Quick Links

CHFI Exam (312-49)

Credit Towards Certification

Computer Hacking Forensic Investigator v3

Exam Details

Number of Questions: 50

Passing Score: 70%

Test Duration: 2 Hours

Test Format: Multiple Choice

Test Delivery: Prometric Prime / Prometric APTC / VUE

Test Objectives v3

Module 01 Computer Forensics in Today's World

 Summarize the History of Forensics

 Summarize the basic concepts of Computer Forensics

o What is Computer Forensics?

o Why Computer Forensics is necessary?

o What are the different ways of Forensic Data Collection?

o Objectives of Computer Forensics

o Benefits of Forensic Readiness

o Categories of Forensics Data

 Identify Computer Forensics Flaws and Risks

 Summarize the basic concepts of Computer Facilitated Crimes

o Type of Computer Crimes

o Cyber Crime

o Modes of Attacks

o Examples of Cyber Crime

o Examples of Evidence

 Identify the Stages of Forensic Investigation in Tracking Cyber Criminals

o Key Steps in Forensics Investigations

o Rules of Computer Forensics

o Need for Forensic Investigator

o Accessing Computer Forensics Resources

 Identify the need and procedure to Maintain professional conduct

 Understand Corporate Investigations

 Define the term Digital Forensics

 Explain the term Enterprise Theory of Investigation (ETI)

 Where and when do you use Computer Forensics?

Module 02 Law and Computer Forensics

 What privacy issues are involved in investigations?

 Discuss the Fourth Amendment

 Explain about Interpol- Information Technology Crime Center

 Summarize Internet Laws and Statutes

 How the FBI Investigates Computer Crime?

o Federal Statutes Investigated by the FBI

 Explain about Scientific Working Group on Digital Evidence (SWGDE)

 Explain Federal Laws (Computer Crime)

 Summarize all the Intellectual Property Rights

 Summarize the laws about Cyber Stalking

 List all Crime Investigating Organizations

 National Infrastructure Protection Center

 Summarize the following acts and laws related to computer forensics:

o The USA Patriot Act of 2001

o The G8 Countries: Principles to Combat High-tech Crime

 The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)

o Crime Legislation of EU

o United Kingdom: Police and Justice Act 2006

o Australia: The Cybercrime Act 2001

o Belgium

o European Laws

o Austrian Laws

o Brazilian Laws

o Belgium Laws

o Canadian Laws

o France Laws

o Indian Laws

o German Laws

o Italian Laws

o Greece Laws

o Denmark Laws

o Norwegian Laws

o Netherlands Laws

 Give the brief idea about Internet Crime Schemes

o Why you should report cybercrime?

o What are the stages to report computer-related crimes?

o Which person is assigned to report the crime?

o When and How to Report an Incident?

o Who to Contact at the Law Enforcement?

o How to contact Federal Local Agents?

Module 03 Computer Investigation Process

 How to investigate computer crime?

 Explain the importance of securing computer evidence

 Discuss about investigating company policy violation

 What are the important things before the investigation?

 Explain Investigation Methodology

 Is there need of search warrant for investigation?

 How can you prepared for searches?

 Discuss about searching without warrant

 What do you mean by Warning Banners?

 How can you collect the evidence?

 Discuss Chain-of Evidence Form

 Explain Bit-stream copies

 How to examine digital evidence?

 Discuss the example of accessing policy violation case

 List down the steps important for computer forensic investigation

 Give the brief idea about investigation process

o Explain policy and procedure development

o Describe the following evidence assessment

 Case Assessment

 Processing Location Assessment

 Legal Considerations

 Evidence Assessment

o How to acquire evidence?

 Explain Imaging

 Describe write protection

 How to acquire the subject evidence?

o Explain in brief about evidence examination

 How can extract the evidence physically?

 How can you extract evidence logically?

 Describe the following analysis over extracted data

 Timeframe analysis

 Data hiding analysis

 Application and file analysis

 Describe about ownership and possession

o Explain documenting and reporting of evidence

 What should be in the final report?

o When to close the case?

 What are important factors to maintain professional conduct?

