INSTITUTE OF FORENSIC SCIENCE GUJARAT FORENSIC SCIENCES UNIVERSITY IFS-GFSU CERTIFIED ELECTRONIC EVIDENCE EXAMINER EEE
IFS-GFSU Certification #18001 Electronic Evidence Examiner

An IFS-GFSU Certified Electronic Evidence Examiner is equipped with specialized knowledge and skills in collecting, examining, analyzing and reporting of electronic evidence and cyber trails.

DATES FOR 2014 EXAMS
The exam for the IFS-GFSU Certification #18001 Electronic Evidence Examiner will be conducted on the following dates in 2014:
Sunday 19th January, 2014
Sunday 20th April, 2014
Sunday 20th July, 2014
Sunday 19th October, 2014
Registration for the exam closes 30 days prior to the exam date.

SUMMARY OF EXAM INFORMATION
Exam Duration: 3 hours
Passing Marks: 70%
One-time registration fees: Rs 1,000
Exam Fees: Rs 4,500 for students
Exam Fees: Rs 10,000 for others

ABOUT IFS-GFSU
This certification is provided by Institute of Forensic Science, Gujarat Forensic Sciences University (IFS-GFSU). The Government of Gujarat, under the flagship of the Home Department of the Government of Gujarat, has established GFSU. GFSU is the only university across the world, dedicated to Forensic & Investigative Science.

ABOUT THIS DOCUMENT
This document is issued in pursuance of the IFS-GFSU Certification Policy. This document is issued as a guide to candidates pursuing an IFS-GFSU certification. IFS-GFSU does not make any representations or warranties that the use of this document will assure candidates of passing any IFS-GFSU certification.

© 2013 Institute of Forensic Science, Gujarat Forensic Sciences University. All rights reserved.

Gujarat Forensic Sciences University
DFS Head Quarters, Sector 18-A,
Near Police Bhavan,
Gandhinagar-382007,
Gujarat-India
Quick Guide to Earning & maintaining your IFS-GFSU certification

Obtain PRN > Apply for Exam > Prepare for Exam > Pass the exam > Earn the certification > Earn CEUs

1. Obtain your one-time Permanent Registration Number.
2. Apply for the examination.
3. Prepare for the exam by studying the reference material comprising the IFS-GFSU Common Body of Knowledge for Electronic Evidence Examination (CBOK-EEE).
4. Appear for the certification exam and obtain 70% in each section.
5. Earn your certification. Earn the right to use EEE. Get upgraded to EEE+ after 6 years.
6. Earn 120 Continuing Education Units (CEUs) every 3 years and submit proof of the same.
Table of Contents

A. Benefits of IFS-GFSU Certifications
   A1. Benefits to individuals
   A2. Benefits to organizations
B. About the Certification
   B1. About Electronic Evidence Examination
   B2. Required competence
   B3. Abilities
   B4. Prerequisites
   B5. Code of Professional Ethics
   B6. Criteria for initial certification
   B7. Criteria for renewal of certification
   B8. Grounds for suspending and withdrawing certification
   B9. Exam Overview
   B10. Development of the exam
   B11. Subject Matter Experts
   B12. Type of questions
   B13. Preparation for the Exam
   B14. Common Body of Knowledge for Electronic Evidence Examination (CBOK-EEE)
   B15. Administration of the Exam
        Admission Pass
        Entry to the exam centre
        Special Arrangements
        What to carry into the exam centre
        What NOT to carry into the exam centre
        Malpractice or cheating
   B16. Fees
   B17. Exam Duration
   B18. Passing Score
   B19. Dates
   B20. Overview of Examination Syllabus
   B21. Detailed Examination Syllabus
C. The IFS-GFSU Continuous Education Program
D. About GFSU
E. Application Form for Permanent Registration Number for IFS-GFSU Certification Programs
A. Benefits of IFS-GFSU Certifications

A1. Benefits to individuals

Achieve a higher position, raise, and promotion faster [1]
Become more employable [2]
Affirm your professional expertise [3]
Increase job security
Demonstrate that you possess essential domain knowledge
Boost relevance by staying current in the profession with continuing education requirements.
Advance your career potential due to recognition as a certified professional
Recognition of professional competence by professional peers and management
Increase your value and income
Keep up with ever-changing standards and technologies
Validate your knowledge
Differentiate yourself from your peers
Boost your confidence
Show that you know the most current principles and practices of your field
Personal satisfaction of accomplishing a milestone in your career
Stand out against other applicants in a tough job market.
Get prepared for greater on-the-job responsibilities
Potentially earn higher income for being formally recognized as a certified professional
Demonstrate Your Commitment
Build and enhance your credibility
Build & Showcase Your Skills
Become more marketable when you compete for top positions
Raise your prestige among your staff and your peers
Improve overall performance, remove uncertainty and widen market opportunities
Ensure you are continually improving and refining your activities
Become part of a professional network
Enjoy better career flexibility
Be recognized as being knowledgeable and skilled
Open the doors of opportunity; enhance your career

[1] Salary surveys show that the majority of hiring managers consider certifications a factor in hiring decisions, and that obtaining relevant certifications often leads to a salary increase.
[2] According to an IDC white paper, "63% of hiring managers believe certified individuals are more productive than their non-certified counterparts."
[3] Your employer, clients, employees and peers will recognize your GFSU credential as an indication of the skills and knowledge you've gained through certification.
A2. Benefits to organizations

Benchmark
With GFSU certifications, your organization will have a benchmark to compensate, measure and evaluate employees' skills for roles within the organization. GFSU certifications also provide a recognized benchmark of skills that can be aligned to organisational skills frameworks.

