Course Outline v2

Module I: Computer Forensics in Today’s World

• Introduction
• History of Forensics
• Definition of Forensic Science
• Definition of Computer Forensics
• What Is Computer Forensics?
• Need for Computer Forensics
• Evolution of Computer Forensics
• Computer Forensics Flaws and Risks
• Corporate Espionage Statistics
• Modes of Attacks
• Cyber Crime
• Examples of Cyber Crime
• Reason for Cyber Attacks
• Role of Computer Forensics in Tracking Cyber Criminals
• Rules of Computer Forensics
• Computer Forensics Methodologies
• Accessing Computer Forensics Resources
• Preparing for Computing Investigations
• Maintaining professional conduct
• Understanding Enforcement Agency Investigations
• Understanding Corporate Investigations
• Investigation Process
• Digital Forensics

Module II: Law And Computer Forensics

• What Is Cyber Crime?
• What Is Computer Forensics?
• Computer Facilitated Crimes
• Reporting Security Breaches to Law Enforcement
• National Infrastructure Protection Center
• FBI
• Federal Statutes
• Cyber Laws
• Approaches to Formulate Cyber Laws
• Scientific Working Group on Digital Evidence (SWGDE)
• Federal Laws
• The USA Patriot Act of 2001
• Freedom of Information Act
• Building Cyber Crime Case
• How the FBI Investigates Computer Crime?
• How to Initiate an Investigation?
• Legal Issues Involved in Seizure of Computer Equipments
• Searching With a Warrant
• Searching Without a Warrant
• Privacy Issues Involved in Investigations
• International Issues Related to Computer Forensics
• Crime Legislation of EU
• Cyber Crime Investigation

Module III: Computer Investigation Process

• Investigating Computer Crime
• Investigating a Company Policy Violation
• Investigation Methodology
• Evaluating the Case
• Before the Investigation
• Document Everything
• Investigation Plan
• Obtain Search Warrant
• Warning Banners
• Shutdown the Computer
• Collecting the Evidence
• Confiscation of Computer Equipments
• Preserving the Evidence
• Importance of Data-recovery Workstations and Software
• Implementing an Investigation
• Understanding Bit-stream Copies
• Imaging the Evidence Disk
• Examining the Digital Evidence
• Closing the Case
• Case Evaluation

Module IV: Computer Security Incident Response Team

• Present Networking Scenario
• Vulnerability
• Vulnerability Statistics
• What Is an Incident?
• A Study by CERT Shows Alarming Rise in Incidents (security Breach
• How to Identify an Incident
• Whom to Report an Incident?
• Incident Reporting
• Category of Incidents
• Handling Incidents
• Procedure for Handling Incident
• Preparation
• Identification
• Containment
• Eradication
• Recovery
• Follow up
• What Is CSIRT?
• Why an Organization Needs an Incident Response Team?
• Need for CSIRT
• Example of CSIRT
• CSIRT Vision
• Vision
• Best Practices for Creating a CSIRT
• Step 1: Obtain Management Support and Buy-In
• Step 2: Determine the CSIRT Development Strategic
• Step 3: Gather Relevant Information
• Step 4: Design your CSIRT Vision
• Step 5: Communicate the CSIRT Vision
• Step 6: Begin CSIRT Implementation
• Step 7: Announce the CSIRT
• Other Response Teams Acronyms and CSIRTs around the world
• World CSIRT

Module V: Computer Forensic Laboratory Requirements

• Budget Allocation for a Forensics Lab
• Physical Location Needs of a Forensic Lab
• Work Area of a Computer Forensics Lab
• General Configuration of a Forensic
• Equipment Needs in a Forensics Lab
• Ambience of a Forensics Lab
• Environmental Conditions
• Recommended Eyestrain Considerations
• Structural Design Considerations
• Electrical Needs
• Communications
• Basic Workstation Requirements in a Forensic Lab
• Consider stocking the following hardware peripherals
• Maintain Operating System and Application Inventories
• Common Terms
• Physical Security Recommendations for a Forensic Lab
• Fire-Suppression Systems
• Evidence Locker Recommendations
• Evidence Locker Combination Recommendations
• Evidence Locker Padlock Recommendations
• Facility Maintenance
• Auditing a Computer Forensics Lab
• Auditing a Forensics Lab
• Forensics Lab
• Mid Sized Lab
• Forensic Lab Licensing Requisite
• Forensic Lab Manager Responsibilities

