EC-Council - Computer Hacking Forensic Investigator v.8

Course Introduction (2m)
Course Introduction
Module 00 - Student Introduction (6m)
Student Introduction
CHFIv8 Course Outline
EC-Council Certification Program
Computer Hacking Forensic Investigator Track
CHFIv8 Exam Information
What Does CHFI Teach You?
CHFI Class Speed
Let's Start Forensics Investigation!
Module 01 - Computer Forensics in Today's World (1h 8m)
Module Flow: Computer Forensics
Forensics Science
Computer Forensics
Security Incident Report
Aspects of Organizational Security
Evolution of Computer Forensics (Cont'd)
Evolution of Computer Forensics
Objective of Computer Forensics
Need for Computer Forensics
Module Flow: Forensics Readiness
Benefits of Forensics Readiness
Goals of Forensics Readiness
Forensics Readiness Planning
Module Flow: Cyber Crimes
Cyber Crime
Computer Facilitated Crimes
Modes of Attacks
Examples of Cyber Crime (Cont'd)
Examples of Cyber Crime
Types of Computer Crimes
Cyber Criminals
Organized Cyber Crime: Organizational Chart
How Serious are Different Types of Incidents?
Disruptive Incidents to the Business
Cost Expenditure Responding to the Security Incident
Module Flow: Cyber Crime Investigation
Cyber Crime Investigation
Key Steps in Forensics Investigation (Cont'd)
Key Steps in Forensics Investigation
Rules of Forensics Investigation
Need for Forensics Investigator
Role of Forensics Investigator
Accessing Computer Forensics Resources
Role of Digital Evidence
Module Flow: Corporate Investigations
Understanding Corporate Investigations
Approach to Forensics Investigation: A Case Study (Cont'd)
Approach to Forensics Investigation: A Case Study
Instructions for the Forensic Investigator to Approach the Crime Scene
Why and When Do You Use Computer Forensics?
Enterprise Theory of Investigation (ETI)
Legal Issues
Reporting the Results
Module Flow: Reporting a Cyber Crime
Why You Should Report Cybercrime
Reporting Computer-Related Crimes (Cont'd)
Reporting Computer-Related Crimes
Person Assigned to Report the Crime
When and How to Report an Incident?
Who to Contact at Law Enforcement
Federal Local Agents Contact (Cont'd)
Federal Local Agents Contact
More Contacts
CIO Cyberthreat Report Form
Module 01 Review
Module 02 - Computer Forensics Investigation Process (1h 20m)
Computer Forensics Investigation Process
Investigating Computer Crime
Before the Investigation
Build a Forensics Workstation
Building the Investigation Team
People Involved in Computer Forensics
Review Policies and Laws
Forensics Laws (Cont'd)
Forensics Laws
Notify Decision Makers and Acquire Authorization
Risk Assessment
Build a Computer Investigation Toolkit
Steps to Prepare for a Computer Forensics Investigation (Cont'd)
Steps to Prepare for a Computer Forensics Investigation
Computer Forensics Investigation Methodology: Obtain Search Warrant
Obtain Search Warrant
Example of Search Warrant
Searches Without a Warrant
Computer Forensics Investigation Methodology: Evaluate and Secure the Scene
Forensics Photography
Gather the Preliminary Information at the Scene
First Responder
Computer Forensics Investigation Methodology: Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence (Cont'd)
Collect Electronic Evidence
Guidelines for Acquiring Evidence
Computer Forensics Investigation Methodology: Secure the Evidence
Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
Computer Forensics Investigation Methodology: Acquire the Data
Original Evidence Should NEVER Be Used for Analysis
Duplicate the Data (Imaging)
Verify Image Integrity
Demo - HashCalc
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Recover Lost or Deleted Data
Data Recovery Software
Computer Forensics Investigation Methodology: Analyze the Data
Data Analysis
Data Analysis Tools
Computer Forensics Investigation Methodology: Assess Evidence and Case
Evidence Assessment
Case Assessment (Cont'd)
Case Assessment
Processing Location Assessment
Best Practices to Assess the Evidence
Computer Forensics Investigation Methodology: Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report (Cont'd)
Writing the Investigation Report
Sample Report (1 of 7)
Sample Report (2 of 7)
Sample Report (3 of 7)
Sample Report (4 of 7)
Sample Report (5 of 7)
Sample Report (6 of 7)
Sample Report (7 of 7)
Computer Forensics Investigation Methodology: Testify as an Expert Witness
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers (Cont'd)
Computer Forensics Service Providers
Module 02 Review
Module 03 - Searching and Seizing Computers (1h 27m)