Consistency
With GFSU certifications, your teams are trained to consistent skill levels.

Staff motivation
The regular assessment process will improve staff responsibility, commitment and motivation and ensure competent employees.

Increased Productivity
GFSU certified professionals are typically more productive and work to consistent standards.

Assurance
GFSU certifications assure that the certified professional has the knowledge and skills needed to perform the allotted tasks.

Performance-related pay
Gaining GFSU certifications can be aligned to performance-related pay.

Customer satisfaction
GFSU certifications can ensure greater customer satisfaction (internal and external customers).

Employee satisfaction
GFSU certifications provide professional development, advancement and recognition opportunities for staff. This can also lead to lower staff turnover.

Higher quality
GFSU certifications lead to more reliable, higher quality results produced with increased efficiency and consistency by professionals who use industry standard techniques.

Culture of learning
GFSU certifications empower a culture of learning and improvement that increases return on investment.

Increased credibility
GFSU certifications demonstrate to customers, competitors, suppliers, staff and investors that you use industry-standard practices.

Stakeholder satisfaction
GFSU certifications demonstrate to your stakeholders that your business is run effectively.
B. About the Certification

B1. About Electronic Evidence Examination

An Electronic Evidence Examiner (EEE) is skilled in collecting, examining, analyzing and reporting of electronic evidence and cyber trails. More specifically, an EEE:
1. Performs forensic analysis of digital information using standard computer forensics & evidence handling techniques.
2. Uses forensically sound procedures to identify network computer intrusion evidence and identifies perpetrators.
3. Employs forensic tools and techniques to identify and examine malicious files.
4. Employs forensic tools and techniques to crack file and system passwords.
5. Detects steganography and recovers deleted, fragmented and corrupted data from digital media of all types.
6. Observes proper evidence custody and control procedures.
7. Documents procedures and findings in a manner suitable for courtroom presentation and prepares comprehensive written notes and reports.

This electronic evidence may be found in computers, laptops, servers, cell phones, tablets, pen drives, digital cameras, CDs, DVDs, computer networks, the Internet etc.

Electronic evidence can be hidden in pictures (steganography), encrypted files, password protected files, deleted files, formatted hard disks, deleted emails, chat transcripts etc.

Electronic evidence can relate to online banking frauds, online share trading fraud, source code theft, credit card fraud, tax evasion, virus attacks, cyber sabotage, phishing attacks, email hijacking, denial of service, hacking, divorce cases, murder cases, organized crime, terrorist operations, defamation, pornography, extortion, smuggling etc.

B2. Required competence

To earn this certification, candidates must take the certification exam and obtain a minimum of 70% marks.

B3. Abilities

Candidate's vision, hearing, mobility and other abilities must be such that would permit him to work efficiently in electronic evidence examination in an organizational environment.

B4. Prerequisites

The candidate must be a graduate in any stream from a recognized University.
B5. Code of Professional Ethics

All IFS-GFSU certified professionals should:
1. Encourage implementation of measures for control of corporate crime.
2. Perform duties to the best of their knowledge, skills and capabilities.
3. Maintain high standards of moral character.
4. Preserve the privacy and confidentiality of information obtained in the course of professional assignments, subject to regulatory requirements.
5. Ensure compliance with regulatory and legal framework.

Failure to comply with this Code of Professional Ethics may result in suspension and subsequent withdrawal of certification.

B6. Criteria for initial certification

1. Demonstrating mastery of IFS-GFSU Common Body of Knowledge for Electronic Evidence Examination by successfully taking the certification exam with a score of at least 70%.
2. Being a graduate in any stream from a recognized University. Students pursuing graduation may appear for the certification exam and on successfully passing the exam will be issued a provisional certificate. Such applicants will be certified on submitting proof of graduation.
3. Accepting the IFS-GFSU Code of Professional Ethics.

B7. Criteria for renewal of certification

1. Earn 120 CEUs (Continuing Education Units) every 3 years.
2. Submit documentary evidence in respect of CEUs earned.
3. Submit administrative fee of Rs. 2,000 plus applicable taxes (every 3 years).
4. Compliance with IFS-GFSU Code of Professional Ethics.

B8. Grounds for suspending and withdrawing certification

The Certification Management Committee, Institute of Forensic Science, Gujarat Forensic Sciences University (IFS-GFSU) may suspend and withdraw a certification for any of the following reasons:
1. Violation of the terms of any undertaking made to IFS-GFSU.
2. Failure to obtain the required CEUs (Continuing Education Units) every 3 years.
3. Failure to submit documentary evidence every 3 years of CEUs earned along with the applicable administrative fee.
4. Violating any provision of the IFS-GFSU Code of Professional Ethics.
5. Providing any false information to IFS-GFSU.
B9. Exam Overview

The Electronic Evidence Examiner (EEE) certification from Institute of Forensic Science, Gujarat Forensic Sciences University (IFS-GFSU) proves specialist level expertise in electronic evidence examination.

