
Mar 25, 2020

dariahiddleston
Page 1:   · Web viewInvestigating Computer Crime Before the Investigation Build a Forensics Workstation Building the Investigation Team People Involved in Computer Forensics Review Policies

EC-Council - Computer Hacking Forensic Investigator v.8

Course Introduction (2m)
  Course Introduction

Module 00 - Student Introduction (6m)
  Student Introduction
  CHFIv8 Course Outline
  EC-Council Certification Program
  Computer Hacking Forensic Investigator Track
  CHFIv8 Exam Information
  What Does CHFI Teach You?
  CHFI Class Speed
  Let's Start Forensics Investigation!

Module 01 - Computer Forensics in Today's World (1h 8m)
  Module Flow: Computer Forensics
  Forensics Science
  Computer Forensics
  Security Incident Report
  Aspects of Organizational Security
  Evolution of Computer Forensics (Cont'd)
  Evolution of Computer Forensics
  Objective of Computer Forensics
  Need for Computer Forensics
  Module Flow: Forensics Readiness
  Benefits of Forensics Readiness
  Goals of Forensics Readiness
  Forensics Readiness Planning
  Module Flow: Cyber Crimes
  Cyber Crime
  Computer Facilitated Crimes
  Modes of Attacks
  Examples of Cyber Crime (Cont'd)
  Examples of Cyber Crime
  Types of Computer Crimes
  Cyber Criminals
  Organized Cyber Crime: Organizational Chart
  How Serious are Different Types of Incidents?
  Disruptive Incidents to the Business
  Cost Expenditure Responding to the Security Incident
  Module Flow: Cyber Crime Investigation
  Cyber Crime Investigation
  Key Steps in Forensics Investigation (Cont'd)
  Key Steps in Forensics Investigation
  Rules of Forensics Investigation
  Need for Forensics Investigator
  Role of Forensics Investigator
  Accessing Computer Forensics Resources
  Role of Digital Evidence
  Module Flow: Corporate Investigations
  Understanding Corporate Investigations


  Approach to Forensics Investigation: A Case Study (Cont'd)
  Approach to Forensics Investigation: A Case Study
  Instructions for the Forensic Investigator to Approach the Crime Scene
  Why and When Do You Use Computer Forensics?
  Enterprise Theory of Investigation (ETI)
  Legal Issues
  Reporting the Results
  Module Flow: Reporting a Cyber Crime
  Why You Should Report Cybercrime?
  Reporting Computer-Related Crimes (Cont'd)
  Reporting Computer-Related Crimes
  Person Assigned to Report the Crime
  When and How to Report an Incident?
  Who to Contact at the Law Enforcement
  Federal Local Agents Contact (Cont'd)
  Federal Local Agents Contact
  More Contacts
  CIO Cyberthreat Report Form
  Module 01 Review

Module 02 - Computer Forensics Investigation Process (1h 20m)
  Computer Forensics Investigation Process
  Investigating Computer Crime
  Before the Investigation
  Build a Forensics Workstation
  Building the Investigation Team
  People Involved in Computer Forensics
  Review Policies and Laws
  Forensics Laws (Cont'd)
  Forensics Laws
  Notify Decision Makers and Acquire Authorization
  Risk Assessment
  Build a Computer Investigation Toolkit
  Steps to Prepare for a Computer Forensics Investigation (Cont'd)
  Steps to Prepare for a Computer Forensics Investigation
  Computer Forensics Investigation Methodology: Obtain Search Warrant
  Obtain Search Warrant
  Example of Search Warrant
  Searches Without a Warrant
  Computer Forensics Investigation Methodology: Evaluate and Secure the Scene
  Forensics Photography
  Gather the Preliminary Information at the Scene
  First Responder
  Computer Forensics Investigation Methodology: Collect the Evidence
  Collect Physical Evidence
  Evidence Collection Form
  Collect Electronic Evidence (Cont'd)
  Collect Electronic Evidence
  Guidelines for Acquiring Evidence
  Computer Forensics Investigation Methodology: Secure the Evidence
  Secure the Evidence
  Evidence Management
  Chain of Custody
  Chain of Custody Form
  Computer Forensics Investigation Methodology: Acquire the Data
  Original Evidence Should NEVER Be Used for Analysis


  Duplicate the Data (Imaging)
  Verify Image Integrity
  Demo - HashCalc
  MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles
  Recover Lost or Deleted Data
  Data Recovery Software
  Computer Forensics Investigation Methodology: Analyze the Data
  Data Analysis
  Data Analysis Tools
  Computer Forensics Investigation Methodology: Assess Evidence and Case
  Evidence Assessment
  Case Assessment (Cont'd)
  Case Assessment
  Processing Location Assessment
  Best Practices to Assess the Evidence
  Computer Forensics Investigation Methodology: Prepare the Final Report
  Documentation in Each Phase
  Gather and Organize Information
  Writing the Investigation Report (Cont'd)
  Writing the Investigation Report
  Sample Report (1 of 7)
  Sample Report (2 of 7)
  Sample Report (3 of 7)
  Sample Report (4 of 7)
  Sample Report (5 of 7)
  Sample Report (6 of 7)
  Sample Report (7 of 7)
  Computer Forensics Investigation Methodology: Testify as an Expert Witness
  Expert Witness
  Testifying in the Court Room
  Closing the Case
  Maintaining Professional Conduct
  Investigating a Company Policy Violation
  Computer Forensics Service Providers (Cont'd)
  Computer Forensics Service Providers
  Module 02 Review