Module Flow: Searching and Seizing Computers without a Warrant
Searching and Seizing Computers without a Warrant
Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: Principles
Reasonable Expectation of Privacy in Computers as Storage Devices
Reasonable Expectation of Privacy and Third-Party Possession
Private Searches
Use of Technology to Obtain Information
Exceptions to the Warrant Requirement in Cases Involving Computers
Consent
Scope of Consent
Third-Party Consent
Implied Consent
Exigent Circumstances
Plain View
Search Incident to a Lawful Arrest
Inventory Searches
Border Searches
International Issues
Special Case: Workplace Searches
Private Sector Workplace Searches
Public-Sector Workplace Searches
Module Flow: Searching and Seizing Computers with a Warrant
Searching and Seizing Computers with a Warrant
Successful Search with a Warrant
Basic Strategies for Executing Computer Searches
When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
When Hardware Is Merely a Storage Device for Evidence of Crime
The Privacy Protection Act
The Terms of the Privacy Protection Act
Application of the PPA to Computer Searches and Seizures (Cont'd)
Application of the PPA to Computer Searches and Seizures
Civil Liability Under the Electronic Communications Privacy Act (ECPA)
Considering the Need for Multiple Warrants in Network Searches
No-Knock Warrants
Sneak-and-Peek Warrants
Privileged Documents
Drafting the Warrant and Affidavit
Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments
Defending Computer Search Warrants Against Challenges Based on the "Things to be Seized"
Establish Probable Cause in the Affidavit
Explanation of the Search Strategy and Practical & Legal Considerations
Post-Seizure Issues
Searching Computers Already in Law Enforcement Custody
The Permissible Time Period for Examining Seized Computers
Rule 41(e) Motions for Return of Property
Module Flow: The Electronic Communications Privacy Act
The Electronic Communications Privacy Act
Providers of Electronic Communication Service vs. Remote Computing Service
Classifying Types of Information Held by Service Providers
Compelled Disclosure Under ECPA
Voluntary Disclosure
Working with Network Providers
Module Flow: Electronic Surveillance in Communications Networks
Electronic Surveillance in Communications Networks
Content vs. Addressing Information
The Pen/Trap Statute
The Wiretap Statute ("Title III")
Exceptions to Title III
Remedies For Violations of Title III and the Pen/Trap Statute
Module Flow: Evidence
Evidence (Cont'd)
Evidence
Authentication
Hearsay
Other Issues
Module 03 Review
Module 04 - Digital Evidence (2h)
Module Flow: Digital Data
Definition of Digital Evidence
Increasing Awareness of Digital Evidence
Challenging Aspects of Digital Evidence
The Role of Digital Evidence
Characteristics of Digital Evidence
Fragility of Digital Evidence
Anti-Digital Forensics (ADF)
Module Flow: Types of Digital Data
Types of Digital Data (Cont'd)
Types of Digital Data
Module Flow: Rules of Evidence
Rules of Evidence
Best Evidence Rule
Federal Rules of Evidence (Cont'd)
Federal Rules of Evidence
International Organization on Computer Evidence (IOCE)
IOCE International Principles for Digital Evidence
Scientific Working Group on Digital Evidence (SWGDE)
SWGDE Standards for the Exchange of Digital Evidence (Cont'd)
SWGDE Standards for the Exchange of Digital Evidence
Module Flow: Electronic Devices: Types and Collecting Potential Evidence
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: Digital Evidence Examination Process
Digital Evidence Examination Process - Evidence Assessment
Evidence Assessment
Prepare for Evidence Acquisition
Digital Evidence Examination Process - Evidence Acquisition
Preparation for Searches
Seizing the Evidence
Imaging
Demo - Disk Sterilization with DD
Bit-Stream Copies
Write Protection
Evidence Acquisition
Evidence Acquisition from Crime Location
Acquiring Evidence from Storage Devices
Demo - Utilizing hdparm for HD Information
Collecting Evidence (Cont'd)
Collecting Evidence
Collecting Evidence from RAM (Cont'd)
Collecting Evidence from RAM
Collecting Evidence from a Standalone Network Computer
Chain of Custody
Chain of Evidence Form
Digital Evidence Examination Process - Evidence Preservation
Preserving Digital Evidence: Checklist (Cont'd)
Preserving Digital Evidence: Checklist
Preserving Removable Media (Cont'd)
Preserving Removable Media
Handling Digital Evidence
Store and Archive
Digital Evidence Findings