B10. Development of the exam

The Certification Management Committee of IFS-GFSU is responsible for operational policies and procedures, implementation of the policies and procedures, resources for certification activities (personnel, outsourcing, premises, including examination sites, equipment and resources for carrying out certification activities), assessment activities, decisions on certification, including the granting, maintaining, recertifying, expanding, reducing, suspending or withdrawing of the certification, contractual arrangements. The Certification Development Committee of IFS-GFSU is responsible for development and maintenance of the certification schemes. Subject Matter Experts come under the Certification Development Committee.

B11. Subject Matter Experts

Subject Matter Experts for certification programs conducted by Institute of Forensic Science, Gujarat Forensic Sciences University advise in the development and review of the certification scheme [4]. The Subject Matter Experts for IFS-GFSU Certification #18001 Electronic Evidence Examiner are (in alphabetical order):

[4] This includes criteria for initial certification and recertification; curriculum for certification examinations and tests; assessment methods for initial certification and recertification; surveillance methods and criteria (if applicable); criteria for suspending and withdrawing certification; criteria for changing the scope or level of certification (if applicable); submitting questions for inclusion in the certification examinations and tests (optional).

Debasis Nayak, Director Asian School of Cyber Laws
Debasis Nayak is Director and co-founder of Asian School of Cyber Laws. He is also the managing partner, Techjuris Law Consultants. He has also been involved in the activity of framing draft rules and regulations under the Information Technology Act, 2000 for the Department of Information Technology, Government of India.
He is a visiting faculty on cyber law and cyber crime investigation at the National Police Academy, Hyderabad. He has taught cyber law at numerous educational institutions across India. He has trained various law enforcement agencies in cyber crime investigation including personnel from governments of Malaysia and Mauritius. His other areas of interest include the legal regime regulating online gaming, copyright issues relating to software, implementation of public key infrastructure and cyber forensics. He is a consultant to corporate organizations, law enforcement agencies and governments on these issues.

Jimmy Mate, Assistant Manager, EY
With over 7 years of experience in Forensic Technology, he currently holds the position of Assistant Manager with a Big4. His expertise covers Digital Forensic Data Analysis, Computer Forensics, Fraud Investigations along with evaluating design & operating efficiencies of internal controls at the entity & process level and identifying areas of improvement & cost savings.
He has addressed various sectors like Cement Manufacturing, Apparels & Footwear, Pharmaceutical, Information Technology, Automotive, Micro Finance, Consumer Electronic manufacturing, media & entertainment, hospitality, business & technology services, insurance and steel manufacturing. He has also worked on designing & execution of training modules in the area of forensic technology for government organizations & corporates.

R Vittal Raj FCA, CISA, CGEIT, CISM, CRISC, CISSP, CIA, CFE
He has 25+ years of experience in directing, managing projects in Information Security, IS Audit, IT Governance.

Ram Gopal Soni, Associate VP - Security Consulting, ControlCase International Pvt. Ltd.
Ram Gopal Soni is an Information Security Graduate with strong cognition and industry experience in information security implementation, assessment, audit and information security Management. He is working as QSA / Associate VP - Security Consulting with ControlCase International Pvt. Ltd and is currently focused on Information Security Compliance Audit and Certification including PCI-DSS, PA-DSS and Computer Forensics, Fraud Investigation and Risk Assessment. He is also involved in execution and management of Technical Risk Assessment including application security, penetration testing and business development activities.

Ravindranath Patil, Associate Director, Risk Consulting, KPMG
He is a former IPS officer having over 9 years of experience in cyber and fraud investigation pertaining to industries such as Infrastructure, Liquor, FMCG, Telecommunication, IT, Engineering Goods, Automobile and Micro Finance. He has worked as an Assistant Director General of Foreign Trade, Ministry of Commerce, Government of India. He is a visiting faculty on cyber crime investigation at National Police Academy, National Academy of Direct Taxes and the Centre for Police Research. He is a research fellow of Centre for Police Research on Mobile Technology.

Sethu S Raman, Vice President & Chief Risk Officer, MphasiS an HP Company
Sethu S Raman is an ex-defence officer presently working as the Chief Risk Officer with an MNC IT services company. He is a senior risk management professional with a strong academic background (MBA, BAL [Law], CRMA, CPP, CBCP, CISA, CISSP) and 21 years of versatile experience in managing risk in its manifold manifestation especially in banking and IT industries.

