Cyber Forensics
Course Overview
The term cyber-crime no longer refers only to hackers and other external attackers. Almost every case of financial fraud or employee misuse involves a very strong element of computer-based evidence. The entire workshop is driven by hands-on exercises and case studies, so that every topic is approached through real-life scenarios.
Benefits:
This program addresses the key questions of:
- What should one do when there is a suspicion of a computer-based crime?
- What tools and techniques are most likely to yield the right set of clues?
- Demonstration of the world's leading forensics tool, EnCase
Target Audience:
- College Students
- Auditors and financial fraud examiners
- Chief Security Officers and Chief Technology Officers
- Professionals seeking a career in computer forensics and Cyber Crime Investigations
- Security and Network Administrators
Prerequisites:
- Basic Knowledge of Computer and Internet
Course Length:
- 40 hours
What will you learn?
Using artifacts from practical scenarios on the latest disk technologies, you will learn the following:
- The principles and guidelines for computer and mobile forensic investigations
- The process of evidence seizure and continuity
- The forensic acquisition of an electronic device
- How data is stored on electronic media
- The core functionality of forensic examination software
- How to identify platform-specific forensic artifacts
The course will also provide answers to many questions including:
- What is Cyber Forensics?
- How and where is data actually stored on a device?
- What is the difference between forensic imaging and cloning?
- Is keyword searching an effective way to identify data on a device?
- How is hashing used in forensics?
- What happens when a user deletes a file?
- How does ‘Private’ web browsing work?
- Can data be recovered after a 7 pass overwrite?
- Is there a backdoor to passwords and encryption?
- Who was using a computer on a particular occasion?
- How can I identify if and when a user edited or accessed a file?
- How is a cyber forensic examination performed in a legally sound manner?
- Are there any shortcuts to catching the attacker?
- How are mobile, computer, network and cloud forensics performed?
Tools of the trade:
- EnCase
- FTK
- Blackdog
- UFED
- Taruntala
- MOBILedit
- Oxygen Forensic
- The Sleuth Kit
- X-Ways
- Passware Kit Forensic
- AD-Triage
- EaseUS Data Recovery
- X1 Social Discovery toolkit
- Falcon Imager
- FOCA
- iRecovery
- Wipe Master
- DriveSpy
Note: This is a partial list of the tools to be used; many lightweight tools will also be used in the lab sessions for different purposes.
Module 1: Computer Forensics in Today’s World
- Define computer forensics
- Discuss the evolution of computer forensics
- Explain the objectives and benefits of computer forensics
- Discuss forensic readiness planning in detail
- Explain cyber crimes
- Examine various computer crimes
- What is cybercrime investigation?
- Explain the key steps and rules in forensic investigation
- What is the role of a forensics investigator?
- How to access computer forensics resources
- Describe the role of digital evidence in forensic investigation
- Understanding Corporate Investigations
- Explain the key concepts of Enterprise Theory of Investigation (ETI)
- Discuss various legal issues and reports related to computer forensic investigations
Module 2: Computer Forensics Investigation Process
- Provide an overview of computer crime investigation process
- Describe computer forensic investigation methodology
- Summarize the steps to prepare for a computer forensic investigation
- How to obtain a search warrant
- How to evaluate and secure a scene
- How to collect and secure the evidence in a forensically sound manner
- Explain the different techniques to acquire and analyze the data
- Summarize the importance of evidence and case assessment
- How to prepare the final investigation report
- How to testify in court as an expert witness
Module 3: Searching and Seizing Computers
- How to search and seize computers without a warrant
- Discuss the Fourth Amendment’s “Reasonable Expectation of Privacy”
- Define consent and discuss the scope of consent
- Summarize the steps involved in searching and seizing computers with a warrant
- Examine the basic strategies for executing computer searches
- Discuss the Privacy Protection Act
- Describe drafting the warrant and affidavit
- Explain the post-seizure issues
- Describe the Electronic Communications Privacy Act
- What is voluntary disclosure?
- Electronic Surveillance in Communications Networks
- Discuss how content is different from addressing information
- Provide an overview of evidence and authentication
Module 4: Digital Evidence
- Define digital evidence and explain its role in case of a computer security incident
- Discuss the characteristics of digital evidence
- What are the various types of digital data?
- What is the best evidence rule?
- Discuss federal rules of evidence
- Summarize the international principles for computer evidence
- Discuss the Scientific Working Group on Digital Evidence (SWGDE)
- What are the considerations for collecting digital evidence from electronic crime scenes?