Digital Evidence Examination Process - Evidence Examination and Analysis
DO NOT WORK on the Original Evidence
Evidence Examination (Cont'd)
Evidence Examination
Physical Extraction
Logical Extraction
Analyze Host Data
Analyze Storage Media
Analyze Network Data
Analysis of Extracted Data
Timeframe Analysis
Data Hiding Analysis
Application and File Analysis
Ownership and Possession
Digital Evidence Examination Process - Evidence Documentation and Reporting
Documenting the Evidence
Evidence Examiner Report
Final Report of Findings
Computer Evidence Worksheet (Cont'd)
Computer Evidence Worksheet
Hard Drive Evidence Worksheet (Cont'd)
Hard Drive Evidence Worksheet
Removable Media Worksheet
Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
Electronic Crime and Digital Evidence Consideration by Crime Category
Module 04 Review
Module 05 - First Responder Procedures (1h 59m)
Module Flow: First Responder
Electronic Evidence
First Responder
Roles of First Responder
Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: First Responder Toolkit
First Responder Toolkit
Creating a First Responder Toolkit
Evidence Collecting Tools and Equipment (Cont'd)
Evidence Collecting Tools and Equipment
Module Flow: First Response Basics
First Response Rule
Incident Response: Different Situations
First Response for System Administrators
First Response by Non-Laboratory Staff
First Response by Laboratory Forensics Staff (Cont'd)
First Response by Laboratory Forensics Staff
Module Flow: Securing and Evaluating Electronic Crime Scene
Securing and Evaluating Electronic Crime Scene: A Checklist (Cont'd)
Securing and Evaluating Electronic Crime Scene: A Checklist
Securing the Crime Scene
Warrant for Search and Seizure
Planning the Search and Seizure (Cont'd)
Planning the Search and Seizure
Initial Search of the Scene
Health and Safety Issues
Module Flow: Conducting Preliminary Interviews
Questions to Ask When Client Calls the Forensic Investigator
Consent
Sample of Consent Search Form
Witness Signatures
Conducting Preliminary Interviews
Conducting Initial Interviews
Witness Statement Checklist
Module Flow: Documenting Electronic Crime Scene
Documenting Electronic Crime Scene
Photographing the Scene
Sketching the Scene
Video Shooting the Crime Scene
Module Flow: Collecting and Preserving Electronic Evidence
Collecting and Preserving Electronic Evidence (Cont'd)
Collecting and Preserving Electronic Evidence
Order of Volatility
Dealing with Powered On Computers (Cont'd)
Demo - Imaging RAM
Demo - Parsing RAM
Dealing with Powered On Computers
Dealing with Powered Off Computers
Dealing with Networked Computer
Dealing with Open Files and Startup Files
Operating System Shutdown Procedure (Cont'd)
Operating System Shutdown Procedure Example
Computers and Servers
Preserving Electronic Evidence
Seizing Portable Computers
Switched On Portables
Collecting and Preserving Electronic Evidence Wrap-up
Module Flow: Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
Packaging Electronic Evidence
Exhibit Numbering
Transporting Electronic Evidence
Handling and Transportation to the Forensics Laboratory
Storing Electronic Evidence
Chain of Custody
Simple Format of the Chain of Custody Document
Chain of Custody Forms (Cont'd)
Chain of Custody Forms
Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
Demo - Hardware Inventories
Module Flow: Reporting the Crime Scene
Reporting the Crime Scene
Note Taking Checklist (Cont'd)
Note Taking Checklist
First Responder Common Mistakes
Module 05 Review
Module 06 - Computer Forensics Lab (2h 5m)
Module Flow: Setting Up a Computer Forensics Lab
Computer Forensics Lab
Planning for a Forensics Lab
Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensics Lab
Structural Design Considerations
Environmental Conditions
Electrical Needs
Communication Needs
Work Area of a Computer Forensics Lab
Ambience of a Forensics Lab
Ambience of a Forensics Lab: Ergonomics
Physical Security Recommendations
Fire-Suppression Systems
Evidence Locker Recommendations
Computer Forensic Investigator
Law Enforcement Officer
Lab Director
Forensics Lab Licensing Requisite
Features of the Laboratory Imaging System
Technical Specifications of the Laboratory Based Imaging System
Forensics Lab (1 of 3)
Forensics Lab (2 of 3)
Forensics Lab (3 of 3)
Auditing a Computer Forensics Lab (Cont'd)
Auditing a Computer Forensics Lab
Recommendations to Avoid Eyestrain
Module Flow: Investigative Services in Forensics
Computer Forensics Investigative Services
Computer Forensic Investigative Service Sample
