Course Description
The CHFI course will give participants the necessary skills to identify an intruder's footprints and to properly gather the evidence needed to prosecute. Many of today's top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as with the home user, has given rise to a new type of criminal, the "cyber-criminal." It is no longer a matter of "will your organization be compromised (hacked)?" but, rather, "when?" Today's battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into almost every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cyber-criminal, then this is the course for you.
Who Should Attend
Police and other law enforcement personnel, Defense and Military personnel, e-Business Security professionals, Systems administrators, Legal professionals, Banking, Insurance and other professionals, Government agencies, IT managers
Prerequisites
It is strongly recommended that you attend the CEH class before enrolling in the CHFI program.
Duration
5 days (9:00 – 5:00)
Certification
The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CHFI certification.
Course Outline v3

Module 01: Computer Forensics in Today's World
  § Ways of Forensic Data Collection
  § Objectives of Computer Forensics
  § Benefits of Forensic Readiness
  § Categories of Forensics Data
  § Computer Facilitated Crimes
    o Type of Computer Crimes
    o Examples of Evidence
  § Stages of Forensic Investigation in Tracking Cyber Criminals
  § Key Steps in Forensics Investigations
  § Need for Forensic Investigator
  § When An Advocate Contacts The Forensic Investigator, He Specifies How To Approach
  § Enterprise Theory of Investigation (ETI)
  § Where and when do you use Computer Forensics
  § Legal Issues
  § Reporting the Results

Module 02: Law and Computer Forensics
  § Privacy Issues Involved in Investigations
  § Fourth Amendment Definition
  § Interpol - Information Technology Crime Center
  § Internet Laws and Statutes
  § Intellectual Property Rights
  § Cyber Stalking
  § Crime Investigating Organizations
  § The G8 Countries: Principles to Combat High-tech Crime
    o The G8 Countries: Action Plan to Combat High-Tech Crime (International Aspects of Computer Crime)
  § United Kingdom: Police and Justice Act 2006
  § Australia: The Cybercrime Act 2001
  § Belgium
  § European Laws
  § Austrian Laws
  § Brazilian Laws
  § Belgium Laws
  § Canadian Laws
  § France Laws
  § Indian Laws
  § German Laws
  § Italian Laws
  § Greece Laws
  § Denmark Laws
  § Norwegian Laws
  § Netherlands Laws
  § Internet Crime Schemes
    o Why You Should Report Cybercrime
    o Reporting Computer-related Crimes
    o Person Assigned to Report the Crime
    o When and How to Report an Incident?
    o Who to Contact at the Law Enforcement?
    o Federal Local Agents Contact
    o More Contacts
    o Cyberthreat Report Form

Module 03: Computer Investigation Process
  § Securing the Computer Evidence
  § Preparation for Searches
  § Chain-of-Evidence Form
  § Accessing the Policy Violation Case: Example
  § 10 Steps to Prepare for a Computer Forensic Investigation
  § Investigation Process
    o Policy and Procedure Development
    o Evidence Assessment
      · Case Assessment
      · Processing Location Assessment
      · Legal Considerations
      · Evidence Assessment
    o Evidence Acquisition
      · Write Protection
      · Acquire the Subject Evidence
    o Evidence Examination
      · Physical Extraction
      · Logical Extraction
      · Analysis of Extracted Data
      · Timeframe Analysis
      · Data Hiding Analysis
      · Application and File Analysis
      · Ownership and Possession
    o Documenting and Reporting
      · What Should be in the Final Report?
  § Maintaining Professional Conduct

Module 04: First Responder Procedure
  § Electronic Evidence
  § The Forensic Process
  § Types of Electronic Devices
    o Electronic Devices: Types and Collecting Potential Evidence
  § Evidence Collecting Tools and Equipment
  § First Response Rule
  § Incident Response: Different Situations
    o First Response for System Administrators
    o First Response by Non-Laboratory Staff
    o First Response by Laboratory Forensic Staff
  § Securing and Evaluating Electronic Crime Scene
  § Ask These Questions When A Client Calls A Forensic Investigator
  § Health and Safety Issues
  § Consent
  § Planning the Search and Seizure
    o Initial Search of the Scene
    o Witness Signatures
    o Conducting Preliminary Interviews
      · Initial Interviews
    o Documenting Electronic Crime Scene
    o Photographing the Scene
    o Sketching the Scene
    o Collecting and Preserving Electronic Evidence
      · Evidence Bag Contents List
      · Order of Volatility
      · Dealing with Powered OFF Computers at Seizure Time
      · Dealing with a Powered ON PC
      · Computers and Servers
      · Collecting and Preserving Electronic Evidence
      · Seizing Portable Computers
      · Switched ON Portables
      · Packaging Electronic Evidence
      · Exhibit Numbering
    o Transporting Electronic Evidence
    o Handling and Transportation to the Forensic Laboratory
  § 'Chain of Custody'
  § Findings of Forensic Examination by Crime Category