S. P. Srivastava, former Director General of UP Police and former Joint Director of Central Bureau of Investigation (CBI)
Shri S. P. Srivastava is a retired Director General of Police, Uttar Pradesh and former Joint Director (Delhi, Mumbai), Central Bureau of Investigation (CBI). During his illustrious career in the Indian Police Service, he has held the following posts: Director General, U.P. Police Head Quarters, Joint Director (Delhi, Mumbai), Central Bureau of Investigation, Govt. of India, Crime Branch, U.P., Criminal Investigation Department / Intelligence Department, Chief Security Commissioner (NER, CR), Indian Railways, Joint Manager (Vigilance) / Regional Manager, Food Corporation of India, Superintendent of Police, State Vigilance Establishment.
He has developed an IT tool for investigation of disproportionate asset cases enabling law enforcement agencies to launch successful prosecution against corrupt accused persons. He has also developed an in-house tool for scientific allocation of budget to field units enabling optimal utilization and maximum yield (UP Police has annual budgetary outlay of approx. 6000 crores and approximately 2 lakh police personnel).
While working in CBI, New Delhi, he helped solve a high profile and sensitive murder case with the help of scientific tools and utmost regard to human rights. Accused persons were found guilty by the trial court and severe punishment awarded, making it a landmark investigation. While working in CBI, Mumbai a large amount of black money (one of the largest) was unearthed from a senior government official, which became a landmark haul of hard cash stashed in the house.
He has been engaged actively in development of IT tools to combat cyber crime and an integrated application for holistic police functioning. His educational qualifications include B.Sc. (Physics, Chemistry, Mathematics), BCA, M.Sc. Physics (Electronics). He is a published author and has written many articles on contemporary topics including corruption in national daily newspapers.

Szabolcs Hallai, CISO, CISA, CISM, CITRM, C|CISO
Szabolcs's primary goal as an auditor and/or consultant is to reconcile the everlasting dilemma of an IT/ITSEC being a business based function inside of a non-IT core business entity. By becoming a skilled expert of both worlds - business and information technology - he tries to discover control and system errors and to help them correct the best possible way. Working as a team player he never lost his individual skills. Experienced in governmental / multinational / equity / financials / banking environments, multitasking, with high communication skills on senior level and with end-users. Specialities: Expertise on the field of IT Auditing, QA and Consultancy, Risk Management, Policy Compliance, ISO 27001/17799/BS 7799, ITIL, COBIT, AML, MiFID, General Internal Audit, Due diligence, IT Security, Legislation compliance, IT governance

B12. Type of questions

The examination will consist primarily of Case Study Based (Problem-Based) questions. These questions consist of a practical problem followed by several options. Candidates must apply their knowledge and skills to choose the most appropriate option. IFS-GFSU certifications use this type of questions as they allow candidates to demonstrate their practical understanding of the topic rather than requiring them to memorise information. Such questions focus on testing a candidate's skill development, require thinking and do not focus on purely theoretical knowledge.

B13. Preparation for the Exam

Case Study Based (Problem-Based) questions require candidates to study the reference material thoroughly and ensure understanding of how the information can be applied in real-life practical situations.
On registering for the certification exam, you will be provided comprehensive reference material and the IFS-GFSU Guide to the Common Body of Knowledge for Electronic Evidence Examination (CBOK-EEE) in electronic form.

B14. Common Body of Knowledge for Electronic Evidence Examination (CBOK-EEE)

The IFS-GFSU Common Body of Knowledge for Electronic Evidence Examination (CBOK-EEE) establishes a baseline for the body of knowledge for electronic evidence examination. CBOK-EEE is a comprehensive description of the sum of knowledge and professional practices and techniques that are generally accepted within the electronic evidence examination profession. CBOK-EEE is not static and will be constantly evolving as the field of Electronic Evidence Examination develops.

B15. Administration of the Exam

Admission Pass
Approximately one week prior to the exam date, registered candidates will be emailed an electronic Admission Pass containing the date, time and exact venue of the examination. You must carry a printout of this Admission Pass along with a government issued photo-identity card (e.g. PAN card, driver's license, passport, etc.).

Entry to the exam centre
Registered candidates must enter the exam centre 30 minutes prior to the start of the exam. Any candidate who is late will be denied entry to the exam centre and will not be permitted to take the exam. The exam fees paid by such a candidate will be forfeited.

Special Arrangements
No food or drink is permitted at the exam centre. An exception can be made in case of medical reasons provided the registered candidate shows a doctor's certificate to this effect.

What to carry into the exam centre
Suitable pencils, eraser, sharpener, a printout of your Admission Pass and a valid Government issued photo-identity card.

What NOT to carry into the exam centre
Any reference materials, paper, books, calculator, cell-phone, laptop, tablet, etc. Do not carry any food or drinks unless you have a doctor's certificate proving the need for it.

Malpractice or cheating
The following activities will constitute malpractice and may result in the candidate being debarred from all future exams as well as prosecuted under the law:
1. carrying any reference material into the exam centre;
2. attempting to take the exam for another person;
3. using any reference material;
4. assisting another candidate in attempting the exam;
5. using any communication device;
6. leaving or entering the exam centre without authorization from the examiner;
7. carrying the question booklet or answer sheets outside the exam centre;
8. disturbing the other candidates during the examination;

B16. Fees

Particulars                                      Fee (Rs)
One-time Permanent Registration Fee              1,000
Exam Fees (For students pursuing graduation)     4,500
Exam Fees (For others)                           10,000

Note:
1. In case a registrant fails the certification exam, he/she will be required to pay 50% of the current exam fees for subsequent attempts.
2. No fee refunds will be made to any registrant.
3. On registering for a certification, the registrant shall be provided the list of recommended reference material.
4. No contact lectures or classes shall be provided.

B17. Exam Duration

The certification exam has a length of 3 hours.

B18. Passing Score

To pass, a candidate must obtain a minimum of 70% in each of the sections of the exam.

