Computer Hacking Forensic Investigator

Computer Hacking Forensic Investig Investiga ator  1

EC-Council

Computer Forensics Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to  prevent future attacks. Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. CHFI investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted,

identication of evidence in computer related crime and abuse cases. This may range from tracing the tracks of a hacker through a client’s systems, to tracing the originator of defamatory emails, to recovering signs of  fraud. The CHFI course will provide participants the necessary skills to identify an intruder’s footprints footprints and to properly gather the necessary evidence to prosecute in the court of law. The CHFI course will benet:

encrypted, or damaged le information. • Police and other law enforcement personnel • Defense and Military personnel • e-Business Security professionals • Systems administrators • Legal professiona professionals ls • Banking, Insurance and other professionals • Government agencies

Securing and analyzing electronic evidence is a central theme in an ever-increasin ever-increasing g number of conict situations and criminal cases. Electronic evidence is critical in the following situations: • Disloyal employees • Computer break-ins • Possession of pornography • Breach of contract • Industrial espionage • E-mail Fraud • Bankruptcy • Disputed dismissals • Web page defacements

• IT managers

• Theft of company documents Computer forensics enables the systematic and careful

2

EC-Council

3

EC-Council

Computer Hacking Forensic Investigator  (CHFI)

§

 Assessing the Case

§

Planning Your Investigation

§

Securing Your Evidence

Course Outline v1

Module 1 Computer Forensics and Investigations as a Profession §

§

Understanding Computer Forensics §

§

§

Understanding Data-Recovery Workstations and Software

Comparing Denitions of Computer Forensics Exploring a Brief History of Computer Forensics

Setting Up Your Workstation for Computer Forensics

§

Executing an Investigation

§

Gathering the Evidence Copying the Evidence Disk 

§

Developing Computer Forensics Resources

§

§

Preparing for Computing Investigations

§

Understanding Enforcement Agency  Investigations

§

Completing the Case

§

Critiquing the Case

§

§

§

Understanding Corporate Investigations

Module 3 Working with Windows and DOS Systems

Maintaining Professional Conduct

Module 2 Understanding Computer  Investigations §

§

§

§

 Analyzing Your Digital Evidence

§

Understanding File Systems

§

Understanding the Boot Sequence

§

Examining Registry Data

§

Disk Drive Overview 

§

Exploring Microsoft File Structures

§

Disk Partition Concerns

Preparing a Computer Investigation Examining a Computer Crime Examining a Company-Policy Violation Taking a Systematic Approach

4

EC-Council

§

Boot Partition Concerns

§

Exploring Macintosh Boot Tasks

§

Examining FAT Disks

§

Examining UNIX and Linux Disk Structures

§

Examining NTFS Disks

§

UNIX and Linux Overview 

§

NTFS System Files

§

Understanding modes

§

NTFS Attributes

§

§

NTFS Data Streams §

Understanding UNIX and Linux Boot Processes Understanding Linux Loader

§

NTFS Compressed Files

§

NTFS Encrypted File Systems (EFS)

§

EFS Recovery Key Agent

§

Examining Compact Disc Data Structures

§

Deleting NTFS Files

§

Understanding Other Disk Structures

§

Understanding Microsoft Boot Tasks

§

Examining SCSI Disks

§

Examining IDE/EIDE Devices

§

§

 Windows XP, 2000, and NT Startup

§

 Windows XP System Files

§

Understanding MS-DOS Startup Tasks

§

Other DOS Operating Systems

Module 5 The Investigator’s Ofce and Laboratory §

Module 4 Macintosh and Linux Boot Processes and Disk Structures §

Understanding the Macintosh File Structure

§

Understanding Volumes

UNIX and Linux Drives and Partition Scheme

§

§

§

5

Understanding Forensic Lab Certication Requirements Identifying Duties of the Lab Manager and Staff  Balancing Costs and Needs  Acquiring Certication and Training

EC-Council

§

Determining the Physical Layout of a Computer Forensics Lab

§

Maintaining Operating Systems and  Application Software Inventories

§

Identifying Lab Security Needs

§

Using a Disaster Recovery Plan

§

Conducting High-Risk Investigations

§

Planning for Equipment Upgrades

§

Considering Ofce Ergonomics

§

Using Laptop Forensic Workstations

§

Environmental Conditions

§

§

Lighting

§

Structural Design Considerations

§

Electrical Needs

§

Communications

§

Fire-suppression Systems

§

Evidence Lockers

§

Facility Maintenance

§

Physical Security Needs

§

§

§

Computer Forensics Lab Floor Plan Ideas

§

Selecting a Basic Forensic Workstation

§

Selecting Workstations for Police Labs

§

Creating a Forensic Boot Floppy Disk   Assembling the Tools for a Forensic Boot Floppy Disk  Retrieving Evidence Data Using a Remote Network Connection

