Computer Hacking Forensic Investigator

May 29, 2016 | Author: Daniel Alejandro | Category: N/A

Computer Hacking Forensic Investigator

EC-Council

Computer Forensics

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information. Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases.

Electronic evidence is critical in the following situations:

• Disloyal employees
• Computer break-ins
• Possession of pornography
• Breach of contract
• Industrial espionage
• E-mail fraud
• Bankruptcy
• Disputed dismissals
• Web page defacements
• Theft of company documents

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client’s systems, to tracing the originator of defamatory e-mails, to recovering signs of fraud. The CHFI course will provide participants with the skills necessary to identify an intruder’s footprints and to properly gather the evidence needed to prosecute in a court of law.

The CHFI course will benefit:

• Police and other law enforcement personnel
• Defense and military personnel
• e-Business security professionals
• Systems administrators
• Legal professionals
• Banking, insurance and other professionals
• Government agencies
• IT managers

Computer Hacking Forensic Investigator (CHFI) Course Outline v1

Module 1 Computer Forensics and Investigations as a Profession
• Understanding Computer Forensics
• Comparing Definitions of Computer Forensics
• Exploring a Brief History of Computer Forensics
• Developing Computer Forensics Resources
• Preparing for Computing Investigations
• Understanding Enforcement Agency Investigations
• Understanding Corporate Investigations
• Maintaining Professional Conduct

Module 2 Understanding Computer Investigations
• Preparing a Computer Investigation
• Examining a Computer Crime
• Examining a Company-Policy Violation
• Taking a Systematic Approach
• Assessing the Case
• Planning Your Investigation
• Securing Your Evidence
• Understanding Data-Recovery Workstations and Software
• Setting Up Your Workstation for Computer Forensics
• Executing an Investigation
• Gathering the Evidence
• Copying the Evidence Disk
• Analyzing Your Digital Evidence
• Completing the Case
• Critiquing the Case

Module 3 Working with Windows and DOS Systems
• Understanding File Systems
• Understanding the Boot Sequence
• Examining Registry Data
• Disk Drive Overview
• Exploring Microsoft File Structures
• Disk Partition Concerns
• Boot Partition Concerns
• Examining FAT Disks
• Examining NTFS Disks
• NTFS System Files
• NTFS Attributes
• NTFS Data Streams
• NTFS Compressed Files
• NTFS Encrypted File Systems (EFS)
• EFS Recovery Key Agent
• Deleting NTFS Files
• Understanding Microsoft Boot Tasks
• Windows XP, 2000, and NT Startup
• Windows XP System Files
• Understanding MS-DOS Startup Tasks
• Other DOS Operating Systems

Module 4 Macintosh and Linux Boot Processes and Disk Structures
• Understanding the Macintosh File Structure
• Understanding Volumes
• Exploring Macintosh Boot Tasks
• Examining UNIX and Linux Disk Structures
• UNIX and Linux Overview
• Understanding modes
• Understanding UNIX and Linux Boot Processes
• Understanding Linux Loader
• UNIX and Linux Drives and Partition Scheme
• Examining Compact Disc Data Structures
• Understanding Other Disk Structures
• Examining SCSI Disks
• Examining IDE/EIDE Devices

Module 5 The Investigator’s Office and Laboratory
• Understanding Forensic Lab Certification Requirements
• Identifying Duties of the Lab Manager and Staff
• Balancing Costs and Needs
• Acquiring Certification and Training
• Determining the Physical Layout of a Computer Forensics Lab
• Identifying Lab Security Needs
• Conducting High-Risk Investigations
• Considering Office Ergonomics
• Environmental Conditions
• Lighting
• Structural Design Considerations
• Electrical Needs
• Communications
• Fire-suppression Systems
• Evidence Lockers
• Facility Maintenance
• Physical Security Needs
• Auditing a Computer Forensics Lab
• Computer Forensics Lab Floor Plan Ideas
• Selecting a Basic Forensic Workstation
• Selecting Workstations for Police Labs
• Selecting Workstations for Private and Corporate Labs
• Stocking Hardware Peripherals
• Maintaining Operating Systems and Application Software Inventories
• Using a Disaster Recovery Plan
• Planning for Equipment Upgrades
• Using Laptop Forensic Workstations
• Building a Business Case for Developing a Forensics Lab
• Creating a Forensic Boot Floppy Disk
• Assembling the Tools for a Forensic Boot Floppy Disk
• Retrieving Evidence Data Using a Remote Network Connection