Module 03 - Searching and Seizing Computers (1h 27m)
  Module Flow: Searching and Seizing Computers without a Warrant
  Searching and Seizing Computers without a Warrant
  Fourth Amendment's "Reasonable Expectation of Privacy" in Cases Involving Computers: Principles
  Reasonable Expectation of Privacy in Computers as Storage Devices
  Reasonable Expectation of Privacy and Third-Party Possession
  Private Searches
  Use of Technology to Obtain Information
  Exceptions to the Warrant Requirement in Cases Involving Computers
  Consent
  Scope of Consent
  Third-Party Consent
  Implied Consent
  Exigent Circumstances
  Plain View
  Search Incident to a Lawful Arrest
  Inventory Searches
  Border Searches
  International Issues


  Special Case: Workplace Searches
  Private Sector Workplace Searches
  Public-Sector Workplace Searches
  Module Flow: Searching and Seizing Computers with a Warrant
  Searching and Seizing Computers with a Warrant
  Successful Search with a Warrant
  Basic Strategies for Executing Computer Searches
  When Hardware Is Itself Contraband, Evidence, or an Instrumentality or Fruit of Crime
  When Hardware Is Merely a Storage Device for Evidence of Crime
  The Privacy Protection Act
  The Terms of the Privacy Protection Act
  Application of the PPA to Computer Searches and Seizures (Cont'd)
  Application of the PPA to Computer Searches and Seizures
  Civil Liability Under the Electronic Communications Privacy Act (ECPA)
  Considering the Need for Multiple Warrants in Network Searches
  No-Knock Warrants
  Sneak-and-Peek Warrants
  Privileged Documents
  Drafting the Warrant and Affidavit
  Accurately and Particularly Describe the Property to Be Seized in the Warrant and/or Attachments
  Defending Computer Search Warrants Against Challenges Based on the "Things to be Seized"
  Establish Probable Cause in the Affidavit
  Explanation of the Search Strategy and Practical & Legal Considerations
  Post-Seizure Issues
  Searching Computers Already in Law Enforcement Custody
  The Permissible Time Period for Examining Seized Computers
  Rule 41(e) Motions for Return of Property
  Module Flow: The Electronic Communications Privacy Act
  The Electronic Communications Privacy Act
  Providers of Electronic Communication Service vs. Remote Computing Service
  Classifying Types of Information Held by Service Providers
  Compelled Disclosure Under ECPA
  Voluntary Disclosure
  Working with Network Providers
  Module Flow: Electronic Surveillance in Communications Networks
  Electronic Surveillance in Communications Networks
  Content vs. Addressing Information
  The Pen/Trap Statute
  The Wiretap Statute ("Title III")
  Exceptions to Title III
  Remedies For Violations of Title III and the Pen/Trap Statute
  Module Flow: Evidence
  Evidence (Cont'd)
  Evidence
  Authentication
  Hearsay
  Other Issues
  Module 03 Review

Module 04 - Digital Evidence (2h)


  Module Flow: Digital Data
  Definition of Digital Evidence
  Increasing Awareness of Digital Evidence
  Challenging Aspects of Digital Evidence
  The Role of Digital Evidence
  Characteristics of Digital Evidence
  Fragility of Digital Evidence
  Anti-Digital Forensics (ADF)
  Module Flow: Types of Digital Data
  Types of Digital Data (Cont'd)
  Types of Digital Data
  Module Flow: Rules of Evidence
  Rules of Evidence
  Best Evidence Rule
  Federal Rules of Evidence (Cont'd)
  Federal Rules of Evidence
  International Organization on Computer Evidence (IOCE)
  IOCE International Principles for Digital Evidence
  Scientific Working Group on Digital Evidence (SWGDE)
  SWGDE Standards for the Exchange of Digital Evidence (Cont'd)
  SWGDE Standards for the Exchange of Digital Evidence
  Module Flow: Electronic Devices: Types and Collecting Potential Evidence
  Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
  Electronic Devices: Types and Collecting Potential Evidence
  Module Flow: Digital Evidence Examination Process
  Digital Evidence Examination Process - Evidence Assessment
  Evidence Assessment
  Prepare for Evidence Acquisition
  Digital Evidence Examination Process - Evidence Acquisition
  Preparation for Searches
  Seizing the Evidence
  Imaging
  Demo - Disk Sterilization with DD
  Bit-Stream Copies
  Write Protection
  Evidence Acquisition
  Evidence Acquisition from Crime Location
  Acquiring Evidence from Storage Devices
  Demo - Utilizing HD PARM for HD Information
  Collecting Evidence (Cont'd)
  Collecting Evidence
  Collecting Evidence from RAM (Cont'd)
  Collecting Evidence from RAM
  Collecting Evidence from a Standalone Network Computer
  Chain of Custody
  Chain of Evidence Form
  Digital Evidence Examination Process - Evidence Preservation
  Preserving Digital Evidence: Checklist (Cont'd)
  Preserving Digital Evidence: Checklist
  Preserving Removable Media (Cont'd)
  Preserving Removable Media
  Handling Digital Evidence
  Store and Archive
  Digital Evidence Findings
  Digital Evidence Examination Process - Evidence Examination and Analysis
  DO NOT WORK on the Original Evidence