Module VI: Understanding File systems and Hard disks

• Disk Drive Overview - I
• Hard Disk
• Disk Platter
• Tracks
• Tracks Numbering
• Sector
• Sector addressing
• Cluster
• Cluster Size
• Slack Space
• Lost Clusters
• Bad Sector
• Understanding File Systems
• Types of File System
• List of Disk File Systems
• List of Network file systems
• Special Purpose File systems
• Popular Linux File systems
• Sun Solaris 10 File system - ZFS
• Windows File systems
• Mac OS X File system
• CD-ROM / DVD File system
• File system Comparison
• Boot Sector
• Exploring Microsoft File Structures
• Disk Partition Concerns
• Boot Partition Concerns
• Examining FAT
• NTFS
• NTFS System Files
• NTFS Partition Boot Sector
• NTFS Master File Table (MFT)
• NTFS Attributes
• NTFS Data Stream
• NTFS Compressed Files
• NTFS Encrypted File Systems (EFS)
• EFS File Structure
• Metadata File Table (MFT)
• EFS Recovery Key Agent
• Deleting NTFS Files
• Understanding Microsoft Boot Tasks
• Windows XP system files
• Understanding Boot Sequence DOS
• Understanding MS-DOS Startup Tasks
• Other DOS Operating Systems
• Registry Data
• Examining Registry Data

Module VII: Windows Forensics

• Locating Evidence on Windows Systems
• Gathering Volatile Evidence
• Pslist
• Forensic Tool: fport
• Forensic Tool - Psloggedon
• Investigating Windows File Slack
• Examining File Systems
• Built-in Tool: Sigverif
• Word Extractor
• Checking Registry
• Reglite.exe
• Tool: Resplendent Registrar 3.30
• Microsoft Security ID
• Importance of Memory Dump
• Manual Memory Dumping in Windows 2000
• Memory Dumping in Windows XP and Pmdump
• System State Backup
• How to Create a System State Backup?
• Investigating Internet Traces
• Tool - IECookiesView
• Tool - IE History Viewer
• Forensic Tool: Cache Monitor
• CD-ROM Bootable Windows XP
• Bart PE
• Ultimate Boot CD-ROM
• List of Tools in UB CD-ROM
• Desktop Utilities
• File Analysis Tools
• File Management Tools
• File Recovery Tools
• File Transfer Tools
• Hardware Info Tools
• Process Viewer Tools
• Registry Tools

Module VIII:  Linux and Macintosh Boot processes

• UNIX Overview
• Linux Overview
• Understanding Volumes -I
• Exploring Unix/Linux Disk Data Structures
• Understanding Unix/linux Boot Process
• Understanding Linux Loader
• Linux Boot Process Steps
• Step 1: The Boot Manager
• Step 2: init
• Step 2.1: /etc/inittab
• runlevels
• Step 3: Services
• Understanding Permission Modes
• Unix and Linux Disk Drives and Partitioning Schemes
• Mac OS X        
• Mac OS X Hidden Files
• Booting Mac OS X
• Mac OS X Boot Options
• The Mac OS X Boot Process
• Installing Mac OS X on Windows XP
• PearPC
• MacQuisition Boot CD

Module IX: Linux Forensics

• Use of Linux as a Forensics Tool
• Recognizing Partitions in Linux
• File System in Linux
• Linux Boot Sequence
• Linux Forensics
• Case Example
• Step-by-step approach to Case 1 (a)
• Step-by-step approach to Case 1 (b)
• Step-by-step approach to Case 1 (c)
• Step-by-step approach to Case 1 (d)
• Case 2
• Challenges in disk forensics with Linux
• Step-by-step approach to Case 2 (a)
• Step-by-step approach to Case 2 (b)
• Step-by-step approach to Case 2 (c)
• Popular Linux Tools           