Module 6 Current Computer Forensics Tools
• Evaluating Your Computer Forensics Software Needs
• Using National Institute of Standards and Technology (NIST) Tools
• Using National Institute of Justice (NIJ) Methods
• Validating Computer Forensics Tools
• Using Command-Line Forensics Tools
• Exploring NTI Tools
• Exploring Ds2dump
• Reviewing DriveSpy
• Exploring PDBlock
• Exploring PDWipe
• Reviewing Image
• Exploring Part
• Exploring SnapBack DatArrest
• Exploring Byte Back
• Exploring MaresWare
• Exploring DIGS Mycroft v3
• Exploring Graphical User Interface (GUI) Forensics Tools
• Exploring AccessData Programs
• Exploring Guidance Software EnCase
• Exploring Ontrack
• Using BIAProtect
• Using LC Technologies Software
• Exploring WinHex Specialist Edition
• Exploring DIGS Analyzer Professional Forensic Software
• Exploring ProDiscover DFT
• Exploring DataLifter
• Exploring ASRData
• Exploring the Internet History Viewer
• Exploring Other Useful Computer Forensics Tools
• Exploring LTOOLS
• Exploring Mtools
• Exploring R-Tools
• Using Explore2fs
• Exploring @stake
• Exploring TCT and TCTUTILs
• Exploring ILook
• Exploring HashKeeper
• Using Graphic Viewers
• Exploring Hardware Tools
• Computing-Investigation Workstations
• Building Your Own Workstation
• Using a Write-blocker
• Using LC Technology International Hardware
• Forensic Computers
• DIGS
• Digital Intelligence
• Image MASSter Solo
• FastBloc
• Acard
• NoWrite
• Wiebe Tech Forensic DriveDock
• Recommendations for a Forensic Workstation

Module 7 Digital Evidence Controls
• Identifying Digital Evidence
• Understanding Evidence Rules
• Securing Digital Evidence at an Incident Scene
• Cataloging Digital Evidence
• Lab Evidence Considerations
• Processing and Handling Digital Evidence
• Storing Digital Evidence
• Evidence Retention and Media Storage Needs
• Documenting Evidence
• Obtaining a Digital Signature

Module 8 Processing Crime and Incident Scenes
• Processing Private-Sector Incident Scenes
• Processing Law Enforcement Crime Scenes
• Understanding Concepts and Terms Used in Warrants
• Preparing for a Search
• Identifying the Nature of the Case
• Identifying the Type of Computing System
• Determining Whether You Can Seize a Computer
• Obtaining a Detailed Description of the Location
• Determining Who Is in Charge
• Using Additional Technical Expertise
• Determining the Tools You Need
• Preparing the Investigation Team
• Securing a Computer Incident or Crime Scene
• Seizing Digital Evidence at the Scene
• Processing a Major Incident or Crime Scene
• Processing Data Centers with an Array of RAIDS
• Using a Technical Advisor at an Incident or Crime Scene
• Sample Civil Investigation
• Sample Criminal Investigation
• Collecting Digital Evidence

Module 9 Data Acquisition
• Determining the Best Acquisition Method
• Planning Data Recovery Contingencies
• Using MS-DOS Acquisition Tools
• Understanding How DriveSpy Accesses Sector Ranges
• Data Preservation Commands
• Using DriveSpy Data Manipulation Commands
• Using Windows Acquisition Tools
• AccessData FTK Explorer
• Acquiring Data on Linux Computers
• Using Other Forensics Acquisition Tools
• Exploring SnapBack DatArrest
• Exploring SafeBack
• Exploring EnCase