Module 6 Current Computer Forensics Tools §

 Auditing a Computer Forensics Lab

§

§

§

Building a Business Case for Developing a Forensics Lab

§

§

§

Selecting Workstations for Private and Corporate Labs Stocking Hardware Peripherals

6

Evaluating Your Computer Forensics Software Needs Using National Institute of Standards and Technology (NIST) Tools Using National Institute of Justice (NU) Methods  Validating Computer Forensics Tools

§

Using Command-Line Forensics Tools

§

Exploring NTI Tools

EC-Council

§

Exploring Ds2dump

§

Exploring DataLifter

§

Reviewing DriveSpy 

§

Exploring ASRData

§

Exploring PDBlock 

§

Exploring the Internet History Viewer

§

Exploring PDWipe

§

§

Reviewing Image

§

Exploring Part

§

Exploring SnapBack DatArrest

§

Exploring Byte Back 

§

Exploring MaresWare

§

Exploring DIGS Mycroft v3

Exploring Other Useful Computer Forensics Tools

§

Exploring LTOOLS

§

Exploring Mtools

§

Exploring R-Tools

§

Using Explore2fs

§

Exploring @stake

§

Exploring TCT and TCTUTILs

Exploring Graphical User Interface (GUI) Forensics Tools

§

Exploring ILook 

§

Exploring AccessData Programs

§

Exploring HashKeeper

§

Exploring Guidance Software EnCase

§

Using Graphic Viewers

§

Exploring Ontrack 

§

Exploring Hardware Tools

§

Using BIAProtect

§

Computing-Investigation Workstations

§

Using LC Technologies Software

§

Building Your Own Workstation

§

Exploring WinHex Specialist Edition

§

Using a Write-blocker

§

§

§

Exploring DIGS Analyzer Professional Forensic Software

§

Exploring ProDiscover DFT

§

7

Using LC Technology International Hardware Forensic Computers

EC-Council

§

DIGS

§

Documenting Evidence

§

Digital Intelligence

§

Obtaining a Digital Signature

§

Image MASSter Solo

§

FastBloc

§

§

§

Module 8 Processing Crime and Incident Scenes

 Acard §

Processing Private-Sector Incident Scenes

§

Processing Law Enforcement Crime Scenes

NoWrite  Wiebe Tech Forensic DriveDock  §

§

Recommendations for a Forensic  Workstation

Understanding Concepts and Terms Used in  Warrants

§

Preparing for a Search

§

Identifying the Nature of the Case

§

Identifying the Type of Computing System

Module 7 Digital Evidence Controls §

Identifying Digital Evidence §

§

§

Understanding Evidence Rules Securing Digital Evidence at an Incident Scene

§

Determining Whether You Can Seize a Computer Obtaining a Detailed Description of the Location

§

Cataloging Digital Evidence

§

Determining Who Is in Charge

§

Lab Evidence Considerations

§

Using Additional Technical Expertise

§

Processing and Handling Digital Evidence

§

Determining the Tools You Need

§

Storing Digital Evidence

§

Preparing the Investigation Team

§

Evidence Retention and Media Storage Needs

§

8

Securing a Computer Incident or Crime Scene

EC-Council

§

Seizing Digital Evidence at the Scene

§

Using Other Forensics Acquisition Tools

§

Processing a Major Incident or Crime Scene

§

Exploring SnapBack DatArrest

§

Exploring SafeBack 

§

Exploring EnCase

§

§

Processing Data Centers with an Array of  RAIDS Using a Technical Advisor at an Incident or Crime Scene

Module 10 Computer Forensic Analysis

§

Sample Civil Investigation

§

Sample Criminal Investigation

§

Understanding Computer Forensic Analysis

§

Collecting Digital Evidence

§

Rening the Investigation Plan

§

Using DriveSpy to Analyze Computer Data

§

DriveSpy Command Switches

Module 9 Data Acquisition §

Determining the Best Acquisition Method

§

DriveSpy Keyword Searching

§

Planning Data Recovery Contingencies

§

DriveSpy Scripts

§

Using MS-DOS Acquisition Tools

§

DriveSpy Data-Integrity Tools

Understanding How DriveSpy Accesses Sector Ranges

§

DriveSpy Residual Data Collection Tools

§

Other Useful DriveSpy Command Tools

§

§

Data Preservation Commands §

§

§

§

§

Using DriveSpy Data Manipulation Commands

Using Other Digital Intelligence Computer Forensics Tools

§

Using PDBlock and PDWipe

§

Using AccessData’s Forensic Toolkit

§

Performing a Computer Forensic Analysis

Using Windows Acquisition Tools  AccessData FTK Explorer  Acquiring Data on Linux Computers