Module X: Data Acquisition and Duplication

• Determining the Best Acquisition Methods
• Data Recovery Contingencies
• MS-DOS Data Acquisition Tools
• DriveSpy
• DriveSpy Data Manipulation Commands
• DriveSpy Data Preservation Commands
• Using Windows Data Acquisition Tools
• Data Acquisition Tool: AccessData FTK Explorer
• FTK
• Acquiring Data on Linux
• dd.exe (Windows XP Version)
• Data Acquisition Tool: Snapback Exact
• Data Arrest
• Data Acquisition Tool: SafeBack
• Data Acquisition Tool: Encase
• Need for Data Duplication
• Data Duplication Tool: R-drive Image
• Data Duplication Tool: DriveLook
• Data Duplication Tool: DiskExplorer

Module XI: Recovering Deleted Files

• Introduction
• Digital Evidence
• Recycle Bin in Windows
• Recycle Hidden Folder
• Recycle folder
• How to Undelete a File?
• Tool: Search and Recover
• Tool: Zero Assumption Digital Image Recovery
• Data Recovery in Linux
• Data Recovery Tool: E2undel
• Data Recovery Tool: O&O Unerase
• Data Recovery Tool: Restorer 2000
• Data Recovery Tool: Badcopy Pro
• Data Recovery Tool: File Scavenger
• Data Recovery Tool: Mycroft V3
• Data Recovery Tool: PC Parachute
• Data Recovery Tool: Stellar Phoenix
• Data Recovery Tool: Filesaver
• Data Recovery Tool: Virtual Lab
• Data Recovery Tool: R-linux
• Data recovery tool: Drive and Data Recovery
• Data recovery tool: active@ UNERASER - DATA recovery
• Data recovery tool: Acronis Recovery Expert
• Data Recovery Tool: Restoration
• Data Recovery Tool: PC Inspector File Recovery

Module XII: Image Files Forensics

• Introduction to Image Files
• Recognizing an Image File
• Understanding Bitmap and Vector Images
• Metafile Graphics
• Understanding Image File Formats
• File types
• Understanding Data Compression
• Understanding Lossless and Lossy Compression
• Locating and Recovering Image Files
• Repairing Damaged Headers
• Reconstructing File Fragments
• Identifying Unknown File Formats
• Analyzing Image File Headers
• Picture Viewer: Ifran View
• Picture Viewer: Acdsee
• Picture Viewer: Thumbsplus
• Steganography in Image Files
• Steganalysis Tool: Hex Workshop
• Steganalysis Tool: S-tools
• Identifying Copyright Issues With
  Graphics

Module XIII: Steganography

• Introduction
• Important Terms in Stego-forensics
• Background Information to Image Steganography
• Steganography History
• Evolution of Steganography
• Steps for Hiding Information in Steganography
• Six Categories of Steganography in Forensics
• Types of Steganography
• What Is Watermarking
• Classification of Watermarking
• Types of Watermarks
• Steganographic Detection
• Steganographic Attacks
• Real World Uses of Steganography
• Steganography in the Future
• Unethical Use of Steganography
• Hiding Information in Text Files
• Hiding Information in Image Files
• Process of Hiding Information in Image Files
• Least Significant Bit
• Masking and Filtering
• Algorithms and Transformation
• Hiding Information in Audio Files
• Low-bit Encoding in Audio Files
• Phase Coding
• Spread Spectrum
• Echo Data Hiding
• Hiding Information in DNA
• TEMPEST
• The Steganography Tree
• Steganography Tool: Fort Knox
• Steganography Tool: Blindside
• Steganography Tool: S- Tools
• Steganography Tool: Steghide
• Steganography Tool: Digital Identity
• Steganography Tool: Stegowatch
• Tool : Image Hide
• Data Stash
• Tool: Mp3Stego
• Tool: Snow.exe
• Tool: Camera/Shy
• Steganography Detection