Module 10 Computer Forensic Analysis
• Understanding Computer Forensic Analysis
• Refining the Investigation Plan
• Using DriveSpy to Analyze Computer Data
• DriveSpy Command Switches
• DriveSpy Keyword Searching
• DriveSpy Scripts
• DriveSpy Data-Integrity Tools
• DriveSpy Residual Data Collection Tools
• Other Useful DriveSpy Command Tools
• Using Other Digital Intelligence Computer Forensics Tools
• Using PDBlock and PDWipe
• Using AccessData’s Forensic Toolkit
• Performing a Computer Forensic Analysis
• Setting Up Your Forensic Workstation
• Performing Forensic Analysis on Microsoft File Systems
• UNIX and Linux Forensic Analysis
• Macintosh Investigations
• Addressing Data Hiding Techniques
• Hiding Partitions
• Marking Bad Clusters
• Bit-Shifting
• Using Steganography
• Examining Encrypted Files
• Recovering Passwords

Module 11 E-mail Investigations
• Understanding Internet Fundamentals
• Understanding Internet Protocols
• Exploring the Roles of the Client and Server in E-mail
• Investigating E-mail Crimes and Violations
• Identifying E-mail Crimes and Violations
• Examining E-mail Messages
• Copying an E-mail Message
• Printing an E-mail Message
• Viewing E-mail Headers
• Examining an E-mail Header
• Examining Additional E-mail Files
• Tracing an E-mail Message
• Using Network Logs Related to E-mail
• Understanding E-mail Servers
• Examining UNIX E-mail Server Logs
• Examining Microsoft E-mail Server Logs
• Examining Novell GroupWise E-mail Logs
• Using Specialized E-mail Forensics Tools

Module 12 Recovering Image Files
• Recognizing an Image File
• Understanding Bitmap and Raster Images
• Understanding Vector Images
• Metafile Graphics
• Understanding Image File Formats
• Understanding Data Compression
• Reviewing Lossless and Lossy Compression
• Locating and Recovering Image Files
• Identifying Image File Fragments
• Repairing Damaged Headers
• Reconstructing File Fragments
• Identifying Unknown File Formats
• Analyzing Image File Headers
• Tools for Viewing Images
• Understanding Steganography in Image Files
• Using Steganalysis Tools
• Identifying Copyright Issues with Graphics

Module 13 Writing Investigation Reports
• Understanding the Importance of Reports
• Limiting the Report to Specifics
• Types of Reports
• Expressing an Opinion
• Designing the Layout and Presentation
• Litigation Support Reports versus Technical Reports
• Writing Clearly
• Providing Supporting Material
• Formatting Consistently
• Explaining Methods
• Data Collection
• Including Calculations
• Providing for Uncertainty and Error Analysis
• Explaining Results
• Discussing Results and Conclusions
• Providing References
• Including Appendices
• Providing Acknowledgments
• Formal Report Format
• Writing the Report
• Using FTK Demo Version

Module 14 Becoming an Expert Witness
• Comparing Technical and Scientific Testimony
• Preparing for Testimony
• Documenting and Preparing Evidence
• Keeping Consistent Work Habits
• Processing Evidence
• Serving as a Consulting Expert or an Expert Witness
• Creating and Maintaining Your CV
• Preparing Technical Definitions
• Testifying in Court
• Understanding the Trial Process
• Qualifying Your Testimony and Voir Dire
• Addressing Potential Problems
• Testifying in General
• Presenting Your Evidence
• Using Graphics in Your Testimony
• Helping Your Attorney
• Avoiding Testimony Problems
• Testifying During Direct Examination
• Using Graphics During Testimony
• Testifying During Cross-Examination
• Exercising Ethics When Testifying
• Understanding Prosecutorial Misconduct
• Preparing for a Deposition
• Guidelines for Testifying at a Deposition
• Recognizing Deposition Problems
• Public Release: Dealing with Reporters
• Forming an Expert Opinion
• Determining the Origin of a Floppy Disk