  Evidence Examination (Cont'd)
  Evidence Examination
  Physical Extraction
  Logical Extraction
  Analyze Host Data
  Analyze Storage Media
  Analyze Network Data
  Analysis of Extracted Data
  Timeframe Analysis
  Data Hiding Analysis
  Application and File Analysis
  Ownership and Possession
  Digital Evidence Examination Process - Evidence Documentation and Reporting
  Documenting the Evidence
  Evidence Examiner Report
  Final Report of Findings
  Computer Evidence Worksheet (Cont'd)
  Computer Evidence Worksheet
  Hard Drive Evidence Worksheet (Cont'd)
  Hard Drive Evidence Worksheet
  Removable Media Worksheet
  Module Flow: Electronic Crime and Digital Evidence Consideration by Crime Category
  Electronic Crime and Digital Evidence Consideration by Crime Category (Cont'd)
  Electronic Crime and Digital Evidence Consideration by Crime Category
  Module 04 Review

Module 05 - First Responder Procedures (1h 59m)
  Module Flow: First Responder
  Electronic Evidence
  First Responder
  Roles of First Responder
  Electronic Devices: Types and Collecting Potential Evidence (Cont'd)
  Electronic Devices: Types and Collecting Potential Evidence
  Module Flow: First Responder Toolkit
  First Responder Toolkit
  Creating a First Responder Toolkit
  Evidence Collecting Tools and Equipment (Cont'd)
  Evidence Collecting Tools and Equipment
  Module Flow: First Response Basics
  First Response Rule
  Incident Response: Different Situations
  First Response for System Administrators
  First Response by Non-Laboratory Staff
  First Response by Laboratory Forensics Staff (Cont'd)
  First Response by Laboratory Forensics Staff
  Module Flow: Securing and Evaluating Electronic Crime Scene
  Securing and Evaluating Electronic Crime Scene: A Checklist (Cont'd)
  Securing and Evaluating Electronic Crime Scene: A Checklist
  Securing the Crime Scene
  Warrant for Search and Seizure
  Planning the Search and Seizure (Cont'd)
  Planning the Search and Seizure
  Initial Search of the Scene
  Health and Safety Issues
  Module Flow: Conducting Preliminary Interviews
  Questions to Ask When Client Calls the Forensic Investigator


  Consent
  Sample of Consent Search Form
  Witness Signatures
  Conducting Preliminary Interviews
  Conducting Initial Interviews
  Witness Statement Checklist
  Module Flow: Documenting Electronic Crime Scene
  Documenting Electronic Crime Scene
  Photographing the Scene
  Sketching the Scene
  Video Shooting the Crime Scene
  Module Flow: Collecting and Preserving Electronic Evidence
  Collecting and Preserving Electronic Evidence (Cont'd)
  Collecting and Preserving Electronic Evidence
  Order of Volatility
  Dealing with Powered On Computers (Cont'd)
  Demo - Imaging RAM
  Demo - Parsing RAM
  Dealing with Powered On Computers
  Dealing with Powered Off Computers
  Dealing with Networked Computer
  Dealing with Open Files and Startup Files
  Operating System Shutdown Procedure (Cont'd)
  Operating System Shutdown Procedure Example
  Computers and Servers
  Preserving Electronic Evidence
  Seizing Portable Computers
  Switched On Portables
  Collecting and Preserving Electronic Evidence Wrap-up
  Module Flow: Packaging and Transporting Electronic Evidence
  Evidence Bag Contents List
  Packaging Electronic Evidence
  Exhibit Numbering
  Transporting Electronic Evidence
  Handling and Transportation to the Forensics Laboratory
  Storing Electronic Evidence
  Chain of Custody
  Simple Format of the Chain of Custody Document
  Chain of Custody Forms (Cont'd)
  Chain of Custody Forms
  Chain of Custody on Property Evidence Envelope/Bag and Sign-out Sheet
  Demo - Hardware Inventories
  Module Flow: Reporting the Crime Scene
  Reporting the Crime Scene
  Note Taking Checklist (Cont'd)
  Note Taking Checklist
  First Responder Common Mistakes
  Module 05 Review

Module 06 - Computer Forensics Lab (2h 5m)


