The CHFI course gives participants the skills needed to identify an intruder's footprints and to properly gather the evidence required to prosecute. Many of today's top tools of the forensic trade are taught during this course, including software, hardware and specialized techniques. The need for businesses, as well as home users, to become more efficient and integrated with one another has given rise to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be compromised (hacked)?" but, rather, "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber-criminal, then this is the course for you.
Who Should Attend
Police and other law enforcement personnel, Defense and Military personnel, e-Business Security professionals, Systems administrators, Legal professionals, Banking, Insurance and other professionals, Government agencies, IT managers
Certification
The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CHFI certification.
Prerequisites
It is strongly recommended that you attend the CEH class before enrolling in the CHFI program.
Course duration
5 days
Course outline
Module 01: Computer Forensics in Today's World
- Ways of Forensic Data Collection
- Objectives of Computer Forensics
- Benefits of Forensic Readiness
- Categories of Forensics Data
- Computer Facilitated Crimes
  - Type of Computer Crimes
  - Examples of Evidence
- Stages of Forensic Investigation in Tracking Cyber Criminals
- Key Steps in Forensics Investigations
- Need for Forensic Investigator
- When An Advocate Contacts The Forensic Investigator, He Specifies How To Approach
- Enterprise Theory of Investigation (ETI)
- Where and when do you use Computer Forensics
- Legal Issues
- Reporting the Results
Module 02: Law and Computer Forensics
- Privacy Issues Involved in Investigations
- Fourth Amendment Definition
- Interpol - Information Technology Crime Center
- Internet Laws and Statutes
- Intellectual Property Rights
- Cyber Stalking
- Crime Investigating Organizations
- The G8 Countries: Principles to Combat High-tech Crime
  - The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)
- United Kingdom: Police and Justice Act 2006
- Australia: The Cybercrime Act 2001
- Belgium
- European Laws
- Austrian Laws
- Brazilian Laws
- Belgium Laws
- Canadian Laws
- France Laws
- Indian Laws
- German Laws
- Italian Laws
- Greece Laws
- Denmark Laws
- Norwegian Laws
- Netherlands Laws
- Internet Crime Schemes
  - Why You Should Report Cybercrime
  - Reporting Computer-related Crimes
  - Person Assigned to Report the Crime
  - When and How to Report an Incident?
  - Who to Contact at the Law Enforcement?
  - Federal Local Agents Contact
  - More Contacts
  - Cyberthreat Report Form
Module 03: Computer Investigation Process
- Securing the Computer Evidence
- Preparation for Searches
- Chain-of-Evidence Form
- Accessing the Policy Violation Case: Example
- 10 Steps to Prepare for a Computer Forensic Investigation
- Investigation Process
  - Policy and Procedure Development
  - Evidence Assessment
    - Case Assessment
    - Processing Location Assessment
    - Legal Considerations
    - Evidence Assessment
  - Evidence Acquisition
    - Write Protection
    - Acquire the Subject Evidence
  - Evidence Examination
    - Physical Extraction
    - Logical Extraction
    - Analysis of Extracted Data
    - Timeframe Analysis
    - Data Hiding Analysis
    - Application and File Analysis
    - Ownership and Possession
  - Documenting and Reporting
    - What Should be in the Final Report?
- Maintaining Professional Conduct
Module 04: First Responder Procedure
- Electronic Evidence
- The Forensic Process
- Types of Electronic Devices
  - Electronic Devices: Types and Collecting Potential Evidence
- Evidence Collecting Tools and Equipment
- First Response Rule
- Incident Response: Different Situations
  - First Response for System Administrators
  - First Response by Non-Laboratory Staff
  - First Response by Laboratory Forensic Staff
- Securing and Evaluating Electronic Crime Scene
- Ask These Questions When A Client Calls A Forensic Investigator
- Health and Safety Issues
- Consent
- Planning the Search and Seizure
  - Initial Search of the Scene
  - Witness Signatures
  - Conducting Preliminary Interviews
    - Initial Interviews
  - Documenting Electronic Crime Scene
  - Photographing the Scene
  - Sketching the Scene
  - Collecting and Preserving Electronic Evidence
    - Evidence Bag Contents List
    - Order of Volatility
    - Dealing with Powered OFF Computers at Seizure Time
    - Dealing with a Powered ON PC
    - Computers and Servers
    - Collecting and Preserving Electronic Evidence
    - Seizing Portable Computers
    - Switched ON Portables
    - Packaging Electronic Evidence
    - Exhibit Numbering
  - Transporting Electronic Evidence
  - Handling and Transportation to the Forensic Laboratory
- "Chain of Custody"
- Findings of Forensic Examination by Crime Category
Module 05: CSIRT
- How to Prevent an Incident?
- Defining the Relationship between Incident Response, Incident Handling, and Incident Management
- Incident Response Checklist
- Incident Management
- Why don't Organizations Report Computer Crimes?
- Estimating Cost of an Incident
- Vulnerability Resources
- Category of Incidents
  - Category of Incidents: Low Level
  - Category of Incidents: Mid Level
  - Category of Incidents: High Level
- CSIRT: Goals and Strategy
  - Motivation behind CSIRTs
  - Why an Organization needs an Incident Response Team?