B19. Dates

Exam date                      Registration closes on
Sunday 19th January, 2014      19th December, 2013
Sunday 20th April, 2014        20th March, 2014
Sunday 20th July, 2014         20th June, 2014
Sunday 19th October, 2014      19th September, 2014

B20. Overview of Examination Syllabus

This examination is divided into the following sections:
1. Performing The Forensic Process
2. File Forensics
3. Operating Systems Forensics
4. Network Forensics
5. Application Forensics
6. Internet Forensics
7. Mobile Forensics
8. Practical Forensics
9. Legal & Documentation Issues

B21. Detailed Examination Syllabus

1. PERFORMING THE FORENSIC PROCESS
1.1 Data Collection, Examination, Analysis & Reporting
1.2 Best Practices & International Standards
1.2.1 SWGDE Model Standard Operation Procedures for Computer Forensics
1.2.2 ENFSI Guidelines for Best Practice in the Forensic Examination of Digital Technology
1.2.3 CIGIE Quality Standards for Digital Forensics
1.2.4 Good Practice Guide for Computer-Based Electronic Evidence by Association of Chief Police Officers (ACPO), UK
1.2.5 Best Practices For Seizing Electronic Evidence by the United States Secret Service
1.2.6 Investigations Involving the Internet and Computer Networks by the US Department of Justice
1.2.7 Cyber Crime Investigation Manual by Asian School of Cyber Laws
1.2.8 ISO/IEC 27037:2012 [Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence]
1.2.9 International Standard ISO/TR 15801:2009 (Document management - Information stored electronically - Recommendations for trustworthiness and reliability)
1.2.10 ISO/IEC TR 18044:2004 Information technology - Security techniques - Information security incident management
1.2.11 Relevant NIST Recommendations & Guidelines

2. FILE FORENSICS
2.1 File Basics
2.1.1 File Storage Media
2.1.2 Filesystems - FAT16, FAT32, NTFS, HPFS, ext2fs, ext3fs, ReiserFS, HFS, HFS Plus, UFS, CDFS, UDF, ISO 9660, Joliet
2.1.3 Other Data on Media - Deleted Files, Slack Space, Free Space, Alternate Data Streams
2.2 Collecting Files
2.2.1 Copying Files from Media - Logical Backup, Bit stream Imaging
2.2.2 Data File Integrity - write blocker, hash, message digest
2.2.3 File Modification, Access, and Creation Times, Metadata
2.2.4 Technical Issues - wiping, demagnetizing, hidden data
2.3 Examining Files
2.3.1 Locating the Files - hex editors, slack recovery tools
2.3.2 Extracting the Data - file headers, file signatures, encryption (symmetric, asymmetric Cryptography, File encryption, Disk encryption, Full disk encryption), SSL, Email encryption, steganography, digital watermarks, key loggers, passwords
2.3.3 Using a Forensic Toolkit - file viewers, uncompressing files, graphically displaying directory structures, identifying known files, performing string searches and pattern matches, accessing file metadata
2.3.4 Analysis

3. OPERATING SYSTEMS FORENSICS
3.1 OS Basics
3.1.1 Non-Volatile Data - Configuration files (users and groups, password files, scheduled jobs), logs (system events, audit records, application events, command history, recently accessed files), application files, data files, swap files, dump files, hibernation files, Temporary files, Interrupt Request Line, Hot keys
3.1.2 Volatile Data - Slack space, Free space, Network configuration (NIC drivers, IP addresses, virtual private networks), network connections, running processes, open files, login session, operating system time
3.2 Collecting OS Data
3.2.1 Collecting Volatile OS Data - Contents of memory, Network configuration, Network connections, running processes, open files, login sessions, operating system time
3.2.2 Collecting Non-Volatile OS Data - Users and groups, Passwords, Network shares, Logs
3.2.3 Technical Issues with Collecting Data - OS access (biometric based authentication, autorun feature), log modification, hard drives with flash memory, key remapping, OS data
3.3 Examining and Analyzing OS Data
3.4 Windows Forensics
3.4.1 Windows Disks, Files and Partitions
3.4.2 Windows Boot Sequence
3.4.3 Forensic Issues - Recycle bin forensics, hiberfil.sys, log files, paging files, thumbs.db files, registry analysis
3.5 Linux Forensics
3.5.1 Linux disks, partitions and the file system
3.5.2 The Linux boot sequence
3.5.3 Linux commands
3.5.4 Forensic Issues - Included forensic tools, Determining the structure of the disk, Creating a forensic image of the suspect disk, Mounting a restored image, Mounting the image using the loopback device, file hash, making a list of all files, making a list of file types, viewing files, searching unallocated and slack space for text, handling large disks, preparing a disk for the suspect image, obtaining disk information, dd, splitting files and images, compression on the fly, data carving, carving partitions, determining the subject disk file system structure
3.6 Mac Forensics
3.6.1 File systems, operating systems, data files
3.6.2 Boot process
3.6.3 Technologies - Bonjour, FileVault, Spotlight, Disk Arbitration, Activate/Deactivate Disk Arbitration, Target Disk Mode, Target Disk Mode Procedure
3.6.4 Forensic Issues - Imaging a target Macintosh, Disk structure, FileVault and Mac OS X security, disk utility & dmg files, spotlight, user home directory structure, user Library Folder, Applications, .Mac and Related Evidence, iChat, and Instant Messaging Applications, Mac OS X Log Files, Mac OS X plist Files, Sleep and Safe Sleep, Apple Boot Key Combos

