Quick Links

CHFI Exam (312-49)

Credit Towards Certification

Computer Hacking Forensic Investigator v3

Exam Details

Number of Questions: 50

Passing Score: 70%

Test Duration: 2 Hours

Test Format: Multiple Choice

Test Delivery: Prometric Prime / Prometric APTC / VUE

Test Objectives v3

Module 01 Computer Forensics in Today's World

 Summarize the History of Forensics

 Summarize the basic concepts of Computer Forensics

o What is Computer Forensics?

o Why Computer Forensics is necessary?

o What are the different ways of Forensic Data Collection?

o Objectives of Computer Forensics

o Benefits of Forensic Readiness

o Categories of Forensics Data

 Identify Computer Forensics Flaws and Risks

 Summarize the basic concepts of Computer Facilitated Crimes

o Type of Computer Crimes

o Cyber Crime

o Modes of Attacks

o Examples of Cyber Crime

o Examples of Evidence

 Identify the Stages of Forensic Investigation in Tracking Cyber Criminals

o Key Steps in Forensics Investigations

o Rules of Computer Forensics

o Need for Forensic Investigator

o Accessing Computer Forensics Resources

 Identify the need and procedure to Maintain professional conduct

 Understand Corporate Investigations

 Define the term Digital Forensics

 Explain the term Enterprise Theory of Investigation (ETI)

 Where and when do you use Computer Forensics?

Module 02 Law and Computer Forensics

 What privacy issues are involved in investigations?

 Discuss the Fourth Amendment

 Explain about Interpol- Information Technology Crime Center

 Summarize Internet Laws and Statutes

 How the FBI Investigates Computer Crime?

o Federal Statutes Investigated by the FBI

 Explain about Scientific Working Group on Digital Evidence (SWGDE)

 Explain Federal Laws (Computer Crime)

 Summarize all the Intellectual Property Rights

 Summarize the laws about Cyber Stalking

 List all Crime Investigating Organizations

 National Infrastructure Protection Center

 Summarize the following acts and laws related to computer forensics:

o The USA Patriot Act of 2001

o The G8 Countries: Principles to Combat High-tech Crime

 The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)

o Crime Legislation of EU

o United Kingdom: Police and Justice Act 2006

o Australia: The Cybercrime Act 2001

o Belgium

o European Laws

o Austrian Laws

o Brazilian Laws

o Belgium Laws

o Canadian Laws

o France Laws

o Indian Laws

o German Laws

o Italian Laws

o Greece Laws

o Denmark Laws

o Norwegian Laws

o Netherlands Laws

 Give the brief idea about Internet Crime Schemes

o Why you should report cybercrime?

o What are the stages to report computer-related crimes?

o Which person is assigned to report the crime?

o When and How to Report an Incident?

o Who to Contact at the Law Enforcement?

o How to contact Federal Local Agents?

Module 03 Computer Investigation Process

 How to investigate computer crime?

 Explain the importance of securing computer evidence

 Discuss about investigating company policy violation

 What are the important things before the investigation?

 Explain Investigation Methodology

 Is there need of search warrant for investigation?

 How can you prepared for searches?

 Discuss about searching without warrant

 What do you mean by Warning Banners?

 How can you collect the evidence?

 Discuss Chain-of Evidence Form

 Explain Bit-stream copies

 How to examine digital evidence?

 Discuss the example of accessing policy violation case

 List down the steps important for computer forensic investigation

 Give the brief idea about investigation process

o Explain policy and procedure development

o Describe the following evidence assessment

 Case Assessment

 Processing Location Assessment

 Legal Considerations

 Evidence Assessment

o How to acquire evidence?

 Explain Imaging

 Describe write protection

 How to acquire the subject evidence?

o Explain in brief about evidence examination

 How can extract the evidence physically?

 How can you extract evidence logically?

 Describe the following analysis over extracted data

 Timeframe analysis

 Data hiding analysis

 Application and file analysis

 Describe about ownership and possession

o Explain documenting and reporting of evidence

 What should be in the final report?

o When to close the case?

 What are important factors to maintain professional conduct?

Module 04 First Responder Procedure

 Define Electronic Evidence

o Explain the forensic process

o Describe different types of Electronic Devices

o Discuss electronic devices and collecting potential evidence

o Summarize the features and basic attributes of evidence collecting tools and equipment

 Describe First Response Rule

 Explain Incident Response for following situations:

o First Response for System Administrators

o First Response by Non-Laboratory Staff

o First Response by Laboratory Forensic Staff

 How can you secure and evaluate electronic crime scene

 Which questions should be asked to a client?

 Discuss health and safety Issues

 Explain Consent

 Give the brief idea about Search and Seizure

o What is the planning for search and seizing?

o How to start initial search of the scene?

o Discuss the importance of witness signatures

o Give the overview of conducting preliminary interviews

 Discuss the initial interviews

o Is there need of documenting electronic crime scene?

o What is the importance of photographing the scene?

o Describe sketching of the scene

o Discuss about collecting and preserving electronic evidence

 What important data is present in evidence bag?

 Explain order of volatility

 Discuss about powered OFF computers at seizure time

 Describe the condition with powered ON PC

 Explain the role computers and servers

 Which devices should be collected and preserved as electronic evidence?

 What is the idea behind seizing the portable computers

 Explain packaging electronic evidences

 Describe exhibit numbering

o How can you transport electronic evidence?

o How can you handle and transport the devices to forensic laboratory?