Module 04 First Responder Procedure

 Define Electronic Evidence

o Explain the forensic process

o Describe different types of Electronic Devices

o Discuss electronic devices and collecting potential evidence

o Summarize the features and basic attributes of evidence collecting tools and equipment

 Describe First Response Rule

 Explain Incident Response for following situations:

o First Response for System Administrators

o First Response by Non-Laboratory Staff

o First Response by Laboratory Forensic Staff

 How can you secure and evaluate electronic crime scene

 Which questions should be asked to a client?

 Discuss health and safety Issues

 Explain Consent

 Give the brief idea about Search and Seizure

o What is the planning for search and seizing?

o How to start initial search of the scene?

o Discuss the importance of witness signatures

o Give the overview of conducting preliminary interviews

 Discuss the initial interviews

o Is there need of documenting electronic crime scene?

o What is the importance of photographing the scene?

o Describe sketching of the scene

o Discuss about collecting and preserving electronic evidence

 What important data is present in evidence bag?

 Explain order of volatility

 Discuss about powered OFF computers at seizure time

 Describe the condition with powered ON PC

 Explain the role computers and servers

 Which devices should be collected and preserved as electronic evidence?

 What is the idea behind seizing the portable computers

 Explain packaging electronic evidences

 Describe exhibit numbering

o How can you transport electronic evidence?

o How can you handle and transport the devices to forensic laboratory?

 Explain ‘Chain of Custody’

 Give the brief overview for finding forensic examination by crime category

Module 05 CSIRT

 Define of Vulnerability

 Discuss vulnerability statistics

 Give the brief idea about an Incident

o How to Identify an Incident?

o How to Prevent an Incident?

o What is the relationship between Incident Response, Incident Handling, and Incident Management

o Give the checklist for Incident Response

o How can you handle incidents

o Explain the following stages for handling incident:

 Preparation

 Identification

 Containment

 Eradication

 Recovery

 Follow-up

o Explain Incident Management

o Why don’t Organizations Report Computer Crimes?

o Describe about estimation of Incident cost

o Whom to Report an Incident?

o How to report an Incident?

o What are the different vulnerability resources

o Explain the following category of Incidents

 Category of Incidents: Low Level

 Category of Incidents: Mid Level

 Category of Incidents: High Level

 Explain in brief about CSIRT?

o What are the goals and strategy of CSIRT?

o Describe CSIRT Vision

 Discuss building of CSIRT Vision

o Which are the motivations behind CSIRTs?

o Why an Organization needs an Incident Response Team?

o Who works in a CSIRT?

o Staffing your Computer Security Incident Response Team: What are the basic skills needed?

o Explain the team models

o What are the three categories of CSIRT Services?

o Discuss CSIRT case classification

o Explain types of Incidents and level of Support

o Describe the service attributes

o Explain Incident specific procedures

o How CSIRT handles case: Steps

o Describe US-CERT Incident Reporting System

 Discuss CSIRT Incident Report Form

 Explain CERT(R) Coordination Center: Incident Reporting Form

o Give the example of CSIRT

o Discuss the Best Practices for Creating a CSIRT

 Step 1: Obtain Management Support and Buy-in

 Step 2: Determine the CSIRT Development Strategic Plan

 Step 3: Gather Relevant Information

 Step 4: Design your CSIRT Vision

 Step 5: Communicate the CSIRT Vision

 Step 6: Begin CSIRT Implementation

 Step 7: Announce the CSIRT

o What are the limits to effectiveness in CSIRTs?

o Give the overview of investing in Automated Response

 List down the World CERTs http://www.trusted-introducer.nl/teams/country.html

 Discuss about http://www.first.org/about/organization/teams/

 Discuss IRTs Around the World

Module 06 Computer Forensic Lab

 Explain budget allocation for a Forensics Lab

 List down the physical location needs for a Forensic Lab

 Describe about work area of a computer forensics Lab

 Discuss about general configuration of a Forensic Lab

 List down the equipment required in a Forensics Lab

 Explains ambience of a forensics Lab

o Describe Ergonomics

 What are the environmental conditions required for proper lab functioning?

 What are the recommendations to avoid Eyestrain?

 Discuss about the structural design of Lab

 Explain about the electrical needs to lab

 Give overview for communications factors

 List down the basic workstation requirements in a forensic lab

 What are the essential hardware peripherals should be stocked as a back-up?