Computer Forensics Services: PenrodEllis Forensic Data Discovery
Data Destruction Industry Standards
Computer Forensics Services (Cont'd)
Computer Forensics Services
Module Flow: Computer Forensics Hardware
Equipment Required in a Forensics Lab
Forensic Workstations
Basic Workstation Requirements in a Forensics Lab
Stocking the Hardware Peripherals
Paraben Forensics Hardware: Handheld First Responder Kit
Paraben Forensics Hardware: Wireless StrongHold Bag
Paraben Forensics Hardware: Wireless StrongHold Box
Paraben Forensics Hardware: Passport StrongHold Bag
Paraben Forensics Hardware: Device Seizure Toolbox
Paraben Forensics Hardware: Project-a-Phone
Paraben Forensics Hardware: Lockdown
Paraben Forensics Hardware: iRecovery Stick
Paraben Forensics Hardware: Data Recovery Stick
Paraben Forensics Hardware: Chat Stick
Paraben Forensics Hardware: USB Serial DB9 Adapter
Paraben Forensics Hardware: Mobile Field Kit
Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop
Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
Portable Forensic Systems and Towers: Ultimate Forensic Machine
Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
Tableau T3u Forensic SATA Bridge Write Protection Kit
Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader
Tableau TACC 1441 Hardware Accelerator
Multiple TACC1441 Units
Tableau TD1 Forensic Duplicator
Power Supplies and Switches
Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon)
Digital Intelligence Forensic Hardware: FRED-L
Digital Intelligence Forensic Hardware: FRED SC
Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
Digital Intelligence Forensic Hardware: Rack-A-TACC
Digital Intelligence Forensic Hardware: FREDDIE
Digital Intelligence Forensic Hardware: UltraKit
Digital Intelligence Forensic Hardware: UltraBay II
Digital Intelligence Forensic Hardware: UltraBlock SCSI
Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device
Digital Intelligence Forensic Hardware: HardCopy 3P
Wiebetech: Forensics DriveDock v4
Wiebetech: Forensic UltraDock v4
Wiebetech: Drive eRazer
Wiebetech: v4 Combo Adapters
Wiebetech: ProSATA SS8
Wiebetech: HotPlug
CelleBrite: UFED System
CelleBrite: UFED Physical Pro
CelleBrite: UFED Ruggedized
DeepSpar: Disk Imager Forensic Edition
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
InfinaDyne Forensic Products: Robotic System Status Light
Image MASSter: Solo-4 (Super Kit)
Image MASSter: RoadMASSter-3
Image MASSter: WipeMASSter
Image MASSter: WipePRO
Image MASSter: Rapid Image 7020CS IT
Logicube: Forensic MD5
Logicube: Forensic Talon
Logicube: Portable Forensic Lab
Logicube: CellDEK
Logicube: Forensic Quest-2
Logicube: NETConnect
Logicube: RAID I/O Adapter
Logicube: GPStamp
Logicube: OmniPort
Logicube: Desktop WritePROtects
Logicube: USB Adapter
Logicube: CloneCard Pro
Logicube: EchoPlus
OmniClone IDE Laptop Adapters
Logicube: Cables
VoomTech: HardCopy 3P
VoomTech: SHADOW 2
Module Flow: Computer Forensics Software
Basic Software Requirements in a Forensics Lab
Main Operating System and Application Inventories
Imaging Software: R-Drive Image
Demo - R-Drive Image
Imaging Software: P2 eXplorer Pro
Imaging Software: AccuBurn-R for CD/DVD Inspector
Imaging Software: Flash Retriever Forensic Edition
File Conversion Software: FileMerlin
File Conversion Software: SnowBatch
File Conversion Software: Zamzar
File Viewer Software: File Viewer
File Viewer Software: Quick View Plus 11 Standard Edition
Demo - File Viewers
Analysis Software: P2 Commander
P2 Commander Screenshot
Analysis Software: DriveSpy
Analysis Software: SIM Card Seizure
Analysis Software: CD/DVD Inspector
Analysis Software: Video Indexer (Vindex)
Monitoring Software: Device Seizure
Device Seizure Screenshots
Monitoring Software: Deployable P2 Commander (DP2C)
Monitoring Software: ThumbsDisplay
ThumbsDisplay Screenshot
Monitoring Software: Email Detective
Computer Forensics Software: DataLifter
Computer Forensics Software: X-Ways Forensics
Demo - X-Ways Forensics
Computer Forensics Software: LiveWire Investigator
Module 06 Review
Module 07 - Understanding Hard Disks and File Systems (3h 59m)
Module Flow: Hard Disk Drive Overview
Disk Drive Overview (Cont'd)
Disk Drive Overview
Hard Disk Drive
Solid-State Drive (SSD)
Physical Structure of a Hard Disk (Cont'd)
Physical Structure of a Hard Disk
Logical Structure of Hard Disk
Types of Hard Disk Interfaces
Hard Disk Interfaces: ATA
Hard Disk Interfaces: SCSI (Cont'd)
Hard Disk Interfaces: SCSI
Hard Disk Interfaces: IDE/EIDE
Hard Disk Interfaces: USB