Course Description

With content-rich modules and the supplementary practical sessions, this course teaches the
intricacies of gathering the essential evidence helpful in prosecution of a cyber-criminal. Cyber-
crimes typically refer to any criminal activity that involves a computer and/or a network. In these
crimes, the computer may or may not have a part for the commissioning of the crime. Witnessing
the recent cyber war fares spread among nations rather than merely corporate, it is wise to accept
the growing strength of cybercriminals and prepare the defenses/security accordingly. Today the
discussion is more over the timing of hacking rather than the possibility of the hack. Equipped with
state-of-the-art tools used by the professionals in the real-time scenarios, this Training provides all
the skills necessary to identify, track and prosecute the cyber criminal.

Course Outline

1. Computer Forensics in Today’s World

2. Computer Forensics Investigation Process

3. Understanding Hard Disks and File Systems

4. Data Acquisition and Duplication

5. Defeating anti-forensics techniques

6. Operating system forensics

7. Network forensics

8. Investigating web attacks

9. Database forensic

10. Cloud forensic

11. Malware forensic

12. Investigating email crimes

13. Mobile Forensics

14. Forensics report writing and presentation

Course Overview
Computer hacking forensic investigation is the process of detecting hacking attacks and
properly extracting evidence to report the crime and conduct audits to prevent future attacks.
Computer crime in today’s cyber world is on the rise. Computer Investigation techniques are
being used by police, government and corporate entities globally and many of them turn to
EC-Council for our Computer Hacking Forensic Investigator CHFI Certification Program.

Computer Security and Computer investigations are changing terms. More tools are invented
daily for conducting Computer Investigations, be it computer crime, digital forensics,
computer investigations, or even standard computer data recovery. The tools and techniques
 covered in EC-Council’s CHFI program will prepare the student to conduct computer
investigations using groundbreaking digital forensics technologies.

Computer forensics is simply the application of computer investigation and analysis

techniques in the interests of determining potential legal evidence. Evidence might be sought
in a wide range of computer crime or misuse, including but not limited to theft of trade
secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can
draw on an array of methods for discovering data that resides in a computer system, or
recovering deleted, encrypted, or damaged file information known as computer data recovery.
Why Attend this Course?
This course helps learners to excel in digital evidence acquisition,handling and analysis in a
forensically sound manner. Acceptable in a court of law, these skills will lead to successful
prosecutions in various types of security incidents such as data breaches, corporate espionage,
insider threats and other intricate cases involving computer systems.
What you will Learn?

A CHFI certified professional will be able to:

 Perform incident response and forensics
 Perform electronic evidence collections
 Perform digital forensic acquisitions
 Perform bit-stream Imaging/acquiring of the digital media seized during the process of
investigation.
 Examine and analyze text, graphics, multimedia, and digital images
 Conduct thorough examinations of computer hard disk drives, and other electronic data
storage media
 Recover information and electronic data from computer hard drives and other data storage
devices
 Follow strict data and evidence handling procedures
 Maintain audit trail (i.e., chain of custody) and evidence integrity
 Work on technical examination, analysis and reporting of computer-based evidence
 Prepare and maintain case files
 Utilize forensic tools and investigative methods to find electronic data, including Internet use
history, word processing documents, images and other files
 Gather volatile and non-volatile information from Windows, MAC and Linux
 Recover deleted files and partitions in Windows, Mac OS X, and Linux
 Perform keyword searches including using target words or phrases
 Investigate events for evidence of insider threats or attacks
 Support the generation of incident reports and other collateral
 Investigate and analyze all response activities related to cyber incidents
 Plan, coordinate and direct recovery activities and incident analysis tasks
 Examine all available information and supporting evidence or artefacts related to an incident
or event
 Collect data using forensic technology methods in accordance with evidence handling
procedures, including collection of hard copy and electronic documents
 Conduct reverse engineering for known and suspected malware files
 Perform detailed evaluation of the data and any evidence of activity in order to analyze the
full circumstances and implications of the event
 Identify data, images and/or activity which may be the target of an internal investigation
 Establish threat intelligence and key learning points to support pro-active profiling and
scenario modelling
 Search file slack space where PC type technologies are employed
 File MAC times (Modified, Accessed, and Create dates and times) as evidence of access and
event sequences
 Examine file type and file header information
 Review e-mail communications including web mail and Internet Instant Messaging programs
 Examine the Internet browsing history
 Generate reports which detail the approach, and an audit trail which documents actions taken
to support the integrity of the internal investigation process
 Recover active, system and hidden files with date/time stamp information
 Crack (or attempt to crack) password protected files
 Perform anti-forensics detection
 Maintain awareness and follow laboratory evidence handling, evidence examination,
laboratory safety, and laboratory security policy and procedures
 Play a role of first responder by securing and evaluating a cybercrime scene, conducting
preliminary interviews, documenting crime scene, collecting and preserving electronic
evidence, packaging and transporting electronic evidence, reporting of the crime scene
 Perform post-intrusion analysis of electronic and digital media to determine the who, where,
what, when, and how the intrusion occurred
 Apply advanced forensic tools and techniques for attack reconstruction
 Perform fundamental forensic activities and form a base for advanced forensics
 Identify and check the possible source/incident origin
 Perform event co-relation
 Extract and analyze logs from various devices such as proxies, firewalls, IPSes, IDSes,
Desktops, laptops, servers, SIM tools, routers, switches, AD servers, DHCP servers, Access
Control Systems, etc.
 Ensure that reported incident or suspected weaknesses, malfunctions and deviations are
handled with confidentiality
 Assist in the preparation of search and seizure warrants, court orders, and subpoenas
 Provide expert witness testimony in support of forensic examinations conducted by the
examiner

Cyber security as a profession has seen tremendous growth over the past 10 years and EC-
Council has been on the leading edge of this profession. Practices in Network Defense,
Ethical Hacking, and Penetration Testing have proven to be the pillars of cyber security
teams across the globe and Digital Forensics is no exception. Whether you operate a team of
2 or 2,000 to tackle Cyber issues facing your organization, digital forensics must be a part of
the equation as a critical skill and daily practice.

Upon completion of this course, you will be able to:

* The process of investigating cyber-crime, laws involved, and the details in obtaining a
search warrant
* Different types of digital evidence, rules of evidence, digital evidence examination process,
and electronic crime and digital evidence consideration by crime category
* Roles of first responder, first responder toolkit, securing and evaluating electronic crime
scene, conducting preliminary interviews, documenting electronic crime scene, collecting and
preserving electronic
* The process of investigating cyber-crime, laws involved, and the details in obtaining a
search warrant.
* Different types of digital evidence, rules of evidence, digital evidence examination process,
and electronic crime and digital evidence consideration by crime category
* Roles of first responder, first responder toolkit, securing and evaluating electronic crime
scene, conducting preliminary interviews, documenting electronic crime scene, collecting and
preserving electronic evidence, packaging and transporting electronic evidence, reporting the
crime scene
* How to recover deleted files and deleted partitions in Windows, Mac OS X, and Linux
* The process involved in forensic investigation using Access Data FTK and Encase
Steganography and its techniques, Steganalysis, and image file forensics
* Password Cracking Concepts, tools, types of password attacks and how to investigate
password protected file breach
* Different types of log capturing techniques, log management, time synchronization, log
capturing tools
* How to investigate logs, network traffic, wireless attacks, and web attacks
* How to track e-mails and investigate e-mail crimes and many more.
Prerequisites
It is strongly recommended that you attend the CEH class before enrolling into CHFI
program.

