
No1 Training Institute in Kerala

CHFI

Becoming an Expert Witness

Expert Witness

  • What is an Expert Witness?

  • Role of an Expert Witness

  • What Makes a Good Expert Witness?

Types of Expert Witnesses

  • Computer Forensics Experts
    • Role of Computer Forensics Expert
  • Medical & Psychological Experts

  • Civil Litigation Experts

  • Construction & Architecture Experts

  • Criminal Litigation Experts

Scope of Expert Witness Testimony

  • Scope of Expert Witness Testimony

  • Technical Witness vs. Expert Witness

  • Preparing for Testimony

Evidence Processing

  • Evidence Preparation and Documentation

  • Evidence Processing Steps

  • Checklists for Processing Evidence

  • Examining Computer Evidence

  • Prepare the Report

  • Evidence Presentation

Rules for Expert Witness

  • Rules Pertaining to an Expert Witness’s Qualification

  • Daubert Standard

  • Frye Standard

  • Importance of Resume

  • Testifying in the Court

  • The Order of Trial Proceedings

General Ethics While Testifying

  • General Ethics While Testifying

  • Importance of Graphics in a Testimony

  • Helping your Attorney

  • Avoiding Testimony Issues

  • Testifying during Direct Examination

  • Testifying during Cross-Examination

  • Deposing

  • Recognizing Deposition Problems

  • Guidelines to Testifying at a Deposition

  • Dealing with Media

  • Finding a Computer Forensics Expert

TRINITY TECHNOLOGIES

Investigative Reports

Computer Forensics Report

  • Computer Forensics Report

  • Salient Features of a Good Report

  • Aspects of a Good Report

Computer Forensics Report Template

  • Computer Forensics Report Template

  • Simple Format of the Chain of Custody Document

  • Chain of Custody Forms

  • Evidence Collection Form

  • Computer Evidence Worksheet

  • Hard Drive Evidence Worksheet

  • Removable Media Worksheet

Investigative Report Writing

  • Report Classification

  • Layout of an Investigative Report

    • Layout of an Investigative Report: Numbering

  • Report Specifications

  • Guidelines for Writing a Report

  • Use of Supporting Material

  • Importance of Consistency

  • Investigative Report Format

  • Attachments and Appendices

  • Include Metadata

  • Signature Analysis

  • Investigation Procedures

  • Collecting Physical and Demonstrative Evidence

  • Collecting Testimonial Evidence

  • Do’s and Don'ts of Forensics Computer Investigations

  • Case Report Writing and Documentation

  • Create a Report to Attach to the Media Analysis Worksheet

  • Best Practices for Investigators

Sample Forensics Report

  • Sample Forensics Report

Report Writing Using Tools

  • Writing Report Using FTK

  • Writing Report Using ProDiscover

Mobile Forensics

Mobile Phone

  • Mobile Phone

  • Different Mobile Devices

  • Hardware Characteristics of Mobile Devices

  • Software Characteristics of Mobile Devices

  • Components of Cellular Network

  • Cellular Network

  • Different Cellular Networks

Mobile Operating Systems

  • Mobile Operating Systems

  • Types of Mobile Operating Systems

  • WebOS

    • WebOS System Architecture

  • Symbian OS

    • Symbian OS Architecture
  • Android OS

    • Android OS Architecture

  • RIM BlackBerry OS

  • Windows Phone 7

    • Windows Phone 7 Architecture

  • Apple iOS

Mobile Forensics

  • What Can a Criminal Do with Mobile Phones?

  • Mobile Forensics

  • Mobile Forensics Challenges

  • Forensics Information in Mobile Phones

  • Memory Considerations in Mobiles

  • Subscriber Identity Module (SIM)

  • SIM File System

  • Integrated Circuit Card Identification (ICCID)

  • International Mobile Equipment Identifier (IMEI)

  • Electronic Serial Number (ESN)

  • Precautions to be Taken Before Investigation

Mobile Forensic Process

  • Mobile Forensic Process
    • Collect the Evidence
      • Collecting the Evidence

      • Points to Remember while Collecting the Evidence

      • Collecting iPod/iPhone Connected with Computer

    • Document the Scene and Preserve the Evidence

    • Imaging and Profiling

    • Acquire the Information

      • Device Identification

      • Acquire Data from SIM Cards

      • Acquire Data from Unobstructed Mobile Devices

      • Acquire the Data from Obstructed Mobile Devices

      • Acquire Data from Memory Cards

      • Acquire Data from Synched Devices

      • Gather Data from Network Operator

      • Check Call Data Records (CDRs)

      • Gather Data from SQLite Record

      • Analyze the Information

    • Generate Report

Mobile Forensics Software Tools

  • Oxygen Forensic Suite 2011

  • MOBILedit! Forensic

  • BitPim

  • SIM Analyzer

  • SIMCon

  • SIM Card Data Recovery

  • Memory Card Data Recovery

  • Device Seizure

  • SIM Card Seizure

  • ART (Automatic Reporting Tool)

  • iPod Data Recovery Software

  • Recover My iPod

  • PhoneView

  • Elcomsoft Blackberry Backup Explorer

  • Oxygen Phone Manager II

  • Sanmaxi SIM Recoverer

  • USIMdetective

  • CardRecovery

  • Stellar Phoenix iPod Recovery Software

  • iCare Data Recovery Software

  • Cell Phone Analyzer

  • iXAM

  • BlackBerry Database Viewer Plus

  • BlackBerry Signing Authority Tool

Mobile Forensics Hardware Tools

  • Secure View Kit

  • Deployable Device Seizure (DDS)

  • Paraben's Mobile Field Kit

  • PhoneBase

  • XACT System

  • Logicube CellDEK

  • Logicube CellDEK TEK

  • RadioTactics ACESO

  • UME-36Pro - Universal Memory Exchanger

  • Cellebrite UFED System - Universal Forensic Extraction Device

  • ZRT 2

  • ICD 5200

  • ICD 1300

 

Tracking Emails and investigating Email Crimes

Email System Basics

  • Email Terminology

  • Email System

  • Email Clients

  • Email Server

  • SMTP Server

  • POP3 and IMAP Servers

  • Email Message

  • Importance of Electronic Records Management

Email Crimes

  • Email Crime

  • Email Spamming

  • Mail Bombing/Mail Storm

  • Phishing

  • Email Spoofing

  • Crime via Chat Room

  • Identity Fraud/Chain Letter

Email Headers

  • Examples of Email Headers

  • List of Common Headers

Steps to Investigate

  • Why to Investigate Emails

  • Investigating Email Crime and Violation

    • Obtain a Search Warrant and Seize the Computer and Email Account

    • Obtain a Bit-by-Bit Image of Email Information

    • Examine Email Headers

      • Viewing Email Headers in Microsoft Outlook

      • Viewing Email Headers in AOL

      • Viewing Email Headers in Hotmail

      • Viewing Email Headers in Gmail

      • Viewing Headers in Yahoo Mail

      • Forging Headers

    • Analyzing Email Headers

      • Email Header Fields

      • Received: Headers

      • Microsoft Outlook Mail

      • Examining Additional Files (.pst or .ost files)

      • Checking the Email Validity

      • Examine the Originating IP Address

    • Trace Email Origin

      • Tracing Back

      • Tracing Back Web-based Email

    • Acquire Email Archives

      • Email Archives

      • Content of Email Archives

      • Local Archive

      • Server Storage Archive

      • Forensic Acquisition of Email Archive

    • Recover Deleted Emails

      • Deleted Email Recovery

Email Forensics Tools

  • Stellar Phoenix Deleted Email Recovery

  • Recover My Email

  • Outlook Express Recovery

  • Zmeil

  • Quick Recovery for MS Outlook

  • Email Detective

  • Email Trace - Email Tracking

  • R-Mail

  • FINALeMAIL

  • eMailTrackerPro

  • Forensic Tool Kit (FTK)

  • Paraben’s email Examiner

  • Network Email Examiner by Paraben

  • DiskInternal’s Outlook Express Repair

  • Abuse.Net

  • MailDetective Tool

Laws and Acts against Email Crimes

  • U.S. Laws Against Email Crime: CAN-SPAM Act

  • 18 U.S.C. § 2252A

  • 18 U.S.C. § 2252B

  • Email Crime Law in Washington: RCW 19.190.020

Investigating Web Attacks

Introduction to Web Applications and Webservers

  • Introduction to Web Applications

  • Web Application Components

  • How Web Applications Work

  • Web Application Architecture

  • Open Source Webserver Architecture

  • Indications of a Web Attack

  • Web Attack Vectors

  • Why Web Servers are Compromised

  • Impact of Webserver Attacks

  • Website Defacement

  • Case Study

Web Logs

  • Overview of Web Logs

  • Application Logs

  • Internet Information Services (IIS) Logs

    • IIS Webserver Architecture

    • IIS Log File Format

  • Apache Webserver Logs

  • DHCP Server Logs

Web Attacks

  • Web Attacks - 1

  • Web Attacks - 2

    • Unvalidated Input

    • Parameter/Form Tampering

    • Directory Traversal

    • Security Misconfiguration

    • Injection Flaws

    • SQL Injection Attacks

    • Command Injection Attacks

      • Command Injection Example

    • File Injection Attack

    • What is LDAP Injection?

      • How LDAP Injection Works

    • Hidden Field Manipulation Attack

    • Cross-Site Scripting (XSS) Attacks

      • How XSS Attacks Work

    • Cross-Site Request Forgery (CSRF) Attack

      • How CSRF Attacks Work

    • Web Application Denial-of-Service (DoS) Attack

      • Denial of Service (DoS) Examples

    • Buffer Overflow Attacks

    • Cookie/Session Poisoning

      • How Cookie Poisoning Works

    • Session Fixation Attack

    • Insufficient Transport Layer Protection

    • Improper Error Handling

    • Insecure Cryptographic Storage

    • Broken Authentication and Session Management

    • Unvalidated Redirects and Forwards

    • DMZ Protocol Attack/Zero-Day Attack

    • Log Tampering

    • URL Interpretation and Impersonation Attack

    • Web Services Attack

    • Web Services Footprinting Attack

    • Web Services XML Poisoning

    • Webserver Misconfiguration

    • HTTP Response Splitting Attack

    • Web Cache Poisoning Attack

    • HTTP Response Hijacking

    • SSH Bruteforce Attack

    • Man-in-the-Middle Attack

    • Defacement Using DNS Compromise

Web Attack Investigation

  • Investigating Web Attacks

  • Investigating Web Attacks in Windows-Based Servers

  • Investigating IIS Logs

  • Investigating Apache Logs

  • Example of FTP Compromise

  • Investigating FTP Servers

  • Investigating Static and Dynamic IP Addresses

  • Sample DHCP Audit Log File

  • Investigating Cross-Site Scripting (XSS)

  • Investigating SQL Injection Attacks

  • Pen-Testing CSRF Validation Fields

  • Investigating Code Injection Attack

  • Investigating Cookie Poisoning Attack

  • Detecting Buffer Overflow

  • Investigating Authentication Hijacking

  • Web Page Defacement

  • Investigating DNS Poisoning

  • Intrusion Detection

  • Security Strategies to Web Applications

  • Checklist for Web Security

Web Attack Detection Tools

  • Web Application Security Tools
    • Acunetix Web Vulnerability Scanner

    • Falcove Web Vulnerability Scanner

    • Netsparker

    • N-Stalker Web Application Security Scanner

    • Sandcat

    • Wikto

    • WebWatchBot

    • OWASP ZAP

    • SecuBat Vulnerability Scanner

    • Websecurify

    • HackAlert

    • WebCruiser

  • Web Application Firewalls

    • dotDefender

    • IBM AppScan

    • ServerDefender VP

  • Web Log Viewers

    • Deep Log Analyzer

    • WebLog Expert

    • AlterWind Log Analyzer

    • Webalizer

    • eWebLog Analyzer

    • Apache Logs Viewer (ALV)

  • Web Attack Investigation Tools

    • AWStats

    • Paros Proxy

    • Scrawlr

Tools for Locating IP Address

  • Whois Lookup

  • SmartWhois

  • ActiveWhois

  • LanWhois

  • CountryWhois

  • CallerIP

  • Hide Real IP

  • IP - Address Manager

  • Pandora FMS

Investigating Wireless Attacks

Wireless Technologies

  • Wireless Networks

  • Wireless Terminologies

  • Wireless Components

  • Types of Wireless Networks

  • Wireless Standards

  • MAC Filtering

  • Service Set Identifier (SSID)

  • Types of Wireless Encryption: WEP

  • Types of Wireless Encryption: WPA

  • Types of Wireless Encryption: WPA2

  • WEP vs. WPA vs. WPA2

Wireless Attacks

  • Wi-Fi Chalking
    • Wi-Fi Chalking Symbols
  • Access Control Attacks

  • Integrity Attacks

  • Confidentiality Attacks

  • Availability Attacks

  • Authentication Attacks

Investigating Wireless Attacks

  • Key Points to Remember

  • Steps for Investigation

    • Obtain a Search Warrant

    • Identify Wireless Devices at Crime Scene

      • Search for Additional Devices

      • Detect Rogue Access Point

    • Document the Scene and Maintain a Chain of Custody

    • Detect the Wireless Connections

      • Methodologies to Detect Wireless Connections

      • Wi-Fi Discovery Tool: inSSIDer

      • GPS Mapping

        • GPS Mapping Tool: WIGLE

        • GPS Mapping Tool: Skyhook

      • How to Discover Wi-Fi Networks Using Wardriving

      • Check for MAC Filtering

      • Changing the MAC Address

      • Detect WAPs using the Nessus Vulnerability Scanner

      • Capturing Wireless Traffic

        • Sniffing Tool: Wireshark

        • Follow TCP Stream in Wireshark

        • Display Filters in Wireshark

        • Additional Wireshark Filters

      • Determine Wireless Field Strength

        • Determine Wireless Field Strength: FSM

        • Determine Wireless Field Strength: ZAP Checker Products

        • What is Spectrum Analysis?

      • Map Wireless Zones & Hotspots

      • Connect to Wireless Network

        • Connect to the Wireless Access Point

        • Access Point Data Acquisition and Analysis: Attached Devices

        • Access Point Data Acquisition and Analysis: LAN TCP/IP Setup

        • Access Point Data Acquisition and Analysis

          • Firewall Analyzer

          • Firewall Log Analyzer

      • Wireless Devices Data Acquisition and Analysis

      • Report Generation

Features of a Good Wireless Forensics Tool

Wireless Forensics Tools

  • Wi-Fi Discovery Tools
    • NetStumbler

    • NetSurveyor

    • Vistumbler

    • WirelessMon

    • Kismet

    • AirPort Signal

    • WiFi Hopper

    • Wavestumbler

    • iStumbler

    • WiFinder

    • Meraki WiFi Stumbler

    • Wellenreiter

    • AirCheck Wi-Fi Tester

    • AirRadar 2

  • Wi-Fi Packet Sniffers

    • OmniPeek

    • CommView for Wi-Fi

    • Wi-Fi USB Dongle: AirPcap

    • tcpdump

    • KisMAC

    • Aircrack-ng Suite

    • AirMagnet WiFi Analyzer

  • Wardriving Tools

    • MiniStumbler

    • Airbase

    • ApSniff

    • WiFiFoFum

    • StumbVerter

    • ClassicStumbler

    • Driftnet

    • WarLinux

  • RF Monitoring Tools

    • NetworkManager

    • KWiFiManager

    • NetworkControl

    • KOrinoco

    • KWaveControl

    • Aphunter

    • Qwireless

    • SigMon

  • Wi-Fi Connection Manager Tools

    • Aironet Wireless LAN

    • Boingo

    • HandyWi

    • Avanquest Connection Manager

    • Intel PROSet

    • Odyssey Access Client

    • WiFi-Manager

    • QuickLink Mobile

  • Wi-Fi Traffic Analyzer Tools

    • AirMagnet WiFi Analyzer

    • Cascade Pilot Personal Edition

    • OptiView® XG Network Analysis Tablet

    • Network Packet Analyzer

    • Network Observer

    • Ufasoft Snif

    • CommView for WiFi

    • Network Assistant

  • Wi-Fi Raw Packet Capturing Tools

    • WirelessNetView

    • Pirni Sniffer

    • Tcpdump

    • Airview

  • Wi-Fi Spectrum Analyzing Tools

    • Cisco Spectrum Expert

    • AirMedic

    • BumbleBee

    • Wi-Spy

Network Forensics, Investigating Logs and Investigating Network Traffic

Network Forensics

  • Network Forensics

  • Network Forensics Analysis Mechanism

  • Network Addressing Schemes

  • Overview of Network Protocols

  • Overview of Physical and Data-Link Layer of the OSI Model

  • Overview of Network and Transport Layer of the OSI Model

  • OSI Reference Model

  • TCP/IP Protocol

  • Intrusion Detection Systems (IDS) and Their Placement

    • How IDS Works

    • Types of Intrusion Detection Systems

    • General Indications of Intrusions

  • Firewall

  • Honeypot

Network Attacks

  • Network Vulnerabilities

  • Types of Network Attacks

    • IP Address Spoofing

    • Man-in-the-Middle Attack

    • Packet Sniffing

      • How a Sniffer Works

    • Enumeration

    • Denial of Service Attack

    • Session Sniffing

    • Buffer Overflow

    • Trojan Horse

  • Log Injection Attacks

    • New Line Injection Attack

      • New Line Injection Attack Countermeasure

    • Separator Injection Attack

      • Defending Separator Injection Attacks

    • Timestamp Injection Attack

      • Defending Timestamp Injection Attacks

    • Word Wrap Abuse Attack

      • Defending Word Wrap Abuse Attacks

    • HTML Injection Attack

      • Defending HTML Injection Attacks

    • Terminal Injection Attack

      • Defending Terminal Injection Attacks

Investigating and Analyzing Logs

  • Postmortem and Real-Time Analysis

  • Where to Look for Evidence

  • Log Capturing Tool: ManageEngine EventLog Analyzer

  • Log Capturing Tool: ManageEngine Firewall Analyzer

  • Log Capturing Tool: GFI EventsManager

  • Log Capturing Tool: Kiwi Syslog Server

  • Handling Logs as Evidence

  • Log File Authenticity

  • Use Signatures, Encryption, and Checksums

  • Work with Copies

  • Ensure System’s Integrity

  • Access Control

  • Chain of Custody

  • Condensing Log File

Investigating Network Traffic

  • Why Investigate Network Traffic?

  • Evidence Gathering via Sniffing

  • Capturing Live Data Packets Using Wireshark

    • Display Filters in Wireshark

    • Additional Wireshark Filters

  • Acquiring Traffic Using DNS Poisoning Techniques

    • Intranet DNS Spoofing (Local Network)

    • Intranet DNS Spoofing (Remote Network)

    • Proxy Server DNS Poisoning

    • DNS Cache Poisoning

  • Evidence Gathering from ARP Table

  • Evidence Gathering at the Data-Link Layer: DHCP Database

  • Gathering Evidence by IDS

Traffic Capturing and Analysis Tools

  • NetworkMiner

  • Tcpdump/Windump

  • Intrusion Detection Tool: Snort

    • How Snort Works
  • IDS Policy Manager

  • MaaTec Network Analyzer

  • Iris Network Traffic Analyzer

  • NetWitness Investigator

  • Colasoft Capsa Network Analyzer

  • Sniff - O - Matic

  • NetResident

  • Network Probe

  • NetFlow Analyzer

  • OmniPeek Network Analyzer

  • Firewall Evasion Tool: Traffic IQ Professional

  • NetworkView

  • CommView

  • Observer

  • SoftPerfect Network Protocol Analyzer

  • EffeTech HTTP Sniffer

  • Big-Mother

  • EtherDetect Packet Sniffer

  • Ntop

  • EtherApe

  • AnalogX Packetmon

  • IEInspector HTTP Analyzer

  • SmartSniff

  • Distinct Network Monitor

  • Give Me Too

  • EtherSnoop

  • Show Traffic

  • Argus

Documenting the Evidence Gathered on a Network

 

 

 

Log Capturing and Event Correlation

Computer Security Logs

  • Computer Security Logs

  • Operating System Logs

  • Application Logs

  • Security Software Logs

  • Router Log Files

  • Honeypot Logs

  • Linux Process Accounting

  • Logon Events in Windows

  • Windows Log File

    • Configuring Windows Logging

    • Analyzing Windows Logs

    • Windows Log File: System Logs

    • Windows Log File: Application Logs

    • Logon Events that appear in the Security Event Log

  • IIS Logs

    • IIS Log File Format

    • Maintaining Credible IIS Log Files

  • Log File Accuracy

  • Log Everything

  • Keeping Time

  • UTC Time

  • View the DHCP Logs

    • Sample DHCP Audit Log File

  • ODBC Logging

Logs and Legal Issues

  • Legality of Using Logs

  • Records of Regularly Conducted Activity as Evidence

  • Laws and Regulations

Log Management

  • Log Management
    • Functions of Log Management

    • Challenges in Log Management

    • Meeting the Challenges in Log Management

Centralized Logging and Syslogs

  • Centralized Logging
    • Centralized Logging Architecture

    • Steps to Implement Central Logging

  • Syslog

    • Syslog in Unix-Like Systems

  • IIS Centralized Binary Logging

Time Synchronization

  • Why Synchronize Computer Times?

  • What is NTP?

    • NTP Stratum Levels

  • NIST Time Servers

  • Configuring Time Server in Windows Server

Event Correlation

  • Event Correlation
    • Types of Event Correlation

    • Prerequisites for Event Correlation

    • Event Correlation Approaches

Log Capturing and Analysis Tools

  • GFI EventsManager

  • Activeworx Security Center

  • EventLog Analyzer

  • Syslog-ng OSE

  • Kiwi Syslog Server

  • WinSyslog

  • Firewall Analyzer: Log Analysis Tool

  • Activeworx Log Center

  • EventReporter

  • Kiwi Log Viewer

  • Event Log Explorer

  • WebLog Expert

  • XpoLog Center Suite

  • ELM Event Log Monitor

  • EventSentry

  • LogMeister

  • LogViewer Pro

  • WinAgents EventLog Translation Service

  • EventTracker Enterprise

  • Corner Bowl Log Manager

  • Ascella Log Monitor Plus

  • FLAG - Forensic and Log Analysis GUI

  • Simple Event Correlator (SEC)

  • OSSEC

 

 

Application Password Crackers

Password Cracking Concepts

  • Password Terminology

  • Password Types

  • Password Cracker

  • How Does a Password Cracker Work?

  • How Hash Passwords are Stored in Windows SAM

Types of Password Attacks

  • Password Cracking Techniques

  • Types of Password Attacks

  • Passive Online Attacks: Wire Sniffing

  • Password Sniffing

  • Passive Online Attack: Man-in-the-Middle and Replay Attack

  • Active Online Attack: Password Guessing

  • Active Online Attack: Trojan/Spyware/keylogger

  • Active Online Attack: Hash Injection Attack

  • Rainbow Attacks: Pre-Computed Hash

  • Distributed Network Attack

    • Elcomsoft Distributed Password Recovery
  • Non-Electronic Attacks

  • Manual Password Cracking (Guessing)

  • Automatic Password Cracking Algorithm

  • Time Needed to Crack Passwords

Classification of Cracking Software

Systems Software vs. Applications Software

System Software Password Cracking

  • Bypassing BIOS Passwords
    • Using Manufacturer’s Backdoor Password to Access the BIOS

    • Using Password Cracking Software

      • CmosPwd

    • Resetting the CMOS Using the Jumpers or Solder Beads

    • Removing CMOS Battery

    • Overloading the Keyboard Buffer and Using a Professional Service

  • Tool to Reset Admin Password: Active@ Password Changer

  • Tool to Reset Admin Password: Windows Key

Application Software Password Cracking

  • Passware Kit Forensic

  • Accent Keyword Extractor

  • Distributed Network Attack

  • Password Recovery Bundle

  • Advanced Office Password Recovery

  • Office Password Recovery

  • Office Password Recovery Toolbox

  • Office Multi-document Password Cracker

  • Word Password Recovery Master

  • Accent WORD Password Recovery

  • Word Password

  • PowerPoint Password Recovery

  • PowerPoint Password

  • Powerpoint Key

  • Stellar Phoenix Powerpoint Password Recovery

  • Excel Password Recovery Master

  • Accent EXCEL Password Recovery

  • Excel Password

  • Advanced PDF Password Recovery

  • PDF Password Cracker

  • PDF Password Cracker Pro

  • Atomic PDF Password Recovery

  • PDF Password

  • Recover PDF Password

  • Appnimi PDF Password Recovery

  • Advanced Archive Password Recovery

  • KRyLack Archive Password Recovery

  • Zip Password

  • Atomic ZIP Password Recovery

  • RAR Password Unlocker

  • Default Passwords

  • http://www.defaultpassword.com

  • http://www.cirt.net/passwords

  • http://default-password.info

  • http://www.defaultpassword.us

  • http://www.passwordsdatabase.com

  • http://www.virus.org

Password Cracking Tools

  • L0phtCrack

  • OphCrack

  • Cain & Abel

  • RainbowCrack

  • Windows Password Unlocker

  • Windows Password Breaker

  • SAMInside

  • PWdump7 and Fgdump

  • PCLoginNow

  • KerbCrack

  • Recover Keys

  • Windows Password Cracker

  • Proactive System Password Recovery

  • Password Unlocker Bundle

  • Windows Password Reset Professional

  • Windows Password Reset Standard

  • Krbpwguess

  • Password Kit

  • WinPassword

  • Passware Kit Enterprise

  • Rockxp

  • PasswordsPro

  • LSASecretsView

  • LCP

  • MessenPass

  • Mail PassView

  • Messenger Key

  • Dialupass

  • Protected Storage PassView

  • Network Password Recovery

  • Asterisk Key

  • IE PassView

 

Steganography and Image File Forensics

Steganography

  • What is Steganography?

  • How Steganography Works

  • Legal Use of Steganography

  • Unethical Use of Steganography

Steganography Techniques

  • Steganography Techniques

  • Application of Steganography

  • Classification of Steganography

  • Technical Steganography

  • Linguistic Steganography

  • Types of Steganography

    • Image Steganography

      • Least Significant Bit Insertion

      • Masking and Filtering

      • Algorithms and Transformation

      • Image Steganography: Hermetic Stego

      • Steganography Tool: S-Tools

      • Image Steganography Tools

        • ImageHide

        • QuickStego

        • Gifshuffle

        • OutGuess

        • Contraband

        • Camera/Shy

        • JPHIDE and JPSEEK

        • StegaNote

    • Audio Steganography

      • Audio Steganography Methods

      • Audio Steganography: Mp3stegz

      • Audio Steganography Tools

        • MAXA Security Tools

        • Stealth Files

        • Audiostegano

        • BitCrypt

        • MP3Stego

        • Steghide

        • Hide4PGP

        • CHAOS Universal

    • Video Steganography

      • Video Steganography: MSU StegoVideo

      • Video Steganography Tools

        • Masker

        • Max File Encryption

        • Xiao Steganography

        • RT Steganography

        • Our Secret

        • BDV DataHider

        • CHAOS Universal

        • OmniHide PRO

    • Document Steganography: wbStego

      • Byte Shelter I

      • Document Steganography Tools

        • Merge Streams

        • Office XML

        • CryptArkan

        • Data Stash

        • FoxHole

        • Xidie Security Suite

        • StegParty

        • Hydan

    • Whitespace Steganography Tool: SNOW

    • Folder Steganography: Invisible Secrets 4

      • Folder Steganography Tools

        • StegoStick

        • QuickCrypto

        • Max Folder Secure

        • WinMend Folder Hidden

        • PSM Encryptor

        • XPTools

        • Universal Shield

        • Hide My Files

    • Spam/Email Steganography: Spam Mimic

  • Steganographic File System

  • Issues in Information Hiding

Steganalysis

  • Steganalysis

  • How to Detect Steganography

  • Detecting Text, Image, Audio, and Video Steganography

  • Steganalysis Methods/Attacks on Steganography

  • Disabling or Active Attacks

  • Steganography Detection Tool: Stegdetect

  • Steganography Detection Tools

    • Xstegsecret

    • Stego Watch

    • StegAlyzerAS

    • StegAlyzerRTS

    • StegSpy

    • Gargoyle Investigator™ Forensic Pro

    • StegAlyzerSS

    • StegMark

Image Files

  • Image Files

  • Common Terminologies

  • Understanding Vector Images

  • Understanding Raster Images

  • Metafile Graphics

  • Understanding Image File Formats

  • GIF (Graphics Interchange Format)

  • JPEG (Joint Photographic Experts Group)

    • JPEG File Structure

    • JPEG 2000

  • BMP (Bitmap) File

    • BMP File Structure

  • PNG (Portable Network Graphics)

    • PNG File Structure

  • TIFF (Tagged Image File Format)

    • TIFF File Structure

Data Compression

  • Understanding Data Compression

  • How Does File Compression Work?

  • Lossless Compression

  • Huffman Coding Algorithm

  • Lempel-Ziv Coding Algorithm

  • Lossy Compression

  • Vector Quantization

Locating and Recovering Image Files

  • Best Practices for Forensic Image Analysis

  • Forensic Image Processing Using MATLAB

  • Locating and Recovering Image Files

  • Analyzing Image File Headers

  • Repairing Damaged Headers

  • Reconstructing File Fragments

  • Identifying Unknown File Formats

  • Identifying Image File Fragments

  • Identifying Copyright Issues on Graphics

  • Picture Viewer: IrfanView

  • Picture Viewer: ACDSee Photo Manager 12

  • Picture Viewer: Thumbsplus

  • Picture Viewer: AD Picture Viewer Lite

  • Picture Viewer Max

  • Picture Viewer: FastStone Image Viewer

  • Picture Viewer: XnView

  • Faces – Sketch Software

  • Digital Camera Data Discovery Software: File Hound

Image File Forensics Tools

  • Hex Workshop

  • GFE Stealth™ - Forensics Graphics File Extractor

  • Ilook

  • Adroit Photo Forensics 2011

  • Digital Photo Recovery

  • Stellar Phoenix Photo Recovery Software

  • Zero Assumption Recovery (ZAR)

  • Photo Recovery Software

  • Forensic Image Viewer

  • File Finder

  • DiskGetor Data Recovery

  • DERescue Data Recovery Master

  • Recover My Files

  • Universal Viewer

 

 

Forensics Investigation Using EnCase

Overview of EnCase Forensic

  • Overview of EnCase Forensic

  • EnCase Forensic Features

  • EnCase Forensic Platform

  • EnCase Forensic Modules

Installing EnCase Forensic

  • Minimum Requirements

  • Installing the Examiner

  • Installed Files

  • Installing the EnCase Modules

  • Configuring EnCase

    • Configuring EnCase: Case Options Tab

    • Configuring EnCase: Global Tab

    • Configuring EnCase: Debug Tab

    • Configuring EnCase: Colors Tab and Fonts Tab

    • Configuring EnCase: EnScript Tab and Storage Paths Tab

  • Sharing Configuration (INI) Files

EnCase Interface

  • Main EnCase Window
    • System Menu Bar

    • Toolbar

    • Panes Overview

      • Tree Pane

      • Table Pane

      • Table Pane: Table Tab

      • Table Pane: Report Tab

      • Table Pane: Gallery Tab

      • Table Pane: Timeline Tab

      • Table Pane: Disk Tab and Code Tab

    • View Pane

    • Filter Pane

      • Filter Pane Tabs

      • Creating a Filter

      • Creating Conditions

    • Status Bar

Case Management

  • Overview of Case Structure

  • Case Management

  • Indexing a Case

  • Case Backup

  • Options Dialog Box

  • Logon Wizard

  • New Case Wizard

  • Setting Time Zones for Case Files

  • Setting Time Zone Options for Evidence Files

Working with Evidence

  • Types of Entries

  • Adding a Device

    • Adding a Device using Tableau Write Blocker

  • Performing a Typical Acquisition

  • Acquiring a Device

  • Canceling an Acquisition

  • Acquiring a Handsprings PDA

  • Delayed Loading of Internet Artifacts

  • Hashing the Subject Drive

  • Logical Evidence File (LEF)

  • Creating a Logical Evidence File

  • Recovering Folders on FAT Volumes

  • Restoring a Physical Drive

Source Processor

  • Source Processor

  • Starting to Work with Source Processor

  • Setting Case Options

  • Collection Jobs

    • Creating a Collection Job

    • Copying a Collection Job

    • Running a Collection Job

  • Analysis Jobs

    • Creating an Analysis Job

    • Running an Analysis Job

  • Creating a Report

Analyzing and Searching Files

  • Viewing the File Signature Directory

  • Performing a Signature Analysis

  • Hash Analysis

  • Hashing a New Case

  • Creating a Hash Set

  • Keyword Searches

  • Creating Global Keywords

  • Adding Keywords

  • Importing and Exporting Keywords

  • Searching Entries for Email and Internet Artifacts

  • Viewing Search Hits

  • Generating an Index

  • Tag Records

Viewing File Content

  • Viewing Files

  • Copying and Unerasing Files

  • Adding a File Viewer

  • Viewing File Content Using View Pane

  • Viewing Compound Files

  • Viewing Base64 and UUE Encoded Files

Bookmarking Items

  • Bookmarks Overview

  • Creating a Highlighted Data Bookmark

  • Creating a Note Bookmark

  • Creating a Folder Information/Structure Bookmark

  • Creating a Notable File Bookmark

  • Creating a File Group Bookmark

  • Creating a Log Record Bookmark

  • Creating a Snapshot Bookmark

  • Organizing Bookmarks

  • Copying/Moving a Table Entry into a Folder

  • Viewing a Bookmark on the Table Report Tab

  • Excluding Bookmarks

  • Copying Selected Items from One Folder to Another

Reporting

  • Reporting

  • Report User Interface

  • Creating a Report Using the Report Tab

  • Report Single/Multiple Files

  • Viewing a Bookmark Report

  • Viewing an Email Report

  • Viewing a Webmail Report

  • Viewing a Search Hits Report

  • Creating a Quick Entry Report

  • Creating an Additional Fields Report

  • Exporting a Report


Forensics Investigation using Access Data FTK

Overview and Installation of FTK

  • Overview of Forensic Toolkit (FTK)

  • Features of FTK

  • Software Requirement

  • Configuration Option

  • Database Installation

  • FTK Application Installation

FTK Case Manager User Interface

  • Case Manager Window
    • Case Manager Database Menu
      • Setting Up Additional Users and Assigning Roles
    • Case Manager Case Menu
      • Assigning Users Shared Label Visibility
    • Case Manager Tools Menu
      • Recovering Processing Jobs

      • Restoring an Image to a Disk

    • Case Manager Manage Menu

      • Managing Carvers

      • Managing Custom Identifiers

FTK Examiner User Interface

  • FTK Examiner User Interface
    • Menu Bar: File Menu
      • Exporting Files

      • Exporting Case Data to a Custom Content Image

      • Exporting the Word List

    • Menu Bar: Edit Menu

    • Menu Bar: View Menu

    • Menu Bar: Evidence Menu

    • Menu Bar: Tools Menu

      • Verifying Drive Image Integrity

      • Mounting an Image to a Drive

    • File List View

      • Using Labels

      • Creating and Applying a Label

Starting with FTK

  • Creating a case

  • Selecting Detailed Options: Evidence Processing

  • Selecting Detailed Options: Fuzzy Hashing

  • Selecting Detailed Options: Data Carving

  • Selecting Detailed Options: Custom File Identification

  • Selecting Detailed Options: Evidence Refinement (Advanced)

  • Selecting Detailed Options: Index Refinement (Advanced)

FTK Interface Tabs

  • FTK Interface Tabs
    • Explore Tab

    • Overview Tab

    • Email Tab

    • Graphics Tab

    • Bookmarks Tab

    • Live Search Tabs

    • Volatile Tab

Adding and Processing Static, Live, and Remote Evidence

  • Adding Evidence to a Case

  • Evidence Groups

  • Acquiring Local Live Evidence

  • FTK Role Requirements for Remote Acquisition

  • Types of Remote Information

  • Acquiring Data Remotely Using Remote Device Management System (RDMS)

  • Imaging Drives

  • Mounting and Unmounting a Device

Using and Managing Filters

  • Accessing Filter Tools

  • Using Filters

  • Customizing Filters

  • Using Predefined Filters

Using Index Search and Live Search

  • Conducting an Index Search
    • Selecting Index Search Options

    • Viewing Index Search Results

    • Documenting Search Results

  • Conducting a Live Search: Live Text Search

  • Conducting a Live Search: Live Hex Search

  • Conducting a Live Search: Live Pattern Search

Decrypting EFS and other Encrypted Files

  • Decrypting EFS Files and Folders

  • Decrypting MS Office Files

  • Viewing Decrypted Files

  • Decrypting Domain Account EFS Files from Live Evidence

  • Decrypting Credant Files

  • Decrypting Safeboot Files

Working with Reports

  • Creating a Report

  • Entering Case Information

  • Managing Bookmarks in a Report

  • Managing Graphics in a Report

  • Selecting a File Path List

  • Adding a File Properties List

  • Making Registry Selections

  • Selecting the Report Output Options

  • Customizing the Formatting of Reports

  • Viewing and Distributing a Report


Recovering Deleted Files and Deleted Partitions

Recovering the Deleted Files

  • Deleting Files

  • What Happens When a File is Deleted in Windows?

  • Recycle Bin in Windows

    • Storage Locations of Recycle Bin in FAT and NTFS System

    • How the Recycle Bin Works

    • Damaged or Deleted INFO File

    • Damaged Files in Recycled Folder

    • Damaged Recycle Folder

  • File Recovery in MAC OS X

  • File Recovery in Linux

File Recovery Tools for Windows

  • Recover My Files

  • EASEUS Data Recovery Wizard

  • PC INSPECTOR File Recovery

  • Recuva

  • DiskDigger

  • Handy Recovery

  • Quick Recovery

  • Stellar Phoenix Windows Data Recovery

  • Tools to Recover Deleted Files

    • Total Recall

    • Advanced Disk Recovery

    • Windows Data Recovery Software

    • R-Studio

    • PC Tools File Recover

    • Data Rescue PC

    • Smart Undelete

    • FileRestore Professional

    • Deleted File Recovery Software

    • DDR Professional Recovery Software

    • Data Recovery Pro

    • GetDataBack

    • UndeletePlus

    • Search and Recover

    • File Scavenger

    • Filesaver

    • Virtual Lab

    • Active@ UNDELETE

    • Win Undelete

    • R-Undelete

    • Recover4all Professional

    • eData Unerase

    • Active@ File Recovery

    • FinalRecovery

File Recovery Tools for MAC

  • MAC File Recovery

  • MAC Data Recovery

  • Boomerang Data Recovery Software

  • VirtualLab

  • File Recovery Tools for MAC OS X

    • DiskWarrior

    • AppleXsoft File Recovery for MAC

    • Disk Doctors MAC Data Recovery

    • R-Studio for MAC

    • Data Rescue

    • Stellar Phoenix MAC Data Recovery

    • FileSalvage

    • TechTool Pro

File Recovery Tools for Linux

  • R-Studio for Linux

  • Quick Recovery for Linux

  • Kernel for Linux Data Recovery

  • TestDisk for Linux

Recovering the Deleted Partitions

  • Disk Partition

  • Deletion of Partition

  • Recovery of the Deleted Partition

Partition Recovery Tools

  • Active@ Partition Recovery for Windows

  • Acronis Recovery Expert

  • DiskInternals Partition Recovery

  • NTFS Partition Data Recovery

  • GetDataBack

  • EASEUS Partition Recovery

  • Advanced Disk Recovery

  • Power Data Recovery

  • Remo Recover (MAC) - Pro

  • MAC Data Recovery Software

  • Quick Recovery for Linux

  • Stellar Phoenix Linux Data Recovery Software

  • Tools to Recover Deleted Partitions

    • Handy Recovery

    • TestDisk for Windows

    • Stellar Phoenix Windows Data Recovery

    • ARAX Disk Doctor

    • Power Data Recovery

    • Quick Recovery for MAC

    • Partition Find & Mount

    • Advance Data Recovery Software Tools

    • TestDisk for MAC

    • Kernel for FAT and NTFS – Windows Disk Recovery

    • Disk Drill

    • Stellar Phoenix MAC Data Recovery

    • ZAR Windows Data Recovery

    • AppleXsoft File Recovery for MAC

    • Quick Recovery for FAT & NTFS

    • TestDisk for Linux


Data Acquisition and Duplication

Data Acquisition and Duplication Concepts

  • Data Acquisition

  • Forensic and Procedural Principles

  • Types of Data Acquisition Systems

  • Data Acquisition Formats

  • Bit Stream vs. Backups

  • Why to Create a Duplicate Image?

  • Issues with Data Duplication

  • Data Acquisition Methods

  • Determining the Best Acquisition Method

  • Contingency Planning for Image Acquisitions

  • Data Acquisition Mistakes

Data Acquisition Types

  • Rules of Thumb

  • Static Data Acquisition

    • Collecting Static Data

    • Static Data Collection Process

  • Live Data Acquisition

    • Why is Volatile Data Important?

    • Volatile Data

    • Order of Volatility

    • Common Mistakes in Volatile Data Collection

    • Volatile Data Collection Methodology

    • Basic Steps in Collecting Volatile Data

    • Types of Volatile Information

Disk Acquisition Tool Requirements

  • Disk Imaging Tool Requirements

  • Disk Imaging Tool Requirements: Mandatory

  • Disk Imaging Tool Requirements: Optional

Validation Methods

  • Validating Data Acquisitions

  • Linux Validation Methods

  • Windows Validation Methods

RAID Data Acquisition

  • Understanding RAID Disks

  • Acquiring RAID Disks

  • Remote Data Acquisition

Acquisition Best Practices

  • Acquisition Best Practices

Data Acquisition Software Touls

  • Acquiring Data on Windows

  • Acquiring Data on Linux

  • dd Command

  • dcfldd Command

  • Extracting the MBR

  • Netcat Command

  • EnCase Forensic

  • Analysis Software: DriveSpy

  • ProDiscover Forensics

  • AccessData FTK Imager

  • Mount Image Pro

  • Data Acquisition Toolbox

  • SafeBack

  • ILookPI

  • RAID Recovery for Windows

  • R-Tools R-Studio

  • F-Response

  • PyFlag

  • LiveWire Investigator

  • ThumbsDisplay

  • DataLifter

  • X-Ways Forensics

  • R-drive Image

  • DriveLook

  • DiskExplorer

  • P2 eXplorer Pro

  • Flash Retriever Forensic Edition
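The dd and dcfldd entries above, together with the Linux and Windows validation methods listed under Validation Methods (and Hashing the Subject Drive in the EnCase module), describe one workflow: copy every sector, hash the stream while copying, then re-hash the finished image and compare. The Python below is an added example for this outline, not course material or any listed vendor's code. It runs that workflow against a constructed temporary file standing in for a block device (the source path, image path and the 1 MiB block size are the example's own choices) and shows what validation reports when the image is altered after acquisition.

```python
import hashlib
import os
import tempfile

BLOCK_SIZE = 1024 * 1024  # 1 MiB per read, the equivalent of dd's bs=1M


def image_device(source_path, image_path, algorithms=("md5", "sha256")):
    """Bit-stream copy source -> image, hashing each block as it is read.

    Returns the byte count and one digest per algorithm for the source as it
    was read, which is what dcfldd's hash=/hashlog= options record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    # The source is opened read-only; on a real acquisition it should also sit
    # behind a write blocker so the OS cannot touch the evidence.
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(BLOCK_SIZE)
            if not block:
                break
            for h in hashers.values():
                h.update(block)
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image is on disk before re-hashing it
    record = {name: h.hexdigest() for name, h in hashers.items()}
    record["bytes"] = total
    return record


def hash_file(path, algorithm):
    """Independent re-hash of a finished file (what md5sum / sha256sum do)."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(BLOCK_SIZE), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, record):
    """Compare the image against the digests taken during acquisition.

    Returns a list of (algorithm, expected, actual) mismatches; an empty list
    means every digest matched and the image is validated."""
    mismatches = []
    for name, expected in record.items():
        if name == "bytes":
            continue
        actual = hash_file(image_path, name)
        if actual != expected:
            mismatches.append((name, expected, actual))
    return mismatches


def demo(tamper=False):
    """Image a constructed 3 MiB pseudo-device (a temp file standing in for
    /dev/sdb) and validate the result. With tamper=True one byte of the image
    is flipped after acquisition, which the validation must catch."""
    data = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "sdb")
        img = os.path.join(tmp, "sdb.dd")
        with open(src, "wb") as f:
            f.write(data)
        record = image_device(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(4096)
                f.write(b"\xff")  # the original byte at offset 4096 is 0x00
        return record, verify_image(img, record)


if __name__ == "__main__":
    rec, problems = demo()
    for key, value in rec.items():
        print(f"{key}: {value}")
    print("image verified" if not problems else f"MISMATCH: {problems}")
```

The digests are taken from the stream as it is read, not from the finished file, so a write error or a post-acquisition edit shows up as a mismatch in the second step; recording both MD5 and SHA-256 is the usual answer to the MD5 collision concern raised in court.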

Data Acquisition Hardware Tools

  • US-LATT

  • Image MASSter: Solo-4 (Super Kit)

  • Image MASSter: RoadMASSter- 3

  • Tableau TD1 Forensic Duplicator

  • Logicube: Forensic MD5

  • Logicube: Portable Forensic Lab™

  • Logicube: Forensic Talon®

  • Logicube: RAID I/O Adapter™

  • DeepSpar: Disk Imager Forensic Edition

  • Logicube: USB Adapter

  • Disk Jockey PRO

  • Logicube: Forensic Quest-2®

  • Logicube: CloneCard Pro

  • Logicube: EchoPlus

  • Paraben Forensics Hardware: Chat Stick

  • Image MASSter: Rapid Image 7020CS IT

  • Digital Intelligence Forensic Hardware: UltraKit

  • Digital Intelligence Forensic Hardware: UltraBay II

  • Digital Intelligence Forensic Hardware: UltraBlock SCSI

  • Digital Intelligence Forensic Hardware: HardCopy 3P

  • Wiebetech: Forensics DriveDock v4

  • Wiebetech: Forensics UltraDock v4

  • Image MASSter: WipeMASSter

  • Image MASSter: WipePRO

  • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

  • Forensic Tower IV Dual Xeon

  • Digital Intelligence Forensic Hardware: FREDDIE

  • DeepSpar: 3D Data Recovery

    • Phase 1 Tool: PC-3000 Drive Restoration System

    • Phase 2 Tool: DeepSpar Disk Imager

    • Phase 3 Tool: PC-3000 Data Extractor

  • Logicube
    • Cables

    • Adapters

    • GPStamp™

    • OmniPort

    • CellDEK®

  • Paraben Forensics Hardware

    • Project-a-Phone

    • Mobile Field Kit

    • iRecovery Stick

  • CelleBrite

    • UFED System

    • UFED Physical Pro


Windows Forensics

Collecting Volatile Information

  • Volatile Information
    • System Time

    • Logged-on Users

      • PsLoggedOn

      • Net Sessions Command

      • LogonSessions Tool

    • Open Files

      • Net File Command

      • PsFile Utility

      • OpenFiles Command

    • Network Information

    • Network Connections

    • Process Information

    • Process-to-Port Mapping

    • Process Memory

    • Network Status

    • Other Important Information

Collecting Non-volatile Information

  • Non-volatile Information
    • Examine File Systems

    • Registry Settings

    • Microsoft Security ID

    • Event Logs

    • Index.dat File

    • Devices and Other Information

    • Slack Space

    • Virtual Memory

    • Swap File

    • Windows Search Index

    • Collecting Hidden Partition Information

    • Hidden ADS Streams

      • Investigating ADS Streams: StreamArmor

    • Other Non-Volatile Information

Windows Memory Analysis

  • Memory Dump

  • EProcess Structure

  • Process Creation Mechanism

  • Parsing Memory Contents

  • Parsing Process Memory

  • Extracting the Process Image

  • Collecting Process Memory

Windows Registry Analysis

  • Inside the Registry

  • Registry Structure within a Hive File

  • The Registry as a Log File

  • Registry Analysis

  • System Information

  • TimeZone Information

  • Shares

  • Audit Policy

  • Wireless SSIDs

  • Autostart Locations

  • System Boot

  • User Login

  • User Activity

  • Enumerating Autostart Registry Locations

  • USB Removable Storage Devices

  • Mounted Devices

  • Finding Users

  • Tracking User Activity

  • The UserAssist Keys

  • MRU Lists

  • Search Assistant

  • Connecting to Other Systems

  • Analyzing Restore Point Registry Settings

  • Determining the Startup Locations
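The UserAssist keys named above record program execution per user: the value names are ROT13-encoded program paths and the value data carries a run count and a last-run FILETIME. The Python below is an added example for this outline, not course material or a RegRipper or EnCase script. It assumes the 72-byte Windows 7 and later value layout (run count at offset 4, FILETIME at offset 60) and works on constructed sample values rather than a live hive; reading NTUSER.DAT itself needs a registry parser, which is outside this example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
USERASSIST_WIN7_LEN = 72


def filetime_to_datetime(filetime):
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(value_name):
    """Value names under UserAssist\\{GUID}\\Count are ROT13-encoded."""
    return codecs.decode(value_name, "rot13")


def parse_userassist_value(raw):
    """Parse the 72-byte Windows 7 and later UserAssist value data (assumed layout):
    offset 0   session id   (uint32)
    offset 4   run count    (uint32)
    offset 8   focus count  (uint32)
    offset 12  focus time   (uint32, milliseconds)
    offset 16  44 bytes of float/reserved fields not needed here
    offset 60  last execution time (FILETIME, uint64)
    offset 68  4 bytes unused
    The 16-byte Windows XP layout is different and is rejected here."""
    if len(raw) != USERASSIST_WIN7_LEN:
        raise ValueError(f"unsupported UserAssist value length {len(raw)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", raw, 0)
    (filetime,) = struct.unpack_from("<Q", raw, 60)
    return {
        "session": session,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def interpret_userassist(values):
    """values: {raw_value_name: raw_bytes} as read from one Count subkey.
    Returns entries sorted by last run time, most recent first."""
    entries = []
    for raw_name, raw_data in values.items():
        entry = parse_userassist_value(raw_data)
        entry["program"] = decode_userassist_name(raw_name)
        entries.append(entry)
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries


def build_userassist_value(run_count, last_run, focus_count=0, focus_ms=0):
    """Build value data in the layout above (used only to construct sample data)."""
    raw = bytearray(USERASSIST_WIN7_LEN)
    struct.pack_into("<IIII", raw, 0, 0, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", raw, 60, datetime_to_filetime(last_run))
    return bytes(raw)


def demo():
    """Constructed sample of what a registry reader would return for one Count
    subkey; the program paths, counts and times are invented for illustration."""
    sample = {
        codecs.encode(r"C:\Windows\System32\cmd.exe", "rot13"):
            build_userassist_value(7, datetime(2020, 1, 1, 9, 30, tzinfo=timezone.utc)),
        codecs.encode(r"C:\Tools\wipe.exe", "rot13"):
            build_userassist_value(1, datetime(2020, 1, 2, 23, 15, tzinfo=timezone.utc)),
        codecs.encode(r"C:\Program Files\Office\winword.exe", "rot13"):
            build_userassist_value(42, datetime(2019, 12, 20, 8, 0, tzinfo=timezone.utc)),
    }
    return interpret_userassist(sample)


if __name__ == "__main__":
    for e in demo():
        print(f"{e['last_run']:%Y-%m-%d %H:%M}  runs={e['run_count']:<3} {e['program']}")
```

The timestamps come out in UTC; apply the TimeZoneInformation values from the SYSTEM hive (listed above under TimeZone Information) before comparing them with other artefacts.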

Cache, Cookie, and History Analysis

  • Cache, Cookie, and History Analysis in IE

  • Cache, Cookie, and History Analysis in Firefox

  • Cache, Cookie, and History Analysis in Chrome

  • Analysis Tools

    • IE Cookies View

    • IE Cache View

    • IE History Viewer

    • MozillaCookiesView

    • MozillaCacheView

    • MozillaHistoryView

    • ChromeCookiesView

    • ChromeCacheView

    • ChromeHistoryView

MD5 Calculation

  • Message Digest Function: MD5

  • Why MD5 Calculation?

  • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

  • MD5 Checksum Verifier

  • ChaosMD5

Windows File Analysis

  • Recycle Bin

  • System Restore Points (Rp.log Files)

  • System Restore Points (Change.log.x Files)

  • Prefetch Files

  • Shortcut Files

  • Word Documents

  • PDF Documents

  • Image Files

  • File Signature Analysis

  • NTFS Alternate Data Streams

  • Executable File Analysis

  • Documentation Before Analysis

  • Static Analysis Process

  • Search Strings

  • PE Header Analysis

  • Import Table Analysis

  • Export Table Analysis

  • Dynamic Analysis Process

  • Creating Test Environment

  • Collecting Information Using Tools

  • Process of Testing the Malware
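File Signature Analysis above (and Performing a Signature Analysis in the EnCase module) compares the first bytes of a file with a table of known headers and flags files whose extension disagrees with what the header says; that is how a renamed image or executable is found. The Python below is an added example for this outline and not EnCase's or any other product's signature table; the signature subset, the extension aliases and the five sample files are the example's own constructions.

```python
import os
import tempfile

# Known file headers (magic bytes) and the type each identifies; a small
# subset of a forensic suite's signature table, chosen for this example.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # also the container for docx/xlsx/pptx/jar/apk
    (b"MZ", "exe"),          # DOS/PE executables, DLLs, drivers
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # OLE2: doc/xls/ppt/msg
]

# Extensions that legitimately share a signature (no mismatch is reported for them).
ALIASES = {
    "jpg": {"jpg", "jpeg"},
    "zip": {"zip", "docx", "xlsx", "pptx", "jar", "apk", "odt"},
    "exe": {"exe", "dll", "sys", "scr", "cpl"},
    "ole": {"doc", "xls", "ppt", "msg"},
}


def identify(header):
    """Return the type whose magic bytes the header starts with, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None


def analyze_file(path):
    """Classify one file as match, mismatch (extension disagrees with the
    header) or unknown (no signature in the table; plain text lands here)."""
    with open(path, "rb") as f:
        header = f.read(16)
    kind = identify(header)
    ext = os.path.splitext(path)[1].lower().lstrip(".")
    if kind is None:
        status = "unknown"
    elif ext in ALIASES.get(kind, {kind}):
        status = "match"
    else:
        status = "mismatch"
    return {"path": path, "ext": ext, "signature": kind, "status": status}


def analyze_tree(root):
    """Run the analysis over every file below root."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            results.append(analyze_file(os.path.join(dirpath, name)))
    return results


def mismatches(results):
    return [r for r in results if r["status"] == "mismatch"]


def demo():
    """Constructed sample set: a JPEG renamed to .txt and an executable renamed
    to .jpg are the two files a signature analysis should surface."""
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 28,
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 28,  # image hidden as text
        "photo.jpg": b"MZ\x90\x00" + b"\x00" * 28,         # executable hidden as image
        "report.docx": b"PK\x03\x04" + b"\x00" * 28,
        "readme.txt": b"plain text, no magic\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(data)
        results = analyze_tree(tmp)
        return {os.path.basename(r["path"]): r["status"] for r in results}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Files reported as unknown are not cleared, only unclassified: a real table has hundreds of signatures, and a hashed known-good set (the Hash Analysis items in the EnCase module) is the usual way to remove the remaining noise.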

Metadata Investigation

  • Metadata

  • Types of Metadata

  • Metadata in Different File Systems

  • Metadata in PDF Files

  • Metadata in Word Documents

  • Tool: Metadata Analyzer

Text Based Logs

  • Understanding Events

  • Event Logon Types

  • Event Record Structure

  • Vista Event Logs

  • IIS Logs

    • Parsing IIS Logs

  • Parsing FTP Logs

    • FTP sc-status Codes

  • Parsing DHCP Server Logs

  • Parsing Windows Firewall Logs

  • Using the Microsoft Log Parser
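IIS writes its logs in the W3C extended format: a #Fields directive names the columns and each following line is one space-separated request, with sc-status carrying the HTTP status. The Python below is an added example for this outline, not course material or Microsoft Log Parser. It parses a constructed log fragment (documentation IP ranges, invented requests), tallies 401 responses per client the way a Log Parser GROUP BY c-ip query would, and flags traversal and command-execution markers in the request path.

```python
from collections import Counter
from datetime import datetime

# Constructed IIS W3C extended log (not a real server's log); the field list is
# the default IIS 7.x selection and the addresses are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-03-04 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-03-04 08:00:01 10.0.0.5 GET /index.htm - 80 - 203.0.113.7 Mozilla/5.0 200 0 0 15
2013-03-04 08:00:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 3
2013-03-04 08:00:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 2
2013-03-04 08:00:03 10.0.0.5 GET /admin/ - 80 - 203.0.113.7 Mozilla/5.0 401 2 5 2
2013-03-04 08:00:04 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.9 Nikto/2.1 404 0 2 1
2013-03-04 08:00:05 10.0.0.5 POST /login.aspx - 80 jdoe 192.0.2.33 Mozilla/5.0 302 0 0 40
2013-03-04 08:00:06 10.0.0.5 GET /admin/ - 80 jdoe 203.0.113.7 Mozilla/5.0 200 0 0 20
"""

NUMERIC_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status",
                  "time-taken", "sc-bytes", "cs-bytes"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields
    directive. A new #Fields line mid-file (IIS writes one after a field change
    or restart) re-maps the columns for the lines that follow."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue  # #Software, #Version and #Date carry no records
        if fields is None:
            raise ValueError("log line before any #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        rec = {}
        for name, value in zip(fields, values):
            rec[name] = int(value) if name in NUMERIC_FIELDS and value != "-" else value
        if "date" in rec and "time" in rec:
            rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def failed_auth_by_ip(records, threshold=3):
    """Clients with at least `threshold` HTTP 401 responses: the same question
    Log Parser answers with SELECT c-ip, COUNT(*) ... WHERE sc-status=401 GROUP BY c-ip."""
    counts = Counter(r["c-ip"] for r in records if r.get("sc-status") == 401)
    return {ip: n for ip, n in counts.items() if n >= threshold}


SUSPICIOUS_URI_MARKERS = ("..", "%2e%2e", "%255c", "cmd.exe", "/etc/passwd")


def suspicious_requests(records):
    """Requests whose stem or query carries traversal or command-execution markers."""
    hits = []
    for r in records:
        target = f"{r.get('cs-uri-stem', '')}?{r.get('cs-uri-query', '')}".lower()
        if any(marker in target for marker in SUSPICIOUS_URI_MARKERS):
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(f"{len(recs)} records")
    print("401 bursts:", failed_auth_by_ip(recs))
    for r in suspicious_requests(recs):
        print("suspicious:", r["timestamp"], r["c-ip"], r["cs-uri-stem"], r["sc-status"])
```

IIS logs timestamps in UTC by default, which is why the date and time fields are combined here without a zone; the 404 on the traversal attempt shows that a blocked request is still worth keeping, since it identifies the scanner and the time of the probe.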

Other Audit Events

  • Evaluating Account Management Events

  • Examining Audit Policy Change Events

  • Examining System Log Entries

  • Examining Application Log Entries

Forensic Analysis of Event Logs

  • Searching with Event Viewer

  • Using EnCase to Examine Windows Event Log Files

  • Windows Event Log Files Internals

Windows Password Issues

  • Understanding Windows Password Storage

  • Cracking Windows Passwords Stored on Running Systems

  • Exploring Windows Authentication Mechanisms

    • LanMan Authentication Process

    • NTLM Authentication Process

    • Kerberos Authentication Process

  • Sniffing and Cracking Windows Authentication Exchanges

  • Cracking Offline Passwords

Forensic Tools

  • Windows Forensics Tool: OS Forensics

  • Windows Forensics Tool: Helix3 Pro

  • Integrated Windows Forensics Software: X-Ways Forensics

  • X-Ways Trace

  • Windows Forensic Toolchest (WFT)

  • Built-in Tool: Sigverif

  • Computer Online Forensic Evidence Extractor (COFEE)

  • System Explorer

  • Tool: System Scanner

  • Secret Explorer

  • Registry Viewer Tool: Registry Viewer

  • Registry Viewer Tool: Reg Scanner

  • Registry Viewer Tool: Alien Registry Viewer

  • MultiMon

  • CurrProcess

  • Process Explorer

  • Security Task Manager

  • PrcView

  • ProcHeapViewer

  • Memory Viewer

  • Tool: PMDump

  • Word Extractor

  • Belkasoft Evidence Center

  • Belkasoft Browser Analyzer

  • Metadata Assistant

  • HstEx

  • XpoLog Center Suite

  • LogViewer Pro

  • Event Log Explorer

  • LogMeister

  • ProDiscover Forensics

  • PyFlag

  • LiveWire Investigator

  • ThumbsDisplay

  • DriveLook


Understanding Hard Disks and File Systems

Hard Disk Drive Overview

  • Disk Drive Overview

  • Hard Disk Drive

  • Solid-State Drive (SSD)

  • Physical Structure of a Hard Disk

  • Logical Structure of Hard Disk

  • Types of Hard Disk Interfaces

  • Hard Disk Interfaces

    • ATA

    • SCSI

    • IDE/EIDE

    • USB

    • Fibre Channel

  • Disk Platter

  • Tracks

    • Track Numbering

  • Sector

    • Advanced Format: Sectors

    • Sector Addressing

  • Cluster

    • Cluster Size

    • Changing the Cluster Size

    • Slack Space

    • Lost Clusters

  • Bad Sector

  • Hard Disk Data Addressing

  • Disk Capacity Calculation

  • Measuring the Performance of the Hard Disk

Disk Partitions and Boot Process

  • Disk Partitions

  • Master Boot Record

    • Structure of a Master Boot Record

  • What is the Booting Process?

  • Essential Windows System Files

  • Windows Boot Process

  • Macintosh Boot Process

  • http://www.bootdisk.com
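The Master Boot Record is the first 512-byte sector: boot code, a 4-byte disk signature at offset 440, four 16-byte partition entries starting at offset 446, and the 0x55AA signature at offset 510. The Python below is an added example for this outline, covering both Extracting the MBR from the Data Acquisition module and Structure of a Master Boot Record here; it is not course material or a tool's code. The MBR it parses is constructed (two partitions and an invented disk signature), and the gap finder considers primary entries only, so the logical drives of an extended partition would have to be walked separately through their EBR chain.

```python
import os
import struct
import tempfile

SECTOR = 512
TABLE_OFFSET = 446            # four 16-byte entries occupy bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Common partition type IDs (a small subset of the full table)
PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)", 0x0C: "FAT32 (LBA)",
    0x0F: "extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective",
}


def extract_mbr(device_path):
    """Read sector 0: the same bytes as dd if=<device> bs=512 count=1."""
    with open(device_path, "rb") as f:
        mbr = f.read(SECTOR)
    if len(mbr) != SECTOR:
        raise ValueError("short read: not a full 512-byte sector")
    return mbr


def parse_partition_entry(entry):
    """16-byte entry: status, CHS start (3), type, CHS end (3), LBA start (4), sector count (4)."""
    status, type_id = entry[0], entry[4]
    lba_start, sectors = struct.unpack_from("<II", entry, 8)
    return {
        "bootable": status == 0x80,
        "type_id": type_id,
        "type": PARTITION_TYPES.get(type_id, f"0x{type_id:02X}"),
        "lba_start": lba_start,
        "sectors": sectors,
        "lba_end": lba_start + sectors - 1,
    }


def parse_mbr(mbr):
    """Return the disk signature, the used primary partition entries and whether
    the 0x55AA boot signature is present (its absence means the sector is
    damaged, wiped or not an MBR at all; the table is still decoded)."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    (disk_signature,) = struct.unpack_from("<I", mbr, 440)
    partitions = []
    for index in range(4):
        offset = TABLE_OFFSET + index * 16
        entry = parse_partition_entry(mbr[offset:offset + 16])
        if entry["type_id"] != 0x00:  # type 0 marks an unused slot
            entry["index"] = index
            partitions.append(entry)
    return {
        "disk_signature": disk_signature,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def unallocated_gaps(parsed, total_sectors):
    """Sector ranges no primary partition covers: where deleted partitions and
    hidden data are looked for. An extended partition counts as one block."""
    gaps = []
    cursor = 1  # sector 0 is the MBR itself
    for p in sorted(parsed["partitions"], key=lambda p: p["lba_start"]):
        if p["lba_start"] > cursor:
            gaps.append((cursor, p["lba_start"] - 1))
        cursor = max(cursor, p["lba_start"] + p["sectors"])
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps


def build_sample_mbr():
    """Constructed MBR: bootable NTFS at LBA 2048 (204800 sectors) and Linux
    at LBA 206848 (102400 sectors), disk signature 0xDEADBEEF."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<I", mbr, 440, 0xDEADBEEF)
    for index, (boot, type_id, start, count) in enumerate(
            [(True, 0x07, 2048, 204800), (False, 0x83, 206848, 102400)]):
        offset = TABLE_OFFSET + index * 16
        mbr[offset] = 0x80 if boot else 0x00
        mbr[offset + 4] = type_id
        struct.pack_into("<II", mbr, offset + 8, start, count)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def demo():
    """Write the sample MBR to a temp file standing in for a device, then extract and parse it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sda")
        with open(path, "wb") as f:
            f.write(build_sample_mbr() + b"\x00" * SECTOR)
        return parse_mbr(extract_mbr(path))


if __name__ == "__main__":
    info = demo()
    print(f"disk signature 0x{info['disk_signature']:08X}, signature ok: {info['signature_ok']}")
    for p in info["partitions"]:
        print(f"  #{p['index']} {'*' if p['bootable'] else ' '} {p['type']:14} LBA {p['lba_start']}-{p['lba_end']}")
    print("unallocated:", unallocated_gaps(info, 409600))
```

A deleted partition leaves its data in place and only loses its 16-byte entry, so the gap list is the starting point for the partition recovery tools listed earlier: each gap is scanned for a boot sector (an NTFS or FAT BPB) that would let the entry be rebuilt. A type 0xEE entry means the real layout is in the GPT that follows, and this parser stops there.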

Understanding File Systems

  • Understanding File Systems

  • Types of File Systems

  • List of Disk File Systems

  • List of Network File Systems

  • List of Special Purpose File Systems

  • List of Shared Disk File Systems

  • Popular Windows File Systems

    • File Allocation Table (FAT)

      • FAT File System Layout

      • FAT Partition Boot Sector

      • FAT Structure

      • FAT Folder Structure

      • Directory Entries and Cluster Chains

      • Filenames on FAT Volumes

      • Examining FAT

      • FAT32

    • New Technology File System (NTFS)

      • NTFS Architecture

      • NTFS System Files

      • NTFS Partition Boot Sector

      • Cluster Sizes of NTFS Volume

      • NTFS Master File Table (MFT)

        • Metadata Files Stored in the MFT

      • NTFS Files and Data Storage

      • NTFS Attributes

      • NTFS Data Stream

      • NTFS Compressed Files

        • Setting the Compression State of a Volume

      • Encrypting File Systems (EFS)

        • Components of EFS

        • Operation of Encrypting File System

        • EFS Attribute

        • Encrypting a File

        • EFS Recovery Key Agent

        • Tool: Advanced EFS Data Recovery

        • Tool: EFS Key

      • Sparse Files

      • Deleting NTFS Files

    • Registry Data

    • Examining Registry Data

    • FAT vs. NTFS

  • Popular Linux File Systems

    • Linux File System Architecture

    • Ext2

    • Ext3

  • Mac OS X File System

    • HFS vs. HFS Plus

    • HFS

    • HFS Plus

      • HFS Plus Volumes

      • HFS Plus Journal

    • Sun Solaris 10 File System: ZFS

    • CD-ROM / DVD File System

    • CDFS

  • RAID Storage System

    • RAID Levels

    • Different RAID Levels

    • Comparing RAID Levels

    • Recover Data from Unallocated Space Using File Carving Process
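A FAT directory entry is 32 bytes (name, extension, attributes, first cluster, size) and the file's clusters are linked through the FAT, as the FAT Structure and Directory Entries and Cluster Chains items above cover. Deleting a file, as What Happens When a File is Deleted in Windows? in the Recovering Deleted Files module describes, marks the entry with 0xE5 and releases the chain but leaves the data clusters and the entry's size and start fields in place. The Python below is an added example for this outline and not course material; it works on a constructed 16-entry FAT16 table and a constructed directory entry, shows the chain before deletion, what deletion leaves behind, and why recovery succeeds only until a cluster is reused.

```python
import struct

ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F
DELETED_MARKER = 0xE5
FAT16_EOC = 0xFFF8       # any FAT16 value >= 0xFFF8 ends a chain; 0 = free cluster
BYTES_PER_CLUSTER = 512  # one sector per cluster in this constructed volume


def parse_dir_entry(raw):
    """Decode one 32-byte FAT short-name directory entry.
    Layout: 0-7 name, 8-10 extension, 11 attributes, 26-27 first cluster
    (low word; FAT32 keeps the high word at 20-21), 28-31 file size."""
    if len(raw) != 32:
        raise ValueError("directory entries are 32 bytes")
    first = raw[0]
    if first == 0x00:
        return None  # end of directory: nothing after this slot was ever used
    attributes = raw[11]
    if attributes == ATTR_LONG_NAME:
        return {"long_name_fragment": True}
    name = raw[0:8].decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    deleted = first == DELETED_MARKER
    if deleted:
        name = "?" + name[1:]  # the first character is overwritten by 0xE5 on deletion
    (first_cluster,) = struct.unpack_from("<H", raw, 26)
    (size,) = struct.unpack_from("<I", raw, 28)
    return {
        "name": f"{name}.{ext}" if ext else name,
        "deleted": deleted,
        "directory": bool(attributes & ATTR_DIRECTORY),
        "first_cluster": first_cluster,
        "size": size,
    }


def follow_chain(fat, start):
    """Walk a FAT16 cluster chain until an end-of-chain marker, a free entry
    (0, as left behind by deletion) or a loop."""
    chain, cluster = [], start
    while 2 <= cluster < FAT16_EOC and cluster not in chain:
        chain.append(cluster)
        cluster = fat[cluster]
    return chain


def make_dir_entry(name, ext, first_cluster, size, attributes=0x20):
    """Build a short-name entry (used here only to construct sample data)."""
    raw = bytearray(32)
    raw[0:8] = name.ljust(8).encode("ascii")
    raw[8:11] = ext.ljust(3).encode("ascii")
    raw[11] = attributes
    struct.pack_into("<H", raw, 26, first_cluster)
    struct.pack_into("<I", raw, 28, size)
    return raw


def delete_file(entry_raw, fat):
    """What the file system does on delete: the chain is released (FAT entries
    set to 0) and the entry's first byte becomes 0xE5. The data clusters and
    the size/first-cluster fields are untouched, which is what makes undelete possible."""
    (first_cluster,) = struct.unpack_from("<H", entry_raw, 26)
    for cluster in follow_chain(fat, first_cluster):
        fat[cluster] = 0
    entry_raw[0] = DELETED_MARKER


def recover_clusters(entry, fat):
    """Undelete heuristic: the chain is gone, so assume the file was contiguous
    and claim ceil(size / cluster) clusters from first_cluster, stopping at the
    first cluster that has since been reallocated (a non-zero FAT entry)."""
    needed = -(-entry["size"] // BYTES_PER_CLUSTER)
    recovered = []
    for cluster in range(entry["first_cluster"], entry["first_cluster"] + needed):
        if cluster >= len(fat) or fat[cluster] != 0:
            break
        recovered.append(cluster)
    return recovered


def demo():
    """Constructed 16-entry FAT16 table: REPORT.DOC occupies clusters 3-4-5 and
    NOTES.TXT cluster 6. Returns the entry before and after deletion, the
    recoverable clusters, and the same after cluster 4 is reused by a new file."""
    fat = [0] * 16
    fat[0], fat[1] = 0xFFF8, 0xFFFF  # reserved media-descriptor entries
    fat[3], fat[4], fat[5] = 4, 5, 0xFFFF
    fat[6] = 0xFFFF
    report = make_dir_entry("REPORT", "DOC", 3, 1100)  # 1100 bytes -> 3 clusters
    result = {"before": parse_dir_entry(bytes(report)), "chain": follow_chain(fat, 3)}
    delete_file(report, fat)
    result["after"] = parse_dir_entry(bytes(report))
    result["recovered"] = recover_clusters(result["after"], fat)
    fat[4] = 0xFFFF  # another file is written into cluster 4
    result["recovered_after_reuse"] = recover_clusters(result["after"], fat)
    return result


if __name__ == "__main__":
    r = demo()
    print(r["before"]["name"], "chain:", r["chain"])
    print(r["after"]["name"], "deleted:", r["after"]["deleted"], "recoverable:", r["recovered"])
    print("after cluster 4 reused, recoverable:", r["recovered_after_reuse"])
```

The contiguity assumption is what every FAT undelete tool in the lists above makes; a fragmented file recovers with foreign data in the middle, and the last cluster's slack beyond the recorded size still holds whatever was there before. NTFS behaves differently (the MFT record is marked unused and the cluster bitmap cleared), which the Deleting NTFS Files item covers.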

File System Analysis Using The Sleuth Kit (TSK)

  • The Sleuth Kit (TSK)
    • The Sleuth Kit (TSK): fsstat

    • The Sleuth Kit (TSK): istat

    • The Sleuth Kit (TSK): fls and img_stat


Setting a Computer Forensics Lab

Setting a Computer Forensics Lab

  • Computer Forensics Lab

  • Planning for a Forensics Lab

  • Budget Allocation for a Forensics Lab

  • Physical Location Needs of a Forensics Lab

  • Structural Design Considerations

  • Environmental Conditions

  • Electrical Needs

  • Communication Needs

  • Work Area of a Computer Forensics Lab

  • Ambience of a Forensics Lab

  • Ambience of a Forensics Lab: Ergonomics

  • Physical Security Recommendations

  • Fire-Suppression Systems

  • Evidence Locker Recommendations

  • Computer Forensic Investigator

  • Law Enforcement Officer

  • Lab Director

  • Forensics Lab Licensing Requisite

  • Features of the Laboratory Imaging System

  • Technical Specification of the Laboratory-Based Imaging System

  • Forensics Lab

  • Auditing a Computer Forensics Lab

  • Recommendations to Avoid Eyestrain

Investigative Services in Computer Forensics

  • Computer Forensics Investigative Services

  • Computer Forensic Investigative Service Sample

  • Computer Forensics Services: PenrodEllis Forensic Data Discovery

  • Data Destruction Industry Standards

  • Computer Forensics Services

Computer Forensics Hardware

  • Equipment Required in a Forensics Lab

  • Forensic Workstations

  • Basic Workstation Requirements in a Forensics Lab

  • Stocking the Hardware Peripherals

  • Paraben Forensics Hardware

    • Handheld First Responder Kit

    • Wireless StrongHold Bag

    • Wireless StrongHold Box

    • Passport StrongHold Bag

    • Device Seizure Toolbox

    • Project-a-Phone

    • Lockdown

    • iRecovery Stick

    • Data Recovery Stick

    • Chat Stick

    • USB Serial DB9 Adapter

    • Mobile Field Kit

  • Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop

  • Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower

  • Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

  • Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II

  • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

  • Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon

  • Portable Forensic Systems and Towers: Ultimate Forensic Machine

  • Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES

  • Tableau T3u Forensic SATA Bridge Write Protection Kit

  • Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

  • Tableau TACC 1441 Hardware Accelerator

    • Multiple TACC1441 Units

  • Tableau TD1 Forensic Duplicator

  • Power Supplies and Switches

  • Digital Intelligence Forensic Hardware

    • FRED SR (Dual Xeon)

    • FRED-L

    • FRED SC

    • Forensic Recovery of Evidence Data Center (FREDC)

    • Rack-A-TACC

    • FREDDIE

    • UltraKit

    • UltraBay II

    • UltraBlock SCSI

    • Micro Forensic Recovery of Evidence Device (µFRED)

    • HardCopy 3P

  • Wiebetech

    • Forensics DriveDock v4

    • Forensics UltraDock v4

    • Drive eRazer

    • v4 Combo Adapters

    • ProSATA SS8

    • HotPlug

  • CelleBrite

    • UFED System

    • UFED Physical Pro

    • UFED Ruggedized

  • DeepSpar

    • Disk Imager Forensic Edition

    • 3D Data Recovery

    • Phase 1 Tool: PC-3000 Drive Restoration System

    • Phase 2 Tool: DeepSpar Disk Imager

    • Phase 3 Tool: PC-3000 Data Extractor

  • InfinaDyne Forensic Products

    • Robotic Loader Extension for CD/DVD Inspector

    • Robotic System Status Light

  • Image MASSter

    • Solo-4 (Super Kit)

    • RoadMASSter- 3

    • WipeMASSter

    • WipePRO

    • Rapid Image 7020CS IT

  • Logicube

    • Forensic MD5

    • Forensic Talon®

    • Portable Forensic Lab™

    • CellDEK®

    • Forensic Quest-2®

    • NETConnect™

    • RAID I/O Adapter™

    • GPStamp™

    • OmniPort

    • Desktop WritePROtects

    • USB Adapter

    • CloneCard Pro

    • EchoPlus

    • OmniClone IDE Laptop Adapters

    • Cables

  • VoomTech

    • HardCopy 3P

    • SHADOW 2

Computer Forensics Software

  • Basic Software Requirements in a Forensic Lab

  • Maintain Operating System and Application Inventories

  • Imaging Software

    • R-drive Image

    • P2 eXplorer Pro

    • AccuBurn-R for CD/DVD Inspector

    • Flash Retriever Forensic Edition

  • File Conversion Software

    • FileMerlin

    • SnowBatch®

    • Zamzar

  • File Viewer Software
    • File Viewer

    • Quick View Plus 11 Standard Edition

  • Analysis Software

    • P2 Commander

    • DriveSpy

    • SIM Card Seizure

    • CD/DVD Inspector

    • Video Indexer (Vindex™)

  • Monitoring Software

    • Device Seizure

    • Deployable P2 Commander (DP2C)

    • ThumbsDisplay

    • Email Detective

  • Computer Forensics Software

    • DataLifter

    • X-Ways Forensics

    • LiveWire Investigator

 


First Responder Procedures

Electronic Evidence

First Responder

Roles of First Responder

Electronic Devices: Types and Collecting Potential Evidence

First Responder Toolkit

  • First Responder Toolkit

  • Creating a First Responder Toolkit

  • Evidence Collecting Tools and Equipment

First Response Basics

  • First Response Rule

  • Incident Response: Different Situations

  • First Response for System Administrators

  • First Response by Non-Laboratory Staff

  • First Response by Laboratory Forensics Staff

Securing and Evaluating Electronic Crime Scene

  • Securing and Evaluating Electronic Crime Scene: A Checklist

  • Securing the Crime Scene

  • Warrant for Search and Seizure

  • Planning the Search and Seizure

  • Initial Search of the Scene

  • Health and Safety Issues

Conducting Preliminary Interviews

  • Questions to Ask When Client Calls the Forensic Investigator

  • Consent

  • Sample of Consent Search Form

  • Witness Signatures

  • Conducting Preliminary Interviews

  • Conducting Initial Interviews

  • Witness Statement Checklist

Documenting Electronic Crime Scene

  • Documenting Electronic Crime Scene

  • Photographing the Scene

  • Sketching the Scene

  • Video Shooting the Crime Scene

Collecting and Preserving Electronic Evidence

  • Collecting and Preserving Electronic Evidence

  • Order of Volatility

  • Dealing with Powered On Computers

  • Dealing with Powered Off Computers

  • Dealing with Networked Computer

  • Dealing with Open Files and Startup Files

  • Operating System Shutdown Procedure

  • Computers and Servers

  • Preserving Electronic Evidence

  • Seizing Portable Computers

  • Switched On Portables

  • Collecting and Preserving Electronic Evidence

Packaging and Transporting Electronic Evidence

  • Evidence Bag Contents List

  • Packaging Electronic Evidence

  • Exhibit Numbering

  • Transporting Electronic Evidence

  • Handling and Transportation to the Forensics Laboratory

  • Storing Electronic Evidence

  • Chain of Custody

  • Simple Format of the Chain of Custody Document

  • Chain of Custody Forms

  • Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet

Reporting the Crime Scene

  • Reporting the Crime Scene

Note Taking Checklist

First Responder Common Mistakes

 

 


Digital Evidence

Digital Data

  • Definition of Digital Evidence

  • Increasing Awareness of Digital Evidence

  • Challenging Aspects of Digital Evidence

  • The Role of Digital Evidence

  • Characteristics of Digital Evidence

  • Fragility of Digital Evidence

  • Anti-Digital Forensics (ADF)

Types of Digital Data

  • Types of Digital Data

Rules of Evidence

  • Rules of Evidence

  • Best Evidence Rule

  • Federal Rules of Evidence

  • International Organization on Computer Evidence (IOCE)

  • IOCE International Principles for Digital Evidence

  • Scientific Working Group on Digital Evidence (SWGDE)

  • SWGDE Standards for the Exchange of Digital Evidence

Electronic Devices: Types and Collecting Potential Evidence

  • Electronic Devices: Types and Collecting Potential Evidence

Digital Evidence Examination Process

  • Evidence Assessment
    • Evidence Assessment

    • Prepare for Evidence Acquisition

  • Evidence Acquisition

    • Preparation for Searches

    • Seizing the Evidence

    • Imaging

    • Bit-Stream Copies

    • Write Protection

    • Evidence Acquisition

    • Evidence Acquisition from Crime Location

    • Acquiring Evidence from Storage Devices

    • Collecting Evidence

    • Collecting Evidence from RAM

    • Collecting Evidence from a Standalone Network Computer

    • Chain of Custody

    • Chain of Evidence Form

  • Evidence Preservation

    • Preserving Digital Evidence: Checklist

    • Preserving Removable Media

    • Handling Digital Evidence

    • Store and Archive

    • Digital Evidence Findings

  • Evidence Examination and Analysis

    • Evidence Examination

    • Physical Extraction

    • Logical Extraction

    • Analyze Host Data

    • Analyze Storage Media

    • Analyze Network Data

    • Analysis of Extracted Data

    • Timeframe Analysis

    • Data Hiding Analysis

    • Application and File Analysis

    • Ownership and Possession

  • Evidence Documentation and Reporting

    • Documenting the Evidence

    • Evidence Examiner Report

    • Final Report of Findings

    • Computer Evidence Worksheet

    • Hard Drive Evidence Worksheet

    • Removable Media Worksheet

Electronic Crime and Digital Evidence Consideration by Crime Category

  • Electronic Crime and Digital Evidence Consideration by Crime Category

Searching and Seizing Computers

Searching and Seizing Computers without a Warrant

  • Searching and Seizing Computers without a Warrant

  • § A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles

  • § A.1: Reasonable Expectation of Privacy in Computers as Storage Devices

  • § A.3: Reasonable Expectation of Privacy and Third-Party Possession

  • § A.4: Private Searches

  • § A.5: Use of Technology to Obtain Information

  • § B: Exceptions to the Warrant Requirement in Cases Involving Computers

  • § B.1: Consent

  • § B.1.a: Scope of Consent

  • § B.1.b: Third-Party Consent

  • § B.1.c: Implied Consent

  • § B.2: Exigent Circumstances

  • § B.3: Plain View

  • § B.4: Search Incident to a Lawful Arrest

  • § B.5: Inventory Searches

  • § B.6: Border Searches

  • § B.7: International Issues

  • § C: Special Case: Workplace Searches

  • § C.1: Private Sector Workplace Searches

  • § C.2: Public-Sector Workplace Searches

Searching and Seizing Computers with a Warrant

  • Searching and Seizing Computers with a Warrant

  • A: Successful Search with a Warrant

  • A.1: Basic Strategies for Executing Computer Searches

  • § A.1.a: When Hardware is itself Contraband, Evidence, or an Instrumentality or Fruit of Crime

  • § A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime

  • § A.2: The Privacy Protection Act

  • § A.2.a: The Terms of the Privacy Protection Act

  • § A.2.b: Application of the PPA to Computer Searches and Seizures

  • § A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)

  • § A.4: Considering the Need for Multiple Warrants in Network Searches

  • § A.5: No-Knock Warrants

  • § A.6: Sneak-and-Peek Warrants

  • § A.7: Privileged Documents

  • § B: Drafting the Warrant and Affidavit

  • § B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant

  • § B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”

  • § B.2: Establish Probable Cause in the Affidavit

  • § B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search

  • § C: Post-Seizure Issues

  • § C.1: Searching Computers Already in Law Enforcement Custody

  • § C.2: The Permissible Time Period for Examining Seized Computers

  • § C.3: Rule 41(e) Motions for Return of Property

The Electronic Communications Privacy Act

  • The Electronic Communications Privacy Act

  • § A. Providers of Electronic Communication Service vs. Remote Computing Service

  • § B. Classifying Types of Information Held by Service Providers

  • § C. Compelled Disclosure Under ECPA

  • § D. Voluntary Disclosure

  • § E. Working with Network Providers

Electronic Surveillance in Communications Networks

  • Electronic Surveillance in Communications Networks

  • A. Content vs. Addressing Information

  • B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127

  • C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522

  • § C.1: Exceptions to Title III

  • § D. Remedies for Violations of Title III and the Pen/Trap Statute

Evidence

  • Evidence

  • § A. Authentication

  • § B. Hearsay

  • § C. Other Issues

Computer Forensics Investigation Process

Investigating Computer Crime

  • Before the Investigation

  • Build a Forensics Workstation

  • Building the Investigation Team

  • People Involved in Computer Forensics

  • Review Policies and Laws

  • Forensics Laws

  • Notify Decision Makers and Acquire Authorization

  • Risk Assessment

  • Build a Computer Investigation Toolkit

Steps to Prepare for a Computer Forensics Investigation

Computer Forensics Investigation Methodology

  • Obtain Search Warrant
    • Example of Search Warrant

    • Searches Without a Warrant

  • Evaluate and Secure the Scene

    • Forensics Photography

    • Gather the Preliminary Information at the Scene

    • First Responder

  • Collect the Evidence

    • Collect Physical Evidence

      • Evidence Collection Form

    • Collect Electronic Evidence

    • Guidelines for Acquiring Evidence

  • Secure the Evidence

    • Evidence Management

    • Chain of Custody

      • Chain of Custody Form

  • Acquire the Data

    • Duplicate the Data (Imaging)

    • Verify Image Integrity

      • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

    • Recover Lost or Deleted Data

      • Data Recovery Software

  • Analyze the Data

    • Data Analysis

    • Data Analysis Tools

  • Assess Evidence and Case

    • Evidence Assessment

    • Case Assessment

    • Processing Location Assessment

    • Best Practices to Assess the Evidence

  • Prepare the Final Report

    • Documentation in Each Phase

    • Gather and Organize Information

    • Writing the Investigation Report

    • Sample Report

  • Testifying as an Expert Witness

    • Expert Witness

    • Testifying in the Court Room

    • Closing the Case

    • Maintaining Professional Conduct

    • Investigating a Company Policy Violation

    • Computer Forensics Service Providers

Computer Forensics in Today's World

Forensics Science

Computer Forensics

  • Security Incident Report

  • Aspects of Organizational Security

  • Evolution of Computer Forensics

  • Objective of Computer Forensics

  • Need for Computer Forensics

Forensics Readiness

  • Benefits of Forensics Readiness

  • Goals of Forensics Readiness

  • Forensics Readiness Planning

Cyber Crime

  • Computer Facilitated Crimes

  • Modes of Attacks

  • Examples of Cyber Crime

  • Types of Computer Crimes

  • Cyber Criminals

  • Organized Cyber Crime: Organizational Chart

  • How Serious are Different Types of Incidents?

  • Disruptive Incidents to the Business

  • Cost Expenditure Responding to the Security Incident

Cyber Crime Investigation

  • Key Steps in Forensics Investigation

  • Rules of Forensics Investigation

  • Need for Forensics Investigator

  • Role of Forensics Investigator

  • Accessing Computer Forensics Resources

  • Role of Digital Evidence

Corporate Investigations

  • Understanding Corporate Investigations

  • Approach to Forensics Investigation: A Case Study

  • Instructions for the Forensic Investigator to Approach the Crime Scene

  • Why and When Do You Use Computer Forensics?

  • Enterprise Theory of Investigation (ETI)

  • Legal Issues

  • Reporting the Results

Reporting a Cyber Crime

  • Why You Should Report Cybercrime

  • Reporting Computer-Related Crimes

  • Person Assigned to Report the Crime

  • When and How to Report an Incident?

  • Who to Contact at Law Enforcement

  • Federal Local Agents Contact

  • More Contacts

  • CIO Cyberthreat Report Form

TRINITY TECHNOLOGIES

Computer Forensics in Today's World Forensics Science

Forensics Science

Computer Forensics

  • Security Incident Report

  • Aspects of Organizational Security

  • Evulution of Computer Forensics

  • Objective of Computer Forensics

  • Need for Compute Forensics

Forensics Readiness

  • Benefits of Forensics Readiness

  • Goals of Forensics Readiness

  • Forensics Readiness Planning

Cyber Crime

  • omputer Facilitated Crimes

  • Modes of Attacks

  • Examples of Cyber Crime

  • Types of Computer Crimes

  • Cyber Criminals

  • Organized Cyber Crime: Organizational Chart

  • How Serious are Different Types of Incidents?

  • Disruptive Incidents to the Business

  • Cost Expenditure Responding to the Security Incident

Cyber Crime Investigation

  • Key Steps in Forensics Investigation

  • Rules of Forensics Investigation

  • Need for Forensics Investigator

  • Rule of Forensics Investigator

  • Accessing Computer Forensics Resources

  • Rule of Digital Evidence

Corporate Investigations

  • Understanding Corporate Investigations

  • Approach to Forensics Investigation: A Case Study

  • Instructions for the Forensic Investigator to Approach the Crime Scene

  • Why and When Do You Use Computer Forensics?

  • Enterprise Theory of Investigation (ETI)

  • Legal Issues

  • Reporting the Results

Reporting a Cyber Crime

  • Why you Should Report Cybercrime?

  • Reporting Computer-Related Crimes

  • Person Assigned to Report the Crime

  • When and How to Report an Incident?

  • Who to Contact at the Law Enforcement?

  • Federal Local Agents Contact

  • More Contacts

  • CIO Cyberthreat Report Form

Computer Forensics Investigation Process

Investigating Computer Crime

  • Before the Investigation

  • Build a Forensics Workstation

  • Building the Investigation Team

  • People Invulved in Computer Forensics

  • Review Pulicies and Laws

  • Forensics Laws

  • Notify Decision Makers and Acquire Authorization

  • Risk Assessment

  • Build a Computer Investigation Toulkit

Steps to Prepare for a Computer Forensics Investigation

Computer Forensics Investigation Methodulogy

  • Obtain Search Warrant
    • Example of Search Warrant

    • Searches Without a Warrant

  • Evaluate and Secure the Scene

    • Forensics Photography

    • Gather the Preliminary Information at the Scene

    • First Responder

  • Cullect the Evidence

    • Cullect Physical Evidence

      • Evidence Cullection Form

    • Cullect Electronic Evidence

    • Guidelines for Acquiring Evidence

  • Secure the Evidence

    • Evidence Management

    • Chain of Custody

      • Chain of Custody Form

  • Acquire the Data

    • Duplicate the Data (Imaging)

    • Verify Image Integrity

      • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

    • Recover Lost or Deleted Data

      • Data Recovery Software

  • Analyze the Data

    • Data Analysis

    • Data Analysis Touls

  • Assess Evidence and Case

    • Evidence Assessment

    • Case Assessment

    • Processing Location Assessment

    • Best Practices to Assess the Evidence

  • Prepare the Final Report

    • Documentation in Each Phase

    • Gather and Organize Information

    • Writing the Investigation Report

    • Sample Report

  • Testifying as an Expert Witness

    • Expert Witness

    • Testifying in the Court Room

    • Closing the Case

    • Maintaining Professional Conduct

    • Investigating a Company Pulicy Viulation

    • Computer Forensics Service Providers

Computer Forensics Lab

Setting a Computer Forensics Lab

  • Computer Forensics Lab

  • Planning for a Forensics Lab

  • Budget Allocation for a Forensics Lab

  • Physical Location Needs of a Forensics Lab

  • Structural Design Considerations

  • Environmental Conditions

  • Electrical Needs

  • Communication Needs

  • Work Area of a Computer Forensics Lab

  • Ambience of a Forensics Lab

  • Ambience of a Forensics Lab: Ergonomics

  • Physical Security Recommendations

  • Fire-Suppression Systems

  • Evidence Locker Recommendations

  • Computer Forensic Investigator

  • Law Enforcement Officer

  • Lab Director

  • Forensics Lab Licensing Requisite

  • Features of the Laboratory Imaging System

  • Technical Specification of the Laboratory-Based Imaging System

  • Forensics Lab

  • Auditing a Computer Forensics Lab

  • Recommendations to Avoid Eyestrain

Investigative Services in Computer Forensics

  • Computer Forensics Investigative Services

  • Computer Forensic Investigative Service Sample

  • Computer Forensics Services: PenrodEllis Forensic Data Discovery

  • Data Destruction Industry Standards

  • Computer Forensics Services

Computer Forensics Hardware

  • Equipment Required in a Forensics Lab

  • Forensic Workstations

  • Basic Workstation Requirements in a Forensics Lab

  • Stocking the Hardware Peripherals

  • Paraben Forensics Hardware

    • Handheld First Responder Kit

    • Wireless StrongHold Bag

    • Wireless StrongHold Box

    • Passport StrongHold Bag

    • Device Seizure Toolbox

    • Project-a-Phone

    • Lockdown

    • iRecovery Stick

    • Data Recovery Stick

    • Chat Stick

    • USB Serial DB9 Adapter

    • Mobile Field Kit

  • Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop

  • Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower

  • Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

  • Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II

  • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

  • Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon

  • Portable Forensic Systems and Towers: Ultimate Forensic Machine

  • Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES

  • Tableau T3u Forensic SATA Bridge Write Protection Kit

  • Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

  • Tableau TACC 1441 Hardware Accelerator

    • Multiple TACC1441 Units

  • Tableau TD1 Forensic Duplicator

  • Power Supplies and Switches

  • Digital Intelligence Forensic Hardware

    • FRED SR (Dual Xeon)

    • FRED-L

    • FRED SC

    • Forensic Recovery of Evidence Data Center (FREDC)

    • Rack-A-TACC

    • FREDDIE

    • UltraKit

    • UltraBay II

    • UltraBlock SCSI

    • Micro Forensic Recovery of Evidence Device (µFRED)

    • HardCopy 3P

  • Wiebetech

    • Forensics DriveDock v4

    • Forensics UltraDock v4

    • Drive eRazer

    • v4 Combo Adapters

    • ProSATA SS8

    • HotPlug

  • CelleBrite

    • UFED System

    • UFED Physical Pro

    • UFED Ruggedized

  • DeepSpar

    • Disk Imager Forensic Edition

    • 3D Data Recovery

    • Phase 1 Tool: PC-3000 Drive Restoration System

    • Phase 2 Tool: DeepSpar Disk Imager

    • Phase 3 Tool: PC-3000 Data Extractor

  • InfinaDyne Forensic Products

    • Robotic Loader Extension for CD/DVD Inspector

    • Robotic System Status Light

  • Image MASSter

    • Solo-4 (Super Kit)

    • RoadMASSter-3

    • WipeMASSter

    • WipePRO

    • Rapid Image 7020CS IT

  • Logicube

    • Forensic MD5

    • Forensic Talon®

    • Portable Forensic Lab™

    • CellDEK®

    • Forensic Quest-2®

    • NETConnect™

    • RAID I/O Adapter™

    • GPStamp™

    • OmniPort

    • Desktop WritePROtects

    • USB Adapter

    • CloneCard Pro

    • EchoPlus

    • OmniClone IDE Laptop Adapters

    • Cables

  • VoomTech

    • HardCopy 3P

    • SHADOW 2

Computer Forensics Software

  • Basic Software Requirements in a Forensic Lab

  • Maintain Operating System and Application Inventories

  • Imaging Software

    • R-drive Image

    • P2 eXplorer Pro

    • AccuBurn-R for CD/DVD Inspector

    • Flash Retriever Forensic Edition

  • File Conversion Software

    • FileMerlin

    • SnowBatch®

    • Zamzar

  • File Viewer Software
    • File Viewer

    • Quick View Plus 11 Standard Edition

  • Analysis Software

    • P2 Commander

    • DriveSpy

    • SIM Card Seizure

    • CD/DVD Inspector

    • Video Indexer (Vindex™)

  • Monitoring Software

    • Device Seizure

    • Deployable P2 Commander (DP2C)

    • ThumbsDisplay

    • Email Detective

  • Computer Forensics Software

    • DataLifter

    • X-Ways Forensics

    • LiveWire Investigator

Understanding Hard Disks and File Systems

Hard Disk Drive Overview

  • Disk Drive Overview

  • Hard Disk Drive

  • Solid-State Drive (SSD)

  • Physical Structure of a Hard Disk

  • Logical Structure of Hard Disk

  • Types of Hard Disk Interfaces

  • Hard Disk Interfaces

    • ATA

    • SCSI

    • IDE/EIDE

    • USB

    • Fibre Channel

  • Disk Platter

  • Tracks

    • Track Numbering

  • Sector

    • Advanced Format: Sectors

    • Sector Addressing

  • Cluster

    • Cluster Size

    • Changing the Cluster Size

    • Slack Space

    • Lost Clusters

  • Bad Sector

  • Hard Disk Data Addressing

  • Disk Capacity Calculation

  • Measuring the Performance of the Hard Disk

Disk Partitions and Boot Process

  • Disk Partitions

  • Master Boot Record

    • Structure of a Master Boot Record

  • What is the Booting Process?

  • Essential Windows System Files

  • Windows Boot Process

  • Macintosh Boot Process

  • http://www.bootdisk.com

Understanding File Systems

  • Understanding File Systems

  • Types of File Systems

  • List of Disk File Systems

  • List of Network File Systems

  • List of Special Purpose File Systems

  • List of Shared Disk File Systems

  • Popular Windows File Systems

    • File Allocation Table (FAT)

      • FAT File System Layout

      • FAT Partition Boot Sector

      • FAT Structure

      • FAT Folder Structure

      • Directory Entries and Cluster Chains

      • Filenames on FAT Volumes

      • Examining FAT

      • FAT32

    • New Technology File System (NTFS)

      • NTFS Architecture

      • NTFS System Files

      • NTFS Partition Boot Sector

      • Cluster Sizes of NTFS Volume

      • NTFS Master File Table (MFT)

        • Metadata Files Stored in the MFT

      • NTFS Files and Data Storage

      • NTFS Attributes

      • NTFS Data Stream

      • NTFS Compressed Files

        • Setting the Compression State of a Volume

      • Encrypting File Systems (EFS)

        • Components of EFS

        • Operation of Encrypting File System

        • EFS Attribute

        • Encrypting a File

        • EFS Recovery Key Agent

        • Tool: Advanced EFS Data Recovery

        • Tool: EFS Key

      • Sparse Files

      • Deleting NTFS Files

    • Registry Data

    • Examining Registry Data

    • FAT vs. NTFS

  • Popular Linux File Systems

    • Linux File System Architecture

    • Ext2

    • Ext3

  • Mac OS X File System

    • HFS vs. HFS Plus

    • HFS

    • HFS Plus

      • HFS Plus Volumes

      • HFS Plus Journal

    • Sun Solaris 10 File System: ZFS

    • CD-ROM / DVD File System

    • CDFS

  • RAID Storage System

    • RAID Levels

    • Different RAID Levels

    • Comparing RAID Levels

    • Recover Data from Unallocated Space Using File Carving Process

File System Analysis Using The Sleuth Kit (TSK)

  • The Sleuth Kit (TSK)

    • The Sleuth Kit (TSK): fsstat

    • The Sleuth Kit (TSK): istat

    • The Sleuth Kit (TSK): fls and img_stat

Windows Forensics

Collecting Volatile Information

  • Volatile Information

    • System Time

    • Logged-on Users

      • Psloggedon

      • Net Sessions Command

      • LogonSessions Tool

    • Open Files

      • Net File Command

      • PsFile Utility

      • OpenFiles Command

    • Network Information

    • Network Connections

    • Process Information

    • Process-to-Port Mapping

    • Process Memory

    • Network Status

    • Other Important Information

Collecting Non-volatile Information

  • Non-volatile Information
    • Examine File Systems

    • Registry Settings

    • Microsoft Security ID

    • Event Logs

    • Index.dat File

    • Devices and Other Information

    • Slack Space

    • Virtual Memory

    • Swap File

    • Windows Search Index

    • Collecting Hidden Partition Information

    • Hidden ADS Streams

      • Investigating ADS Streams: StreamArmor

    • Other Non-Volatile Information

Windows Memory Analysis

  • Memory Dump

  • EProcess Structure

  • Process Creation Mechanism

  • Parsing Memory Contents

  • Parsing Process Memory

  • Extracting the Process Image

  • Collecting Process Memory

Windows Registry Analysis

  • Inside the Registry

  • Registry Structure within a Hive File

  • The Registry as a Log File

  • Registry Analysis

  • System Information

  • TimeZone Information

  • Shares

  • Audit Policy

  • Wireless SSIDs

  • Autostart Locations

  • System Boot

  • User Login

  • User Activity

  • Enumerating Autostart Registry Locations

  • USB Removable Storage Devices

  • Mounted Devices

  • Finding Users

  • Tracking User Activity

  • The UserAssist Keys

  • MRU Lists

  • Search Assistant

  • Connecting to Other Systems

  • Analyzing Restore Point Registry Settings

  • Determining the Startup Locations

Cache, Cookie, and History Analysis

  • Cache, Cookie, and History Analysis in IE

  • Cache, Cookie, and History Analysis in Firefox

  • Cache, Cookie, and History Analysis in Chrome

  • Analysis Tools

    • IE Cookies View

    • IE Cache View

    • IE History Viewer

    • MozillaCookiesView

    • MozillaCacheView

    • MozillaHistoryView

    • ChromeCookiesView

    • ChromeCacheView

    • ChromeHistoryView

MD5 Calculation

  • Message Digest Function: MD5

  • Why MD5 Calculation?

  • MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

  • MD5 Checksum Verifier

  • ChaosMD5

Windows File Analysis

  • Recycle Bin

  • System Restore Points (Rp.log Files)

  • System Restore Points (Change.log.x Files)

  • Prefetch Files

  • Shortcut Files

  • Word Documents

  • PDF Documents

  • Image Files

  • File Signature Analysis

  • NTFS Alternate Data Streams

  • Executable File Analysis

  • Documentation Before Analysis

  • Static Analysis Process

  • Search Strings

  • PE Header Analysis

  • Import Table Analysis

  • Export Table Analysis

  • Dynamic Analysis Process

  • Creating Test Environment

  • Collecting Information Using Tools

  • Process of Testing the Malware

Metadata Investigation

  • Metadata

  • Types of Metadata

  • Metadata in Different File Systems

  • Metadata in PDF Files

  • Metadata in Word Documents

  • Tool: Metadata Analyzer

Text Based Logs

  • Understanding Events

  • Event Logon Types

  • Event Record Structure

  • Vista Event Logs

  • IIS Logs

    • Parsing IIS Logs

  • Parsing FTP Logs

    • FTP sc-status Codes

  • Parsing DHCP Server Logs

  • Parsing Windows Firewall Logs

  • Using the Microsoft Log Parser

Other Audit Events

  • Evaluating Account Management Events

  • Examining Audit Policy Change Events

  • Examining System Log Entries

  • Examining Application Log Entries

Forensic Analysis of Event Logs

  • Searching with Event Viewer

  • Using EnCase to Examine Windows Event Log Files

  • Windows Event Log Files Internals

Windows Password Issues

  • Understanding Windows Password Storage

  • Cracking Windows Passwords Stored on Running Systems

  • Exploring Windows Authentication Mechanisms

    • LanMan Authentication Process

    • NTLM Authentication Process

    • Kerberos Authentication Process

  • Sniffing and Cracking Windows Authentication Exchanges

  • Cracking Offline Passwords

Forensic Tools

  • Windows Forensics Tool: OS Forensics

  • Windows Forensics Tool: Helix3 Pro

  • Integrated Windows Forensics Software: X-Ways Forensics

  • X-Ways Trace

  • Windows Forensic Toolchest (WFT)

  • Built-in Tool: Sigverif

  • Computer Online Forensic Evidence Extractor (COFEE)

  • System Explorer

  • Tool: System Scanner

  • Secret Explorer

  • Registry Viewer Tool: Registry Viewer

  • Registry Viewer Tool: Reg Scanner

  • Registry Viewer Tool: Alien Registry Viewer

  • MultiMon

  • CurrProcess

  • Process Explorer

  • Security Task Manager

  • PrcView

  • ProcHeapViewer

  • Memory Viewer

  • Tool: PMDump

  • Word Extractor

  • Belkasoft Evidence Center

  • Belkasoft Browser Analyzer

  • Metadata Assistant

  • HstEx

  • XpoLog Center Suite

  • LogViewer Pro

  • Event Log Explorer

  • LogMeister

  • ProDiscover Forensics

  • PyFlag

  • LiveWire Investigator

  • ThumbsDisplay

  • DriveLook

Data Acquisition and Duplication

Data Acquisition and Duplication Concepts

  • Data Acquisition

  • Forensic and Procedural Principles

  • Types of Data Acquisition Systems

  • Data Acquisition Formats

  • Bit Stream vs. Backups

  • Why to Create a Duplicate Image?

  • Issues with Data Duplication

  • Data Acquisition Methods

  • Determining the Best Acquisition Method

  • Contingency Planning for Image Acquisitions

  • Data Acquisition Mistakes

Data Acquisition Types

  • Rules of Thumb

  • Static Data Acquisition

    • Collecting Static Data

    • Static Data Collection Process

  • Live Data Acquisition

    • Why Volatile Data is Important?

    • Volatile Data

    • Order of Volatility

    • Common Mistakes in Volatile Data Collection

    • Volatile Data Collection Methodology

    • Basic Steps in Collecting Volatile Data

    • Types of Volatile Information

Disk Acquisition Tool Requirements

  • Disk Imaging Tool Requirements

  • Disk Imaging Tool Requirements: Mandatory

  • Disk Imaging Tool Requirements: Optional

Validation Methods

  • Validating Data Acquisitions

  • Linux Validation Methods

  • Windows Validation Methods

RAID Data Acquisition

  • Understanding RAID Disks

  • Acquiring RAID Disks

  • Remote Data Acquisition

Acquisition Best Practices

  • Acquisition Best Practices

Data Acquisition Software Tools

  • Acquiring Data on Windows

  • Acquiring Data on Linux

  • dd Command

  • dcfldd Command

  • Extracting the MBR

  • Netcat Command

  • EnCase Forensic

  • Analysis Software: DriveSpy

  • ProDiscover Forensics

  • AccessData FTK Imager

  • Mount Image Pro

  • Data Acquisition Toolbox

  • SafeBack

  • ILookPI

  • RAID Recovery for Windows

  • R-Tools R-Studio

  • F-Response

  • PyFlag

  • LiveWire Investigator

  • ThumbsDisplay

  • DataLifter

  • X-Ways Forensics

  • R-drive Image

  • DriveLook

  • DiskExplorer

  • P2 eXplorer Pro

  • Flash Retriever Forensic Edition

Data Acquisition Hardware Tools

  • US-LATT

  • Image MASSter: Solo-4 (Super Kit)

  • Image MASSter: RoadMASSter-3

  • Tableau TD1 Forensic Duplicator

  • Logicube: Forensic MD5

  • Logicube: Portable Forensic Lab™

  • Logicube: Forensic Talon®

  • Logicube: RAID I/O Adapter™

  • DeepSpar: Disk Imager Forensic Edition

  • Logicube: USB Adapter

  • Disk Jockey PRO

  • Logicube: Forensic Quest-2®

  • Logicube: CloneCard Pro

  • Logicube: EchoPlus

  • Paraben Forensics Hardware: Chat Stick

  • Image MASSter: Rapid Image 7020CS IT

  • Digital Intelligence Forensic Hardware: UltraKit

  • Digital Intelligence Forensic Hardware: UltraBay II

  • Digital Intelligence Forensic Hardware: UltraBlock SCSI

  • Digital Intelligence Forensic Hardware: HardCopy 3P

  • Wiebetech: Forensics DriveDock v4

  • Wiebetech: Forensics UltraDock v4

  • Image MASSter: WipeMASSter

  • Image MASSter: WipePRO

  • Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

  • Forensic Tower IV Dual Xeon

  • Digital Intelligence Forensic Hardware: FREDDIE

  • DeepSpar: 3D Data Recovery

    • Phase 1 Tool: PC-3000 Drive Restoration System

    • Phase 2 Tool: DeepSpar Disk Imager

    • Phase 3 Tool: PC-3000 Data Extractor

  • Logicube
    • Cables

    • Adapters

    • GPStamp™

    • OmniPort

    • CellDEK®

  • Paraben Forensics Hardware

    • Project-a-Phone

    • Mobile Field Kit

    • iRecovery Stick

  • CelleBrite

    • UFED System

    • UFED Physical Pro

Recovering Deleted Files and Deleted Partitions

Recovering the Deleted Files

  • Deleting Files

  • What Happens When a File is Deleted in Windows?

  • Recycle Bin in Windows

    • Storage Locations of Recycle Bin in FAT and NTFS System

    • How the Recycle Bin Works

    • Damaged or Deleted INFO File

    • Damaged Files in Recycled Folder

    • Damaged Recycle Folder

  • File Recovery in MAC OS X

  • File Recovery in Linux

File Recovery Tools for Windows

  • Recover My Files

  • EASEUS Data Recovery Wizard

  • PC INSPECTOR File Recovery

  • Recuva

  • DiskDigger

  • Handy Recovery

  • Quick Recovery

  • Stellar Phoenix Windows Data Recovery

  • Tools to Recover Deleted Files

    • Total Recall

    • Advanced Disk Recovery

    • Windows Data Recovery Software

    • R-Studio

    • PC Tools File Recover

    • Data Rescue PC

    • Smart Undelete

    • FileRestore Professional

    • Deleted File Recovery Software

    • DDR Professional Recovery Software

    • Data Recovery Pro

    • GetDataBack

    • UndeletePlus

    • Search and Recover

    • File Scavenger

    • Filesaver

    • Virtual Lab

    • Active@ UNDELETE

    • Win Undelete

    • R-Undelete

    • Recover4all Professional

    • eData Unerase

    • Active@ File Recovery

    • FinalRecovery

File Recovery Tools for MAC

  • MAC File Recovery

  • MAC Data Recovery

  • Boomerang Data Recovery Software

  • VirtualLab

  • File Recovery Tools for MAC OS X

    • DiskWarrior

    • AppleXsoft File Recovery for MAC

    • Disk Doctors MAC Data Recovery

    • R-Studio for MAC

    • Data Rescue

    • Stellar Phoenix MAC Data Recovery

    • FileSalvage

    • TechTool Pro

File Recovery Tools for Linux

  • R-Studio for Linux

  • Quick Recovery for Linux

  • Kernel for Linux Data Recovery

  • TestDisk for Linux

Recovering the Deleted Partitions

  • Disk Partition

  • Deletion of Partition

  • Recovery of the Deleted Partition

Partition Recovery Tools

  • Active@ Partition Recovery for Windows

  • Acronis Recovery Expert

  • DiskInternals Partition Recovery

  • NTFS Partition Data Recovery

  • GetDataBack

  • EASEUS Partition Recovery

  • Advanced Disk Recovery

  • Power Data Recovery

  • Remo Recover (MAC) - Pro

  • MAC Data Recovery Software

  • Quick Recovery for Linux

  • Stellar Phoenix Linux Data Recovery Software

  • Tools to Recover Deleted Partitions

    • Handy Recovery

    • TestDisk for Windows

    • Stellar Phoenix Windows Data Recovery

    • ARAX Disk Doctor

    • Power Data Recovery

    • Quick Recovery for MAC

    • Partition Find & Mount

    • Advance Data Recovery Software Tools

    • TestDisk for MAC

    • Kernel for FAT and NTFS – Windows Disk Recovery

    • Disk Drill

    • Stellar Phoenix MAC Data Recovery

    • ZAR Windows Data Recovery

    • AppleXsoft File Recovery for MAC

    • Quick Recovery for FAT & NTFS

    • TestDisk for Linux

Forensics Investigation using Access Data FTK

Overview and Installation of FTK

  • Overview of Forensic Toolkit (FTK)

  • Features of FTK

  • Software Requirement

  • Configuration Option

  • Database Installation

  • FTK Application Installation

FTK Case Manager User Interface

  • Case Manager Window
    • Case Manager Database Menu
      • Setting Up Additional Users and Assigning Roles
    • Case Manager Case Menu
      • Assigning Users Shared Label Visibility
    • Case Manager Tools Menu
      • Recovering Processing Jobs

      • Restoring an Image to a Disk

    • Case Manager Manage Menu

      • Managing Carvers

      • Managing Custom Identifiers

FTK Examiner User Interface

  • FTK Examiner User Interface
    • Menu Bar: File Menu
      • Exporting Files

      • Exporting Case Data to a Custom Content Image

      • Exporting the Word List

    • Menu Bar: Edit Menu

    • Menu Bar: View Menu

    • Menu Bar: Evidence Menu

    • Menu Bar: Tools Menu

      • Verifying Drive Image Integrity

      • Mounting an Image to a Drive

    • File List View

      • Using Labels

      • Creating and Applying a Label

Starting with FTK

  • Creating a case

  • Selecting Detailed Options: Evidence Processing

  • Selecting Detailed Options: Fuzzy Hashing

  • Selecting Detailed Options: Data Carving

  • Selecting Detailed Options: Custom File Identification

  • Selecting Detailed Options: Evidence Refinement (Advanced)

  • Selecting Detailed Options: Index Refinement (Advanced)

FTK Interface Tabs

  • FTK Interface Tabs
    • Explore Tab

    • Overview Tab

    • Email Tab

    • Graphics Tab

    • Bookmarks Tab

    • Live Search Tabs

    • Volatile Tab

Adding and Processing Static, Live, and Remote Evidence

  • Adding Evidence to a Case

  • Evidence Groups

  • Acquiring Local Live Evidence

  • FTK Role Requirements For Remote Acquisition

  • Types of Remote Information

  • Acquiring Data Remotely Using Remote Device Management System (RDMS)

  • Imaging Drives

  • Mounting and Unmounting a Device

Using and Managing Filters

  • Accessing Filter Tools

  • Using Filters

  • Customizing Filters

  • Using Predefined Filters

Using Index Search and Live Search

  • Conducting an Index Search
    • Selecting Index Search Options

    • Viewing Index Search Results

    • Documenting Search Results

  • Conducting a Live Search: Live Text Search

  • Conducting a Live Search: Live Hex Search

  • Conducting a Live Search: Live Pattern Search

Decrypting EFS and other Encrypted Files

  • Decrypting EFS Files and Folders

  • Decrypting MS Office Files

  • Viewing Decrypted Files

  • Decrypting Domain Account EFS Files from Live Evidence

  • Decrypting Credant Files

  • Decrypting Safeboot Files

Working with Reports

  • Creating a Report

  • Entering Case Information

  • Managing Bookmarks in a Report

  • Managing Graphics in a Report

  • Selecting a File Path List

  • Adding a File Properties List

  • Making Registry Selections

  • Selecting the Report Output Options

  • Customizing the Formatting of Reports

  • Viewing and Distributing a Report

Forensics Investigation Using EnCase

Overview of EnCase Forensic

  • Overview of EnCase Forensic

  • EnCase Forensic Features

  • EnCase Forensic Platform

  • EnCase Forensic Modules

Installing EnCase Forensic

  • Minimum Requirements

  • Installing the Examiner

  • Installed Files

  • Installing the EnCase Modules

  • Configuring EnCase

    • Configuring EnCase: Case Options Tab

    • Configuring EnCase: Global Tab

    • Configuring EnCase: Debug Tab

    • Configuring EnCase: Colors Tab and Fonts Tab

    • Configuring EnCase: EnScript Tab and Storage Paths Tab

  • Sharing Configuration (INI) Files

EnCase Interface

  • Main EnCase Window
    • System Menu Bar

    • Toolbar

    • Panes Overview

      • Tree Pane

      • Table Pane

      • Table Pane: Table Tab

      • Table Pane: Report Tab

      • Table Pane: Gallery Tab

      • Table Pane: Timeline Tab

      • Table Pane: Disk Tab and Code Tab

    • View Pane

    • Filter Pane

      • Filter Pane Tabs

      • Creating a Filter

      • Creating Conditions

    • Status Bar

Case Management

  • Overview of Case Structure

  • Case Management

  • Indexing a Case

  • Case Backup

  • Options Dialog Box

  • Logon Wizard

  • New Case Wizard

  • Setting Time Zones for Case Files

  • Setting Time Zone Options for Evidence Files

Working with Evidence

  • Types of Entries

  • Adding a Device

    • Adding a Device using Tableau Write Blocker

  • Performing a Typical Acquisition

  • Acquiring a Device

  • Canceling an Acquisition

  • Acquiring a Handspring PDA

  • Delayed Loading of Internet Artifacts

  • Hashing the Subject Drive

  • Logical Evidence File (LEF)

  • Creating a Logical Evidence File

  • Recovering Folders on FAT Volumes

  • Restoring a Physical Drive

Source Processor

  • Source Processor

  • Starting to Work with Source Processor

  • Setting Case Options

  • Collection Jobs

    • Creating a Collection Job

    • Copying a Collection Job

    • Running a Collection Job

  • Analysis Jobs

    • Creating an Analysis Job

    • Running an Analysis Job

  • Creating a Report

Analyzing and Searching Files

  • Viewing the File Signature Directory

  • Performing a Signature Analysis

  • Hash Analysis

  • Hashing a New Case

  • Creating a Hash Set

  • Keyword Searches

  • Creating Global Keywords

  • Adding Keywords

  • Importing and Exporting Keywords

  • Searching Entries for Email and Internet Artifacts

  • Viewing Search Hits

  • Generating an Index

  • Tag Records

Viewing File Content

  • Viewing Files

  • Copying and Unerasing Files

  • Adding a File Viewer

  • Viewing File Content Using View Pane

  • Viewing Compound Files

  • Viewing Base64 and UUE Encoded Files

Bookmarking Items

  • Bookmarks Overview

  • Creating a Highlighted Data Bookmark

  • Creating a Note Bookmark

  • Creating a Folder Information/Structure Bookmark

  • Creating a Notable File Bookmark

  • Creating a File Group Bookmark

  • Creating a Log Record Bookmark

  • Creating a Snapshot Bookmark

  • Organizing Bookmarks

  • Copying/Moving a Table Entry into a Folder

  • Viewing a Bookmark on the Table Report Tab

  • Excluding Bookmarks

  • Copying Selected Items from One Folder to Another

Reporting

  • Reporting

  • Report User Interface

  • Creating a Report Using the Report Tab

  • Report Single/Multiple Files

  • Viewing a Bookmark Report

  • Viewing an Email Report

  • Viewing a Webmail Report

  • Viewing a Search Hits Report

  • Creating a Quick Entry Report

  • Creating an Additional Fields Report

  • Exporting a Report

Steganography and Image File Forensics

Steganography

  • What is Steganography?

  • How Steganography Works

  • Legal Use of Steganography

  • Unethical Use of Steganography

Steganography Techniques

  • Steganography Techniques

  • Application of Steganography

  • Classification of Steganography

  • Technical Steganography

  • Linguistic Steganography

  • Types of Steganography

    • Image Steganography

      • Least Significant Bit Insertion

      • Masking and Filtering

      • Algorithms and Transformation

      • Image Steganography: Hermetic Stego

      • Steganography Tool: S-Tools

      • Image Steganography Tools

        • ImageHide

        • QuickStego

        • Gifshuffle

        • OutGuess

        • Contraband

        • Camera/Shy

        • JPHIDE and JPSEEK

        • StegaNote

    • Audio Steganography

      • Audio Steganography Methods

      • Audio Steganography: Mp3stegz

      • Audio Steganography Tools

        • MAXA Security Tools

        • Stealth Files

        • Audiostegano

        • BitCrypt

        • MP3Stego

        • Steghide

        • Hide4PGP

        • CHAOS Universal

    • Video Steganography

      • Video Steganography: MSU StegoVideo

      • Video Steganography Tools

        • Masker

        • Max File Encryption

        • Xiao Steganography

        • RT Steganography

        • Our Secret

        • BDV DataHider

        • CHAOS Universal

        • OmniHide PRO

    • Document Steganography: wbStego

      • Byte Shelter I

      • Document Steganography Tools

        • Merge Streams

        • Office XML

        • CryptArkan

        • Data Stash

        • FoxHole

        • Xidie Security Suite

        • StegParty

        • Hydan

    • Whitespace Steganography Tool: SNOW

    • Folder Steganography: Invisible Secrets 4

      • Folder Steganography Tools

        • StegoStick

        • QuickCrypto

        • Max Folder Secure

        • WinMend Folder Hidden

        • PSM Encryptor

        • XPTools

        • Universal Shield

        • Hide My Files

    • Spam/Email Steganography: Spam Mimic

  • Steganographic File System

  • Issues in Information Hiding

Steganalysis

  • Steganalysis

  • How to Detect Steganography

  • Detecting Text, Image, Audio, and Video Steganography

  • Steganalysis Methods/Attacks on Steganography

  • Disabling or Active Attacks

  • Steganography Detection Tool: Stegdetect

  • Steganography Detection Tools

    • Xstegsecret

    • Stego Watch

    • StegAlyzerAS

    • StegAlyzerRTS

    • StegSpy

    • Gargoyle Investigator™ Forensic Pro

    • StegAlyzerSS

    • StegMark

Image Files

  • Image Files

  • Common Terminologies

  • Understanding Vector Images

  • Understanding Raster Images

  • Metafile Graphics

  • Understanding Image File Formats

  • GIF (Graphics Interchange Format)

  • JPEG (Joint Photographic Experts Group)

    • JPEG File Structure

    • JPEG 2000

  • BMP (Bitmap) File

    • BMP File Structure

  • PNG (Portable Network Graphics)

    • PNG File Structure

  • TIFF (Tagged Image File Format)

    • TIFF File Structure

Data Compression

  • Understanding Data Compression

  • How Does File Compression Work?

  • Lossless Compression

  • Huffman Coding Algorithm

  • Lempel-Ziv Coding Algorithm

  • Lossy Compression

  • Vector Quantization

Locating and Recovering Image Files

  • Best Practices for Forensic Image Analysis

  • Forensic Image Processing Using MATLAB

  • Locating and Recovering Image Files

  • Analyzing Image File Headers

  • Repairing Damaged Headers

  • Reconstructing File Fragments

  • Identifying Unknown File Formats

  • Identifying Image File Fragments

  • Identifying Copyright Issues on Graphics

  • Picture Viewer: IrfanView

  • Picture Viewer: ACDSee Photo Manager 12

  • Picture Viewer: Thumbsplus

  • Picture Viewer: AD Picture Viewer Lite

  • Picture Viewer Max

  • Picture Viewer: FastStone Image Viewer

  • Picture Viewer: XnView

  • Faces – Sketch Software

  • Digital Camera Data Discovery Software: File Hound

Image File Forensics Tools

  • Hex Workshop

  • GFE Stealth™ - Forensics Graphics File Extractor

  • Ilook

  • Adroit Photo Forensics 2011

  • Digital Photo Recovery

  • Stellar Phoenix Photo Recovery Software

  • Zero Assumption Recovery (ZAR)

  • Photo Recovery Software

  • Forensic Image Viewer

  • File Finder

  • DiskGetor Data Recovery

  • DERescue Data Recovery Master

  • Recover My Files

  • Universal Viewer

Application Password Crackers

Password Cracking Concepts

  • Password Terminology

  • Password Types

  • Password Cracker

  • How Does a Password Cracker Work?

  • How Hash Passwords are Stored in Windows SAM

Types of Password Attacks

  • Password Cracking Techniques

  • Types of Password Attacks

  • Passive Online Attacks: Wire Sniffing

  • Password Sniffing

  • Passive Online Attack: Man-in-the-Middle and Replay Attack

  • Active Online Attack: Password Guessing

  • Active Online Attack: Trojan/Spyware/keylogger

  • Active Online Attack: Hash Injection Attack

  • Rainbow Attacks: Pre-Computed Hash

  • Distributed Network Attack

    • Elcomsoft Distributed Password Recovery
  • Non-Electronic Attacks

  • Manual Password Cracking (Guessing)

  • Automatic Password Cracking Algorithm

  • Time Needed to Crack Passwords

Classification of Cracking Software

Systems Software vs. Applications Software

System Software Password Cracking

  • Bypassing BIOS Passwords
    • Using Manufacturer’s Backdoor Password to Access the BIOS

    • Using Password Cracking Software

      • CmosPwd

    • Resetting the CMOS using the Jumpers or Solder Beads

    • Removing CMOS Battery

    • Overloading the Keyboard Buffer and Using a Professional Service

  • Tool to Reset Admin Password: Active@ Password Changer

  • Tool to Reset Admin Password: Windows Key

Application Software Password Cracking

  • Passware Kit Forensic

  • Accent Keyword Extractor

  • Distributed Network Attack

  • Password Recovery Bundle

  • Advanced Office Password Recovery

  • Office Password Recovery

  • Office Password Recovery Toolbox

  • Office Multi-document Password Cracker

  • Word Password Recovery Master

  • Accent WORD Password Recovery

  • Word Password

  • PowerPoint Password Recovery

  • PowerPoint Password

  • Powerpoint Key

  • Stellar Phoenix Powerpoint Password Recovery

  • Excel Password Recovery Master

  • Accent EXCEL Password Recovery

  • Excel Password

  • Advanced PDF Password Recovery

  • PDF Password Cracker

  • PDF Password Cracker Pro

  • Atomic PDF Password Recovery

  • PDF Password

  • Recover PDF Password

  • Appnimi PDF Password Recovery

  • Advanced Archive Password Recovery

  • KRyLack Archive Password Recovery

  • Zip Password

  • Atomic ZIP Password Recovery

  • RAR Password Unlocker

  • Default Passwords

  • http://www.defaultpassword.com

  • http://www.cirt.net/passwords

  • http://default-password.info

  • http://www.defaultpassword.us

  • http://www.passwordsdatabase.com

  • http://www.virus.org

Password Cracking Tools

  • L0phtCrack

  • OphCrack

  • Cain & Abel

  • RainbowCrack

  • Windows Password Unlocker

  • Windows Password Breaker

  • SAMInside

  • PWdump7 and Fgdump

  • PCLoginNow

  • KerbCrack

  • Recover Keys

  • Windows Password Cracker

  • Proactive System Password Recovery

  • Password Unlocker Bundle

  • Windows Password Reset Professional

  • Windows Password Reset Standard

  • Krbpwguess

  • Password Kit

  • WinPassword

  • Passware Kit Enterprise

  • Rockxp

  • PasswordsPro

  • LSASecretsView

  • LCP

  • MessenPass

  • Mail PassView

  • Messenger Key

  • Dialupass

  • Protected Storage PassView

  • Network Password Recovery

  • Asterisk Key

  • IE PassView

Log Capturing and Event Correlation

Computer Security Logs

  • Computer Security Logs

  • Operating System Logs

  • Application Logs

  • Security Software Logs

  • Router Log Files

  • Honeypot Logs

  • Linux Process Accounting

  • Logon Events in Windows

  • Windows Log File

    • Configuring Windows Logging

    • Analyzing Windows Logs

    • Windows Log File: System Logs

    • Windows Log File: Application Logs

    • Logon Events that appear in the Security Event Log

  • IIS Logs

    • IIS Log File Format

    • Maintaining Credible IIS Log Files

  • Log File Accuracy

  • Log Everything

  • Keeping Time

  • UTC Time

  • View the DHCP Logs

    • Sample DHCP Audit Log File

  • ODBC Logging

Logs and Legal Issues

  • Legality of Using Logs

  • Records of Regularly Conducted Activity as Evidence

  • Laws and Regulations

Log Management

  • Log Management
    • Functions of Log Management

    • Challenges in Log Management

    • Meeting the Challenges in Log Management

Centralized Logging and Syslogs

  • Centralized Logging
    • Centralized Logging Architecture

    • Steps to Implement Central Logging

  • Syslog

    • Syslog in Unix-Like Systems

  • IIS Centralized Binary Logging

Time Synchronization

  • Why Synchronize Computer Times?

  • What is NTP?

    • NTP Stratum Levels

  • NIST Time Servers

  • Configuring Time Server in Windows Server

Event Correlation

  • Event Correlation
    • Types of Event Correlation

    • Prerequisites for Event Correlation

    • Event Correlation Approaches

Log Capturing and Analysis Tools

  • GFI EventsManager

  • Activeworx Security Center

  • EventLog Analyzer

  • Syslog-ng OSE

  • Kiwi Syslog Server

  • WinSyslog

  • Firewall Analyzer: Log Analysis Tool

  • Activeworx Log Center

  • EventReporter

  • Kiwi Log Viewer

  • Event Log Explorer

  • WebLog Expert

  • XpoLog Center Suite

  • ELM Event Log Monitor

  • EventSentry

  • LogMeister

  • LogViewer Pro

  • WinAgents EventLog Translation Service

  • EventTracker Enterprise

  • Corner Bowl Log Manager

  • Ascella Log Monitor Plus

  • FLAG - Forensic and Log Analysis GUI

  • Simple Event Correlator (SEC)

  • OSSEC

Network Forensics, Investigating Logs and Investigating Network Traffic

Network Forensics

  • Network Forensics

  • Network Forensics Analysis Mechanism

  • Network Addressing Schemes

  • Overview of Network Protocols

  • Overview of Physical and Data-Link Layer of the OSI Model

  • Overview of Network and Transport Layer of the OSI Model

  • OSI Reference Model

  • TCP/IP Protocol

  • Intrusion Detection Systems (IDS) and Their Placement

    • How IDS Works

    • Types of Intrusion Detection Systems

    • General Indications of Intrusions

  • Firewall

  • Honeypot

Network Attacks

  • Network Vulnerabilities

  • Types of Network Attacks

    • IP Address Spoofing

    • Man-in-the-Middle Attack

    • Packet Sniffing

      • How a Sniffer Works

    • Enumeration

    • Denial of Service Attack

    • Session Sniffing

    • Buffer Overflow

    • Trojan Horse

  • Log Injection Attacks

    • New Line Injection Attack

      • New Line Injection Attack Countermeasure

    • Separator Injection Attack

      • Defending Separator Injection Attacks

    • Timestamp Injection Attack

      • Defending Timestamp Injection Attacks

    • Word Wrap Abuse Attack

      • Defending Word Wrap Abuse Attacks

    • HTML Injection Attack

      • Defending HTML Injection Attacks

    • Terminal Injection Attack

      • Defending Terminal Injection Attacks

Investigating and Analyzing Logs

  • Postmortem and Real-Time Analysis

  • Where to Look for Evidence

  • Log Capturing Tool: ManageEngine EventLog Analyzer

  • Log Capturing Tool: ManageEngine Firewall Analyzer

  • Log Capturing Tool: GFI EventsManager

  • Log Capturing Tool: Kiwi Syslog Server

  • Handling Logs as Evidence

  • Log File Authenticity

  • Use Signatures, Encryption, and Checksums

  • Work with Copies

  • Ensure System’s Integrity

  • Access Control

  • Chain of Custody

  • Condensing Log File

Investigating Network Traffic

  • Why Investigate Network Traffic?

  • Evidence Gathering via Sniffing

  • Capturing Live Data Packets Using Wireshark

    • Display Filters in Wireshark

    • Additional Wireshark Filters

  • Acquiring Traffic Using DNS Poisoning Techniques

    • Intranet DNS Spoofing (Local Network)

    • Intranet DNS Spoofing (Remote Network)

    • Proxy Server DNS Poisoning

    • DNS Cache Poisoning

  • Evidence Gathering from ARP Table

  • Evidence Gathering at the Data-Link Layer: DHCP Database

  • Gathering Evidence by IDS

Traffic Capturing and Analysis Tools

  • NetworkMiner

  • Tcpdump/Windump

  • Intrusion Detection Tool: Snort

    • How Snort Works

  • IDS Policy Manager

  • MaaTec Network Analyzer

  • Iris Network Traffic Analyzer

  • NetWitness Investigator

  • Colasoft Capsa Network Analyzer

  • Sniff - O - Matic

  • NetResident

  • Network Probe

  • NetFlow Analyzer

  • OmniPeek Network Analyzer

  • Firewall Evasion Tool: Traffic IQ Professional

  • NetworkView

  • CommView

  • Observer

  • SoftPerfect Network Protocol Analyzer

  • EffeTech HTTP Sniffer

  • Big-Mother

  • EtherDetect Packet Sniffer

  • Ntop

  • EtherApe

  • AnalogX Packetmon

  • IEInspector HTTP Analyzer

  • SmartSniff

  • Distinct Network Monitor

  • Give Me Too

  • EtherSnoop

  • Show Traffic

  • Argus

Documenting the Evidence Gathered on a Network

Investigating Wireless Attacks

Wireless Technologies

  • Wireless Networks

  • Wireless Terminologies

  • Wireless Components

  • Types of Wireless Networks

  • Wireless Standards

  • MAC Filtering

  • Service Set Identifier (SSID)

  • Types of Wireless Encryption: WEP

  • Types of Wireless Encryption: WPA

  • Types of Wireless Encryption: WPA2

  • WEP vs. WPA vs. WPA2

Wireless Attacks

  • Wi-Fi Chalking

    • Wi-Fi Chalking Symbols

  • Access Control Attacks

  • Integrity Attacks

  • Confidentiality Attacks

  • Availability Attacks

  • Authentication Attacks

Investigating Wireless Attacks

  • Key Points to Remember

  • Steps for Investigation

    • Obtain a Search Warrant

    • Identify Wireless Devices at Crime Scene

      • Search for Additional Devices

      • Detect Rogue Access Point

    • Document the Scene and Maintain a Chain of Custody

    • Detect the Wireless Connections

      • Methodologies to Detect Wireless Connections

      • Wi-Fi Discovery Tool: inSSIDer

      • GPS Mapping

        • GPS Mapping Tool: WIGLE

        • GPS Mapping Tool: Skyhook

      • How to Discover Wi-Fi Networks Using Wardriving

      • Check for MAC Filtering

      • Changing the MAC Address

      • Detect WAPs using the Nessus Vulnerability Scanner

      • Capturing Wireless Traffic

        • Sniffing Tool: Wireshark

        • Follow TCP Stream in Wireshark

        • Display Filters in Wireshark

        • Additional Wireshark Filters

      • Determine Wireless Field Strength

        • Determine Wireless Field Strength: FSM

        • Determine Wireless Field Strength: ZAP Checker Products

        • What is Spectrum Analysis?

      • Map Wireless Zones & Hotspots

      • Connect to Wireless Network

        • Connect to the Wireless Access Point

        • Access Point Data Acquisition and Analysis: Attached Devices

        • Access Point Data Acquisition and Analysis: LAN TCP/IP Setup

        • Access Point Data Acquisition and Analysis

          • Firewall Analyzer

          • Firewall Log Analyzer

      • Wireless Devices Data Acquisition and Analysis

      • Report Generation

Features of a Good Wireless Forensics Tool

Wireless Forensics Tools

  • Wi-Fi Discovery Tools

    • NetStumbler

    • NetSurveyor

    • Vistumbler

    • WirelessMon

    • Kismet

    • AirPort Signal

    • WiFi Hopper

    • Wavestumbler

    • iStumbler

    • WiFinder

    • Meraki WiFi Stumbler

    • Wellenreiter

    • AirCheck Wi-Fi Tester

    • AirRadar 2

  • Wi-Fi Packet Sniffers

    • OmniPeek

    • CommView for Wi-Fi

    • Wi-Fi USB Dongle: AirPcap

    • tcpdump

    • KisMAC

    • Aircrack-ng Suite

    • AirMagnet WiFi Analyzer

  • Wardriving Tools

    • MiniStumbler

    • Airbase

    • ApSniff

    • WiFiFoFum

    • StumbVerter

    • ClassicStumbler

    • Driftnet

    • WarLinux

  • RF Monitoring Tools

    • NetworkManager

    • KWiFiManager

    • NetworkControl

    • KOrinoco

    • KWaveControl

    • Aphunter

    • Qwireless

    • SigMon

  • Wi-Fi Connection Manager Tools

    • Aironet Wireless LAN

    • Boingo

    • HandyWi

    • Avanquest Connection Manager

    • Intel PROSet

    • Odyssey Access Client

    • WiFi-Manager

    • QuickLink Mobile

  • Wi-Fi Traffic Analyzer Tools

    • AirMagnet WiFi Analyzer

    • Cascade Pilot Personal Edition

    • OptiView® XG Network Analysis Tablet

    • Network Packet Analyzer

    • Network Observer

    • Ufasoft Snif

    • CommView for WiFi

    • Network Assistant

  • Wi-Fi Raw Packet Capturing Tools

    • WirelessNetView

    • Pirni Sniffer

    • Tcpdump

    • Airview

  • Wi-Fi Spectrum Analyzing Tools

    • Cisco Spectrum Expert

    • AirMedic

    • BumbleBee

    • Wi-Spy

Investigating Web Attacks

Introduction to Web Applications and Webservers

  • Introduction to Web Applications

  • Web Application Components

  • How Web Applications Work

  • Web Application Architecture

  • Open Source Webserver Architecture

  • Indications of a Web Attack

  • Web Attack Vectors

  • Why Web Servers are Compromised

  • Impact of Webserver Attacks

  • Website Defacement

  • Case Study

Web Logs

  • Overview of Web Logs

  • Application Logs

  • Internet Information Services (IIS) Logs

    • IIS Webserver Architecture

    • IIS Log File Format

  • Apache Webserver Logs

  • DHCP Server Logs

Web Attacks

  • Web Attacks - 1

  • Web Attacks - 2

    • Unvalidated Input

    • Parameter/Form Tampering

    • Directory Traversal

    • Security Misconfiguration

    • Injection Flaws

    • SQL Injection Attacks

    • Command Injection Attacks

      • Command Injection Example

    • File Injection Attack

    • What is LDAP Injection?

      • How LDAP Injection Works

    • Hidden Field Manipulation Attack

    • Cross-Site Scripting (XSS) Attacks

      • How XSS Attacks Work

    • Cross-Site Request Forgery (CSRF) Attack

      • How CSRF Attacks Work

    • Web Application Denial-of-Service (DoS) Attack

      • Denial of Service (DoS) Examples

    • Buffer Overflow Attacks

    • Cookie/Session Poisoning

      • How Cookie Poisoning Works

    • Session Fixation Attack

    • Insufficient Transport Layer Protection

    • Improper Error Handling

    • Insecure Cryptographic Storage

    • Broken Authentication and Session Management

    • Unvalidated Redirects and Forwards

    • DMZ Protocol Attack/Zero-Day Attack

    • Log Tampering

    • URL Interpretation and Impersonation Attack

    • Web Services Attack

    • Web Services Footprinting Attack

    • Web Services XML Poisoning

    • Webserver Misconfiguration

    • HTTP Response Splitting Attack

    • Web Cache Poisoning Attack

    • HTTP Response Hijacking

    • SSH Bruteforce Attack

    • Man-in-the-Middle Attack

    • Defacement Using DNS Compromise

Web Attack Investigation

  • Investigating Web Attacks

  • Investigating Web Attacks in Windows-Based Servers

  • Investigating IIS Logs

  • Investigating Apache Logs

  • Example of FTP Compromise

  • Investigating FTP Servers

  • Investigating Static and Dynamic IP Addresses

  • Sample DHCP Audit Log File

  • Investigating Cross-Site Scripting (XSS)

  • Investigating SQL Injection Attacks

  • Pen-Testing CSRF Validation Fields

  • Investigating Code Injection Attack

  • Investigating Cookie Poisoning Attack

  • Detecting Buffer Overflow

  • Investigating Authentication Hijacking

  • Web Page Defacement

  • Investigating DNS Poisoning

  • Intrusion Detection

  • Security Strategies to Web Applications

  • Checklist for Web Security
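Several of the investigation steps above (investigating Apache logs, XSS, SQL injection, directory traversal) come down to the same task: parse the access log, decode each request the way the application would, and look for attack indicators. The Python example below is added as an illustration and is not part of the course or the original page. It assumes Apache's combined log format, uses constructed log lines with documentation IP addresses, and applies a deliberately small set of indicator patterns (assumptions for the demo; a real rule set is far broader). The bounded decode loop matters: the XSS line is double-encoded, so a single URL-decode would miss it.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines for this demo (not a real capture).
SAMPLE_LOG = """\
198.51.100.9 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /search.php?q=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:00:12 +0000] "GET /download.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicator patterns applied to the fully decoded request path (demo assumptions).
INDICATORS = {
    "sqli": re.compile(r"(?i)('\s*(or|and)\s*')|union\s+select|\bsleep\s*\(|;\s*drop\b|--\s*$"),
    "xss": re.compile(r"(?i)<script|javascript:|on(error|load|mouseover)\s*="),
    "traversal": re.compile(r"\.\./|\.\.\\|/etc/passwd|\\windows\\"),
}

def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry

def decode_path(path, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded payloads are seen as the
    application would eventually see them."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def flag_request(path):
    """Tags (sorted) of every indicator class that matches the decoded path."""
    decoded = decode_path(path)
    return sorted(tag for tag, rx in INDICATORS.items() if rx.search(decoded))

def scan(lines):
    """Walk the log and return only the suspicious requests, with decoded paths,
    so the status code shows whether the attempt was likely to have worked."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        tags = flag_request(entry["path"])
        if tags:
            hits.append({"ip": entry["ip"], "time": entry["time"],
                         "status": entry["status"],
                         "path": decode_path(entry["path"]), "tags": tags})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], hit["status"], hit["tags"], hit["path"])
```

Read the status column alongside the tag: a 200 on the SQL injection line is worth far more attention than the 404 on the traversal attempt, and the referer and user-agent fields (also captured by the parser) help group the attacker's session. POST bodies are not in the access log, so this approach only sees attacks carried in the URL.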

Web Attack Detection Tools

  • Web Application Security Tools

    • Acunetix Web Vulnerability Scanner

    • Falcove Web Vulnerability Scanner

    • Netsparker

    • N-Stalker Web Application Security Scanner

    • Sandcat

    • Wikto

    • WebWatchBot

    • OWASP ZAP

    • SecuBat Vulnerability Scanner

    • Websecurify

    • HackAlert

    • WebCruiser

  • Web Application Firewalls

    • dotDefender

    • IBM AppScan

    • ServerDefender VP

  • Web Log Viewers

    • Deep Log Analyzer

    • WebLog Expert

    • AlterWind Log Analyzer

    • Webalizer

    • eWebLog Analyzer

    • Apache Logs Viewer (ALV)

  • Web Attack Investigation Tools

    • AWStats

    • Paros Proxy

    • Scrawlr

Tools for Locating IP Address

  • Whois Lookup

  • SmartWhois

  • ActiveWhois

  • LanWhois

  • CountryWhois

  • CallerIP

  • Hide Real IP

  • IP - Address Manager

  • Pandora FMS

Tracking Emails and Investigating Email Crimes

Email System Basics

  • Email Terminology

  • Email System

  • Email Clients

  • Email Server

  • SMTP Server

  • POP3 and IMAP Servers

  • Email Message

  • Importance of Electronic Records Management

Email Crimes

  • Email Crime

  • Email Spamming

  • Mail Bombing/Mail Storm

  • Phishing

  • Email Spoofing

  • Crime via Chat Room

  • Identity Fraud/Chain Letter

Email Headers

  • Examples of Email Headers

  • List of Common Headers

Steps to Investigate

  • Why to Investigate Emails

  • Investigating Email Crime and Violation

    • Obtain a Search Warrant and Seize the Computer and Email Account

    • Obtain a Bit-by-Bit Image of Email Information

    • Examine Email Headers

      • Viewing Email Headers in Microsoft Outlook

      • Viewing Email Headers in AOL

      • Viewing Email Headers in Hotmail

      • Viewing Email Headers in Gmail

      • Viewing Headers in Yahoo Mail

      • Forging Headers

    • Analyzing Email Headers

      • Email Header Fields

      • Received: Headers

      • Microsoft Outlook Mail

      • Examining Additional Files (.pst or .ost files)

      • Checking the Email Validity

      • Examine the Originating IP Address

    • Trace Email Origin

      • Tracing Back

      • Tracing Back Web-based Email

    • Acquire Email Archives

      • Email Archives

      • Content of Email Archives

      • Local Archive

      • Server Storage Archive

      • Forensic Acquisition of Email Archive

    • Recover Deleted Emails

      • Deleted Email Recovery
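The header-analysis steps above (Received: headers, forged headers, examining the originating IP address, tracing back) can be worked through on a single message. The Python example below is added for illustration and is not course material or code from the original page. It uses a constructed message with documentation IP addresses and assumes that "inbound.example.net" is the investigator's own mail server. Received: headers are prepended by each relay, so the top one is the last hop and the bottom one is closest to the sender; the example reads them bottom-up to find the first non-internal address, and separately walks top-down to find the last hop that was stamped by a server under the investigator's control, since anything below that point could have been forged by the sender.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message for this demo (documentation IPs; not a real capture).
RAW_MESSAGE = (
    "Received: from mx.example.org (mx.example.org [203.0.113.5])\n"
    "\tby inbound.example.net with ESMTPS id abc123;\n"
    "\tMon, 1 Jan 2024 10:00:03 +0000\n"
    "Received: from webmail.example.org (localhost [127.0.0.1])\n"
    "\tby mx.example.org with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000\n"
    "Received: from [10.0.0.7] (unknown [198.51.100.23])\n"
    "\tby webmail.example.org with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000\n"
    "From: Sender <sender@example.org>\n"
    "To: victim@example.net\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Address blocks treated as internal: loopback, link-local, RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def _first(rx, text):
    m = rx.search(text)
    return m.group(1) if m else None

def received_hops(raw):
    """Return the Received: headers as dicts, top (latest hop) first."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())   # unfold and normalise whitespace
        hops.append({"from": _first(FROM_RE, text), "by": _first(BY_RE, text),
                     "ips": IP_RE.findall(text), "raw": text})
    return hops

def is_internal(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True   # unparsable: never treat it as a usable origin
    return any(addr in net for net in INTERNAL_NETS)

def originating_ip(raw):
    """Earliest hop first; the first non-internal address is the apparent origin."""
    for hop in reversed(received_hops(raw)):
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None

def last_verifiable_hop(hops, trusted_servers):
    """Walk down from the top while the header was stamped ('by') by one of our
    own servers. Headers below that point were written by systems outside our
    control and may be forged."""
    last = None
    for hop in hops:
        if hop["by"] not in trusted_servers:
            break
        last = hop
    return last

if __name__ == "__main__":
    hops = received_hops(RAW_MESSAGE)
    for hop in hops:
        print(hop["from"], "->", hop["by"], hop["ips"])
    print("apparent origin:", originating_ip(RAW_MESSAGE))
    print("last verifiable hop:", last_verifiable_hop(hops, {"inbound.example.net"})["raw"])
```

In the sample the apparent origin is 198.51.100.23, but the only fact the investigator can vouch for is that mx.example.org at 203.0.113.5 handed the message to inbound.example.net; confirming the earlier hops means asking the operator of mx.example.org for their own logs, which is the "tracing back" step in the outline.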

Email Forensics Tools

  • Stellar Phoenix Deleted Email Recovery

  • Recover My Email

  • Outlook Express Recovery

  • Zmeil

  • Quick Recovery for MS Outlook

  • Email Detective

  • Email Trace - Email Tracking

  • R-Mail

  • FINALeMAIL

  • eMailTrackerPro

  • Forensic Tool Kit (FTK)

  • Paraben’s email Examiner

  • Network Email Examiner by Paraben

  • DiskInternal’s Outlook Express Repair

  • Abuse.Net

  • MailDetective Tool

Laws and Acts against Email Crimes

  • U.S. Laws Against Email Crime: CAN-SPAM Act

  • 18 U.S.C. § 2252A

  • 18 U.S.C. § 2252B

  • Email Crime Law in Washington: RCW 19.190.020

Mobile Forensics

Mobile Phone

  • Mobile Phone

  • Different Mobile Devices

  • Hardware Characteristics of Mobile Devices

  • Software Characteristics of Mobile Devices

  • Components of Cellular Network

  • Cellular Network

  • Different Cellular Networks

Mobile Operating Systems

  • Mobile Operating Systems

  • Types of Mobile Operating Systems

  • WebOS

    • WebOS System Architecture

  • Symbian OS

    • Symbian OS Architecture

  • Android OS

    • Android OS Architecture

  • RIM BlackBerry OS

  • Windows Phone 7

    • Windows Phone 7 Architecture

  • Apple iOS

Mobile Forensics

  • What Can a Criminal Do with Mobile Phones?

  • Mobile Forensics

  • Mobile Forensics Challenges

  • Forensics Information in Mobile Phones

  • Memory Considerations in Mobiles

  • Subscriber Identity Module (SIM)

  • SIM File System

  • Integrated Circuit Card Identification (ICCID)

  • International Mobile Equipment Identifier (IMEI)

  • Electronic Serial Number (ESN)

  • Precautions to be Taken Before Investigation

Mobile Forensic Process

  • Mobile Forensic Process

    • Collect the Evidence

      • Collecting the Evidence

      • Points to Remember while Collecting the Evidence

      • Collecting iPod/iPhone Connected with Computer

    • Document the Scene and Preserve the Evidence

    • Imaging and Profiling

    • Acquire the Information

      • Device Identification

      • Acquire Data from SIM Cards

      • Acquire Data from Unobstructed Mobile Devices

      • Acquire the Data from Obstructed Mobile Devices

      • Acquire Data from Memory Cards

      • Acquire Data from Synched Devices

      • Gather Data from Network Operator

      • Check Call Data Records (CDRs)

      • Gather Data from SQLite Record

      • Analyze the Information

    • Generate Report

Mobile Forensics Software Tools

  • Oxygen Forensic Suite 2011

  • MOBILedit! Forensic

  • BitPim

  • SIM Analyzer

  • SIMCon

  • SIM Card Data Recovery

  • Memory Card Data Recovery

  • Device Seizure

  • SIM Card Seizure

  • ART (Automatic Reporting Tool)

  • iPod Data Recovery Software

  • Recover My iPod

  • PhoneView

  • Elcomsoft Blackberry Backup Explorer

  • Oxygen Phone Manager II

  • Sanmaxi SIM Recoverer

  • USIMdetective

  • CardRecovery

  • Stellar Phoenix iPod Recovery Software

  • iCare Data Recovery Software

  • Cell Phone Analyzer

  • iXAM

  • BlackBerry Database Viewer Plus

  • BlackBerry Signing Authority Toul

Mobile Forensics Hardware Tools

  • Secure View Kit

  • Deployable Device Seizure (DDS)

  • Paraben's Mobile Field Kit

  • PhoneBase

  • XACT System

  • Logicube CellDEK

  • Logicube CellDEK TEK

  • RadioTactics ACESO

  • UME-36Pro - Universal Memory Exchanger

  • Cellebrite UFED System - Universal Forensic Extraction Device

  • ZRT 2

  • ICD 5200

  • ICD 1300

Investigative Reports

Computer Forensics Report

  • Computer Forensics Report

  • Salient Features of a Good Report

  • Aspects of a Good Report

Computer Forensics Report Template

  • Computer Forensics Report Template

  • Simple Format of the Chain of Custody Document

  • Chain of Custody Forms

  • Evidence Collection Form

  • Computer Evidence Worksheet

  • Hard Drive Evidence Worksheet

  • Removable Media Worksheet

Investigative Report Writing

  • Report Classification

  • Layout of an Investigative Report

    • Layout of an Investigative Report: Numbering

  • Report Specifications

  • Guidelines for Writing a Report

  • Use of Supporting Material

  • Importance of Consistency

  • Investigative Report Format

  • Attachments and Appendices

  • Include Metadata

  • Signature Analysis

  • Investigation Procedures

  • Collecting Physical and Demonstrative Evidence

  • Collecting Testimonial Evidence

  • Do's and Don'ts of Forensic Computer Investigations

  • Case Report Writing and Documentation

  • Create a Report to Attach to the Media Analysis Worksheet

  • Best Practices for Investigators

Sample Forensics Report

  • Sample Forensics Report

Report Writing Using Tools

  • Writing Report Using FTK

  • Writing Report Using ProDiscover

Becoming an Expert Witness

Expert Witness

  • What is an Expert Witness?

  • Role of an Expert Witness

  • What Makes a Good Expert Witness?

Types of Expert Witnesses

  • Computer Forensics Experts

    • Role of Computer Forensics Expert

  • Medical & Psychological Experts

  • Civil Litigation Experts

  • Construction & Architecture Experts

  • Criminal Litigation Experts

Scope of Expert Witness Testimony

  • Scope of Expert Witness Testimony

  • Technical Witness vs. Expert Witness

  • Preparing for Testimony

Evidence Processing

  • Evidence Preparation and Documentation

  • Evidence Processing Steps

  • Checklists for Processing Evidence

  • Examining Computer Evidence

  • Prepare the Report

  • Evidence Presentation

Rules for Expert Witness

  • Rules Pertaining to an Expert Witness’s Qualification

  • Daubert Standard

  • Frye Standard

  • Importance of Resume

  • Testifying in the Court

  • The Order of Trial Proceedings

General Ethics While Testifying

  • General Ethics While Testifying

  • Importance of Graphics in a Testimony

  • Helping your Attorney

  • Avoiding Testimony Issues

  • Testifying during Direct Examination

  • Testifying during Cross-Examination

  • Deposing

  • Recognizing Deposition Problems

  • Guidelines to Testifying at a Deposition

  • Dealing with Media

  • Finding a Computer Forensics Expert