and
§ Executing a Trusted Shell Prosecution

§ Determining Who is logged on to the System § Freedom of Information Act

§ Determining the Running Processes § Reporting Security Breaches to Law

Enforcement
§ Detecting Loadable Kernel Module Rootkits
§ National Infrastructure Protection Center

18 EC-Council
 § Federal Computer Crimes and Laws § What is trade dress?

§ Federal Laws § Internet domain name

§ The USA Patriot Act of 2001 § Trademark Infringement

§ Building the Cybercrime Case § Conducting a Trademark Search

§ How the FBI Investigates Computer Crime § Using Internet to Search for Trademarks

§ Cyber Crime Investigations § Hiring a professional firm to conduct my

trademark search
§ Computer-facilitated crime
§ Trademark Registrations
§ FBI
§ Benefits of Trademark Registration
§ Federal Statutes
§ Copyright
§ Local laws
§ How long does a copyright last?
§ Federal Investigative Guidelines
§ Copyright Notice
§ Gather Proprietary Information
§ Copyright “Fair Use” Doctrine
§ Contact law enforcement
§ U.S. Copyright Office
§ To initiate an investigation
§ How are copyrights enforced?

§ SCO vs IBM
Module 29 Investigating Trademark and
Copyright Infringement § What is Plagiarism?

§ Trademarks § Turnitin

§ Trademark Eligibility § Plagiarism Detection Tools

§ What is a service mark?

19 EC-Council
International Council of E-Commerce Consultants
67 Wall Street, 22nd Floor
New York, NY 10005-3198
USA

Phone: 212.709.8253
Fax: 212.943.2300

© 2002 EC-Council. All rights reserved.

This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
SUMMARY. EC-Council logo is registered trademarks or trademarks of EC-Council in the United States and/or other countries.

20 EC-Council