  Module Flow: Setting a Computer Forensics Lab
  Computer Forensics Lab
  Planning for a Forensics Lab
  Budget Allocation for a Forensics Lab
  Physical Location Needs of a Forensics Lab
  Structural Design Considerations
  Environmental Conditions
  Electrical Needs
  Communication Needs
  Work Area of a Computer Forensics Lab
  Ambience of a Forensics Lab
  Ambience of a Forensics Lab: Ergonomics
  Physical Security Recommendations
  Fire-Suppression Systems
  Evidence Locker Recommendations
  Computer Forensic Investigator
  Law Enforcement Officer
  Lab Director
  Forensics Lab Licensing Requisite
  Features of the Laboratory Imaging System
  Technical Specifications of the Laboratory Based Imaging System
  Forensics Lab (1 of 3)
  Forensics Lab (2 of 3)
  Forensics Lab (3 of 3)
  Auditing a Computer Forensics Lab (Cont'd)
  Auditing a Computer Forensics Lab
  Recommendations to Avoid Eyestrain
  Module Flow: Investigative Services in Forensics
  Computer Forensics Investigative Services
  Computer Forensic Investigative Service Sample
  Computer Forensics Services: PenrodEllis Forensic Data Discovery
  Data Destruction Industry Standards
  Computer Forensics Services (Cont'd)
  Computer Forensics Services
  Module Flow: Computer Forensics Hardware
  Equipment Required in a Forensics Lab
  Forensic Workstations
  Basic Workstation Requirements in a Forensics Lab
  Stocking the Hardware Peripherals
  Paraben Forensics Hardware: Handheld First Responder Kit
  Paraben Forensics Hardware: Wireless StrongHold Bag
  Paraben Forensics Hardware: Wireless StrongHold Box
  Paraben Forensics Hardware: Passport StrongHold Bag
  Paraben Forensics Hardware: Device Seizure Toolbox
  Paraben Forensics Hardware: Project-a-Phone
  Paraben Forensics Hardware: Lockdown
  Paraben Forensics Hardware: iRecovery Stick
  Paraben Forensics Hardware: Data Recovery Stick
  Paraben Forensics Hardware: Chat Stick
  Paraben Forensics Hardware: USB Serial DB9 Adapter
  Paraben Forensics Hardware: Mobile Field Kit
  Portable Forensic Systems and Towers: Forensic Air-Lite VI MK III Laptop
  Portable Forensic Systems and Towers: Original Forensic Tower II and Forensic Solid Steel Tower
  Portable Forensic Workhorse V: Tableau 335 Forensic Drive Bay Controller
  Portable Forensic Systems and Towers: Forensic Air-Lite IV MK II
  Portable Forensic Systems and Towers: Forensic Air-Lite V MK III


  Portable Forensic Systems and Towers: Forensic Tower IV Dual Xeon
  Portable Forensic Systems and Towers: Ultimate Forensic Machine
  Forensic Write Protection Devices and Kits: Ultimate Forensic Write Protection Kit II-ES
  Tableau T3u Forensic SATA Bridge Write Protection Kit
  Tableau T8 Forensic USB Bridge Kit/Addonics Mini DigiDrive READ ONLY 12-in-1 Flash Reader
  Tableau TACC 1441 Hardware Accelerator
  Multiple TACC1441 Units
  Tableau TD1 Forensic Duplicator
  Power Supplies and Switches
  Digital Intelligence Forensic Hardware: FRED SR (Dual Xeon)
  Digital Intelligence Forensic Hardware: FRED-L
  Digital Intelligence Forensic Hardware: FRED SC
  Digital Intelligence Forensic Hardware: Forensic Recovery of Evidence Data Center (FREDC)
  Digital Intelligence Forensic Hardware: Rack-A-TACC
  Digital Intelligence Forensic Hardware: FREDDIE
  Digital Intelligence Forensic Hardware: UltraKit
  Digital Intelligence Forensic Hardware: UltraBay II
  Digital Intelligence Forensic Hardware: UltraBlock SCSI
  Digital Intelligence Forensic Hardware: Micro Forensic Recovery of Evidence Device
  Digital Intelligence Forensic Hardware: HardCopy 3P
  Wiebetech: Forensics DriveDock v4
  Wiebetech: Forensic UltraDock v4
  Wiebetech: Drive eRazer
  Wiebetech: v4 Combo Adapters
  Wiebetech: ProSATA SS8
  Wiebetech: HotPlug
  CelleBrite: UFED System
  CelleBrite: UFED Physical Pro
  CelleBrite: UFED Ruggedized
  DeepSpar: Disk Imager Forensic Edition
  DeepSpar: 3D Data Recovery
  Phase 1 Tool: PC-3000 Drive Restoration System
  Phase 2 Tool: DeepSpar Disk Imager
  Phase 3 Tool: PC-3000 Data Extractor
  InfinaDyne Forensic Products: Robotic Loader Extension for CD/DVD Inspector
  InfinaDyne Forensic Products: Robotic System Status Light
  Image MASSter: Solo-4 (Super Kit)
  Image MASSter: RoadMASSter-3
  Image MASSter: WipeMASSter
  Image MASSter: WipePRO
  Image MASSter: Rapid Image 7020CS IT
  Logicube: Forensic MD5
  Logicube: Forensic Talon
  Logicube: Portable Forensic Lab
  Logicube: CellDEK
  Logicube: Forensic Quest-2
  Logicube: NETConnect
  Logicube: RAID I/O Adapter
  Logicube: GPStamp
  Logicube: OmniPort
  Logicube: Desktop WritePROtects
  Logicube: USB Adapter
  Logicube: CloneCard Pro
  Logicube: EchoPlus
  OmniClone IDE Laptop Adapters
  Logicube: Cables