4. NETWORK FORENSICS
4.1 TCP/IP Basics
4.1.1 Application Layer - DNS, HTTP, SMTP, FTP, SNMP
4.1.2 Transport Layer - TCP, UDP, packets and payload, DHCP
4.1.3 Internet Protocol Layer - ICMP, IGMP, IPv6, ESP
4.1.4 Hardware Layer - Ethernet, Routers and firewalls, EtherType value
4.1.5 Significance of TCP/IP layers in Network Forensics
4.2 Network Traffic Data Sources
4.2.1 Firewalls and Routers - Private addresses, Public addresses, Proxies, NAT, VPN
4.2.2 Packet Sniffers and Protocol Analyzers - Promiscuous mode, Capture files
4.2.3 Intrusion Detection Systems - Network IDS, Host IDS, IDS sensors, Buffer overflow
4.2.4 Remote Access - Remote Access Servers, VPN Gateways, Modem servers, Packet filtering
4.2.5 Security Event Management Software
4.2.6 Network Forensic Analysis Tools
4.2.7 Other Sources - DHCP servers, Network monitoring software, ISP records, client/server applications, hosts' network configurations and connections
4.3 Collecting Network Traffic Data
4.3.1 Legal Considerations
4.3.2 Technical Issues - Data storage, Encrypted traffic (IPSEC, SSH, SSL), Services running on unexpected ports, alternate access points, monitoring failures
4.4 Examining and Analyzing Network Traffic Data
4.4.1 Identifying an Event of Interest
4.4.2 Examining Data Sources
      Data Source Value - IDS signatures, IDS software, SEM software, NFAT software (traffic reconstruction and visualization), firewalls, routers, proxy servers & remote access servers, DHCP servers, packet sniffers, network monitoring, ISP records.
      Examination & Analysis Tools - blind search, covert channels, visualization tools
4.4.3 Drawing Conclusions
4.4.4 Attacker Identification - spoofed IP addresses, many source IP addresses, validity of IP address (anonymizers), whois, DNS records, tracking & tracing emails, analyzing server logs

5. APPLICATION FORENSICS
5.1 Application Components
5.1.1 Configuration settings - Configuration file, run-time options, batch files, added to source code
5.1.2 Authentication - External authentication, Proprietary authentication, Pass-through authentication, host/user environment
5.1.3 Logs - Event, Audit, Error, Installation, Debugging
5.1.4 Data - Generic data formats, Proprietary data formats, Databases, Temporary files, Data file templates, Sample data files, Documents
5.1.5 Supporting Files - Documentation, Links, Graphics
5.1.6 Application Architecture - Local, Client/server, Peer-to-peer
5.2 Types of Applications
5.2.1 E-mail - POP3, IMAP
5.2.2 Web Usage
5.2.3 Interactive Communications - Group chat (Internet Relay Chat), Instant Messaging Applications, Audio and Video (VOIP, H.323, Session Initiation Protocol)
5.2.4 File Sharing - Client/server (NFS, AFP, SMB, SFTP), Peer-to-peer
5.2.5 Document Usage - Word processors, Spreadsheet, Presentation, Personal Database software
5.2.6 Security Applications
5.2.7 Data Concealment Tools - System clean-up tools
5.3 Collecting Application Data - File systems, Volatile OS data, Network traffic
5.4 Examining and Analyzing Application Data

6. INTERNET FORENSICS
6.1 Facebook Forensics
6.1.1 Facebook Protocol Format
6.1.2 Forensics on Common Facebook Activities
6.1.3 Facebook Forensics in Virtual Environment
6.1.4 Facebook Forensics in Mobile Devices
6.2 Browser Forensics
6.2.1 Internet Explorer Forensics
6.2.2 Firefox Forensics
6.2.3 Chrome Forensics
6.2.4 Safari Forensics
6.2.5 Opera Forensics
6.3 Forensics Web Services

7. MOBILE FORENSICS
7.1 iPad & iPhone Forensics
7.2 Blackberry Forensics
7.3 Android Forensics
7.4 Windows Mobile Forensics
7.5 Symbian Forensics