Module XIV: Computer Forensic Tools

• Dump Tool:  DS2DUMP
• Dump Tool: Chaosreader
• Slack Space & Data Recovery Tools: Drivespy
• Slack Space & Data Recovery Tools: Ontrack
• Hard Disk Write Protection Tools: Pdblock
• Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock
• Permanent Deletion of Files:pdwipe
• Disk Imaging Tools: Image & Iximager
• Disk Imaging Tools: Snapback Datarrest
• Partition Managers: PART & Explore2fs
• Linux/unix Tools: Ltools and Mtools
• Linux/UNIX tools: TCT and TCTUTILs
• Password Recovery Tool: @Stake
• ASRData
• SMART Screenshot
• Ftime
• Oxygen Phone Manager
• Multipurpose Tools: Byte Back  & Biaprotect
• Multipurpose Tools: Maresware
• Multipurpose Tools: LC Technologies Software
• Multipurpose Tools: Winhex Specialist Edition
• Multipurpose Tools: Prodiscover DFT
• Toolkits: NTI tools
• Toolkits: R-Tools-I
• Toolkits: R-Tools-II
• Toolkits: DataLifter
• Toolkits: AccessData
• LC Technology International Hardware
• Screenshot of Forensic Hardware
• Image MASSter Solo  and FastBloc
• RMON2 Tracing Tools and
  MCI DoStracker
• EnCase

Module XV: Application password crackers

• Password - Terminology
• What is a Password Cracker?
• How Does A Password Cracker Work?
• Various Password Cracking Methods
• Classification of Cracking Software
• System Level  Password Cracking
• Application Password Cracking
• Application Software Password Cracker
• Distributed Network Attack-I
• Distributed Network Attack-II
• Passware Kit
• Accent Keyword Extractor
• Advanced Zip Password Recovery
• Default Password Database
• http://phenoelit.darklab.org/
• http://www.defaultpassword.com/
• http://www.cirt.net/cgi-bin/passwd.pl
• Password Cracking Tools List

Module XVI: Investigating Logs

• Audit Logs and Security
• Audit Incidents
• Syslog
• Remote Logging
• Linux Process Accounting
• Configuring Windows Logging
• Setting up Remote Logging in Windows
• NtSyslog
• EventReporter
• Application Logs
• Extended Logging in IIS Server
• Examining Intrusion and Security Events
• Significance of Synchronized Time
• Event Gathering
• EventCombMT
• Writing Scripts
• Event Gathering Tools
• Forensic Tool: Fwanalog
• End-to End Forensic Investigation
• Correlating Log files
• Investigating TCPDump
• IDS Loganalyais:RealSecure
• IDS Loganalysis :SNORT

Module XVII:  Investigating network traffic

• Overview of Network Protocols
• Sources of Evidence on a Network
• Overview of Physical and Data-link Layer of the OSI Model
• Evidence Gathering at the Physical Layer
• Tool: Windump
• Evidence Gathering at the Data-link Layer
• Tool: Ethereal
• Tool: NetIntercept
• Overview of Network and Transport Layer of the OSI Model
• Evidence Gathering at the Network and Transport Layer-(I)
• Gathering Evidence on a Network
• GPRS Network Sniffer : Nokia LIG
• NetWitness
• McAffee Infinistream Security Forensics
• Snort 2.1.0
• Documenting the Gathered Evidence on a Network
• Evidence Reconstruction for Investigation

