Computer Hacking Forensic Investigator

EC-Council

Computer Forensics
Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.

Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases. Electronic evidence is critical in the following situations:

• Disloyal employees
• Computer break-ins
• Possession of pornography
• Breach of contract
• Industrial espionage
• E-mail Fraud
• Bankruptcy
• Disputed dismissals
• Web page defacements
• Theft of company documents

Computer forensics enables the systematic and careful identification of evidence in computer-related crime and abuse cases. This may range from tracing the tracks of a hacker through a client’s systems, to tracing the originator of defamatory emails, to recovering signs of fraud.

The CHFI course will provide participants with the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute in a court of law.

The CHFI course will benefit:

• Police and other law enforcement personnel
• Defense and Military personnel
• e-Business Security professionals
• Systems administrators
• Legal professionals
• Banking, Insurance and other professionals
• Government agencies
• IT managers
Computer Hacking Forensic Investigator (CHFI)

Course Outline v1

Module 1 Computer Forensics and Investigations as a Profession
§ Understanding Computer Forensics
§ Comparing Definitions of Computer Forensics
§ Exploring a Brief History of Computer Forensics
§ Developing Computer Forensics Resources
§ Preparing for Computing Investigations
§ Understanding Enforcement Agency Investigations
§ Understanding Corporate Investigations
§ Maintaining Professional Conduct

Module 2 Understanding Computer Investigations
§ Preparing a Computer Investigation
§ Examining a Computer Crime
§ Examining a Company-Policy Violation
§ Taking a Systematic Approach
§ Assessing the Case
§ Planning Your Investigation
§ Securing Your Evidence
§ Understanding Data-Recovery Workstations and Software
§ Setting Up Your Workstation for Computer Forensics
§ Executing an Investigation
§ Gathering the Evidence
§ Copying the Evidence Disk
§ Analyzing Your Digital Evidence
§ Completing the Case
§ Critiquing the Case

Module 3 Working with Windows and DOS Systems
§ Understanding File Systems
§ Understanding the Boot Sequence
§ Examining Registry Data
§ Disk Drive Overview
§ Exploring Microsoft File Structures
§ Disk Partition Concerns
§ Boot Partition Concerns
§ Examining FAT Disks
§ Examining NTFS Disks
§ NTFS System Files
§ NTFS Attributes
§ NTFS Data Streams
§ NTFS Compressed Files
§ NTFS Encrypted File Systems (EFS)
§ EFS Recovery Key Agent
§ Deleting NTFS Files
§ Understanding Microsoft Boot Tasks
§ Windows XP, 2000, and NT Startup
§ Windows XP System Files
§ Understanding MS-DOS Startup Tasks
§ Other DOS Operating Systems

Module 4 Macintosh and Linux Boot Processes and Disk Structures
§ Understanding the Macintosh File Structure
§ Understanding Volumes
§ Exploring Macintosh Boot Tasks
§ Examining UNIX and Linux Disk Structures
§ UNIX and Linux Overview
§ Understanding modes
§ Understanding UNIX and Linux Boot Processes
§ Understanding Linux Loader
§ UNIX and Linux Drives and Partition Scheme
§ Examining Compact Disc Data Structures
§ Understanding Other Disk Structures
§ Examining SCSI Disks
§ Examining IDE/EIDE Devices

Module 5 The Investigator’s Office and Laboratory
§ Understanding Forensic Lab Certification Requirements
§ Identifying Duties of the Lab Manager and Staff
§ Balancing Costs and Needs
§ Acquiring Certification and Training
§ Determining the Physical Layout of a Computer Forensics Lab
§ Identifying Lab Security Needs
§ Conducting High-Risk Investigations
§ Considering Office Ergonomics
§ Environmental Conditions
§ Lighting
§ Structural Design Considerations
§ Electrical Needs
§ Communications
§ Fire-suppression Systems
§ Evidence Lockers
§ Facility Maintenance
§ Physical Security Needs
§ Auditing a Computer Forensics Lab
§ Computer Forensics Lab Floor Plan Ideas
§ Selecting a Basic Forensic Workstation
§ Selecting Workstations for Police Labs
§ Selecting Workstations for Private and Corporate Labs
§ Stocking Hardware Peripherals
§ Maintaining Operating Systems and Application Software Inventories
§ Using a Disaster Recovery Plan
§ Planning for Equipment Upgrades
§ Using Laptop Forensic Workstations
§ Building a Business Case for Developing a Forensics Lab
§ Creating a Forensic Boot Floppy Disk
§ Assembling the Tools for a Forensic Boot Floppy Disk
§ Retrieving Evidence Data Using a Remote Network Connection