 Explain ‘Chain of Custody’

 Give the brief overview for finding forensic examination by crime category

Module 05 CSIRT

 Define of Vulnerability

 Discuss vulnerability statistics

 Give the brief idea about an Incident

o How to Identify an Incident?

o How to Prevent an Incident?

o What is the relationship between Incident Response, Incident Handling, and Incident Management

o Give the checklist for Incident Response

o How can you handle incidents

o Explain the following stages for handling incident:

 Preparation

 Identification

 Containment

 Eradication

 Recovery

 Follow-up

o Explain Incident Management

o Why don’t Organizations Report Computer Crimes?

o Describe about estimation of Incident cost

o Whom to Report an Incident?

o How to report an Incident?

o What are the different vulnerability resources

o Explain the following category of Incidents

 Category of Incidents: Low Level

 Category of Incidents: Mid Level

 Category of Incidents: High Level

 Explain in brief about CSIRT?

o What are the goals and strategy of CSIRT?

o Describe CSIRT Vision

 Discuss building of CSIRT Vision

o Which are the motivations behind CSIRTs?

o Why an Organization needs an Incident Response Team?

o Who works in a CSIRT?

o Staffing your Computer Security Incident Response Team: What are the basic skills needed?

o Explain the team models

o What are the three categories of CSIRT Services?

o Discuss CSIRT case classification

o Explain types of Incidents and level of Support

o Describe the service attributes

o Explain Incident specific procedures

o How CSIRT handles case: Steps

o Describe US-CERT Incident Reporting System

 Discuss CSIRT Incident Report Form

 Explain CERT(R) Coordination Center: Incident Reporting Form

o Give the example of CSIRT

o Discuss the Best Practices for Creating a CSIRT

 Step 1: Obtain Management Support and Buy-in

 Step 2: Determine the CSIRT Development Strategic Plan

 Step 3: Gather Relevant Information

 Step 4: Design your CSIRT Vision

 Step 5: Communicate the CSIRT Vision

 Step 6: Begin CSIRT Implementation

 Step 7: Announce the CSIRT

o What are the limits to effectiveness in CSIRTs?

o Give the overview of investing in Automated Response

 List down the World CERTs http://www.trusted-introducer.nl/teams/country.html

 Discuss about http://www.first.org/about/organization/teams/

 Discuss IRTs Around the World

Module 06 Computer Forensic Lab

 Explain budget allocation for a Forensics Lab

 List down the physical location needs for a Forensic Lab

 Describe about work area of a computer forensics Lab

 Discuss about general configuration of a Forensic Lab

 List down the equipment required in a Forensics Lab

 Explains ambience of a forensics Lab

o Describe Ergonomics

 What are the environmental conditions required for proper lab functioning?

 What are the recommendations to avoid Eyestrain?

 Discuss about the structural design of Lab

 Explain about the electrical needs to lab

 Give overview for communications factors

 List down the basic workstation requirements in a forensic lab

 What are the essential hardware peripherals should be stocked as a back-up?

 Which are the Application Inventories and Operating System must be maintained?

 How can you provide physical security to your forensic lab?

 Explain Fire-Suppression systems

 Give the general recommendation for evidence locker

 What are the steps for auditing a computer forensics lab

o Auditing a Forensics Lab

 Explain the licensing requirements for forensic lab

 Summarize the features and basic attributes of following forensic laboratory requirements:

o Paraben Forensics Hardware requirements:

 Handheld First Responder Kit

 Wireless StrongHold Bag

 Remote Charger

 Device Seizure Toolbox

 Wireless StrongHold Tent

 Passport StrongHold Bag

 Project-a-Phone

 SATA Adaptor Male/ Data cable for Nokia 7110/6210/6310/i

 Lockdown

 SIM Card Reader/ Sony Clie N & S Series Serial Data Cable

 USB Serial DB9 Adapter

o Portable Forensic Systems and Towers:

 Forensic Air-Lite VI MKII laptop

 Original Forensic Tower II

 Portable Forensic Systems and Towers: Portable Forensic Workhorse V

 Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

 Forensic Air-Lite IV MK II

 Forensic Tower II

o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit

o Tableau T3u Forensic SATA Bridge Write Protection Kit

o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

o Power Supplies and Switches

o Explain DIBS® Mobile Forensic Workstation

 DIBS® Advanced Forensic Workstation

 DIBS® RAID: Rapid Action Imaging Device

o Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)

 List down the different forensic workstations

 Summarize the features and basic attributes of LiveWire Investigator tool

 What are the features of Laboratory Imaging System?

o List down technical specification of the Laboratory-based Imaging System

 Explain about the Computer Forensic Labs, Inc

o Discuss procedures at Computer Forensic Labs (CFL), Inc

 List down Data Destruction Industry Standards

Module 07 Understanding File Systems and Hard Disks

 Give the overview of Disk Drive

 Explain in brief about Hard Disk

o Describe types of Hard Disk Interfaces:

 SCSI

 IDE/EIDE

 USB

 ATA

 Fibre Channel

o What is Disk Platter?

 Describe Tracks

 Explain Tracks Numbering

o Give detail idea about Sector

 Explain Sector Addressing

o Describe in details Cluster?

 Cluster Size

 What is Slack Space?

 Discuss about lost Clusters

o Write more about Bad Sector

o How can you calculate Disk Capacity?

o Summarize the features of following forensic tools:

 Evidor: The Evidence Collector

 WinHex

 Understanding File Systems

o Explain in details about file system:

 Types of File System

 List down the various disk file systems

 List down Network file systems

 List down special purpose file systems

 List down the Linux file systems?

 Explain Sun Solaris 10 File System: ZFS

 List down the Mac OS X File System

 List down Windows File systems

 Explain CD-ROM / DVD File system

o Compare different file systems

o Explain Disk Partition

o Describe Master Boot Record

o Explain more about FAT

 Describe Boot Sector

o Give the brief idea about NTFS

 List down different NTFS System Files

 Explain NTFS partition boot sector

 Describe NTFS Master File Table (MFT)

 Write down about Metadata File Table

 Explain NTFS Attributes

 Give an idea about NTFS Data Stream-I

 Give the overview of NTFS Compressed Files

 Explain in brief about NTFS Encrypted File Systems (EFS)

 Discuss EFS File Structure

 Describe EFS Recovery Key Agent

 What is EFS Key?

 How can you delete NTFS Files?

o What is Registry?