 Which are the Application Inventories and Operating System must be maintained?

 How can you provide physical security to your forensic lab?

 Explain Fire-Suppression systems

 Give the general recommendation for evidence locker

 What are the steps for auditing a computer forensics lab

o Auditing a Forensics Lab

 Explain the licensing requirements for forensic lab

 Summarize the features and basic attributes of following forensic laboratory requirements:

o Paraben Forensics Hardware requirements:

 Handheld First Responder Kit

 Wireless StrongHold Bag

 Remote Charger

 Device Seizure Toolbox

 Wireless StrongHold Tent

 Passport StrongHold Bag

 Project-a-Phone

 SATA Adaptor Male/ Data cable for Nokia 7110/6210/6310/i

 Lockdown

 SIM Card Reader/ Sony Clie N & S Series Serial Data Cable

 USB Serial DB9 Adapter

o Portable Forensic Systems and Towers:

 Forensic Air-Lite VI MKII laptop

 Original Forensic Tower II

 Portable Forensic Systems and Towers: Portable Forensic Workhorse V

 Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

 Forensic Air-Lite IV MK II

 Forensic Tower II

o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit

o Tableau T3u Forensic SATA Bridge Write Protection Kit

o Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

o Power Supplies and Switches

o Explain DIBS® Mobile Forensic Workstation

 DIBS® Advanced Forensic Workstation

 DIBS® RAID: Rapid Action Imaging Device

o Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)

 List down the different forensic workstations

 Summarize the features and basic attributes of LiveWire Investigator tool

 What are the features of Laboratory Imaging System?

o List down technical specification of the Laboratory-based Imaging System

 Explain about the Computer Forensic Labs, Inc

o Discuss procedures at Computer Forensic Labs (CFL), Inc

 List down Data Destruction Industry Standards

Module 07 Understanding File Systems and Hard Disks

 Give the overview of Disk Drive

 Explain in brief about Hard Disk

o Describe types of Hard Disk Interfaces:

 SCSI

 IDE/EIDE

 USB

 ATA

 Fibre Channel

o What is Disk Platter?

 Describe Tracks

 Explain Tracks Numbering

o Give detail idea about Sector

 Explain Sector Addressing

o Describe in details Cluster?

 Cluster Size

 What is Slack Space?

 Discuss about lost Clusters

o Write more about Bad Sector

o How can you calculate Disk Capacity?

o Summarize the features of following forensic tools:

 Evidor: The Evidence Collector

 WinHex

 Understanding File Systems

o Explain in details about file system:

 Types of File System

 List down the various disk file systems

 List down Network file systems

 List down special purpose file systems

 List down the Linux file systems?

 Explain Sun Solaris 10 File System: ZFS

 List down the Mac OS X File System

 List down Windows File systems

 Explain CD-ROM / DVD File system

o Compare different file systems

o Explain Disk Partition

o Describe Master Boot Record

o Explain more about FAT

 Describe Boot Sector

o Give the brief idea about NTFS

 List down different NTFS System Files

 Explain NTFS partition boot sector

 Describe NTFS Master File Table (MFT)

 Write down about Metadata File Table

 Explain NTFS Attributes

 Give an idea about NTFS Data Stream-I

 Give the overview of NTFS Compressed Files

 Explain in brief about NTFS Encrypted File Systems (EFS)

 Discuss EFS File Structure

 Describe EFS Recovery Key Agent

 What is EFS Key?

 How can you delete NTFS Files?

o What is Registry?

 How can you examine Registry Data

o Compare FAT and NTFS

o Describe Windows XP system files

o Write down the steps for booting Windows (XP/2003)

o Explain http://www.bootdisk.com

Module 08 Understanding Digital Media Devices

 Summarize features and basic attributes of following digital storage devices:

o Magnetic Tape

o Floppy Disk

o Compact Disk

o CD-ROM

o DVD

 DVD-R, DVD+R, and DVD+R(W)

 DVD-RW, DVD+RW

 DVD+R DL/ DVD-R DL/ DVD-RAM

 HD-DVD (High Definition DVD)

 HD-DVD

o Blu-Ray

o Compare the following:

 CD and DVD Vs Blu-Ray

 HD-DVD and Blu-Ray

o iPod

o Zune

o Explain in brief about different Flash Memory Cards

 Secure Digital (SD) Memory Card

 Compact Flash (CF) Memory Card

 Memory Stick (MS) Memory Card

 Multi Media Memory Card (MMC)

 xD-Picture Card (xD)

 SmartMedia Memory (SM) Card

o USB Flash Drives

 USB Flash in a Pen

Module 09 Windows, Linux and Macintosh Boot Processes

 Discuss the different terminologies

 Give the brief idea about:

o Boot Loader

o Boot Sector

o Anatomy of MBR

 Explain basic system boot process

 Give the brief idea about MS-DOS Boot Process

 Explain in details Windows XP Boot Process

 Describe in brief Linux boot process

o Write down about common startup files in UNIX

o List down important directories present in UNIX

o Explain steps for Linux Boot Process:

 Step 1: The Boot Manager

 Step 2: init

 Step 2.1: /etc/inittab

 runlevels

 Step 3: Services

 Step 4: More inittab

 Give brief idea about Mac OS X:

o Discuss Hidden Files in Mac OS X

o Describe booting in Mac OS X

o Explain Mac OS X Boot Options

o Write down the steps for booting Mac OS X

o How to install Mac OS X on Windows XP?

o Explain PearPC

o Describe MacQuisition Boot CD by BlackBag

o Summarize features of Macintosh Forensic Software by BlackBag

 Directory Scan

 FileSpy

 HeaderBuilder

o Summarize the features of following Mac OS forensics tools:

 Carbon Copy Cloner (CCC)

 MacDrive6

Module 10 Windows Forensics

 Where you can find the evidence on a Windows system?

 How can you gathering volatile evidence?

 Summarize the features and advantages of Windows forensics tools:

o Give brief idea about Helix

 List down the tools present in Helix CD for Windows forensics

 Discuss Helix Tool: SecReport

 Explain Helix Tool: Windows Forensic Toolchest (WFT)

o MD5 Generator: Chaos MD5

 Describe Secure Hash Signature Generator

 Explain MD5 Generator: Mat-MD5

 Explain MD5 Checksum Verifier 2.1

o Pslist

o fport

o Psloggedon

 What is File Slack? How can you investigate Windows File Slack?

 How to examine file systems?

 Discuss about built-in tool: Sigverif

 Discuss the Word Extractor forensic tool

 How can you check Registry?

o Summarize features of following registry tools:

o Registry Viewer Tool: RegScanner

o Microsoft Security ID

 Summarize features and importance of Memory Dump

o Pagefile.sys and PMDump

 What is Virtual Memory?

o Discuss System Scanner

 Explain Integrated Windows Forensics Software: X-Ways Forensics and its features

 How can you investigate Internet Traces

 Summarize the features of following Internet tracing tools:

o Traces Viewer

o IECookiesView

o IE History Viewer

o Cache Monitor

 Give overview about Investigating ADS Streams

 How can you create CD-ROM Bootable for Windows XP

o Bart PE (Bart Preinstalled Environment): Screenshot

o Ultimate Boot CD-ROM

o List down the tools present in UB CD-ROM

Module 11 Linux Forensics

 Why use Linux for Forensics?

 How to recognize partitions in Linux?

 Explain file system in Linux

o Describe file system

 Discuss mount Command

 Discuss the Boot Sequence in Linux

 Explain Linux Forensics

 Discuss case example

o Explain Step-by-step approach to case

 What are the challenges in disk forensics with Linux

 Discuss Jason Smith Case

o Explain Step-by-step approach to case

 Summarize the features of following Linux forensics tools:

o The Sleuth Kit

 List down the tools present in “The Sleuth Kit”

o Autopsy

 Describe evidence analysis techniques in Autopsy

o SMART for Linux

o Penguin Sleuth

 List down the tools included in Penguin Sleuth Kit

o Forensix

o Maresware

 List down the various programs present in Maresware

o Captain Nemo

o THE FARMER'S BOOT CD

Module 12 Data Acquisition and Duplication

 What are the different acquisition methods?

 Explain data recovery contingencies

 What is the need of data duplication?