Module 6 Current Computer Forensics Tools
§ Evaluating Your Computer Forensics Software Needs
§ Using National Institute of Standards and Technology (NIST) Tools
§ Using National Institute of Justice (NIJ) Methods
§ Validating Computer Forensics Tools
§ Using Command-Line Forensics Tools
§ Exploring NTI Tools
§ Exploring Ds2dump
§ Reviewing DriveSpy
§ Exploring PDBlock
§ Exploring PDWipe
§ Reviewing Image
§ Exploring Part
§ Exploring SnapBack DatArrest
§ Exploring Byte Back
§ Exploring MaresWare
§ Exploring DIGS Mycroft v3
§ Exploring Graphical User Interface (GUI) Forensics Tools
§ Exploring AccessData Programs
§ Exploring Guidance Software EnCase
§ Exploring Ontrack
§ Using BIAProtect
§ Using LC Technologies Software
§ Exploring WinHex Specialist Edition
§ Exploring DIGS Analyzer Professional Forensic Software
§ Exploring ProDiscover DFT
§ Exploring DataLifter
§ Exploring ASRData
§ Exploring the Internet History Viewer
§ Exploring Other Useful Computer Forensics Tools
§ Exploring LTOOLS
§ Exploring Mtools
§ Exploring R-Tools
§ Using Explore2fs
§ Exploring @stake
§ Exploring TCT and TCTUTILs
§ Exploring ILook
§ Exploring HashKeeper
§ Using Graphic Viewers
§ Exploring Hardware Tools
§ Computing-Investigation Workstations
§ Building Your Own Workstation
§ Using a Write-blocker
§ Using LC Technology International Hardware
§ Forensic Computers
§ DIGS
§ Digital Intelligence
§ Image MASSter Solo
§ FastBloc
§ Acard
§ NoWrite
§ Wiebe Tech Forensic DriveDock
§ Recommendations for a Forensic Workstation

Module 7 Digital Evidence Controls
§ Identifying Digital Evidence
§ Understanding Evidence Rules
§ Securing Digital Evidence at an Incident Scene
§ Cataloging Digital Evidence
§ Lab Evidence Considerations
§ Processing and Handling Digital Evidence
§ Storing Digital Evidence
§ Evidence Retention and Media Storage Needs
§ Documenting Evidence
§ Obtaining a Digital Signature

Module 8 Processing Crime and Incident Scenes
§ Processing Private-Sector Incident Scenes
§ Processing Law Enforcement Crime Scenes
§ Understanding Concepts and Terms Used in Warrants
§ Preparing for a Search
§ Identifying the Nature of the Case
§ Identifying the Type of Computing System
§ Determining Whether You Can Seize a Computer
§ Obtaining a Detailed Description of the Location
§ Determining Who Is in Charge
§ Using Additional Technical Expertise
§ Determining the Tools You Need
§ Preparing the Investigation Team
§ Securing a Computer Incident or Crime Scene
§ Seizing Digital Evidence at the Scene
§ Processing a Major Incident or Crime Scene
§ Processing Data Centers with an Array of RAIDs
§ Using a Technical Advisor at an Incident or Crime Scene
§ Sample Civil Investigation
§ Sample Criminal Investigation
§ Collecting Digital Evidence

Module 9 Data Acquisition
§ Determining the Best Acquisition Method
§ Planning Data Recovery Contingencies
§ Using MS-DOS Acquisition Tools
§ Understanding How DriveSpy Accesses Sector Ranges
§ Data Preservation Commands
§ Using DriveSpy Data Manipulation Commands
§ Using Windows Acquisition Tools
§ AccessData FTK Explorer
§ Acquiring Data on Linux Computers
§ Using Other Forensics Acquisition Tools
§ Exploring SnapBack DatArrest
§ Exploring SafeBack
§ Exploring EnCase

