Cyber Forensics

Course Overview

The term cyber-crime no longer refers only to hackers and other external attackers. Almost all every case of financial fraud or employee misuse involves a very strong element of computer-based evidence. The entire workshop is driven by hands-on exercises and case studies to ensure that all aspects have a real-life scenario-based approach.


This program addresses the key questions of:
  • What should one do when there is a suspicion of a computer-based crime?
  • What tools and techniques are most likely to yield the right set of clues?
  • Demonstration with the worlds’ leading forensics tool – Encase

Target Audience:

  • College Students
  • Auditors and financial fraud examiners
  • Chief Security Officers and Chief Technology Officers
  • Professionals seeking a career in computer forensics and Cyber Crime Investigations
  • Security and Network Administrators


  • Basic Knowledge of Computer and Internet

Course Length:

  • 40 hours

What will you learn?

Using practical scenarios based artifacts with the latest disk technologies, you will learn the following:
  • The principles and guidelines for computer and mobile forensic investigations
  • The process of evidence seizure and continuity
  • The forensic acquisition of an electronic device
  • How data is stored on electronic media
  • The core functionality of forensic examination software
  • How to identify platform specific forensic artifacts.
The course will also provide answers to many questions including:
  • What is Cyber Forensics?
  • How and where is data actually stored on a device?
  • What is the difference between forensic imaging and cloning?
  • Is keyword searching an effective way to identify data on a device?
  • How is hashing used in forensics?
  • What happens when a user deletes a file?
  • How can ‘Private’ web-browsing work?
  • Can data be recovered after a 7 pass overwrite?
  • Is there a backdoor to passwords and encryption?
  • Who was using a computer on a particular occasion?
  • How can I identify if and when a user edited or accessed a file?
  • How to perform cyber forensic examination in a legal manner?
  • Do we have any shortcuts to catch the attacker?
  • How to perform mobile, computer, network and cloud forensics?

Tools of trade:

  1. Encase
  2. FTK
  3. Blackdog
  4. UFED
  5. Taruntala
  6. Mobiledit
  7. Oxygen Forensic
  8. sleuth kit
  9. x-ways
  10. Passware kit forensics
  11. AD-Triage
  12. Easeus Data Recovery
  13. x1 social discovery toolkit
  14. Falcon Imager
  15. Foca
  16. Irecovery
  17. Wipe Master
  18. Drivespy
Note: These are a partial set of tools to be used and many lightweight tools will be used in the lab sessions for different purposes.

Module 1: Computer Forensics in Today’s World

  1. Define computer forensics
  2. Discuss the evolution of computer forensics
  3. Explain the objectives and benefits of computer forensics
  4. Discuss forensic readiness planning in detail
  5. Explain cyber crimes
  6. Examine various computer crimes
  7. What is cybercrime investigation?
  8. Explain the key steps and rules in forensic investigation
  9. What is the role of a forensics investigator?
  10. How to access computer forensics resources
  11. Describe the role of digital evidence in forensic investigation
  12. Understanding Corporate Investigations
  13. Explain the key concepts of Enterprise Theory of Investigation (ETI)
  14. Discuss various legal issues and reports related to computer forensic investigations

Module 2: Computer Forensics Investigation Process

  1. Provide an overview of computer crime investigation process
  2. Describe computer forensic investigation methodology
  3. Summarize the steps to prepare for a computer forensic investigation
  4. How to obtain a search warrant
  5. How to evaluate and secure a scene
  6. How to collect and secure the evidence in a forensically sound manner
  7. Explain the different techniques to acquire and analyze the data
  8. Summarize the importance of evidence and case assessment
  9. How to prepare the final investigation report
  10. Testify in the Court as an Expert Witness

Module 3: Searching and Seizing Computers

  1. How to searching and seize computers without a warrant
  2. Discuss the Fourth Amendment’s “Reasonable Expectation of Privacy”
  3. What is consent and discuss the scope of consent
  4. Summarize the steps involved in searching and seizing computers with a warrant
  5. Examine the basic strategies for executing computer searches
  6. Discuss the Privacy Protection Act
  7. Describe drafting the warrant and affidavit
  8. Explain the post-seizure issues
  9. Describe the Electronic Communications Privacy Act
  10. What is voluntary disclosure?
  11. Electronic Surveillance in Communications Networks
  12. Discuss how content is different from addressing information
  13. Provide an overview of evidence and authentication

Module 4: Digital Evidence

  1. Define digital evidence and explain its role in case of a computer security incident
  2. Discuss the characteristics of digital evidence
  3. What are the various types of digital data?
  4. What is best evidence rule?
  5. Discuss federal rules of evidence
  6. Summarize the international principles for computer evidence
  7. Discuss about the Scientific Working Group on Digital Evidence (SWGDE)
  8. What are the considerations for collecting digital evidence from electronic crime scenes?
  9. Provide an overview of digital evidence examination process and steps involved
  10. Explain electronic crime and digital evidence consideration by crime category

