CHFI Exam (312-49)

Credit Towards Certification

Computer Hacking Forensic Investigator v3

Exam Details

Number of Questions: 50
Passing Score: 70%
Test Duration: 2 Hours
Test Format: Multiple Choice
Test Delivery: Prometric Prime / Prometric APTC / VUE

Test Objectives v3 

Module 01 Computer Forensics in Today's World

Summarize the History of Forensics

Summarize the basic concepts of Computer Forensics

o What is Computer Forensics?

o Why is Computer Forensics necessary?

o What are the different ways of Forensic Data Collection?

o Objectives of Computer Forensics

o Benefits of Forensic Readiness

o Categories of Forensics Data

Identify Computer Forensics Flaws and Risks

Summarize the basic concepts of Computer Facilitated Crimes

o Types of Computer Crimes

o Cyber Crime

o Modes of Attacks

o Examples of Cyber Crime

o Examples of Evidence

Identify the Stages of Forensic Investigation in Tracking Cyber Criminals

o Key Steps in Forensics Investigations

o Rules of Computer Forensics

o Need for a Forensic Investigator

o Accessing Computer Forensics Resources

Identify the need for and the procedure to maintain professional conduct

Understand Corporate Investigations

Define the term Digital Forensics

Explain the term Enterprise Theory of Investigation (ETI)

Where and when do you use Computer Forensics?

Module 02 Law and Computer Forensics

What privacy issues are involved in investigations?

Discuss the Fourth Amendment

Explain the Interpol Information Technology Crime Center

Summarize Internet Laws and Statutes

How does the FBI investigate computer crime?

o Federal Statutes Investigated by the FBI

Explain the Scientific Working Group on Digital Evidence (SWGDE)

Explain Federal Laws (Computer Crime)

Summarize Intellectual Property Rights

Summarize the laws about Cyber Stalking

List all Crime Investigating Organizations

National Infrastructure Protection Center

Summarize the following acts and laws related to computer forensics:

o The USA Patriot Act of 2001

o The G8 Countries: Principles to Combat High-tech Crime

o The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)

o Crime Legislation of EU

o United Kingdom: Police and Justice Act 2006

o Australia: The Cybercrime Act 2001

o Belgium

o European Laws

o Austrian Laws

o Brazilian Laws

o Belgium Laws

o Canadian Laws

o French Laws

o Indian Laws

o German Laws

o Italian Laws

o Greek Laws

o Danish Laws

o Norwegian Laws

o Dutch Laws

Give a brief overview of Internet Crime Schemes

o Why should you report cybercrime?

o What are the stages in reporting computer-related crimes?

o Who is responsible for reporting the crime?

o When and how to report an Incident?

o Whom to contact in law enforcement?

o How to contact local federal agents?

Module 03 Computer Investigation Process

How to investigate computer crime?

Explain the importance of securing computer evidence

Discuss investigating company policy violations

What are the important things to do before the investigation?

Explain the Investigation Methodology

Is a search warrant needed for the investigation?

How can you prepare for searches?

Discuss searching without a warrant

What are Warning Banners?

How can you collect the evidence?

Discuss the Chain-of-Evidence Form

Explain Bit-stream copies

How to examine digital evidence?

Discuss an example of an access policy violation case

List the important steps in a computer forensic investigation

Give a brief overview of the investigation process

o Explain policy and procedure development

o Describe the following evidence assessment steps:

Case Assessment

Processing Location Assessment

Legal Considerations

Evidence Assessment

o How to acquire evidence?

Explain Imaging

Describe write protection

How to acquire the subject evidence?

o Explain in brief about evidence examination

How can you extract evidence physically?

How can you extract evidence logically?

Describe the following analysis over extracted data

Timeframe analysis

Data hiding analysis

Application and file analysis

Describe ownership and possession

o Explain documenting and reporting of evidence

What should be in the final report?

o When to close the case?

What are important factors to maintain professional conduct?

Module 04 First Responder Procedure

Define Electronic Evidence

o Explain the forensic process

o Describe different types of Electronic Devices

o Discuss electronic devices and collecting potential evidence

o Summarize the features and basic attributes of evidence collecting tools and equipment

Describe the First Response Rule

Explain Incident Response for the following situations:

o First Response for System Administrators

o First Response by Non-Laboratory Staff

o First Response by Laboratory Forensic Staff

How can you secure and evaluate an electronic crime scene?

Which questions should be asked of a client?

Discuss health and safety Issues

Explain Consent

Give a brief overview of Search and Seizure

o How do you plan a search and seizure?

o How to start the initial search of the scene?

o Discuss the importance of witness signatures

o Give an overview of conducting preliminary interviews

Discuss the initial interviews

o Why must the electronic crime scene be documented?

o What is the importance of photographing the scene?

o Describe sketching of the scene

o Discuss collecting and preserving electronic evidence

What important data is recorded on an evidence bag?

Explain order of volatility

Discuss computers that are powered OFF at seizure time

Describe the handling of a PC that is powered ON

Explain the role of computers and servers

Which devices should be collected and preserved as electronic evidence?

What is the approach to seizing portable computers?

Explain packaging electronic evidence

Describe exhibit numbering

o How can you transport electronic evidence?

o How can you handle and transport the devices to forensic laboratory?

Explain ‘Chain of Custody’

Give a brief overview of forensic examination findings by crime category

Module 05 CSIRT

Define Vulnerability

Discuss vulnerability statistics

Give a brief overview of an Incident

o How to Identify an Incident?

o How to Prevent an Incident?

o What is the relationship between Incident Response, Incident Handling, and Incident Management?

o Give the checklist for Incident Response

o How can you handle incidents?

o Explain the following stages for handling incident:

Preparation

Identification

Containment

Eradication

Recovery

Follow-up

o Explain Incident Management

o Why don’t Organizations Report Computer Crimes?

o Describe estimating the cost of an Incident

o To whom should an Incident be reported?

o How to report an Incident?

o What are the different vulnerability resources?

o Explain the following categories of Incidents:

Category of Incidents: Low Level

Category of Incidents: Mid Level

Category of Incidents: High Level

Explain CSIRT in brief

o What are the goals and strategy of a CSIRT?

o Describe the CSIRT Vision

Discuss building a CSIRT Vision

o What are the motivations behind CSIRTs?

o Why an Organization needs an Incident Response Team?

o Who works in a CSIRT?

o Staffing your Computer Security Incident Response Team: What are the basic skills needed?

o Explain the team models

o What are the three categories of CSIRT Services?

o Discuss CSIRT case classification

o Explain types of Incidents and level of Support

o Describe the service attributes

o Explain Incident specific procedures

o How a CSIRT handles a case: steps

o Describe US-CERT Incident Reporting System

Discuss CSIRT Incident Report Form

Explain CERT(R) Coordination Center: Incident Reporting Form

o Give an example of a CSIRT

o Discuss the Best Practices for Creating a CSIRT

Step 1: Obtain Management Support and Buy-in

Step 2: Determine the CSIRT Development Strategic Plan

Step 3: Gather Relevant Information

Step 4: Design your CSIRT Vision

Step 5: Communicate the CSIRT Vision

Step 6: Begin CSIRT Implementation

Step 7: Announce the CSIRT

o What are the limits to effectiveness in CSIRTs?

o Give an overview of investing in Automated Response

List the World CERTs (http://www.trusted-introducer.nl/teams/country.html)

Discuss the FIRST member teams list (http://www.first.org/about/organization/teams/)

Discuss IRTs Around the World

Module 06 Computer Forensic Lab

Explain budget allocation for a Forensics Lab

List the physical location needs of a Forensic Lab

Describe the work area of a computer forensics Lab

Discuss the general configuration of a Forensic Lab

List the equipment required in a Forensics Lab

Explain the ambience of a forensics Lab

o Describe Ergonomics

What are the environmental conditions required for proper lab functioning?

What are the recommendations to avoid Eyestrain?

Discuss the structural design of the Lab

Explain the electrical needs of the lab

Give an overview of communications factors

List the basic workstation requirements in a forensic lab

Which essential hardware peripherals should be stocked as backups?

Which application and operating system inventories must be maintained?

How can you provide physical security to your forensic lab?

Explain Fire-Suppression systems

Give general recommendations for the evidence locker

What are the steps for auditing a computer forensics lab?

o Auditing a Forensics Lab

Explain the licensing requirements for a forensic lab

Summarize the features and basic attributes of the following forensic laboratory equipment:

o Paraben Forensics Hardware requirements:

Handheld First Responder Kit

Wireless StrongHold Bag

Remote Charger

Device Seizure Toolbox

Wireless StrongHold Tent

Passport StrongHold Bag

Project-a-Phone

SATA Adaptor Male/ Data cable for Nokia 7110/6210/6310/i

Lockdown

SIM Card Reader/ Sony Clie N & S Series Serial Data Cable

USB Serial DB9 Adapter

o Portable Forensic Systems and Towers:

Forensic Air-Lite VI MKII laptop

Original Forensic Tower II

Portable Forensic Systems and Towers: Portable Forensic Workhorse V

Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

Forensic Air-Lite IV MK II

Forensic Tower II

o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit

o Tableau T3u Forensic SATA Bridge Write Protection Kit

o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

o Power Supplies and Switches

o Explain the DIBS® Mobile Forensic Workstation

DIBS® Advanced Forensic Workstation

DIBS® RAID: Rapid Action Imaging Device

o Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)

List the different forensic workstations

Summarize the features and basic attributes of the LiveWire Investigator tool

What are the features of the Laboratory Imaging System?

o List the technical specifications of the Laboratory-based Imaging System

Explain Computer Forensic Labs, Inc.

o Discuss procedures at Computer Forensic Labs (CFL), Inc.

List the Data Destruction Industry Standards

Module 07 Understanding File Systems and Hard Disks

Give an overview of Disk Drives

Explain the Hard Disk in brief

o Describe types of Hard Disk Interfaces:

SCSI

IDE/EIDE

USB

ATA

Fibre Channel

o What is a Disk Platter?

Describe Tracks

Explain Track Numbering

o Describe Sectors in detail

Explain Sector Addressing

o Describe Clusters in detail

Cluster Size

What is Slack Space?

Discuss lost Clusters

o Describe Bad Sectors

o How can you calculate Disk Capacity?

o Summarize the features of the following forensic tools:

Evidor: The Evidence Collector

WinHex

Understanding File Systems

o Explain file systems in detail:

Types of File System

List the various disk file systems

List the network file systems

List the special purpose file systems

List the Linux file systems

Explain the Sun Solaris 10 File System: ZFS

List the Mac OS X file systems

List the Windows file systems

Explain CD-ROM / DVD File system

o Compare different file systems

o Explain Disk Partition

o Describe Master Boot Record

o Explain FAT

Describe the Boot Sector

o Give a brief overview of NTFS

List the NTFS system files

Explain the NTFS partition boot sector

Describe the NTFS Master File Table (MFT)

Describe the MFT metadata files

Explain NTFS Attributes

Describe NTFS Data Streams

Give an overview of NTFS Compressed Files

Explain the NTFS Encrypting File System (EFS) in brief

Discuss the EFS File Structure

Describe the EFS Recovery Key Agent

What is an EFS Key?

How can you delete NTFS files?

o What is the Registry?

How can you examine Registry data?

o Compare FAT and NTFS

o Describe Windows XP system files

o List the steps for booting Windows (XP/2003)

o Explain http://www.bootdisk.com

Module 08 Understanding Digital Media Devices

Summarize features and basic attributes of following digital storage devices:

o Magnetic Tape

o Floppy Disk

o Compact Disk

o CD-ROM

o DVD

DVD-R, DVD+R, and DVD+R(W)

DVD-RW, DVD+RW

DVD+R DL/ DVD-R DL/ DVD-RAM

HD-DVD (High Definition DVD)

o Blu-Ray

o Compare the following:

CD and DVD vs. Blu-Ray

HD-DVD and Blu-Ray

o iPod

o Zune

o Explain the different Flash Memory Cards in brief

Secure Digital (SD) Memory Card

Compact Flash (CF) Memory Card

Memory Stick (MS) Memory Card

Multi Media Memory Card (MMC)

xD-Picture Card (xD)

SmartMedia Memory (SM) Card

o USB Flash Drives

USB Flash in a Pen

Module 09 Windows, Linux and Macintosh Boot Processes

Discuss the terminology

Give a brief overview of:

o Boot Loader

o Boot Sector

o Anatomy of MBR

Explain basic system boot process

Give a brief overview of the MS-DOS Boot Process

Explain the Windows XP Boot Process in detail

Describe the Linux boot process in brief

o Describe common startup files in UNIX

o List the important directories in UNIX

o Explain the steps of the Linux Boot Process:

Step 1: The Boot Manager

Step 2: init

Step 2.1: /etc/inittab

runlevels

Step 3: Services

Step 4: More inittab

Give a brief overview of Mac OS X:

o Discuss Hidden Files in Mac OS X

o Describe booting in Mac OS X

o Explain Mac OS X Boot Options

o Write down the steps for booting Mac OS X

o How to install Mac OS X on Windows XP?

o Explain PearPC

o Describe MacQuisition Boot CD by BlackBag

o Summarize features of Macintosh Forensic Software by BlackBag

Directory Scan

FileSpy

HeaderBuilder

o Summarize the features of the following Mac OS forensics tools:

Carbon Copy Cloner (CCC)

MacDrive6

Module 10 Windows Forensics

Where can you find evidence on a Windows system?

How can you gather volatile evidence?

Summarize the features and advantages of the following Windows forensics tools:

o Give a brief overview of Helix

List the tools on the Helix CD for Windows forensics

Discuss Helix Tool: SecReport

Explain Helix Tool: Windows Forensic Toolchest (WFT)

o MD5 Generator: Chaos MD5

Describe Secure Hash Signature Generator

Explain MD5 Generator: Mat-MD5

Explain MD5 Checksum Verifier 2.1

o Pslist

o fport

o Psloggedon

What is File Slack? How can you investigate Windows File Slack?

How to examine file systems?

Discuss the built-in tool Sigverif

Discuss the Word Extractor forensic tool

How can you examine the Registry?

o Summarize the features of the following registry tools:

o Registry Viewer Tool: RegScanner

o Microsoft Security ID

Summarize features and importance of Memory Dump

o Pagefile.sys and PMDump

What is Virtual Memory?

o Discuss System Scanner

Explain Integrated Windows Forensics Software: X-Ways Forensics and its features

How can you investigate Internet traces?

Summarize the features of the following Internet tracing tools:

o Traces Viewer

o IECookiesView

o IE History Viewer

o Cache Monitor

Give an overview of investigating ADS streams

How can you create a bootable CD-ROM for Windows XP?

o Bart PE (Bart Preinstalled Environment): Screenshot

o Ultimate Boot CD-ROM

o List the tools on the Ultimate Boot CD-ROM

Module 11 Linux Forensics

Why use Linux for Forensics?

How to recognize partitions in Linux?

Explain the Linux file system

o Describe the file system

Discuss mount Command

Discuss the Boot Sequence in Linux

Explain Linux Forensics

Discuss a case example

o Explain the step-by-step approach to the case

What are the challenges in disk forensics with Linux?

Discuss the Jason Smith case

o Explain the step-by-step approach to the case

Summarize the features of the following Linux forensics tools:

o The Sleuth Kit

List the tools in The Sleuth Kit

o Autopsy

Describe evidence analysis techniques in Autopsy

o SMART for Linux

o Penguin Sleuth

List the tools included in the Penguin Sleuth Kit

o Forensix

o Maresware

List the programs in Maresware

o Captain Nemo

o The Farmer's Boot CD

Module 12 Data Acquisition and Duplication

What are the different acquisition methods?

Explain data recovery contingencies

What is the need for data duplication?

Explain the features of the MS-DOS data acquisition tool DriveSpy

Give an overview of Windows data acquisition tools

o FTK Imager

Describe data acquisition in Linux

o Explain the dd command

o How can you extract the MBR?

o Explain the netcat command

Discuss the dd command (Windows XP version)
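The dd and "extract the MBR" items above, Module 03's bit-stream copies, and the Master Boot Record items in Modules 07 and 09 describe one workflow: read the device as a raw stream, hash it while it is being read, re-hash the finished copy, then take the first 512 bytes (dd with bs=512 count=1) and read the partition table out of them. The following is an added worked example written for this outline; it is not EC-Council's or any vendor's code. The 64 KiB two-partition sample disk, the partition-type table, the file names and the helper names are constructed for the example; on a real acquisition the source would be a write-blocked device such as /dev/sdb.

```python
"""Bit-stream imaging with hash verification, then MBR extraction and parsing.

Added worked example for the CHFI outline; not EC-Council's or any vendor's
code. The sample disk is constructed in memory so this runs offline.
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
PART_ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def build_sample_disk(sectors=128):
    """Constructed evidence: MBR, a bootable FAT32 partition, a Linux partition."""
    disk = bytearray(sectors * SECTOR)
    layout = [(0x80, 0x0C, 8, 56), (0x00, 0x83, 64, 64)]  # (status, type, start LBA, count)
    for i, (status, ptype, start, count) in enumerate(layout):
        off = 446 + 16 * i                                 # partition table starts at byte 446
        disk[off:off + 16] = PART_ENTRY.pack(status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
        disk[start * SECTOR:(start + count) * SECTOR] = (b"A" if i == 0 else b"B") * (count * SECTOR)
    disk[510:512] = b"\x55\xaa"                            # boot signature
    return bytes(disk)


def _hash_stream(fin, fout=None, block_size=4096):
    md5, sha, total = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: fin.read(block_size), b""):
        md5.update(block)
        sha.update(block)
        total += len(block)
        if fout is not None:
            fout.write(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def image_device(src, dst):
    """dd-style bit-stream copy. The digests are taken from the stream as it is
    read, so they describe the source, not merely the copy."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        return _hash_stream(fin, fout)


def verify_image(dst, acquisition):
    """Re-hash the copy independently; size and both digests must match the record."""
    with open(dst, "rb") as f:
        return _hash_stream(f) == acquisition


def extract_mbr(path):
    """Equivalent of: dd if=<image> of=mbr.bin bs=512 count=1"""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr):
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not an MBR")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = PART_ENTRY.unpack_from(mbr, 446 + 16 * i)
        if ptype == 0:
            continue                                       # empty slot
        parts.append({"slot": i + 1, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "start_lba": lba, "sectors": count, "end_lba": lba + count - 1})
    return parts


def unallocated_ranges(parts, total_sectors):
    """Sector ranges no partition claims (after sector 0, the MBR): where data can hide."""
    gaps, cursor = [], 1
    for p in sorted(parts, key=lambda entry: entry["start_lba"]):
        if p["start_lba"] > cursor:
            gaps.append((cursor, p["start_lba"] - 1))
        cursor = max(cursor, p["end_lba"] + 1)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = os.path.join(tmp, "suspect.dd"), os.path.join(tmp, "evidence.dd")
        with open(src, "wb") as f:
            f.write(build_sample_disk())
        acq = image_device(src, dst)
        parts = parse_mbr(extract_mbr(dst))
        return {"acquisition": acq, "verified": verify_image(dst, acq), "partitions": parts,
                "unallocated": unallocated_ranges(parts, acq["bytes"] // SECTOR)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two details carry over to real tooling: the acquisition hash must come from the bytes as they leave the source (not from re-reading the copy), and the sectors between the MBR and the first partition (here LBA 1 to 7) belong to no file system and are a routine hiding place. The netcat variant in the outline changes only where the output stream goes; the hashing on both ends is the same.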

Summarize the features of the following data acquisition tools:

o Mount Image Pro

o Snapshot Tool

o Snapback DatArrest

o Data Acquisition Tool: SafeBack

o Hardware Tool: Image MASSter Solo-3 Forensic

o Hardware Tool: LinkMASSter-2 Forensic

o Hardware Tool: RoadMASSter-2

o Data Duplication Tool: R-drive Image

o Data Duplication Tool: DriveLook

o Data Duplication Tool: DiskExplorer

o Save-N-Sync

o Hardware Tool: ImageMASSter 6007SAS

o Hardware Tool: Disk Jockey IT

o SCSIPAK

o IBM DFSMSdss

o Tape Duplication System: QuickCopy

Module 13 Computer Forensic Tools

Part I- Software Forensics Tools

Summarize the features and advantages of the following software forensics tools:

o Visual TimeAnalyzer

o X-Ways Forensics

o Evidor

o Slack Space & Data Recovery Tools: Ontrack

o Data Recovery Tools:

Device Seizure 1.0

Forensic Sorter v2.0.1

Directory Snoop

o Permanent Deletion of Files:

PDWipe

Darik's Boot and Nuke (DBAN)

o File Integrity Checker:

FileMon

File Date Time Extractor (FDTE)

Decode - Forensic Date/Time Decoder

o Disk Imaging Tools:

Snapback Datarrest

o Partition Managers: Partimage

o Linux/Unix Tools: Ltools and Mtools

o Password Recovery Tool:

@Stake

Decryption Collection Enterprise v2.5

AIM Password Decoder

MS Access Database Password Decoder

o Internet History Viewer:

CookieView - Cookie Decoder

Cookie Viewer

Cache View

FavURLView - Favourite Viewer

NetAnalysis

o Multipurpose Tools:

Maresware

LC Technologies Software

WinHex Specialist Edition

ProDiscover DFT

o Toolkits:

NTI Tools

R-Tools-I

Datalifter

Toolkits: AccessData

FTK - Forensic Toolkit

ImageMASSter Solo and FastBloc

EnCase

o Email Recovery Tool:

E-mail Examiner

Network E-mail Examiner

o Case Agent Companion

o Chat Examiner

o Forensic Replicator

o Registry Analyzer

o ASR Data’s SMART

o Oxygen Phone Manager

o SIM Card Seizure

o Text Searcher

o Autoruns

o Autostart Viewer

o Belkasoft RemovEx

o HashDig

o Inforenz Forager

o KaZAlyser

o DiamondCS OpenPorts

o Pasco

o Patchit

o PE Explorer

o Port Explorer

o PowerGREP

o Process Explorer

o PyFLAG

o Registry Analyzing Tool: Regmon

o Reverse Engineering Compiler

o SafeBack

o TapeCat

o Vision

Part II- Hardware Forensics Tools

Summarize the features and advantages of the following hardware computer forensic tools:

o Hard Disk Write Protection Tools: NoWrite & FireWire DriveDock

o LockDown

o Write Protect Card Reader

o Drive Lock IDE

o Serial-ATA DriveLock Kit

o Wipe MASSter

o ImageMASSter Solo-3 IT

o ImageMASSter 4002i

o ImageMASSter 3002SCSI

o ImageMASSter 3004SATA

Module 14 Forensics Investigations Using EnCase

What is an Evidence File?

o Explain the evidence file format

o How can you verify file integrity?

Describe Hashing

How can you acquire an image?

Explain configuring EnCase and discuss the following:

o EnCase Options Screen

o EnCase Screens

o View Menu

o Device Tab

o Viewing Files and Folders

o Bottom Pane

Viewers in Bottom Pane

Status Bar

Explain the search capabilities of EnCase in brief

o Discuss Keywords

How to add Keywords?

How can you group keywords?

How can you add multiple Keywords?

o How to run a search?

o Discuss the Search Hits tab

Give a brief overview of Bookmarks:

o What are Bookmarks?

o How to create Bookmarks?

o Discuss adding Bookmarks

Explain the procedure for recovering deleted files/folders in a FAT partition

o How can you recover folders in NTFS?

o Explain the Master Boot Record (MBR)

o How to view Disk Geometry?

Explain the recovery of deleted partitions

Explain Hash Values in brief

o How to create Hash Sets?

o Describe MD5 Hash

o How to create a Hash?

What are Viewers?

Discuss Signature Analysis

How can you view the results?

Explain the process for copying files/folders

Describe E-mail Recovery

Discuss Reporting

Explain Boot Disks in EnCase

What are IE Cache Images?

Module 15 Recovering Deleted Files and Deleted partitions

Part I: Recovering Deleted Files

How can you delete files?

What happens when a File is Deleted in Windows?

Give a brief overview of the Recycle Bin in Windows

o Discuss the storage locations of the Recycle Bin on FAT and NTFS systems

o How does the Recycle Bin work?

o Explain a damaged or deleted INFO file

o Describe damaged files in the Recycled folder

o Give an overview of a damaged Recycle folder

How to Undelete a File?
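On FAT volumes, "deleting" a file overwrites only the first byte of its 32-byte directory entry with 0xE5 and frees the file's cluster chain in the FAT; the rest of the name, the size, the timestamps and the first cluster number stay in the directory, and that residue is what an undelete tool reads back. The following is an added worked example written for this outline, not EC-Council material. The three directory entries (a volume label, a live file and a deleted file), the 4 KiB cluster size and the helper names are constructed for the example; a real tool would read the directory bytes from an image.

```python
"""What a FAT deletion leaves behind, and how an undelete tool reads it back.

Added worked example for the CHFI outline; not EC-Council material.
The directory entries below are constructed sample data.
"""
import struct
from datetime import datetime

# 32-byte FAT short-name directory entry (FAT12/16/32 share this layout)
DIR_ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTR_VOLUME_ID, ATTR_LFN = 0x08, 0x0F
DELETED, END_OF_DIR = 0xE5, 0x00


def encode_dos_datetime(dt):
    """FAT packs dates (years since 1980, month, day) and times at 2-second resolution."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return date, time


def decode_dos_datetime(date, time):
    return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def make_entry(name, ext, attr, size, first_cluster, mtime, deleted=False):
    """Build an entry as the file system stores it (constructed sample data)."""
    date, time = encode_dos_datetime(mtime)
    raw = bytearray(DIR_ENTRY.pack(name.ljust(8).encode("ascii"), ext.ljust(3).encode("ascii"),
                                   attr, 0, 0, time, date, date,
                                   first_cluster >> 16, time, date, first_cluster & 0xFFFF, size))
    if deleted:
        raw[0] = DELETED          # deletion overwrites ONLY the first name byte
    return bytes(raw)


def parse_directory(data, cluster_size=4096):
    """Walk a directory's raw bytes; deleted entries are reported, not skipped."""
    entries = []
    for off in range(0, len(data) - len(data) % 32, 32):
        raw = data[off:off + 32]
        if raw[0] == END_OF_DIR:
            break                                            # nothing allocated beyond here
        (name, ext, attr, _, _, _, _, _, hi, wtime, wdate, lo, size) = DIR_ENTRY.unpack(raw)
        if (attr & ATTR_LFN) == ATTR_LFN or attr & ATTR_VOLUME_ID:
            continue                                         # long-name pieces, volume label
        deleted = raw[0] == DELETED
        base = name.decode("latin-1").rstrip()
        if deleted:
            base = "?" + base[1:]                            # first character is lost
        fname = base + ("." + ext.decode("latin-1").rstrip() if ext.strip() else "")
        entries.append({"name": fname, "deleted": deleted, "size": size,
                        "first_cluster": (hi << 16) | lo,
                        "modified": decode_dos_datetime(wdate, wtime),
                        "clusters": -(-size // cluster_size)})
    return entries


def undelete_plan(entry):
    """Recovery assumes the file was contiguous: the FAT chain is zeroed on delete,
    so only the first cluster and the size survive. (Windows' FAT32 driver also
    zeroes the high word of the first-cluster field, so clusters above 65535
    need further heuristics.) Returns the (first, last) cluster to copy out."""
    if not entry["deleted"] or entry["clusters"] == 0:
        return None
    return entry["first_cluster"], entry["first_cluster"] + entry["clusters"] - 1


SAMPLE_DIR = b"".join([
    make_entry("EVIDENCE", "", ATTR_VOLUME_ID, 0, 0, datetime(2007, 3, 1)),
    make_entry("REPORT", "DOC", 0x20, 10240, 5, datetime(2007, 3, 14, 9, 30, 0)),
    make_entry("SECRET", "TXT", 0x20, 700, 9, datetime(2007, 3, 15, 18, 45, 12), deleted=True),
    bytes(32),                                               # end-of-directory marker
])


if __name__ == "__main__":
    for e in parse_directory(SAMPLE_DIR):
        print(e, "->", undelete_plan(e))
```

The contiguity assumption is the weak point of every FAT undelete: if the deleted file was fragmented, the clusters after the first may belong to something else, which is why recovered files should be validated by their own headers (see the image-format examples in Module 16) rather than trusted on the directory entry alone.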

Explain Data Recovery in Linux

Summarize the features of the following deleted file recovery tools:

o Search and Recover

o Zero Assumption Digital Image Recovery

o e2Undel

o R-linux

o O&O Unerase

o Restorer 2000

o Badcopy Pro

o File Scavenger

o Mycroft V3

o PC ParaChute

o Stellar Phoenix

o Filesaver

o Virtual Lab

o Drive and Data Recovery

o Active@ UNERASER - DATA Recovery

o Restoration

o PC Inspector File Recovery

o PC Inspector Smart Recovery

o Fundelete

o RecoverPlus Pro

o OfficeFIX

o Recover My Files

o Zero Assumption Recovery

o SuperFile Recover

o IsoBuster

o CDRoller

o DiskInternals Uneraser

o DiskInternal Flash Recovery

o DiskInternals NTFS Recovery

o Recover Lost/Deleted/Corrupted files on CDs and DVDs

o Undelete

o Active@ UNDELETE

o CD Data Rescue

o File Recover

o WinUndelete

o R-Undelete

o Image Recall

o eIMAGE Recovery

o Recover4all Professional

o eData Unerase

o Easy-Undelete

o InDisk Recovery

o Repair My Excel

o Repair Microsoft Word Files

o Zip Repair

o Canon RAW File Recovery Software

Part II: Recovering Deleted Partitions

Explain the deletion of a partition

How can you delete a partition using Windows?

How can you delete a partition using the command line?

Describe the recovery of a deleted partition

Summarize the features of the following deleted partition recovery tools:

o GetDataBack

o DiskInternals Partition Recovery

o Active@ Partition Recovery

o Handy Recovery

o Acronis Recovery Expert

o Active Disk Image

o TestDisk

o Recover It All!

o Scaven

o Partition Table Doctor

o NTFS Deleted Partition Recovery

Module 16 Image Files Forensics

Define the common terminology

Give a brief overview of Image files

o What do you understand by vector images?

o Explain raster images

o Discuss Metafile Graphics

o Summarize the structure, features and basic attributes of the following Image file formats:

GIF (Graphics Interchange Format)

JPEG (Joint Photographic Experts Group)

JPEG 2000

BMP (Bitmap) File

PNG (Portable Network Graphics)

Tagged Image File Format (TIFF)

ZIP (compressed archive format)

How does file compression work?

Discuss data compression and its types

o Explain the following data compression algorithms:

Huffman Coding Algorithm

Lempel-Ziv Coding Algorithm

What is meant by Lossy Compression?

o Explain Vector Quantization

Give an overview of locating and recovering image files

What is the importance of Image file headers?

How can you repair the damaged headers?

Explain reconstruction of file fragments

Identify and discuss unknown file formats

o Summarize the features of the following tools to identify unknown file formats:

http://www.filext.com

Picture Viewer: IrfanView

Picture Viewer: ACDsee

Picture Viewer: Thumbsplus

Picture Viewer: AD

Picture Viewer: Max

FastStone Image Viewer

XnView

Faces – Sketch Software
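The header, header-repair, fragment-reconstruction and unknown-format items above (and signature analysis in Module 14) all rest on the same fact: each format begins and, for several formats, ends with fixed byte sequences, so a file can be typed, checked against its extension, repaired and carved without trusting its name. The following is an added worked example written for this outline; it is not EC-Council's or any vendor's code. The JPEG and PNG samples are minimal constructed files (the PNG has no IDAT chunk), the extension map and the "unallocated" buffer are my own, and the header-repair rules cover only JPEG and PNG.

```python
"""Identify image files by header, flag extension/signature mismatches,
repair a damaged header, and carve images out of unallocated space.

Added worked example for the CHFI outline; not EC-Council's or any vendor's
code. The sample files and the unallocated buffer are constructed.
"""
import struct
import zlib

SIGNATURES = [("GIF", b"GIF87a"), ("GIF", b"GIF89a"), ("JPEG", b"\xff\xd8\xff"),
              ("PNG", b"\x89PNG\r\n\x1a\n"), ("BMP", b"BM"),
              ("TIFF", b"II*\x00"), ("TIFF", b"MM\x00*"), ("ZIP", b"PK\x03\x04")]
FOOTERS = {"JPEG": b"\xff\xd9",                                  # EOI marker
           "PNG": b"\x00\x00\x00\x00IEND\xaeB`\x82"}             # empty IEND chunk + its CRC
EXTENSIONS = {"gif": "GIF", "jpg": "JPEG", "jpeg": "JPEG", "png": "PNG", "bmp": "BMP",
              "tif": "TIFF", "tiff": "TIFF", "zip": "ZIP", "docx": "ZIP"}


def identify(data):
    """Type from the leading bytes, ignoring whatever the file name claims."""
    for kind, magic in SIGNATURES:
        if data.startswith(magic):
            return kind
    return None


def signature_check(filename, data):
    """EnCase-style signature analysis: 'match', 'mismatch' (renamed file) or 'unknown'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual, expected = identify(data), EXTENSIONS.get(ext)
    if actual is None:
        return "unknown"
    return "match" if actual == expected else "mismatch"


def repair_header(data):
    """Rebuild a wiped or zeroed header from structure deeper in the file.
    Returns (data, kind); kind is None when nothing could be recognised."""
    kind = identify(data)
    if kind:
        return data, kind
    # JPEG: SOI (FF D8) is followed by another marker (APP0/APP1/DQT/SOF0) and the file ends with EOI
    if len(data) > 4 and data[2] == 0xFF and data[3] in (0xE0, 0xE1, 0xDB, 0xC0) \
            and data.endswith(FOOTERS["JPEG"]):
        return b"\xff\xd8" + data[2:], "JPEG"
    # PNG: the 8-byte signature is always followed by the IHDR chunk, whose length is 13
    if data[8:16] == b"\x00\x00\x00\x0dIHDR":
        return b"\x89PNG\r\n\x1a\n" + data[8:], "PNG"
    return data, None


def carve(blob):
    """Header-to-footer carving over raw bytes (unallocated space, slack, a pagefile).
    Returns [(offset, kind, bytes)] sorted by offset. Recovers contiguous files only."""
    found = []
    for kind, magic in SIGNATURES:
        footer = FOOTERS.get(kind)
        if footer is None:
            continue
        pos = 0
        while True:
            start = blob.find(magic, pos)
            if start < 0:
                break
            end = blob.find(footer, start + len(magic))
            if end < 0:
                break
            found.append((start, kind, blob[start:end + len(footer)]))
            pos = end + len(footer)
    return sorted(found, key=lambda hit: hit[0])


def _png_chunk(ctype, payload):
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


# Constructed samples: a minimal JPEG (JFIF APP0 + DQT + EOI) and a 1x1 PNG with no IDAT
JPEG_SAMPLE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xdb\x00\x43\x00" + bytes(64) + b"\xff\xd9")
PNG_SAMPLE = (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
              + _png_chunk(b"IEND", b""))
UNALLOCATED = bytes(100) + JPEG_SAMPLE + b"\xff" * 100 + PNG_SAMPLE + bytes(50)

if __name__ == "__main__":
    print(signature_check("invoice.pdf", JPEG_SAMPLE))          # a JPEG hiding behind .pdf
    print(repair_header(b"\x00\x00" + JPEG_SAMPLE[2:])[1])
    print([(off, kind, len(raw)) for off, kind, raw in carve(UNALLOCATED)])
```

Header-to-footer carving is the simplest carver and it is exactly what fails on fragmented files or on a JPEG with an embedded thumbnail (whose own EOI ends the carve early); that limitation is the reason the outline lists fragment reconstruction as a separate skill.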

Describe Steganography in image files

Define the term Steganalysis