9

EC-Council

§

§

Setting Up Your Forensic Workstation Performing Forensic Analysis on Microsoft File Systems

§

Copying an E-mail Message

§

Printing an E-mail Message

§ §

§

§

UNIX and Linux Forensic Analysis

§

Marking Bad Clusters

§

§

§

Examining an E-mail Header

§

Examining Additional E-mail Files

§

Tracing an E-mail Message

§

Using Network Logs Related to E-mail

§

Understanding E-mail Servers

§

Examining UNIX E-mail Server Logs

§

Examining Microsoft E-mail Server Logs

§

Examining Novell GroupWise E-mail Logs

§

Using Specialized E-mail Forensics Tools

 Addressing Data Hiding Techniques Hiding Partitions

§

§

Macintosh Investigations

§

 Viewing E-mail Headers

Bit-Shifting Using Steganography  Examining Encrypted Files Recovering Passwords

Module 11 E-mail Investigations Module 12 Recovering Image Files §

§

§

Understanding Internet Fundamentals §

Recognizing an Image File

§

Understanding Bitmap and Raster Images

§

Understanding Vector Images

Understanding Internet Protocols Exploring the Roles of the Client and Server in E-mail

§

Investigating E-mail Crimes and Violations

§

Metae Graphics

§

Identifying E-mail Crimes and Violations

§

Understanding Image File Formats

§

Examining E-mail Messages

§

Understanding Data Compression

10

EC-Council

§

Reviewing Lossless and Lossy Compression

§

§

Locating and Recovering Image Files

§

Providing Supporting Material

§

Identifying Image File Fragments

§

Formatting Consistently 

§

Repairing Damaged Headers

§

Explaining Methods

§

Reconstructing File Fragments

§

Data Collection

§

Identifying Unknown File Formats

§

Including Calculations

§

§

 Analyzing Image File Headers

§

Tools for Viewing Images

 Writing Clearly 

Providing for Uncertainty and Error  Analysis

§

Understanding Steganography in Image Files

Explaining Results

§

Discussing Results and Conclusions

§

Using Steganalysis Tools

§

Providing References

§

Identifying Copyright Issues with Graphics

§

Including Appendices

§

Providing Acknowledgments

§

Formal Report Format

§

Module 13 Writing Investigation Reports §

Understanding the Importance of Reports

§

§

Limiting the Report to Specics

§

§

Types of Reports

§

Expressing an Opinion

§

Designing the Layout and Presentation

§

Litigation Support Reports versus Technical Reports

§

§

 Writing the Report Using FTK Demo Version

Module 14 Becoming an Expert Witness

11

Comparing Technical and Scientic Testimony  Preparing for Testimony 

EC-Council

§

Documenting and Preparing Evidence

§

Understanding Prosecutorial Misconduct

§

Keeping Consistent Work Habits

§

Preparing for a Deposition

§

Processing Evidence

§

Guidelines for Testifying at a Deposition

§

Recognizing Deposition Problems

§

Public Release: Dealing with Reporters

§

Forming an Expert Opinion

§

Determining the Origin of a Floppy Disk 

§

§

§

Serving as a Consulting Expert or an Expert  Witness Creating and Maintaining Your CV  Preparing Technical Denitions

§

Testifying in Court

§

Understanding the Trial Process

§

Qualifying Your Testimony and Voir Dire

§

Module 15 Computer Security Incident Response Team

 Addressing Potential Problems

§

Incident Response Team

§

Testifying in General

§

Incident Reporting Process

§

Presenting Your Evidence

§

Low-level incidents

§

Using Graphics in Your Testimony 

§

Mid-level incidents

§

Helping Your Attorney 

§

High-level incidents

§

§

 Avoiding Testimony Problems

§

Testifying During Direct Examination

§

Using Graphics During Testimony 

§

Testifying During Cross-Examination

§

Exercising Ethics When Testifying

§

 Why would an organization need a CSIRT?