 How can you examine Registry Data

o Compare FAT and NTFS

o Describe Windows XP system files

o Write down the steps for booting Windows (XP/2003)

o Explain http://www.bootdisk.com

Module 08 Understanding Digital Media Devices

 Summarize features and basic attributes of following digital storage devices:

o Magnetic Tape

o Floppy Disk

o Compact Disk

o CD-ROM

o DVD

 DVD-R, DVD+R, and DVD+R(W)

 DVD-RW, DVD+RW

 DVD+R DL/ DVD-R DL/ DVD-RAM

 HD-DVD (High Definition DVD)

 HD-DVD

o Blu-Ray

o Compare the following:

 CD and DVD Vs Blu-Ray

 HD-DVD and Blu-Ray

o iPod

o Zune

o Explain in brief about different Flash Memory Cards

 Secure Digital (SD) Memory Card

 Compact Flash (CF) Memory Card

 Memory Stick (MS) Memory Card

 Multi Media Memory Card (MMC)

 xD-Picture Card (xD)

 SmartMedia Memory (SM) Card

o USB Flash Drives

 USB Flash in a Pen

Module 09 Windows, Linux and Macintosh Boot Processes

 Discuss the different terminologies

 Give the brief idea about:

o Boot Loader

o Boot Sector

o Anatomy of MBR

 Explain basic system boot process

 Give the brief idea about MS-DOS Boot Process

 Explain in details Windows XP Boot Process

 Describe in brief Linux boot process

o Write down about common startup files in UNIX

o List down important directories present in UNIX

o Explain steps for Linux Boot Process:

 Step 1: The Boot Manager

 Step 2: init

 Step 2.1: /etc/inittab

 runlevels

 Step 3: Services

 Step 4: More inittab

 Give brief idea about Mac OS X:

o Discuss Hidden Files in Mac OS X

o Describe booting in Mac OS X

o Explain Mac OS X Boot Options

o Write down the steps for booting Mac OS X

o How to install Mac OS X on Windows XP?

o Explain PearPC

o Describe MacQuisition Boot CD by BlackBag

o Summarize features of Macintosh Forensic Software by BlackBag

 Directory Scan

 FileSpy

 HeaderBuilder

o Summarize the features of following Mac OS forensics tools:

 Carbon Copy Cloner (CCC)

 MacDrive6

Module 10 Windows Forensics

 Where you can find the evidence on a Windows system?

 How can you gathering volatile evidence?

 Summarize the features and advantages of Windows forensics tools:

o Give brief idea about Helix

 List down the tools present in Helix CD for Windows forensics

 Discuss Helix Tool: SecReport

 Explain Helix Tool: Windows Forensic Toolchest (WFT)

o MD5 Generator: Chaos MD5

 Describe Secure Hash Signature Generator

 Explain MD5 Generator: Mat-MD5

 Explain MD5 Checksum Verifier 2.1

o Pslist

o fport

o Psloggedon

 What is File Slack? How can you investigate Windows File Slack?

 How to examine file systems?

 Discuss about built-in tool: Sigverif

 Discuss the Word Extractor forensic tool

 How can you check Registry?

o Summarize features of following registry tools:

o Registry Viewer Tool: RegScanner

o Microsoft Security ID

 Summarize features and importance of Memory Dump

o Pagefile.sys and PMDump

 What is Virtual Memory?

o Discuss System Scanner

 Explain Integrated Windows Forensics Software: X-Ways Forensics and its features

 How can you investigate Internet Traces

 Summarize the features of following Internet tracing tools:

o Traces Viewer

o IECookiesView

o IE History Viewer

o Cache Monitor

 Give overview about Investigating ADS Streams

 How can you create CD-ROM Bootable for Windows XP

o Bart PE (Bart Preinstalled Environment): Screenshot

o Ultimate Boot CD-ROM

o List down the tools present in UB CD-ROM

Module 11 Linux Forensics

 Why use Linux for Forensics?

 How to recognize partitions in Linux?

 Explain file system in Linux

o Describe file system

 Discuss mount Command

 Discuss the Boot Sequence in Linux

 Explain Linux Forensics

 Discuss case example

o Explain Step-by-step approach to case

 What are the challenges in disk forensics with Linux

 Discuss Jason Smith Case

o Explain Step-by-step approach to case

 Summarize the features of following Linux forensics tools:

o The Sleuth Kit

 List down the tools present in “The Sleuth Kit”

o Autopsy

 Describe evidence analysis techniques in Autopsy

o SMART for Linux

o Penguin Sleuth

 List down the tools included in Penguin Sleuth Kit

o Forensix

o Maresware

 List down the various programs present in Maresware

o Captain Nemo

o THE FARMER'S BOOT CD

Module 12 Data Acquisition and Duplication

 What are the different acquisition methods?

 Explain data recovery contingencies

 What is the need of data duplication?

 Explain features of MS-DOS Data Acquisition tool: DriveSpy

 Give the overview of Windows Data Acquisition tools

o FTK Imager

 Describe data acquiring in Linux

o Explain Dd Command

o How can you extract the MBR?

o Explain Netcat Command

 Discuss dd Command (Windows XP Version)

 Summarize the features of following data acquisition tools:

o Mount Image Pro

o Snapshot Tool

o Snapback DatArrest

o Data Acquisition Tool: SafeBack

o Hardware Tool: Image MASSter Solo-3 Forensic

o Hardware Tool: LinkMASSter-2 Forensic

o Hardware Tool: RoadMASSter-2

o Data Duplication Tool: R-drive Image

o Data Duplication Tool: DriveLook

o Data Duplication Tool: DiskExplorer

o Save-N-Sync

o Hardware Tool: ImageMASSter 6007SAS

o Hardware Tool: Disk Jockey IT

o SCSIPAK

o IBM DFSMSdss

o Tape Duplication System: QuickCopy

Module 13 Computer Forensic Tools

Part I- Software Forensics Tools

 Summarize the features and advantages of following software forensics tools:

o Visual TimeAnalyzer

o X-Ways Forensics

o Evidor

o Slack Space & Data Recovery Tools: Ontrack

o Data Recovery Tools:

 Device Seizure 1.0

 Forensic Sorter v2.0.1

 Directory Snoop

o Permanent Deletion of Files:

 PDWipe

 Darik's Boot and Nuke (DBAN)

o File Integrity Checker:

 FileMon

 File Date Time Extractor (FDTE)

 Decode - Forensic Date/Time Decoder

o Disk Imaging Tools:

 Snapback Datarrest

o Partition Managers: Partimage

o Linux/Unix Tools: Ltools and Mtools

o Password Recovery Tool:

 @Stake

 Decryption Collection Enterprise v2.5

 AIM Password Decoder

 MS Access Database Password Decoder

o Internet History Viewer:

 CookieView - Cookie Decoder

 Cookie Viewer

 Cache View

 FavURLView - Favourite Viewer

 NetAnalysis

o Multipurpose Tools:

 Maresware

 LC Technologies Software

 Winhex Specialist Edition

 Prodiscover DFT

o Toolkits:

 NTI Tools

 R-Tools-I

 Datalifter

 Toolkits: Accessdata

 FTK- Forensic Toolkit

 Image Master Solo and Fastbloc

 Encase

o Email Recovery Tool:

 E-mail Examiner

 Network E-mail Examiner

o Case Agent Companion

o Chat Examiner

o Forensic Replicator

o Registry Analyzer

o ASR Data’s SMART

o Oxygen Phone Manager

o SIM Card Seizure

o Text Searcher

o Autoruns

o Autostart Viewer

o Belkasoft RemovEx

o HashDig

o Inforenz Forager

o KaZAlyser

o DiamondCS OpenPorts

o Pasco

o Patchit

o PE Explorer

o Port Explorer

o PowerGREP

o Process Explorer

o PyFLAG

o Registry Analyzing Tool: Regmon

o Reverse Engineering Compiler

o SafeBack

o TapeCat

o Vision

Part II- Hardware Forensics Tools

 Summarize the features and advantages of following hardware computer forensic tools:

o Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock

o LockDown

o Write Protect Card Reader

o Drive Lock IDE

o Serial-ATA DriveLock Kit

o Wipe MASSter

o ImageMASSter Solo-3 IT

o ImageMASSter 4002i

o ImageMasster 3002SCSI

o Image MASSter 3004SATA

Module 14 Forensics Investigations Using Encase

 What is Evidence File

o Explain evidence file format

o How can you verifying file integrity

 Describe Hashing

 How can you acquiring image?

 Explain configuring of Encase and discuss following:

o Encase Options Screen

o Encase Screens

o View Menu

o Device Tab

o Viewing Files and Folders

o Bottom Pane

 Viewers in Bottom Pane

 Status Bar

 Explain in brief about searching ability of Encase

o Discuss about Keywords

 How to add Keywords?

 How can you group keywords?

 How can you add multiple Keywords?

o How to do Search?

o Discuss Search Hits tab

 Give the brief idea about Bookmark:

o What is Bookmarks?

o How to create Bookmarks?

o Discuss about adding Bookmarks

 Explain the procedure for recovering Deleted Files/folders in FAT Partition

o How can you recover folders in NTFS?

o Explain Master Boot Record(MBT)

o How to view Disk Geometry?

 Explain the recovery of deleted partitions

 Explain in brief about Hash Values?

o How to create Hash Sets

o Describe MD5 Hash

o How to create Hash?

 What do you mean by Viewers?

 Discuss Signature Analysis

 How can you view the results?

 Explain the process for copying files/folders

 Describe E-mail Recovery

 Discuss Reporting

 Explain Boot Disks in Encase

 What is IE Cache Images?

Module 15 Recovering Deleted Files and Deleted partitions

Part I: Recovering Deleted Files

 How can you delete the files?

 What happens when a File is Deleted in Windows?

 Give the brief idea about Recycle Bin in Windows

o Discuss the storage locations of Recycle Bin in FAT and NTFS system

o How The Recycle Bin Works?

o Explain damaged or deleted INFO File

o Describe damaged files in Recycled folder

o Give the overview of damaged Recycle folder

 How to Undelete a File?

 Explain Data Recovery in Linux

 Summarize the features of following deleted files recovery tools:

o Search and Recover

o Zero Assumption Digital Image Recovery

o e2Undel

o R-linux

o O&O Unerase

o Restorer 2000

o Badcopy Pro

o File Scavenger

o Mycroft V3

o PC ParaChute

o Stellar Phoenix

o Filesaver

o Virtual Lab

o Drive and Data Recovery

o Active@ UNERASER - DATA Recovery

o Restoration

o PC Inspector File Recovery

o PC Inspector Smart Recovery

o Fundelete

o RecoverPlus Pro

o OfficeFIX

o Recover My Files

o Zero Assumption Recovery

o SuperFile Recover

o IsoBuster

o CDRoller

o DiskInternals Uneraser

o DiskInternal Flash Recovery

o DiskInternals NTFS Recovery

o Recover Lost/Deleted/Corrupted files on CDs and DVDs

o Undelete

o Active@ UNDELETE

o CD Data Rescue

o File Recover

o WinUndelete

o R-Undelete

o Image Recall

o eIMAGE Recovery

o File Scavenger

o Recover4all Professional

o eData Unerase

o Easy-Undelete

o InDisk Recovery

o Repair My Excel

o Repair Microsoft Word Files

o Zip Repair

o Canon RAW File Recovery Software

Part II: Recovering Deleted Partitions

 Explain deletion of partition

 How can you delete partition using Windows

 How can you delete partition using command line

 Describe recovery of deleted partition

 Summarize the features of following deleted partition recovery tools:

o GetDataBack

o DiskInternals Partition Recovery

o Active@ Partition Recovery

o Handy Recovery

o Acronis Recovery Expert

o Active Disk Image

o TestDisk

o Recover It All!

o Scaven

o Partition Table Doctor

o NTFS Deleted Partition Recovery

Module 16 Image Files Forensics

 Define the common terminologies

 Give the brief idea about Image files

o What do you understand by vector images?

o Explain raster images?

o Discuss Metafile Graphics

o Summarize the structure, features and basic attributes of following Image file formats:

 GIF (Graphics Interchange Format)

 JPEG (Joint Photographic Experts Group)

 JPEG 2000

 BMP (Bitmap) File

 PNG (Portable Network Graphics)

 Tagged Image File Format (TIFF)

 ZIP (Zone Information Protocol)

 How file compression works?

 Discuss data compression and its types

o Explain following data compression algorithms:

 Huffman Coding Algorithm

 Lempel-Ziv Coding Algorithm

 What is mean Lossy Compression

o Explain Vector Quantization

 Give the overview about locating and recovering image files

 What is the importance of Image file headers?