Module 05: CSIRT
  § How to Prevent an Incident?
  § Defining the Relationship between Incident Response, Incident Handling, and Incident Management
  § Incident Response Checklist
  § Incident Management
  § Why don't Organizations Report Computer Crimes?
  § Estimating Cost of an Incident
  § Vulnerability Resources
  § Category of Incidents
    o Category of Incidents: Low Level
    o Category of Incidents: Mid Level
    o Category of Incidents: High Level
  § CSIRT: Goals and Strategy
    o Motivation behind CSIRTs
    o Why an Organization needs an Incident Response Team?
    o Who works in a CSIRT?
    o Staffing your Computer Security Incident Response Team: What are the Basic Skills Needed?
    o Team Models
    o CSIRT Services can be Grouped into Three Categories
    o CSIRT Case Classification
    o Types of Incidents and Level of Support
    o Service Description Attributes
    o Incident Specific Procedures
    o How CSIRT handles Case: Steps
    o US-CERT Incident Reporting System
      · CSIRT Incident Report Form
      · CERT(R) Coordination Center: Incident Reporting Form
    o Limits to Effectiveness in CSIRTs
    o Working Smarter by Investing in Automated Response Capability
  § World CERTs: http://www.trusted-introducer.nl/teams/country.html
  § http://www.first.org/about/organization/teams/
  § IRTs Around the World

Module 06: Computer Forensic Lab
  § Ambience of a Forensics Lab: Ergonomics
  § Forensic Laboratory Requirements
    o Paraben Forensics Hardware: Handheld First Responder Kit
    o Paraben Forensics Hardware: Wireless StrongHold Bag
    o Paraben Forensics Hardware: Remote Charger
    o Paraben Forensics Hardware: Device Seizure Toolbox
    o Paraben Forensics Hardware: Wireless StrongHold Tent
    o Paraben Forensics Hardware: Passport StrongHold Bag
    o Paraben Forensics Hardware: Project-a-Phone
    o Paraben Forensics Hardware: SATA Adaptor Male / Data cable for Nokia 7110/6210/6310/i
    o Paraben Forensics Hardware: Lockdown
    o Paraben Forensics Hardware: SIM Card Reader / Sony Clie N & S Series Serial Data Cable
    o Paraben Forensics Hardware: USB Serial DB9 Adapter
  § Portable Forensic Systems and Towers: Forensic Air-Lite VI MKII laptop
    o Portable Forensic Systems and Towers: Original Forensic Tower II
    o Portable Forensic Systems and Towers: Portable Forensic Workhorse V
    o Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
    o Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
    o Portable Forensic Systems and Towers: Forensic Tower II
  § Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit
    o Tableau T3u Forensic SATA Bridge Write Protection Kit
    o Tableau T8 Forensic USB Bridge Kit / Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader
  § Power Supplies and Switches
  § DIBS® Mobile Forensic Workstation
    o DIBS® Advanced Forensic Workstation
    o DIBS® RAID: Rapid Action Imaging Device
  § Forensic Archive and Restore Robotic Devices: Forensic Archive and Restore (FAR Pro)
  § Forensic Workstations
  § Tools: LiveWire Investigator
  § Features of the Laboratory Imaging System
    o Technical Specification of the Laboratory-based Imaging System
  § Computer Forensic Labs, Inc
    o Procedures at Computer Forensic Labs (CFL), Inc
  § Data Destruction Industry Standards

Module 07: Understanding File Systems and Hard Disks
  § Types of Hard Disk Interfaces
    o Types of Hard Disk Interfaces: SCSI
    o Types of Hard Disk Interfaces: IDE/EIDE
    o Types of Hard Disk Interfaces: USB
    o Types of Hard Disk Interfaces: ATA
    o Types of Hard Disk Interfaces: Fibre Channel
    o Disk Capacity Calculation
    o Evidor: The Evidence Collector
    o WinHex
  § EFS Key
  § FAT vs. NTFS
  § Windows Boot Process (XP/2003)
  § http://www.bootdisk.com

Module 08: Understanding Digital Media Devices
  § Digital Storage Devices
  § Magnetic Tape
  § Floppy Disk
  § Compact Disk
  § CD-ROM
  § DVD
    o DVD-R, DVD+R, and DVD+R(W)
    o DVD-RW, DVD+RW
    o DVD+R DL / DVD-R DL / DVD-RAM
    o HD-DVD (High Definition DVD)
    o HD-DVD
  § Blu-Ray
  § CD vs. DVD vs. Blu-Ray
  § HD-DVD vs. Blu-Ray
  § iPod
  § Zune
  § Flash Memory Cards
    o Secure Digital (SD) Memory Card
    o Compact Flash (CF) Memory Card
    o Memory Stick (MS) Memory Card
    o Multi Media Memory Card (MMC)
    o xD-Picture Card (xD)
    o SmartMedia Memory (SM) Card
  § USB Flash Drives
    o USB Flash in a Pen

Module 09: Windows, Linux and Macintosh Boot Processes
  § Terminologies
  § Boot Loader
  § Boot Sector
  § Anatomy of MBR
  § Basic System Boot Process
  § MS-DOS Boot Process
  § Windows XP Boot Process
  § Common Startup Files in UNIX
  § List of Important Directories in UNIX
  § Linux Boot Process
  § Macintosh Forensic Software by BlackBag
    o Directory Scan
    o FileSpy