8. PRACTICAL FORENSICS
8.1 Software Tools for Forensics
8.1.1 Cloud Forensics - Internet Evidence Finder
8.1.2 Deleted File Recovery - Autopsy, Belkasoft Evidence Center, ILookIX, P2 Commander, The Sleuth Kit, X-Ways Forensics
8.1.3 Disk Imaging - Paraben Forensic Replicator, ILookIX imager, MacQuisition, X-Ways Forensics, X-Ways Imager
8.1.4 Email Parsing - Aid4Mail, Belkasoft Evidence Center, BlackLight, Paraben E-mail Examiner, Internet Evidence Finder, Paraben Network E-mail Examiner
8.1.5 Graphical Forensics - Live View
8.1.6 Hash Analysis - Autopsy, Maresware Hash
8.1.7 Instant Messenger - BlackLight, Internet Evidence Finder
8.1.8 Media Sanitization / Drive Re-use - X-Ways Forensics / WinHex
8.1.9 Memory Capture and Analysis - Belkasoft Live RAM Capturer, Mac Memory Reader, Windows Memory Reader, ILookIX imager, Internet Evidence Finder, MacQuisition
8.1.10 Mobile Device Acquisition and Analysis - Elcomsoft Blackberry Backup Explorer, Elcomsoft iOS Forensic Toolkit, Lantern 3, iXam, SIMiFOR, XAMN, XRY
8.1.11 P2P Analysis - Belkasoft Evidence Center, eMule Reader, Internet Evidence Finder, P2P Marshal
8.1.12 Social Media - Belkasoft Facebook Profile Saver, Internet Evidence Finder
8.1.13 Software Write Block - SAFE Block Vista/2008, SAFE Block Win7/2008R2, SAFE Block XP/2003, SoftBlock
8.1.14 Steganalysis - Steganography Analyzer Artifact Scanner (StegAlyzerAS), Steganography Analyzer Field Scanner (StegAlyzerFS), Steganography Analyzer Real-Time Scanner (StegAlyzerRTS), Steganography Analyzer Signature Scanner (StegAlyzerSS)
8.1.15 String Search - Autopsy, BlackLight, dtSearch, X-Ways Forensics
8.1.16 Web Browser Forensics - BlackLight, Internet Evidence Finder
8.1.17 Windows Registry Analysis - BlackLight, Registry Recon
8.2 Password Breaking
8.2.1 Passware product line
8.2.2 Elcomsoft product line

9. LEGAL & DOCUMENTATION ISSUES
9.1 Information Technology Act
9.2 Indian Penal Code
9.3 Code of Criminal Procedure
9.4 Indian Evidence Act
9.5 Documentation Issues - First Information Report, Property Search & Seizure Form, Final Form/Report, Relevant checklists, Relevant reports
C. The IFS-GFSU Continuous Education Program

The IFS-GFSU Continuous Education Program (CEP) is designed to keep your expertise and skills updated. You are required to obtain 120 CEUs (continuing education units) every 3 years to maintain your GFSU certification.

You are required to submit documentary evidence every 3 years of CEUs earned by you. Enclose administrative fee of Rs 2,000 plus taxes along with the documentary evidence of CEUs.

1. Activity: Teaching, training or instructing in a relevant field
CEUs earned: 3 CEUs per hour of actual teaching, training or instructing
Documentary evidence to be submitted:
1. Description of content covered
2. Delivery date(s)
3. Number of attendees
Maximum CEUs in a 3 year period: 42 CEUs

2. Activity: Delivering an Industry Presentation in a relevant field
CEUs earned: 3 CEUs per hour of actual presentation
Documentary evidence to be submitted:
1. Description of content covered
2. Delivery date(s)
3. Number of attendees
4. Copy of presentation
Maximum CEUs in a 3 year period: 42 CEUs

3. Activity: Participation in a GFSU approved Industry Event, Seminar, Workshop or conference
CEUs earned: 1 CEU for each hour spent in a relevant session
Documentary evidence to be submitted:
1. The type of activity attended (event, seminar, workshop or conference)
2. Description of the activity
3. Date of Activity
4. Proof of completion provided by activity host (where applicable)
Maximum CEUs in a 3 year period: 42 CEUs

4. Activity: Work Experience
CEUs earned: 1 CEU for each month in a relevant profile
Documentary evidence to be submitted: Following details on employer letterhead:
1. Current job title
2. Brief description of work profile
3. Duration in this job (start and end dates)
4. Confirmation by employer that the candidate is meeting the expectations
5. Signature of the candidate's supervisor
Maximum CEUs in a 3 year period: 36 CEUs

5. Activity: Publishing of a relevant professional article, White Paper or Book
CEUs earned: 4 CEUs per article or white paper; 20 CEUs per published book
Documentary evidence to be submitted:
Description of the content covered
Link to or copy of the published work
Maximum CEUs in a 3 year period: 42 CEUs

6. Activity: Active membership of a GFSU approved relevant committee / Board / Chapter / Association
CEUs earned: 0.25 CEU for each month of membership
Documentary evidence to be submitted:
1. Committee / Board / Chapter / Association details
2. Proof of membership
3. Time frame of active membership
Maximum CEUs in a 3 year period: 9 CEUs
D. About GFSU

This certification is provided by Institute of Forensic Science, Gujarat Forensic Sciences University (GFSU).

GFSU is established by the Government of Gujarat, under the flagship of the Home Department - Government of Gujarat.

The GFSU is a highly specialized higher education institution that came into existence through an act: no. 17, passed by the Gujarat State Legislative Assembly, dated the 30th of September 2008.

The University runs in parallel association with the Directorate of Forensic Science (DFS) - Gujarat State, to provide hands-on training.

DFS - Gujarat State is a state-of-the-art; NABL accredited; ISO-IEC 17025:2005 certified laboratory, maintaining international standards in terms of infrastructure and facilities for Computer Forensics, Narco-analysis and Polygraph Examination, Brain Electrical Oscillation Signature Profiling.