  - Who works in a CSIRT?
  - Staffing your Computer Security Incident Response Team: What are the Basic Skills Needed?
  - Team Models
  - CSIRT Services can be Grouped into Three Categories:
  - CSIRT Case Classification
  - Types of Incidents and Level of Support
  - Service Description Attributes
  - Incident Specific Procedures
  - How CSIRT handles Case: Steps
  - US-CERT Incident Reporting System
    - CSIRT Incident Report Form
    - CERT(R) Coordination Center: Incident Reporting Form
  - Limits to Effectiveness in CSIRTs
  - Working Smarter by Investing in Automated Response Capability
- World CERTs: http://www.trusted-introducer.nl/teams/country.html
- http://www.first.org/about/organization/teams/
- IRTs Around the World
Module 06: Computer Forensic Lab
- Ambience of a Forensics Lab: Ergonomics
- Forensic Laboratory Requirements
  - Paraben Forensics Hardware: Handheld First Responder Kit
  - Paraben Forensics Hardware: Wireless StrongHold Bag
  - Paraben Forensics Hardware: Remote Charger
  - Paraben Forensics Hardware: Device Seizure Toolbox
  - Paraben Forensics Hardware: Wireless StrongHold Tent
  - Paraben Forensics Hardware: Passport StrongHold Bag
  - Paraben Forensics Hardware: Project-a-Phone
  - Paraben Forensics Hardware: SATA Adaptor Male/ Data cable for Nokia 7110/6210/6310/i
  - Paraben Forensics Hardware: Lockdown
  - Paraben Forensics Hardware: SIM Card Reader/ Sony Clie N & S Series Serial Data Cable
  - Paraben Forensics Hardware: USB Serial DB9 Adapter
- Portable Forensic Systems and Towers: Forensic Air-Lite VI MKII laptop
  - Portable Forensic Systems and Towers: Original Forensic Tower II
  - Portable Forensic Systems and Towers: Portable Forensic Workhorse V
  - Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
  - Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
  - Portable Forensic Systems and Towers: Forensic Tower II
- Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit
  - Tableau T3u Forensic SATA Bridge Write Protection Kit
  - Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
- Power Supplies and Switches
- DIBS® Mobile Forensic Workstation
  - DIBS® Advanced Forensic Workstation
  - DIBS® RAID: Rapid Action Imaging Device
- Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)
- Forensic Workstations
- Tools: LiveWire Investigator
- Features of the Laboratory Imaging System
  - Technical Specification of the Laboratory-based Imaging System
- Computer Forensic Labs, Inc
  - Procedures at Computer Forensic Labs (CFL), Inc
- Data Destruction Industry Standards
Module 07: Understanding File Systems and Hard Disks
- Types of Hard Disk Interfaces
  - Types of Hard Disk Interfaces: SCSI
  - Types of Hard Disk Interfaces: IDE/EIDE
  - Types of Hard Disk Interfaces: USB
  - Types of Hard Disk Interfaces: ATA
  - Types of Hard Disk Interfaces: Fibre Channel
  - Disk Capacity Calculation
  - Evidor: The Evidence Collector
  - WinHex
- EFS Key
- FAT vs. NTFS
- Windows Boot Process (XP/2003)
- http://www.bootdisk.com
Module 08: Understanding Digital Media Devices
- Digital Storage Devices
- Magnetic Tape
- Floppy Disk
- Compact Disk
- CD-ROM
- DVD
  - DVD-R, DVD+R, and DVD+R(W)
  - DVD-RW, DVD+RW
  - DVD+R DL/ DVD-R DL/ DVD-RAM
  - HD-DVD (High Definition DVD)
  - HD-DVD
- Blu-Ray
- CD Vs DVD Vs Blu-Ray
- HD-DVD vs. Blu-Ray
- iPod
- Zune
- Flash Memory Cards
  - Secure Digital (SD) Memory Card
  - Compact Flash (CF) Memory Card
  - Memory Stick (MS) Memory Card
  - Multi Media Memory Card (MMC)
  - xD-Picture Card (xD)
  - SmartMedia Memory (SM) Card
- USB Flash Drives
  - USB Flash in a Pen
Module 09: Windows, Linux and Macintosh Boot Processes
- Terminologies
- Boot Loader
- Boot Sector
- Anatomy of MBR
- Basic System Boot Process
- MS-DOS Boot Process
- Windows XP Boot Process
- Common Startup Files in UNIX
- List of Important Directories in UNIX
- Linux Boot Process
- Macintosh Forensic Software by BlackBag
  - Directory Scan
  - FileSpy
  - HeaderBuilder
- Carbon Copy Cloner (CCC)
- MacDrive6
Module 10: Windows Forensics
- Windows Forensics Tool: Helix
  - Tools Present in Helix CD for Windows Forensics
  - Helix Tool: SecReport
  - Helix Tool: Windows Forensic Toolchest (WFT)
- MD5 Generator: Chaos MD5
  - Secure Hash Signature Generator
  - MD5 Generator: Mat-MD5
  - MD5 Checksum Verifier 2.1
- Registry Viewer Tool: RegScanner
- Virtual Memory