 Explain features of MS-DOS Data Acquisition tool: DriveSpy

 Give the overview of Windows Data Acquisition tools

o FTK Imager

 Describe data acquiring in Linux

o Explain Dd Command

o How can you extract the MBR?

o Explain Netcat Command

 Discuss dd Command (Windows XP Version)

 Summarize the features of following data acquisition tools:

o Mount Image Pro

o Snapshot Tool

o Snapback DatArrest

o Data Acquisition Tool: SafeBack

o Hardware Tool: Image MASSter Solo-3 Forensic

o Hardware Tool: LinkMASSter-2 Forensic

o Hardware Tool: RoadMASSter-2

o Data Duplication Tool: R-drive Image

o Data Duplication Tool: DriveLook

o Data Duplication Tool: DiskExplorer

o Save-N-Sync

o Hardware Tool: ImageMASSter 6007SAS

o Hardware Tool: Disk Jockey IT

o SCSIPAK

o IBM DFSMSdss

o Tape Duplication System: QuickCopy

Module 13 Computer Forensic Tools

Part I- Software Forensics Tools

 Summarize the features and advantages of following software forensics tools:

o Visual TimeAnalyzer

o X-Ways Forensics

o Evidor

o Slack Space & Data Recovery Tools: Ontrack

o Data Recovery Tools:

 Device Seizure 1.0

 Forensic Sorter v2.0.1

 Directory Snoop

o Permanent Deletion of Files:

 PDWipe

 Darik's Boot and Nuke (DBAN)

o File Integrity Checker:

 FileMon

 File Date Time Extractor (FDTE)

 Decode - Forensic Date/Time Decoder

o Disk Imaging Tools:

 Snapback Datarrest

o Partition Managers: Partimage

o Linux/Unix Tools: Ltools and Mtools

o Password Recovery Tool:

 @Stake

 Decryption Collection Enterprise v2.5

 AIM Password Decoder

 MS Access Database Password Decoder

o Internet History Viewer:

 CookieView - Cookie Decoder

 Cookie Viewer

 Cache View

 FavURLView - Favourite Viewer

 NetAnalysis

o Multipurpose Tools:

 Maresware

 LC Technologies Software

 Winhex Specialist Edition

 Prodiscover DFT

o Toolkits:

 NTI Tools

 R-Tools-I

 Datalifter

 Toolkits: Accessdata

 FTK- Forensic Toolkit

 Image Master Solo and Fastbloc

 Encase

o Email Recovery Tool:

 E-mail Examiner

 Network E-mail Examiner

o Case Agent Companion

o Chat Examiner

o Forensic Replicator

o Registry Analyzer

o ASR Data’s SMART

o Oxygen Phone Manager

o SIM Card Seizure

o Text Searcher

o Autoruns

o Autostart Viewer

o Belkasoft RemovEx

o HashDig

o Inforenz Forager

o KaZAlyser

o DiamondCS OpenPorts

o Pasco

o Patchit

o PE Explorer

o Port Explorer

o PowerGREP

o Process Explorer

o PyFLAG

o Registry Analyzing Tool: Regmon

o Reverse Engineering Compiler

o SafeBack

o TapeCat

o Vision

Part II- Hardware Forensics Tools

 Summarize the features and advantages of following hardware computer forensic tools:

o Hard Disk Write Protection Tools: Nowrite & Firewire Drivedock

o LockDown

o Write Protect Card Reader

o Drive Lock IDE

o Serial-ATA DriveLock Kit

o Wipe MASSter

o ImageMASSter Solo-3 IT

o ImageMASSter 4002i

o ImageMasster 3002SCSI

o Image MASSter 3004SATA

Module 14 Forensics Investigations Using Encase

 What is Evidence File

o Explain evidence file format

o How can you verifying file integrity

 Describe Hashing

 How can you acquiring image?

 Explain configuring of Encase and discuss following:

o Encase Options Screen

o Encase Screens

o View Menu

o Device Tab

o Viewing Files and Folders

o Bottom Pane

 Viewers in Bottom Pane

 Status Bar

 Explain in brief about searching ability of Encase

o Discuss about Keywords

 How to add Keywords?

 How can you group keywords?

 How can you add multiple Keywords?

o How to do Search?

o Discuss Search Hits tab

 Give the brief idea about Bookmark:

o What is Bookmarks?

o How to create Bookmarks?

o Discuss about adding Bookmarks

 Explain the procedure for recovering Deleted Files/folders in FAT Partition

o How can you recover folders in NTFS?

o Explain Master Boot Record(MBT)

o How to view Disk Geometry?