Course Description
Course Outline
Module 01: Computer Forensics in Today’s World
* Forensics Science
* Computer Forensics
* Forensics Readiness
* Cyber Crime
* Cyber Crime Investigation
* Corporate Investigations
* Reporting a Cyber Crime
Module 02: Computer Forensics Investigation Process
* Investigating Computer Crime
* Steps to Prepare for a Computer Forensics Investigation
* Computer Forensics Investigation Methodology
Module 03: Searching and Seizing Computers
* Searching and Seizing Computers without a Warrant
* Searching and Seizing Computers with a Warrant
* The Electronic Communications Privacy Act
* Electronic Surveillance in Communications Networks
* Evidence
Module 04: Digital Evidence
* Digital Data
* Types of Digital Data
* Rules of Evidence
* Electronic Devices: Types and Collecting Potential Evidence
* Digital Evidence Examination Process
* Electronic Crime and Digital Evidence Consideration by Crime Category
Module 05: First Responder Procedures
* Electronic Evidence
* First Responder
* Roles of First Responder
* Electronic Devices: Types and Collecting Potential Evidence
* First Responder Toolkit
* First Response Basics
* Securing and Evaluating Electronic Crime Scene
* Conducting Preliminary Interviews
* Documenting Electronic Crime Scene
* Collecting and Preserving Electronic Evidence
* Packaging and Transporting Electronic Evidence
* Reporting the Crime Scene
* Note Taking Checklist
* First Responder Common Mistakes
Module 06: Computer Forensics Lab
* Setting a Computer Forensics Lab
* Investigative Services in Computer Forensics
* Computer Forensics Hardware
* Computer Forensics Software
Module 07: Understanding Hard Disks and File Systems
* Hard Disk Drive Overview
* Disk Partitions and Boot Process
* Understanding File Systems
* RAID Storage System
* File System Analysis Using The Sleuth Kit (TSK)
Module 08: Windows Forensics
* Collecting Volatile Information
* Collecting Non-Volatile Information
* Windows Memory Analysis
* Windows Registry Analysis
* Cache, Cookie, and History Analysis
* MD5 Calculation
* Windows File Analysis
* Metadata Investigation
* Text Based Logs
* Other Audit Events
* Forensic Analysis of Event Logs
* Windows Password Issues
* Forensic Tools
Module 09: Data Acquisition and Duplication
* Data Acquisition and Duplication Concepts
* Data Acquisition Types
* Disk Acquisition Tool Requirements
* Validation Methods
* RAID Data Acquisition
* Acquisition Best Practices
* Data Acquisition Software Tools
* Data Acquisition Hardware Tools
Module 10: Recovering Deleted Files and Deleted Partitions
* Recovering the Deleted Files
* File Recovery Tools for Windows
* File Recovery Tools for MAC
* File Recovery Tools for Linux
* Recovering the Deleted Partitions
* Partition Recovery Tools

Module 11: Forensics Investigation using AccessData FTK

* Overview and Installation of FTK
* FTK Case Manager User Interface
* FTK Examiner User Interface
* Starting with FTK
* FTK Interface Tabs
* Adding and Processing Static, Live, and Remote Evidence
* Using and Managing Filters
* Using Index Search and Live Search
* Decrypting EFS and other Encrypted Files
* Working with Reports
Module 12: Forensics Investigation Using EnCase
* Overview of Encase Forensic
* Installing EnCase Forensic
* EnCase Interface
* Case Management
* Working with Evidence
* Source Processor
* Analyzing and Searching Files
* Viewing File Content
* Bookmarking Items
* Reporting
Module 13: Steganography and Image File Forensics
* Steganography
* Steganography Techniques
* Steganalysis
* Image Files
* Data Compression
* Locating and Recovering Image Files
* Image File Forensics Tools
Module 14: Application Password Crackers
* Password Cracking Concepts
* Types of Password Attacks
* Classification of Cracking Software
* Systems Software vs. Applications Software
* System Software Password Cracking
* Application Software Password Cracking
* Password Cracking Tools
Module 15: Log Capturing and Event Correlation
* Computer Security Logs
* Logs and Legal Issues
* Log Management
* Centralized Logging and Syslogs
* Time Synchronization
* Event Correlation
* Log Capturing and Analysis Tools
Module 16: Network Forensics, Investigating Logs and Investigating Network
Traffic
* Network Forensics
* Network Attacks
* Log Injection Attacks
* Investigating and Analyzing Logs
* Investigating Network Traffic
* Traffic Capturing and Analysis Tools
* Documenting the Evidence Gathered on a Network
Module 17: Investigating Wireless Attacks
* Wireless Technologies
* Wireless Attacks
* Investigating Wireless Attacks
* Features of a Good Wireless Forensics Tool
* Wireless Forensics Tools
Module 18: Investigating Web Attacks
* Introduction to Web Applications and Webservers
* Web Logs
* Web Attacks
* Web Attack Investigation
* Web Attack Detection Tools
* Tools for Locating IP Address
Module 19: Tracking Emails and Investigating Email Crimes
* Email System Basics
* Email Crimes
* Email Headers
* Steps to Investigate
* Email Forensics Tools
* Laws and Acts against Email Crimes
Module 20: Mobile Forensics
* Mobile Phone
* Mobile Operating Systems
* Mobile Forensics
* Mobile Forensic Process
* Mobile Forensics Software Tools
* Mobile Forensics Hardware Tools
Module 21: Investigative Reports
* Computer Forensics Report
* Computer Forensics Report Template
* Investigative Report Writing
* Sample Forensics Report
* Report Writing Using Tools
Module 22: Becoming an Expert Witness
* Expert Witness
* Types of Expert Witnesses
* Scope of Expert Witness Testimony
* Evidence Processing
* Rules for Expert Witness
* General Ethics While Testifying
 Upon Completion of this Course, you will accomplish following:-