Module XVIII: Router Forensics

• What Is a Router?
• Functions of a Router
• A Router in an OSI Model
• Routing Table and Its Components
• Router Architecture
• Implications of a Router Attack
• Types of Router Attacks
• Denial of Service (DoS) Attacks
• Investigating Dos Attacks
• Smurfing – Latest in Dos Attacks
• Packet “Mistreating” Attacks
• Routing Table Poisoning
• Hit-and-run Attacks Vs. Persistent Attacks
• Router Forensics Vs. Traditional Forensics
• Investigating Routers
• Chain of Custody
• Incident Response & Session Recording
• Accessing the Router
• Volatile Evidence Gathering
• Router Investigation Steps - I
• Analyzing the Intrusion
• Logging
• Incident Forensics
• Handling a Direct Compromise Incident
• Other Incidents

Module XIX: Investigating Web Attacks

• Indications of a web attack
• Responding to a web attack
• Overview of web logs
• Mirrored Sites
• N-Stealth
• Investigating static and dynamic IP address
• Tools for locating IP Address: Nslookup
• Tools for locating IP Address: Traceroute
• Tools for locating IP Address:
   NeoTrace (Now McAfee Visual Trace)
• Tools for locating IP Address: Whois
• Web page defacement
• Defacement using DNS compromise
• Investigating DNS Poisoning
• SQL Injection Attacks
• Investigating SQL Injection Attacks
• Investigating FTP Servers
• Investigating FTP Logs
• Investigating IIS Logs
• Investigating Apache Logs
• Investigating DHCP Server Logfile

Module XX: Tracking E-mails and Investigating E-mail crimes

• Understanding Internet Fundamentals
• Understanding Internet Protocols
• Exploring the Roles of the Client and Server in E-mail
• E-mail Crime
• Spamming, Mail Bombing, Mail Storm
• Chat Rooms
• Identity Fraud , Chain Letter
• Sending Fakemail
• Investigating E-mail Crime and Violation
• Viewing E-mail Headers
• Examining an E-mail Header
• Viewing Header in Microsoft Outlook
• Viewing Header in Eudora
• Viewing Header in Outlook Express
• Viewing Header in AOL
• Viewing Header in Hot Mail
• Viewing Header using Pine for Unix
• Viewing Header in Juno
• Viewing Header in Yahoo
• Examining Additional Files
• Microsoft Outlook Mail
• Pst File Location
• Tracing an E-mail Message
• Using Network Logs Related  to E-mail
• Understanding E-mail Server
• Examining UNIX E-mail Server Logs
• Examining Microsoft E-mail Server Logs
• Examining Novell GroupWise E-mail Logs
• Using Specialized E-mail Forensic Tools
• Tool:FINALeMAIL
• Tool: R-Mail
• E-Mail Examiner by Paraben
• Network E-Mail Examiner by Paraben
• Tracing Back
• Tracing Back Web Based E-mail
• Searching E-mail Addresses
• E-mail Search Site
• Handling Spam
• Network Abuse Clearing House
• Abuse.Net
• Protecting Your E-mail Address From Spam
• Tool: Enkoder Form
• Tool:eMailTrackerPro
• Tool:SPAM Punisher

Module XXI: Mobile and PDA Forensics

• Latest Mobile Phone Access Technologies
• Evidence in Mobile Phones
• Mobile Phone Forensic Examination Methodology
• Examining Phone Internal Memory
• Examining SIM
• Examining Flash Memory and Call data records
• Personal Digital Assistant (PDA)
• PDA Components
• PDA Forensics
• PDA Forensics - Examination
• PDA Forensics - Identification
• PDA Forensics - Collection
• PDA Forensics - Documentation
• Points to Be Remembered While Conducting Investigation
• PDA Seizure by Paraben
• SIM Card Seizure by Paraben
  (SIM Card acquisition tool)
• Forensic Tool – Palm dd (pdd)
• Forensic Tool - POSE

Module XXII:  Investigating Trademark and Copyright Infringement

• Trademarks
• Trademark Eligibility and Benefits of Registering It
• Service Mark and Trade Dress
• Trademark infringement
• Trademark Search
• www.uspto.gov
• Copyright and Copyright Notice
• Investigating Copyright Status of a Particular Work
• How Long Does a Copyright Last?
• U.S Copyright Office
• Doctrine of “Fair Use”
• How Are Copyrights Enforced?
• SCO Vs. IBM
• SCO Vs Linux
• Line-by-Line Copying
• Plagiarism
• Turnitin
• Plagiarism detection tools
• CopyCatch
• Patent
• Patent Infringement
• Patent Search
• Case Study: Microsoft Vs Forgent
• Internet Domain Name and ICANN
• Domain Name Infringement
• Case Study: Microsoft.com Vs MikeRoweSoft.com
• How to check for Domain Name Infringement?