Module 15 Computer Security Incident Response Team
• Incident Response Team
• Incident Reporting Process
• Low-level incidents
• Mid-level incidents
• High-level incidents
• What is a Computer Security Incident Response Team (CSIRT)?
• Why would an organization need a CSIRT?
• What types of CSIRTs exist?
• Other Response Teams Acronyms
• What does a CSIRT do?
• What is Incident Handling?
• Need for CSIRT in Organizations
• Best Practices for Creating a CSIRT

Module 16 Logfile Analysis
• Secure Audit Logging
• Audit Events
• Syslog
• Message File
• Setting Up Remote Logging
• Linux Process Tracking
• Windows Logging
• Remote Logging in Windows
• Application Logging
• Extended Logging
• Monitoring for Intrusion and Security Events
• Importance of Time Synchronization
• Passive Detection Methods
• Dump Event Log Tool (Dumpel.exe)
• EventCombMT
• Event Collection
• Scripting
• Event Collection Tools
• Forensic Tool: fwanalog
• Elements of an End-to-End Forensic Trace
• Log Analysis and Correlation
• TCPDump logs
• Intrusion Detection Log (RealSecure)
• Intrusion Detection Log (SNORT)
• ntsyslog

Module 17 Recovering Deleted Files
• The Windows Recycle Bin
• Digital evidence
• Recycle Hidden Folder
• How do I undelete a file?
• e2undel
• O&O UnErase
• Restorer2000
• BadCopy Pro
• File Scavenger
• Mycroft v3
• PC ParaChute
• Search and Recover
• Stellar Phoenix Ext2, Ext3
• Zero Assumption Digital Image Recovery
• FileSaver
• VirtualLab Data Recovery
• R-Linux
• Drive & Data Recovery
• Active@ UNERASER - DATA Recovery

Module 18 Application Password Crackers
• Advanced Office XP Password Recovery
• AOXPPR
• Accent Keyword Extractor
• Advanced PDF Password Recovery
• APDFPR
• Distributed Network Attack
• Windows XP / 2000 / NT Key
• Passware Kit
• How to Bypass BIOS Passwords
• BIOS Password Crackers
• Removing the CMOS Battery
• Default Password Database

Module 19 Investigating E-Mail Crimes
• E-mail Crimes
• Sending Fakemail
• Sending E-mail using Telnet
• Tracing an e-mail
• Mail Headers
• Reading Email Headers
• Tracing Back
• Tracing Back Web Based E-mail
• Microsoft Outlook Mail
• Pst File Location
• Tool: R-Mail
• Tool: FinaleMail
• Searching E-mail Addresses
• E-mail Search Site
• abuse.net
• Network Abuse Clearing House
• Handling Spam
• Protecting your E-mail Address from Spam
• Tool: Enkoder Form
• Tool: eMailTrackerPro
• Tool: SPAM Punisher

Module 20 Investigating Web Attacks
• How to Tell an Attack is in Progress
• What to Do When You Are Under Attack?
• Conducting the Investigation
• Attempted Break-in
• Step 1: Identifying the System(s)
• Step 2: Traffic between source and destination
• How to detect attacks on your server?
• Investigating Log Files
• IIS Logs
• Log file Codes
• Apache Logs
• Access_log
• Log Security
• Log File Information
• Simple Request
• Time/Date Field
• Mirrored Site Detection
• Mirrored Site in IIS Logs
• Vulnerability Scanning Detection
• Example of Attack in Log file
• Web Page Defacement
• Defacement using DNS Compromise
• Investigating DNS Poisoning
• Investigating FTP Servers
• Example of FTP Compromise
• FTP logs
• SQL Injection Attacks
• Investigating SQL Injection Attacks
• Web Based Password Brute Force Attack
• Investigating IP Address
• Tools for locating IP Address
• Investigating Dynamic IP Address
• Location of DHCP Server Logfile

Module 21 Investigating Network Traffic
• Network Intrusions and Attacks
• Direct vs. Distributed Attacks
• Automated Attacks
• Accidental “Attacks”
• Address Spoofing
• IP Spoofing
• ARP Spoofing
• DNS Spoofing
• Preventing IP Spoofing
• Preventing ARP Spoofing
• Preventing DNS Spoofing
• Forensic Tools for Network Investigations
• TCPDump
• Ethereal
• NetAnalyst
• Ettercap
• VisualZone
• DShield