 Finding out about various kinds of cyber laws for investigating cyber-crimes.
 Analyzing digital evidence through rules of evidence by considering crime category.
 Roles of the first responder, first responder toolkit, securing and assessing electronic crime scene, directing
preliminary interviews, archiving electronic crime scene, gathering and safeguarding electronic proof,
bundling and transporting electronic crime scene, and detailing electronic crime scene.
 Setting up the computer forensics lab and creating investigation reports.
 Steganography, Steganalysis and image forensics.
 Kinds of log capturing, log management, Investigation logs, network traffic, wireless attacks, and web
assaults.
 Gathering volatile and non-volatile data from Windows and recouping erased documents from Windows,
Mac OS X, and Linux. Researching password secured documents by utilizing password cracking concepts
and tools
Overview

The CHFI V9 course is the most extensive and propelled accreditation program that summarizes the
essential knowledge of digital forensic techniques and standard forensic tools to collect the intruder's
footprints necessary for his investigation.

The course delivers a few methodological ways to deal with digital forensics, including seizing, chain of
custody, acquisition preservation, analysis and presentation of digital evidence. CHFI participants will be
trained to lead successful procedures in different sorts of security incidents, for example, information
ruptures, corporate secret activities, and other intricate cases involving computer systems. The certification
will cover the different types of computer forensics programs that helps in detecting hacking attacks and
properly extracting evidence to report the crime and conduct detailed audits for preventing future attacks.

Audience: The CHFI program is meant for professionals who are involved with information system security,
computer forensics, and incident response:
 Computer Forensic Analyst
 Computer Network Defense (CND) Forensic Analyst
 Digital Forensic Examiner
 Forensic Analyst and technician
 Network Forensic Examiner
 Computer Crime Investigator
 Special Agent
  Digital forensic practices stem from forensic science, the science of collecting and
examining evidence or materials. Digital or computer forensics focuses on the digital
domain including computer forensics
  network forensics, and mobile forensics. As the cyber security profession evolves,
organizations are learning the importance of employing digital forensic practices into
their everyday activities.
  Computer forensic practices can help investigate attacks, system anomalies, or even
help System administrators detect a problem by defining what is normal functional
specifications and validating system information for irregular behaviors.

  In the event of a cyber-attack or incident, it is critical investigations be carried out

in a manner that is forensically sound to preserve evidence in the event of a breach of
the law.
  Far too many cyber-attacks are occurring across the globe where laws are clearly
broken and due to improper or non-existent forensic investigations, the cyber
criminals go either unidentified, undetected, or are simply not prosecuted.

  Cyber Security professionals who acquire a firm grasp on the principles of digital
forensics can become invaluable members of Incident Handling and Incident response
teams.
  The Computer Hacking Forensic Investigator course provides a strong baseline
knowledge of key concepts and practices in the digital forensic domains relevant to
today’s organizations. CHFI provides its attendees a firm grasp on the domains of
digital forensics.