Module 10 Computer Forensic Analysis
§ Understanding Computer Forensic Analysis
§ Refining the Investigation Plan
§ Using DriveSpy to Analyze Computer Data
§ DriveSpy Command Switches
§ DriveSpy Keyword Searching
§ DriveSpy Scripts
§ DriveSpy Data-Integrity Tools
§ DriveSpy Residual Data Collection Tools
§ Other Useful DriveSpy Command Tools
§ Using Other Digital Intelligence Computer Forensics Tools
§ Using PDBlock and PDWipe
§ Using AccessData’s Forensic Toolkit
§ Performing a Computer Forensic Analysis
§ Setting Up Your Forensic Workstation
§ Performing Forensic Analysis on Microsoft File Systems
§ UNIX and Linux Forensic Analysis
§ Macintosh Investigations
§ Addressing Data Hiding Techniques
§ Hiding Partitions
§ Marking Bad Clusters
§ Bit-Shifting
§ Using Steganography
§ Examining Encrypted Files
§ Recovering Passwords

Module 11 E-mail Investigations
§ Understanding Internet Fundamentals
§ Understanding Internet Protocols
§ Exploring the Roles of the Client and Server in E-mail
§ Investigating E-mail Crimes and Violations
§ Identifying E-mail Crimes and Violations
§ Examining E-mail Messages
§ Copying an E-mail Message
§ Printing an E-mail Message
§ Viewing E-mail Headers
§ Examining an E-mail Header
§ Examining Additional E-mail Files
§ Tracing an E-mail Message
§ Using Network Logs Related to E-mail
§ Understanding E-mail Servers
§ Examining UNIX E-mail Server Logs
§ Examining Microsoft E-mail Server Logs
§ Examining Novell GroupWise E-mail Logs
§ Using Specialized E-mail Forensics Tools

Module 12 Recovering Image Files
§ Recognizing an Image File
§ Understanding Bitmap and Raster Images
§ Understanding Vector Images
§ Metafile Graphics
§ Understanding Image File Formats
§ Understanding Data Compression
§ Reviewing Lossless and Lossy Compression
§ Locating and Recovering Image Files
§ Identifying Image File Fragments
§ Repairing Damaged Headers
§ Reconstructing File Fragments
§ Identifying Unknown File Formats
§ Analyzing Image File Headers
§ Tools for Viewing Images
§ Understanding Steganography in Image Files
§ Using Steganalysis Tools
§ Identifying Copyright Issues with Graphics

Module 13 Writing Investigation Reports
§ Understanding the Importance of Reports
§ Limiting the Report to Specifics
§ Types of Reports
§ Expressing an Opinion
§ Designing the Layout and Presentation
§ Litigation Support Reports versus Technical Reports
§ Writing Clearly
§ Providing Supporting Material
§ Formatting Consistently
§ Explaining Methods
§ Data Collection
§ Including Calculations
§ Providing for Uncertainty and Error Analysis
§ Explaining Results
§ Discussing Results and Conclusions
§ Providing References
§ Including Appendices
§ Providing Acknowledgments
§ Formal Report Format
§ Writing the Report
§ Using FTK Demo Version

Module 14 Becoming an Expert Witness
§ Comparing Technical and Scientific Testimony
§ Preparing for Testimony
§ Documenting and Preparing Evidence
§ Keeping Consistent Work Habits
§ Processing Evidence
§ Serving as a Consulting Expert or an Expert Witness
§ Creating and Maintaining Your CV
§ Preparing Technical Definitions
§ Testifying in Court
§ Understanding the Trial Process
§ Qualifying Your Testimony and Voir Dire
§ Addressing Potential Problems
§ Testifying in General
§ Presenting Your Evidence
§ Using Graphics in Your Testimony
§ Helping Your Attorney
§ Avoiding Testimony Problems
§ Testifying During Direct Examination
§ Using Graphics During Testimony
§ Testifying During Cross-Examination
§ Exercising Ethics When Testifying
§ Understanding Prosecutorial Misconduct
§ Preparing for a Deposition
§ Guidelines for Testifying at a Deposition
§ Recognizing Deposition Problems
§ Public Release: Dealing with Reporters
§ Forming an Expert Opinion
§ Determining the Origin of a Floppy Disk

Module 15 Computer Security Incident Response Team
§ Incident Response Team
§ Incident Reporting Process
§ Low-level incidents
§ Mid-level incidents
§ High-level incidents
§ What is a Computer Security Incident Response Team (CSIRT)?
§ Why would an organization need a CSIRT?
§ What types of CSIRTs exist?
§ Other Response Teams Acronyms
§ What does a CSIRT do?
§ What is Incident Handling?
§ Need for CSIRT in Organizations
§ Best Practices for Creating a CSIRT

