Course Title: Computer Forensic Specialist: Storage Device & Operating Systems
Page 1 of 14
Course Description
The Computer Forensic Series by EC-Council provides the knowledge and skills to identify, track, and prosecute the cyber-criminal. The series comprises five books covering a broad base of topics in Computer Hacking Forensic Investigation, designed to expose the reader to the process of detecting attacks and collecting evidence in a forensically sound manner with the intent to report crime and prevent future attacks. Learners are introduced to advanced techniques in computer investigation and analysis with an interest in generating potential legal evidence. This and the other four books prepare the reader to identify evidence in computer-related crime and abuse cases as well as to track the intrusive hacker's path through a client system. The series and accompanying labs help prepare the security student or professional to profile an intruder's footprint and gather all necessary information and evidence to support prosecution in a court of law.

Hard Disks, File and Operating Systems provides a basic understanding of file systems, hard disks, and digital media devices. Boot processes, Windows and Linux forensics, and the application of password crackers are all discussed.

Certification Info
Computer Forensic Specialist: Storage Device & Operating Systems

Who Should Attend
This course will significantly benefit police and other law enforcement personnel, defense and military personnel, e-business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies and IT managers.

Course Duration
2 days (9:00 AM to 5:00 PM)

CPE/ECE Qualification
16 ECE Credits awarded for attendance (1 for each classroom hour)

Suggested Retail: $799 USD

Required Courseware:
Visit www.cengage.com/community/eccouncil and click on Training Workshops for ordering details.

What's included?
Physical Courseware
1 year Access to EC-Council Student LMS for Practical Labs (if applicable), testing, and Certificate

Course + Supplement Cost: See the Training Workshops section at www.cengage.com/community/eccouncil for current pricing information.

Related Certificates:
Computer Forensic Specialist: Procedures and Response
Computer Forensic Specialist: Network Intrusion & Cybercrime
Computer Forensic Specialist: Data and Image Files
Computer Forensic Specialist: Wireless Networks and Devices
Course Briefing

1. Understanding File Systems and Hard Disks
Chapter Brief: From the investigator's point of view, the hard disk is an important source of information, so an investigator should know its structure and behavior. The data to be collected as evidence from the hard disk has to be located and protected from loss; hence the investigator should know all the necessary information about the hard disk. The file system is equally important, because how data is stored and distributed on the hard disk depends on the file system used. On completion of this chapter, an investigator is familiar with disk drives, types of hard disk interfaces, file systems, disk partitions, and various hard disk evidence collection tools.

2. Understanding Digital Media Devices
Chapter Brief: Digital evidence is delicate information that needs to be collected and preserved carefully. Nowadays the use of digital devices has increased drastically, and with it their use in crime, so an investigator needs to handle the collection and preservation of evidence from digital devices. This chapter introduces how to find digital evidence in a computer system or any electronic device that contains digital data, in a forensically sound manner. It discusses digital media devices such as tapes, floppy disks, CDs, DVDs, iPods, flash memory cards, and USB flash drives.

3. Windows, Linux, and Macintosh Boot Processes
Chapter Brief: Booting is the process of loading an operating system into the computer's main memory, or random access memory (RAM). Once the operating system is loaded, the computer is ready for users to run applications. This chapter describes the terminology and the basic boot process in the Windows XP, Linux, and Mac OS X operating systems, and walks step by step through the boot processes of Windows, Linux, and Mac OS X.

4. Windows Forensics I
Chapter Brief: Investigating a Windows-based system to gather evidence and relevant facts involves several steps for collecting volatile data. Volatile data holds the current state of the machine: registers, caches, and so on. This chapter familiarizes the reader with the forensic investigation process in a Windows-based environment and highlights the various tools that help investigate Windows-related crimes.

5. Windows Forensics II
Chapter Brief: The Windows operating system maintains logs of the activities performed by users and of the changes taking place on the system. These logs are important from the investigation's point of view because they show what happened on the system and what changed. They are stored in specific locations on the system, so an investigator should know the system well enough to extract the logs and use them as evidence. This chapter explains text-based logs and the forensic analysis of event-based logs. It also covers the password issues encountered during an investigation.

6. Linux Forensics
Chapter Brief: Linux is an important and widely used operating system; many users opt for Linux because it is free and open source. A forensic investigator should know how to investigate a Linux system and where to search for evidence, and detailed knowledge of Linux will help the investigator in the investigation process. This chapter familiarizes the reader with the Linux forensic investigation process. It discusses analysis techniques such as floppy disk analysis and hard disk analysis, and covers several popular Linux toolkits, including those that provide a GUI for convenience, and their search techniques.