  VoomTech: HardCopy 3P
  VoomTech: SHADOW 2
  Module Flow: Computer Forensics Software
  Basic Software Requirements in a Forensics Lab
  Main Operating System and Application Inventories
  Imaging Software: R-Drive Image
  Demo - R-Drive Image
  Imaging Software: P2 eXplorer Pro
  Imaging Software: AccuBurn-R for CD/DVD Inspector
  Imaging Software: Flash Retriever Forensic Edition
  File Conversion Software: FileMerlin
  File Conversion Software: SnowBatch
  File Conversion Software: Zamzar
  File Viewer Software: File Viewer
  File Viewer Software: Quick View Plus 11 Standard Edition
  Demo - File Viewers
  Analysis Software: P2 Commander
  P2 Commander Screenshot
  Analysis Software: DriveSpy
  Analysis Software: SIM Card Seizure
  Analysis Software: CD/DVD Inspector
  Analysis Software: Video Indexer (Vindex)
  Monitoring Software: Device Seizure
  Device Seizure Screenshots
  Monitoring Software: Deployable P2 Commander (DP2C)
  Monitoring Software: ThumbsDisplay
  ThumbsDisplay Screenshot
  Monitoring Software: Email Detective
  Computer Forensics Software: DataLifter
  Computer Forensics Software: X-Ways Forensics
  Demo - X-Ways Forensics
  Computer Forensics Software: LiveWire Investigator
  Module 06 Review

Module 07 - Understanding Hard Disks and File Systems (3h 59m)
  Module Flow: Hard Disk Drive Overview
  Disk Drive Overview (Cont'd)
  Disk Drive Overview
  Hard Disk Drive
  Solid-State Drive (SSD)
  Physical Structure of a Hard Disk (Cont'd)
  Physical Structure of a Hard Disk
  Logical Structure of Hard Disk
  Types of Hard Disk Interfaces
  Hard Disk Interfaces: ATA
  Hard Disk Interfaces: SCSI (Cont'd)
  Hard Disk Interfaces: SCSI
  Hard Disk Interfaces: IDE/EIDE
  Hard Disk Interfaces: USB
  Hard Disk Interfaces: Fibre Channel
  Disk Platter
  Tracks
  Track Numbering
  Sector
  Advanced Format: Sectors
  Sector Addressing


  Cluster
  Cluster Size
  Changing the Cluster Size
  Demo - Cluster Size
  Slack Space (Cont'd)
  Slack Space
  Demo - Slack Space
  Lost Clusters
  Bad Sector
  Hard Disk Data Addressing
  Disk Capacity Calculation
  Demo - Calculating Disk Capacity
  Measuring the Performance of the Hard Disk
  Module Flow: Disk Partitions and Boot Process
  Disk Partitions
  Demo - Partitioning Linux
  Master Boot Record
  Structure of a Master Boot Record (Cont'd)
  Demo - Backing Up the MBR
  Structure of a Master Boot Record
  What is the Booting Process?
  Essential Windows System Files
  Windows 7 Boot Process (Cont'd)
  Windows 7 Boot Process
  Macintosh Boot Process (Cont'd)
  Macintosh Boot Process
  http://www.bootdisk.com
  Module Flow: Understanding File Systems
  Understanding File Systems
  Types of File Systems
  List of Disk File Systems (Cont'd)
  List of Disk File Systems
  List of Network File Systems
  List of Special Purpose File Systems
  List of Shared Disk File Systems
  Windows File Systems
  Popular Windows File Systems
  File Allocation Table (FAT)
  FAT File System Layout
  FAT Partition Boot Sector
  FAT Structure
  FAT Folder Structure
  Directory Entries and Cluster Chains
  Filenames on FAT Volumes
  Examining FAT
  FAT32
  New Technology File System (NTFS) (Cont'd)
  NTFS (Cont'd)
  NTFS
  NTFS Architecture
  NTFS System Files
  NTFS Partition Boot Sector
  Cluster Sizes of NTFS Volume
  NTFS Master File Table (MFT) (Cont'd)
  NTFS Master File Table (MFT)
  Metadata Files Stored in the MFT


  NTFS Files and Data Storage
  NTFS Attributes
  NTFS Data Stream (Cont'd)
  NTFS Data Stream
  NTFS Compressed Files
  Setting the Compression State of a Volume
  Encrypting File Systems (EFS)
  Components of EFS
  Operation of Encrypting File System
  EFS Attribute
  Encrypting a File
  EFS Recovery Key Agent (Cont'd)
  EFS Recovery Key Agent
  Tool: Advanced EFS Data Recovery
  Tool: EFS Key
  Sparse Files
  Deleting NTFS Files
  Registry Data (Cont'd)
  Registry Data
  Examining Registry Data
  FAT vs. NTFS
  Linux File Systems
  Popular Linux File Systems
  Linux File System Architecture
  Ext2 (Cont'd)
  Ext2
  Ext3 (Cont'd)
  Ext3
  Mac OS X File Systems
  HFS vs. HFS Plus
  HFS
  HFS Plus
  HFS Plus Volumes
  HFS Plus Journal
  Sun Solaris 10 File System: ZFS
  CD-ROM / DVD File System
  CDFS
  Demo - Multi-session Discs
  Module Flow: RAID Storage System
  RAID Storage System
  RAID Level 0: Disk Striping
  RAID Level 1: Disk Mirroring
  RAID Level 3: Disk Striping with Parity
  RAID Level 5: Block Interleaved Distributed Parity
  RAID Level 10: Blocks Striped and Mirrored
  RAID Level 50: Mirroring and Striping across Multiple RAID Levels
  Different RAID Levels
  Comparing RAID Levels
  Recover Data from Unallocated Space Using File Carving Process
  Module Flow: File System Analysis Using the Sleuth Kit (TSK)
  Tool: The Sleuth Kit (TSK)
  The Sleuth Kit (TSK): fsstat
  The Sleuth Kit (TSK): istat (1 of 4)
  The Sleuth Kit (TSK): istat (2 of 4)
  The Sleuth Kit (TSK): istat (3 of 4)
  The Sleuth Kit (TSK): istat (4 of 4)