 How can you repair the damaged headers?

 Explain reconstruction of file fragments

 Identify and discuss unknown file formats

o Summarize the features of following tools to identify unknown file formats:

 http://www.filext.com

 Picture Viewer: Ifran View

 Picture Viewer: ACDsee

 Picture Viewer: Thumbsplus

 Picture Viewer: AD

 Picture Viewer: Max

 FastStone Image Viewer

 XnView

 Faces – Sketch Software

 Describe Steganography in image files

 Define the term Steganalysis

o Summarize the features of following steganalysis tools:

 Steganalysis Tool: Hex Workshop

 Steganalysis Tool: S-tools

 Steganalysis Tool: Stegdetect

 Summarize the features and advantages of following Image File Forensic tools:

o GFE Stealth (Graphics File Extractor)

o Tool: ILook v8

o Tool: P2 eXplorer

 Explain the copyright issues on graphics

Module 17 Steganography

 What do mean by Steganography?

 Discuss the history of Steganography

 Explain evolution of Steganography

 How the Steganography is classified?

 Is the Steganography and Cryptography are same terms?

 Explain the model of Stegosystem and Cryptosystem

 Give the brief idea about Image Steganography

o Explain different Steganography techniques?

 Least Significant Bit Insertion in Image Files

 Masking and Filtering on Image Files

 Algorithms and Transformation

 Write in short about Stego-Forensics

o Describe the important terms in Stego-Forensics?

o What are the different categories of Steganography in forensics?

 Explain in brief the concept of Watermarking

o What is Watermarking?

o Compare Steganography and Watermarking

o How the Watermarking can be classified?

o Describe the various attacks on Watermarking

o List down the applications of Watermarking?

o Explain Digimarc's Digital Watermarking

o Discuss the Mosaic Attack on watermarking

 Mosaic Attack – Javascript code

 Give the overview of 2Mosaic – Watermark breaking Tool

 Define Steganalysis

o Explain Steganalysis Methods/Attacks on Steganography

 List down the real world uses of Steganography?

 Discuss about Steganography in the future

 Where the Steganography can be used unethically?

 Describe information hiding in audio files:

o Low-bit Encoding

o Phase Coding

o Spread Spectrum

o Echo Data Hiding

 Explain information hiding in DNA

 Give the overview of TEMPSET

 Describe the concept of Van Eck phreaking

 What do you mean by Printer Forensics?

o Is Your Printer Spying On You?

o Explain DocuColor Tracking Dot Decoding

 Summarize the features and uses of following Steganography tools:

o Fort Knox

o Blindside

o S- Tools

o Steghide

o Image Hide

o Mp3Stego

o Snow

o Camera/Shy

o Steganos

o Pretty Good Envelop

o Gifshuffle

o Refugee

o JPHIDE and JPSEEK

o wbStego

o OutGuess

o Invisible Secrets 4

o Masker

o Data Stash

o Hydan

o Cloak

o StegaNote

o Stegomagic

o Hermetic Stego

 List down the application of Steganography

 How to Detect Steganography?

o Explain Steganography detection

o Summarize the features of following Steganography detection tools:

 Stego Suite

 Stego Watch

 StegSpy　

Module: 18 Application Password Crackers

 Describe the terminology of Password

 What is a Password Cracker?

 How Does a Password Cracker Work?

 Summarize the various password cracking methods:

o Brute Force Attack

o Dictionary Attack

o Syllable Attack

o Rule-based Attack

o Hybrid Attack

o Password Guessing

o Rainbow Attack

 How can you classify the cracking software?

o Explain System Level Password Cracking

o Describe CMOS Level Password Cracking

 Summarize the features of following tools:

 CmosPwd

 ERD Commander

 Active Password Changer

o Explain application software password cracker

o What is Distributed Network Attack (DNA)?

o Discuss Passware Kit

o Explain Accent Keyword Extractor

o Give the overview of advanced zip password recovery

 Explain default password database and summarize the features of following default password database organizations

o http://phenoelit.darklab.org/

o http://www.defaultpassword.com/

o http://www.cirt.net/cgi-bin/passwd.pl

o http://www.virus.org/index.php?

 Summarize the features of Pdf Password Crackers

 Summarize the features and advantages of following password cracking tools:

o Tool: Cain & Abel

o Tool: LCP

o Tool: SID&User

o Tool: Ophcrack 2

o Tool: John the Ripper

o Tool: DJohn

o Tool: Crack

o Tool: Brutus

o Tool: Access PassView

o Tool: RockXP

o Tool: Magical Jelly Bean Keyfinder

o Tool: PstPassword

o Tool: Protected Storage PassView

o Tool: Network Password Recovery

o Tool: Mail PassView

o Tool: Asterisk Key

o Tool: Messenger Key

o Tool: MessenPass

o Tool: Password Spectator Pro

o Tool: SniffPass

o Tool: Asterisk Logger

o Tool: Dialupass

o Tool: Mail Password Recovery

o Tool: Database Password Sleuth

o Tool: CHAOS Generator

o Tool: PicoZip Recovery

o Tool: Netscapass

 What are the common recommendations for improving password security?

 Discuss some advices for standard password

Module 19 Network Forensics and Investigating Logs

 Define Network Forensics in brief

o Discuss the Hacking Process

o Discuss the Intrusion Process

 Where to look for evidences?

 Describe End-to End forensic investigation

 Is a log file act as evidence?

 Describe records of regularly conducted activity

 Explain the legality of using logs

 What is the importance of maintaining credible IIS Log files?

 Discuss the accuracy of Log File

 What do you mean by Log Everything?

 Explain the importance of keeping time in network forensics

o UTC Time

 Can you use multiple logs as evidence?

 Give the overview about authenticity of Log File

 What do you mean by work with copies?

 Describe the access control of log files

 Explain Chain of Custody

 Explain the importance of Audit Logs

o Give the brief idea about Syslog:

 What is Syslog?