- Provide an overview of digital evidence examination process and steps involved
- Explain electronic crime and digital evidence consideration by crime category
Module 5: First Responder Procedures
- Define electronic evidence
- Who is a first responder?
- Provide an overview on how to collect and store the electronic evidence
- Describe first responder tool kit and how to create it
- How to get a first response from laboratory forensic staff
- Provide an overview on how to collect and secure the electronic evidence at crime scene
- Explain how to conduct preliminary interviews
- How to document an electronic crime scene
- Explain how to collect and preserve electronic evidence
- Explain how to package and transport electronic evidence in a forensically sound manner
- How to prepare a crime scene report
- Provide a checklist for the first responders
- Discuss the first responder’s common mistakes
Module 6: Computer Forensics Lab
- How to set up a computer forensics lab
- Discuss the investigative services in computer forensics
- What are the basic hardware requirements in a forensics lab?
- List and summarize various forensic hardware tools
- Discuss the basic software requirements in a forensics lab
- Summarize various software forensic tools
Module 7: Understanding Hard Disks and File Systems
- What is a hard disk drive?
- Explain solid-state drive (SSD)
- Provide an overview of physical and logical structure of a hard disk
- Describe the various types of hard disk interfaces
- Examine the components of a hard disk
- What are disk partitions?
- Explain Windows and Macintosh boot process
- What are file systems?
- Explain various types of file systems
- Provide an overview of Windows, Linux, Mac OS X, and Sun Solaris 10 file systems
- Discuss the CD-ROM/DVD file system
- Explain RAID storage systems and RAID levels
- Explain file system analysis using The Sleuth Kit
Module 8: Windows Forensics
- What is volatile information?
- Explain what network and process information is
- Define non-volatile information
- Describe memory dump
- Explain how to parse process memory
- Describe different techniques for collecting non-volatile information such as registry settings and event logs
- Explain various processes involved in forensic investigation of a Windows system such as memory analysis, registry analysis, IE cache analysis, cookie analysis, MD5 calculation, Windows file analysis, and metadata investigation
- Provide an overview of IIS, FTP, and system firewall logs
- Discuss the importance of audit events and event logs in Windows forensics
- Explain the static and dynamic event log analysis techniques
- Discuss different Windows password security issues such as password cracking
- How to analyze restore point registry settings
- Provide an overview of cache, cookie, and history analysis
- How to evaluate account management events
- How to search with Event Viewer
- Discuss various forensics tools
Module 9: Data Acquisition and Duplication
- Define data acquisition and explain various types of data acquisition systems
- Explain various data acquisition formats and methods
- How to determine the best acquisition method
- What is contingency planning for image acquisitions?
- Describe static and live data acquisition
- Provide an overview of volatile data collection methodology
- Explain various types of volatile information
- What are the requirements of a disk imaging tool?
- How to validate data acquisitions
- Discuss Linux and Windows validation methods
- How to acquire RAID disks
- Examine the best practices of acquisition
- List various data acquisition software and hardware tools
Module 10: Recovering Deleted Files and Deleted Partitions
- Explain how to recover files in Windows, Mac, and Linux
- Discuss file recovery tools for Windows, Mac and Linux
- How to identify the creation date and last accessed date of a file, and deleted sub-directories
- How to recover deleted partitions, and a list of partition recovery tools
Module 11: Forensics Investigations Using AccessData FTK
- What is Forensic Toolkit (FTK®), and what are its various features?
- Explain FTK installation steps
- Discuss the FTK Case Manager
- How to restore an image to a disk
- Explain FTK examiner user interface
- How to verify drive image integrity
- Discuss how to mount an image to a drive
- Summarize the steps involved in creating a case
- Discuss the functions of FTK interface tabs
- Explain the steps involved in adding evidence to a case
- How to acquire local live evidence
- Explain the steps involved in acquiring data remotely using remote device management system (RDMS)
- Discuss the steps involved in imaging drives
- How to mount and unmount a device
- Explain the steps involved in conducting an index search and live search
- How to decrypt EFS Files and Folders
Module 12: Forensics Investigations Using EnCase
- Provide an overview of EnCase forensics
- Discuss EnCase, its uses, and functionality
- Discuss about EnCase forensics modules
- How to install EnCase Forensic
- Explain how to configure EnCase
- Provide an overview of case structure
- What is case management?
- How to add a device to a case and how to acquire a device
- Explain the verification process of evidence files
- What is a source processor?