7. Application Password Crackers
Chapter Brief: A password cracker is an application program used to identify an unknown or forgotten password to a computer or network resource. It can also be used to help a human cracker obtain unauthorized access to resources. This chapter deals with password crackers and the tools used in password recovery. It throws light on delicate concepts such as ways to bypass BIOS passwords, removing CMOS batteries, and Windows XP/2000/NT keys. It also enumerates BIOS password crackers, explains the Passware Kit, and highlights topics such as default password databases and distributed network attacks.
Course Outline

Chapter 1: Understanding File Systems and Hard Disks
Introduction to File Systems and Hard Disks
Disk Drive Overview
  o Types of Disk Drives
Hard Disks
Physical Makeup
Zoned Bit Recording
Hard Disk Interfaces
  o Hard Disk Interfaces: SCSI
  o Hard Disk Interfaces: SATA
  o Hard Disk Interfaces: Parallel ATA (PATA)
  o Hard Disk Interfaces: Fiber Channel
Disk Platters
  o Disk Platters: Platter Organization
  o Disk Platters: Bad Sectors
  o Disk Platters: Clusters
  o Disk Platters: Lost Cluster
Disk Partition
Master Boot Record
Disk Capacity Calculation
Hard Disk Tools
Understanding File Systems
  o Types of File Systems
Popular Linux File Systems
Sun Solaris 10 File System: ZFS
Mac OS X File Systems
UFS (Unix File System)
Windows and DOS File Systems
NTFS
CD-ROM/DVD File Systems
Comparison of File Systems
Registry Data

Chapter 2: Understanding Digital Media Devices
Introduction to Digital Media Devices
Magnetic Tapes
Floppy Disks
Compact Discs
  o Reading a CD
DVDs
  o HD DVDs
Blu-ray Discs
iPod
Zune
Flash Memory Cards
Secure Digital (SD)
CompactFlash (CF)
Memory Stick (MS)
MultiMediaCard (MMC)
xD-Picture Card (xD)
SmartMedia (SM)
USB Flash Drives

Chapter 3: Windows, Linux, and Macintosh Boot Processes
Introduction to Windows, Linux, and Macintosh Boot Processes
Boot Loader
Boot Sector
Basic System Boot Process
MS-DOS Boot Process
Windows XP Boot Process
Linux Boot Process
  o Step 1: Boot Manager
  o Step 2: init
  o Step 2.1: /etc/inittab
  o Step 3: Services
  o Step 4: More inittab
Mac OS X
Mac OS X Hidden Files and Key Directories
Mac OS X Boot Process
Open Firmware Boot Loader
Mac OS X Boot Options
Mac OS X Boot Sequence
Installing Mac OS X on Windows XP
Tool: PearPC

Chapter 4: Windows Forensics I
Introduction to Windows Forensics
Volatile Information
System Time
Logged-On Users
Open Files
NetBIOS Name Table Cache
Network Connections
Netstat
Process Information
  o Tool: Tlist
  o Tool: Tasklist
  o Tool: PsList
  o Tool: ListDLLs
  o Tool: Handle
Process-to-Port Mapping
Network Status
  o Tool: Ipconfig
  o Tool: PromiscDetect
  o Tool: PromiscDetect and Promqry
Clipboard Contents
Service/Driver Information
Command History
Mapped Drives and Shares
Nonvolatile Information
Examining File Systems
Registry Settings
Event Logs
Index.dat File
Connected Devices
Slack Space
  o Tool: DriveSpy
Swap File
Windows Search Index
Hidden Partitions
Hidden ADS
Windows Memory Analysis
Importance of a Memory Dump
EProcess Structure
Process Creation Mechanism
Parsing Memory Contents
Parsing Process Memory
Extracting the Process Image
Collecting Process Memory
Inside the Windows Registry
Registry Structure Within a Hive File
Registry Analysis
System Information
Time Zone Information
Shares
Audit Policy
Wireless SSIDs
Autostart Locations
USB Removable Storage Devices
MountedDevices
Finding Users
Tracking User Activity
Analyzing Restore Point Registry Settings
Determining the Startup Locations
Cache, Cookie, and History Analysis in Internet Explorer
Cache, Cookie, and History Analysis in Mozilla, Firefox, and Netscape
  o Tool: Pasco
  o Tool: IECacheView
  o Tool: CacheMonitor II
  o Tool: IEHistoryView
  o Tool: IE Cookie Analysis
  o Tool: IECookiesView
  o Tool: IE Sniffer
MD5 Calculation
MD5 Algorithm
  o Tool: ChaosMD5
  o Tool: Secure Hash Signature Generator
  o Tool: Mat-MD5
  o Tool: MD5 Checksum Verifier
Recycle Bin
Prefetch Files
Shortcut Files
Word Documents
PDF Documents and Graphics Files
File Signature Analysis
NTFS Alternate Data Streams
Creating, Enumerating, and Removing ADSs
Executable File Analysis
Documentation Before Analysis
Static Analysis Process
Dynamic Analysis Process
Metadata
  o Metadata in Different File Systems
  o Viewing Metadata