Module 5: First Responder Procedures

  1. Define electronic evidence
  2. Who is first responder?
  3. Provide an overview on how to collect and store the electronic evidence
  4. Describe first responder tool kit and how to create it
  5. How to get first response from laboratory forensic staff
  6. Provide an overview on how to collect and secure the electronic evidence at crime scene
  7. Explain how to conduct preliminary interviews
  8. How to document electronic crime scene
  9. Explain how to collect and Preserve electronic evidence
  10. Explain how to package and transport electronic evidence in a forensically sound manner
  11. How to prepare report on crime scene
  12. Provide a checklist for the first responders
  13. Discuss the first responder’s common mistakes

Module 6: Computer Forensics Lab

  1. 1 How to set up a computer forensics lab
  2. Discuss the investigative services in computer forensics
  3. What are the basic hardware requirements in a forensics lab?
  4. List and summarize various hardware forensic
  5. Discuss the basic software requirements in a forensics lab
  6. Summarize various software forensic tools

Module 7: Understanding Hard Disks and File Systems

  1. What is a hard disk drive?
  2. Explain solid-state drive (SSD)
  3. Provide an overview of physical and logical structure of a hard disk
  4. Describe the various types of hard disk interfaces
  5. Examine the components of a hard disk
  6. What are disk partitions?
  7. Explain Windows and Macintosh boot process
  8. What are file systems?
  9. Explain various types of file systems
  10. Provide an overview of Windows, Linux, Mac OS X, and Sun Solaris 10 file systems
  11. Discuss about CD-ROM/DVD File System
  12. Explain about RAID storage system and RAID levels
  13. Explain file system analysis using the sleuth Kit

Module 8: Windows Forensics

  1. What is a volatile information?
  2. Explain what network and process information is
  3. Define non-volatile information
  4. Describe memory dump
  5. Parsing Process Memory
  6. Describe different techniques for collecting nonvolatile information such as registry settings and event logs
  7. Explain various processes involved in forensic investigation of a Windows system such as memory analysis, registry analysis, IE cache analysis, cookie analysis, MD5 calculation, Windows file analysis, and metadata investigation
  8. Provide an overview of IIS, FTP, and system firewall logs
  9. Discuss the importance of audit events and event logs in Windows forensics
  10. Explain the static and dynamic event log analysis techniques
  11. Discuss different Windows password security issues such as password cracking
  12. How to analyze restore point registry settings
  13. Provide an overview of cache, cookie, and history analysis
  14. How to evaluate account management events
  15. How to search with event viewer
  16. Discuss various forensics tools

Module 9: Data Acquisition and Duplication

  1. Define data acquisition and explain various types of data acquisition systems
  2. Explain various data acquisition formats and methods
  3. How to determine a best acquisition method
  4. What is contingency planning for image acquisitions?
  5. Describe static and live data acquisition
  6. Provide an overview of volatile data collection methodology
  7. Explain various types of volatile information
  8. What are the requirements of disk imaging tool
  9. How to validate data acquisitions
  10. Discuss Linux and Windows validation methods
  11. How to acquire RAID Disks
  12. Examine the best practices of acquisition
  13. List various data acquisition software and hardware tools

Module 10: Recovering Deleted Files and Deleted Partitions

  1. Explain how to recover files in Windows, MAC, and Linux
  2. Discuss file recovery tools for Windows, MAC and Linux
  3. How to identify creation date, last accessed date of a file, and deleted sub-directories
  4. How to recovering the deleted partitions and list partition recovery tools

Module 11: Forensics Investigations Using Access Data FTK

  1. What is Forensic Toolkit (FTK®) and discuss its various features
  2. Explain FTK installation steps
  3. Discuss about FTK Case Manager
  4. How to restore an image to a disk
  5. Explain FTK examiner user interface
  6. How to verify drive image integrity
  7. Discuss how to mount an image to a drive
  8. Summarize the steps involved in creating a case
  9. Discuss the functions of FTK interface tabs
  10. Explain the steps involved in adding evidence to a case
  11. 1How to acquire local live evidence
  12. Explain the steps involved in acquiring data remotely using remote device management system (RDMS)
  13. Discuss the steps involved in imaging drives
  14. How to mount and unmount a Device
  15. 11Explain the steps involved in conducting an index search and live search
  16. How to decrypt EFS Files and Folders

Module 12: Forensics Investigations Using EnCase

  1. Provide an overview of EnCase forensics
  2. Discuss EnCase, its uses, and functionality
  3. Discuss about EnCase forensics modules
  4. How to install EnCase forensic
  5. Explain how to configure EnCase
  6. Provide an overview of case structure
  7. What is case management?
  8. How to add a Device to a Case and how to acquire a Device
  9. Explain the verification process of evidence files
  10. What is a source processor?
  11. How to set up case options
  12. Discuss how to analyze and search files
  13. Describe how to view file content
  14. Provide an overview on bookmarks
  15. How to create various types of bookmark
  16. Explain how to create a report using the report tab
  17. How to export a Report