§

 What types of CSIRTs exist?

§

12

 What is a Computer Security Incident Response Team (CSIRT)?

Other Response Teams Acronyms

EC-Council

§

 What does a CSIRT do?

§

Passive Detection Methods

§

 What is Incident Handling?

§

Dump Event Log Tool (Dumpel.exe)

§

Need for CSIRT in Organizations

§

EventCombMT

§

Best Practices for Creating a CSIRT?

§

Event Collection

§

Scripting

§

Event Collection Tools

§

Forensic Tool: fwanalog

§

Elements of an End-to-End Forensic Trace

Module 16 Logle Analysis §

§

Secure Audit Logging  Audit Events

§

Syslog

§

Log Analysis and Correlation

§

Message File

§

TCPDump logs

§

Setting Up Remote Logging

§

Intrusion Detection Log (RealSecure)

§

Linux Process Tracking

§

Intrusion Detection Log (SNORT)

§

 Windows Logging

§

Remote Logging in Windows

§

ntsyslog

§

§

§

§

Module 17 Recovering Deleted Files

 Application Logging Extended Logging Monitoring for Intrusion and Security  Events

§

The Windows Recycle Bin

§

Digital evidence

§

Recycle Hidden Folder

§

How do I undelete a le?

§

e2undel

Importance of Time Synchronization

13

EC-Council

§

O&O UnErase

§

§

Restorer2000

§

§

BadCopy Pro

§

§

File Scavenger

§

Passware Kit

§

Mycroft v3

§

How to Bypass BIOS Passwords

§

PC ParaChute

§

BIOS Password Crackers

§

Search and Recover

§

Removing the CMOS Battery 

§

Stellar Phoenix Ext2,Ext3

§

Default Password Database

§

Zero Assumption Digital Image Recovery 

§

FileSaver

§

 APDFPR  Distributed Network Attack   Windows XP / 2000 / NT Key 

Module 19 Investigating E-Mail Crimes

 VirtualLab Data Recovery 

§

E-mail Crimes

§

R-Linux

§

Sending Fakemail

§

Drive & Data Recovery 

§

Sending E-mail using Telnet

§

Tracing an e-mail

§

Mail Headers

§

Reading Email Headers

§

 Active@ UNERASER - DATA Recovery 

Module 18 Application Password Crackers §

 Advanced Ofce XP Password Recovery 

§

Tracing Back 

§

 AOXPPR 

§

Tracing Back Web Based E-mail

§

 Accent Keyword Extractor

§

Microsoft Outlook Mail

§

 Advanced PDF Password Recovery 

§

Pst File Location

14

EC-Council

§

Tool: R-Mail

destination

§

Tool: FinaleMail

§

How to detect attacks on your server?

§

Searching E-mail Addresses

§

Investigating Log Files

§

E-mail Search Site

§

IIS Logs

§

abuse.net

§

Log le Codes

§

Network Abuse Clearing House

§

 Apache Logs

§

Handling Spam

§

 Access_log

§

Protecting your E-mail Address from Spam

§

Log Security 

§

Tool: Enkoder Form

§

Log File Information

§

Tool: eMailTrackerPro

§

Simple Request

§

Tool: SPAM Punisher

§

Time/Date Field

§

Mirrored Site Detection

§

Mirrored Site in IIS Logs

Module 20 Investigating Web Attacks

§

§

§

§

§

How to Tell an Attack is in Progress

§

 What to Do When You Are Under Attack?

§

Conducting the Investigation  Attempted Break-in

 Vulnerability Scanning Detection Example of Attack in Log le  Web Page Defacement

§

Defacement using DNS Compromise

§

Investigating DNS Poisoning

§

Step 1: Identing the System(s)

§

Investigating FTP Servers

§

Step 2: Trafc between source and

§

Example of FTP Compromise

15

EC-Council

§

FTP logs

§

§

SQL Injection Attacks

§

§

Investigating SQL Injection Attacks

§

DShield

§

Forensic Tools for Network Investigations

§

 Web Based Password Brute Force Attack 

Preventing DNS Spoong  VisualZone

§

Investigating IP Address

§

TCPDump

§

Tools for locating IP Address

§

Ethereal

§

Investigating Dynamic IP Address

§

NetAnalyst

§

Location of DHCP Server Logle

§

Ettercap

§

Ethereal

Module 21 Investigating Network Trafc §

Network Intrusions and Attacks

§

Direct vs. Distributed Attacks

Module 22 Investigating Router Attacks §

DoS Attacks

§

 Automated Attacks

§

Investigating DoS Attacks

§

 Accidental “Attacks”