Module XXIII:  Investigative Reports

• Need of an investigative report
• Report specification
• Report Classification
• Report and Opinion
• Layout of an Investigative Report
• Writing Report
• Use of Supporting Material
• Importance of Consistency
• Salient Features of a Good Report
• Investigative Report Format
• Before Writing the Report
• Writing Report Using FTK

Module XXIV:  Becoming an Expert Witness

• Who Is an Expert?
• Who Is an Expert Witness?
• Role of an Expert Witness
• Technical Testimony  Vs.
  Expert Testimony
• Preparing for Testimony
• Evidence Preparation and Documentation
• Evidence Processing Steps
• Rules Pertaining to an Expert Witness’ Qualification
• Importance of Curriculum Vitae
• Technical Definitions
• Testifying in Court
• The Order of Trial Proceedings
• Voir dire
• General Ethics While Testifying-i
• Evidence Presentation
• Importance of Graphics in a Testimony
• Helping Your Attorney
• Avoiding Testimony Problems
• Testifying During Direct Examination
• Testifying During Cross Examination
• Deposition
• Guidelines to Testify at a Deposition
• Dealing With Reporters

Module XXV: Forensics in action

• E-mail Hoax     
• Trade Secret Theft
• Operation Cyberslam

APPENDIX:

1. Investigating Wireless Attacks

§         Passive Attacks

§         Netstumbler

§         Active Attacks On Wireless Networks

§         Rogue Access Points

§         Investigating Wireless Attacks

§         Airmagnet

2. Forensics Investigation Using EnCase

§         Evidence File

§         Evidence File Format

§         Verifying File Integrity

§         Hashing

§         Acquiring Image

§         Configuring Encase

§         Encase Options Screen

§         Encase Screens

§         View Menu

§         Device Tab

§         Viewing Files and Folders

§         Bottom Pane

§         Viewers in Bottom Pane

§         Status Bar

§         Searching

§         Keywords

§         Adding Keywords

§         Grouping

§         Add multiple Keywords

§         Starting the Search

§         Search Hits Tab

§         Search Hits

§         Bookmarks

§         Creating Bookmarks     

§         Adding Bookmarks

§         Bookmarking Selected Data

§         Recovering Deleted Files/folders in FAT Partition

§         Recovering Folders in NTFS

§         Master Boot Record

§         NTFS Starting Point

§         Viewing disk Geometry

§         Recovering Deleted Partitions

§         Hash Values

§         Creating Hash Sets

§         MD5 Hash

§         Creating Hash

§         Viewers

§         Signature Analysis

§         Copying Files Folders

§         E-mail Recovery

§         Reporting

§         Encase Boot Disks

§         IE Cache Images

3. First Responder Procedures

§         Steps At Crime Scene

§         People Involved In Incident Response

§         The Role Of A System Administrator

§         First Response By Non-Laboratory Staff

§         Guidelines For Search And Seizure

§         Planning The Search And Seizure

§         Evidence Collection

§         Dealing With Powered Up Computers At Seizure Time

§         How To Pull The Power

§         Seizing Computer Equipment

§         Removable Media

§         Seizing Portable Computers

§         How To Remove HD From Laptops?

§         Initial Interviews

§         Chain Of Custody

4. Checklist for Choosing a Forensic Examiner
5. Investigation Checklist

 
© 2002 EC-Council. All rights reserved.
This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. EC-Council logo is registered trademarks or trademarks of EC-Council in the United States and/or other countries.