Module 13: Steganography and Image File Forensics

  1. Summarize steganography and its types
  2. List the application of steganography
  3. Discuss various digital steganography techniques
  4. What is Steganalysis?
  5. How to Detect Steganography
  6. List various steganography detection tools
  7. Discuss about image file formats
  8. How to compress data
  9. How to process forensic image using MATLAB
  10. Explain how to locate and recover image files
  11. How to identify unknown file formats
  12. List picture viewer tools and image file forensic tools

Module 14: Application Password Crackers

  1. What are the terminologies used
  2. Explain the functionality of password crackers
  3. Summarize various types of passwords
  4. What is a password cracker?
  5. How Does a Password Cracker Work?
  6. Discuss various password cracking techniques
  7. List various types of password attacks
  8. List various system and application software password cracking
  9. What are default passwords?
  10. Discuss various password cracking tools

Module 15: Log Capturing and Event Correlation

  1. What are computer security logs?
  2. Discuss about logon event in Window
  3. What are IIS LOGS?
  4. How to view the DHCP logs
  5. What is ODBC LOGGING?
  6. Explain legality of using logs
  7. Explain log management
  8. Discuss various challenges in log management
  9. What is centralized logging
  10. Discuss about syslog
  11. Why Synchronize Computer Times?
  12. What is NTP?
  13. List various NIST time servers
  14. Discuss various event correlation approaches
  15. List various log capturing and analysis tools

Module 16: Network Forensics, Investigating Logs and Investigating Network Traffic

  1. Summarize network forensics concepts
  2. Explain the network forensics analysis mechanism
  3. What are intrusion detection systems (IDS?)
  4. Define the terms firewall and honeypot
  5. Discuss various network vulnerabilities
  6. Explain various types of network attacks
  7. Explain new line injection attack and timestamp injection attack
  8. Where to Look for Evidence?
  9. How to handle logs as evidence
  10. Explain how to condense a log file
  11. Why to Investigate Network Traffic?
  12. How to acquire traffic using DNS poisoning techniques
  13. Explain how to gather from ARP table
  14. List various traffic capturing and analysis tools

Module 17: Investigating Wireless Attacks

  1. Discuss various advantages and disadvantages of wireless networks
  2. list different components of wireless networks
  3. What are the various types of wireless networks?
  4. List various types of wireless standards
  5. What is MAC FILTERING?
  6. What is a Service Set Identifier (SSID?)
  7. Discuss various types of wireless encryption
  8. List various types of wireless attacks
  9. How to investigate wireless attacks
  10. What are the requirements of a tool design and summarize the best practices for wireless forensics
  11. List various wireless forensics tools

Module 18: Investigating Web Attacks

  1. What are Web Applications?
  2. Explain Web application architecture
  3. Why Web servers are compromised
  4. Provide an overview of Web logs
  5. What are Internet Information Services (IIS) and apache Web server Logs
  6. Discuss various types of Web attacks
  7. How to investigate Web attacks
  8. Explain the investigation process of Web attacks in Windows-based servers
  9. Describe how to investigate IIS and Apache logs
  10. When does Web page defacement occur?
  11. Discuss various security strategies to Web applications
  12. List various Web attack detection tools
  13. Discuss about various tools for locating IP address

Module 19: Tracking Emails and Investigating Email Crimes

  1. Explain the terms Email system, Email Clients, Email Servers, and Email Message
  2. Discuss the importance of electronic records management
  3. Discuss various types of Email crimes
  4. Provide examples of Email header
  5. List Common Headers
  6. Why to Investigate Emails
  7. Discuss the steps involved in investigation of Email crimes
  8. List various Email forensics tools
  9. What are the different laws and acts against Email Crimes?

Module 20: Mobile Forensics

  1. List different mobile devices
  2. What are the hardware and software characteristics of mobile devices?
  3. What is a cellular network?
  4. Provide an overview of mobile operating system
  5. Discuss various types of mobile operating systems
  6. What a Criminal can do with Mobiles Phones?
  7. Describe various mobile forensics challenges
  8. Discuss various memory considerations in mobiles
  9. What are the different precautions to be taken before investigation?
  10. Explain the process involved in mobile forensics
  11. List various mobile forensic hardware and software Tools

Module 21: Investigative Reports

  1. Explain importance of reports and need of an investigative report
  2. Discuss the salient features of a good report
  3. Provide computer forensics report template
  4. How is a report classified?
  5. Provide layout of an investigative report
  6. What are the guidelines for writing a report?
  7. Provide an overview of investigative report format
  8. How to document a case report
  9. What are the best practices for investigators?
  10. How to write a report using FTK and ProDiscover

Module 22: Becoming an Expert Witness

  1. What is an Expert Witness?
  2. Explain the role of an expert witness
  3. Describe various types of expert witnesses
  4. What is the scope of expert witness testimony?
  5. Explain the differences between Technical Witness and Expert Witness
  6. What are the various steps involved in evidence processing
  7. How to prepare a report
  8. List the rules pertaining to an expert witness’ qualification
  9. How to testify in the court
  10. What are the general ethics while testifying?
  11. How to testify during direct and cross-examination
  12. How to find a computer forensic expert