
Download the huge CHFI v8 (Computer Forensics) certification training collection



kingserver
January 26th, 2013, 12:36

http://p30learning.com/wp-content/uploads/CHFIv8.jpg
EC-Council CHFI Computer Hacking Forensic Investigator
This time we bring you a collection that is, without doubt, the dream of information security professionals. The CHFI (Computer Hacking Forensic Investigator) certification is designed to prepare specialists to investigate, detect and combat computer crime. The crimes examined in this field are very broad, and you will learn to collect evidence of criminal acts from files, operating systems, networks, CDs and DVDs, mobile phones, iPod devices, e-mail, the Internet, websites, firewalls, routers and more, and to use that evidence against the offenders.
The video training collection in front of you is produced by the Career Academy training institute; it is 10 gigabytes in size, runs for more than 40 hours, and is delivered in 22 modules.
Below we go through the syllabus of this fine training collection:
Part One – Introduction to this course
Part Two – Introducing students to this training collection and the CHFI certification:
Student Introduction
CHFIv8 Course Outline
EC-Council Certification Program
Computer Hacking Forensic Investigator Track
CHFIv8 Exam Information
What Does CHFI Teach You?
CHFI Class Speed
Let’s Start Forensics Investigation!
Part Three – Computer forensics and its place in today's world:
Module Flow: Computer Forensics
Computer Forensics
Security Incident Report
Aspects of Organizational Security
Evolution of Computer Forensics (Cont’d)
Evolution of Computer Forensics
Objective of Computer Forensics
Need for Computer Forensics
Module Flow: Forensics Readiness
Benefits of Forensics Readiness
Goals of Forensics Readiness
Forensics Readiness Planning
Module Flow: Cyber Crimes
Cyber Crime
Computer Facilitated Crimes
Modes of Attacks
Examples of Cyber Crime (Cont’d)
Examples of Cyber Crime
Types of Computer Crimes
Cyber Criminals
Organized Cyber Crime: Organizational Chart
How Serious are Different Types of Incidents?
Disruptive Incidents to the Business
Cost Expenditure Responding to the Security Incident
Module Flow: Cyber Crime Investigation
Cyber Crime Investigation
Key Steps in Forensics Investigation (Cont’d)
Key Steps in Forensics Investigation
Rules of Forensics Investigation
Need for Forensics Investigator
Role of Forensics Investigator
Accessing Computer Forensics Resources
Role of Digital Evidence
Module Flow: Corporate Investigations
Understanding Corporate Investigations
Approach to Forensics Investigation: A Case Study (Cont’d)
Approach to Forensics Investigation: A Case Study
Instructions for the Forensic Investigator to Approach the Crime Scene
Why and When Do You Use Computer Forensics?
Enterprise Theory of Investigation (ETI)
Legal Issues
Reporting the Results
Module Flow: Reporting a Cyber Crime
Why you Should Report Cybercrime?
Reporting Computer-Related Crimes (Cont’d)
Reporting Computer-Related Crimes
Person Assigned to Report the Crime
When and How to Report an Incident?
Who to Contact at the Law Enforcement
Federal Local Agents Contact (Cont’d)
Federal Local Agents Contact
More Contacts
CIO Cyberthreat Report Form
Module 01 Review
Part Four – The computer forensics investigation process and detecting and combating computer crime:
Computer Forensics Investigation Process
Investigating Computer Crime
Before the Investigation
Build a Forensics Workstation
Building the Investigation Team
People Involved in Computer Forensics
Review Policies and Laws
Forensics Laws (Cont’d)
Forensics Laws
Notify Decision Makers and Acquire Authorization
Risk Assessment
Build a Computer Investigation Toolkit
Steps to Prepare for a Computer Forensics Investigation (Cont’d)
Steps to Prepare for a Computer Forensics Investigation
Computer Forensics Investigation Methodology: Obtain Search Warrant
Obtain Search Warrant
Example of Search Warrant
Searches Without a Warrant
Computer Forensics Investigation Methodology: Evaluate and Secure the Scene
Forensics Photography
Gather the Preliminary Information at the Scene
First Responder
Computer Forensics Investigation Methodology: Collect the Evidence
Collect Physical Evidence
Evidence Collection Form
Collect Electronic Evidence (Cont’d)
Collect Electronic Evidence
Guidelines for Acquiring Evidence
Computer Forensics Investigation Methodology: Secure the Evidence
Secure the Evidence
Evidence Management
Chain of Custody
Chain of Custody Form
Computer Forensics Investigation Methodology: Acquire the Data
Original Evidence Should NEVER Be Used for Analysis
Duplicate the Data (Imaging)
Verify Image Integrity
Demo – HashCalc
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
Recover Lost or Deleted Data
Data Recovery Software
Computer Forensics Investigation Methodology: Analyze the Data
Data Analysis
Data Analysis Tools
Computer Forensics Investigation Methodology: Assess Evidence and Case
Evidence Assessment
Case Assessment (Cont’d)
Case Assessment
Processing Location Assessment
Best Practices to Assess the Evidence
Computer Forensics Investigation Methodology: Prepare the Final Report
Documentation in Each Phase
Gather and Organize Information
Writing the Investigation Report (Cont’d)
Writing the Investigation Report
Sample Report (1 of 7)
Sample Report (2 of 7)
Sample Report (3 of 7)
Sample Report (4 of 7)
Sample Report (5 of 7)
Sample Report (6 of 7)
Sample Report (7 of 7)
Computer Forensics Investigation Methodology: Testify as an Expert Witness
Expert Witness
Testifying in the Court Room
Closing the Case
Maintaining Professional Conduct
Investigating a Company Policy Violation
Computer Forensics Service Providers (Cont’d)
Computer Forensics Service Providers
Module 02 Review
Part Five – Searching computer systems to uncover crime:
Module Flow: Searching and Seizing Computers without a Warrant
Searching and Seizing Computers without a Warrant
Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: Principles
Reasonable Expectation of Privacy in Computers as Storage Devices
Reasonable Expectation of Privacy and Third-Party Possession
Private Searches
Use of Technology to Obtain Information
Exceptions to the Warrant Requirement in Cases Involving Computers
Consent
Scope of Consent
Third-Party Consent
Implied Consent
Exigent Circumstances
Plain View
Search Incident to a Lawful Arrest
Inventory Searches
Border Searches
International Issues
Special Case: Workplace Searches
Private Sector Workplace Searches
Public-Sector Workplace Searches
Module Flow: Searching and Seizing Computers with a Warrant
Searching and Seizing Computers with a Warrant
Successful Search with a Warrant
Basic Strategies for Executing Computer Searches
When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
When Hardware Is Merely a Storage Device for Evidence of Crime
The Privacy Protection Act
The Terms of the Privacy Protection Act
Application of the PPA to Computer Searches and Seizures (Cont’d)
Application of the PPA to Computer Searches and Seizures
Civil Liability Under the Electronic Communications Privacy Act (ECPA)
Considering the Need for Multiple Warrants in Network Searches
No-Knock Warrants
Sneak-and-Peek Warrants
Privileged Documents
Drafting the Warrant and Affidavit
Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments
Defending Computer Search Warrants Against Challenges Based on the “Things to be Seized”
Establish Probable Cause in the Affidavit
Explanation of the Search Strategy and Practical & Legal Considerations
Post-Seizure Issues
Searching Computers Already in Law Enforcement Custody
The Permissible Time Period for Examining Seized Computers
Rule 41(e) Motions for Return of Property
Module Flow: The Electronic Communications Privacy Act
The Electronic Communications Privacy Act
Providers of Electronic Communication Service vs. Remote Computing Service
Classifying Types of Information Held by Service Providers
Compelled Disclosure Under ECPA
Voluntary Disclosure
Working with Network Providers
Module Flow: Electronic Surveillance in Communications Networks
Electronic Surveillance in Communications Networks
Content vs. Addressing Information
The Pen/Trap Statute
The Wiretap Statute (“Title III”)
Exceptions to Title III
Remedies For Violations of Title III and the Pen/Trap Statute
Module Flow: Evidence
Evidence (Cont’d)
Evidence
Authentication
Hearsay
Other Issues
Module 03 Review
Part Six – Collecting digital evidence of crime:
Module Flow: Digital Data
Definition of Digital Evidence
Increasing Awareness of Digital Evidence
Challenging Aspects of Digital Evidence
The Role of Digital Evidence
Characteristics of Digital Evidence
Fragility of Digital Evidence
Anti-Digital Forensics (ADF)
Module Flow: Types of Digital Data
Types of Digital Data (Cont’d)
Types of Digital Data (Cont’d)
Types of Digital Data
Module Flow: Rules of Evidence
Rules of Evidence
Best Evidence Rule
Federal Rules of Evidence (Cont’d)
Federal Rules of Evidence (Cont’d)
Federal Rules of Evidence (Cont’d)
Federal Rules of Evidence (Cont’d)
Federal Rules of Evidence (Cont’d)
Federal Rules of Evidence
International Organization on Computer Evidence (IOCE)
IOCE International Principles for Digital Evidence
Scientific Working Group on Digital Evidence (SWGDE)
SWGDE Standards for the Exchange of Digital Evidence (Cont’d)
SWGDE Standards for the Exchange of Digital Evidence (Cont’d)
SWGDE Standards for the Exchange of Digital Evidence
Module Flow: Electronic Devices: Types and Collecting Potential Evidence
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: Digital Evidence Examination Process
Digital Evidence Examination Process – Evidence Assessment
Evidence Assessment
Prepare for Evidence Acquisition
Digital Evidence Examination Process – Evidence Acquisition
Preparation for Searches
Seizing the Evidence
Imaging
Demo – Disk Sterilization with DD
Bit-Stream Copies
Write Protection
Evidence Acquisition
Evidence Acquisition from Crime Location
Acquiring Evidence from Storage Devices
Demo – Utilizing HD PARM for HD Information
Collecting Evidence (Cont’d)
Collecting Evidence (Cont’d)
Collecting Evidence (Cont’d)
Collecting Evidence
Collecting Evidence from RAM (Cont’d)
Collecting Evidence from RAM
Collecting Evidence from a Standalone Network Computer
Chain of Custody
Chain of Evidence Form
Digital Evidence Examination Process – Evidence Preservation
Preserving Digital Evidence: Checklist (Cont’d)
Preserving Digital Evidence: Checklist (Cont’d)
Preserving Digital Evidence: Checklist (Cont’d)
Preserving Digital Evidence: Checklist
Preserving Removable Media (Cont’d)
Preserving Removable Media
Handling Digital Evidence
Store and Archive
Digital Evidence Findings
Digital Evidence Examination Process – Evidence Examination and Analysis
DO NOT WORK on the Original Evidence
Evidence Examination (Cont’d)
Evidence Examination
Physical Extraction
Logical Extraction
Analyze Host Data
Analyze Storage Media
Analyze Network Data
Analysis of Extracted Data
Timeframe Analysis
Data Hiding Analysis
Application and File Analysis
Ownership and Possession
Digital Evidence Examination Process – Evidence Documentation and Reporting
Documenting the Evidence
Evidence Examiner Report
Final Report of Findings
Computer Evidence Worksheet (Cont’d)
Computer Evidence Worksheet
Hard Drive Evidence Worksheet (Cont’d)
Hard Drive Evidence Worksheet
Removable Media Worksheet
Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont’d)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont’d)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont’d)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont’d)
Electronic Crime and Digital Evidence Consideration by Crime Category (Cont’d)
Electronic Crime and Digital Evidence Consideration by Crime Category
Module 04 Review
Part Seven – First response procedures:
Module Flow: First Responder
Electronic Evidence
First Responder
Roles of First Responder
Electronic Devices: Types and Collecting Potential Evidence (Cont’d)
Electronic Devices: Types and Collecting Potential Evidence
Module Flow: First Responder Toolkit
First Responder Toolkit
Creating a First Responder Toolkit
Evidence Collecting Tools and Equipment (Cont’d)
Evidence Collecting Tools and Equipment (Cont’d)
Evidence Collecting Tools and Equipment
Module Flow: First Response Basics
First Response Rule
Incident Response: Different Situations
First Response for System Administrators
First Response by Non-Laboratory Staff
First Response by Laboratory Forensics Staff (Cont’d)
First Response by Laboratory Forensics Staff
Module Flow: Securing and Evaluating Electronic Crime Scene
Securing and Evaluating Electronic Crime Scene: A Checklist (Cont’d)
Securing and Evaluating Electronic Crime Scene: A Checklist
Securing the Crime Scene
Warrant for Search and Seizure
Planning the Search and Seizure (Cont’d)
Planning the Search and Seizure
Initial Search of the Scene
eNotes
eNotes
Health and Safety Issues
Module Flow: Conducting Preliminary Interviews
Questions to Ask When Client Calls the Forensic Investigator
Consent
Sample of Consent Search Form
Witness Signatures
Conducting Preliminary Interviews
Conducting Initial Interviews
Witness Statement Checklist
Module Flow: Documenting Electronic Crime Scene
Documenting Electronic Crime Scene
Photographing the Scene
Sketching the Scene
Video Shooting the Crime Scene
Module Flow: Collecting and Preserving Electronic Evidence
Collecting and Preserving Electronic Evidence (Cont’d)
Collecting and Preserving Electronic Evidence
Order of Volatility
Dealing with Powered On Computers (Cont’d)
Demo – Imaging RAM
Demo – Parsing RAM
Dealing with Powered On Computers
Dealing with Powered Off Computers
Dealing with Networked Computer
Dealing with Open Files and Startup Files
Operating System Shutdown Procedure (Cont’d)
Operating System Shutdown Procedure Example
Computers and Servers
eNotes
Preserving Electronic Evidence
Seizing Portable Computers
Switched On Portables
Collecting and Preserving Electronic Evidence Wrap-up
Module Flow: Packaging and Transporting Electronic Evidence
Evidence Bag Contents List
Packaging Electronic Evidence
Exhibit Numbering
Transporting Electronic Evidence
Handling and Transportation to the Forensics Laboratory
Storing Electronic Evidence
Chain of Custody
Simple Format of the Chain of Custody Document
Chain of Custody Forms (Cont’d)
Chain of Custody Forms (Cont’d)
Chain of Custody Forms
Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
Demo – Hardware Inventories
Module Flow: Reporting the Crime Scene
Reporting the Crime Scene
Note Taking Checklist (Cont’d)
Note Taking Checklist
First Responder Common Mistakes
Module 05 Review
Part Eight – Introducing the Computer Forensics Lab:
Module Flow: Setting a Computer Forensics Lab
Computer Forensics Lab
Planning for a Forensics Lab
Budget Allocation for a Forensics Lab
Physical Location Needs of a Forensics Lab
Structural Design Considerations
Environmental Conditions
Electrical Needs
Communication Needs
Work Area of a Computer Forensics Lab
Ambience of a Forensics Lab
Ambience of a Forensics Lab: Ergonomics
Physical Security Recommendations
Fire-Suppression Systems
Evidence Locker Recommendations
Computer Forensic Investigator
Law Enforcement Officer
Lab Director
Forensics Lab Licensing Requisite
Features of the Laboratory Imaging System
Technical Specifications of the Laboratory Based Imaging System
Forensics Lab (1 of 3)
Forensics Lab (2 of 3)
Forensics Lab (3 of 3)
Auditing a Computer Forensics Lab (Cont’d)
Auditing a Computer Forensics Lab
Recommendations to Avoid Eyestrain
Module Flow: Investigative Services in Forensics
Computer Forensics Investigative Services
Computer Forensic Investigative Service Sample
Computer Forensics Services: PenrodEllis Forensic Data Discovery
Data Destruction Industry Standards
Computer Forensics Services (Cont’d)
Computer Forensics Services
Module Flow: Computer Forensics Hardware
Equipment Required in a Forensics Lab
Forensic Workstations
Basic Workstation Requirements in a Forensics Lab
Stocking the Hardware Peripherals
Paraben Forensics Hardware: Handheld First Responder Kit
Paraben Forensics Hardware: Wireless StrongHold Bag
Paraben Forensics Hardware: Wireless StrongHold Box
Paraben Forensics Hardware: Passport StrongHold Bag
Paraben Forensics Hardware: Device Seizure Toolbox
Paraben Forensics Hardware: Project-a-Phone
Paraben Forensics Hardware: Lockdown
Paraben Forensics Hardware: iRecovery Stick
Paraben Forensics Hardware: Data Recovery Stick
Paraben Forensics Hardware: Chat Stick
Paraben Forensics Hardware: USB Serial DB9 Adapter
Paraben Forensics Hardware: Mobile Field Kit
Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop
Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
Portable Forensic Systems and Towers: Ultimate Forensic Machine
Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
Tableau T3u Forensic SATA Bridge Write Protection Kit
Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader
Tableau TACC 1441 Hardware Accelerator
Multiple TACC1441 Units
Tableau TD1 Forensic Duplicator
Power Supplies and Switches
Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon)
Digital Intelligence Forensic Hardware: FRED-L
Digital Intelligence Forensic Hardware: FRED SC
Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
Digital Intelligence Forensic Hardware: Rack-A-TACC
Digital Intelligence Forensic Hardware: FREDDIE
Digital Intelligence Forensic Hardware: UltraKit
Digital Intelligence Forensic Hardware: UltraBay II
Digital Intelligence Forensic Hardware: UltraBlock SCSI
Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device
Digital Intelligence Forensic Hardware: HardCopy 3P
Wiebetech: Forensics DriveDock v4
Wiebetech: Forensic UltraDock v4
Wiebetech: Drive eRazer
Wiebetech: v4 Combo Adapters
Wiebetech: ProSATA SS8
Wiebetech: HotPlug
CelleBrite: UFED System
CelleBrite: UFED Physical Pro
CelleBrite: UFED Ruggedized
DeepSpar: Disk Imager Forensic Edition
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
InfinaDyne Forensic Products: Robotic System Status Light
Image MASSter: Solo-4 (Super Kit)
Image MASSter: RoadMASSter-3
Image MASSter: WipeMASSter
Image MASSter: WipePRO
Image MASSter: Rapid Image 7020CS IT
Logicube: Forensic MD5
Logicube: Forensic Talon
Logicube: Portable Forensic Lab
Logicube: CellDEK
Logicube: Forensic Quest-2
Logicube: NETConnect
Logicube: RAID I/O Adapter
Logicube: GPStamp
Logicube: OmniPort
Logicube: Desktop WritePROtects
Logicube: USB Adapter
Logicube: CloneCard Pro
Logicube: EchoPlus
OmniClone IDE Laptop Adapters
Logicube: Cables
VoomTech: HardCopy 3P
VoomTech: SHADOW 2
Module Flow: Computer Forensics Software
Basic Software Requirements in a Forensics Lab
Main Operating System and Application Inventories
Imaging Software: R-drive Image
Demo – R-Drive Image
Imaging Software: P2 eXplorer Pro
Imaging Software: AccuBurn-R for CD/DVD Inspector
Imaging Software: Flash Retriever Forensic Edition
File Conversion Software: FileMerlin
File Conversion Software: SnowBatch
File Conversion Software: Zamzar
File Viewer Software: File Viewer
File Viewer Software: Quick View Plus 11 Standard Edition
Demo – File Viewers
Analysis Software: P2 Commander
P2 Commander Screenshot
Analysis Software: DriveSpy
Analysis Software: SIM Card Seizure
Analysis Software: CD/DVD Inspector
Analysis Software: Video Indexer (Vindex)
Monitoring Software: Device Seizure
Device Seizure Screenshots
Monitoring Software: Deployable P2 Commander (DP2C)
Monitoring Software: ThumbsDisplay
ThumbsDisplay Screenshot
Monitoring Software: Email Detective
Computer Forensics Software: DataLifter
Computer Forensics Software: X-Ways Forensics
Demo – X-Ways Forensics
Computer Forensics Software: LiveWire Investigator
Module 06 Review
Part Nine – Examining hard disks and files to find evidence and uncover the crimes committed:
Module Flow: Hard Disk Drive Overview
Disk Drive Overview (Cont’d)
Disk Drive Overview
Hard Disk Drive
Solid-State Drive (SSD)
Physical Structure of a Hard Disk (Cont’d)
Physical Structure of a Hard Disk (Cont’d)
Physical Structure of a Hard Disk (Cont’d)
Physical Structure of a Hard Disk
Logical Structure of Hard Disk
Types of Hard Disk Interfaces
Hard Disk Interfaces: ATA
Hard Disk Interfaces: SCSI (Cont’d)
Hard Disk Interfaces: SCSI
Hard Disk Interfaces: IDE/EIDE
Hard Disk Interfaces: USB
Hard Disk Interfaces: Fibre Channel
Disk Platter
Tracks
Track Numbering
Sector
Advanced Format: Sectors
Sector Addressing
Cluster
Cluster Size
Changing the Cluster Size
Demo – Cluster Size
Slack Space (Cont’d)
Slack Space
Demo – Slack Space
Lost Clusters
Bad Sector
Hard Disk Data Addressing
Disk Capacity Calculation
Demo – Calculating Disk Capacity
Measuring the Performance of the Hard Disk
Module Flow: Disk Partitions and Boot Process
Disk Partitions
Demo – Partitioning Linux
Master Boot Record
Structure of a Master Boot Record (Cont’d)
Demo – Backing Up the MBR
Structure of a Master Boot Record
What is the Booting Process?
Essential Windows System Files
Windows 7 Boot Process (Cont’d)
Windows 7 Boot Process (Cont’d)
Windows 7 Boot Process
Macintosh Boot Process (Cont’d)
Macintosh Boot Process (Cont’d)
Macintosh Boot Process (Cont’d)
Macintosh Boot Process
Bootdisk.Com (http://www.bootdisk.com)
Module Flow: Understanding File Systems
Understanding File Systems
Types of File Systems
List of Disk File Systems (Cont’d)
List of Disk File Systems (Cont’d)
List of Disk File Systems
List of Network File Systems
List of Special Purpose File Systems
List of Shared Disk File Systems
Windows File Systems
Popular Windows File Systems
File Allocation Table (FAT)
FAT File System Layout
FAT Partition Boot Sector
FAT Structure
FAT Folder Structure
Directory Entries and Cluster Chains
Filenames on FAT Volumes
Examining FAT
FAT32
New Technology File System (NTFS) (Cont’d)
NTFS (Cont’d)
NTFS
NTFS Architecture
NTFS System Files
NTFS Partition Boot Sector
Cluster Sizes of NTFS Volume
NTFS Master File Table (MFT) (Cont’d)
NTFS Master File Table (MFT) (Cont’d)
NTFS Master File Table (MFT)
Metadata Files Stored in the MFT
NTFS Files and Data Storage
NTFS Attributes
NTFS Data Stream (Cont’d)
NTFS Data Stream
NTFS Compressed Files
Setting the Compression State of a Volume
Encrypting File Systems (EFS)
Components of EFS
Operation of Encrypting File System
EFS Attribute
Encrypting a File
EFS Recovery Key Agent (Cont’d)
EFS Recovery Key Agent
Tool: Advanced EFS Data Recovery
Tool: EFS Key
Sparse Files
Deleting NTFS Files
Registry Data (Cont’d)
Registry Data
Examining Registry Data
FAT vs. NTFS
Linux File Systems
Popular Linux File Systems
Linux File System Architecture
Ext2 (Cont’d)
Ext2 (Cont’d)
Ext2
Ext3 (Cont’d)
Ext3
Mac OS X File Systems
Mac OS X File Systems
HFS vs. HFS Plus
HFS
HFS Plus
HFS Plus Volumes
HFS Plus Journal
Sun Solaris 10 File System: ZFS
CD-ROM / DVD File System
CDFS
Demo – Multi-sessions Discs
Module Flow: RAID Storage System
RAID Storage System
RAID Level 0: Disk Striping
RAID Level 1: Disk Mirroring
RAID Level 3: Disk Striping with Parity
RAID Level 5: Block Interleaved Distributed Parity
RAID Level 10: Blocks Striped and Mirrored
RAID Level 50: Mirroring and Striping across Multiple RAID Levels
Different RAID Levels
Comparing RAID Levels
Recover Data from Unallocated Space Using File Carving Process
Module Flow: File System Analysis Using the Sleuth Kit (TSK)
Tool: The Sleuth Kit (TSK)
The Sleuth Kit (TSK): fsstat
The Sleuth Kit (TSK): istat (1 of 4)
The Sleuth Kit (TSK): istat (2 of 4)
The Sleuth Kit (TSK): istat (3 of 4)
The Sleuth Kit (TSK): istat (4 of 4)
The Sleuth Kit (TSK): fls and img_stat
Demo – TSK and Autopsy
Module 07 Review
Part Ten – Examining evidence on the Windows operating system:
Module Flow: Collecting Volatile Information
Volatile Information
System Time
Logged-On Users
Logged-On Users: PsLoggedOn Tool
Logged-On Users: net sessions Command
Logged-On Users: LogonSessions Tool
Open Files
Open Files: net file Command
Open Files: PsFile Utility
Open Files: Openfiles Command
Network Information (Cont’d)
Network Information
Network Connections (Cont’d)
Demo – Netstat Command
Network Connections
Process Information (Cont’d)
Process Information (Cont’d)
Process Information (Cont’d)
Process Information (Cont’d)
Process Information (Cont’d)
Process Information
Process-to-Port Mapping (Cont’d)
Process-to-Port Mapping
Process Memory
Network Status (Cont’d)
Demo – ipconfig
Network Status
Other Important Information (Cont’d)
Demo – Clipboard Viewer
Other Important Information
Module Flow: Collecting Non-Volatile Information
Non-Volatile Information
Examine File Systems
Registry Settings
Microsoft Security ID
Event Logs
Index.dat File (Cont’d)
Index.dat File
Demo – Grabbing Registry Files
Devices and Other Information
Slack Space
Virtual Memory
Swap File
Windows Search Index
Collecting Hidden Partition Information
Demo – Gparted
Hidden ADS Streams
Investigating ADS Streams: StreamArmor
Other Non-Volatile Information
Module Flow: Windows Memory Analysis
Memory Dump (Cont’d)
Memory Dump
EProcess Structure
Process Creation Mechanism
Parsing Memory Contents
Parsing Process Memory
Extracting the Process Image (Cont’d)
Extracting the Process Image
Collecting Process Memory
Module Flow: Windows Registry Analysis
Inside the Registry (Cont’d)
Inside the Registry (Cont’d)
Inside the Registry
Registry Structure within a Hive File
The Registry as a Log File
Registry Analysis
System Information (Cont’d)
System Information
TimeZone Information
Shares
Audit Policy
Wireless SSIDs
Autostart Locations
System Boot
User Login
User Activity
Enumerating Autostart Registry Locations
USB Removable Storage Devices (Cont’d)
USB Removable Storage Devices (Cont’d)
USB Removable Storage Devices (Cont’d)
USB Removable Storage Devices
Mounted Devices (Cont’d)
Mounted Devices
Finding Users (Cont’d)
Finding Users (Cont’d)
Finding Users: Screenshots
Tracking User Activity
The UserAssist Keys
MRU Lists (Cont’d)
MRU Lists (Cont’d)
MRU Lists
Search Assistant
Connecting to Other Systems
Analyzing Restore Point Registry Settings (Cont’d)
Analyzing Restore Point Registry Settings
Determining the Startup Locations (Cont’d)
Determining the Startup Locations (Cont’d)
Determining the Startup Locations (Cont’d)
Determining the Startup Locations (Cont’d)
Determining the Startup Locations (Cont’d)
Determining the Startup Locations
Demo – Reg Ripper
Module Flow: Cache, Cookie, and History Analysis
Cache, Cookie, and History Analysis in IE
Cache, Cookie, and History Analysis in Firefox
Cache, Cookie, and History Analysis in Chrome
Analysis Tool: IECookiesView
Analysis Tool: IECacheView
Analysis Tool: IEHistoryView
Analysis Tool: MozillaCookiesView
Analysis Tool: MozillaCacheView
Analysis Tool: MozillaHistoryView
Analysis Tool: ChromeCookiesView
Analysis Tool: ChromeCacheView
Analysis Tool: ChromeHistoryView
Module Flow: MD5 Calculation
Message Digest Function: MD5
Why MD5 Calculation?
MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
MD5 Checksum Verifier
ChaosMD5
Module Flow: Windows File Analysis
Recycle Bin (Cont’d)
Recycle Bin
System Restore Points (Rp.log Files)
System Restore Points (Change.log.x Files)
Prefetch Files (Cont’d)
Prefetch Files
Shortcut Files
Word Documents
PDF Documents
Image Files
File Signature Analysis
NTFS Alternate Data Streams
Executable File Analysis
Documentation Before Analysis
Static Analysis Process
Search Strings
PE Header Analysis
Import Table Analysis
Export Table Analysis
Dynamic Analysis Process
Creating Test Environment
Collecting Information Using Tools
Process of Testing the Malware
Module Flow: Metadata Investigation
Metadata
Types of Metadata (Cont’d)
Types of Metadata
Metadata in Different File Systems (Cont’d)
Metadata in Different File Systems
Metadata in PDF Files
Metadata in Word Documents
Tool: Metadata Analyzer
Module Flow: Text Based Logs
Understanding Events
Event Logon Types (Cont’d)
Event Logon Types (Cont’d)
Event Logon Types
Event Record Structure (Cont’d)
Event Record Structure (Cont’d)
Event Record Structure (Cont’d)
Event Record Structure
Vista Event Logs (Cont’d)
Vista Event Logs: Screenshots
IIS Logs
Parsing IIS Logs (Cont’d)
Parsing IIS Logs (Cont’d)
Parsing IIS Logs (Cont’d)
Parsing IIS Logs (Cont’d)
Parsing IIS Logs
Parsing FTP Logs
FTP sc-status Codes (Cont’d)
FTP sc-status Codes (Cont’d)
FTP sc-status Codes
Parsing DHCP Server Logs (Cont’d)
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using the Microsoft Log Parser
Module Flow: Other Audit Events
Evaluating Account Management Events (Cont’d)
Evaluating Account Management Events
Examining Audit Policy Change Events
Examining System Log Entries
Examining Application Log Entries
Examining Application Log Entries (Screenshot)
Module Flow: Forensic Analysis of Event Logs
Searching with Event Viewer
Using EnCase to Examine Windows Event Log Files
Windows Event Log Files Internals
Module Flow: Windows Password Issues
Understanding Windows Password Storage (Cont’d)
Understanding Windows Password Storage
Cracking Windows Passwords Stored on Running Systems (Cont’d)
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
LanMan Authentication Process
NTLM Authentication Process
Kerberos Authentication Process
Sniffing and Cracking Windows Authentication Exchanges
Cracking Offline Passwords
Module Flow: Forensics Tools
Windows Forensics Tool: OS Forensics
Windows Forensics Tool: Helix3 Pro
Helix3 Pro Screenshot
Helix3 Pro Screenshot
Integrated Windows Forensics Software: X-Ways Forensics
X-Ways Forensics Screenshot
X-Ways Trace
Windows Forensic Toolchest (WFT)
Built-in Tool: Sigverif
Computer Online Forensic Evidence Extractor (COFEE)
System Explorer
Tool: System Scanner
SecretExplorer
Registry Viewer Tool: Registry Viewer
Registry Viewer Tool: RegScanner
Registry Viewer Tool: Alien Registry Viewer
MultiMon
CurrProcess
Process Explorer
Security Task Manager
PrcView
ProcHeapViewer
Memory Viewer
Tool: PMDump
Word Extractor
Belkasoft Evidence Center
Belkasoft Browser Analyzer
Metadata Assistant
HstEx
XpoLog Center Suite
XpoLog Center Suite Screenshot
LogViewer Pro
Event Log Explorer
LogMeister
ProDiscover Forensics
PyFlag
LiveWire Investigator
ThumbsDisplay
ThumbsDisplay Screenshot
DriveLook
Module 08 Review
Part Eleven – Acquiring crime-related data and duplicating it:
Module Flow: Data Acquisition and Duplication Concepts
Data Acquisition
Forensic and Procedural Principles
Types of Data Acquisition Systems
Data Acquisition Formats (Cont’d)
Data Acquisition Formats (Cont’d)
Data Acquisition Formats
Bit Stream vs. Backups
Why Create a Duplicate Image?
Issues with Data Duplication
Data Acquisition Methods (Cont’d)
Data Acquisition Methods
Determining the Best Acquisition Method (Cont’d)
Determining the Best Acquisition Method
Contingency Planning for Image Acquisitions (Cont’d)
Contingency Planning for Image Acquisitions
Data Acquisition Mistakes
Module Flow: Data Acquisition Types
Rules of Thumb
Static Data Acquisition
Collecting Static Data
Demo – Forensic Imaging Using Linux
Demo – Forensic Imaging Using Windows
Static Data Collection Process
Live Data Acquisition
Why Is Volatile Data Important?
Volatile Data (Cont’d)
Volatile Data
Order of Volatility
Common Mistakes in Volatile Data Collection
Volatile Data Collection Methodology (Cont’d)
Volatile Data Collection Methodology (Cont’d)
Volatile Data Collection Methodology
Basic Steps in Collecting Volatile Data
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information (Cont’d)
Types of Volatile Information
Demo – WinTaylors
Module Flow: Disk Acquisition Tool Requirements
Disk Imaging Tool Requirements
Disk Imaging Tool Requirements: Mandatory (Cont’d)
Disk Imaging Tool Requirements: Mandatory
Disk Imaging Tool Requirements: Optional (Cont’d)
Disk Imaging Tool Requirements: Optional
Module Flow: Validation Methods
Validating Data Acquisitions
Linux Validation Methods (Cont’d)
Linux Validation Methods (Cont’d)
Linux Validation Methods (Cont’d)
Linux Validation Methods
Windows Validation Methods
Module Flow: RAID Data Acquisition
Understanding RAID Disks (Cont’d)
Understanding RAID Disks (Cont’d)
Understanding RAID Disks
Acquiring RAID Disks (Cont’d)
Acquiring RAID Disks
Remote Data Acquisition
Module Flow: Acquisition Best Practices
Acquisition Best Practices (Cont’d)
Acquisition Best Practices (Cont’d)
Acquisition Best Practices (Cont’d)
Acquisition Best Practices
Module Flow: Data Acquisition Software Tools
Acquiring Data on Windows
Acquiring Data on Linux
dd Command
dcfldd Command
Extracting the MBR
Netcat Command
EnCase Forensic
EnCase Forensic Screenshot
Analysis Software: DriveSpy
ProDiscover Forensics
AccessData FTK Imager
Mount Image Pro
Data Acquisition Toolbox
SafeBack
ILookPI
ILookPI Screenshot
RAID Recovery for Windows
R-Tools R-Studio
F-Response
PyFlag
LiveWire Investigator
ThumbsDisplay
ThumbsDisplay Screenshot
DataLifter
X-Ways Forensics
R-Drive Image
Demo – Forensic Imaging
DriveLook
DiskExplorer
P2 eXplorer Pro
Flash Retriever Forensic Edition
Module Flow: Data Acquisition Hardware Tools
US-LATT
Image MASSter: Solo-4 (Super Kit)
Image MASSter: RoadMASSter-3
Tableau TD1 Forensic Duplicator
Logicube: Forensic MD5
Logicube: Portable Forensic Lab
Logicube: Forensic Talon
Logicube: RAID I/O Adapter
DeepSpar: Disk Imager Forensic Edition
Logicube: USB Adapter
Disk Jockey PRO
Logicube: Forensic Quest-2
Logicube: CloneCard Pro
Logicube: EchoPlus
Paraben Forensics Hardware: Chat Stick
Image MASSter: Rapid Image 7020CS IT
Digital Intelligence Forensic Hardware: UltraKit
Digital Intelligence Forensic Hardware: UltraBay II
Digital Intelligence Forensic Hardware: UltraBlock SCSI
Digital Intelligence Forensic Hardware: HardCopy 3P
Wiebetech: Forensics DriveDock v4
Wiebetech: Forensics UltraDock v4
Image MASSter: WipeMASSter
Image MASSter: WipePRO
Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
Forensic Tower IV Dual Xeon
Digital Intelligence Forensic Hardware: FREDDIE
DeepSpar: 3D Data Recovery
Phase 1 Tool: PC-3000 Drive Restoration System
Phase 2 Tool: DeepSpar Disk Imager
Phase 3 Tool: PC-3000 Data Extractor
Logicube: Cables
Logicube: Adapters
Logicube: GPStamp
Logicube: OmniPort
Logicube: CellDEK
Paraben Forensics Hardware: Project-a-Phone
Paraben Forensics Hardware: Mobile Field Kit
Paraben Forensics Hardware: iRecovery Stick
CelleBrite: UFED System
CelleBrite: UFED Physical Pro
Module 09 Review
Part 12 – Recovering deleted files and partitions:
Module Flow: Recovering the Deleted Files
Deleting Files
What Happens When a File is Deleted in Windows?
Recycle Bin in Windows (Cont’d)
Recycle Bin in Windows
Storage Locations of Recycle Bin in FAT and NTFS Systems
How the Recycle Bin Works (Cont’d)
How the Recycle Bin Works
Demo – Recycle Bins
Damaged or Deleted INFO File
Damaged Files in Recycle Bin Folder
Damaged Recycle Folder
File Recovery in Mac OS X (Cont’d)
File Recovery in Mac OS X
File Recovery in Linux
Module Flow: File Recovery Tools for Windows
Recover My Files
EASEUS Data Recovery Wizard
PC INSPECTOR File Recovery
Demo – PC INSPECTOR File Recovery
Recuva
DiskDigger
Handy Recovery
Quick Recovery
Stellar Phoenix Windows Data Recovery
Tools to Recover Deleted Files
Tools to Recover Deleted Files
Tools to Recover Deleted Files
Module Flow: File Recovery Tools for Mac
Mac File Recovery
Mac Data Recovery
Boomerang Data Recovery Software
VirtualLab
File Recovery Tools for Mac OS X
Module Flow: File Recovery Tools for Linux
R-Studio for Linux
Quick Recovery for Linux
Kernel for Linux Data Recovery
TestDisk for Linux
Demo – File Carving
Module Flow: Recovering the Deleted Partitions
Disk Partition
Deletion of Partition
Recovery of the Deleted Partition (Cont’d)
Recovery of the Deleted Partition (Cont’d)
Recovery of the Deleted Partition (Cont’d)
Recovery of the Deleted Partition
Module Flow: Partition Recovery Tools
Active@ Partition Recovery for Windows
Acronis Recovery Expert
DiskInternals Partition Recovery
NTFS Partition Data Recovery
GetDataBack
EASEUS Partition Recovery
Advanced Disk Recovery
Power Data Recovery
Remo Recover (Mac) – Pro
Mac Data Recovery Software
Quick Recovery for Linux
Stellar Phoenix Linux Data Recovery Software
Tools to Recover Deleted Partitions
Tools to Recover Deleted Partitions
Demo – Partition Recovery
Module 10 Review
Part 13 – Using AccessData FTK in the investigation and computer forensics process:
Module Flow: Overview and Installation of FTK
Overview of Forensic Toolkit (FTK)
Features of FTK
Software Requirement
Configuration Option
Database Installation (Cont’d)
Database Installation
FTK Application Installation (1 of 6)
FTK Application Installation (2 of 6)
FTK Application Installation (3 of 6)
FTK Application Installation (4 of 6)
FTK Application Installation (5 of 6)
FTK Application Installation (6 of 6)
Module Flow: FTK Case Manager User Interface
Case Manager Window
Case Manager Database Menu
Setting Up Additional Users and Assigning Roles
Case Manager Case Menu
Assigning Users Shared Label Visibility
Case Manager Tools Menu
Recovering Processing Jobs
Restoring an Image to a Disk
Case Manager Manage Menu
Managing Carvers
Managing Custom Identifiers
Module Flow: FTK Examiner User Interface
FTK Examiner User Interface
Menu Bar: File Menu
Exporting Files
Exporting Case Data to a Custom Content Image
Exporting the Word List
Menu Bar: Edit Menu
Menu Bar: View Menu
Menu Bar: Evidence Menu
Menu Bar: Tools Menu
Verifying Drive Image Integrity
Demo – Verifying Image Integrity
Mounting an Image to a Drive
File List View
Using Labels
Creating and Applying a Label
Module Flow: Starting with FTK
Creating a Case
Selecting Detailed Options: Evidence Processing (Cont’d)
Selecting Detailed Options: Evidence Processing
Selecting Detailed Options: Fuzzy Hashing (Cont’d)
Selecting Detailed Options: Fuzzy Hashing
Selecting Detailed Options: Data Carving
Selecting Detailed Options: Custom File Identification (Cont’d)
Selecting Detailed Options: Custom File Identification
Selecting Detailed Options: Evidence Refinement (Advanced) (Cont’d)
Selecting Detailed Options: Evidence Refinement (Advanced)
Selecting Detailed Options: Index Refinement (Advanced) (Cont’d)
Selecting Detailed Options: Index Refinement (Advanced)
Module Flow: FTK Interface Tabs
Demo – FTK Imaging and Adding
FTK Interface Tabs
Explore Tab
Overview Tab
Email Tab
Graphics Tab
Bookmarks Tab
Live Search Tabs
Volatile Tab
Demo – File Overview Tab
Module Flow: Adding and Processing Static, Live, and Remote Evidence
Adding Evidence to a Case
Evidence Groups
Acquiring Local Live Evidence
FTK Role Requirements for Remote Acquisition
Types of Remote Information
Acquiring Data Remotely Using Remote Device Management System (RDMS) (Cont’d)
Acquiring Data Remotely Using Remote Device Management System (RDMS)
Imaging Drives
Mounting and Unmounting a Device
Module Flow: Using and Managing Filters
Accessing Filter Tools
Using Filters
Customizing Filters
Using Predefined Filters
Demo – Filtering
Module Flow: Using Index Search and Live Search
Conducting an Index Search
Selecting Index Search Options
Viewing Index Search Results
Documenting Search Results
Conducting a Live Search: Live Text Search
Conducting a Live Search: Live Hex Search
Conducting a Live Search: Live Pattern Search
Demo – Indexed and Live Searches
Demo – FTK File Carving
Module Flow: Decrypting EFS and other Encrypted Files
Decrypting EFS Files and Folders
Decrypting MS Office Files
Viewing Decrypted Files
Decrypting Domain Account EFS Files from Live Evidence (Cont’d)
Decrypting Domain Account EFS Files from Live Evidence
Decrypting Credant Files
Decrypting Safeboot Files
Demo – FTK File Encryption
Module Flow: Working with Reports
Creating a Report
Entering Case Information
Managing Bookmarks in a Report
Managing Graphics in a Report
Selecting a File Path List
Adding a File Properties List
Making Registry Selections
Selecting the Report Output Options
Customizing the Formatting of Reports
Viewing and Distributing a Report
Demo – Reporting
Module 11 Review
Part 14 – Investigating and fighting crime with EnCase:
Module Flow: Overview of EnCase Forensic
Official Licensed Content Provided by EnCase to EC-Council
Overview of EnCase Forensic
EnCase Forensic Features (Cont’d)
EnCase Forensic Features
EnCase Forensic Platform
EnCase Forensic Modules (Cont’d)
EnCase Forensic Modules
Module Flow: Installing EnCase Forensic
Minimum Requirements
Installing the Examiner
Installed Files
Installing the EnCase Modules
Configuring EnCase
Configuring EnCase: Case Options Tab
Configuring EnCase: Global Tab
Configuring EnCase: Debug Tab
Configuring EnCase: Colors Tab and Fonts Tab
Configuring EnCase: EnScript Tab and Storage Paths Tab
Sharing Configuration (INI) Files
Module Flow: EnCase Interface
Demo – EnCase Options
Main EnCase Window
System Menu Bar
Toolbar
Panes Overview (Cont’d)
Panes Overview
Tree Pane
Table Pane
Table Pane: Table Tab
Table Pane: Report Tab
Table Pane: Gallery Tab
Table Pane: Timeline Tab
Table Pane: Disk Tab and Code Tab
View Pane (Cont’d)
View Pane
Filter Pane
Filter Pane Tabs
Creating a Filter
Creating Conditions
Status Bar
Demo – EnCase Tabs and Views
Module Flow: Case Management
Overview of Case Structure
Case Management
Indexing a Case (Cont’d)
Indexing a Case
Case Backup
Options Dialog Box
Logon Wizard
New Case Wizard
Setting Time Zones for Case Files
Setting Time Zone Options for Evidence Files
Module Flow: Working with Evidence
Types of Entries
Adding a Device (Cont’d)
Adding a Device
Adding a Device using Tableau Write Blocker (Cont’d)
Adding a Device using Tableau Write Blocker
Performing a Typical Acquisition
Acquiring a Device (Cont’d)
Acquiring a Device
Canceling an Acquisition
Verifying Evidence Files
Demo – Imaging with EnCase
Delayed Loading of Internet Artifacts
Hashing the Subject Drive
Logical Evidence File (LEF)
Creating a Logical Evidence File (Cont’d)
Creating a Logical Evidence File
Recovering Folders on FAT Volumes
Restoring a Physical Drive
Demo – Restoring a Drive from an Image
Module Flow: Source Processor
Source Processor
Starting to Work with Source Processor
Setting Case Options
Collection Jobs
Creating a Collection Job (Cont’d)
Creating a Collection Job
Copying a Collection Job
Running a Collection Job (Cont’d)
Running a Collection Job
Analysis Jobs
Creating an Analysis Job
Running an Analysis Job (Cont’d)
Running an Analysis Job
Creating a Report (Cont’d)
Creating a Report
Demo – EnScripts
Module Flow: Analyzing and Searching Files
Viewing the File Signature Directory
Performing a Signature Analysis
Hash Analysis
Hashing a New Case
Demo – Signature Analysis and Hashing
Creating a Hash Set
Keyword Searches
Creating Global Keywords
Adding Keywords
Importing and Exporting Keywords
Searching Entries for Email and Internet Artifacts
Viewing Search Hits
Generating an Index
Tag Records
Demo – Keyword Searcher
Module Flow: Viewing File Content
Viewing Files
Copying and Unerasing Files (Cont’d)
Copying and Unerasing Files
Adding a File Viewer
Demo – Adding a File Viewer
Viewing File Content Using View Pane
Viewing Compound Files
Viewing Base64 and UUE Encoded Files
Demo – Compound Files
Module Flow: Bookmarking Items
Bookmarks Overview
Creating a Highlighted Data Bookmark
Creating a Note Bookmark
Creating a Folder Information/Structure Bookmark
Creating a Notable File Bookmark
Creating a File Group Bookmark
Creating a Log Record Bookmark
Creating a Snapshot Bookmark
Organizing Bookmarks
Copying/Moving a Table Entry into a Folder
Viewing a Bookmark on the Table Report Tab
Excluding Bookmarks (Cont’d)
Excluding Bookmarks
Copying Selected Items from One Folder to Another
Demo – Bookmarks
Module Flow: Reporting
Reporting
Report User Interface
Creating a Report Using the Report Tab
Report Single/Multiple Files
Viewing a Bookmark Report
Viewing an Email Report
Viewing a Webmail Report
Viewing a Search Hits Report
Creating a Quick Entry Report
Creating an Additional Fields Report
Exporting a Report
Demo – Reporting
Module 12 Review
Part 15 – Introduction to steganography and investigation through image files:
Module Flow: Steganography
What is Steganography?
How Steganography Works
Legal Use of Steganography
Unethical Use of Steganography
Module Flow: Steganography Techniques
Steganography Techniques
Application of Steganography
Classification of Steganography
Technical Steganography
Linguistic Steganography (Cont’d)
Linguistic Steganography
Types of Steganography
Image Steganography
Least Significant Bit Insertion
Masking and Filtering
Algorithms and Transformation
Image Steganography: Hermetic Stego
Steganography Tool: S-Tools
Image Steganography Tools
Audio Steganography
Audio Steganography Methods (Cont’d)
Audio Steganography Methods
Audio Steganography: Mp3stegz
Audio Steganography Tools
Video Steganography
Video Steganography: MSU StegoVideo
Video Steganography Tools
Document Steganography: wbStego
Byte Shelter I
Document Steganography Tools
Whitespace Steganography Tool: SNOW
Folder Steganography: Invisible Secrets 4
Demo – Invisible Secrets
Folder Steganography Tools
Spam/Email Steganography: Spam Mimic
Steganographic File System
Issues in Information Hiding
Module Flow: Steganalysis
Steganalysis
How to Detect Steganography (Cont’d)
How to Detect Steganography
Detecting Text, Image, Audio, and Video Steganography (Cont’d)
Detecting Text, Image, Audio, and Video Steganography
Steganalysis Methods/Attacks on Steganography
Disabling or Active Attacks
Steganography Detection Tool: Stegdetect
Steganography Detection Tools
Demo – Steg Detection
Module Flow: Image Files
Image Files
Common Terminologies
Understanding Vector Images
Understanding Raster Images
Metafile Graphics
Understanding Image File Formats
GIF (Graphics Interchange Format) (Cont’d)
GIF (Cont’d)
GIF
JPEG (Joint Photographic Experts Group)
JPEG Files Structure (Cont’d)
JPEG Files Structure
JPEG 2000
BMP (Bitmap) File
BMP File Structure
PNG (Portable Network Graphics)
PNG File Structure
TIFF (Tagged Image File Format)
TIFF File Structure (Cont’d)
TIFF File Structure
Module Flow: Data Compression
Understanding Data Compression
How Does File Compression Work?
Lossless Compression
Huffman Coding Algorithm (Cont’d)
Huffman Coding Algorithm
Lempel-Ziv Coding Algorithm (Cont’d)
Lempel-Ziv Coding Algorithm
Lossy Compression
Vector Quantization
Module Flow: Locating and Recovering Image Files
Best Practices for Forensic Image Analysis
Forensic Image Processing Using MATLAB
Advantages of MATLAB
MATLAB Screenshot
Locating and Recovering Image Files
Analyzing Image File Headers
Repairing Damaged Headers (Cont’d)
Repairing Damaged Headers
Reconstructing File Fragments
Identifying Unknown File Formats
Identifying Image File Fragments
Identifying Copyright Issues on Graphics
Picture Viewer: IrfanView
Picture Viewer: ACDSee Photo Manager 12
Picture Viewer: ThumbsPlus
Picture Viewer: AD Picture Viewer Lite
Picture Viewer Max
Picture Viewer: FastStone Image Viewer
Picture Viewer: XnView
Demo – Picture Viewers
Faces – Sketch Software
Digital Camera Data Discovery Software: File Hound
Module Flow: Image File Forensics Tools
Hex Workshop
GFE Stealth – Forensics Graphics File Extractor
ILook
Adroit Photo Forensics 2011
Digital Photo Recovery
Digital Photo Recovery Screenshots
Stellar Phoenix Photo Recovery Software
Zero Assumption Recovery (ZAR)
Photo Recovery Software
Forensic Image Viewer
File Finder
DiskGetor Data Recovery
DERescue Data Recovery Master
Recover My Files
Universal Viewer
Module 13 Review
Part 16 – Password cracking for investigating and fighting crime:
Module Flow: Password Cracking Concepts
Password – Terminology
Password Types
Password Cracker
How Does a Password Cracker Work?
How Hash Passwords are Stored in Windows SAM
Module Flow: Types of Password Attacks
Password Cracking Techniques
Types of Password Attacks
Passive Online Attacks: Wire Sniffing
Password Sniffing
Passive Online Attack: Man-in-the-Middle and Replay Attack
Active Online Attack: Password Guessing
Active Online Attack: Trojan/Spyware/Keylogger
Active Online Attack: Hash Injection Attack
Rainbow Attacks: Pre-Computed Hash
Distributed Network Attack
Elcomsoft Distributed Password Recovery
Non-Electronic Attacks
Manual Password Cracking (Guessing)
Automatic Password Cracking Algorithm
Time Needed to Crack Passwords
Classification of Cracking Software
Systems Software vs. Applications Software
Module Flow: System Software Password Cracking
System Software Password Cracking
Bypassing BIOS Passwords
Using Manufacturer’s Backdoor Password to Access the BIOS
Using Password Cracking Software
CmosPwd
Resetting the CMOS using the Jumpers or Solder Beads
Removing CMOS Battery
Overloading the Keyboard Buffer and Using a Professional Service
Tool to Reset Admin Password: Active@ Password Changer
Tool to Reset Admin Password: Windows Key
Module Flow: Application Software Password Cracking
Passware Kit Forensic
Accent Keyword Extractor
Distributed Network Attack
Password Recovery Bundle
Advanced Office Password Recovery
Office Password Recovery
Office Password Recovery Toolbox
Office Multi-document Password Cracker
Word Password Recovery Master
Accent WORD Password Recovery
Word Password
PowerPoint Password Recovery
PowerPoint Password
Powerpoint Key
Stellar Phoenix PowerPoint Password Recovery
Excel Password Recovery Master
Accent EXCEL Password Recovery
Excel Password
Advanced PDF Password Recovery
PDF Password Cracker
PDF Password Cracker Pro
Atomic PDF Password Recovery
PDF Password
Recover PDF Password
Appnimi PDF Password Recovery
Advanced Archive Password Recovery
KRyLack Archive Password Recovery
Zip Password
Atomic ZIP Password Recovery
RAR Password Unlocker
Demo – Office Password Cracking
Default Passwords
Big bertha says: default passwords (http://www.defaultpassword.com)
Default Passwords | CIRT.net (http://www.cirt.net/passwords)
Default passwords list - Select manufacturer (http://default-password.info)
Fastsearchfinder.com (http://www.defaultpassword.us)
default password (http://www.passwordsdatabase.com)
Home - Virus.Org (http://www.virus.org)
Module Flow: Password Cracking Tools
L0phtCrack
OphCrack
Cain & Abel
RainbowCrack
Windows Password Unlocker
Windows Password Breaker
SAMInside
pwdump7 and fgdump
Password Cracking Tools
Demo – System Password Cracking
Module 14 Review
Part 17 – Using logs and event correlation:
Module Flow: Computer Security Logs
Computer Security Logs
Operating System Logs
Application Logs
Security Software Logs
Router Log Files
Honeypot Logs
Linux Process Accounting
Logon Event in Windows
Windows Log File
Configuring Windows Logging
Analyzing Windows Logs
Windows Log File: System Logs
Windows Log Files: Application Logs
Logon Events That Appear in the Security Event Log (Cont’d)
Logon Events That Appear in the Security Event Log
Demo – Windows Event Viewer
IIS Logs
IIS Log File Format
Maintaining Credible IIS Log Files
Log File Accuracy
Log Everything
Keeping Time
UTC Time
View the DHCP Logs
Sample DHCP Audit Log File
ODBC Logging
Module Flow: Logs and Legal Issues
Legality of Using Logs (Cont’d)
Legality of Using Logs
Records of Regularly Conducted Activity as Evidence
Laws and Regulations
Module Flow: Log Management
Log Management
Functions of Log Management
Challenges in Log Management
Meeting the Challenges in Log Management
Module Flow: Centralized Logging and Syslogs
Centralized Logging
Centralized Logging Architecture
Steps to Implement Central Logging
Syslog
Syslog in Unix-Like Systems
Steps to Set Up a Syslog Server for Unix Systems
Advantages of Centralized Syslog Server
IIS Centralized Binary Logging
Module Flow: Time Synchronization
Why Synchronize Computer Times?
What is NTP?
NTP Stratum Levels (Cont’d)
NTP Stratum Levels
NIST Time Servers (Cont’d)
NIST Time Servers
Configuring Time Server in Windows Server
Module Flow: Event Correlation
Event Correlation
Types of Event Correlation
Prerequisites for Event Correlation
Event Correlation Approaches (Cont’d)
Event Correlation Approaches
Module Flow: Log Capturing and Analysis

For details and the download, see the rest of the post.

————————–
Size: 10000 MB
Language: English
Password: www.p30learning.com

Direct download link (resumable and 100% free)
http://www.dl.p30learning.com/files/list.php?dir=video%2Fnetwork%2F1255%2F
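As an added example of what the data acquisition module above (dd/dcfldd, "Extracting the MBR", and the Linux/Windows validation methods) covers, here is a small Python script that performs a bit-stream copy of a source while hashing it on the fly, re-verifies the finished image, and then parses the partition table out of the image's first 512 bytes. This is not code from the Career Academy course or from EC-Council; the "drive" is an 8-sector byte string constructed in the script (the partition entries are sample values, not from any real case), so it runs offline without touching a block device.

```python
"""Added example (not material from the Career Academy / EC-Council course):
a bit-stream acquisition hashed on the fly, dcfldd-style, followed by
extraction and parsing of the MBR from the first 512 bytes of the image.

The 'drive' is a constructed 8-sector byte string so the code runs offline.
To acquire real media, open the device read-only behind a write blocker
(e.g. open('/dev/sdb', 'rb')) and pass it as src."""
import hashlib
import io
import struct

SECTOR = 512
CHUNK = 64 * 1024          # read size; 64 KiB is a common dd/dcfldd block size
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count

# Partition type IDs that turn up most often in Windows/Linux casework
PART_TYPES = {0x05: "Extended", 0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x0F: "Extended (LBA)", 0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def acquire(src, dst, chunk=CHUNK):
    """Copy src to dst byte-for-byte, hashing every chunk as it passes through
    (the way `dcfldd hash=md5,sha256` does).  Returns (bytes, md5, sha256)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        dst.write(buf)
        md5.update(buf)
        sha.update(buf)
        total += len(buf)
    return total, md5.hexdigest(), sha.hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_sha256: str) -> bool:
    """Re-hash the finished image and compare with the hash taken at acquisition
    (the validation step: sha256sum of the image vs. the acquisition log)."""
    return sha256_hex(image) == expected_sha256


def parse_mbr(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446 of sector 0."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not an MBR, or the sector is damaged")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PART_ENTRY, mbr, 446 + 16 * i)
        if ptype == 0:
            continue                      # empty slot
        parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                      "type_name": PART_TYPES.get(ptype, "unknown"),
                      "lba_start": lba, "sectors": count, "size_bytes": count * SECTOR})
    return parts


def build_test_drive() -> bytes:
    """Constructed evidence: an MBR with a bootable NTFS and a Linux partition,
    followed by seven empty sectors.  Sample data, not from any real case."""
    e1 = struct.pack(PART_ENTRY, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    e2 = struct.pack(PART_ENTRY, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 206848, 409600)
    mbr = bytes(446) + e1 + e2 + bytes(32) + b"\x55\xAA"
    return mbr + bytes(SECTOR * 7)


def demo() -> dict:
    src, img = io.BytesIO(build_test_drive()), io.BytesIO()
    n, md5, sha = acquire(src, img)
    image = img.getvalue()
    return {"bytes": n, "md5": md5, "sha256": sha,
            "verified": verify_image(image, sha) and n == len(image),
            "partitions": parse_mbr(image[:SECTOR])}   # same as 'dd bs=512 count=1' on the image


if __name__ == "__main__":
    result = demo()
    print(f"acquired {result['bytes']} bytes, sha256={result['sha256']}, verified={result['verified']}")
    for p in result["partitions"]:
        print(f"  slot {p['slot']}: {p['type_name']} start LBA {p['lba_start']} ({p['size_bytes']} bytes)"
              + (" [bootable]" if p["bootable"] else ""))
```

The point of hashing inside the copy loop rather than afterwards is that the hash documents what was read from the evidence at acquisition time; a second, independent hash of the finished image (verify_image) is what goes in the notes to show the copy is complete and unaltered.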
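As an added example for the deleted-file recovery module above ("How the Recycle Bin Works", "Storage Locations of Recycle Bin", "Damaged or Deleted INFO File"), here is a Python parser for the two on-disk Recycle Bin metadata formats: the $I files that Vista and later write next to the renamed $R content files, and the XP-era INFO2 record file. This is not course code; the sample $I and INFO2 contents are built in the script from made-up paths and times so it runs offline.

```python
"""Added example (not course material): parsers for the Recycle Bin metadata
the 'How the Recycle Bin Works' and 'INFO File' slides cover.

  Vista and later: C:\\$Recycle.Bin\\<SID>\\$I<id>.<ext> holds the metadata and
                   $R<id>.<ext> holds the deleted content
  Windows XP     : C:\\RECYCLER\\<SID>\\INFO2, one 800-byte record per file

All inputs are constructed in code, so this runs offline."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
INFO2_HEADER, INFO2_RECORD = 20, 800


def filetime_to_dt(ft: int) -> datetime:
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    return int((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_dollar_i(data: bytes) -> dict:
    """$I layout: [0:8] version (1 = Vista/7/8, 2 = Win10+), [8:16] original size,
    [16:24] deletion FILETIME, then the original path in UTF-16LE
    (v1: fixed 520-byte field; v2: uint32 char count incl. NUL, then the path)."""
    if len(data) < 24:
        raise ValueError("$I file truncated")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted": filetime_to_dt(ft), "path": path}


def dollar_r_name(dollar_i_name: str) -> str:
    """The content file has the same random id and extension, with $R instead of $I."""
    return "$R" + dollar_i_name[2:]


def parse_info2(data: bytes) -> list:
    """XP INFO2: 20-byte header (record size at offset 12), then fixed records:
    ANSI path[260], record index u32, drive number u32 (0 = A:), deletion
    FILETIME u64, physical size u32, Unicode path[520].  A record whose first
    byte is NUL belongs to a file that was restored or purged; the slot persists."""
    (rec_size,) = struct.unpack_from("<I", data, 12)
    records = []
    for off in range(INFO2_HEADER, len(data) - rec_size + 1, rec_size):
        rec = data[off:off + rec_size]
        idx, drive, ft, size = struct.unpack_from("<IIQI", rec, 260)
        upath = rec[280:800].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        records.append({"index": idx, "drive": chr(ord("A") + drive),
                        "deleted": filetime_to_dt(ft), "size": size,
                        "path": upath, "active": rec[0] != 0})
    return records


# --- constructed samples (made-up paths and times) ---------------------------
def build_dollar_i(version: int, path: str, size: int, deleted: datetime) -> bytes:
    enc = (path + "\x00").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, dt_to_filetime(deleted))
    if version == 1:
        return head + enc.ljust(520, b"\x00")
    return head + struct.pack("<I", len(path) + 1) + enc


def build_info2(records) -> bytes:
    body = bytearray(struct.pack("<IIIII", 5, 0, 0, INFO2_RECORD, 0))
    for idx, drive, path, size, deleted, active in records:
        ansi = path.encode("ascii", "replace").ljust(260, b"\x00")
        if not active:
            ansi = b"\x00" + ansi[1:]          # how XP marks a restored/purged entry
        uni = (path + "\x00").encode("utf-16-le").ljust(520, b"\x00")
        body += ansi + struct.pack("<IIQI", idx, drive, dt_to_filetime(deleted), size) + uni
    return bytes(body)


def sample_time() -> datetime:
    return datetime(2013, 1, 26, 12, 36, 0, tzinfo=timezone.utc)


def demo() -> dict:
    t = sample_time()
    doc = r"C:\Users\alice\Documents\plan.docx"
    return {
        "win7": parse_dollar_i(build_dollar_i(1, doc, 12345, t)),
        "win10": parse_dollar_i(build_dollar_i(2, doc, 12345, t)),
        "xp": parse_info2(build_info2([(1, 2, r"C:\notes.txt", 4096, t, True),
                                       (2, 2, r"C:\old.log", 8192, t, False)])),
        "pair": dollar_r_name("$IABC123.docx"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two things worth noticing from the parser: the deletion timestamp and original path survive in $I/INFO2 even after the content file is gone, and an INFO2 slot whose first byte was zeroed still carries its full Unicode path, which is why a "damaged" or emptied INFO2 is still worth carving.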
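As an added example for the steganography module above ("Least Significant Bit Insertion" on the hiding side, "Steganalysis Methods" on the detection side), here is a Python script that embeds a payload in the LSB plane of an 8-bit raster, extracts it again, and applies the pairs-of-values chi-square test to show why plain LSB replacement is detectable. This is not code from the course or from any of the tools it lists (S-Tools, Stegdetect, etc.); the cover "image" is a constructed byte array of grey levels rather than a real file, and the payload is deterministic pseudo-random bytes standing in for an encrypted message.

```python
"""Added example (not course material): LSB insertion into an 8-bit raster,
the matching extractor, and the pairs-of-values chi-square statistic used in
steganalysis.  The cover is a constructed bytearray of grey levels; a real
8-bit grayscale/palette image is handled the same way once its pixel bytes
are loaded (e.g. the pixel array of a BMP after its headers)."""
import hashlib
import struct


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(cover: bytes, payload: bytes) -> bytearray:
    """Overwrite the LSB of consecutive cover bytes with a 4-byte big-endian
    length header followed by the payload bits, MSB first."""
    msg = struct.pack(">I", len(payload)) + payload
    if len(msg) * 8 > len(cover):
        raise ValueError(f"payload needs {len(msg) * 8} cover bytes, have {len(cover)}")
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(msg)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def lsb_extract(stego: bytes) -> bytes:
    """Read the length header from the first 32 LSBs, then that many bytes."""
    if len(stego) < 32:
        raise ValueError("carrier too small to hold a length header")

    def take(nbits: int, start: int) -> int:
        value = 0
        for i in range(start, start + nbits):
            value = (value << 1) | (stego[i] & 1)
        return value

    n = take(32, 0)
    if 32 + 8 * n > len(stego):
        raise ValueError("length header exceeds carrier: no or incomplete LSB payload")
    return bytes(take(8, 32 + 8 * k) for k in range(n))


def pov_chi_square(pixels: bytes) -> float:
    """Pairs-of-values statistic: LSB replacement only moves pixels between
    2k and 2k+1, so after embedding the two counts in each pair converge and
    the statistic collapses.  Natural covers are biased and score high."""
    hist = [0] * 256
    for p in pixels:
        hist[p] += 1
    chi = 0.0
    for k in range(128):
        expected = (hist[2 * k] + hist[2 * k + 1]) / 2
        if expected:
            chi += (hist[2 * k] - expected) ** 2 / expected
    return chi


def make_cover(n: int = 4096) -> bytes:
    """Constructed cover: all 256 grey levels, but 80% of pixels forced even so
    the LSB plane is biased, as untouched photographic data usually is."""
    pixels = bytearray()
    for i in range(n):
        v = (i * 37) % 256
        pixels.append(v | 1 if i % 5 == 0 else v & 0xFE)
    return bytes(pixels)


def make_payload(n: int = 508) -> bytes:
    """Deterministic pseudo-random bytes standing in for an encrypted message;
    4 header + 508 payload bytes fill all 4096 LSBs of the default cover."""
    out, seed = b"", b"chfi-lsb-demo"
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


def demo() -> dict:
    cover, payload = make_cover(), make_payload()
    stego = lsb_embed(cover, payload)
    return {"recovered": lsb_extract(stego) == payload,
            "changed_bytes": sum(1 for a, b in zip(cover, stego) if a != b),
            "chi2_cover": pov_chi_square(cover),
            "chi2_stego": pov_chi_square(stego)}


if __name__ == "__main__":
    r = demo()
    print(f"payload recovered: {r['recovered']}, bytes changed: {r['changed_bytes']} of 4096")
    print(f"chi-square cover={r['chi2_cover']:.1f}  stego={r['chi2_stego']:.1f}")
```

Embedding changes at most one grey level per pixel, so the picture looks identical, but the chi-square value on the stego data drops by an order of magnitude against the cover: the detector does not need the original, only the expectation that pairs (2k, 2k+1) are not naturally equal. Real tools apply the test to a sliding window to locate the embedded region, and stego tools that spread bits pseudo-randomly or use LSB matching (±1) rather than replacement defeat this particular statistic.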

VPS
February 5th, 2013, 15:43
Hello,
The download links are broken.
If you have another link, please post it; I'd appreciate it.