  The Sleuth Kit (TSK): fls and img_stat
  Demo - TSK and Autopsy
  Module 07 Review

Module 08 - Windows Forensics (3h 37m)
  Module Flow: Collecting Volatile Information
  Volatile Information
  System Time
  Logged-On Users
  Logged-On Users: PsLoggedOn Tool
  Logged-On Users: net sessions Command
  Logged-On Users: LogonSessions Tool
  Open Files
  Open Files: net file Command
  Open Files: PsFile Utility
  Open Files: Openfiles Command
  Network Information (Cont'd)
  Network Information
  Network Connections (Cont'd)
  Demo - Netstat Command
  Network Connections
  Process Information (Cont'd)
  Process Information
  Process-to-Port Mapping (Cont'd)
  Process-to-Port Mapping
  Process Memory
  Network Status (Cont'd)
  Demo - ipconfig
  Network Status
  Other Important Information (Cont'd)
  Demo - Clipboard Viewer
  Other Important Information
  Module Flow: Collecting Non-Volatile Information
  Non-Volatile Information
  Examine File Systems
  Registry Settings
  Microsoft Security ID
  Event Logs
  Index.dat File (Cont'd)
  Index.dat File
  Demo - Grabbing Registry Files
  Devices and Other Information
  Slack Space
  Virtual Memory
  Swap File
  Windows Search Index
  Collecting Hidden Partition Information
  Demo - Gparted
  Hidden ADS Streams
  Investigating ADS Streams: StreamArmor
  Other Non-Volatile Information
  Module Flow: Windows Memory Analysis
  Memory Dump (Cont'd)
  Memory Dump
  EProcess Structure
  Process Creation Mechanism


  Parsing Memory Contents
  Parsing Process Memory
  Extracting the Process Image (Cont'd)
  Extracting the Process Image
  Collecting Process Memory
  Module Flow: Windows Registry Analysis
  Inside the Registry (Cont'd)
  Inside the Registry
  Registry Structure within a Hive File
  The Registry as a Log File
  Registry Analysis
  System Information (Cont'd)
  System Information
  TimeZone Information
  Shares
  Audit Policy
  Wireless SSIDs
  Autostart Locations
  System Boot
  User Login
  User Activity
  Enumerating Autostart Registry Locations
  USB Removable Storage Devices (Cont'd)
  USB Removable Storage Devices
  Mounted Devices (Cont'd)
  Mounted Devices
  Finding Users (Cont'd)
  Finding Users: Screenshots
  Tracking User Activity
  The UserAssist Keys
  MRU Lists (Cont'd)
  MRU Lists
  Search Assistant
  Connecting to Other Systems
  Analyzing Restore Point Registry Settings (Cont'd)
  Analyzing Restore Point Registry Settings
  Determining the Startup Locations (Cont'd)
  Determining the Startup Locations
  Demo - Reg Ripper
  Module Flow: Cache, Cookie, and History Analysis
  Cache, Cookie, and History Analysis in IE
  Cache, Cookie, and History Analysis in Firefox
  Cache, Cookie, and History Analysis in Chrome
  Analysis Tool: IECookiesView
  Analysis Tool: IECacheView
  Analysis Tool: IEHistoryView
  Analysis Tool: MozillaCookiesView
  Analysis Tool: MozillaCacheView
  Analysis Tool: MozillaHistoryView
  Analysis Tool: ChromeCookiesView
  Analysis Tool: ChromeCacheView
  Analysis Tool: ChromeHistoryView
  Module Flow: MD5 Calculation
  Message Digest Function: MD5
  Why MD5 Calculation?
  MD5 Hash Calculators: HashCalc, MD5 Calculator and HashMyFiles