It also has Suspect Detection System (SDS), Audio Video Tape Authentication System, Voice Spectrograph, Speech Lab, Integrated Ballistics Identification System, Computerized Petroleum Testing Facilities, Fully Automated Alcohol Estimation System (GC-HS), FT-Raman, LC-MS, GC-MS, FT-IR for Narcotic/Explosive/Poisons Analysis, Computerized Photographic Image Analysis System, Video Spectral Comparator for Document Examination, Accredited Cow-meat testing mobile laboratories, Accredited Mobile Investigation Vans, Ballistics Data Acquisition System (Computerized firing range) and Automated Fingerprint Identification System.

GFSU is the only university across the world, dedicated to Forensic & Investigative Science.

The GFSU has an ultra modern campus, near the DFS premises, on a government allocated land of 50,000 square meters.

The University is headed by its Director General Dr. J. M. Vyas (M.Sc., Ph.D., LL.B.). Dr. Mohinder Singh Dahiya (M.Sc., Ph.D.) is the Director for the Institute of Forensic Science, Gujarat Forensic Sciences University. Shri Mehul K. Dave is the first Registrar of the Gujarat Forensic Sciences University.
The university has been granted recognition by the University Grants Commission vide its letter no. F.9-7/2011 (CPP-I/PU) dated 16th May 2011.
E. Application Form for Permanent Registration Number for IFS-GFSU Certification Programs

To,
Director,
Institute of Forensic Science,
Gujarat Forensic Sciences University,
Gandhinagar

I am desirous of appearing for IFS-GFSU (Institute of Forensic Science, Gujarat Forensic Sciences University) certifications and therefore request for allotment of Permanent Registration Number. My personal information is as under:

Please paste your recent passport size colour photograph in this box. DO NOT STAPLE

A. NAME
First
Middle
Last

B. DATE OF BIRTH
Day
Month
Year

C. OCCUPATION
(In case you are a student, mention details such as College, course, year etc.)

D. GENDER
Female
Male

E. ADDRESS FOR COMMUNICATION
Apartment/House Number & the Name of the Building
Street/Road/Boulevard
Town/City
State
Country
PIN Code/ZIP
Email Address
Cell/Mobile number
Phone number (with ISD/STD code)
F. FEE DETAILS
Bank Draft number ______ Dated ______ for Rs. 1,000 (non-refundable)
Bank Name
Branch
Favoring: "The Registrar, Gujarat Forensic Sciences University"
Payable at Gandhinagar, Gujarat

G. ADDITIONAL QUALIFICATIONS (IF ANY)

H. DOCUMENTS
Please enclose self-signed photocopies of the following documents:
1. Proof of identity: (any one)
Driving license
Passport
PAN Card
College ID card
2. Proof of educational qualification (any one)
Marksheet
Degree
Other (pl. specify)

I. ADDITIONAL INFORMATION
Have you ever been convicted of a cognizable offence or a Court Martial in military service? If yes, provide details.
Have you ever had a professional license, certification, membership or registration revoked? If yes, provide details.

The Application Form, duly completed, is submitted along with the relevant fee and supporting documents. All the information provided is true to the best of my knowledge and belief. Please acknowledge receipt of the same and confirm my registration.

Regards,

(Applicant's signature)
Date
UNDERTAKING

1. IFS-GFSU may, at its sole discretion, make inquiry of persons or documents directly or indirectly referenced in this application to verify the accuracy and completeness of the information provided by me. I agree to cooperate in any such investigation by IFS-GFSU regarding the information I have provided.
2. I understand that my non-cooperation in such investigation or my providing any information that is fraudulent, misleading or false may result in the refusal of IFS-GFSU to issue a credential to me. It may also lead to my being barred from ever holding an IFS-GFSU credential.
3. I undertake to inform IFS-GFSU, without delay, of matters that can affect my capability to fulfil the certification requirements. I shall comply with the relevant provisions of the certification scheme.
4. I undertake not to release confidential examination materials or participate in fraudulent test-taking practices.
5. I agree to comply with the certification requirements and to supply any information needed for the assessment.
6. In the event of suspension of my certification, I shall refrain from further promotion of the certification while it is suspended. In the event of withdrawal of my certification, I shall refrain from use of all references to a certified status.
7. I shall make claims regarding certification only with respect to the scope for which certification has been granted.
8. I shall not use the certification in such a manner as to bring IFS-GFSU into disrepute, and shall not make any statement regarding the certification, which IFS-GFSU considers misleading or unauthorized.
9. I shall discontinue the use of all claims to certification that contain any reference to IFS-GFSU or certification upon suspension or withdrawal of certification, and return any certificates issued by IFS-GFSU.
10. I shall not use the certificate in a misleading manner.
11. I understand that any action arising out of any application, examination, certification, etc. conducted by IFS-GFSU is subject to the courts of Gandhinagar, Gujarat, India.

I have read and understood the statements above and agree to be legally bound by them.
Regards,

(Signature)
Date

Submit the filled-in application form, bank draft and documents to:

Dr. M S Dahiya,
Director, Institute of Forensic Science,
Gujarat Forensic Sciences University,
DFS Head Quarters, Sector 18-A
Near Police Bhavan, Gandhinagar - 382007
Gujarat - India
Phone: (079) 65735503