 Explain the recovery of deleted partitions

 Explain in brief about Hash Values?

o How to create Hash Sets

o Describe MD5 Hash

o How to create Hash?

 What do you mean by Viewers?

 Discuss Signature Analysis

 How can you view the results?

 Explain the process for copying files/folders

 Describe E-mail Recovery

 Discuss Reporting

 Explain Boot Disks in Encase

 What is IE Cache Images?

Module 15 Recovering Deleted Files and Deleted partitions

Part I: Recovering Deleted Files

 How can you delete the files?

 What happens when a File is Deleted in Windows?

 Give the brief idea about Recycle Bin in Windows

o Discuss the storage locations of Recycle Bin in FAT and NTFS system

o How The Recycle Bin Works?

o Explain damaged or deleted INFO File

o Describe damaged files in Recycled folder

o Give the overview of damaged Recycle folder

 How to Undelete a File?

 Explain Data Recovery in Linux

 Summarize the features of following deleted files recovery tools:

o Search and Recover

o Zero Assumption Digital Image Recovery

o e2Undel

o R-linux

o O&O Unerase

o Restorer 2000

o Badcopy Pro

o File Scavenger

o Mycroft V3

o PC ParaChute

o Stellar Phoenix

o Filesaver

o Virtual Lab

o Drive and Data Recovery

o Active@ UNERASER - DATA Recovery

o Restoration

o PC Inspector File Recovery

o PC Inspector Smart Recovery

o Fundelete

o RecoverPlus Pro

o OfficeFIX

o Recover My Files

o Zero Assumption Recovery

o SuperFile Recover

o IsoBuster

o CDRoller

o DiskInternals Uneraser

o DiskInternal Flash Recovery

o DiskInternals NTFS Recovery

o Recover Lost/Deleted/Corrupted files on CDs and DVDs

o Undelete

o Active@ UNDELETE

o CD Data Rescue

o File Recover

o WinUndelete

o R-Undelete

o Image Recall

o eIMAGE Recovery

o File Scavenger

o Recover4all Professional

o eData Unerase

o Easy-Undelete

o InDisk Recovery

o Repair My Excel

o Repair Microsoft Word Files

o Zip Repair

o Canon RAW File Recovery Software

Part II: Recovering Deleted Partitions

 Explain deletion of partition

 How can you delete partition using Windows

 How can you delete partition using command line

 Describe recovery of deleted partition

 Summarize the features of following deleted partition recovery tools:

o GetDataBack

o DiskInternals Partition Recovery

o Active@ Partition Recovery

o Handy Recovery

o Acronis Recovery Expert

o Active Disk Image

o TestDisk

o Recover It All!

o Scaven

o Partition Table Doctor

o NTFS Deleted Partition Recovery

Module 16 Image Files Forensics

 Define the common terminologies

 Give the brief idea about Image files

o What do you understand by vector images?

o Explain raster images?

o Discuss Metafile Graphics

o Summarize the structure, features and basic attributes of following Image file formats:

 GIF (Graphics Interchange Format)

 JPEG (Joint Photographic Experts Group)

 JPEG 2000

 BMP (Bitmap) File

 PNG (Portable Network Graphics)

 Tagged Image File Format (TIFF)

 ZIP (Zone Information Protocol)

 How file compression works?

 Discuss data compression and its types

o Explain following data compression algorithms:

 Huffman Coding Algorithm

 Lempel-Ziv Coding Algorithm

 What is mean Lossy Compression

o Explain Vector Quantization

 Give the overview about locating and recovering image files

 What is the importance of Image file headers?

 How can you repair the damaged headers?

 Explain reconstruction of file fragments

 Identify and discuss unknown file formats

o Summarize the features of following tools to identify unknown file formats:

 http://www.filext.com

 Picture Viewer: Ifran View

 Picture Viewer: ACDsee

 Picture Viewer: Thumbsplus

 Picture Viewer: AD

 Picture Viewer: Max

 FastStone Image Viewer

 XnView

 Faces – Sketch Software

 Describe Steganography in image files

 Define the term Steganalysis