- How to set up case options
- Discuss how to analyze and search files
- Describe how to view file content
- Provide an overview on bookmarks
- How to create various types of bookmark
- Explain how to create a report using the report tab
- How to export a report
Module 13: Steganography and Image File Forensics
- Summarize steganography and its types
- List the applications of steganography
- Discuss various digital steganography techniques
- What is Steganalysis?
- How to detect steganography
- List various steganography detection tools
- Discuss image file formats
- How to compress data
- How to process a forensic image using MATLAB
- Explain how to locate and recover image files
- How to identify unknown file formats
- List picture viewer tools and image file forensic tools
Module 14: Application Password Crackers
- What terminology is used?
- Explain the functionality of password crackers
- Summarize various types of passwords
- What is a password cracker?
- How does a password cracker work?
- Discuss various password cracking techniques
- List various types of password attacks
- List various system and application software password cracking
- What are default passwords?
- Discuss various password cracking tools
Module 15: Log Capturing and Event Correlation
- What are computer security logs?
- Discuss logon events in Windows
- What are IIS logs?
- How to view the DHCP logs
- What is ODBC logging?
- Explain the legality of using logs
- Explain log management
- Discuss various challenges in log management
- What is centralized logging?
- Discuss syslog
- Why synchronize computer times?
- What is NTP?
- List various NIST time servers
- Discuss various event correlation approaches
- List various log capturing and analysis tools
Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic
- Summarize network forensics concepts
- Explain the network forensics analysis mechanism
- What are intrusion detection systems (IDS)?
- Define the terms firewall and honeypot
- Discuss various network vulnerabilities
- Explain various types of network attacks
- Explain new-line injection attacks and timestamp injection attacks
- Where to look for evidence
- How to handle logs as evidence
- Explain how to condense a log file
- Why investigate network traffic?
- How to acquire traffic using DNS poisoning techniques
- Explain how to gather information from the ARP table
- List various traffic capturing and analysis tools
Module 17: Investigating Wireless Attacks
- Discuss various advantages and disadvantages of wireless networks
- List different components of wireless networks
- What are the various types of wireless networks?
- List various types of wireless standards
- What is MAC filtering?
- What is a Service Set Identifier (SSID)?
- Discuss various types of wireless encryption
- List various types of wireless attacks
- How to investigate wireless attacks
- What are the requirements for tool design, and what are the best practices for wireless forensics?
- List various wireless forensics tools
Module 18: Investigating Web Attacks
- What are Web Applications?
- Explain Web application architecture
- Why are Web servers compromised?
- Provide an overview of Web logs
- What are Internet Information Services (IIS) and Apache Web server logs?
- Discuss various types of Web attacks
- How to investigate Web attacks
- Explain the investigation process of Web attacks in Windows-based servers
- Describe how to investigate IIS and Apache logs
- When does Web page defacement occur?
- Discuss various security strategies for Web applications
- List various Web attack detection tools
- Discuss various tools for locating an IP address
Module 19: Tracking Emails and Investigating Email Crimes
- Explain the terms Email system, Email Clients, Email Servers, and Email Message
- Discuss the importance of electronic records management
- Discuss various types of Email crimes
- Provide examples of Email headers
- List common headers
- Why investigate Emails?
- Discuss the steps involved in investigation of Email crimes
- List various Email forensics tools
- What are the different laws and acts against Email Crimes?
Module 20: Mobile Forensics
- List different mobile devices
- What are the hardware and software characteristics of mobile devices?
- What is a cellular network?
- Provide an overview of mobile operating systems
- Discuss various types of mobile operating systems
- What can a criminal do with mobile phones?
- Describe various mobile forensics challenges
- Discuss various memory considerations in mobile devices
- What are the different precautions to be taken before investigation?
- Explain the process involved in mobile forensics
- List various mobile forensic hardware and software tools
Module 21: Investigative Reports
- Explain the importance of reports and the need for an investigative report
- Discuss the salient features of a good report
- Provide a computer forensics report template
- How is a report classified?
- Provide the layout of an investigative report
- What are the guidelines for writing a report?
- Provide an overview of investigative report format
- How to document a case report
- What are the best practices for investigators?
- How to write a report using FTK and ProDiscover
Module 22: Becoming an Expert Witness
- What is an Expert Witness?
- Explain the role of an expert witness
- Describe various types of expert witnesses
- What is the scope of expert witness testimony?
- Explain the differences between Technical Witness and Expert Witness
- What are the various steps involved in evidence processing?
- How to prepare a report
- List the rules pertaining to an expert witness’ qualification
- How to testify in court
- What are the general ethics while testifying?
- How to testify during direct and cross-examination
- How to find a computer forensic expert