Computer hacking forensic investigation CHFI V8


Computek is one of the largest and first EC-Council learning solution providers in Egypt, with 20 years of experience delivering training and certifications across all technologies. All EC-Council training at Computek is delivered by EC-Council Certified Instructors with more than 10 years of experience in the technical and training fields.

The CHFI v8 program certifies individuals in the specific security discipline of computer forensics from a vendor-neutral perspective. The C|HFI certification will fortify the applied knowledge of law enforcement personnel, system administrators, security officers, defense and military personnel, legal professionals, bankers, security professionals, and anyone who is concerned about the integrity of the network infrastructure.

A CHFI v8 certified professional will be able to understand:
The process of investigating cyber-crime, laws involved, and the details in obtaining a search warrant.
Different types of digital evidence, rules of evidence, digital evidence examination process, and electronic crime and digital evidence consideration by crime category
Roles of first responder, first responder toolkit, securing and evaluating electronic crime scene, conducting preliminary interviews, documenting electronic crime scene, collecting and preserving electronic evidence, packaging and transporting electronic evidence, reporting the crime scene
How to recover deleted files and deleted partitions in Windows, Mac OS X, and Linux
The process involved in forensic investigation using AccessData FTK and EnCase
Steganography and its techniques, steganalysis, and image file forensics
Password Cracking Concepts, tools, types of password attacks and how to investigate password protected file breach
Different types of log capturing techniques, log management, time synchronization, log capturing tools
How to investigate logs, network traffic, wireless attacks, and web attacks
How to track e-mails and investigate e-mail crimes and many more.

Computer hacking forensic investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks.

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence. Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud. Computer forensic investigators can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.


The CHFI course will give participants the necessary skills to identify an intruder’s footprints and to properly gather the necessary evidence to prosecute. Many of today’s top tools of the forensic trade will be taught during this course, including software, hardware and specialized techniques. The need for businesses to become more efficient and integrated with one another, as well as with the home user, has given way to a new type of criminal, the “cyber-criminal.” It is no longer a matter of “will your organization be compromised (hacked)?” but, rather, “when?” Today’s battles between corporations, governments, and countries are no longer fought only in the typical arenas of boardrooms or battlefields using physical force. Now the battlefield starts in the technical realm, which ties into nearly every facet of modern-day life. If you or your organization requires the knowledge or skills to identify, track, and prosecute the cybercriminal, then this is the course for you.


Computer forensics training teaches that computer forensics investigation is the process of detecting hacking attacks and properly extracting evidence to report the crime and conduct audits to prevent future attacks.

Computer forensics is simply the application of computer investigation and analysis techniques in the interests of determining potential legal evidence.

Evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft of or destruction of intellectual property, and fraud.

Computer Hacking Forensic investigators (CHFI) can draw on an array of methods for discovering data that resides in a computer system, or recovering deleted, encrypted, or damaged file information.

Securing and analyzing electronic evidence is a central theme in an ever-increasing number of conflict situations and criminal cases.



EC-Council releases the most advanced Computer Forensic Investigation program in the world. CHFI v8 presents a detailed methodological approach to computer forensics and evidence analysis. It is a comprehensive course covering major forensic investigation scenarios that enables students to acquire hands-on experience with various forensic investigation techniques and the standard tools necessary to successfully carry out a computer forensic investigation.
Battles between corporations, governments, and countries are no longer fought using physical force. Cyber war has begun and the consequences can be seen in everyday life. With the onset of sophisticated cyber-attacks, the need for advanced cyber security and investigation training is a mandate in the present day. If you or your organization requires the knowledge or skills to identify, track, and prosecute cybercriminals, then this is the course for you. This course helps students to excel in digital evidence acquisition, handling and analysis in a forensically sound manner. Acceptable in a court of law, these skills will lead to successful prosecutions in various types of security incidents such as data breaches, corporate espionage, insider threats and other intricate cases involving computer systems.

The CHFI program is designed for all IT professionals involved with information system security, computer forensics, and incident response.
Duration: 5 days (9:00 – 5:00)


The CHFI 312-49 exam will be conducted on the last day of training. Students need to pass the online Prometric exam to receive the CHFI certification.


CHFI v8 Course Outline


Computer Forensics in Today's World



Forensics Science

Computer Forensics

Security Incident Report

Aspects of Organizational Security

Evolution of Computer Forensics

Objective of Computer Forensics

Need for Computer Forensics

Forensics Readiness

Benefits of Forensics Readiness

Goals of Forensics Readiness

Forensics Readiness Planning

Cyber Crime

Computer Facilitated Crimes

Modes of Attacks

Examples of Cyber Crime

Types of Computer Crimes

Cyber Criminals

Organized Cyber Crime: Organizational Chart

How Serious are Different Types of Incidents?

Disruptive Incidents to the Business

Cost Expenditure Responding to the Security Incident

Cyber Crime Investigation

Key Steps in Forensics Investigation

Rules of Forensics Investigation

Need for Forensics Investigator

Role of Forensics Investigator

Accessing Computer Forensics Resources

Role of Digital Evidence

Corporate Investigations

Understanding Corporate Investigations

Approach to Forensics Investigation: A Case Study

Instructions for the Forensic Investigator to Approach the Crime Scene

Why and When Do You Use Computer Forensics?

Enterprise Theory of Investigation (ETI)

Legal Issues

Reporting the Results

Reporting a Cyber Crime

Why you Should Report Cybercrime?

Reporting Computer-Related Crimes

Person Assigned to Report the Crime

When and How to Report an Incident?

Who to Contact at the Law Enforcement?

Federal Local Agents Contact

More Contacts

CIO Cyberthreat Report Form



Computer Forensics Investigation Process



Investigating Computer Crime

Before the Investigation

Build a Forensics Workstation

Building the Investigation Team

People Involved in Computer Forensics

Review Policies and Laws

Forensics Laws

Notify Decision Makers and Acquire Authorization

Risk Assessment

Build a Computer Investigation Toolkit

Steps to Prepare for a Computer Forensics Investigation

Computer Forensics Investigation Methodology

Obtain Search Warrant

Example of Search Warrant

Searches Without a Warrant

Evaluate and Secure the Scene

Forensics Photography

Gather the Preliminary Information at the Scene

First Responder

Collect the Evidence

Collect Physical Evidence

Evidence Collection Form

Collect Electronic Evidence

Guidelines for Acquiring Evidence

Secure the Evidence

Evidence Management

Chain of Custody

Chain of Custody Form

Acquire the Data

Duplicate the Data (Imaging)

Verify Image Integrity

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

Recover Lost or Deleted Data

Data Recovery Software

Analyze the Data

Data Analysis

Data Analysis Tools

Assess Evidence and Case

Evidence Assessment

Case Assessment

Processing Location Assessment

Best Practices to Assess the Evidence

Prepare the Final Report

Documentation in Each Phase

Gather and Organize Information

Writing the Investigation Report

Sample Report

Testifying as an Expert Witness

Expert Witness

Testifying in the Court Room

Closing the Case

Maintaining Professional Conduct

Investigating a Company Policy Violation

Computer Forensics Service Providers


Searching and Seizing Computers



Searching and Seizing Computers without a Warrant

Searching and Seizing Computers without a Warrant

§ A: Fourth Amendment’s “Reasonable Expectation of Privacy” in Cases Involving Computers: General Principles

§ A.1: Reasonable Expectation of Privacy in Computers as Storage Devices

§ A.3: Reasonable Expectation of Privacy and Third-Party Possession

§ A.4: Private Searches

§ A.5 Use of Technology to Obtain Information

§ B: Exceptions to the Warrant Requirement in Cases Involving Computers

§ B.1: Consent

§ B.1.a: Scope of Consent

§ B.1.b: Third-Party Consent

§ B.1.c: Implied Consent

§ B.2: Exigent Circumstances

§ B.3: Plain View

§ B.4: Search Incident to a Lawful Arrest

§ B.5: Inventory Searches

§ B.6: Border Searches

§ B.7: International Issues

§ C: Special Case: Workplace Searches

§ C.1: Private Sector Workplace Searches

§ C.2: Public-Sector Workplace Searches

Searching and Seizing Computers with a Warrant

Searching and Seizing Computers with a Warrant

A: Successful Search with a Warrant

A.1: Basic Strategies for Executing Computer Searches

§ A.1.a: When Hardware is itself Contraband, Evidence, or an Instrumentality or Fruit of Crime

§ A.1.b: When Hardware is Merely a Storage Device for Evidence of Crime

§ A.2: The Privacy Protection Act

§ A.2.a: The Terms of the Privacy Protection Act

§ A.2.b: Application of the PPA to Computer Searches and Seizures

§ A.3: Civil Liability Under the Electronic Communications Privacy Act (ECPA)

§ A.4: Considering the Need for Multiple Warrants in Network Searches

§ A.5: No-Knock Warrants

§ A.6: Sneak-and-Peek Warrants

§ A.7: Privileged Documents

§ B: Drafting the Warrant and Affidavit

§ B.1: Accurately and Particularly Describe the Property to be Seized in the Warrant and/or Attachments to the Warrant

§ B.1.a: Defending Computer Search Warrants Against Challenges Based on the Description of the “Things to Be Seized”

§ B.2: Establish Probable Cause in the Affidavit

§ B.3: In the Affidavit Supporting the Warrant, include an Explanation of the Search Strategy as Well as the Practical & Legal Considerations that Will Govern the Execution of the Search

§ C: Post-Seizure Issues

§ C.1: Searching Computers Already in Law Enforcement Custody

§ C.2: The Permissible Time Period for Examining Seized Computers

§ C.3: Rule 41(e) Motions for Return of Property

The Electronic Communications Privacy Act

The Electronic Communications Privacy Act

§ A. Providers of Electronic Communication Service vs. Remote Computing Service

§ B. Classifying Types of Information Held by Service Providers

§ C. Compelled Disclosure Under ECPA

§ D. Voluntary Disclosure

§ E. Working with Network Providers

Electronic Surveillance in Communications Networks

Electronic Surveillance in Communications Networks

A. Content vs. Addressing Information

B. The Pen/Trap Statute, 18 U.S.C. §§ 3121-3127

C. The Wiretap Statute (“Title III”), 18 U.S.C. §§ 2510-2522

§ C.1: Exceptions to Title III

§ D. Remedies For Violations of Title III and the Pen/Trap Statute



§ A. Authentication

§ B. Hearsay

§ C. Other Issues


Digital Evidence


Digital Data

Definition of Digital Evidence

Increasing Awareness of Digital Evidence

Challenging Aspects of Digital Evidence

The Role of Digital Evidence

Characteristics of Digital Evidence

Fragility of Digital Evidence

Anti-Digital Forensics (ADF)

Types of Digital Data

Types of Digital Data

Rules of Evidence

Rules of Evidence

Best Evidence Rule

Federal Rules of Evidence

International Organization on Computer Evidence (IOCE)

IOCE International Principles for Digital Evidence

Scientific Working Group on Digital Evidence (SWGDE)

SWGDE Standards for the Exchange of Digital Evidence

Electronic Devices: Types and Collecting Potential Evidence

Electronic Devices: Types and Collecting Potential Evidence

Digital Evidence Examination Process

Evidence Assessment

Evidence Assessment

Prepare for Evidence Acquisition

Evidence Acquisition

Preparation for Searches

Seizing the Evidence


Bit-Stream Copies

Write Protection

Evidence Acquisition

Evidence Acquisition from Crime Location

Acquiring Evidence from Storage Devices

Collecting Evidence

Collecting Evidence from RAM

Collecting Evidence from a Standalone Network Computer

Chain of Custody

Chain of Evidence Form

Evidence Preservation

Preserving Digital Evidence: Checklist

Preserving Removable Media

Handling Digital Evidence

Store and Archive

Digital Evidence Findings

Evidence Examination and Analysis

Evidence Examination

Physical Extraction

Logical Extraction

Analyze Host Data

Analyze Storage Media

Analyze Network Data

Analysis of Extracted Data

Timeframe Analysis

Data Hiding Analysis

Application and File Analysis

Ownership and Possession

Evidence Documentation and Reporting

Documenting the Evidence

Evidence Examiner Report

Final Report of Findings

Computer Evidence Worksheet

Hard Drive Evidence Worksheet

Removable Media Worksheet

Electronic Crime and Digital Evidence Consideration by Crime Category

Electronic Crime and Digital Evidence Consideration by Crime Category



First Responder



Electronic Evidence

First Responder

Roles of First Responder

Electronic Devices: Types and Collecting Potential Evidence

First Responder Toolkit

First Responder Toolkit

Creating a First Responder Toolkit

Evidence Collecting Tools and Equipment

First Response Basics

First Response Rule

Incident Response: Different Situations

First Response for System Administrators

First Response by Non-Laboratory Staff

First Response by Laboratory Forensics Staff

Securing and Evaluating Electronic Crime Scene

Securing and Evaluating Electronic Crime Scene: A Checklist

Securing the Crime Scene

Warrant for Search and Seizure

Planning the Search and Seizure

Initial Search of the Scene

Health and Safety Issues

Conducting Preliminary Interviews

Questions to Ask When Client Calls the Forensic Investigator


Sample of Consent Search Form

Witness Signatures

Conducting Preliminary Interviews

Conducting Initial Interviews

Witness Statement Checklist

Documenting Electronic Crime Scene

Documenting Electronic Crime Scene

Photographing the Scene

Sketching the Scene

Video Shooting the Crime Scene

Collecting and Preserving Electronic Evidence

Collecting and Preserving Electronic Evidence

Order of Volatility

Dealing with Powered On Computers

Dealing with Powered Off Computers

Dealing with Networked Computer

Dealing with Open Files and Startup Files

Operating System Shutdown Procedure

Computers and Servers

Preserving Electronic Evidence

Seizing Portable Computers

Switched On Portables

Collecting and Preserving Electronic Evidence

Packaging and Transporting Electronic Evidence

Evidence Bag Contents List

Packaging Electronic Evidence

Exhibit Numbering

Transporting Electronic Evidence

Handling and Transportation to the Forensics Laboratory

Storing Electronic Evidence

Chain of Custody

Simple Format of the Chain of Custody Document

Chain of Custody Forms

Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet

Reporting the Crime Scene

Reporting the Crime Scene

Note Taking Checklist

First Responder Common Mistakes


Computer Forensics Lab



Setting a Computer Forensics Lab

Computer Forensics Lab

Planning for a Forensics Lab

Budget Allocation for a Forensics Lab

Physical Location Needs of a Forensics Lab

Structural Design Considerations

Environmental Conditions

Electrical Needs

Communication Needs

Work Area of a Computer Forensics Lab

Ambience of a Forensics Lab

Ambience of a Forensics Lab: Ergonomics

Physical Security Recommendations

Fire-Suppression Systems

Evidence Locker Recommendations

Computer Forensic Investigator

Law Enforcement Officer

Lab Director

Forensics Lab Licensing Requisite

Features of the Laboratory Imaging System

Technical Specification of the Laboratory-Based Imaging System

Forensics Lab

Auditing a Computer Forensics Lab

Recommendations to Avoid Eyestrain

Investigative Services in Computer Forensics

Computer Forensics Investigative Services

Computer Forensic Investigative Service Sample

Computer Forensics Services: PenrodEllis Forensic Data Discovery

Data Destruction Industry Standards

Computer Forensics Services

Computer Forensics Hardware

Equipment Required in a Forensics Lab

Forensic Workstations

Basic Workstation Requirements in a Forensics Lab

Stocking the Hardware Peripherals

Paraben Forensics Hardware

Handheld First Responder Kit

Wireless StrongHold Bag

Wireless StrongHold Box

Passport StrongHold Bag

Device Seizure Toolbox



iRecovery Stick

Data Recovery Stick

Chat Stick

USB Serial DB9 Adapter

Mobile Field Kit

Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III laptop

Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower

Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller

Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II

Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon

Portable Forensic Systems and Towers: Ultimate Forensic Machine

Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES

Tableau T3u Forensic SATA Bridge Write Protection Kit

Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Media Reader

Tableau TACC 1441 Hardware Accelerator

Multiple TACC1441 Units

Tableau TD1 Forensic Duplicator

Power Supplies and Switches

Digital Intelligence Forensic Hardware

FRED SR (Dual Xeon)



Forensic Recovery of Evidence Data Center (FREDC)




UltraBay II

UltraBlock SCSI

Micro Forensic Recovery of Evidence Device (µFRED)

HardCopy 3P


Forensics DriveDock v4

Forensics UltraDock v4

Drive eRazer

v4 Combo Adapters




UFED System

UFED Physical Pro

UFED Ruggedized


Disk Imager Forensic Edition

3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor

InfinaDyne Forensic Products

Robotic Loader Extension for CD/DVD Inspector

Robotic System Status Light

Image MASSter

Solo-4 (Super Kit)

RoadMASSter- 3



Rapid Image 7020CS IT


Forensic MD5

Forensic Talon®

Portable Forensic Lab™


Forensic Quest-2®


RAID I/O Adapter™



Desktop WritePROtects

USB Adapter

CloneCard Pro


OmniClone IDE Laptop Adapters



HardCopy 3P


Computer Forensics Software

Basic Software Requirements in a Forensic Lab

Maintain Operating System and Application Inventories

Imaging Software

R-drive Image

P2 eXplorer Pro

AccuBurn-R for CD/DVD Inspector

Flash Retriever Forensic Edition

File Conversion Software




File Viewer Software

File Viewer

Quick View Plus 11 Standard Edition

Analysis Software

P2 Commander


SIM Card Seizure

CD/DVD Inspector

Video Indexer (Vindex™)

Monitoring Software

Device Seizure

Deployable P2 Commander (DP2C)


Email Detective

Computer Forensics Software


X-Ways Forensics

LiveWire Investigator


Understanding Hard Disks and File Systems



Hard Disk Drive Overview

Disk Drive Overview

Hard Disk Drive

Solid-State Drive (SSD)

Physical Structure of a Hard Disk

Logical Structure of Hard Disk

Types of Hard Disk Interfaces

Hard Disk Interfaces





Fibre Channel

Disk Platter


Track Numbering


Advanced Format: Sectors

Sector Addressing


Cluster Size

Changing the Cluster Size

Slack Space

Lost Clusters

Bad Sector

Hard Disk Data Addressing

Disk Capacity Calculation

Measuring the Performance of the Hard Disk

Disk Partitions and Boot Process

Disk Partitions

Master Boot Record

Structure of a Master Boot Record

What is the Booting Process?

Essential Windows System Files

Windows Boot Process

Macintosh Boot Process

Understanding File Systems

Understanding File Systems

Types of File Systems

List of Disk File Systems

List of Network File Systems

List of Special Purpose File Systems

List of Shared Disk File Systems

Popular Windows File Systems

File Allocation Table (FAT)

FAT File System Layout

FAT Partition Boot Sector

FAT Structure

FAT Folder Structure

Directory Entries and Cluster Chains

Filenames on FAT Volumes

Examining FAT


New Technology File System (NTFS)

NTFS Architecture

NTFS System Files

NTFS Partition Boot Sector

Cluster Sizes of NTFS Volume

NTFS Master File Table (MFT)

Metadata Files Stored in the MFT

NTFS Files and Data Storage

NTFS Attributes

NTFS Data Stream

NTFS Compressed Files

Setting the Compression State of a Volume

Encrypting File Systems (EFS)

Components of EFS

Operation of Encrypting File System

EFS Attribute

Encrypting a File

EFS Recovery Key Agent

Tool: Advanced EFS Data Recovery

Tool: EFS Key

Sparse Files

Deleting NTFS Files

Registry Data

Examining Registry Data


Popular Linux File Systems

Linux File System Architecture



Mac OS X File System

HFS vs. HFS Plus


HFS Plus

HFS Plus Volumes

HFS Plus Journal

Sun Solaris 10 File System: ZFS

CD-ROM / DVD File System


RAID Storage System

RAID Levels

Different RAID Levels

Comparing RAID Levels

Recover Data from Unallocated Space Using File Carving Process

File System Analysis Using The Sleuth Kit (TSK)

The Sleuth Kit (TSK)

The Sleuth Kit (TSK): fsstat

The Sleuth Kit (TSK): istat

The Sleuth Kit (TSK): fls and img_stat


Windows Forensics

Collecting Volatile Information

Volatile Information

System Time

Logged-on Users


Net Sessions Command

Logonsessions Tool

Open Files

Net File Command

PsFile Utility

OpenFiles Command

Network Information

Network Connections

Process Information

Process-to-Port Mapping

Process Memory

Network Status

Other Important Information

Collecting Non-volatile Information

Non-volatile Information

Examine File Systems

Registry Settings

Microsoft Security ID

Event Logs

Index.dat File

Devices and Other Information

Slack Space

Virtual Memory

Swap File

Windows Search Index

Collecting Hidden Partition Information

Hidden ADS Streams

Investigating ADS Streams: StreamArmor

Other Non-Volatile Information

Windows Memory Analysis

Memory Dump

EProcess Structure

Process Creation Mechanism

Parsing Memory Contents

Parsing Process Memory

Extracting the Process Image

Collecting Process Memory

Windows Registry Analysis

Inside the Registry

Registry Structure within a Hive File

The Registry as a Log File

Registry Analysis

System Information

TimeZone Information


Audit Policy

Wireless SSIDs

Autostart Locations

System Boot

User Login

User Activity

Enumerating Autostart Registry Locations

USB Removable Storage Devices

Mounted Devices

Finding Users

Tracking User Activity

The UserAssist Keys

MRU Lists

Search Assistant

Connecting to Other Systems

Analyzing Restore Point Registry Settings

Determining the Startup Locations

Cache, Cookie, and History Analysis

Cache, Cookie, and History Analysis in IE

Cache, Cookie, and History Analysis in Firefox

Cache, Cookie, and History Analysis in Chrome

Analysis Tools

IE Cookies View

IE Cache View

IE History Viewer







MD5 Calculation

Message Digest Function: MD5

Why MD5 Calculation?

MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles

MD5 Checksum Verifier


Windows File Analysis

Recycle Bin

System Restore Points (Rp.log Files)

System Restore Points (Change.log.x Files)

Prefetch Files

Shortcut Files

Word Documents

PDF Documents

Image Files

File Signature Analysis

NTFS Alternate Data Streams

Executable File Analysis

Documentation Before Analysis

Static Analysis Process

Search Strings

PE Header Analysis

Import Table Analysis

Export Table Analysis

Dynamic Analysis Process

Creating Test Environment

Collecting Information Using Tools

Process of Testing the Malware

Metadata Investigation


Types of Metadata

Metadata in Different File Systems

Metadata in PDF Files

Metadata in Word Documents

Tool: Metadata Analyzer

Text Based Logs

Understanding Events

Event Logon Types

Event Record Structure

Vista Event Logs

IIS Logs

Parsing IIS Logs

Parsing FTP Logs

FTP sc-status Codes

Parsing DHCP Server Logs

Parsing Windows Firewall Logs

Using the Microsoft Log Parser

Other Audit Events

Evaluating Account Management Events

Examining Audit Policy Change Events

Examining System Log Entries

Examining Application Log Entries

Forensic Analysis of Event Logs

Searching with Event Viewer

Using EnCase to Examine Windows Event Log Files

Windows Event Log Files Internals

Windows Password Issues

Understanding Windows Password Storage

Cracking Windows Passwords Stored on Running Systems

Exploring Windows Authentication Mechanisms

LanMan Authentication Process

NTLM Authentication Process

Kerberos Authentication Process

Sniffing and Cracking Windows Authentication Exchanges

Cracking Offline Passwords

Forensic Tools

Windows Forensics Tool: OS Forensics

Windows Forensics Tool: Helix3 Pro

Integrated Windows Forensics Software: X-Ways Forensics

X-Ways Trace

Windows Forensic Toolchest (WFT)

Built-in Tool: Sigverif

Computer Online Forensic Evidence Extractor (COFEE)

System Explorer

Tool: System Scanner

Secret Explorer

Registry Viewer Tool: Registry Viewer

Registry Viewer Tool: Reg Scanner

Registry Viewer Tool: Alien Registry Viewer



Process Explorer

Security Task Manager



Memory Viewer

Tool: PMDump

Word Extractor

Belkasoft Evidence Center

Belkasoft Browser Analyzer

Metadata Assistant


XpoLog Center Suite

LogViewer Pro

Event Log Explorer


ProDiscover Forensics


LiveWire Investigator




Data Acquisition and Duplication


Data Acquisition and Duplication Concepts

Data Acquisition

Forensic and Procedural Principles

Types of Data Acquisition Systems

Data Acquisition Formats

Bit Stream vs. Backups

Why to Create a Duplicate Image?

Issues with Data Duplication

Data Acquisition Methods

Determining the Best Acquisition Method

Contingency Planning for Image Acquisitions

Data Acquisition Mistakes

Data Acquisition Types

Rules of Thumb

Static Data Acquisition

Collecting Static Data

Static Data Collection Process

Live Data Acquisition

Why Volatile Data is Important?

Volatile Data

Order of Volatility

Common Mistakes in Volatile Data Collection

Volatile Data Collection Methodology

Basic Steps in Collecting Volatile Data

Types of Volatile Information

Disk Acquisition Tool Requirements

Disk Imaging Tool Requirements

Disk Imaging Tool Requirements: Mandatory

Disk Imaging Tool Requirements: Optional

Validation Methods

Validating Data Acquisitions

Linux Validation Methods

Windows Validation Methods

RAID Data Acquisition

Understanding RAID Disks

Acquiring RAID Disks

Remote Data Acquisition

Acquisition Best Practices

Acquisition Best Practices

Data Acquisition Software Tools

Acquiring Data on Windows

Acquiring Data on Linux

dd Command

dcfldd Command

Extracting the MBR

Netcat Command

EnCase Forensic

Analysis Software: DriveSpy

ProDiscover Forensics

AccessData FTK Imager

Mount Image Pro

Data Acquisition Toolbox



RAID Recovery for Windows

R-Tools R-Studio



LiveWire Investigator



X-Ways Forensics

R-drive Image



P2 eXplorer Pro

Flash Retriever Forensic Edition

Data Acquisition Hardware Tools


Image MASSter: Solo-4 (Super Kit)

Image MASSter: RoadMASSter- 3

Tableau TD1 Forensic Duplicator

Logicube: Forensic MD5

Logicube: Portable Forensic Lab™

Logicube: Forensic Talon®

Logicube: RAID I/O Adapter™

DeepSpar: Disk Imager Forensic Edition

Logicube: USB Adapter

Disk Jockey PRO

Logicube: Forensic Quest-2®

Logicube: CloneCard Pro

Logicube: EchoPlus

Paraben Forensics Hardware: Chat Stick

Image MASSter: Rapid Image 7020CS IT

Digital Intelligence Forensic Hardware: UltraKit

Digital Intelligence Forensic Hardware: UltraBay II

Digital Intelligence Forensic Hardware: UltraBlock SCSI

Digital Intelligence Forensic Hardware: HardCopy 3P

Wiebetech: Forensics DriveDock v4

Wiebetech: Forensics UltraDock v4

Image MASSter: WipeMASSter

Image MASSter: WipePRO

Portable Forensic Systems and Towers: Forensic Air-Lite V MK III

Forensic Tower IV Dual Xeon

Digital Intelligence Forensic Hardware: FREDDIE

DeepSpar: 3D Data Recovery

Phase 1 Tool: PC-3000 Drive Restoration System

Phase 2 Tool: DeepSpar Disk Imager

Phase 3 Tool: PC-3000 Data Extractor







Paraben Forensics Hardware


Mobile Field Kit

iRecovery Stick


UFED System

UFED Physical Pro



Recovering Deleted Files and Deleted Partitions



Recovering the Deleted Files

Deleting Files

What Happens When a File is Deleted in Windows?

Recycle Bin in Windows

Storage Locations of Recycle Bin in FAT and NTFS System

How the Recycle Bin Works

Damaged or Deleted INFO File

Damaged Files in Recycled Folder

Damaged Recycle Folder

File Recovery in MAC OS X

File Recovery in Linux

File Recovery Tools for Windows

Recover My Files

EASEUS Data Recovery Wizard

PC INSPECTOR File Recovery



Handy Recovery

Quick Recovery

Stellar Phoenix Windows Data Recovery

Tools to Recover Deleted Files

Total Recall

Advanced Disk Recovery

Windows Data Recovery Software


PC Tools File Recover

Data Rescue PC

Smart Undelete

FileRestore Professional

Deleted File Recovery Software

DDR Professional Recovery Software

Data Recovery Pro



Search and Recover

File Scavenger


Virtual Lab


Win Undelete


Recover4all Professional

eData Unerase

Active@ File Recovery


File Recovery Tools for MAC

MAC File Recovery

MAC Data Recovery

Boomerang Data Recovery Software


File Recovery Tools for MAC OS X


AppleXsoft File Recovery for MAC

Disk Doctors MAC Data Recovery

R-Studio for MAC

Data Rescue

Stellar Phoenix MAC Data Recovery


TechTool Pro

File Recovery Tools for Linux

R-Studio for Linux

Quick Recovery for Linux

Kernel for Linux Data Recovery

TestDisk for Linux

Recovering the Deleted Partitions

Disk Partition

Deletion of Partition

Recovery of the Deleted Partition

Partition Recovery Tools

Active@ Partition Recovery for Windows

Acronis Recovery Expert

DiskInternals Partition Recovery

NTFS Partition Data Recovery


EASEUS Partition Recovery

Advanced Disk Recovery

Power Data Recovery

Remo Recover (MAC) - Pro

MAC Data Recovery Software

Quick Recovery for Linux

Stellar Phoenix Linux Data Recovery Software

Tools to Recover Deleted Partitions

Handy Recovery

TestDisk for Windows

Stellar Phoenix Windows Data Recovery

ARAX Disk Doctor

Power Data Recovery

Quick Recovery for MAC

Partition Find & Mount

Advance Data Recovery Software Tools

TestDisk for MAC

Kernel for FAT and NTFS – Windows Disk Recovery

Disk Drill

Stellar Phoenix MAC Data Recovery

ZAR Windows Data Recovery

AppleXsoft File Recovery for MAC

Quick Recovery for FAT & NTFS

TestDisk for Linux

Forensics Investigation using Access Data FTK



Overview and Installation of FTK

Overview of Forensic Toolkit (FTK)

Features of FTK

Software Requirement

Configuration Option

Database Installation

FTK Application Installation

FTK Case Manager User Interface

Case Manager Window

Case Manager Database Menu

Setting Up Additional Users and Assigning Roles

Case Manager Case Menu

Assigning Users Shared Label Visibility

Case Manager Tools Menu

Recovering Processing Jobs

Restoring an Image to a Disk

Case Manager Manage Menu

Managing Carvers

Managing Custom Identifiers

FTK Examiner User Interface

FTK Examiner User Interface

Menu Bar: File Menu

Exporting Files

Exporting Case Data to a Custom Content Image

Exporting the Word List

Menu Bar: Edit Menu

Menu Bar: View Menu

Menu Bar: Evidence Menu

Menu Bar: Tools Menu

Verifying Drive Image Integrity

Mounting an Image to a Drive

File List View

Using Labels

Creating and Applying a Label

Starting with FTK

Creating a case

Selecting Detailed Options: Evidence Processing

Selecting Detailed Options: Fuzzy Hashing

Selecting Detailed Options: Data Carving

Selecting Detailed Options: Custom File Identification

Selecting Detailed Options: Evidence Refinement (Advanced)

Selecting Detailed Options: Index Refinement (Advanced)

FTK Interface Tabs

FTK Interface Tabs

Explore Tab

Overview Tab

Email Tab

Graphics Tab

Bookmarks Tab

Live Search Tabs

Volatile Tab

Adding and Processing Static, Live, and Remote Evidence

Adding Evidence to a Case

Evidence Groups

Acquiring Local Live Evidence

FTK Role Requirements For Remote Acquisition

Types of Remote Information

Acquiring Data Remotely Using Remote Device Management System (RDMS)

Imaging Drives

Mounting and Unmounting a Device

Using and Managing Filters

Accessing Filter Tools

Using Filters

Customizing Filters

Using Predefined Filters

Using Index Search and Live Search

Conducting an Index Search

Selecting Index Search Options

Viewing Index Search Results

Documenting Search Results

Conducting a Live Search: Live Text Search

Conducting a Live Search: Live Hex Search

Conducting a Live Search: Live Pattern Search

Decrypting EFS and other Encrypted Files

Decrypting EFS Files and Folders

Decrypting MS Office Files

Viewing Decrypted Files

Decrypting Domain Account EFS Files from Live Evidence

Decrypting Credant Files

Decrypting Safeboot Files

Working with Reports

Creating a Report

Entering Case Information

Managing Bookmarks in a Report

Managing Graphics in a Report

Selecting a File Path List

Adding a File Properties List

Making Registry Selections

Selecting the Report Output Options

Customizing the Formatting of Reports

Viewing and Distributing a Report

Forensics Investigation Using EnCase



Overview of EnCase Forensic

Overview of EnCase Forensic

EnCase Forensic Features

EnCase Forensic Platform

EnCase Forensic Modules

Installing EnCase Forensic

Minimum Requirements

Installing the Examiner

Installed Files

Installing the EnCase Modules

Configuring EnCase

Configuring EnCase: Case Options Tab

Configuring EnCase: Global Tab

Configuring EnCase: Debug Tab

Configuring EnCase: Colors Tab and Fonts Tab

Configuring EnCase: EnScript Tab and Storage Paths Tab

Sharing Configuration (INI) Files

EnCase Interface

Main EnCase Window

System Menu Bar


Panes Overview

Tree Pane

Table Pane

Table Pane: Table Tab

Table Pane: Report Tab

Table Pane: Gallery Tab

Table Pane: Timeline Tab

Table Pane: Disk Tab and Code Tab

View Pane

Filter Pane

Filter Pane Tabs

Creating a Filter

Creating Conditions

Status Bar

Case Management

Overview of Case Structure

Case Management

Indexing a Case

Case Backup

Options Dialog Box

Logon Wizard

New Case Wizard

Setting Time Zones for Case Files

Setting Time Zone Options for Evidence Files

Working with Evidence

Types of Entries

Adding a Device

Adding a Device using Tableau Write Blocker

Performing a Typical Acquisition

Acquiring a Device

Canceling an Acquisition

Acquiring a Handspring PDA

Delayed Loading of Internet Artifacts

Hashing the Subject Drive

Logical Evidence File (LEF)

Creating a Logical Evidence File

Recovering Folders on FAT Volumes

Restoring a Physical Drive

Source Processor

Source Processor

Starting to Work with Source Processor

Setting Case Options

Collection Jobs

Creating a Collection Job

Copying a Collection Job

Running a Collection Job

Analysis Jobs

Creating an Analysis Job

Running an Analysis Job

Creating a Report

Analyzing and Searching Files

Viewing the File Signature Directory

Performing a Signature Analysis

Hash Analysis

Hashing a New Case

Creating a Hash Set

Keyword Searches

Creating Global Keywords

Adding Keywords

Importing and Exporting Keywords

Searching Entries for Email and Internet Artifacts

Viewing Search Hits

Generating an Index

Tag Records

Viewing File Content

Viewing Files

Copying and Unerasing Files

Adding a File Viewer

Viewing File Content Using View Pane

Viewing Compound Files

Viewing Base64 and UUE Encoded Files

Bookmarking Items

Bookmarks Overview

Creating a Highlighted Data Bookmark

Creating a Note Bookmark

Creating a Folder Information/Structure Bookmark

Creating a Notable File Bookmark

Creating a File Group Bookmark

Creating a Log Record Bookmark

Creating a Snapshot Bookmark

Organizing Bookmarks

Copying/Moving a Table Entry into a Folder

Viewing a Bookmark on the Table Report Tab

Excluding Bookmarks

Copying Selected Items from One Folder to Another



Report User Interface

Creating a Report Using the Report Tab

Report Single/Multiple Files

Viewing a Bookmark Report

Viewing an Email Report

Viewing a Webmail Report

Viewing a Search Hits Report

Creating a Quick Entry Report

Creating an Additional Fields Report

Exporting a Report

Steganography and Image File Forensics




What is Steganography?

How Steganography Works

Legal Use of Steganography

Unethical Use of Steganography

Steganography Techniques

Steganography Techniques

Application of Steganography

Classification of Steganography

Technical Steganography

Linguistic Steganography

Types of Steganography

Image Steganography

Least Significant Bit Insertion

Masking and Filtering

Algorithms and Transformation
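Least Significant Bit insertion, the first image technique listed above, is simple enough to show end to end. The Python below is an added example for this page, not course material or a tool from the list: it embeds a payload in the LSBs of a flat list of 8-bit samples with a 32-bit length prefix, extracts it again, and checks the property that makes LSB insertion visually invisible (no sample changes by more than one). The cover is a seeded pseudo-random sample array standing in for raw pixel channels; the payload is invented.

```python
import random


def _bits(data):
    """Most-significant-bit-first bit stream over a byte string."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(samples, payload):
    """Replace the LSB of consecutive samples with the payload bits.
    A 32-bit big-endian length prefix tells the extractor where to stop."""
    framed = len(payload).to_bytes(4, "big") + payload
    if len(framed) * 8 > len(samples):
        raise ValueError(f"cover too small: need {len(framed) * 8} samples, have {len(samples)}")
    stego = list(samples)
    for i, bit in enumerate(_bits(framed)):
        stego[i] = (stego[i] & 0xFE) | bit
    return stego


def extract_lsb(samples):
    def read(start, nbytes):
        out = bytearray()
        for b in range(nbytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (samples[start + b * 8 + i] & 1)
            out.append(byte)
        return bytes(out)

    if len(samples) < 32:
        raise ValueError("cover too small to hold a length prefix")
    length = int.from_bytes(read(0, 4), "big")
    if 32 + length * 8 > len(samples):
        # A clean cover usually fails here: its first 32 LSBs decode to a
        # length larger than the image, a cheap first steganalysis check.
        raise ValueError("length prefix exceeds cover: no valid LSB payload")
    return read(32, length)


def capacity_bytes(samples):
    """Payload bytes that fit once the 4-byte length prefix is accounted for."""
    return max(0, len(samples) // 8 - 4)


def max_sample_delta(cover, stego):
    """LSB insertion changes each carrier sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


def make_cover(n=2048, seed=1):
    """Constructed stand-in for one channel of a raster image."""
    rng = random.Random(seed)
    return [rng.randrange(256) for _ in range(n)]


if __name__ == "__main__":
    cover = make_cover()
    stego = embed_lsb(cover, b"meet at the usual place 0600")
    print(extract_lsb(stego), max_sample_delta(cover, stego))
```

Real tools operate on decoded pixel data (and, for JPEG, on quantised DCT coefficients rather than pixels); the bit-level logic is the same as shown.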

Image Steganography: Hermetic Stego

Steganography Tool: S-Tools

Image Steganography Tools

Audio Steganography

Audio Steganography Methods

Audio Steganography: Mp3stegz

Audio Steganography Tools

MAXA Security Tools

Stealth Files






CHAOS Universal

Video Steganography

Video Steganography: MSU StegoVideo

Video Steganography Tools


Max File Encryption

Xiao Steganography

RT Steganography

Our Secret

BDV DataHider

CHAOS Universal

OmniHide PRO

Document Steganography: wbStego

Byte Shelter I

Document Steganography Tools

Merge Streams

Office XML


Data Stash


Xidie Security Suite



Whitespace Steganography Tool: SNOW

Folder Steganography: Invisible Secrets 4

Folder Steganography Tools



Max Folder Secure

WinMend Folder Hidden

PSM Encryptor


Universal Shield

Hide My Files

Spam/Email Steganography: Spam Mimic

Steganographic File System

Issues in Information Hiding



How to Detect Steganography

Detecting Text, Image, Audio, and Video Steganography

Steganalysis Methods/Attacks on Steganography

Disabling or Active Attacks

Steganography Detection Tool: Stegdetect

Steganography Detection Tools


Stego Watch




Gargoyle Investigator™ Forensic Pro



Image Files

Image Files

Common Terminologies

Understanding Vector Images

Understanding Raster Images

Metafile Graphics

Understanding Image File Formats

GIF (Graphics Interchange Format)

JPEG (Joint Photographic Experts Group)

JPEG File Structure

JPEG 2000

BMP (Bitmap) File

BMP File Structure

PNG (Portable Network Graphics)

PNG File Structure

TIFF (Tagged Image File Format)

TIFF File Structure

Data Compression

Understanding Data Compression

How Does File Compression Work?

Lossless Compression

Huffman Coding Algorithm

Lempel-Ziv Coding Algorithm

Lossy Compression

Vector Quantization

Locating and Recovering Image Files

Best Practices for Forensic Image Analysis

Forensic Image Processing Using MATLAB

Locating and Recovering Image Files

Analyzing Image File Headers

Repairing Damaged Headers

Reconstructing File Fragments

Identifying Unknown File Formats

Identifying Image File Fragments

Identifying Copyright Issues on Graphics

Picture Viewer: IrfanView

Picture Viewer: ACDSee Photo Manager 12

Picture Viewer: Thumbsplus

Picture Viewer: AD Picture Viewer Lite

Picture Viewer Max

Picture Viewer: FastStone Image Viewer

Picture Viewer: XnView

Faces – Sketch Software

Digital Camera Data Discovery Software: File Hound

Image File Forensics Tools

Hex Workshop

GFE Stealth™ - Forensics Graphics File Extractor


Adroit Photo Forensics 2011

Digital Photo Recovery

Stellar Phoenix Photo Recovery Software

Zero Assumption Recovery (ZAR)

Photo Recovery Software

Forensic Image Viewer

File Finder

DiskGetor Data Recovery

DERescue Data Recovery Master

Recover My Files

Universal Viewer

Application Password Crackers



Password Cracking Concepts

Password - Terminology

Password Types

Password Cracker

How Does a Password Cracker Work?

How Hash Passwords are Stored in Windows SAM

Types of Password Attacks

Password Cracking Techniques

Types of Password Attacks

Passive Online Attacks: Wire Sniffing

Password Sniffing

Passive Online Attack: Man-in-the-Middle and Replay Attack

Active Online Attack: Password Guessing

Active Online Attack: Trojan/Spyware/Keylogger

Active Online Attack: Hash Injection Attack

Rainbow Attacks: Pre-Computed Hash

Distributed Network Attack

Elcomsoft Distributed Password Recovery

Non-Electronic Attacks

Manual Password Cracking (Guessing)

Automatic Password Cracking Algorithm

Time Needed to Crack Passwords

Classification of Cracking Software

Systems Software vs. Applications Software

System Software Password Cracking

Bypassing BIOS Passwords

Using Manufacturer’s Backdoor Password to Access the BIOS

Using Password Cracking Software


Resetting the CMOS using the Jumpers or Solder Beads

Removing CMOS Battery

Overloading the Keyboard Buffer and Using a Professional Service

Tool to Reset Admin Password: Active@ Password Changer

Tool to Reset Admin Password: Windows Key

Application Software Password Cracking

Passware Kit Forensic

Accent Keyword Extractor

Distributed Network Attack

Password Recovery Bundle

Advanced Office Password Recovery

Office Password Recovery

Office Password Recovery Toolbox

Office Multi-document Password Cracker

Word Password Recovery Master

Accent WORD Password Recovery

Word Password

PowerPoint Password Recovery

PowerPoint Password

Powerpoint Key

Stellar Phoenix Powerpoint Password Recovery

Excel Password Recovery Master

Accent EXCEL Password Recovery

Excel Password

Advanced PDF Password Recovery

PDF Password Cracker

PDF Password Cracker Pro

Atomic PDF Password Recovery

PDF Password

Recover PDF Password

Appnimi PDF Password Recovery

Advanced Archive Password Recovery

KRyLack Archive Password Recovery

Zip Password

Atomic ZIP Password Recovery

RAR Password Unlocker

Default Passwords

Password Cracking Tools



Cain & Abel


Windows Password Unlocker

Windows Password Breaker


PWdump7 and Fgdump



Recover Keys

Windows Password Cracker

Proactive System Password Recovery

Password Unlocker Bundle

Windows Password Reset Professional

Windows Password Reset Standard


Password Kit


Passware Kit Enterprise

Mail PassView

Messenger Key


Protected Storage PassView

Network Password Recovery

Asterisk Key

IE PassView

Log Capturing and Event Correlation


Computer Security Logs

Computer Security Logs

Operating System Logs

Application Logs

Security Software Logs

Router Log Files

Honeypot Logs

Linux Process Accounting

Logon Events in Windows

Windows Log File

Configuring Windows Logging

Analyzing Windows Logs

Windows Log File: System Logs

Windows Log File: Application Logs

Logon Events that appear in the Security Event Log

IIS Logs

IIS Log File Format

Maintaining Credible IIS Log Files

Log File Accuracy

Log Everything

Keeping Time

UTC Time

View the DHCP Logs

Sample DHCP Audit Log File

ODBC Logging

Logs and Legal Issues

Legality of Using Logs

Records of Regularly Conducted Activity as Evidence

Laws and Regulations

Log Management

Log Management

Functions of Log Management

Challenges in Log Management

Meeting the Challenges in Log Management

Centralized Logging and Syslogs

Centralized Logging

Centralized Logging Architecture

Steps to Implement Central Logging


Syslog in Unix-Like Systems

Steps to Set Up a Syslog Server for Unix Systems

Advantages of Centralized Syslog Server

IIS Centralized Binary Logging

Time Synchronization

Why Synchronize Computer Times?

What is NTP?

NTP Stratum Levels

NIST Time Servers

Configuring Time Server in Windows Server

Event Correlation

Event Correlation

Types of Event Correlation

Prerequisites for Event Correlation

Event Correlation Approaches
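Rule-based, time-windowed correlation is the approach most of the tools listed below implement first, and it is small enough to show in full. The Python below is an added example for this page, not course material or any listed product: it runs a sliding window over constructed sshd lines and raises one alert when a source reaches N failures inside the window and a higher-severity alert when that same source then succeeds. The sample log is invented and uses RFC 5424-style UTC timestamps on the assumption that the collector has already normalised time, which is exactly why the preceding Time Synchronization topic matters: with unsynchronised clocks the window test is meaningless.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (documentation address ranges), already in UTC.
SAMPLE_LOG = """\
2024-03-02T10:15:01Z bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2024-03-02T10:15:03Z bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-02T10:15:04Z bastion sshd[4030]: Failed password for alice from 198.51.100.23 port 40110 ssh2
2024-03-02T10:15:06Z bastion sshd[4021]: Failed password for alice from 203.0.113.7 port 51024 ssh2
2024-03-02T10:15:09Z bastion sshd[4041]: Accepted password for alice from 203.0.113.7 port 51025 ssh2
2024-03-02T10:16:00Z bastion sshd[4050]: Accepted publickey for bob from 198.51.100.23 port 40111 ssh2
2024-03-02T10:30:00Z bastion sshd[4100]: Failed password for root from 192.0.2.9 port 6000 ssh2
2024-03-02T10:40:00Z bastion sshd[4101]: Failed password for root from 192.0.2.9 port 6001 ssh2
2024-03-02T10:50:00Z bastion sshd[4102]: Failed password for root from 192.0.2.9 port 6002 ssh2
2024-03-02T10:50:01Z bastion CRON[4110]: pam_unix(cron:session): session opened for user root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_line(line):
    """Normalise one sshd auth line to a dict, or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def correlate(lines, threshold=3, window_s=60):
    """Sliding-window rule: `threshold` failures from one source within
    `window_s` seconds -> threshold alert; a success from that source while
    the window is still full -> brute_force_success alert."""
    failures = defaultdict(deque)          # source ip -> recent failure times
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                        # other rules would consume these
        q = failures[ev["ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()                     # expire failures outside the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == threshold:         # fire once per burst, not per line
                alerts.append({"rule": "brute_force_threshold", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
        else:
            if len(q) >= threshold:
                alerts.append({"rule": "brute_force_success", "ip": ev["ip"],
                               "user": ev["user"], "failures": len(q), "at": ev["ts"]})
            q.clear()                       # a success ends the sequence
    return alerts


def demo():
    return correlate(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The three failures from 192.0.2.9 spaced ten minutes apart never alert, which is the point of the window: it separates a patient low-and-slow probe (a job for longer-horizon statistical correlation) from a burst attack.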

Log Capturing and Analysis Tools

GFI EventsManager

Activeworx Security Center

EventLog Analyzer

Syslog-ng OSE

Kiwi Syslog Server


Firewall Analyzer: Log Analysis Tool

Activeworx Log Center


Kiwi Log Viewer

Event Log Explorer

WebLog Expert

XpoLog Center Suite

ELM Event Log Monitor



LogViewer Pro

WinAgents EventLog Translation Service

EventTracker Enterprise

Corner Bowl Log Manager

Ascella Log Monitor Plus

FLAG - Forensic and Log Analysis GUI

Simple Event Correlator (SEC)


Network Forensics Investigating Logs and Investigating Network Traffic



Network Forensics

Network Forensics

Network Forensics Analysis Mechanism

Network Addressing Schemes

Overview of Network Protocols

Overview of Physical and Data-Link Layer of the OSI Model

Overview of Network and Transport Layer of the OSI Model

OSI Reference Model

TCP/IP Protocol

Intrusion Detection Systems (IDS) and Their Placement

How IDS Works

Types of Intrusion Detection Systems

General Indications of Intrusions



Network Attacks

Network Vulnerabilities

Types of Network Attacks

IP Address Spoofing

Man-in-the-Middle Attack

Packet Sniffing

How a Sniffer Works


Denial of Service Attack

Session Sniffing

Buffer Overflow

Trojan Horse

Log Injection Attacks

New Line Injection Attack

New Line Injection Attack Countermeasure

Separator Injection Attack

Defending Separator Injection Attacks

Timestamp Injection Attack

Defending Timestamp Injection Attacks

Word Wrap Abuse Attack

Defending Word Wrap Abuse Attacks

HTML Injection Attack

Defending HTML Injection Attacks

Terminal Injection Attack

Defending Terminal Injection Attacks
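New line, separator, timestamp and terminal injection all exploit the same weakness: attacker-controlled text is written into a log record without encoding. The Python below is an added example for this page, not course material: a vulnerable logger beside a hardened one that encodes every C0 control character (which covers CR, LF, tab-style separators and the ESC that starts terminal escape sequences), DEL, and the backslash itself, so that one event is always one line and the original value can be recovered. The forged "login succeeded" line is a constructed attacker input. HTML injection is different: it must be handled by HTML-escaping at the viewer, not by the writer, since the log text itself is not HTML.

```python
import re

# C0 controls (0x00-0x1F), DEL (0x7F) and backslash are encoded as \xNN.
# Escaping the backslash too makes the encoding unambiguous and reversible.
_UNSAFE = re.compile(r"[\x00-\x1f\x7f\\]")
_ESCAPED = re.compile(r"\\x([0-9a-f]{2})")


def sanitize(value):
    """Encode a field so it cannot break record boundaries or drive a terminal."""
    return _UNSAFE.sub(lambda m: "\\x%02x" % ord(m.group()), str(value))


def unsanitize(value):
    """Recover the original field from an encoded record."""
    return _ESCAPED.sub(lambda m: chr(int(m.group(1), 16)), value)


def naive_log_line(user):
    """Vulnerable: attacker-controlled text is concatenated verbatim."""
    return f"login failed for user={user}"


def safe_log_line(user):
    """Hardened: same message, field encoded before it is written."""
    return f"login failed for user={sanitize(user)}"


def count_records(log_text):
    """What a log viewer or SIEM sees: one record per line."""
    return len(log_text.splitlines())


def demo():
    # Constructed attacker input: a username carrying a forged second event.
    evil = "bob\nlogin succeeded for user=admin"
    return {
        "naive": naive_log_line(evil),
        "naive_records": count_records(naive_log_line(evil)),
        "safe": safe_log_line(evil),
        "safe_records": count_records(safe_log_line(evil)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, repr(v))
```

The same encoder defeats timestamp injection when the timestamp is written by the logger rather than copied from the request: the forged "second event" now sits, visibly escaped, inside the user field of the real one.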

Investigating and Analyzing Logs

Postmortem and Real-Time Analysis

Where to Look for Evidence

Log Capturing Tool: ManageEngine EventLog Analyzer

Log Capturing Tool: ManageEngine Firewall Analyzer

Log Capturing Tool: GFI EventsManager

Log Capturing Tool: Kiwi Syslog Server

Handling Logs as Evidence

Log File Authenticity

Use Signatures, Encryption, and Checksums

Work with Copies

Ensure System’s Integrity

Access Control

Chain of Custody

Condensing Log File

Investigating Network Traffic

Why Investigate Network Traffic?

Evidence Gathering via Sniffing

Capturing Live Data Packets Using Wireshark

Display Filters in Wireshark

Additional Wireshark Filters

Acquiring Traffic Using DNS Poisoning Techniques

Intranet DNS Spoofing (Local Network)

Intranet DNS Spoofing (Remote Network)

Proxy Server DNS Poisoning

DNS Cache Poisoning

Evidence Gathering from ARP Table

Evidence Gathering at the Data-Link Layer: DHCP Database

Gathering Evidence by IDS

Traffic Capturing and Analysis Tools



Intrusion Detection Tool: Snort

How Snort Works

IDS Policy Manager

MaaTec Network Analyzer

Iris Network Traffic Analyzer

NetWitness Investigator

Colasoft Capsa Network Analyzer

Sniff-O-Matic


Network Probe

NetFlow Analyzer

OmniPeek Network Analyzer

Firewall Evasion Tool: Traffic IQ Professional




SoftPerfect Network Protocol Analyzer

EffeTech HTTP Sniffer


EtherDetect Packet Sniffer



AnalogX Packetmon

IEInspector HTTP Analyzer


Distinct Network Monitor

Give Me Too


Show Traffic


Documenting the Evidence Gathered on a Network

Investigating Wireless Attacks


Wireless Technologies

Wireless Networks

Wireless Terminologies

Wireless Components

Types of Wireless Networks

Wireless Standards

MAC Filtering

Service Set Identifier (SSID)

Types of Wireless Encryption: WEP

Types of Wireless Encryption: WPA

Types of Wireless Encryption: WPA2

WEP vs. WPA vs. WPA2

Wireless Attacks

Wi-Fi Chalking

Wi-Fi Chalking Symbols

Access Control Attacks

Integrity Attacks

Confidentiality Attacks

Availability Attacks

Authentication Attacks

Investigating Wireless Attacks

Key Points to Remember

Steps for Investigation

Obtain a Search Warrant

Identify Wireless Devices at Crime Scene

Search for Additional Devices

Detect Rogue Access Point

Document the Scene and Maintain a Chain of Custody

Detect the Wireless Connections

Methodologies to Detect Wireless Connections

Wi-Fi Discovery Tool: inSSIDer

GPS Mapping

GPS Mapping Tool: WIGLE

GPS Mapping Tool: Skyhook

How to Discover Wi-Fi Networks Using Wardriving

Check for MAC Filtering

Changing the MAC Address

Detect WAPs using the Nessus Vulnerability Scanner

Capturing Wireless Traffic

Sniffing Tool: Wireshark

Follow TCP Stream in Wireshark

Display Filters in Wireshark

Additional Wireshark Filters

Determine Wireless Field Strength

Determine Wireless Field Strength: FSM

Determine Wireless Field Strength: ZAP Checker Products

What is Spectrum Analysis?

Map Wireless Zones & Hotspots

Connect to Wireless Network

Connect to the Wireless Access Point

Access Point Data Acquisition and Analysis: Attached Devices

Access Point Data Acquisition and Analysis: LAN TCP/IP Setup

Access Point Data Acquisition and Analysis

Firewall Analyzer

Firewall Log Analyzer

Wireless Devices Data Acquisition and Analysis

Report Generation

Features of a Good Wireless Forensics Tool

Wireless Forensics Tools

Wi-Fi Discovery Tools

AirPort Signal

WiFi Hopper




Meraki WiFi Stumbler


AirCheck Wi-Fi Tester

AirRadar 2

Wi-Fi Packet Sniffers


CommView for Wi-Fi

Wi-Fi USB Dongle: AirPcap



Aircrack-ng Suite

AirMagnet WiFi Analyzer

Wardriving Tools

RF Monitoring Tools

Wi-Fi Connection Manager Tools

Aironet Wireless LAN



Avanquest Connection Manager

Intel PROSet

Odyssey Access Client


QuickLink Mobile

Wi-Fi Traffic Analyzer Tools

AirMagnet WiFi Analyzer

Cascade Pilot Personal Edition

OptiView® XG Network Analysis Tablet

Network Packet Analyzer

Network Observer

Ufasoft Snif

CommView for WiFi

Network Assistant

Wi-Fi Raw Packet Capturing Tools


Pirni Sniffer



Wi-Fi Spectrum Analyzing Tools

Cisco Spectrum Expert




Investigating Web Attacks



Introduction to Web Applications and Webservers

Introduction to Web Applications

Web Application Components

How Web Applications Work

Web Application Architecture

Open Source Webserver Architecture

Indications of a Web Attack

Web Attack Vectors

Why Web Servers are Compromised

Impact of Webserver Attacks

Website Defacement

Case Study

Web Logs

Overview of Web Logs

Application Logs

Internet Information Services (IIS) Logs

IIS Webserver Architecture

IIS Log File Format

Apache Webserver Logs

DHCP Server Logs

Web Attacks

Web Attacks - 1

Web Attacks - 2

Unvalidated Input

Parameter/Form Tampering

Directory Traversal

Security Misconfiguration

Injection Flaws

SQL Injection Attacks

Command Injection Attacks

Command Injection Example

File Injection Attack

What is LDAP Injection?

How LDAP Injection Works

Hidden Field Manipulation Attack

Cross-Site Scripting (XSS) Attacks

How XSS Attacks Work

Cross-Site Request Forgery (CSRF) Attack

How CSRF Attacks Work

Web Application Denial-of-Service (DoS) Attack

Denial of Service (DoS) Examples

Buffer Overflow Attacks

Cookie/Session Poisoning

How Cookie Poisoning Works

Session Fixation Attack

Insufficient Transport Layer Protection

Improper Error Handling

Insecure Cryptographic Storage

Broken Authentication and Session Management

Unvalidated Redirects and Forwards

DMZ Protocol Attack / Zero-Day Attack

Log Tampering

URL Interpretation and Impersonation Attack

Web Services Attack

Web Services Footprinting Attack

Web Services XML Poisoning

Webserver Misconfiguration

HTTP Response Splitting Attack

Web Cache Poisoning Attack

HTTP Response Hijacking

SSH Bruteforce Attack

Man-in-the-Middle Attack

Defacement Using DNS Compromise

Web Attack Investigation

Investigating Web Attacks

Investigating Web Attacks in Windows-Based Servers

Investigating IIS Logs

Investigating Apache Logs

Example of FTP Compromise

Investigating FTP Servers

Investigating Static and Dynamic IP Addresses

Sample DHCP Audit Log File

Investigating Cross-Site Scripting (XSS)

Investigating SQL Injection Attacks

Pen-Testing CSRF Validation Fields

Investigating Code Injection Attack

Investigating Cookie Poisoning Attack

Detecting Buffer Overflow

Investigating Authentication Hijacking

Web Page Defacement

Investigating DNS Poisoning

Intrusion Detection

Security Strategies to Web Applications

Checklist for Web Security

Web Attack Detection Tools

Web Application Security Tools

Acunetix Web Vulnerability Scanner

Falcove Web Vulnerability Scanner


N-Stalker Web Application Security Scanner





SecuBat Vulnerability Scanner




Web Application Firewalls


IBM AppScan

ServerDefender VP

Web Log Viewers

Deep Log Analyzer

WebLog Expert

AlterWind Log Analyzer


eWebLog Analyzer

Apache Logs Viewer (ALV)

Web Attack Investigation Tools


Paros Proxy


Tools for Locating IP Address

Whois Lookup






Hide Real IP

IP - Address Manager

Pandora FMS

Tracking Emails and Investigating Email Crimes


Email System Basics

Email Terminology

Email System

Email Clients

Email Server

SMTP Server

POP3 and IMAP Servers

Email Message

Importance of Electronic Records Management

Email Crimes

Email Crime

Email Spamming

Mail Bombing/Mail Storm


Email Spoofing

Crime via Chat Room

Identity Fraud/Chain Letter

Email Headers

Examples of Email Headers

List of Common Headers

Steps to Investigate

Why to Investigate Emails

Investigating Email Crime and Violation

Obtain a Search Warrant and Seize the Computer and Email Account

Obtain a Bit-by-Bit Image of Email Information

Examine Email Headers

Viewing Email Headers in Microsoft Outlook

Viewing Email Headers in AOL

Viewing Email Headers in Hotmail

Viewing Email Headers in Gmail

Viewing Headers in Yahoo Mail

Forging Headers

Analyzing Email Headers

Email Header Fields

Received: Headers

Microsoft Outlook Mail

Examining Additional Files (.pst or .ost files)

Checking the Email Validity

Examine the Originating IP Address

Trace Email Origin

Tracing Back

Tracing Back Web-based Email
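The "Received: Headers", "Examine the Originating IP Address" and "Trace Email Origin" steps come down to reading the Received: chain bottom-up. The Python below is an added example for this page, not course material or any tool listed later: it parses a constructed message with the standard library, walks the hops from origin to destination, reports the originating IP and the relay that first accepted the message, and applies two forgery checks (each hop's "by" host should be the next hop's "from" host, and timestamps should not go backwards). The hostnames and addresses are from the documentation ranges and are invented. Only the Received: line added by your own trusted MTA, the topmost one, is guaranteed; every line below it was supplied by the sender's side and can be forged, which is what the consistency checks are for.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed message: From: claims example.com, but the mail entered the
# chain at relay.example.net from 203.0.113.77.
SAMPLE_MESSAGE = (
    "Received: from mx1.example.org (mx1.example.org [192.0.2.10])\n"
    "\tby mail.example.com (Postfix) with ESMTPS id 7A1B2C\n"
    "\tfor <victim@example.com>; Tue, 05 Mar 2024 08:14:22 +0000\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.5])\n"
    "\tby mx1.example.org with ESMTP id q8Hx; Tue, 05 Mar 2024 08:14:20 +0000\n"
    "Received: from [203.0.113.77] (unknown [203.0.113.77])\n"
    "\tby relay.example.net (Postfix) with ESMTPA id 4F; Tue, 05 Mar 2024 08:14:17 +0000\n"
    "From: \"Payroll\" <payroll@example.com>\n"
    "To: victim@example.com\n"
    "Subject: Urgent: update your bank details\n"
    "Message-ID: <a1b2c3@mail.example.net>\n"
    "Date: Tue, 05 Mar 2024 08:14:15 +0000\n"
    "\n"
    "Please see attached.\n"
)

_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received: value into from-host, bracketed IP, by-host, time."""
    value = " ".join(value.split())              # unfold continuation lines
    from_part, _, by_part = value.partition(" by ")
    m = re.match(r"from\s+(\S+)", from_part)
    ip = _IP.search(from_part)
    date_str = value.rsplit(";", 1)[1].strip() if ";" in value else None
    return {
        "from": m.group(1) if m else None,
        "ip": ip.group(1) if ip else None,
        "by": by_part.split(" ", 1)[0] if by_part else None,
        "time": parsedate_to_datetime(date_str) if date_str else None,
    }


def trace(message_text):
    msg = message_from_string(message_text)
    # Each relay prepends its line, so the header order is newest first;
    # reverse it to walk from the origin towards the recipient.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    chain_ok = all(hops[i]["by"] == hops[i + 1]["from"] for i in range(len(hops) - 1))
    times = [h["time"] for h in hops if h["time"]]
    monotonic = all(a <= b for a, b in zip(times, times[1:]))
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    entry_relay = hops[0]["by"] if hops else None
    return {
        "hops": hops,
        "originating_ip": hops[0]["ip"] if hops else None,
        "entry_relay": entry_relay,
        "chain_consistent": chain_ok,          # a break suggests inserted Received lines
        "timestamps_monotonic": monotonic,     # allow small skew in real cases
        "from_domain": from_domain,
        # Indicator only: legitimate bulk senders also fail this check.
        "entry_relay_matches_from": bool(entry_relay) and entry_relay.endswith(from_domain),
    }


if __name__ == "__main__":
    result = trace(SAMPLE_MESSAGE)
    for hop in result["hops"]:
        print(hop)
    print(result["originating_ip"], result["entry_relay"], result["entry_relay_matches_from"])
```

For web-based mail the first hop usually carries the provider's web front end as the "from" host and the user's address in a provider-specific header (X-Originating-IP or similar), so the originating IP has to be read from that header rather than from the bracketed address parsed here.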

Acquire Email Archives

Email Archives

Content of Email Archives

Local Archive

Server Storage Archive

Forensic Acquisition of Email Archive

Recover Deleted Emails

Deleted Email Recovery

Email Forensics Tools

Stellar Phoenix Deleted Email Recovery

Recover My Email

Outlook Express Recovery


Quick Recovery for MS Outlook

Email Detective

Email Trace - Email Tracking




Forensic Tool Kit (FTK)

Paraben’s email Examiner

Network Email Examiner by Paraben

DiskInternal’s Outlook Express Repair


MailDetective Tool

Laws and Acts against Email Crimes

U.S. Laws Against Email Crime: CAN-SPAM Act

18 U.S.C. § 2252A

18 U.S.C. § 2252B

Email Crime Law in Washington: RCW 19.190.020

Mobile Forensics



Mobile Phone

Mobile Phone

Different Mobile Devices

Hardware Characteristics of Mobile Devices

Software Characteristics of Mobile Devices

Components of Cellular Network

Cellular Network

Different Cellular Networks

Mobile Operating Systems

Mobile Operating Systems

Types of Mobile Operating Systems


WebOS System Architecture

Symbian OS

Symbian OS Architecture

Android OS

Android OS Architecture

RIM BlackBerry OS

Windows Phone 7

Windows Phone 7 Architecture

Apple iOS

Mobile Forensics

What Can a Criminal Do with Mobile Phones?

Mobile Forensics

Mobile Forensics Challenges

Forensics Information in Mobile Phones

Memory Considerations in Mobiles

Subscriber Identity Module (SIM)

SIM File System

Integrated Circuit Card Identification (ICCID)

International Mobile Equipment Identifier (IMEI)

Electronic Serial Number (ESN)

Precautions to be Taken Before Investigation

Mobile Forensic Process

Mobile Forensic Process

Collect the Evidence

Collecting the Evidence

Points to Remember while Collecting the Evidence

Collecting iPod/iPhone Connected with Computer

Document the Scene and Preserve the Evidence

Imaging and Profiling

Acquire the Information

Device Identification

Acquire Data from SIM Cards

Acquire Data from Unobstructed Mobile Devices

Acquire Data from Obstructed Mobile Devices

Acquire Data from Memory Cards

Acquire Data from Synched Devices

Gather Data from Network Operator

Check Call Data Records (CDRs)

Gather Data from SQLite Record

Analyze the Information

Generate Report

Mobile Forensics Software Tools

Oxygen Forensic Suite 2011

MOBILedit! Forensic


SIM Analyzer


SIM Card Data Recovery

Memory Card Data Recovery

Device Seizure

SIM Card Seizure

ART (Automatic Reporting Tool)

iPod Data Recovery Software

Recover My iPod


Elcomsoft Blackberry Backup Explorer

Oxygen Phone Manager II

Sanmaxi SIM Recoverer



Stellar Phoenix iPod Recovery Software

iCare Data Recovery Software

Cell Phone Analyzer


BlackBerry Database Viewer Plus

BlackBerry Signing Authority Tool

Mobile Forensics Hardware Tools

Secure View Kit

Deployable Device Seizure (DDS)

Paraben's Mobile Field Kit


XACT System

Logicube CellDEK

Logicube CellDEK TEK

RadioTactics ACESO

UME-36Pro - Universal Memory Exchanger

Cellebrite UFED System - Universal Forensic Extraction Device


ICD 5200

ICD 1300

Investigative Reports



Computer Forensics Report

Computer Forensics Report

Salient Features of a Good Report

Aspects of a Good Report

Computer Forensics Report Template

Computer Forensics Report Template

Simple Format of the Chain of Custody Document

Chain of Custody Forms

Evidence Collection Form

Computer Evidence Worksheet

Hard Drive Evidence Worksheet

Removable Media Worksheet

Investigative Report Writing

Report Classification

Layout of an Investigative Report

Layout of an Investigative Report: Numbering

Report Specifications

Guidelines for Writing a Report

Use of Supporting Material

Importance of Consistency

Investigative Report Format

Attachments and Appendices

Include Metadata

Signature Analysis

Investigation Procedures

Collecting Physical and Demonstrative Evidence

Collecting Testimonial Evidence

Do's and Don'ts of Computer Forensics Investigations

Case Report Writing and Documentation

Create a Report to Attach to the Media Analysis Worksheet

Best Practices for Investigators

Sample Forensics Report

Sample Forensics Report

Report Writing Using Tools

Writing Report Using FTK

Writing Report Using ProDiscover

Becoming an Expert Witness

Expert Witness
   What is an Expert Witness?
   Role of an Expert Witness
   What Makes a Good Expert Witness?
Types of Expert Witnesses
   Types of Expert Witnesses
       Computer Forensics Experts
          Role of Computer Forensics Expert
       Medical & Psychological Experts
       Civil Litigation Experts
       Construction & Architecture Experts
       Criminal Litigation Experts
Scope of Expert Witness Testimony
   Scope of Expert Witness Testimony
   Technical Witness vs. Expert Witness
   Preparing for Testimony
Evidence Processing
   Evidence Preparation and Documentation
   Evidence Processing Steps
   Checklists for Processing Evidence
   Examining Computer Evidence
   Prepare the Report
   Evidence Presentation
Rules for Expert Witness
   Rules Pertaining to an Expert Witness’s Qualification
   Daubert Standard
   Frye Standard
   Importance of Resume
   Testifying in the Court
   The Order of Trial Proceedings
General Ethics While Testifying
   General Ethics While Testifying
   Importance of Graphics in a Testimony
   Helping your Attorney
   Avoiding Testimony Issues
   Testifying during Direct Examination
   Testifying during Cross-Examination
   Recognizing Deposition Problems
   Guidelines to Testifying at a Deposition
   Dealing with Media
   Finding a Computer Forensics Expert