§

Investigating Router Attacks

§

 Address Spoong

§

§

IP Spoong

Module 23 The Computer Forensics Process

 ARP Spoong

§

DNS Spoong

§

Preventing IP Spoong

§

Preventing ARP Spoong

16

§

Evidence Seizure Methodology 

§

Before the Investigation

§

Document Everything

EC-Council

§

Conscation of Computer Equipment

§

System State Backup

§

Forensic Tool: Back4Win

§

Forensic Tool: Registry Watch

§

System Processes

§

Process Monitors

Module 24 Data Duplication §

§

§

Tool: R-Drive Image Tool:  DriveLook Tool: DiskExplorer for NTFS §

Module 25 Windows Forensics

Default Processes in Windows NT, 2000, and XP

§

Process-Monitoring Programs

§

Gathering Evidence in Windows

§

Process Explorer

§

Collecting Data from Memory 

§

Look for Hidden Files

§

Collecting Evidence

§

§

Memory Dump

§

NTFS Streams

§

Manual Memory Dump (Windows 2000)

§

Detecting NTFS Streams

§

Manual Memory Dump (Windows XP)

§

Rootkits

§

PMDump

§

Detecting Rootkits

§

Sigverif 

§

 Windows Registry 

 Viewing Hidden Files in Windows

§

Registry Data

§

Detecting Trojans and Backdoors

§

Regmon utility 

§

Removing Trojans and Backdoors

§

Forensic Tool: InCntrl5

§

Port Numbers Used by Trojans

§

Backing Up of the entire Registry 

§

Examining the Windows Swap File

17

EC-Council

§

§

Swap le as evidence  Viewing the Contents of the Swap/Page File

§

LKM

§

Open Ports and Listening Applications

§

Recovering Evidence from the Web Browser

§

/proc le system

§

Locating Browser History Evidence

§

Log Files

§

Forensic Tool: Cache Monitor

§

Conguration Files

§

Print Spooler Files

§

Low Level Analysis

§

Steganography 

§

Log Messages

§

Forensic Tool: StegDetect

§

Running syslogd

§

Investigating User Accounts

§

Collecting an Evidential Image

§

File Auditing Tools

Module 26 Linux Forensics §

§

Performing Memory Dump on Unix Systems  Viewing Hidden Files

§

Executing Process

§

Create a Linux Forensic Toolkit

§

Module 27 Investigating PDA §

Paraben’s PDA Seizure

Collect Volatile Data Prior to Forensic Duplication Module 28 Enforcement Law and Prosecution

§

Executing a Trusted Shell

§

Determining Who is logged on to the System

§

§

Determining the Running Processes

§

§

Detecting Loadable Kernel Module Rootkits §

18

Freedom of Information Act Reporting Security Breaches to Law  Enforcement National Infrastructure Protection Center

EC-Council

§

Federal Computer Crimes and Laws

§

§

Federal Laws

§

Internet domain name

§

The USA Patriot Act of 2001

§

Trademark Infringement

§

Building the Cybercrime Case

§

Conducting a Trademark Search

§

How the FBI Investigates Computer Crime

§

Using Internet to Search for Trademarks

§

Cyber Crime Investigations

§

§

Computer-facilitated crime

§

FBI

§

Federal Statutes

§

Local laws

§

Federal Investigative Guidelines

§

Gather Proprietary Information

§

Contact law enforcement

§

Hiring a professional rm to conduct my  trademark search

§

Trademark Registrations

§

Benets of Trademark Registration

§

Copyright

§

How long does a copyright last?

§

Copyright Notice

§

Copyright “Fair Use” Doctrine

§

U.S. Copyright Ofce

§

How are copyrights enforced?

§

SCO vs IBM

To initiate an investigation

Module 29 Investigating Trademark and Copyright Infringement

 What is trade dress?

§

 What is Plagiarism?

§

Trademarks

§

Turnitin

§

Trademark Eligibility 

§

Plagiarism Detection Tools

§

 What is a service mark?

19

EC-Council

International Council of E-Commerce Consultants 67 Wall Street, 22nd Floor New York, NY 10005-3198 USA  Phone: 212.709.8253 Fax: 212.943.2300

© 2002 EC-Council. All rights reserved. This document is for informational purposes only. EC-Council MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY. EC-Council logo is registered trademarks or trademarks of EC-Council in the United States and/or other countries.

20

EC-Council