Module 16 Logfile Analysis
§ Secure Audit Logging
§ Audit Events
§ Syslog
§ Message File
§ Setting Up Remote Logging
§ Linux Process Tracking
§ Windows Logging
§ Remote Logging in Windows
§ ntsyslog
§ Application Logging
§ Extended Logging
§ Monitoring for Intrusion and Security Events
§ Importance of Time Synchronization
§ Passive Detection Methods
§ Dump Event Log Tool (Dumpel.exe)
§ EventCombMT
§ Event Collection
§ Scripting
§ Event Collection Tools
§ Forensic Tool: fwanalog
§ Elements of an End-to-End Forensic Trace
§ Log Analysis and Correlation
§ TCPDump logs
§ Intrusion Detection Log (RealSecure)
§ Intrusion Detection Log (SNORT)

Module 17 Recovering Deleted Files
§ The Windows Recycle Bin
§ Digital evidence
§ Recycle Hidden Folder
§ How do I undelete a file?
§ e2undel
§ O&O UnErase
§ Restorer2000
§ BadCopy Pro
§ File Scavenger
§ Mycroft v3
§ PC ParaChute
§ Search and Recover
§ Stellar Phoenix Ext2, Ext3
§ Zero Assumption Digital Image Recovery
§ FileSaver
§ VirtualLab Data Recovery
§ R-Linux
§ Drive & Data Recovery
§ Active@ UNERASER - DATA Recovery

Module 18 Application Password Crackers
§ Advanced Office XP Password Recovery
§ AOXPPR
§ Accent Keyword Extractor
§ Advanced PDF Password Recovery
§ APDFPR
§ Distributed Network Attack
§ Windows XP / 2000 / NT Key
§ Passware Kit
§ How to Bypass BIOS Passwords
§ BIOS Password Crackers
§ Removing the CMOS Battery
§ Default Password Database

Module 19 Investigating E-Mail Crimes
§ E-mail Crimes
§ Sending Fakemail
§ Sending E-mail using Telnet
§ Tracing an e-mail
§ Mail Headers
§ Reading Email Headers
§ Tracing Back
§ Tracing Back Web Based E-mail
§ Microsoft Outlook Mail
§ Pst File Location
§ Tool: R-Mail
§ Tool: FinaleMail
§ Searching E-mail Addresses
§ E-mail Search Site
§ abuse.net
§ Network Abuse Clearing House
§ Handling Spam
§ Protecting your E-mail Address from Spam
§ Tool: Enkoder Form
§ Tool: eMailTrackerPro
§ Tool: SPAM Punisher

Module 20 Investigating Web Attacks
§ How to Tell an Attack is in Progress
§ What to Do When You Are Under Attack?
§ Conducting the Investigation
§ Attempted Break-in
§ Step 1: Identifying the System(s)
§ Step 2: Traffic between source and destination
§ How to detect attacks on your server?
§ Investigating Log Files
§ IIS Logs
§ Log file Codes
§ Apache Logs
§ Access_log
§ Log Security
§ Log File Information
§ Simple Request
§ Time/Date Field
§ Mirrored Site Detection
§ Mirrored Site in IIS Logs
§ Vulnerability Scanning Detection
§ Example of Attack in Log file
§ Web Page Defacement
§ Defacement using DNS Compromise
§ Investigating DNS Poisoning
§ Investigating FTP Servers
§ Example of FTP Compromise
§ FTP logs
§ SQL Injection Attacks
§ Investigating SQL Injection Attacks
§ Web Based Password Brute Force Attack
§ Investigating IP Address
§ Tools for locating IP Address
§ Investigating Dynamic IP Address
§ Location of DHCP Server Logfile

Module 21 Investigating Network Traffic
§ Network Intrusions and Attacks
§ Direct vs. Distributed Attacks
§ Automated Attacks
§ Accidental “Attacks”
§ Address Spoofing
§ IP Spoofing
§ ARP Spoofing
§ DNS Spoofing
§ Preventing IP Spoofing
§ Preventing ARP Spoofing
§ Preventing DNS Spoofing
§ VisualZone
§ DShield
§ Forensic Tools for Network Investigations
§ TCPDump
§ Ethereal
§ NetAnalyst
§ Ettercap
§ Ethereal