Module 22 Investigating Router Attacks
• DoS Attacks
• Investigating DoS Attacks
• Investigating Router Attacks

Module 23 The Computer Forensics Process
• Evidence Seizure Methodology
• Before the Investigation
• Document Everything
• Confiscation of Computer Equipment

Module 24 Data Duplication
• Tool: R-Drive Image
• Tool: DriveLook
• Tool: DiskExplorer for NTFS

Module 25 Windows Forensics
• System State Backup
• Forensic Tool: Back4Win
• Forensic Tool: Registry Watch
• Gathering Evidence in Windows
• Collecting Data from Memory
• Collecting Evidence
• Memory Dump
• Manual Memory Dump (Windows 2000)
• Manual Memory Dump (Windows XP)
• PMDump
• Windows Registry
• Registry Data
• Regmon utility
• Forensic Tool: InCntrl5
• Backing Up the Entire Registry
• System Processes
• Process Monitors
• Default Processes in Windows NT, 2000, and XP
• Process-Monitoring Programs
• Process Explorer
• Look for Hidden Files
• Viewing Hidden Files in Windows
• NTFS Streams
• Detecting NTFS Streams
• Rootkits
• Detecting Rootkits
• Sigverif
• Detecting Trojans and Backdoors
• Removing Trojans and Backdoors
• Port Numbers Used by Trojans
• Examining the Windows Swap File
• Swap file as evidence
• Viewing the Contents of the Swap/Page File
• Recovering Evidence from the Web Browser
• Locating Browser History Evidence
• Forensic Tool: Cache Monitor
• Print Spooler Files
• Steganography
• Forensic Tool: StegDetect
• Investigating User Accounts
• File Auditing Tools

Module 26 Linux Forensics
• Performing Memory Dump on Unix Systems
• Viewing Hidden Files
• Executing Process
• Create a Linux Forensic Toolkit
• Collect Volatile Data Prior to Forensic Duplication
• Executing a Trusted Shell
• Determining Who is logged on to the System
• Determining the Running Processes
• Detecting Loadable Kernel Module Rootkits
• LKM
• Open Ports and Listening Applications
• /proc file system
• Log Files
• Configuration Files
• Low Level Analysis
• Log Messages
• Running syslogd
• Collecting an Evidential Image

Module 27 Investigating PDA
• Paraben’s PDA Seizure

Module 28 Enforcement Law and Prosecution
• Freedom of Information Act
• Reporting Security Breaches to Law Enforcement
• National Infrastructure Protection Center
• Federal Computer Crimes and Laws
• Federal Laws
• The USA Patriot Act of 2001
• Building the Cybercrime Case
• How the FBI Investigates Computer Crime
• Cyber Crime Investigations
• Computer-facilitated crime
• FBI
• Federal Statutes
• Local laws
• Federal Investigative Guidelines
• Gather Proprietary Information
• Contact law enforcement
• To initiate an investigation

Module 29 Investigating Trademark and Copyright Infringement
• Trademarks
• Trademark Eligibility
• What is a service mark?
• What is trade dress?
• Internet domain name
• Trademark Infringement
• Conducting a Trademark Search
• Using Internet to Search for Trademarks
• Hiring a professional firm to conduct my trademark search
• Trademark Registrations
• Benefits of Trademark Registration
• Copyright
• How long does a copyright last?
• Copyright Notice
• Copyright “Fair Use” Doctrine
• U.S. Copyright Office
• How are copyrights enforced?
• SCO vs IBM
• What is Plagiarism?
• Turnitin
• Plagiarism Detection Tools

International Council of E-Commerce Consultants
67 Wall Street, 22nd Floor
New York, NY 10005-3198 USA
Phone: 212.709.8253
Fax: 212.943.2300

© 2002 EC-Council. All rights reserved. This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. The EC-Council logo is a registered trademark or trademark of EC-Council in the United States and/or other countries.