 Describe Remote Logging

 Write down about Central Logging Design

 List down the steps to implement Central Logging

 Give an idea of Centralized Syslog Server

 Discuss the features and working Syslog-ng: Security Tool

o Give the overview IIS Centralized Binary Logging

o Explain ODBC Logging

o Summarize the features of following log analysis tools:

 IISLogger: Development tool

 Socklog: IDS Log Analysis Tool

 KiwiSysLog Tool

 Microsoft Log Parser: Forensic Analysis Tool

 Firewall Analyzer: Log Analysis Tool

 Adaptive Security Analyzer (ASA) Pro: Log Analysis Tool

 GFI EventsManager

 How does GFI EventsManager work?

o Describe the functioning of Activeworx Security Center

 Explain Linux Process Accounting

 Give the idea about configuring Windows Logging

o How to set up Remote Logging in Windows?

o Summarize the features of following Windows centralized logging tools:

o Ntsyslog

o Eventreporter

 Discuss the features and working of EventLog Analyzer

 Explain extended logging in IIS server

 Give the overview of examining Intrusion and Security Events

 Why Synchronize Computer Times?

 What is NTP Protocol?

o Describe NTP Stratum Levels

 List down the various NIST Time Servers

 Write down the steps for configuring Windows Time Service　

Module 20 Investigating Network Traffic

 Describe network addressing schemes

 Give the overview of Network Protocols

 Give the brief idea about Physical and Data-link Layer of the OSI Model

o How can you gather evidence at the Physical Layer?

o Summarize the features and advantages of following evidence gathering tools:

 Tcpdump

 Windump

 NetIntercept

 Ethereal

 CommView

 Softperfect Network Sniffer

 HTTP Sniffer

 EtherDetect Packet Sniffer

 OmniPeek

 Iris Network Traffic Analyzer

 SmartSniff

 NetSetMan Tool

o How can you gather evidences at the Data-link Layer

 Explain the evidence gathering at Data-link Layer using DHCP database

 Give the brief idea about Network and Transport Layer of the OSI Model

o How can you gather evidences at Network and Transport Layer?

o Describe the evidence gathering on a Network

 Write down the features of GPRS Network Sniffer: Nokia LIG

 Summarize the features, working and goals of Siemens Monitoring Center

 Summarize the features and advantages of following network information gathering tools:

o NetWitness

o Netresident Tool

o McAffee Infinistream Security Forensics

o eTrust Network Forensics

o Give the brief idea about snort intrusion detection system

 Explain placement of Snort IDS

 Describe IDS Policy Manager for writing snort rules(http://www.activeworx.org)

 How to write the documents over evidences gathered on a Network?

 Describe the evidence reconstruction for investigation　

Module 21 Investigating Wireless Attacks

 Describe the association of Wireless AP and Device

 Explain search warrant for Wireless Networks

 List down the points to remember while conducting a penetration test

 Write down the points that should not be overlooked while testing the Wireless Network

 Discuss the methods to access a Wireless Access Point

o Direct-connect to the Wireless Access Point

 Describe the features of Nmap

 How can you scan Wireless Access Points using Nmap?

 Explain Rogue Access Point

o “Sniffing” Traffic Between the Access Point and Associated Devices

 How can you scan using Airodump?

 How do you collect information using MAC Address?

 List down the points that are to be remembered during Airodump scanning

 Write down for additional devices

o How can you reconnect associated devices?

 How can you check for MAC filtering?

o Can you change the MAC Address?

 Explain Passive Attack

 Describe Active Attacks on Wireless Networks

 How can you investigate Wireless Attacks?　

Module 22 Investigating Web Attacks

 What are the different indications of Web Attack?

 Summarize the different types of web attacks and procedure to investigate them:

o Cross-Site Scripting (XSS)

 How to investigate Cross-Site Scripting (XSS)?

o Cross-Site Request Forgery (CSRF)

 Explain the anatomy of CSRF Attack

 Write down the pen-testing of CSRF Validation Fields

o SQL Injection Attacks

 How to investigate SQL Injection Attack?

o Code Injection Attack

 How to investigate Code Injection Attack?

o Command Injection Attack

o Parameter Tampering

o Cookie Poisoning

 How to investigate Cookie Poisoning Attack?

o Buffer Overflow/Cookie Snooping

 How to investigate Buffer Overflow attack?

o DMZ Protocol Attack, Zero Day Attack

 Write down the steps for responding to a Web Attack

 Describe the Web Logs

 Give the brief idea about FTP investigation:

o Example of FTP Compromise

o How to investigate FTP Logs?

o Write down about investigation of FTP Servers

 How to investigate the following:

o Investigating IIS Logs

o Investigating Apache Logs

o Investigating DHCP Server Logfile

 Describe Mirrored Sites

 Summarize the features of following web vulnerability scanner:

o N-Stealth

o Acunetix Web Vulnerability Scanner

 Write in brief about investigation of Static and Dynamic IP address

o Summarize the features and uses of IP address locating tools:

 Nslookup

 Traceroute

 NeoTrace (Now McAfee Visual Trace)

 Whois

 Hide Real IP

 www.whatismyip.com

 IP Detective Suite

 Enterprise IP – Address Manager

 Explain web page defacement

o Describe the defacement using DNS compromise

o How to investigate DNS Poisoning

 Describe Intrusion Detection

 Summarize the features and benefits of CounterStorm-1: Defense against Known, Zero Day and Targeted Attacks　

Module 23 Router Forensics

 Give brief idea about router:

o What is a Router?

o Explain the functioning of a Router

o Describe the role of router in an OSI Model

o Explain the routing table and its components

o Write in short about router architecture

o Discuss the role of Routing Information Protocol(RIP)

 Explain the implications of a Router Attack

 How the routers can be hacked?

 Describe the various types of Router Attacks:

o Router Attack Topology

o Denial of Service(DoS) Attacks

o Packet “Mistreating” Attacks

o Routing Table Poisoning

o Compare Hit-and-run Attacks and Persistent Attacks

 Compare Router Forensics and Traditional Forensics

 Give the brief idea about investigation of Routers

o What is mean by Chain of Custody?

 Sample Chain Of Custody (COC) Form

o Explain the Incident Response

o How can you recording your session?

o What precaution should be taken while accessing the Router?

o Describe volatile evidence gathering

 Write down the steps for investigating Router

 What is the importance of Router Logs?