Module 22 Investigating Router Attacks
§ DoS Attacks
§ Investigating DoS Attacks
§ Investigating Router Attacks

Module 23 The Computer Forensics Process
§ Evidence Seizure Methodology
§ Before the Investigation
§ Document Everything
§ Confiscation of Computer Equipment

Module 24 Data Duplication
§ Tool: R-Drive Image
§ Tool: DriveLook
§ Tool: DiskExplorer for NTFS

Module 25 Windows Forensics
§ Gathering Evidence in Windows
§ Collecting Data from Memory
§ Collecting Evidence
§ Memory Dump
§ Manual Memory Dump (Windows 2000)
§ Manual Memory Dump (Windows XP)
§ PMDump
§ Windows Registry
§ Registry Data
§ Regmon utility
§ Forensic Tool: InCntrl5
§ Backing Up of the entire Registry
§ System State Backup
§ Forensic Tool: Back4Win
§ Forensic Tool: Registry Watch
§ System Processes
§ Process Monitors
§ Default Processes in Windows NT, 2000, and XP
§ Process-Monitoring Programs
§ Process Explorer
§ Look for Hidden Files
§ Viewing Hidden Files in Windows
§ NTFS Streams
§ Detecting NTFS Streams
§ Rootkits
§ Detecting Rootkits
§ Sigverif
§ Detecting Trojans and Backdoors
§ Removing Trojans and Backdoors
§ Port Numbers Used by Trojans
§ Examining the Windows Swap File
§ Swap file as evidence
§ Viewing the Contents of the Swap/Page File
§ Recovering Evidence from the Web Browser
§ Locating Browser History Evidence
§ Forensic Tool: Cache Monitor
§ Print Spooler Files
§ Steganography
§ Forensic Tool: StegDetect

Module 26 Linux Forensics
§ Performing Memory Dump on Unix Systems
§ Viewing Hidden Files
§ Executing Process
§ Create a Linux Forensic Toolkit
§ Collect Volatile Data Prior to Forensic Duplication
§ Executing a Trusted Shell
§ Determining Who is logged on to the System
§ Determining the Running Processes
§ Detecting Loadable Kernel Module Rootkits
§ LKM
§ Open Ports and Listening Applications
§ /proc file system
§ Log Files
§ Configuration Files
§ Low Level Analysis
§ Log Messages
§ Running syslogd
§ Investigating User Accounts
§ Collecting an Evidential Image
§ File Auditing Tools

Module 27 Investigating PDA
§ Paraben’s PDA Seizure

Module 28 Enforcement Law and Prosecution
§ Freedom of Information Act
§ Reporting Security Breaches to Law Enforcement
§ National Infrastructure Protection Center
§ Federal Computer Crimes and Laws
§ Federal Laws
§ The USA Patriot Act of 2001
§ Building the Cybercrime Case
§ How the FBI Investigates Computer Crime
§ Cyber Crime Investigations
§ Computer-facilitated crime
§ FBI
§ Federal Statutes
§ Local laws
§ Federal Investigative Guidelines
§ Gather Proprietary Information
§ Contact law enforcement
§ To initiate an investigation

Module 29 Investigating Trademark and Copyright Infringement
§ Trademarks
§ Trademark Eligibility
§ What is a service mark?
§ What is trade dress?
§ Internet domain name
§ Trademark Infringement
§ Conducting a Trademark Search
§ Using Internet to Search for Trademarks
§ Hiring a professional firm to conduct my trademark search
§ Trademark Registrations
§ Benefits of Trademark Registration
§ Copyright
§ How long does a copyright last?
§ Copyright Notice
§ Copyright “Fair Use” Doctrine
§ U.S. Copyright Office
§ How are copyrights enforced?
§ SCO vs IBM
§ What is Plagiarism?
§ Turnitin
§ Plagiarism Detection Tools
International Council of E-Commerce Consultants
67 Wall Street, 22nd Floor
New York, NY 10005-3198
USA

Phone: 212.709.8253
Fax: 212.943.2300

© 2002 EC-Council. All rights reserved.


This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
SUMMARY. EC-Council logo is registered trademarks or trademarks of EC-Council in the United States and/or other countries.