  MD5 Checksum Verifier
  ChaosMD5
  Module Flow: Windows File Analysis
  Recycle Bin (Cont'd)
  Recycle Bin
  System Restore Points (Rp.log Files)
  System Restore Points (Change.log.x Files)
  Prefetch Files (Cont'd)
  Prefetch Files
  Shortcut Files
  Word Documents
  PDF Documents
  Image Files
  File Signature Analysis
  NTFS Alternate Data Streams
  Executable File Analysis
  Documentation Before Analysis
  Static Analysis Process
  Search Strings
  PE Header Analysis
  Import Table Analysis
  Export Table Analysis
  Dynamic Analysis Process
  Creating Test Environment
  Collecting Information Using Tools
  Process of Testing the Malware
  Module Flow: Metadata Investigation
  Metadata
  Types of Metadata (Cont'd)
  Types of Metadata
  Metadata in Different File Systems (Cont'd)
  Metadata in Different File Systems
  Metadata in PDF Files
  Metadata in Word Documents
  Tool: Metadata Analyzer
  Module Flow: Text Based Logs
  Understanding Events
  Event Logon Types (Cont'd)
  Event Logon Types
  Event Record Structure (Cont'd)
  Event Record Structure
  Vista Event Logs (Cont'd)
  Vista Event Logs: Screenshots
  IIS Logs
  Parsing IIS Logs (Cont'd)
  Parsing IIS Logs
  Parsing FTP Logs
  FTP sc-status Codes (Cont'd)
  FTP sc-status Codes
  Parsing DHCP Server Logs (Cont'd)
  Parsing DHCP Server Logs
  Parsing Windows Firewall Logs
  Using the Microsoft Log Parser
  Module Flow: Other Audit Events
  Evaluating Account Management Events (Cont'd)
  Evaluating Account Management Events


  Examining Audit Policy Change Events
  Examining System Log Entries
  Examining Application Log Entries
  Examining Application Log Entries (Screenshot)
  Module Flow: Forensic Analysis of Event Logs
  Searching with Event Viewer
  Using EnCase to Examine Windows Event Log Files
  Windows Event Log Files Internals
  Module Flow: Windows Password Issues
  Understanding Windows Password Storage (Cont'd)
  Understanding Windows Password Storage
  Cracking Windows Passwords Stored on Running Systems (Cont'd)
  Cracking Windows Passwords Stored on Running Systems
  Exploring Windows Authentication Mechanisms
  LanMan Authentication Process
  NTLM Authentication Process
  Kerberos Authentication Process
  Sniffing and Cracking Windows Authentication Exchanges
  Cracking Offline Passwords
  Module Flow: Forensics Tools
  Windows Forensics Tool: OS Forensics
  Windows Forensics Tool: Helix3 Pro
  Helix3 Pro Screenshot
  Integrated Windows Forensics Software: X-Ways Forensics
  X-Ways Forensics Screenshot
  X-Ways Trace
  Windows Forensic Toolchest (WFT)
  Built-in Tool: Sigverif
  Computer Online Forensic Evidence Extractor (COFEE)
  System Explorer
  Tool: System Scanner
  SecretExplorer
  Registry Viewer Tool: Registry Viewer
  Registry Viewer Tool: RegScanner
  Registry Viewer Tool: Alien Registry Viewer
  MultiMon
  CurrProcess
  Process Explorer
  Security Task Manager
  PrcView
  ProcHeapViewer
  Memory Viewer
  Tool: PMDump
  Word Extractor
  Belkasoft Evidence Center
  Belkasoft Browser Analyzer
  Metadata Assistant
  HstEx
  XpoLog Center Suite
  XpoLog Center Suite Screenshot
  LogViewer Pro
  Event Log Explorer
  LogMeister
  ProDiscover Forensics
  PyFlag
  LiveWire Investigator
- ThumbsDisplay
- ThumbsDisplay Screenshot
- DriveLook
- Module 08 Review

