CHFI Exam (312-49)

 

Credit Towards Certification

Computer Hacking Forensic Investigator v3

Exam Details

Number of Questions: 50
Passing Score: 70%
Test Duration: 2 Hours
Test Format: Multiple Choice
Test Delivery: Prometric Prime / Prometric APTC / VUE

Test Objectives v3 

Module 01 Computer Forensics in Today's World

Summarize the History of Forensics

Summarize the basic concepts of Computer Forensics

o What is Computer Forensics?

o Why is Computer Forensics necessary?

o What are the different ways of Forensic Data Collection?

o Objectives of Computer Forensics

o Benefits of Forensic Readiness

o Categories of Forensics Data

Identify Computer Forensics Flaws and Risks

Summarize the basic concepts of Computer Facilitated Crimes

o Type of Computer Crimes

o Cyber Crime

o Modes of Attacks

o Examples of Cyber Crime

o Examples of Evidence

Identify the Stages of Forensic Investigation in Tracking Cyber Criminals

o Key Steps in Forensics Investigations

o Rules of Computer Forensics

o Need for a Forensic Investigator

o Accessing Computer Forensics Resources

Identify the need for and procedure to maintain professional conduct

Understand Corporate Investigations

Define the term Digital Forensics

Explain the term Enterprise Theory of Investigation (ETI)

Where and when do you use Computer Forensics?

Module 02 Law and Computer Forensics

What privacy issues are involved in investigations?

Discuss the Fourth Amendment

Explain the Interpol Information Technology Crime Center

Summarize Internet Laws and Statutes

How does the FBI investigate computer crime?

o Federal Statutes Investigated by the FBI

Explain the Scientific Working Group on Digital Evidence (SWGDE)

Explain Federal Laws (Computer Crime)

Summarize Intellectual Property Rights

Summarize the laws about Cyber Stalking

List the crime-investigating organizations

o National Infrastructure Protection Center

Summarize the following acts and laws related to computer forensics:

o The USA Patriot Act of 2001

o The G8 Countries: Principles to Combat High-tech Crime

o The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)

o Crime Legislation of EU

o United Kingdom: Police and Justice Act 2006

o Australia: The Cybercrime Act 2001

o European Laws

o Austrian Laws

o Brazilian Laws

o Belgian Laws

o Canadian Laws

o French Laws

o Indian Laws

o German Laws

o Italian Laws

o Greek Laws

o Danish Laws

o Norwegian Laws

o Dutch Laws

Give a brief idea of Internet Crime Schemes

o Why should you report cybercrime?

o What are the stages to report computer-related crimes?

o Who is assigned to report the crime?

o When and how to report an Incident?

o Who to contact at law enforcement?

o How to contact local Federal agents?

Module 03 Computer Investigation Process

How to investigate computer crime?

Explain the importance of securing computer evidence

Discuss investigating company policy violations

What are the important things to do before the investigation?

Explain the Investigation Methodology

Is a search warrant needed for an investigation?

How can you prepare for searches?

Discuss searching without a warrant

What do you mean by Warning Banners?

How can you collect the evidence?

Discuss the Chain-of-Evidence Form

Explain Bit-stream copies

How to examine digital evidence?

Discuss an example of an access policy violation case

List the steps important for a computer forensic investigation

Give a brief idea of the investigation process

o Explain policy and procedure development

o Describe the following evidence assessment

Case Assessment

Processing Location Assessment

Legal Considerations

Evidence Assessment

o How to acquire evidence?

Explain Imaging

Describe write protection

How to acquire the subject evidence?

o Explain in brief about evidence examination

How can you extract the evidence physically?

How can you extract evidence logically?

Describe the following analyses of extracted data:

Timeframe analysis

Data hiding analysis

Application and file analysis

Describe ownership and possession

o Explain documenting and reporting of evidence

What should be in the final report?

o When to close the case?

What are important factors to maintain professional conduct?

Module 04 First Responder Procedure

Define Electronic Evidence

o Explain the forensic process

o Describe different types of Electronic Devices

o Discuss electronic devices and collecting potential evidence

o Summarize the features and basic attributes of evidence collecting tools and equipment

Describe First Response Rule

Explain Incident Response for following situations:

o First Response for System Administrators

o First Response by Non-Laboratory Staff

o First Response by Laboratory Forensic Staff

How can you secure and evaluate an electronic crime scene?

Which questions should be asked of a client?

Discuss health and safety issues

Explain Consent

Give a brief idea of Search and Seizure

o How do you plan a search and seizure?

o How to start the initial search of the scene?

o Discuss the importance of witness signatures

o Give an overview of conducting preliminary interviews

Discuss the initial interviews

o Why document the electronic crime scene?

o What is the importance of photographing the scene?

o Describe sketching the scene

o Discuss collecting and preserving electronic evidence

What important data is recorded on an evidence bag?

Explain order of volatility

Discuss computers that are powered OFF at seizure time

Describe the procedure for a powered-ON PC

Explain the role of computers and servers

Which devices should be collected and preserved as electronic evidence?

What is the procedure for seizing portable computers?

Explain packaging electronic evidence

Describe exhibit numbering

o How can you transport electronic evidence?

o How can you handle and transport the devices to forensic laboratory?

Explain ‘Chain of Custody’

Give a brief overview of forensic examination by crime category

Module 05 CSIRT

Define Vulnerability

Discuss vulnerability statistics

Give a brief idea of an Incident

o How to identify an Incident?

o How to prevent an Incident?

o What is the relationship between Incident Response, Incident Handling, and Incident Management?

o Give the checklist for Incident Response

o How can you handle incidents?

o Explain the following stages for handling incident:

Preparation

Identification

Containment

Eradication

Recovery

Follow-up

o Explain Incident Management

o Why don’t Organizations Report Computer Crimes?

o Describe estimating the cost of an Incident

o To whom to report an Incident?

o How to report an Incident?

o What are the different vulnerability resources?

o Explain the following category of Incidents

Category of Incidents: Low Level

Category of Incidents: Mid Level

Category of Incidents: High Level

Explain CSIRT in brief

o What are the goals and strategy of a CSIRT?

o Describe the CSIRT Vision

Discuss building the CSIRT Vision

o What are the motivations behind CSIRTs?

o Why an Organization needs an Incident Response Team?

o Who works in a CSIRT?

o Staffing your Computer Security Incident Response Team: What are the basic skills needed?

o Explain the team models

o What are the three categories of CSIRT Services?

o Discuss CSIRT case classification

o Explain types of Incidents and level of Support

o Describe the service attributes

o Explain Incident specific procedures

o How a CSIRT handles a case: Steps

o Describe US-CERT Incident Reporting System

Discuss CSIRT Incident Report Form

Explain CERT(R) Coordination Center: Incident Reporting Form

o Give an example of a CSIRT

o Discuss the Best Practices for Creating a CSIRT

Step 1: Obtain Management Support and Buy-in

Step 2: Determine the CSIRT Development Strategic Plan

Step 3: Gather Relevant Information

Step 4: Design your CSIRT Vision

Step 5: Communicate the CSIRT Vision

Step 6: Begin CSIRT Implementation

Step 7: Announce the CSIRT

o What are the limits to effectiveness in CSIRTs?

o Give an overview of investing in Automated Response

List the world CERTs (http://www.trusted-introducer.nl/teams/country.html)

Discuss the FIRST member teams listed at http://www.first.org/about/organization/teams/

Discuss IRTs Around the World

Module 06 Computer Forensic Lab

Explain budget allocation for a Forensics Lab

List the physical location needs for a Forensics Lab

Describe the work area of a computer forensics lab

Discuss the general configuration of a Forensics Lab

List the equipment required in a Forensics Lab

Explain the ambience of a forensics lab

o Describe Ergonomics

What are the environmental conditions required for proper lab functioning?

What are the recommendations to avoid eyestrain?

Discuss the structural design of the lab

Explain the electrical needs of the lab

Give an overview of communications factors

List the basic workstation requirements in a forensics lab

What essential hardware peripherals should be stocked as back-ups?

Which application and operating system inventories must be maintained?

How can you provide physical security to your forensics lab?

Explain fire-suppression systems

Give the general recommendations for an evidence locker

What are the steps for auditing a computer forensics lab?

o Auditing a Forensics Lab

Explain the licensing requirements for forensic lab

Summarize the features and basic attributes of following forensic laboratory requirements:

o Paraben Forensics Hardware requirements:

Handheld First Responder Kit

Wireless StrongHold Bag

Remote Charger

Device Seizure Toolbox

Wireless StrongHold Tent

Passport StrongHold Bag

Project-a-Phone

SATA Adaptor Male/ Data cable for Nokia 7110/6210/6310/i

Lockdown

SIM Card Reader/ Sony Clie N & S Series Serial Data Cable

USB Serial DB9 Adapter

o Portable Forensic Systems and Towers:

Forensic Air-Lite VI MKII laptop

Original Forensic Tower II

Portable Forensic Workhorse V

Tableau 335 Forensic Drive Bay Controller

Forensic Air-Lite IV MK II

Forensic Tower II

o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit

o Tableau T3u Forensic SATA Bridge Write Protection Kit

o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

o Power Supplies and Switches

o Explain DIBS® Mobile Forensic Workstation

DIBS® Advanced Forensic Workstation

DIBS® RAID: Rapid Action Imaging Device

o Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)

List the different forensic workstations

Summarize the features and basic attributes of the LiveWire Investigator tool

What are the features of the Laboratory Imaging System?

o List the technical specifications of the Laboratory-based Imaging System

Explain Computer Forensic Labs, Inc.

o Discuss procedures at Computer Forensic Labs (CFL), Inc.

List the Data Destruction Industry Standards

Module 07 Understanding File Systems and Hard Disks

Give an overview of Disk Drives

Explain the Hard Disk in brief

o Describe types of Hard Disk Interfaces:

SCSI

IDE/EIDE

USB

ATA

Fibre Channel

o What is Disk Platter?

Describe Tracks

Explain Tracks Numbering

o Give a detailed idea of the Sector

Explain Sector Addressing

o Describe the Cluster in detail

Cluster Size

What is Slack Space?

Discuss lost clusters

o Describe Bad Sectors

o How can you calculate Disk Capacity?

o Summarize the features of following forensic tools:

Evidor: The Evidence Collector

WinHex

Understanding File Systems

o Explain file systems in detail:

Types of File System

List the various disk file systems

List the network file systems

List the special-purpose file systems

List the Linux file systems

Explain the Sun Solaris 10 File System: ZFS

List the Mac OS X file systems

List the Windows file systems

Explain CD-ROM / DVD File system

o Compare different file systems

o Explain Disk Partition

o Describe Master Boot Record

o Explain more about FAT

Describe Boot Sector

o Give the brief idea about NTFS

List down different NTFS System Files

Explain NTFS partition boot sector

Describe NTFS Master File Table (MFT)

Describe the Metadata File Table

Explain NTFS Attributes

Give an idea of NTFS Data Streams

Give an overview of NTFS Compressed Files

Explain the NTFS Encrypting File System (EFS) in brief

Discuss the EFS File Structure

Describe the EFS Recovery Key Agent

What is an EFS Key?

How can you delete NTFS Files?

o What is the Registry?

How can you examine Registry data?

o Compare FAT and NTFS

o Describe Windows XP system files

o List the steps for booting Windows (XP/2003)

o Explain the boot disk resources at http://www.bootdisk.com

Module 08 Understanding Digital Media Devices

Summarize features and basic attributes of following digital storage devices:

o Magnetic Tape

o Floppy Disk

o Compact Disc

o CD-ROM

o DVD

DVD-R, DVD+R, and DVD+R(W)

DVD-RW, DVD+RW

DVD+R DL/ DVD-R DL/ DVD-RAM

HD-DVD (High Definition DVD)

o Blu-ray

o Compare the following:

CD and DVD vs. Blu-ray

HD-DVD vs. Blu-ray

o iPod

o Zune

o Explain the different Flash Memory Cards in brief

Secure Digital (SD) Memory Card

Compact Flash (CF) Memory Card

Memory Stick (MS) Memory Card

Multi Media Memory Card (MMC)

xD-Picture Card (xD)

SmartMedia Memory (SM) Card

o USB Flash Drives

USB Flash in a Pen

Module 09 Windows, Linux and Macintosh Boot Processes

Discuss the different terms

Give a brief idea of:

o Boot Loader

o Boot Sector

o Anatomy of the MBR

Explain the basic system boot process

Give a brief idea of the MS-DOS Boot Process

Explain the Windows XP Boot Process in detail

Describe the Linux boot process in brief

o Describe the common startup files in UNIX

o List the important UNIX directories

o Explain steps for Linux Boot Process:

Step 1: The Boot Manager

Step 2: init

Step 2.1: /etc/inittab

runlevels

Step 3: Services

Step 4: More inittab

Give a brief idea of Mac OS X:

o Discuss Hidden Files in Mac OS X

o Describe booting in Mac OS X

o Explain Mac OS X Boot Options

o List the steps for booting Mac OS X

o How to run Mac OS X on Windows XP (via the PearPC emulator)?

o Explain PearPC

o Describe MacQuisition Boot CD by BlackBag

o Summarize features of Macintosh Forensic Software by BlackBag

Directory Scan

FileSpy

HeaderBuilder

o Summarize the features of following Mac OS forensics tools:

Carbon Copy Cloner (CCC)

MacDrive6

Module 10 Windows Forensics

Where can you find evidence on a Windows system?

How can you gather volatile evidence?

Summarize the features and advantages of the following Windows forensics tools:

o Give a brief idea of Helix

List the tools on the Helix CD for Windows forensics

Discuss Helix Tool: SecReport

Explain Helix Tool: Windows Forensic Toolchest (WFT)

o MD5 Generator: Chaos MD5

Describe Secure Hash Signature Generator

Explain MD5 Generator: Mat-MD5

Explain MD5 Checksum Verifier 2.1

o PsList

o Fport

o PsLoggedOn

What is File Slack? How can you investigate Windows File Slack?

How to examine file systems?

Discuss the built-in tool Sigverif

Discuss the Word Extractor forensic tool

How can you examine the Registry?

o Summarize the features of the following registry tools:

Registry Viewer Tool: RegScanner

Microsoft Security ID

Summarize the features and importance of a Memory Dump

o Pagefile.sys and PMDump

What is Virtual Memory?

o Discuss System Scanner

Explain Integrated Windows Forensics Software: X-Ways Forensics and its features

How can you investigate Internet traces?

Summarize the features of the following Internet tracing tools:

o Traces Viewer

o IECookiesView

o IE History Viewer

o Cache Monitor

Give an overview of investigating ADS (Alternate Data Streams)

How can you create a bootable CD-ROM for Windows XP?

o Bart PE (Bart Preinstalled Environment): Screenshot

o Ultimate Boot CD-ROM

o List the tools on the Ultimate Boot CD-ROM

Module 11 Linux Forensics

Why use Linux for Forensics?

How to recognize partitions in Linux?

Explain file system in Linux

o Describe file system

Discuss mount Command

Discuss the Boot Sequence in Linux

Explain Linux Forensics

Discuss case example

o Explain Step-by-step approach to case

What are the challenges in disk forensics with Linux?

Discuss the Jason Smith Case

o Explain the step-by-step approach to the case

Summarize the features of the following Linux forensics tools:

o The Sleuth Kit

List the tools present in The Sleuth Kit

o Autopsy

Describe evidence analysis techniques in Autopsy

o SMART for Linux

o Penguin Sleuth

List the tools included in the Penguin Sleuth Kit

o Forensix

o Maresware

List the various programs present in Maresware

o Captain Nemo

o The Farmer's Boot CD

Module 12 Data Acquisition and Duplication

What are the different acquisition methods?

Explain data recovery contingencies

What is the need of data duplication?

Explain features of MS-DOS Data Acquisition tool: DriveSpy

Give an overview of Windows Data Acquisition tools

o FTK Imager

Describe data acquisition in Linux

o Explain the dd command

o How can you extract the MBR?

o Explain the Netcat command

Discuss the dd command (Windows XP version)
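Worked example for the dd, MBR-extraction and Netcat items above (added here; it is not EC-Council courseware and not any vendor's code). It is a pure-Python stand-in for `dd if=/dev/sdb of=sdb.dd bs=512` followed by `md5sum`/`sha1sum`, and for `dd if=sdb.dd bs=512 count=1` to pull the first sector, and it then parses that sector's partition table, the same MBR structure that Module 07, Module 09 and Module 14 refer to. The 1 MiB "disk" and its two partition entries are constructed in code (assumptions for the example, not evidence); the hashes recorded at acquisition time are what the chain-of-custody form would carry.

```python
"""Bit-stream acquisition with acquisition-time hashes, then MBR extraction and parsing.

Pure-Python equivalent of:  dd if=/dev/sdb of=sdb.dd bs=512 ; md5sum / sha1sum
and of:                     dd if=sdb.dd bs=512 count=1   (pull the first sector = MBR)
"""
import hashlib
import os
import struct
import tempfile

SECTOR = 512
PART_TABLE_OFFSET = 446             # four 16-byte entries at 446..509
MBR_SIGNATURE = b"\x55\xAA"         # bytes 510..511 of a valid MBR
ENTRY = struct.Struct("<B3sB3sII")  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_disk() -> bytes:
    """Constructed 1 MiB 'disk' (assumption for this example, not real evidence)."""
    disk = bytearray(2048 * SECTOR)
    # Partition 1: bootable, type 0x07 (NTFS), starts at LBA 63, 1000 sectors.
    disk[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = ENTRY.pack(0x80, b"\0\0\0", 0x07, b"\0\0\0", 63, 1000)
    # Partition 2: not bootable, type 0x83 (Linux), starts at LBA 1063, 985 sectors.
    disk[PART_TABLE_OFFSET + 16:PART_TABLE_OFFSET + 32] = ENTRY.pack(0x00, b"\0\0\0", 0x83, b"\0\0\0", 1063, 985)
    disk[510:512] = MBR_SIGNATURE
    disk[63 * SECTOR:63 * SECTOR + 8] = b"NTFS    "   # marker in partition 1's boot sector
    return bytes(disk)


def acquire(src_path: str, dst_path: str, block_size: int = SECTOR) -> dict:
    """Copy src to dst block by block, hashing the stream as it is written (dd + md5sum in one pass)."""
    md5, sha1, total = hashlib.md5(), hashlib.sha1(), 0
    with open(src_path, "rb") as src, open(dst_path, "wb") as dst:
        for block in iter(lambda: src.read(block_size), b""):
            md5.update(block)
            sha1.update(block)
            dst.write(block)
            total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path: str) -> dict:
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify(image_path: str, acquisition_hashes: dict) -> bool:
    """Re-hash the image later (e.g. before analysis) and compare with the acquisition record."""
    h = hash_file(image_path)
    return h["md5"] == acquisition_hashes["md5"] and h["sha1"] == acquisition_hashes["sha1"]


def extract_mbr(image_path: str) -> bytes:
    """Same as `dd if=image bs=512 count=1`: the MBR is the first sector."""
    with open(image_path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(mbr: bytes) -> list:
    """Decode the four primary partition entries; refuse sectors without the 0x55AA signature."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("no 0x55AA signature at offset 510: not an MBR, or a damaged one")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = ENTRY.unpack(mbr[off:off + 16])
        if ptype == 0:            # unused slot
            continue
        parts.append({"index": i + 1, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts


def demo() -> dict:
    """Write the constructed disk to a temp dir, acquire it, verify the copy, parse its MBR."""
    tmp = tempfile.mkdtemp()
    device, image = os.path.join(tmp, "sdb.raw"), os.path.join(tmp, "sdb.dd")
    with open(device, "wb") as f:
        f.write(build_sample_disk())
    acq = acquire(device, image)
    return {"acq": acq,
            "verified": verify(image, acq),                            # image unchanged since acquisition
            "source_matches": hash_file(device)["md5"] == acq["md5"],  # image == source device
            "partitions": parse_mbr(extract_mbr(image))}


if __name__ == "__main__":
    result = demo()
    print("acquired %d bytes md5=%s sha1=%s verified=%s"
          % (result["acq"]["bytes"], result["acq"]["md5"], result["acq"]["sha1"], result["verified"]))
    for p in result["partitions"]:
        print("partition %d type 0x%02x boot=%s LBA %d (byte offset %d) sectors %d"
              % (p["index"], p["type"], p["bootable"], p["lba_start"], p["byte_offset"], p["sectors"]))
```

The byte_offset value is what you would hand to `mount -o ro,loop,offset=<bytes>` to mount one partition of the raw image read-only (the Module 11 mount item). Acquiring over the network with Netcat changes nothing about the hashing: the same block stream is piped through nc, hashed on both ends, and the two digests compared.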

Summarize the features of the following data acquisition tools:

o Mount Image Pro

o Snapshot Tool

o Snapback DatArrest

o Data Acquisition Tool: SafeBack

o Hardware Tool: Image MASSter Solo-3 Forensic

o Hardware Tool: LinkMASSter-2 Forensic

o Hardware Tool: RoadMASSter-2

o Data Duplication Tool: R-drive Image

o Data Duplication Tool: DriveLook

o Data Duplication Tool: DiskExplorer

o Save-N-Sync

o Hardware Tool: ImageMASSter 6007SAS

o Hardware Tool: Disk Jockey IT

o SCSIPAK

o IBM DFSMSdss

o Tape Duplication System: QuickCopy

Module 13 Computer Forensic Tools

Part I- Software Forensics Tools

Summarize the features and advantages of the following software forensics tools:

o Visual TimeAnalyzer

o X-Ways Forensics

o Evidor

o Slack Space & Data Recovery Tools: Ontrack

o Data Recovery Tools:

Device Seizure 1.0

Forensic Sorter v2.0.1

Directory Snoop

o Permanent Deletion of Files:

PDWipe

Darik's Boot and Nuke (DBAN)

o File Integrity Checker:

FileMon

File Date Time Extractor (FDTE)

Decode - Forensic Date/Time Decoder

o Disk Imaging Tools:

Snapback DatArrest

o Partition Managers: Partimage

o Linux/Unix Tools: Ltools and Mtools

o Password Recovery Tool:

@Stake

Decryption Collection Enterprise v2.5

AIM Password Decoder

MS Access Database Password Decoder

o Internet History Viewer:

CookieView - Cookie Decoder

Cookie Viewer

Cache View

FavURLView - Favourite Viewer

NetAnalysis

o Multipurpose Tools:

Maresware

LC Technologies Software

WinHex Specialist Edition

ProDiscover DFT

o Toolkits:

NTI Tools

R-Tools-I

Datalifter

AccessData

FTK - Forensic Toolkit

ImageMASSter Solo and FastBloc

EnCase

o Email Recovery Tool:

E-mail Examiner

Network E-mail Examiner

o Case Agent Companion

o Chat Examiner

o Forensic Replicator

o Registry Analyzer

o ASR Data’s SMART

o Oxygen Phone Manager

o SIM Card Seizure

o Text Searcher

o Autoruns

o Autostart Viewer

o Belkasoft RemovEx

o HashDig

o Inforenz Forager

o KaZAlyser

o DiamondCS OpenPorts

o Pasco

o Patchit

o PE Explorer

o Port Explorer

o PowerGREP

o Process Explorer

o PyFLAG

o Registry Analyzing Tool: Regmon

o Reverse Engineering Compiler

o SafeBack

o TapeCat

o Vision

Part II- Hardware Forensics Tools

Summarize the features and advantages of the following hardware computer forensic tools:

o Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock

o LockDown

o Write Protect Card Reader

o Drive Lock IDE

o Serial-ATA DriveLock Kit

o Wipe MASSter

o ImageMASSter Solo-3 IT

o ImageMASSter 4002i

o ImageMASSter 3002SCSI

o ImageMASSter 3004SATA


Module 14 Forensics Investigations Using EnCase

What is an Evidence File?

o Explain the evidence file format

o How can you verify file integrity?

Describe Hashing

How can you acquire an image?

Explain configuring EnCase and discuss the following:

o EnCase Options Screen

o EnCase Screens

o View Menu

o Device Tab

o Viewing Files and Folders

o Bottom Pane

Viewers in Bottom Pane

Status Bar

Explain the search capability of EnCase in brief

o Discuss Keywords

How to add Keywords?

How can you group keywords?

How can you add multiple Keywords?

o How to run a search?

o Discuss the Search Hits tab

Give a brief idea of Bookmarks:

o What are Bookmarks?

o How to create Bookmarks?

o Discuss adding Bookmarks

Explain the procedure for recovering Deleted Files/folders in FAT Partition

o How can you recover folders in NTFS?

o Explain the Master Boot Record (MBR)

o How to view Disk Geometry?

Explain the recovery of deleted partitions

Explain Hash Values in brief

o How to create Hash Sets?

o Describe the MD5 Hash

o How to create a Hash?

What do you mean by Viewers?

Discuss Signature Analysis

How can you view the results?

Explain the process for copying files/folders

Describe E-mail Recovery

Discuss Reporting

Explain Boot Disks in EnCase

What are IE Cache Images?

Module 15 Recovering Deleted Files and Deleted partitions

Part I: Recovering Deleted Files

How can you delete files?

What happens when a file is deleted in Windows?

Give a brief idea of the Recycle Bin in Windows

o Discuss the storage locations of the Recycle Bin on FAT and NTFS systems

o How does the Recycle Bin work?

o Explain a damaged or deleted INFO file

o Describe damaged files in the Recycled folder

o Give an overview of a damaged Recycle folder
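Worked example for the Recycle Bin items above (added; not EC-Council's material and not any listed tool's code): a parser for the Windows 2000/XP INFO2 index that decodes each record's FILETIME deletion stamp, rebuilds the D<drive letter><index>.<ext> name the deleted file carries inside RECYCLER, and survives both a corrupted header and a truncated tail. The record layout is the one widely documented for XP and is an assumption of this example; the two records and the damage applied to them are constructed.

```python
"""Parse a Windows 2000/XP Recycle Bin INFO2 index and decode its FILETIME deletion stamps.

Layout used here (the widely documented XP format; treat the offsets as this example's
assumptions): 20-byte header = version, two reserved dwords, record size (800 on XP),
total size. Each 800-byte record = 260-byte ASCII original path, dword record index,
dword drive number (0 = A:, 2 = C:), 8-byte FILETIME of deletion, dword file size,
520-byte UTF-16LE original path.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<IIIII")
RECORD_SIZE_XP = 800


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC (never local time)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def build_sample_info2(records) -> bytes:
    """Constructed INFO2 (not real evidence): header plus one 800-byte record per tuple."""
    body = b""
    for index, drive, path, deleted, size in records:
        body += path.encode("ascii").ljust(260, b"\0")
        body += struct.pack("<IIQI", index, drive, datetime_to_filetime(deleted), size)
        body += path.encode("utf-16-le").ljust(520, b"\0")
    return HEADER.pack(5, 0, 0, RECORD_SIZE_XP, HEADER.size + len(body)) + body


def _ext(path: str) -> str:
    dot, sep = path.rfind("."), path.rfind("\\")
    return path[dot:] if dot > sep else ""


def parse_info2(data: bytes) -> list:
    """Return one dict per complete record; tolerate a corrupted header and a truncated tail."""
    _, _, _, rec_size, _ = HEADER.unpack(data[:HEADER.size])
    if rec_size != RECORD_SIZE_XP:          # damaged header: fall back to the XP record size
        rec_size = RECORD_SIZE_XP
    out, off = [], HEADER.size
    while off + rec_size <= len(data):      # an incomplete final record is skipped, not misread
        rec = data[off:off + rec_size]
        index, drive, ft, size = struct.unpack("<IIQI", rec[260:280])
        ascii_path = rec[:260].split(b"\0", 1)[0].decode("latin-1")
        unicode_path = rec[280:].decode("utf-16-le", "replace").split("\0", 1)[0]
        path = unicode_path or ascii_path
        letter = chr(ord("A") + drive)
        out.append({"index": index, "drive": letter, "original_path": path,
                    "deleted_utc": filetime_to_datetime(ft), "size": size,
                    # Windows nulls the first ASCII byte when the entry is restored or purged
                    "entry_cleared": rec[0] == 0,
                    # on-disk name inside RECYCLER\<SID>\ : D + drive letter + index + extension
                    "recycled_name": "D%s%d%s" % (letter.lower(), index, _ext(path))})
        off += rec_size
    return out


def _utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


SAMPLE_RECORDS = [
    (1, 2, r"C:\Documents and Settings\jsmith\Desktop\plan.doc", _utc(2007, 6, 15, 12, 34, 56), 24576),
    (2, 3, r"D:\photos\img001.jpg", _utc(2007, 6, 16, 8, 0, 0), 1048576),
]
SAMPLE = build_sample_info2(SAMPLE_RECORDS)


def damaged_copy(info2: bytes) -> bytes:
    """Simulate damage: bogus record size in the header and 100 bytes chopped off the end."""
    return info2[:12] + struct.pack("<I", 0xFFFF) + info2[16:-100]


if __name__ == "__main__":
    for r in parse_info2(SAMPLE):
        print("%s  %s  deleted %s  %d bytes  cleared=%s" % (
            r["recycled_name"], r["original_path"], r["deleted_utc"].isoformat(), r["size"], r["entry_cleared"]))
    print("records recovered from damaged copy:", len(parse_info2(damaged_copy(SAMPLE))))
```

Windows Vista and later replaced INFO2 with per-file $I<random> records of a different layout, so this parser applies to the 2000/XP generation the module describes.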

How to Undelete a File?

Explain Data Recovery in Linux

Summarize the features of the following deleted files recovery tools:

o Search and Recover

o Zero Assumption Digital Image Recovery

o e2Undel

o R-Linux

o O&O Unerase

o Restorer 2000

o Badcopy Pro

o File Scavenger

o Mycroft V3

o PC ParaChute

o Stellar Phoenix

o Filesaver

o Virtual Lab

o Drive and Data Recovery

o Active@ UNERASER - DATA Recovery

o Restoration

o PC Inspector File Recovery

o PC Inspector Smart Recovery

o Fundelete

o RecoverPlus Pro

o OfficeFIX

o Recover My Files

o Zero Assumption Recovery

o SuperFile Recover

o IsoBuster

o CDRoller

o DiskInternals Uneraser

o DiskInternal Flash Recovery

o DiskInternals NTFS Recovery

o Recover Lost/Deleted/Corrupted files on CDs and DVDs

o Undelete

o Active@ UNDELETE

o CD Data Rescue

o File Recover

o WinUndelete

o R-Undelete

o Image Recall

o eIMAGE Recovery

o Recover4all Professional

o eData Unerase

o Easy-Undelete

o InDisk Recovery

o Repair My Excel

o Repair Microsoft Word Files

o Zip Repair

o Canon RAW File Recovery Software

Part II: Recovering Deleted Partitions

Explain deletion of a partition

How can you delete a partition using Windows?

How can you delete a partition using the command line?

Describe recovery of a deleted partition

Summarize the features of the following deleted partition recovery tools:

o GetDataBack

o DiskInternals Partition Recovery

o Active@ Partition Recovery

o Handy Recovery

o Acronis Recovery Expert

o Active Disk Image

o TestDisk

o Recover It All!

o Scaven

o Partition Table Doctor

o NTFS Deleted Partition Recovery

Module 16 Image Files Forensics

Define the common terms

Give a brief idea of Image files

o What do you understand by vector images?

o Explain raster images

o Discuss Metafile Graphics

o Summarize the structure, features and basic attributes of the following Image file formats:

GIF (Graphics Interchange Format)

JPEG (Joint Photographic Experts Group)

JPEG 2000

BMP (Bitmap) File

PNG (Portable Network Graphics)

Tagged Image File Format (TIFF)

ZIP archive (a compressed container rather than an image format; image files are often found packed inside one)

How does file compression work?

Discuss data compression and its types

o Explain the following data compression algorithms:

Huffman Coding Algorithm

Lempel-Ziv Coding Algorithm

What is meant by Lossy Compression?

o Explain Vector Quantization

Give an overview of locating and recovering image files

What is the importance of Image file headers?

How can you repair the damaged headers?

Explain reconstruction of file fragments

Identify and discuss unknown file formats

o Summarize the features of the following tools to identify unknown file formats:

http://www.filext.com

Picture Viewer: IrfanView

Picture Viewer: ACDsee

Picture Viewer: Thumbsplus

Picture Viewer: AD

Picture Viewer: Max

FastStone Image Viewer

XnView

Faces – Sketch Software
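Worked example covering the header, repair and fragment-reconstruction items above and the signature-analysis item in Module 14 (added; example code, not EC-Council's and not any of the listed tools'): signature identification checked against the claimed extension, repair of a JPEG whose SOI marker was overwritten, and naive header-to-footer carving of JPEGs out of an unallocated-space blob. The sample files and the blob are constructed; the magic values are the standard ones.

```python
"""File signature analysis and header repair for image files.

Compares the type implied by a file's header (magic bytes) with the type its extension claims,
restores a JPEG whose SOI marker was overwritten, and carves JPEGs out of an unallocated blob.
Signatures are the standard ones; every sample file below is constructed for the example.
"""
import os

SIGNATURES = [
    # (type, magic bytes at offset 0, extensions that legitimately carry it)
    ("JPEG", b"\xFF\xD8\xFF", {".jpg", ".jpeg"}),
    ("PNG", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("GIF", b"GIF87a", {".gif"}),
    ("GIF", b"GIF89a", {".gif"}),
    ("TIFF", b"II*\x00", {".tif", ".tiff"}),
    ("TIFF", b"MM\x00*", {".tif", ".tiff"}),
    ("ZIP", b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".jar"}),
    ("BMP", b"BM", {".bmp"}),     # two bytes only: a weak signature, so it is tested last
]


def identify(data: bytes):
    """Return (type, allowed extensions) for the first matching signature, or (None, set())."""
    for kind, magic, exts in SIGNATURES:
        if data[:len(magic)] == magic:
            return kind, exts
    return None, set()


def analyse(filename: str, data: bytes) -> dict:
    """One signature-analysis verdict: match, mismatch (renamed file) or unknown."""
    ext = os.path.splitext(filename)[1].lower()
    kind, exts = identify(data)
    verdict = "unknown" if kind is None else ("match" if ext in exts else "mismatch")
    return {"file": filename, "ext": ext, "header_type": kind, "verdict": verdict}


def repair_jpeg_header(data: bytes) -> bytes:
    """Restore FF D8 (SOI) when bytes 2.. still show an intact APP0/APP1 segment (JFIF or Exif)."""
    if data[:2] == b"\xFF\xD8":
        return data
    if data[2:4] in (b"\xFF\xE0", b"\xFF\xE1") and data[6:10] in (b"JFIF", b"Exif"):
        return b"\xFF\xD8" + data[2:]
    raise ValueError("header too damaged for this rule; try carving from the next marker instead")


def carve_jpegs(blob: bytes) -> list:
    """Naive header-to-footer carving: SOI (FF D8 FF) to the next EOI (FF D9).
    Real files may embed a thumbnail with its own EOI, so the carved length is a first estimate."""
    found, pos = [], 0
    while True:
        start = blob.find(b"\xFF\xD8\xFF", pos)
        if start < 0:
            break
        end = blob.find(b"\xFF\xD9", start + 3)
        if end < 0:
            break
        found.append((start, blob[start:end + 2]))
        pos = end + 2
    return found


# Constructed samples: a minimal JFIF-style JPEG, a renamed copy, a PNG, a damaged JPEG, noise.
JPEG_SAMPLE = (b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 32 + b"\xFF\xD9")
SAMPLES = {
    "holiday.jpg": JPEG_SAMPLE,
    "notes.txt": JPEG_SAMPLE,                        # JPEG renamed to hide it: extension mismatch
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "damaged.jpg": b"\x00\x00" + JPEG_SAMPLE[2:],    # SOI marker overwritten
    "random.bin": b"\x00\x11\x22" * 8,
}
UNALLOCATED = b"\x00" * 100 + JPEG_SAMPLE + b"\xAB" * 50 + JPEG_SAMPLE + b"\x00" * 20


def run() -> dict:
    reports = [analyse(name, data) for name, data in SAMPLES.items()]
    repaired = repair_jpeg_header(SAMPLES["damaged.jpg"])
    return {"reports": reports,
            "repaired_type": identify(repaired)[0],
            "carved_offsets": [off for off, _ in carve_jpegs(UNALLOCATED)]}


if __name__ == "__main__":
    r = run()
    for rep in r["reports"]:
        print("%-12s ext=%-5s header=%-5s %s" % (rep["file"], rep["ext"], rep["header_type"], rep["verdict"]))
    print("damaged.jpg after repair:", r["repaired_type"])
    print("JPEGs carved from unallocated blob at offsets:", r["carved_offsets"])
```

Signature analysis in a full tool runs over every file in the image and reports the mismatches for review; the repair rule above is deliberately narrow, since restoring bytes you cannot justify from the rest of the structure is guesswork rather than recovery.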

Describe Steganography in image files

Define the term Steganalysis

o Summarize the features of the following steganalysis tools:

Steganalysis Tool: Hex Workshop

Steganalysis Tool: S-tools

Steganalysis Tool: Stegdetect

Summarize the features and advantages of the following Image File Forensic tools:

o GFE Stealth (Graphics File Extractor)

o Tool: ILook v8

o Tool: P2 eXplorer

Explain the copyright issues on graphics

Module 17 Steganography

What do you mean by Steganography?

Discuss the history of Steganography

Explain the evolution of Steganography

How is Steganography classified?

Are Steganography and Cryptography the same thing?

Explain the models of a Stegosystem and a Cryptosystem

Give a brief idea of Image Steganography

o Explain the different Steganography techniques:

Least Significant Bit Insertion in Image Files

Masking and Filtering on Image Files

Algorithms and Transformation
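Worked example of the Least Significant Bit insertion technique above, with the matching extraction and the simplest steganalysis check of Module 16 (added; not from EC-Council and not from any of the tools listed in this module). It operates on a raw 8-bit sample buffer so it needs no imaging library. The cover is a constructed even-valued gradient, chosen so that its LSB plane starts clean; a photograph's would not, and the statistic at the end says so.

```python
"""Least-significant-bit insertion in a raster image buffer, the matching extraction, and a
first-pass LSB-plane statistic. Works on raw 8-bit sample bytes (grayscale or packed RGB), so
no imaging library is needed; the cover is a constructed smooth gradient, not a photograph."""


def _message_bits(message: bytes):
    for byte in message:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def embed(cover: bytes, payload: bytes) -> bytes:
    """Replace the LSB of one cover byte per message bit; a 4-byte big-endian length comes first."""
    message = len(payload).to_bytes(4, "big") + payload
    if len(message) * 8 > len(cover):
        raise ValueError("payload needs %d cover bytes, cover has %d" % (len(message) * 8, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_message_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit        # each sample moves by at most 1
    return bytes(stego)


def _read_bytes(stego: bytes, first_sample: int, count: int) -> bytes:
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (stego[first_sample + b * 8 + k] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the length prefix, then that many bytes; refuse lengths the image cannot hold."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        raise ValueError("length prefix exceeds cover size: no (or foreign) LSB payload")
    return _read_bytes(stego, 32, length)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    return max(abs(a - b) for a, b in zip(cover, stego))


def lsb_ones_fraction(region: bytes) -> float:
    """Fraction of samples whose LSB is 1. A smooth synthetic cover has a structured LSB plane;
    after embedding, the plane carries the message's bit statistics instead. On real photographs
    the LSB plane is already noisy, and this crude check gives way to the chi-square
    pairs-of-values test that tools such as Stegdetect use."""
    return sum(b & 1 for b in region) / max(1, len(region))


# Constructed 64x64 grayscale cover: even-valued gradient, so every LSB starts at 0.
COVER = bytes(((i // 3) * 2) % 256 for i in range(64 * 64))
PAYLOAD = b"meet at the usual place, 21:00"


def demo() -> dict:
    stego = embed(COVER, PAYLOAD)
    touched = 32 + len(PAYLOAD) * 8                # samples that carry the message
    return {"recovered": extract(stego),
            "max_change": max_sample_change(COVER, stego),
            "size_unchanged": len(stego) == len(COVER),
            "ones_cover": lsb_ones_fraction(COVER[:touched]),
            "ones_stego": lsb_ones_fraction(stego[:touched]),
            "empty_cover_payload": extract(COVER)}


if __name__ == "__main__":
    r = demo()
    print("recovered:", r["recovered"])
    print("max per-sample change:", r["max_change"], "size unchanged:", r["size_unchanged"])
    print("LSB ones fraction cover=%.3f stego=%.3f" % (r["ones_cover"], r["ones_stego"]))
```

The file size and all but the lowest bit of every sample are untouched, which is why LSB insertion is invisible to the eye and why detection has to be statistical; it is also why lossy recompression (saving the stego file as a new JPEG) destroys the payload.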

Describe Stego-Forensics in short

o Describe the important terms in Stego-Forensics

o What are the different categories of Steganography in forensics?

Explain the concept of Watermarking in brief

o What is Watermarking?

o Compare Steganography and Watermarking

o How can Watermarking be classified?

o Describe the various attacks on Watermarking

o List the applications of Watermarking

o Explain Digimarc's Digital Watermarking

o Discuss the Mosaic Attack on watermarking

Mosaic Attack – JavaScript code

Give an overview of 2Mosaic, a watermark-breaking tool

Define Steganalysis

o Explain Steganalysis Methods/Attacks on Steganography

List the real-world uses of Steganography

Discuss the future of Steganography

Where can Steganography be used unethically?

Describe information hiding in audio files:

o Low-bit Encoding

o Phase Coding

o Spread Spectrum

o Echo Data Hiding

Explain information hiding in DNA

Give an overview of TEMPEST

Describe the concept of Van Eck phreaking

What do you mean by Printer Forensics?

o Is Your Printer Spying On You?

o Explain DocuColor Tracking Dot Decoding

Summarize the features and uses of the following Steganography tools:

o Fort Knox

o Blindside

o S-Tools

o Steghide

o Image Hide

o Mp3Stego

o Snow

o Camera/Shy

o Steganos

o Pretty Good Envelope

o Gifshuffle

o Refugee

o JPHIDE and JPSEEK

o wbStego

o OutGuess

o Invisible Secrets 4

o Masker

o Data Stash

o Hydan

o Cloak

o StegaNote

o Stegomagic

o Hermetic Stego

List the applications of Steganography

How to detect Steganography?

o Explain Steganography detection

o Summarize the features of the following Steganography detection tools:

Stego Suite

Stego Watch

StegSpy 

Module 18 Application Password Crackers

Describe password terminology

What is a Password Cracker?

How Does a Password Cracker Work?

Summarize the various password cracking methods:

o Brute Force Attack

o Dictionary Attack

o Syllable Attack

o Rule-based Attack

o Hybrid Attack

o Password Guessing

o Rainbow Table Attack
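Worked example of the cracking methods listed above (added; example code, not EC-Council's and not any listed cracker's): dictionary, rule-based, hybrid and brute-force searches against MD5 hashes, plus a precomputed hash-to-plaintext table that shows why the rainbow-table idea works on unsalted hashes and fails on salted ones. The wordlist, salt and target hashes are constructed. Syllable attacks and plain guessing are not shown separately: they are the same search loop fed by a different candidate generator.

```python
"""Dictionary, rule-based, hybrid and brute-force attacks against password hashes, and why a
per-user salt defeats precomputed (rainbow-table style) lookup.

MD5 is used only because it is what many application formats of the page's era hashed with;
the wordlist and the target hashes are constructed for the example."""
import hashlib
import itertools
import string

WORDLIST = ["password", "letmein", "summer", "forensics", "qwerty"]
LEET = str.maketrans("aeios", "43105")


def md5_hex(candidate: str, salt: str = "") -> str:
    return hashlib.md5((salt + candidate).encode()).hexdigest()


def rule_variants(word: str):
    """Rule-based mangling in the John the Ripper spirit: case, reversal, leet, punctuation."""
    yield word
    yield word.capitalize()
    yield word.upper()
    yield word[::-1]
    yield word.translate(LEET)
    yield word + "!"


def hybrid_variants(word: str, max_digits: int = 2):
    """Hybrid attack: dictionary word plus 1..max_digits appended digits (summer07, ...)."""
    for n in range(1, max_digits + 1):
        for digits in itertools.product(string.digits, repeat=n):
            yield word + "".join(digits)


def _search(candidates, target: str, salt: str):
    for cand in candidates:
        if md5_hex(cand, salt) == target:
            return cand
    return None


def dictionary_attack(target, salt="", wordlist=WORDLIST):
    return _search(wordlist, target, salt)


def rule_attack(target, salt="", wordlist=WORDLIST):
    return _search((v for w in wordlist for v in rule_variants(w)), target, salt)


def hybrid_attack(target, salt="", wordlist=WORDLIST):
    return _search((v for w in wordlist for v in hybrid_variants(w)), target, salt)


def brute_force(target, salt="", charset=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search, shortest first. 36^3 is about 47k candidates; every extra character x36."""
    for n in range(1, max_len + 1):
        found = _search(("".join(t) for t in itertools.product(charset, repeat=n)), target, salt)
        if found is not None:
            return found
    return None


def build_lookup_table(wordlist=WORDLIST) -> dict:
    """Precomputed hash -> plaintext table (the idea behind rainbow tables), unsalted only."""
    return {md5_hex(v): v for w in wordlist for v in rule_variants(w)}


# Constructed targets, as an investigator might pull them from an application's user store.
TARGETS = {
    "dictionary": md5_hex("letmein"),
    "rule": md5_hex("f0r3n51c5"),      # leet-speak 'forensics'
    "hybrid": md5_hex("summer07"),
    "brute": md5_hex("k9z"),
    "salted": md5_hex("summer", salt="f3"),
}


def run_all() -> dict:
    table = build_lookup_table()
    return {
        "dictionary": dictionary_attack(TARGETS["dictionary"]),
        "dictionary_misses_rule": dictionary_attack(TARGETS["rule"]),
        "rule": rule_attack(TARGETS["rule"]),
        "hybrid": hybrid_attack(TARGETS["hybrid"]),
        "brute": brute_force(TARGETS["brute"]),
        "table_unsalted": table.get(TARGETS["rule"]),      # instant: precomputation pays off
        "table_salted": table.get(TARGETS["salted"]),      # None: the salt invalidates the table
        "salted_with_known_salt": dictionary_attack(TARGETS["salted"], salt="f3"),
    }


if __name__ == "__main__":
    for k, v in run_all().items():
        print("%-24s %s" % (k, v))
```

The ordering matters in practice as much as the methods: dictionary first, then rules and hybrids, and brute force only for the short remainder, because the cost of brute force grows by the charset size for every added character.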

How can you classify the cracking software?

o Explain System Level Password Cracking

o Describe CMOS Level Password Cracking

Summarize the features of the following tools:

CmosPwd

ERD Commander

Active Password Changer

o Explain application software password cracker

o What is Distributed Network Attack (DNA)?

o Discuss Passware Kit

o Explain Accent Keyword Extractor

o Give an overview of Advanced ZIP Password Recovery

Explain default password databases and summarize the features of the following default password database sites:

o http://phenoelit.darklab.org/

o http://www.defaultpassword.com/

o http://www.cirt.net/cgi-bin/passwd.pl

o http://www.virus.org/index.php?

Summarize the features of PDF Password Crackers

Summarize the features and advantages of the following password cracking tools:

o Tool: Cain & Abel

o Tool: LCP

o Tool: SID&User

o Tool: Ophcrack 2

o Tool: John the Ripper

o Tool: DJohn

o Tool: Crack

o Tool: Brutus

o Tool: Access PassView

o Tool: RockXP

o Tool: Magical Jelly Bean Keyfinder

o Tool: PstPassword

o Tool: Protected Storage PassView

o Tool: Network Password Recovery

o Tool: Mail PassView

o Tool: Asterisk Key

o Tool: Messenger Key

o Tool: MessenPass

o Tool: Password Spectator Pro

o Tool: SniffPass

o Tool: Asterisk Logger

o Tool: Dialupass

o Tool: Mail Password Recovery

o Tool: Database Password Sleuth

o Tool: CHAOS Generator

o Tool: PicoZip Recovery

o Tool: Netscapass

What are the common recommendations for improving password security?

Discuss some advice for standard passwords

Module 19 Network Forensics and Investigating Logs

Define Network Forensics in brief

o Discuss the Hacking Process

o Discuss the Intrusion Process

Where to look for evidence?

Describe end-to-end forensic investigation

Can a log file act as evidence?

Describe records of regularly conducted activity

Explain the legality of using logs

What is the importance of maintaining credible IIS log files?

Discuss the accuracy of log files

What is meant by "Log Everything"?

Explain the importance of keeping time in network forensics

o UTC Time

Can you use multiple logs as evidence?

Give an overview of log file authenticity

What is meant by "work with copies"?

Describe the access control of log files

Explain Chain of Custody

Explain the importance of Audit Logs

o Give a brief idea of Syslog:

What is Syslog?

Describe Remote Logging

Describe Central Logging Design

List the steps to implement Central Logging

Give an idea of a Centralized Syslog Server

Discuss the features and working of Syslog-ng

o Give an overview of IIS Centralized Binary Logging

o Explain ODBC Logging

o Summarize the features of the following log analysis tools:

IISLogger: Development tool

Socklog: IDS Log Analysis Tool

KiwiSysLog Tool

Microsoft Log Parser: Forensic Analysis Tool

Firewall Analyzer: Log Analysis Tool

Adaptive Security Analyzer (ASA) Pro: Log Analysis Tool

GFI EventsManager

How does GFI EventsManager work?

o Describe the functioning of Activeworx Security Center

Explain Linux Process Accounting

Give the idea about configuring Windows Logging

o How to set up Remote Logging in Windows?

o Summarize the features of the following Windows centralized logging tools:

NTsyslog

EventReporter

Discuss the features and working of EventLog Analyzer

Explain extended logging in IIS server

Give an overview of examining Intrusion and Security Events

Why synchronize computer times?

What is the NTP protocol?

o Describe NTP Stratum Levels

List the various NIST Time Servers

List the steps for configuring the Windows Time Service
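Worked example for the log-file items in this module (added; not EC-Council's material and not Log Parser or any other listed product): a parser for IIS W3C Extended log lines driven by the #Fields directive, timestamp normalisation to UTC, a check for records stamped out of order (the symptom of unsynchronised or stepped clocks that the NTP items exist to prevent), a per-client burst count over 404 responses, and a SHA-256 of the working copy so it can be tied back to the original. The log excerpt is constructed; the tz_offset_hours parameter is this example's, for a server that was logging local time rather than IIS's default UTC.

```python
"""Parse IIS W3C Extended log lines, normalise their timestamps to UTC, flag clock problems,
pick out a scanning burst, and hash the log copy before analysis so the working copy can be
tied back to the original. The log lines are constructed for the example."""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed IIS 6.0 W3C Extended log. IIS writes W3C logs in UTC unless reconfigured.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2007-03-12 08:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2007-03-12 08:00:01 10.0.0.5 GET /default.htm - 200 Mozilla/4.0
2007-03-12 08:00:07 192.0.2.77 GET /admin/ - 404 Mozilla/4.0
2007-03-12 08:00:03 192.0.2.77 GET /manager/ - 404 Mozilla/4.0
2007-03-12 08:00:09 192.0.2.77 GET /backup/ - 404 Mozilla/4.0
2007-03-12 08:00:11 192.0.2.77 GET /old/ - 404 Mozilla/4.0
"""


def hash_text(text: str) -> str:
    """SHA-256 of the copy you are about to analyse; record it alongside the original's hash."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_w3c(text: str, tz_offset_hours: int = 0) -> list:
    """One dict per record, column names taken from the '#Fields:' directive.
    tz_offset_hours is the server's UTC offset if (and only if) it was logging local time."""
    fields, records = None, []
    source_tz = timezone(timedelta(hours=tz_offset_hours))
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split(None, 1)[1].split()
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("data before any #Fields directive at line %d" % line_no)
        values = line.split()
        if len(values) != len(fields):
            raise ValueError("line %d: %d values for %d fields" % (line_no, len(values), len(fields)))
        rec = dict(zip(fields, values))
        rec["line"] = line_no
        naive = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        rec["ts"] = naive.replace(tzinfo=source_tz).astimezone(timezone.utc)
        records.append(rec)
    return records


def out_of_order(records: list) -> list:
    """Indexes of records stamped earlier than their predecessor: a clock stepped back,
    or lines merged from servers whose clocks were never synchronised."""
    return [i for i in range(1, len(records)) if records[i]["ts"] < records[i - 1]["ts"]]


def status_bursts(records: list, status: str = "404", threshold: int = 3, window_s: int = 60) -> dict:
    """Clients with at least `threshold` responses of `status` inside any `window_s` seconds."""
    per_client = {}
    for r in records:
        if r.get("sc-status") == status:
            per_client.setdefault(r["c-ip"], []).append(r["ts"])
    bursts = {}
    for ip, stamps in per_client.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            count = sum(1 for t in stamps[i:] if (t - start).total_seconds() <= window_s)
            best = max(best, count)
        if best >= threshold:
            bursts[ip] = best
    return bursts


if __name__ == "__main__":
    print("working-copy sha256:", hash_text(SAMPLE_LOG))
    recs = parse_w3c(SAMPLE_LOG)
    for r in recs:
        print(r["ts"].isoformat(), r["c-ip"], r["cs-method"], r["cs-uri-stem"], r["sc-status"])
    print("out-of-order records (0-based):", out_of_order(recs))
    print("404 bursts:", status_bursts(recs))
```

The strict field-count check is deliberate: a line with the wrong number of columns is either a format change mid-file or tampering, and either should stop the analysis rather than be silently skipped.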

Module 20 Investigating Network Traffic

Describe network addressing schemes

Give the overview of Network Protocols

Give a brief idea of the Physical and Data-link Layers of the OSI Model

o How can you gather evidence at the Physical Layer?

o Summarize the features and advantages of the following evidence gathering tools:

Tcpdump

Windump

NetIntercept

Ethereal (now Wireshark)

CommView

Softperfect Network Sniffer

HTTP Sniffer

EtherDetect Packet Sniffer

OmniPeek

Iris Network Traffic Analyzer

SmartSniff

NetSetMan Tool

o How can you gather evidence at the Data-link Layer?

Explain evidence gathering at the Data-link Layer using the DHCP database

Give a brief idea of the Network and Transport Layers of the OSI Model

o How can you gather evidence at the Network and Transport Layers?

o Describe evidence gathering on a Network

Describe the features of the GPRS Network Sniffer: Nokia LIG

Summarize the features, working and goals of the Siemens Monitoring Center

Summarize the features and advantages of the following network information gathering tools:

o NetWitness

o Netresident Tool

o McAfee InfiniStream Security Forensics

o eTrust Network Forensics

o Give a brief idea of the Snort intrusion detection system

Explain the placement of Snort IDS

Describe IDS Policy Manager for writing Snort rules (http://www.activeworx.org)

How do you document evidence gathered on a Network?

Describe the evidence reconstruction for investigation 
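The Data-link layer objective above relies on the DHCP server's lease database to tie an IP address seen in a capture back to a hardware address. As an added example (not part of the CHFI outline or of ISC dhcpd), the code below parses an ISC dhcpd.leases-style file and answers "which MAC held this IP at this time?", including the two cases that trip up a naive lookup: the same IP reassigned to a different client later, and a lease with no expiry. The lease records are constructed.

```python
"""Resolve an IP address at a given time to the MAC that held it, using an
ISC dhcpd.leases-style file (Data-link layer evidence via the DHCP database).

Added example, not part of the CHFI outline; the lease file is constructed.
dhcpd writes lease times in UTC as "<weekday> YYYY/MM/DD HH:MM:SS" and appends
a new record every time a lease changes, so one IP can appear several times.
The latest record whose window covers the time of interest is the one that counts.
"""
import re
from datetime import datetime, timezone

SAMPLE_LEASES = """\
lease 10.0.0.42 {
  starts 2 2024/03/05 09:50:00;
  ends 2 2024/03/05 10:50:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop-7";
}
lease 10.0.0.43 {
  starts 2 2024/03/05 09:55:00;
  ends never;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:01;
}
lease 10.0.0.42 {
  starts 2 2024/03/05 11:20:00;
  ends 2 2024/03/05 12:20:00;
  binding state active;
  hardware ethernet de:ad:be:ef:00:01;
  client-hostname "unknown-device";
}
"""

BLOCK_RE = re.compile(r"lease (?P<ip>\d+\.\d+\.\d+\.\d+) \{(?P<body>.*?)\}", re.S)
TIME_FMT = "%Y/%m/%d %H:%M:%S"


def at_utc(text):
    """'2024-03-05 10:00' -> aware UTC datetime (helper for callers and tests)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def _field(body, name):
    m = re.search(rf"^\s*{name} (?P<val>[^;]+);", body, re.M)
    return m.group("val").strip() if m else None


def _lease_time(value):
    """'2 2024/03/05 09:50:00' -> aware UTC datetime; 'never' or missing -> None."""
    if value is None or value == "never":
        return None
    _weekday, date, clock = value.split()
    return datetime.strptime(f"{date} {clock}", TIME_FMT).replace(tzinfo=timezone.utc)


def parse_leases(text):
    """Return lease records in file order (file order is chronological)."""
    leases = []
    for m in BLOCK_RE.finditer(text):
        body = m.group("body")
        hostname = _field(body, "client-hostname")
        leases.append({
            "ip": m.group("ip"),
            "starts": _lease_time(_field(body, "starts")),
            "ends": _lease_time(_field(body, "ends")),   # None = never expires
            "mac": _field(body, "hardware ethernet"),
            "state": _field(body, "binding state"),
            "hostname": hostname.strip('"') if hostname else None,
        })
    return leases


def who_had_ip(leases, ip, at):
    """Lease record covering `ip` at aware datetime `at`, or None if nobody
    held it then. Later records override earlier ones for the same IP."""
    match = None
    for lease in leases:
        if lease["ip"] != ip or lease["starts"] is None:
            continue
        ends_ok = lease["ends"] is None or at < lease["ends"]
        if lease["starts"] <= at and ends_ok:
            match = lease
    return match


if __name__ == "__main__":
    leases = parse_leases(SAMPLE_LEASES)
    hit = who_had_ip(leases, "10.0.0.42", at_utc("2024-03-05 10:00"))
    print(hit["mac"], hit["hostname"])
```

Lease times in dhcpd are UTC while packet captures and application logs are often local time; convert both to one zone before comparing, or a lease boundary will be missed by exactly the UTC offset.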

Module 21 Investigating Wireless Attacks

Describe the association between a Wireless AP and a Device

Explain search warrants for Wireless Networks

List the points to remember while conducting a penetration test

List the points that should not be overlooked while testing the Wireless Network

Discuss the methods to access a Wireless Access Point

o Direct-connect to the Wireless Access Point

Describe the features of Nmap

How can you scan Wireless Access Points using Nmap?

Explain Rogue Access Points

o “Sniffing” Traffic Between the Access Point and Associated Devices

How can you scan using Airodump?

How do you collect information using the MAC Address?

List the points to remember during Airodump scanning

Scan for additional devices

o How can you reconnect associated devices?

How can you check for MAC filtering?

o Can you change the MAC Address?

Explain Passive Attacks

Describe Active Attacks on Wireless Networks

How can you investigate Wireless Attacks? 

Module 22 Investigating Web Attacks

What are the different indications of a Web Attack?

Summarize the different types of web attacks and the procedure to investigate them:

o Cross-Site Scripting (XSS)

How to investigate Cross-Site Scripting (XSS)?

o Cross-Site Request Forgery (CSRF)

Explain the anatomy of CSRF Attack

Describe pen-testing of CSRF Validation Fields

o SQL Injection Attacks

How to investigate an SQL Injection Attack?

o Code Injection Attack

How to investigate a Code Injection Attack?

o Command Injection Attack

o Parameter Tampering

o Cookie Poisoning

How to investigate a Cookie Poisoning Attack?

o Buffer Overflow/Cookie Snooping

How to investigate a Buffer Overflow attack?

o DMZ Protocol Attack, Zero-Day Attack

List the steps for responding to a Web Attack

Describe the Web Logs

Give a brief idea of FTP investigation:

o Example of FTP Compromise

o How to investigate FTP Logs?

o Describe the investigation of FTP Servers

How to investigate the following:

o Investigating IIS Logs

o Investigating Apache Logs

o Investigating DHCP Server Logfile
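Investigating the attack types listed in this module usually starts in the web server's access log. The following added example (not part of the CHFI outline, nor of Apache or IIS) reads NCSA combined-format lines, percent-decodes each request twice so that single- and double-encoded payloads are matched alike, and tags entries with the indicator that fired (SQL injection, XSS, command injection, path traversal, scanner User-Agent, oversized request). The log lines and the indicator patterns are constructed for illustration; the patterns are triage rules, not a complete signature set.

```python
"""Scan NCSA combined-format access-log lines for web-attack indicators.

Added example, not part of the CHFI outline; the log lines are constructed.
Request paths are percent-decoded twice before matching because attackers
encode payloads precisely so that grep-style searches on the raw line miss them.
"""
import re
from urllib.parse import unquote_plus

SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [05/Mar/2024:10:01:12 +0000] "GET /products.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5321 "-" "sqlmap/1.7"
198.51.100.4 - - [05/Mar/2024:10:01:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "http://www.example.com/" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2024:10:01:55 +0000] "GET /search?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Mar/2024:10:02:30 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;cat+/etc/passwd HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.4 - - [05/Mar/2024:10:03:11 +0000] "POST /login HTTP/1.1" 302 0 "http://www.example.com/login" "Mozilla/5.0"
192.0.2.77 - - [05/Mar/2024:10:04:02 +0000] "GET /download?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Illustrative indicator patterns, applied to the decoded request path.
INDICATORS = {
    "sqli": re.compile(r"['\"]\s*(or|and)\s|union\s+select|sleep\s*\(|benchmark\s*\(|;\s*drop\s", re.I),
    "xss": re.compile(r"<script|javascript:|on(error|load|mouseover)\s*=|<img\b|<svg\b", re.I),
    "cmdi": re.compile(r"[;|`]\s*(cat|ls|id|whoami|wget|curl|nc|sh|bash)\b|\$\(", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/(passwd|shadow)|boot\.ini", re.I),
}
SCANNER_UA = re.compile(r"sqlmap|nikto|nessus|acunetix|dirbuster", re.I)
LONG_REQUEST = 2048  # bytes; oversized requests are a classic overflow-probe sign


def decode_twice(s):
    return unquote_plus(unquote_plus(s))


def parse_entry(line):
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Sorted list of indicator names that fire on one parsed entry."""
    decoded = decode_twice(entry["path"])
    tags = {name for name, rx in INDICATORS.items() if rx.search(decoded)}
    if SCANNER_UA.search(entry["ua"]):
        tags.add("scanner_ua")
    if len(entry["path"]) > LONG_REQUEST:
        tags.add("oversized_request")
    return sorted(tags)


def find_attacks(log_text):
    """Entries with at least one indicator, with the decoded path for the report."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        tags = classify(entry)
        if tags:
            findings.append({"ip": entry["ip"], "time": entry["time"],
                             "status": int(entry["status"]),
                             "decoded_path": decode_twice(entry["path"]), "tags": tags})
    return findings


def summarize_by_ip(findings):
    """Indicator hits per client address; repeat offenders lead the investigation."""
    summary = {}
    for f in findings:
        summary.setdefault(f["ip"], set()).update(f["tags"])
    return {ip: sorted(tags) for ip, tags in summary.items()}


if __name__ == "__main__":
    hits = find_attacks(SAMPLE_ACCESS_LOG)
    for h in hits:
        print(h["time"], h["ip"], h["status"], h["tags"], h["decoded_path"])
    print(summarize_by_ip(hits))
```

The status column matters as much as the pattern: a 500 on an injected command-line parameter, or a run of 404s on traversal paths, tells the investigator whether the probe landed or merely bounced.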

Describe Mirrored Sites

Summarize the features of the following web vulnerability scanners:

o N-Stealth

o Acunetix Web Vulnerability Scanner

Write briefly about the investigation of Static and Dynamic IP addresses

o Summarize the features and uses of IP address locating tools:

Nslookup

Traceroute

NeoTrace (Now McAfee Visual Trace)

Whois

Hide Real IP

www.whatismyip.com

IP Detective Suite

Enterprise IP – Address Manager

Explain web page defacement

o Describe defacement using DNS compromise

o How to investigate DNS Poisoning?

Describe Intrusion Detection

Summarize the features and benefits of CounterStorm-1: Defense against Known, Zero Day and Targeted Attacks 

Module 23 Router Forensics

Give a brief idea of routers:

o What is a Router?

o Explain the functioning of a Router

o Describe the role of a router in the OSI Model

o Explain the routing table and its components

o Write briefly about router architecture

o Discuss the role of the Routing Information Protocol (RIP)

Explain the implications of a Router Attack

How can routers be hacked?

Describe the various types of Router Attacks:

o Router Attack Topology

o Denial of Service (DoS) Attacks

o Packet “Mistreating” Attacks

o Routing Table Poisoning

o Compare Hit-and-run Attacks and Persistent Attacks

Compare Router Forensics and Traditional Forensics

Give a brief idea of the investigation of Routers

o What is meant by Chain of Custody?

Sample Chain Of Custody (COC) Form
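A chain-of-custody form records who held an item, when, and what they did with it; for digital evidence such as a router's running configuration the form should also carry the item's hash so later alteration is detectable. The following is an added example (not the CHFI sample form, and not from any tool): a hash-chained custody log in which every entry embeds the evidence digest and the previous entry's digest, so that changing or removing any entry invalidates everything recorded after it. Case number, custodians and the captured configuration are constructed. The chain only proves tampering if its final digest is also written somewhere the custodian cannot change (a countersigned paper form, a write-once store), which the code cannot do for you.

```python
"""Tamper-evident chain-of-custody log for seized digital evidence.

Added example, not part of the CHFI outline. Every custody event records who
did what with which item and when, plus the SHA-256 of the evidence at that
moment, and is chained to the previous entry's digest. Evidence bytes,
custodians and case identifiers below are constructed.
"""
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _entry_digest(entry):
    """Digest over the canonical JSON of every field except the digest itself."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def add_custody_event(log, item_id, evidence_bytes, custodian, action, timestamp, note=""):
    """Append one custody event; the evidence is re-hashed at every hand-over."""
    entry = {
        "seq": len(log),
        "item_id": item_id,
        "evidence_sha256": sha256_hex(evidence_bytes),
        "custodian": custodian,
        "action": action,
        "timestamp": timestamp,
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_digest(entry)
    log.append(entry)
    return entry


def verify_log(log, current_evidence=None):
    """Return (ok, problems). Re-derives every digest, so an entry edited after
    the fact is caught whether or not the editor recomputed its own hash; if the
    evidence bytes are supplied, they are checked against the seizure digest."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap (found seq {entry['seq']})")
        if entry["prev_hash"] != prev:
            problems.append(f"entry {i}: prev_hash does not match entry {i - 1}")
        if _entry_digest(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered after being recorded")
        prev = _entry_digest(entry)
    if current_evidence is not None and log:
        if sha256_hex(current_evidence) != log[0]["evidence_sha256"]:
            problems.append("evidence digest differs from the value recorded at seizure")
    return (not problems, problems)


def demo_log():
    """Constructed case: a router running-config captured over the console and
    handed to the evidence custodian. Returns (log, evidence_bytes)."""
    config = b"hostname edge-rtr1\nlogging host 10.0.0.5\nntp server 10.0.0.9\n"
    log = []
    add_custody_event(log, "CASE-0042/ITEM-01", config, "J. Doe", "seized",
                      "2024-03-05T10:30:00Z", "running-config captured over console; session recorded")
    add_custody_event(log, "CASE-0042/ITEM-01", config, "A. Roe", "received",
                      "2024-03-05T14:05:00Z", "evidence locker intake")
    add_custody_event(log, "CASE-0042/ITEM-01", config, "A. Roe", "examined",
                      "2024-03-06T09:00:00Z", "read-only analysis of a working copy")
    return log, config


if __name__ == "__main__":
    log, config = demo_log()
    print(json.dumps(log, indent=2))
    print(verify_log(log, config))
```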

o Explain the Incident Response

o How can you record your session?

o What precautions should be taken while accessing the Router?

o Describe volatile evidence gathering

Write down the steps for investigating Router

What is the importance of Router Logs?

Summarize the features and uses of the following router logs:

NETGEAR Router Logs

Link Logger

Describe the features and uses of Sawmill: Linksys Router Log Analyzer

o How can you analyze the intrusion?

Describe the various types of Logging

Explain incident forensics

o How can you handle a direct compromise incident?

o Write briefly about other incidents

Describe Real Time Forensics

Summarize the features and uses of Router Audit Tool (RAT)

Module 24 Investigating DoS Attacks

Define DoS Attacks

Summarize the different types of DoS Attacks:

o Ping of Death Attack

o Teardrop Attack

o SYN Flooding

o Land

o Smurf

o Fraggle

o Snork

o Windows Out-of-Band (OOB) Attack

Give a brief idea of DDoS Attacks

o Explain the working of DDoS Attacks

o Describe the classification of DDoS Attacks

Describe the different DoS Attack modes

What are the indications of a DoS/DDoS Attack?

Summarize the working of different techniques to detect DoS Attacks:

o Activity Profiling

o Sequential Change-Point Detection

o Wavelet-based Signal Analysis
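Two of the three detection techniques listed above can be shown on a single series of per-second SYN counts. The following is an added example (not part of the CHFI outline): activity profiling compares each short window's average rate with a baseline learned from normal traffic, and sequential change-point detection runs a one-sided CUSUM that accumulates excess over the baseline and alarms when the sum crosses a threshold. The SYN counts, training window and thresholds are constructed; wavelet analysis is not shown.

```python
"""Detect a SYN flood from per-second SYN counts: activity profiling and
sequential change-point detection (CUSUM).

Added example, not part of the CHFI outline. The count series is constructed:
40 s of normal traffic (18-22 SYN/s) followed by a flood starting at second 40.
Thresholds are illustrative; in practice they are tuned from the link's history.
"""
from statistics import fmean, pstdev

SYN_PER_SECOND = [18, 22] * 20 + [410, 395, 420, 430, 400]
TRAINING_SECONDS = 30  # baseline window used to learn normal behaviour


def baseline(series, n=TRAINING_SECONDS):
    """Mean and standard deviation of the training window (the activity profile)."""
    train = series[:n]
    return fmean(train), pstdev(train)


def activity_profile(series, window=5, n=TRAINING_SECONDS, z=4.0):
    """Flag each `window`-second block after training whose average rate is more
    than `z` baseline standard deviations above the mean. Returns (start, avg) pairs."""
    mu, sigma = baseline(series, n)
    sigma = max(sigma, 1.0)  # a perfectly flat baseline must not make everything alarm
    hits = []
    for start in range(n, len(series), window):
        avg = fmean(series[start:start + window])
        if avg > mu + z * sigma:
            hits.append((start, avg))
    return hits


def cusum_change_point(series, n=TRAINING_SECONDS, k_sigma=3.0, h_sigma=5.0):
    """One-sided CUSUM: S_t = max(0, S_{t-1} + x_t - mu - k). Returns the first
    second at which S_t exceeds h, or None. k (drift allowance) and h (alarm
    threshold) are expressed in baseline standard deviations; the statistic
    only accumulates when traffic exceeds mu + k, so ordinary jitter resets it."""
    mu, sigma = baseline(series, n)
    sigma = max(sigma, 1.0)
    k, h = k_sigma * sigma, h_sigma * sigma
    s = 0.0
    for t in range(n, len(series)):
        s = max(0.0, s + series[t] - mu - k)
        if s > h:
            return t
    return None


if __name__ == "__main__":
    print("baseline (mean, stdev):", baseline(SYN_PER_SECOND))
    print("profile hits:", activity_profile(SYN_PER_SECOND))
    print("CUSUM change point at second:", cusum_change_point(SYN_PER_SECOND))
```

Profiling answers "is this window abnormal?" one block at a time and reacts at block granularity; CUSUM reacts at the first abnormal second and, because it accumulates, also catches slow ramps that never make a single window look extreme.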

Discuss the challenges in detecting DoS attacks

Module 25 Investigating Internet Crimes

Define Internet Crimes

What is meant by Internet Forensics?

o Why Internet Forensics?

Describe IP Addresses

Give a brief idea of the Domain Name System (DNS)

o Explain DNS Record manipulation

o Describe DNS Lookup

What type of information do E-mail headers provide?

o Explain the procedure for forging E-mail headers

o How can you trace back spam mail?

Give an idea of URL redirection:

o Sample JavaScript for Page-based Redirection

o Embedded JavaScript

How can you recover information from Web Pages?

o How can you download a Single Page or an Entire Web Site?

o Summarize the features and uses of the following tools used to save entire web sites:

Grab-a-Site

SurfOffline 1.4

My Offline Browser 1.0 www.newprosoft.com

WayBack Machine

Explain HTTP Headers in brief

o How can you view the header information?

What type of information do you examine in cookies?

o List the steps to view cookies in Firefox

How can you trace the geographical location of a URL?

o DNS Lookup Result: centralops.net

Summarize the features and advantages of the following tools:

o NetScanTools Pro

o Tool: Privoxy http://www.privoxy.org/ 

Module 26 Tracking E-mails and Investigating E-mail Crimes

Explain the roles of the Client and Server in E-mail:

o How does the E-mail client work?

o How does the E-mail Server work?

o Describe the real E-mail system

Give a brief idea of E-mail Crimes:

o What is meant by Spamming?

o Explain the term Mail Bombing/Mail Storm

o What happens in Chat Rooms?

o Describe Identity Fraud/Chain Letter

o Discuss sending fake mail

Write briefly about investigating E-mail Crimes and Violations:

o Describe viewing E-mail Headers

How can you examine an E-mail Header?

Describe the following:

o Received: Headers

o Forging Headers

List the different common headers

How can you view the header in Microsoft Outlook?

How can you view the header in AOL?

How can you view the header in Hotmail?
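Once the header is on screen, the Received: lines are what the trace-back in this module and the spam trace-back in Module 25 both rest on. Each relay prepends its own Received: line, so the top one is the last hop and the bottom one is, supposedly, the first; a sender can forge the lines it writes itself but not those added above by relays it does not control. The following added example (not part of the CHFI outline or of any mail product) parses the chain with Python's standard email module and walks it downward, trusting each hop only while the line below names the host this hop says it received from and the timestamps do not run backwards; the originating IP is taken from the deepest hop that still passes. The message is constructed, with a forged bottom line as the phishing case.

```python
"""Parse and sanity-check the Received: chain of an e-mail to find its origin.

Added example, not part of the CHFI outline; the message is constructed.
Hop N's "from" host should be the host that hop N+1 (the line below it) says
it delivered "by", and the lower line's time should not be later than the
upper one's. The chain is trusted only down to the first break.
"""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [198.51.100.10])
\tby mail.corp.example (Postfix) with ESMTPS id 4Tq1x0C
\tfor <victim@corp.example>; Tue, 5 Mar 2024 10:05:31 +0000
Received: from relay.isp.example (relay.isp.example [192.0.2.20])
\tby mx1.example.net (Postfix) with ESMTP id 9Zk2m;
\tTue, 5 Mar 2024 10:05:29 +0000
Received: from [203.0.113.45] (helo=mail.bank-secure.example)
\tby relay.isp.example with esmtp id 1rA7Kz;
\tTue, 5 Mar 2024 10:05:20 +0000
Received: from mail.bank-secure.example (mail.bank-secure.example [10.1.1.1])
\tby smtp.bank-secure.example with ESMTP id 00001;
\tTue, 5 Mar 2024 10:09:00 +0000
From: "Account Security" <alerts@bank-secure.example>
To: victim@corp.example
Subject: Urgent: verify your account

Click the link below.
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?.*?\bby\s+(?P<by>\S+)",
                    re.I | re.S)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_received(raw_message):
    """Received hops in header order (most recent relay first)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(value.split())  # unfold continuation lines
        m = HOP_RE.search(text)
        if not m:
            continue
        comment = m.group("comment") or ""
        ip = IP_RE.search(m.group("from") + " " + comment)
        helo = re.search(r"helo=(\S+)", comment, re.I)
        hops.append({
            "from": m.group("from").strip("[]"),
            "helo": helo.group(1) if helo else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "date": parsedate_to_datetime(text.rsplit(";", 1)[1].strip()) if ";" in text else None,
        })
    return hops


def _pair_problems(upper, lower, skew_seconds):
    """Inconsistencies between a Received line and the one below it."""
    problems = []
    claimed = {upper["from"], upper["helo"], upper["ip"]} - {None}
    if lower["by"] not in claimed:
        problems.append(f"{upper['by']} received from {upper['from']} but the next "
                        f"header claims delivery by {lower['by']}")
    if upper["date"] and lower["date"]:
        delta = (lower["date"] - upper["date"]).total_seconds()
        if delta > skew_seconds:
            problems.append(f"time runs backwards by {int(delta)} s")
    return problems


def check_chain(hops, skew_seconds=60):
    """All anomalies in the chain, labelled by the hop pair they sit between."""
    anomalies = []
    for i in range(len(hops) - 1):
        for p in _pair_problems(hops[i], hops[i + 1], skew_seconds):
            anomalies.append(f"hop {i + 1}->{i + 2}: {p}")
    return anomalies


def origin_ip(hops, skew_seconds=60):
    """IP of the deepest hop still continuous with the chain above it; lines
    below a break were probably written by the sender and are ignored."""
    for i in range(len(hops) - 1):
        if _pair_problems(hops[i], hops[i + 1], skew_seconds):
            return hops[i]["ip"]
    return hops[-1]["ip"] if hops else None


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for a in check_chain(hops):
        print("ANOMALY", a)
    print("origin:", origin_ip(hops))
```

The name check tolerates HELO names and bracketed literals because relays record what the peer announced as well as what they resolved; a strict string comparison would flag nearly every legitimate hop. The clock check uses a skew allowance for the same reason.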

Explain the examination of additional files (.pst or .ost files)

Describe Microsoft Outlook Mail

Where is the .pst File located?

List the organizations that help trace an E-mail Message

How can you trace the e-mail message using Network Logs (Firewall Log)?

Summarize the features and functions of the following E-mail tracking tools:

o Exchange Message Tracking Center

o MailDetective Tool

Summarize the features and functions of the following E-mail Forensic Tools:

o Forensic ToolKit (FTK)

o Tool: FINALeMAIL

o Tool: R-Mail

o Tool: E-Mail Detective

o E-Mail Examiner by Paraben

o Network E-Mail Examiner by Paraben

o Recover My Email for Outlook

o Diskinternals – Outlook Recovery

Explain tracing back e-mail

o How can you trace back web-based E-mail?

List the various organizations that provide E-mail searching services

o How can you handle Spam?

o Summarize the goals and working of Abuse.Net

Summarize the features and functions of the following tools:

o eMailTrackerPro

o Tool: SPAM Punisher

o Tool: SpamArrest

o Tool: ID Protect - www.enom.com

Summarize the following laws and Acts related to E-mail crime:

o U.S. Laws Against Email Crime: CAN-SPAM Act

o U.S.C. § 2252A

o U.S.C. § 2252B

o Email crime law in Washington: RCW 19.190.020  

Module 27 Investigating Corporate Espionage

Define Corporate Espionage

Explain the motives behind Corporate Espionage

What type of information do corporate spies seek?

Describe Corporate Espionage threats

Summarize the various techniques of Spying

Discuss the various techniques to protect against corporate Spying

Explain Netspionage

How to investigate corporate espionage cases?

Summarize the features and functions of the following tools:

o Employee Monitoring: Activity Monitor

o Spy Tool: SpyBuddy 

Module 28 Investigating Trademark and Copyright Infringement

Define Trademark

o Explain the various characteristics of Trademarks

o What are the benefits of registering a Trademark?

o Describe the terms:

Service Marks

Trade Dress

o Write a note on Trademark Infringement

Give a brief idea of the term Copyright

o Write a note on Investigating Copyright Status

o How Long Does a Copyright Last?

o Discuss the mission of the U.S. Copyright Office

o Explain the doctrine of “Fair Use”

o How are Copyrights Enforced?

o Describe the term Copyright Infringement: Plagiarism

Describe the various plagiarism detection factors

Summarize the features and functions of the following plagiarism detection tools:

Turnitin

CopyCatch

Copy Protection System (COPS)

SCAM (Stanford Copy Analysis Mechanism)

CHECK

Jplag

VAST

SIM

PLAGUE

YAP

SPlaT

Sherlock

Urkund

PRAISE

FreestylerIII

SafeAssignment

Give the brief idea about Patent

o Explain Patent Infringement

o Describe the strategy for Patent search

Summarize the features of http://www.ip.com

o How does it work?

Explain the term Domain Name Infringement

o How to Check for Domain Name Infringement?

Write a note on Investigating Intellectual Property

Summarize the following laws related to Trademark and Copyright:

o US Laws

o Indian Laws

o Japanese Laws

o Australian Laws

o UK Laws  

Module 29 Investigating Sexual Harassment Incidents

Define the term Sexual Harassment

Summarize the different types of Sexual Harassment

Discuss the consequences of Sexual Harassment

What responsibilities should Supervisors take on to prevent sexual harassment?

Explain the responsibilities of employees

Discuss the complaint process for Sexual Harassment

Explain the investigation process:

o How do you investigate Sexual Harassment?

Discuss Sexual Harassment Policies

List the preventive steps

Summarize the following acts and laws related to Sexual Harassment:

o U.S. Laws on Sexual Harassment

o Title VII of the 1964 Civil Rights Act

o The Civil Rights Act of 1991

o Equal Protection Clause of the 14th Amendment

o Common Law Torts

o State and Municipal Laws 

Module 30 Investigating Child Pornography

Define Child Pornography

What are the motives of people behind Child Pornography?

Discuss the people involved in Child Pornography

Describe the role of Internet in promoting Child Pornography

Explain the effects of Child Pornography on children

Identify and describe the measures to prevent dissemination of Child Pornography

Describe the various challenges in controlling Child Pornography

Summarize the guidelines for investigating Child Pornography cases

What are the different sources of digital evidence?

Summarize the features, working and goals of Antichildporn.org:

o How to report Child Pornography Cases to Antichildporn.org

o Describe the Report format of Antichildporn.org

Summarize the features, working and uses of anti-child pornography tools:

o Reveal

o iProtectYou

o Child Exploitation Tracking System (CETS)

Summarize the features, working and goals of anti-child pornography organizations:

o http://www.projectsafechildhood.gov/

o Innocent Images National Initiative

o Internet Crimes Against Children (ICAC)

Describe the report on Child Pornography in various countries

Summarize the following laws related to Child Pornography:

o U.S. Laws

o Australian Laws

o Austrian Laws

o Belgian Laws

o Cypriot Laws

o Japanese Laws

Module 31 PDA Forensics

Give a brief idea of PDAs:

o What is Personal Digital Assistant (PDA)?

o Explain the various features of PDA

o Describe the various PDA components

Summarize the PDA Forensics Steps:

o Investigative Methods

o PDA Forensics – Examination

o PDA Forensics – Identification

o PDA Forensics – Collection

o PDA Forensics – Documentation

Discuss the points to remember while conducting an investigation

Summarize the features and functions of PDA forensics tools:

o PDA Secure – Forensic Tool

o PDA Seizure

o EnCase – Forensic Tool

Module 32 iPod Forensics

Summarize the features and basic attributes of iPod

o iPod

o iPod as an Operating System

Describe the Apple HFS+ and FAT32 file systems and application formats on the iPod

Discuss the various misuses of iPod

Summarize the stages for iPod Investigation

o Mac Connected iPods

o Windows Connected iPods

o Storage

o Lab Analysis

o Remove Device From Packaging

How will you test the Mac Version?

Explain the Full System Restore as Described in the User’s Manual

How will you test the Windows Version?

o User Account

o Calendar and Contact Entries

Summarize the features and uses of EnCase

Registry Key Containing the iPod’s USB/FireWire Serial Number

Summarize the features and functions of iPod forensic tools:

o DiskInternals Music Recovery

o Recover My iPod 

Module 33 Blackberry Forensics

Explain BlackBerry in brief:

o BlackBerry: Introduction

o What are the different functions of BlackBerry?

o Describe BlackBerry as an Operating System

o Summarize the working of BlackBerry

o Explain the BlackBerry serial protocol

o Discuss the BlackBerry security

o Describe the wireless security for BlackBerry

BlackBerry Security for Wireless Data

Security for Stored Data

Identify and describe Forensics and Acquisition of the BlackBerry

Summarize the methods for collecting evidence from a BlackBerry

o Collecting Evidence from BlackBerry: Gathering Logs

o Collecting Evidence from BlackBerry: Imaging and Profiling

Discuss the various BlackBerry attacks

How do you protect stored data on a BlackBerry?

Identify and describe data hiding in BlackBerry

Summarize the features and uses of BlackBerry Signing Authority Tool

Module 34 Investigative Reports

Discuss the importance of Reports

Explain the need of an investigative report

Identify and describe the requirements for an investigative Report

Describe the Report Classification

Identify and describe the layout of an investigative Report

Describe a sample forensic Report

List the guidelines for writing Reports

What is the importance of Consistency?

Summarize the features and aspects of a Good Report

o Explain the investigative Report Format

Discuss Dos and Don'ts of Forensic Computer Investigations

Identify and describe case report writing and documentation

o Create a Report to Attach to the Media Analysis Worksheet

Summarize the investigative procedures:

o Collecting Physical and Demonstrative Evidence

o Collecting Testimonial Evidence

Explain the best practices for Investigators

Describe the report writing using FTK

Module 35 Becoming an Expert Witness

What is an Expert Witness?

Who Is an Expert Witness?

Discuss the role of an Expert Witness

Summarize the various types of Expert Witnesses:

o Computer Forensics Experts

o Medical & Psychological Experts

o Civil Litigation Experts

o Construction & Architecture Experts

o Criminal Litigation Experts

Discuss the scope of Expert Witness Testimony in various areas of expertise

o Compare the terms Technical Testimony and Expert Testimony

Summarize the steps for Evidence processing

o List the checklists for processing Evidence

o How do you examine Computer Evidence?

Discuss the rules pertaining to an Expert Witness’ qualification

Explain the importance of a Résumé

Explain in brief testifying as an Expert Witness in Court:

o What is the order of trial proceedings?

o Describe the general ethics while testifying

o How do you present your evidence?

o Explain the importance of graphics in a testimony

o How can you help your Attorney?

o Discuss avoiding testimony issues

o Describe testifying during Direct Examination

o Describe testifying during Cross Examination

Give a brief idea of depositions:

o What is the purpose of a deposition?

o How do you recognize deposition problems?

o List the guidelines for testifying at a deposition