Chapter 5: Windows Forensics II
Introduction to Windows Forensics, Part II
Understanding Events
Event Log File Format
Vista Event Logs
IIS Logs
Parsing IIS Logs
Parsing IIS FTP Logs
Parsing DHCP Server Logs
Parsing Windows Firewall Logs
Using the Microsoft Log Parser
Evaluating Account Management Events
Interpreting File and Other Object-Access Events
Examining Audit-Policy Change Events
Examining System Log Entries
Examining Application Log Entries
Using EnCase to Examine Windows Event Log Files
EnCase Windows Event Log Parser
Windows Event Log File Internals
Repairing Corrupted Event Log Databases
Understanding Windows Password Storage
Hashing Passwords
Cracking Windows Passwords Stored on Running Systems
Exploring Windows Authentication Mechanisms
LanMan Authentication
NTLM and Kerberos Authentication
Sniffing and Cracking Windows Authentication Exchanges
Cracking Offline Passwords
  o Tool: Helix
  o Tool: Sigverif
  o Tool: Word Extractor
  o Tool: RegScanner
  o Tool: PMDump
  o Tool: System Scanner
  o Tool: X-Ways Forensics
  o Tool: Traces Viewer
  o Tool: PE Builder
  o Tool: Ultimate Boot CD-ROM

Chapter 6: Linux Forensics
Introduction to Linux Forensics
Linux File System in Linux
Linux Forensics
Precautions During Investigation
Recognizing Partitions in Linux
mount Command
dd Command Options
Floppy Disk Analysis
Hard Disk Analysis
Data Collection
  o Data Collection Using the Toolkit
Keyword Searching
Linux Crash Utility: Commands
Investigation Examples
Linux Forensic Tools
  o Tools in The Sleuth Kit
  o Autopsy
  o SMART for Linux
  o Penguin Sleuth Kit
  o The Farmer's Boot CD
  o Delve
  o Forensix
  o Maresware
  o Captain Nemo
  o The Coroner's Toolkit (TCT)
  o FLAG
  o md5deep
  o TestDisk
  o Vinetto
  o HELIX
  o BackTrack

Chapter 7: Application Password Crackers
Introduction to Mac Forensics
Password Terminology
What Is a Password Cracker?
How Does a Password Cracker Work?
Password-Cracking Methods
System Password Cracking
Bypassing the BIOS Password
Removing the CMOS Battery
Jumper Settings
Tools for System Software Password Cracking
  o Tool: CmosPwd
  o Tool: ERD Commander
  o Tool: Active@ Password Changer
  o Application Software Password Cracking
  o Tool: Word Password Recovery Master
  o Tool: Office Password Recovery Toolbox
  o Tool: Distributed Network Attack
  o Tool: Passware Kit
  o Tool: Advanced ZIP Password Recovery
Default Password Databases
Password-Cracking Tools
  o Tool: Cain & Abel
  o Tool: LCP
  o Tool: SID&User
  o Tool: ophcrack
  o Tool: John the Ripper
  o Tool: Brutus
  o Tool: Access PassView
  o Tool: RockXP
  o Tool: Magical Jelly Bean Keyfinder
  o Tool: PstPassword
  o Tool: Protected Storage PassView
  o Tool: Network Password Recovery
  o Tool: Mail PassView
  o Tool: Asterisk Key
  o Tool: Messenger Key
  o Tool: MessenPass
  o Tool: Password Spectator
  o Tool: SniffPass
  o Tool: Asterisk Logger
  o Tool: Dialupass
  o Tool: Mail Password Recovery
  o Tool: Database Password Sleuth
  o Tool: CHAOS Generator
  o Tool: PicoZip Recovery
  o Tool: Netscapass
Securing Passwords