Computer Hacking Forensic Investigator


Computer Hacking Forensic Investigator v4
Exam 312-49 CHFI

Training Program

Course Description

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client's systems, to tracing the originator of defamatory emails, to recovering signs of fraud.

The CHFI course will give participants the necessary skills to identify an intruder's footprints and properly gather the necessary evidence to prosecute. Many of today's top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as the home user, has given way to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be compromised (hacked)?" but, rather, "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber criminal, then this is the course for you.

The CHFI is a very advanced security-training program. Proper preparation is required before conducting the CHFI class.

Who Should Attend
* Police and other law enforcement personnel
* Defense and Military personnel
* e-Business Security professionals
* Systems administrators
* Legal professionals
* Banking, Insurance and other professionals
* Government agencies
* IT managers

Prerequisites
It is strongly recommended that you attend the CEH class before enrolling into the CHFI program.

Duration: 5 days (9:00 – 5:00)

Exam Title: Computer Hacking Forensic Investigator v4

Copyright by EC-Council. All Rights Reserved. Reproduction Is Strictly Prohibited.

Certification

The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CHFI certification.

Exam Availability Locations
* Prometric Prime
* Prometric APTC
* VUE

Exam Code
The exam code varies when taken at different testing centers.
* Prometric Prime: 312-49
* Prometric APTC: EC0-349
* VUE: 312-49

Number of questions: 50
Duration: 2 hours
Passing score: 70%

Course Outline CHFI v4

Module 01: Computer Forensics in Today's World
* Forensic Science
* Computer Forensics
  o Security Incident Report
  o Aspects of Organizational Security
  o Evolution of Computer Forensics
  o Objectives of Computer Forensics
  o Need for Computer Forensics
  o Benefits of Forensic Readiness
  o Goals of Forensic Readiness
  o Forensic Readiness Planning
* Cyber Crime
  o Cybercrime
  o Computer Facilitated Crimes
  o Modes of Attacks
  o Examples of Cyber Crime
  o Types of Computer Crimes
  o How Serious were Different Types of Incident?
  o Disruptive Incidents to the Business
  o Time Spent Responding to the Security Incident
  o Cost Expenditure Responding to the Security Incident
* Cyber Crime Investigation
  o Cyber Crime Investigation
  o Key Steps in Forensic Investigation
  o Rules of Forensics Investigation
  o Need for Forensic Investigator
  o Role of Forensics Investigator
  o Accessing Computer Forensics Resources
  o Role of Digital Evidence
  o Understanding Corporate Investigations
  o Approach to Forensic Investigation: A Case Study
  o When an Advocate Contacts the Forensic Investigator, He Specifies How to Approach the Crime Scene
  o Where and When do you Use Computer Forensics
* Enterprise Theory of Investigation (ETI)

* Legal Issues
* Reporting the Results

Module 02: Computer Forensics Investigation Process
* Investigating Computer Crime
  o Before the Investigation
  o Build a Forensics Workstation
  o Building Investigating Team
  o People Involved in Performing Computer Forensics
  o Review Policies and Laws
  o Forensics Laws
  o Notify Decision Makers and Acquire Authorization
  o Risk Assessment
  o Build a Computer Investigation Toolkit
* Computer Forensic Investigation Methodology
  o Steps to Prepare for a Computer Forensic Investigation
  o Obtain Search Warrant
    - Example of Search Warrant
    - Searches Without a Warrant
  o Evaluate and Secure the Scene
    - Forensic Photography
    - Gather the Preliminary Information at Scene
    - First Responder
  o Collect the Evidence
    - Collect Physical Evidence
    - Evidence Collection Form
    - Collect Electronic Evidence
    - Guidelines in Acquiring Evidences
  o Secure the Evidence
    - Evidence Management
    - Chain of Custody
  o Acquire the Data
    - Duplicate the Data (Imaging)
    - Verify Image Integrity
    - Recover Lost or Deleted Data
  o Analyze the Data

    - Data Analysis
    - Data Analysis Tools
  o Assess Evidence and Case
    - Evidence Assessment
    - Case Assessment
    - Processing Location Assessment
    - Best Practices
  o Prepare the Final Report
    - Documentation in Each Phase
    - Gather and Organize Information
    - Writing the Investigation Report
    - Sample Report
  o Testify in the Court as an Expert Witness
    - Expert Witness
    - Testifying in the Court Room
* Closing the Case
* Maintaining Professional Conduct
* Investigating a Company Policy Violation
* Computer Forensics Service Providers

Module 03: Searching and Seizing of Computers
* Searching and Seizing Computers without a Warrant
  o Searching and Seizing Computers without a Warrant
  o § A: Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: General Principles
  o § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices
  o § A.3: Reasonable Expectation of Privacy and Third-Party Possession
  o § A.4: Private Searches
  o § A.5: Use of Technology to Obtain Information
  o § B: Exceptions to the Warrant Requirement in Cases Involving Computers
  o § B.1: Consent
  o § B.1.a: Scope of Consent
  o § B.1.b: Third-Party Consent
  o § B.1.c: Implied Consent
  o § B.2: Exigent Circumstances
  o § B.3: Plain View
  o § B.4: Search Incident to a Lawful Arrest

  o § B.5: Inventory Searches
  o § B.6: Border Searches
  o § B.7: International Issues
  o § C: Special Case: Workplace Searches
  o § C.1: Private Sector Workplace Searches
  o § C.2: Public-Sector Workplace Searches
* Searching and Seizing Computers with a Warrant
  o Searching and Seizing Computers with a Warrant
  o § A: Successful Search with a Warrant
  o § A.1: Basic Strategies for Executing Computer Searches
  o § A.1.a: When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
  o § A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime
  o § A.2: The Privacy Protection Act
  o § A.2.a: The Terms of the Privacy Protection Act
  o § A.2.b: Application of the PPA to Computer Searches and Seizures
  o § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)
  o § A.4: Considering the Need for Multiple Warrants in Network Searches
  o § A.5: No-Knock Warrants
  o § A.6: Sneak-and-Peek Warrants
  o § A.7: Privileged Documents
  o § B: Drafting the Warrant and Affidavit
  o § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant
  o § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the "Things to be Seized"
  o § B.2: Establish Probable Cause in the Affidavit
  o § B.3: In the Affidavit Supporting the Warrant, Include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations That Will Govern the Execution of the Search
  o § C: Post-Seizure Issues
  o § C.1: Searching Computers Already in Law Enforcement Custody
  o § C.2: The Permissible Time Period for Examining Seized Computers
  o § C.3: Rule 41(e) Motions for Return of Property
* The Electronic Communications Privacy Act
  o The Electronic Communications Privacy Act
  o § A. Providers of Electronic Communication Service vs. Remote Computing Service
  o § B. Classifying Types of Information Held by Service Providers
  o § C. Compelled Disclosure Under ECPA
  o § D. Voluntary Disclosure

  o § E. Working with Network Providers
* Electronic Surveillance in Communications Networks
  o Electronic Surveillance in Communications Networks
  o § A. Content vs. Addressing Information
  o § B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127
  o § C. The Wiretap Statute ("Title III"), 18 U.S.C. §§ 2510-2522
  o § C.1: Exceptions to Title III
  o § D. Remedies For Violations of Title III and the Pen/Trap Statute
* Evidence
  o Evidence
  o § A. Authentication
  o § B. Hearsay
  o § C. Other Issues
  o End Note

Module 04: Digital Evidence
* Digital Data
  o Definition of Digital Evidence
  o Increasing Awareness of Digital Evidence
  o Challenging Aspects of Digital Evidence
  o The Role of Digital Evidence
  o Characteristics of Digital Evidence
  o Fragility of Digital Evidence
  o Anti-Digital Forensics (ADF)
  o Types of Digital Data
  o Rules of Evidence
  o Best Evidence Rule
  o Federal Rules of Evidence
  o International Organization on Computer Evidence (IOCE)
  o http://www.ioce.org/
  o IOCE International Principles for Digital Evidences
  o SWGDE Standards for the Exchange of Digital Evidence
* Electronic Devices: Types and Collecting Potential Evidence
  o Electronic Devices: Types and Collecting Potential Evidence
* Evidence Assessment
  o Digital Evidence Examination Process
  o Evidence Assessment

  o Prepare for Evidence Acquisition
* Evidence Acquisition
  o Preparation for Searches
  o Seizing the Evidences
  o Imaging
  o Bit-stream Copies
  o Write Protection
  o Evidence Acquisition
  o Acquiring Evidence from Storage Devices
  o Collecting the Evidence
  o Collecting the Evidence from RAM
  o Collecting Evidence from Stand-Alone Network Computer
  o Chain of Custody
  o Chain of Evidence Form
* Evidence Preservation
  o Preserving Digital Evidence: Checklist
  o Preserving Floppy and Other Removable Media
  o Handling Digital Evidence
  o Store and Archive
  o Digital Evidence Findings
* Evidence Examination and Analysis
  o Evidence Examination
  o Physical Extraction
  o Logical Extraction
  o Analyze Host Data
  o Analyze Storage Media
  o Analyze Network Data
  o Analysis of Extracted Data
  o Timeframe Analysis
  o Data Hiding Analysis
  o Application and File Analysis
  o Ownership and Possession
* Evidence Documentation and Reporting
  o Documenting the Evidence
  o Evidence Examiner Report
  o Final Report of Findings
  o Computer Evidence Worksheet

  o Hard Drive Evidence Worksheet
  o Removable Media Worksheet
* Electronic Crime and Digital Evidence Consideration by Crime Category

Module 05: First Responder Procedures
* Electronic Evidence
* First Responder
* Role of First Responder
* Electronic Devices: Types and Collecting Potential Evidence
* First Responder Toolkit
  o First Responder Toolkit
  o Creating a First Responder Toolkit
  o Evidence Collecting Tools and Equipment
* First Response Basics
  o First Responder Rule
  o Incident Response: Different Situations
  o First Response for System Administrators
  o First Response by Non-Laboratory Staff
  o First Response by Laboratory Forensic Staff
* Securing and Evaluating Electronic Crime Scene
  o Securing and Evaluating Electronic Crime Scene: A Check-list
  o Warrant for Search & Seizure
  o Planning the Search & Seizure
  o Initial Search of the Scene
  o Health and Safety Issues
* Conducting Preliminary Interviews
  o Questions to ask When Client Calls the Forensic Investigator
  o Consent
  o Sample of Consent Search Form
  o Witness Signatures
  o Conducting Preliminary Interviews
  o Conducting Initial Interviews
  o Witness Statement Checklist
* Documenting Electronic Crime Scene
  o Documenting Electronic Crime Scene
  o Photographing the Scene

  o Sketching the Scene
* Collecting and Preserving Electronic Evidence
  o Collecting and Preserving Electronic Evidence
  o Order of Volatility
  o Dealing with Powered OFF Computers at Seizure Time
  o Dealing with Powered ON Computers at Seizure Time
  o Dealing with Networked Computer
  o Dealing with Open Files and Startup Files
  o Operating System Shutdown Procedure
  o Computers and Servers
  o Preserving Electronic Evidence
  o Seizing Portable Computers
  o Switched ON Portables
* Packaging and Transporting Electronic Evidence
  o Evidence Bag Contents List
  o Packaging Electronic Evidence
  o Exhibit Numbering
  o Transporting Electronic Evidence
  o Handling and Transportation to the Forensics Laboratory
  o Storing Electronic Evidence
  o Chain of Custody
* Reporting the Crime Scene
* Note Taking Checklist
* First Responder Common Mistakes

Module 06: Incident Handling
* What is an Incident?
* Security Incidents
* Category of Incidents
  o Category of Incidents: Low Level
  o Category of Incidents: Mid Level
  o Category of Incidents: High Level
* Issues in Present Security Scenario
* How to identify an Incident?
* How to prevent an Incident?
* Defining the Relationship between Incident Response, Incident Handling, and Incident Management
* Incident Management

  o Incident Management
  o Threat Analysis and Assessment
  o Vulnerability Analysis
  o Estimating Cost of an Incident
  o Change Control
* Incident Reporting
  o Incident Reporting
  o Computer Incident Reporting
  o Whom to Report an Incident?
  o Report a Privacy or Security Violation
  o Preliminary Information Security Incident Reporting Form
  o Why don't Organizations Report Computer Crimes?
* Incident Response
  o Respond to a Security Incident
  o Security Incident Response (Detailed Form)
  o Incident Response Policies
  o Incident Response Checklist
  o Response Handling Roles
  o Incident Response: Roles and Responsibilities
    - SSM
    - ISSM
    - ISSO
  o Contingency/Continuity of Operations Planning
  o Budget/Resource Allocation
* Incident Handling
  o Handling Incidents
  o Procedure for Handling
  o Eradication
  o Recovery
  o Follow-up
  o Post-Incident Activity
  o Education, Training, and Awareness
  o Post Incident Report
  o Procedural and Technical Countermeasures

  o Vulnerability Resources
* CSIRT
  o What is CSIRT?
  o CSIRT: Goals and Strategy
  o CSIRT Vision
  o Motivation behind CSIRTs
  o Why does an Organization need an Incident Response Team?
  o Who works in a CSIRT?
  o Staffing your Computer Security Incident Response Team: What are the Basic Skills Needed?
  o Team Models
  o Delegation of Authority
  o CSIRT Services can be Grouped into Three Categories
  o CSIRT Case Classification
  o Types of Incidents and Level of Support
  o Service Description Attributes
  o Incident Specific Procedures-I (Virus and Worm Incidents)
  o Incident Specific Procedures-II (Hacker Incidents)
  o Incident Specific Procedures-III (Social Incidents, Physical Incidents)
  o How CSIRT handles Case: Steps
  o US-CERT Incident Reporting System
  o CSIRT Incident Report Form
  o CERT(R) Coordination Center: Incident Reporting Form
  o Example of CSIRT
  o Best Practices for Creating a CSIRT
    - Step 1: Obtain Management Support and Buy-in
    - Step 2: Determine the CSIRT Development Strategic Plan
    - Step 3: Gather Relevant Information
    - Step 4: Design your CSIRT Vision
    - Step 5: Communicate the CSIRT Vision
    - Step 6: Begin CSIRT Implementation
    - Step 7: Announce the CSIRT
  o Limits to Effectiveness in CSIRTs
  o Working Smarter by Investing in Automated Response Capability
* World CERTs
  o World CERTs
  o Australia CERT (AUSCERT)
  o Hong Kong CERT (HKCERT/CC)

  o Indonesian CSIRT (ID-CERT)
  o Japan CERT-CC (JPCERT/CC)
  o Singapore CERT (SingCERT)
  o Taiwan CERT (TWCERT)
  o China CERT (CNCERT/CC)
  o CERT-CC
  o US-CERT
  o Canadian CERT
  o Forum of Incident Response and Security Teams
  o CAIS
  o NIC BR Security Office Brazilian CERT
  o EuroCERT
  o FUNET structure/members.html
  o IRTs Around the World

Module 07: Computer Forensics Lab
* Setting a Computer Forensics Lab
  o Computer Forensics Lab
  o Planning for a Forensics Lab
  o Budget Allocation for a Forensics Lab
  o Physical Location Needs of a Forensic Lab
  o Structural Design Considerations
  o Environmental Conditions
  o Electrical Needs
  o Communication Needs
  o Work Area of a Computer Forensics Lab
  o Ambience of a Forensic Lab
  o Ambience of a Forensic Lab: Ergonomics
  o Physical Security Recommendations
  o Fire-Suppression Systems
  o Evidence Locker Recommendations
  o Computer Forensics Investigator
  o Law Enforcement Officer

  o Forensic Lab Licensing Requisite
  o Features of the Laboratory Imaging System
  o Technical Specification of the Laboratory-based Imaging System
  o Forensics Lab
  o Auditing a Computer Forensics Lab
  o Recommendations to Avoid Eyestrain
  o Computer Forensic Labs, Inc
  o Procedures at Computer Forensic Labs (CFL), Inc
  o Data Destruction Industry Standards
  o Case Study: San Diego Regional Computer Forensics Laboratory (RCFL)
* Hardware Requirements
  o Equipment Required in a Forensics Lab
  o Forensic Workstations
  o Basic Workstation Requirements in a Forensic Lab
  o Stocking the Hardware Peripherals
  o Paraben Forensics Hardware
    - Handheld First Responder Kit
    - Wireless StrongHold Bag
    - Remote Charger
    - Device Seizure Toolbox
    - Wireless StrongHold Tent
    - Passport StrongHold Bag
    - Project-a-Phone
    - SATA Adaptor Male / Data cable for Nokia 7110/6210/6310/i
    - Lockdown
    - SIM Card Reader / Sony Client N & S Series Serial Data Cable
    - CSI Stick
    - Portable USB Serial DB9 Adapter
  o Portable Forensic Systems and Towers
    - Forensic Air-Lite VI MKII laptop
    - Portable Forensic Systems and Towers: Original Forensic Tower II
    - Portable Forensic Systems and Towers: Portable Forensic Workhorse V
    - Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
    - Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
    - Portable Forensic Systems and Towers: Forensic Tower II
  o Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit
  o Tableau T3u Forensic SATA Bridge Write Protection Kit

  o Tableau T8 Forensic USB Bridge Kit / Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
  o Tableau TACC 1441 Hardware Accelerator
  o Multiple TACC1441 Units
  o Digital Intelligence Forensic Hardware
    - FRED SR (Dual Xeon)
    - FRED-L
    - Forensic Recovery of Evidence Data Center (FREDC)
    - Rack-A-TACC
    - FREDDIE
    - UltraKit
    - UltraBay
    - UltraBlock
    - Micro Forensic Recovery of Evidence Device (µFRED)
  o Wiebetech
    - Forensics DriveDock
    - Forensics UltraDock v4
    - Drive eRazer
    - v4 Combo Adapters
    - ProSATA SS8
    - HotPlug
  o CelleBrite UFED System
  o DeepSpar
    - Disk Imager Forensic Edition
    - 3D Data Recovery
    - Phase 1 Tool: PC-3000 Drive Restoration System
    - Phase 2 Tool: DeepSpar Disk Imager
    - Phase 3 Tool: PC-3000 Data Extractor
  o InfinaDyne Forensic Products
    - Robotic Loader Extension for CD/DVD Inspector
    - Rimage Evidence Disc System
  o CD DVD Forensic Disc Analyzer with Robotic Disc Loader
  o Image MASSter
    - RoadMASSter-3
    - Image MASSter Solo-3 Forensic
    - Image MASSter WipeMASSter

    - Image MASSter DriveLock
    - Image MASSter: Serial-ATA DriveLock Kit USB/1394B
    - Image MASSter: DriveLock Firewire/USB
    - Image MASSter: DriveLock IDE
    - Image MASSter: DriveLock In Bay
  o Logicube
    - Forensic MD5
    - Forensic Talon
    - RAID I/O Adapter
    - GPStamp
    - Portable Forensic Lab
    - CellDEK
    - Omniport
    - Desktop write PROtects
    - USB adapters
    - Adapters
    - Cables
  o Power Supplies and Switches
  o DIBS Mobile Forensic Workstation
  o DIBS Advanced Forensic Workstation
  o DIBS RAID: Rapid Action Imaging Device
  o Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)
* Software Requirements
  o Basic Software Requirements in a Forensic Lab
  o Maintain Operating System and Application Inventories
  o Paraben Forensics Software: Device Seizure
  o Paraben Hard Drive Forensics: P2 Commander
  o Crucial Vision
  o Paraben Hard Drive Forensics: P2 eXplorer
  o InfinaDyne Forensic Products
    - CD/DVD Inspector
    - AccuBurn-R for CD/DVD Inspector
    - Flash Retriever Forensic Edition
    - ThumbsDisplay
  o TEEL Technologies SIM Tools
    - SIMIS

    - SIMulate
    - SIMgen
  o LiveDiscover Forensic Edition
  o Tools: LiveWire Investigator

Module 08: Understanding Hard Disks and File Systems
* Hard Disk
  o Disk Drive Overview
  o Physical Structure of Hard Disk
  o Logical Structure of Hard Disk
  o Types of Hard Disk Interfaces
    - Types of Hard Disk Interfaces: SCSI
    - Types of Hard Disk Interfaces: IDE/EIDE
    - Types of Hard Disk Interfaces: USB
    - Types of Hard Disk Interfaces: ATA
    - Types of Hard Disk Interfaces: Fibre Channel
  o Disk Platter
  o Tracks
  o Tracks Numbering
  o Sector
  o Sector Addressing
  o Cluster
    - Cluster Size
    - Slack Space
    - Lost Clusters
    - Bad Sector
    - Disk Capacity Calculation
    - Measuring the Performance of Hard Disk
* Disk Partitions
  o Disk Partitions
  o Master Boot Record
* Boot Process
  o Windows XP System Files
  o Windows Boot Process (XP/2003)
  o http://www.bootdisk.com
* File Systems
  o Understanding File Systems

  o Types of File Systems
  o List of Disk File Systems
  o List of Network File Systems
  o List of Special Purpose File Systems
  o Popular Linux File Systems
  o Sun Solaris 10 File System: ZFS
  o Mac OS X File System
  o Windows File Systems
  o CD-ROM / DVD File System
  o Comparison of File Systems
* FAT32
  o FAT
  o FAT Structure
  o FAT32
* NTFS
  o NTFS
  o NTFS Architecture
  o NTFS System Files
  o NTFS Partition Boot Sector
  o NTFS Master File Table (MFT)
  o NTFS Metadata File Table (MFT)
  o Cluster Sizes of NTFS Volume
  o NTFS Files and Data Storage
  o NTFS Attributes
  o NTFS Data Stream
  o NTFS Compressed Files
  o NTFS Encrypted File Systems (EFS)
  o EFS File Structure
  o EFS Recovery Key Agent
  o EFS Key
  o Deleting NTFS Files
  o Registry Data
  o Examining Registry Data
  o FAT vs. NTFS
* Ext3
  o Ext2
  o Ext3

* HFS and CDFS
  o HFS
  o CDFS
* RAID Storage System
  o RAID Storage System
  o RAID Levels
  o Recover Data from Unallocated Space using File Carving Process
* Hard Disk Evidence Collector Tools
  o Evidor
  o WinHex
  o Logicube: Echo PLUS
  o Logicube: Sonix
  o Logicube: OmniClone Xi
  o Logicube: OmniWipe
  o Logicube: CloneCard Pro
  o ImageMASSter: ImageMASSter 40008i
  o eDR Solutions: Hard Disk Crusher

Module 09: Digital Media Devices
* Digital Storage Devices
  o Digital Storage Devices
  o Magnetic Tape
  o Floppy Disk
  o Compact Disk
  o CD-ROM
  o DVD
  o DVD-R, DVD+R, and DVD+R(W)
  o DVD-RW, DVD+RW
  o DVD+R DL / DVD-R DL / DVD-RAM
  o Blu-Ray
  o Network Attached Storage (NAS)
  o iPod
  o Zune
  o Flash Memory Cards
  o Secure Digital (SD) Memory Card
  o Secure Digital High Capacity (SDHC) Card
  o Secure Digital Input Output (SDIO) Card

  o Compact Flash (CF) Memory Card
  o Memory Stick (MS) Memory Card
  o Multi Media Memory Card (MMC)
  o xD-Picture Card (xD)
  o SmartMedia Memory (SM) Card
  o Solid State Drives
  o Tape Libraries and Autoloaders
  o Barracuda Hard Drives
  o Hybrid Hard Drive
  o Holographic Data Storage
  o ExpressCard
  o USB Flash Drives
  o USB Flash in a Pen
  o E-ball Futuristic Computer
* Different Models of Digital Devices
  o Different Types of Pocket Hard Drives
  o Different Types of Network-Attached Storage Devices
  o Different Types of Digital Camera Devices
  o Different Types of Mini Digital Cameras
  o Different Types of Digital Video Cameras
  o Different Types of Mobile Devices
  o Mobile Devices in the Future
  o Different Types of Digital Audio Players
  o Different Types of Digital Video Players
  o Different Types of Laptop Computers
  o Solar Powered Concept for Laptop Gadget
  o Different Types of Bluetooth Devices
  o Different Types of USB Drives

Module 10: CD/DVD Forensics
* Compact Disk
* Types of CDs
* Digital Versatile Disk (DVD)
* DVD-R and DVD+R
* DVD-RW and DVD+RW
* DVD+R DL, DVD-R DL, DVD-RAM
* HD-DVD (High Definition DVD)

* HD-DVD
* Blu-Ray
* SID Code
* How Criminals use CD/DVD for Crime
* Pre-Requisite for CD/DVD Forensics
* Steps for CD Forensics
  o Collect the CD/DVD Evidences
  o Precautions while Collecting the Evidences
  o Document the Scene
  o Preserve the Evidences
  o Create Image of CD/DVD
  o Recover Data from Damaged or Corrupted CDs/DVDs
  o Data Analysis
* Identify Pirated CD/DVDs
* Original and Pirated CD/DVDs
* CD/DVD Imaging Tools
  o UltraISO
  o MagicISO
  o Cdmage
  o Alcohol
  o Nero
* CD/DVD Data Recovery Tools
  o CDRoller
  o Badcopy Pro
  o Multi Data Rescue
  o InDisk Recovery
  o Stellar Phoenix CD Data Recovery Software
  o CD Recovery Toolbox
  o IsoBuster
  o CD/DVD Inspector
  o Acodisc CD & DVD Data Recovery Services

Module 11: Windows, Linux, Macintosh Boot Process
* Terminologies
* Boot Loader
* Boot Sector
* Anatomy of MBR

* Windows Boot Sequence
* Linux Boot Sequence
* Macintosh Boot Sequence
* Windows XP Boot Process
  o Windows XP Boot Process
* Linux Boot Process
  o Common Startup Files in UNIX
  o List of Important Directories in UNIX
* Linux Boot Process Steps
  o Step 1: The Boot Manager
  o GRUB: Boot Loader
  o Step 2: init
    - Step 2.1: /etc/inittab
    - Run Levels
    - The Run Level Scripts
    - How Processes in Runlevels Start
    - The Run Level Actions
  o Step 3: Services
  o Step 4: More inittab
  o Operating Modes
* Macintosh Boot Process
  o Mac OS X
  o Mac OS X Hidden Files
  o Booting Mac OS X
  o Mac OS X Boot Options
  o The Mac OS X Boot Process

Module 12: Windows Forensics I
* Volatile Information
* Non-volatile Information
* Collecting Volatile Information
  o System Time
  o Logged-on Users
  o Open Files
  o Net file Command
  o Psfile Tool
  o Openfiles Command

  o NetBIOS Name Table Cache
  o Network Connections
  o Netstat with the -ano Switch
  o Netstat with the -r Switch
  o Process Information
  o Tlist Tool
  o Tasklist Command
  o Pslist Tool
  o Listdlls Tool
  o Handle Tool
  o Process-to-Port Mapping
  o Netstat Command
  o Fport Tool
  o Openports Tool
  o Network Status
  o Ipconfig Command
  o Promiscdetect Tool
  o Promqry Tool
  o Other Important Information
* Collecting Nonvolatile Information
  o Collecting Nonvolatile Information
  o Examining File Systems
  o Registry Settings
  o Microsoft Security ID
  o Event Logs
  o Index.dat File
  o Devices and Other Information
  o Slack Space
  o Virtual Memory
  o Tool: DriveSpy
  o Swap File
  o Windows Search Index
  o Tool: Search Index Examiner
  o Collecting Hidden Partition Information
  o Hidden ADS Streams
  o Investigating ADS Streams
* Windows Memory Analysis

  o Windows Memory Analysis
  o Importance of Memory Dump
  o EProcess Structure
  o Process Creation Mechanism
  o Parsing Memory Contents
  o Parsing Process Memory
  o Extracting the Process Image
  o Collecting Process Memory
* Windows Registry Analysis
  o Inside the Registry
  o Registry Contents
  o Registry Structure within a Hive File
  o Registry Analysis
  o System Information
  o Time Zone Information
  o Shares
  o Audit Policy
  o Wireless SSIDs
  o Autostart Locations
  o System Boot
  o User Login
  o User Activity
  o Enumerating Autostart Registry Locations
  o USB Removable Storage Devices
  o Mounted Devices
  o Finding Users
  o Tracking User Activity
  o The UserAssist Keys
  o MRU Lists
  o Search Assistant
  o Connecting to Other Systems
  o Analyzing Restore Point Registry Settings
  o Determining the Startup Locations
* Cache, Cookie and History Analysis
  o Cache, Cookie and History Analysis in IE
  o Cache, Cookie and History Analysis in Firefox/Netscape
  o Browsing Analysis Tool: Pasco

  o IE Cache View
  o Forensic Tool: Cache Monitor
  o Tool: IE History Viewer
  o IE Cookie Analysis
  o Investigating Internet Traces
  o Tool: IECookiesView
  o Tool: IE Sniffer
* MD5 Calculation
  o MD5 Calculation
  o MD5 Algorithm
  o MD5 Pseudocode
  o MD5 Generator: Chaos MD5
  o Secure Hash Signature Generator
  o MD5 Generator: Mat-MD5
  o MD5 Checksum Verifier 2.1
Wi
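Worked example for the MD5 Calculation items of Module 12 above and for the Verify Image Integrity step in Modules 02 and 04. This is an added illustration, not course material and not EC-Council code: it implements MD5 directly from the RFC 1321 pseudocode (padding, the four rounds, the sine-derived constants), checks the result against Python's hashlib, and then re-hashes a stand-in disk image against the digests recorded at acquisition time. The image bytes, the single flipped byte and the function names are assumptions made for this example. Because MD5 collisions are practical, the verifier records a second digest (SHA-256) next to the MD5 and only accepts the image when both match.

```python
"""MD5 from the RFC 1321 pseudocode, plus an acquisition-hash verifier."""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-step left-rotate amounts and the additive constants
# K[i] = floor(abs(sin(i + 1)) * 2^32), exactly as RFC 1321 defines them.
_S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
_K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def _rotl(x, c):
    return ((x << c) | (x >> (32 - c))) & MASK32


def md5_digest(data: bytes) -> bytes:
    """Return the 16-byte MD5 digest of `data` (pure Python, for study only)."""
    # Padding: one 0x80 byte, zeros up to 56 mod 64, then the original length
    # in bits as a little-endian 64-bit integer.
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476

    for off in range(0, len(msg), 64):
        m = struct.unpack("<16I", msg[off:off + 64])   # 16 little-endian words
        a, b, c, d = a0, b0, c0, d0
        for i in range(64):
            if i < 16:       # round 1: F = (B and C) or (not B and D)
                f, g = (b & c) | (~b & d), i
            elif i < 32:     # round 2: G = (D and B) or (not D and C)
                f, g = (d & b) | (~d & c), (5 * i + 1) % 16
            elif i < 48:     # round 3: H = B xor C xor D
                f, g = b ^ c ^ d, (3 * i + 5) % 16
            else:            # round 4: I = C xor (B or not D)
                f, g = c ^ (b | ~d), (7 * i) % 16
            f = (f + a + _K[i] + m[g]) & MASK32
            a, d, c = d, c, b
            b = (b + _rotl(f, _S[i])) & MASK32
        a0, b0, c0, d0 = ((a0 + a) & MASK32, (b0 + b) & MASK32,
                          (c0 + c) & MASK32, (d0 + d) & MASK32)

    return struct.pack("<4I", a0, b0, c0, d0)


def md5_hex(data: bytes) -> str:
    return md5_digest(data).hex()


def verify_image(image: bytes, expected_md5: str, expected_sha256: str) -> dict:
    """Re-hash an acquired image and compare with the digests recorded at
    acquisition. Both must match: MD5 alone is not collision-resistant, so a
    SHA-256 is kept beside it on the evidence form."""
    md5_ok = hashlib.md5(image).hexdigest() == expected_md5.lower()
    sha_ok = hashlib.sha256(image).hexdigest() == expected_sha256.lower()
    return {"md5_match": md5_ok, "sha256_match": sha_ok, "verified": md5_ok and sha_ok}


# Constructed sample (assumption, not real evidence): a tiny stand-in for a
# bit-stream image, plus a copy with one byte flipped, the way a drive attached
# without a write blocker or a bad transfer shows up.
SAMPLE_IMAGE = bytes(range(256)) * 3            # 768 bytes, exactly 12 MD5 blocks
_t = bytearray(SAMPLE_IMAGE)
_t[100] ^= 0x01
TAMPERED_IMAGE = bytes(_t)

ACQ_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()        # recorded at acquisition
ACQ_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()

if __name__ == "__main__":
    print("md5('abc')     =", md5_hex(b"abc"))
    print("hashlib agrees =", md5_hex(SAMPLE_IMAGE) == ACQ_MD5)
    print("good image     =", verify_image(SAMPLE_IMAGE, ACQ_MD5, ACQ_SHA256))
    print("tampered image =", verify_image(TAMPERED_IMAGE, ACQ_MD5, ACQ_SHA256))
```

The pure-Python MD5 exists so the pseudocode can be read next to a running instance; in the lab the hashes on the chain-of-custody form come from the imaging tool or hashlib, and the point of verify_image is that a single flipped byte fails both digests, which is what a re-verification before analysis is meant to catch.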

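Worked example for the Master Boot Record and Anatomy of MBR items in Modules 08 and 11, and for Collecting Hidden Partition Information in Module 12. This is an added illustration, not course material and not EC-Council code. It decodes the four 16-byte partition entries and the 0x55AA boot signature of sector 0, reads the 4-byte NT disk signature at offset 0x1B8 (the same value Windows stores in the MountedDevices registry key for MBR disks), and lists the sector ranges that no primary partition covers, which is where a hidden partition or data stashed outside the table turns up. The sample sector, its 0xDEADBEEF disk signature and the two-partition layout are constructed for this example and do not come from a real disk.

```python
"""Decode a classic MBR partition table and list unallocated sector ranges."""
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = 0x55AA           # last two bytes of sector 0, stored as 55 AA
PARTITION_TABLE_OFFSET = 0x1BE   # four 16-byte entries
DISK_SIGNATURE_OFFSET = 0x1B8    # 4-byte NT disk signature, little-endian

# Partition-type IDs an examiner meets most often; others are reported numerically.
PARTITION_TYPES = {
    0x00: "empty", 0x05: "extended (CHS)", 0x07: "NTFS/exFAT/HPFS",
    0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)", 0x0F: "extended (LBA)",
    0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective", 0xEF: "EFI system",
}


def _decode_chs(h, s, c):
    """CHS triple: head byte; sector in the low 6 bits of the second byte with
    the cylinder's top two bits in its high 2 bits; cylinder low 8 bits last."""
    return {"cylinder": ((s & 0xC0) << 2) | c, "head": h, "sector": s & 0x3F}


def parse_mbr(sector0: bytes) -> dict:
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sig = struct.unpack_from(">H", sector0, 0x1FE)[0]
    if sig != MBR_SIGNATURE:
        raise ValueError(f"bad boot signature 0x{sig:04X}, expected 0x55AA")
    disk_sig = struct.unpack_from("<I", sector0, DISK_SIGNATURE_OFFSET)[0]
    partitions = []
    for n in range(4):
        fields = struct.unpack_from("<B3BB3BII", sector0, PARTITION_TABLE_OFFSET + 16 * n)
        boot, h0, s0, c0, ptype, h1, s1, c1, lba_start, count = fields
        if ptype == 0x00 and count == 0:
            continue                              # unused slot
        partitions.append({
            "slot": n,
            "bootable": boot == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "chs_start": _decode_chs(h0, s0, c0),
            "chs_end": _decode_chs(h1, s1, c1),
            "lba_start": lba_start,
            "sectors": count,
            "lba_end": lba_start + count,         # exclusive
            "size_bytes": count * SECTOR_SIZE,
        })
    return {
        "disk_signature": f"0x{disk_sig:08X}",
        "gpt_protective": any(p["type"] == 0xEE for p in partitions),
        "partitions": partitions,
    }


def find_unallocated(mbr: dict, total_sectors: int):
    """Sector ranges (start, end_exclusive) covered by no primary partition,
    starting after sector 0 (the MBR itself). Hidden partitions and data
    written outside the table show up here and in a raw-disk carve."""
    gaps, cursor = [], 1
    for p in sorted(mbr["partitions"], key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"]))
        cursor = max(cursor, p["lba_end"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors))
    return gaps


def build_sample_mbr() -> bytes:
    """Constructed sample sector (assumption, not a real disk): two primary
    partitions with an unallocated gap between them and a made-up signature."""
    sector = bytearray(SECTOR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, 0xDEADBEEF)
    # (boot flag, type, first LBA, sector count). The CHS fields hold the
    # 0xFE 0xFF 0xFF "past CHS range, use LBA" placeholder modern tools write.
    entries = [(0x80, 0x07, 2048, 204800), (0x00, 0x83, 409600, 102400)]
    for n, (boot, ptype, start, count) in enumerate(entries):
        struct.pack_into("<B3BB3BII", sector, PARTITION_TABLE_OFFSET + 16 * n,
                         boot, 0xFE, 0xFF, 0xFF, ptype, 0xFE, 0xFF, 0xFF, start, count)
    struct.pack_into(">H", sector, 0x1FE, MBR_SIGNATURE)
    return bytes(sector)


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    print("disk signature:", table["disk_signature"])
    for p in table["partitions"]:
        print(p)
    print("unallocated:", find_unallocated(table, 1048576))
```

On a real image the 512 bytes come from the first sector of the write-blocked device or of the raw image file; if the table contains a 0xEE entry the disk is GPT and the protective MBR says nothing about the real layout, so the examiner reads the GPT header at LBA 1 instead.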