 Summarize the features and uses of the following router logs:

 NETGEAR Router Logs

 Link Logger

 Write down the features and uses of Sawmill: Linksys Router Log Analyzer

o How can you analyze the intrusion?

 Describe the various types of Logging

 Explain incident forensics

o How can you handle a direct compromise incident?

o Write in short about other incidents

 Describe Real Time Forensics

 Summarize the features and uses of Router Audit Tool (RAT)

Module 24 Investigating DoS Attacks

 Define DoS Attacks

 Summarize the different types of DoS Attacks:

o Ping of Death Attack

o Teardrop Attack

o SYN Flooding

o Land

o Smurf

o Fraggle

o Snork

o WINDOWS OUT-OF-BAND (OOB) Attack

 Give the brief idea about DDoS Attack

o Explain the working of DDoS Attacks (FIG)

o Describe the classification of DDoS Attack

 Describe the different DoS Attack modes?

 What are the indications of a DoS/DDoS Attack?

 Summarize the working of different techniques to detect DoS Attack:

o Activity Profiling

o Sequential Change-Point Detection

o Wavelet-based Signal Analysis

 Discuss the challenges in detection of DoS attack

Module 25 Investigating Internet Crimes

 Define Internet Crimes

 What is mean by Internet Forensics?

o Why Internet Forensics?

 Describe about IP Address

 Give brief idea about Domain Name System (DNS)

o Explain DNS Record manipulation

o Write down about DNS Lookup

 What type of information E-mail headers provide?

o Explain the procedure for Email headers forging

o How can you trace back spam mails?

 Give an idea about witch URL redirection:

o Sample Javascript for Page-based Redirection

o Embedded JavaScript

 How can you recover information from Web Pages

o How can you download a Single Page or an Entire Web Site

o Summarize the features and uses of following tools which are used to save an entire web sites:

 Grab-a-Site

 SurfOffline 1.4

 My Offline Browser 1.0 www.newprosoft.com

 WayBack Machine

 Explain in brief about HTTP Headers

o How can you view the header information?

 What type of information you examine in cookies?

o Write down the steps to view cookies in Firefox

 How can you trace the geographical location of a URL?

o DNS Lookup Result: centralops.net

 Summarize the features and advantages of following tools:

o NetScanTools Pro

o Tool: Privoxy http://www.privoxy.org/　

Module 26 Tracking E-mails and Investigating E-mail Crimes

 Explain about the roles of the Client and Server in E-mail:

o How the E-mail client works?

o How the E-mail Server works?

o Describe the real E-mail system

 Give the brief idea about E-mail Crimes:

o What is mean by Spamming?

o Explain the term Mail Bombing/Mail Storm

o What happens in Chat Rooms?

o Describe Identity Fraud/Chain Letter

o Discuss about Sending fakemail

 Write in brief about investigating E-mail Crime and Violation:

o Describe viewing E-mail Headers

 How can you examine an E-mail Header?

 Describe the following:

o Received: Headers

o Forging Headers

 List down the different common headers

 How can you view the header in Microsoft Outlook?

 How can you view the header in AOL?

 How can you view the header in Hotmail?

 Explain examining of additional files (.pst or .ost files)

 Describe Microsoft Outlook Mail

 Where is the Pst File located?

 List down the organizations to trace an E-mail Message

 How can you trace the e-mail message using Network Logs (Firewall Log)?

 Summarize the features and functions of following E-mail tracking tools:

o Exchange Message Tracking Center

o MailDetective Tool

 Summarize the features and functions of following E-mail Forensic Tools:

o Forensic ToolKit (FTK)

o Tool:FINALeMAIL

o Tool: R-Mail

o Tool: E-Mail Detective

o E-Mail Examiner by Paraben

o Network E-Mail Examiner by Paraben

o Recover My Email for Outlook

o Diskinternals – Outlook Recovery

 Explain the e-mail tracing back

o How can you trace back web based E-mail?

 List down the various organizations that provide E-mail searching services

o How can you handle the Spam?

o Summarize the goals and working of Abuse.Net

 Summarize the features and functions of following tools:

o eMailTrackerPro

o Tool: SPAM Punisher

o Tool: SpamArrest

o Tool: ID Protect - www.enom.com

 Summarize the following laws and Acts related to E-mail crime:

o U.S. Laws Against Email Crime: CAN-SPAM Act

o U.S.C. § 2252A

o U.S.C. § 2252B

o Email crime law in Washington: RCW 19.190.020 　

Module 27 Investigating Corporate Espionage

 Define the Corporate Espionage

 Explain the motives behind Corporate Espionage

 What type of information that corporate spies seek?

 Describe the Corporate Espionage threats.

 Summarize the various techniques of Spying

 Discuss the various techniques to secure from corporate Spying

 Explain Netspionage

 How to investigate corporate espionage cases?

 Summarize the features and functions of following tools:

o Employee Monitoring: Activity Monitor

o Spy Tool: SpyBuddy　

Module 28 Investigating Trademark and Copyright Infringement

 Define Trademark

o Explain the various characteristics of Trademarks

o What are the benefits of registering Trademark

o Describe the terms:

 Service Marks

 Trade Dress

o Write a note on Trademark Infringement

 Give the brief idea about the term Copyright

o Write the note on Investigating Copyright Status

o How Long Does a Copyright Last?

o Discuss the mission of U.S Copyright Office

o Explain doctrine of “Fair Use”

o How is Copyrights Enforced?

o Describe the term Copyright Infringement: Plagiarism

 Describe the various plagiarism detection factors

 Summarize the features and functions of following plagiarism detection tools:

 Turnitin

 CopyCatch

 Copy Protection System (COPS)

 SCAM (Stanford Copy Analysis Mechanism)

 CHECK

 Jplag

 VAST

 SIM

 PLAGUE

 YAP

 SPlaT

 Sherlock

 Urkund

 PRAISE

 FreestylerIII

 SafeAssignment

 Give the brief idea about Patent

o Explain Patent Infringement

o Describe the strategy for Patent search

 Summarize the features http://www.ip.com

o How it works?

 Explain the term Domain Name Infringement

o How to Check for Domain Name Infringement?

 Write a note on Investigating Intellectual Property

 Summarize the following laws related to Trademark and Copyright:

o US Laws

o Indian Laws

o Japanese Laws

o Australia Laws

o UK Laws 　

Module 29 Investigating sexually harassment incidents

 Define the term Sexual Harassment

 Summarize the different types of Sexual Harassment

 Discuss the consequences of Sexual Harassment

 What are the different responsibilities should be taken by Supervisors to prevent sexual harassment?

 Explain the responsibilities of employees

 Discuss the process for complaint against Sexual harassment

 Explain the investigation process:

o How do you investigate the Sexual Harassment?

 Discuss the Sexual Harassment Policies

 List down the several preventive steps

 Summarize the following acts and laws related to sexual Harassment:

o U.S Laws on Sexual Harassment

o Title VII of the 1964 Civil Rights Act

o The Civil Rights Act of 1991

o Equal Protection Clause of the 14th Amendment

o Common Law Torts

o State and Municipal Laws　

Module 30 Investigating Child Pornography

 Define Child Pornography

 What are the motives of people behind Child Pornography?

 Discuss about the people involved in Child Pornography

 Describe the role of Internet in promoting Child Pornography

 Explain the effects of Child Pornography on children

 Identify and describe the measures to prevent dissemination of Child Pornography

 Describe the various challenges in controlling Child Pornography

 Summarize the guidelines for investigating Child Pornography cases

 What are the different sources of digital evidence?

 Summarize the features, working and goals of Antichildporn.org:

o How to Report Antichildporn.org about Child Pornography Cases

o Describe the Report format of Antichildporn.org

 Summarize the features, working and uses of anti-child pornographic tools:

o Reveal

o iProtectYou

o Child Exploitation Tracking System (CETS)

 Summarize features, working and goals of anti-child pornography organizations:

o http://www.projectsafechildhood.gov/

o Innocent Images National Initiative

o Internet Crimes Against Children (ICAC)

 Describe the report on Child Pornography in various countries

 Summarize the following laws related to Child Pornography:

o U.S. Laws

o Australia Laws

o Austria Laws

o Belgium Laws

o Cyprus Laws

o Japan Laws

Module 31 PDA Forensics

 Give the brief idea about PDA:

o What is Personal Digital Assistant (PDA)?

o Explain the various features of PDA

o Describe the various PDA components

 Summarize the PDA Forensics Steps:

o Investigative Methods

o PDA Forensics – Examination

o PDA Forensics – Identification

o PDA Forensics - Collection

o PDA Forensics - Documentation

 Discuss the points to remember while conducting investigation

 Summarize the features and functions of PDA forensics tools:

o PDA Secure – Forensic Tool

o PDA Seizure

o EnCase – Forensic Tool

Module 32 iPod Forensics

 Summarize the features and basic attributes of iPod

o iPod

o iPod as Operating System

 Describe Apple HFS+ and FAT32 file system and application formats in iPod

 Discuss the various misuses of iPod

 Summarize the stages for iPod Investigation

o Mac Connected iPods

o Windows Connected iPods

o Storage

o Lab Analysis

o Remove Device From Packaging

 How will you test Mac Version

 Explain the Full System Restore as Described in the Users’ Manual

 How will you test Windows Version

o User Account

o Calendar and Contact Entries

 Summarize features and uses of EnCase

 Registry Key Containing the iPod’s USB/Firewire Serial Number

 Summarize the features and functions of iPod forensic tools:

o DiskInternals Music Recovery

o Recover My iPod　

Module 33 Blackberry Forensics

 Explain in brief about Blackberry:

o Blackberry: Introduction

o What are the different functions of BlackBerry?

o Describe BlackBerry as Operating System

o Summarize the working of BlackBerry

o Explain BlackBerry serial protocol

o Discuss the BlackBerry security

o Describe the wireless security for BlackBerry

 BlackBerry Security for Wireless Data

 Security for Stored Data

 Identify and describe Forensics and Acquisition of Blackberry

 Summarize the methods for collecting evidence from Blackberry

o Collecting Evidence from Blackberry: Gathering Logs

o Collecting Evidence from Blackberry: Imaging and Profiling

 Discuss the various Blackberry attacks

 How do you protect stored data in Blackberry?

 Identify and describe data hiding in BlackBerry

 Summarize the features and uses of BlackBerry Signing Authority Tool

Module 34 Investigative Reports

 Discuss the importance of Reports

 Explain the need of an investigative report

 Identify and describe the requirements for investigating Report

 Describe the Report Classification

 Identify and describe the layout of an investigative Report

 Describe sample forensic Report

 Write down the guidelines for writing Reports

 What is the importance of Consistency?

 Summarize the features and aspects of a Good Report

o Explain the investigative Report Format

 Discuss Dos and Don'ts of Forensic Computer Investigations

 Identify and describe case report writing and documentation

o Create a Report to Attach to the Media Analysis Worksheet

 Summarize the investigative procedures:

o Collecting Physical and Demonstrative Evidence

o Collecting Testimonial Evidence

 Explain the best practices for Investigators

 Describe the report writing using FTK

Module 35 Becoming an Expert Witness

 What is Expert Witness?

 Who Is an Expert Witness?

 Discuss the role of an Expert Witness

 Summarize the various types of Expert Witnesses:

o Computer Forensics Experts

o Medical & Psychological Experts

o Civil Litigation Experts

o Construction & Architecture Experts

o Criminal Litigation Experts

 Discuss the scope of Expert Witness Testimony in various areas of expertise

o Compare the terms Technical Testimony and Expert Testimony

 Summarize the steps for Evidence processing

o Write down the checklists for processing Evidence

o How do you examine Computer Evidence?

 Discuss the rules pertaining to an Expert Witness’ qualification

 Explain the importance of Resumé

 Explain in brief about testifying an Expert witness in Court:

o What is the order of trial proceedings?

o Write down the general ethics while testifying

o How do you represent your evidence?

o Explain the importance of graphics in a testimony

o How can you help to your Attorney?

o Discuss about avoiding testimony issues

o Describe about testifying during Direct Examination

o Describe testifying during Cross Examination

 Give the brief idea about deposing:

o What is the purpose of deposing?

o How do you recognizing deposing problems?

o List down the guidelines to testify at a deposing