Module 09 - Data Acquisition and Duplication 2h 53m

- Module Flow: Data Acquisition and Duplication Concepts
- Data Acquisition
- Forensic and Procedural Principles
- Types of Data Acquisition Systems
- Data Acquisition Formats (Cont'd)
- Data Acquisition Formats
- Bit Stream vs. Backups
- Why to Create a Duplicate Image?
- Issues with Data Duplication
- Data Acquisition Methods (Cont'd)
- Data Acquisition Methods
- Determining the Best Acquisition Method (Cont'd)
- Determining the Best Acquisition Method
- Contingency Planning for Image Acquisitions (Cont'd)
- Contingency Planning for Image Acquisitions
- Data Acquisitions Mistakes
- Module Flow: Data Acquisition Types
- Rules of Thumb
- Static Data Acquisition
- Collecting Static Data
- Demo - Forensic Imaging Using Linux
- Demo - Forensic Imaging Using Windows
- Static Data Collection Process
- Live Data Acquisition
- Why Volatile Data is Important?
- Volatile Data (Cont'd)
- Volatile Data
- Order of Volatility
- Common Mistakes in Volatile Data Collection
- Volatile Data Collection Methodology (Cont'd)
- Volatile Data Collection Methodology
- Basic Steps in Collecting Volatile Data
- Types of Volatile Information (Cont'd)
- Types of Volatile Information
- Demo - WinTaylors
- Module Flow: Disk Acquisition Tool Requirements
- Disk Imaging Tool Requirements
- Disk Imaging Tool Requirements: Mandatory (Cont'd)
- Disk Imaging Tool Requirements: Mandatory
- Disk Imaging Tool Requirements: Optional (Cont'd)
- Disk Imaging Tool Requirements: Optional
- Module Flow: Validation Methods
- Validating Data Acquisitions
- Linux Validation Methods (Cont'd)
- Linux Validation Methods
- Windows Validation Methods
- Module Flow: RAID Data Acquisition
- Understanding RAID Disks (Cont'd)
- Understanding RAID Disks
- Acquiring RAID Disks (Cont'd)
- Acquiring RAID Disks
- Remote Data Acquisition
- Module Flow: Acquisition Best Practices
- Acquisition Best Practices (Cont'd)
- Acquisition Best Practices
- Module Flow: Data Acquisition Software Tools
- Acquiring Data on Windows
- Acquiring Data on Linux
- dd Command
- dcfldd Command
- Extracting the MBR
- Netcat Command
- EnCase Forensic
- EnCase Forensic Screenshot
- Analysis Software: DriveSpy
- ProDiscover Forensics
- AccessData FTK Imager
- Mount Image Pro
- Data Acquisition Toolbox
- SafeBack
- ILookPI
- ILookPI Screenshot
- RAID Recovery for Windows
- R-Tools R-Studio
- F-Response
- PyFlag
- LiveWire Investigator
- ThumbsDisplay
- ThumbsDisplay Screenshot
- DataLifter
- X-Ways Forensics
- R-drive Image
- Demo - Forensic Imaging
- DriveLook
- DiskExplorer
- P2 eXplorer Pro
- Flash Retriever Forensic Edition
- Module Flow: Data Acquisition Hardware Tools
- US-LATT
- Image MASSter: Solo-4 (Super Kit)
- Image MASSter: RoadMASSter-3
- Tableau TD1 Forensic Duplicator
- Logicube: Forensic MD5
- Logicube: Portable Forensic Lab
- Logicube: Forensic Talon
- Logicube: RAID I/O Adapter
- DeepSpar: Disk Imager Forensic Edition
- Logicube: USB Adapter
- Disk Jockey PRO
- Logicube: Forensic Quest-2
- Logicube: CloneCard Pro
- Logicube: EchoPlus
- Paraben Forensics Hardware: Chat Stick
- Image MASSter: Rapid Image 7020CS IT
- Digital Intelligence Forensic Hardware: UltraKit
- Digital Intelligence Forensic Hardware: UltraBay II
- Digital Intelligence Forensic Hardware: UltraBlock SCSI
- Digital Intelligence Forensic Hardware: HardCopy 3P
- Wiebetech: Forensics DriveDock v4
- Wiebetech: Forensics UltraDock v4
- Image MASSter: WipeMASSter
- Image MASSter: WipePRO
- Portable Forensic Systems and Towers: Forensic Air-Lite V MK III
- Forensic Tower IV Dual Xeon
- Digital Intelligence Forensic Hardware: FREDDIE
- DeepSpar: 3D Data Recovery
- Phase 1 Tool: PC-3000 Drive Restoration System
- Phase 2 Tool: DeepSpar Disk Imager
- Phase 3 Tool: PC-3000 Data Extractor
- Logicube: Cables
- Logicube: Adapters
- Logicube: GPStamp
- Logicube: OmniPort
- Logicube: CellDEK
- Paraben Forensics Hardware: Project-a-Phone
- Paraben Forensics Hardware: Mobile Field Kit
- Paraben Forensics Hardware: iRecovery Stick
- CelleBrite: UFED System
- CelleBrite: UFED Physical Pro
- Module 09 Review

Module 10 - Recovering Deleted Files and Deleted Partition 1h 21m

- Module Flow: Recovering the Deleted Files
- Deleting Files
- What Happens When a File is Deleted in Windows?
- Recycle Bin in Windows (Cont'd)
- Recycle Bin in Windows
- Storage Locations of Recycle Bin in FAT and NTFS Systems
- How the Recycle Bin Works (Cont'd)
- How the Recycle Bin Works
- Demo - Recycle Bins
- Damaged or Deleted INFO File
- Damaged Files in Recycle Bin Folder
- Damaged Recycle Folder
- File Recovery in Mac OS X (Cont'd)
- File Recovery in Mac OS X
- File Recovery in Linux
- Module Flow: File Recovery Tools for Windows
- Recover My Files
- EASEUS Data Recovery Wizard
- PC INSPECTOR File Recovery
- Demo - PC INSPECTOR File Recovery
- Recuva
- DiskDigger
- Handy Recovery
- Quick Recovery
- Stellar Phoenix Windows Data Recovery
- Tools to Recover Deleted Files
- Module Flow: File Recovery Tools for Mac
- Mac File Recovery
- Mac Data Recovery
- Boomerang Data Recovery Software
- VirtualLab
- File Recovery Tools for Mac OS X
- Module Flow: File Recovery Tools for Linux
- R-Studio for Linux
- Quick Recovery for Linux
- Kernel for Linux Data Recovery
- TestDisk for Linux
- Demo - File Carving
- Module Flow: Recovering the Deleted Partitions
- Disk Partition
- Deletion of Partition
- Recovery of the Deleted Partition (Cont'd)
- Recovery of the Deleted Partition
- Module Flow: Partition Recovery Tools
- Active@ Partition Recovery for Windows
- Acronis Recovery Expert
- DiskInternals Partition Recovery
- NTFS Partition Data Recovery
- GetDataBack
- EASEUS Partition Recovery
- Advanced Disk Recovery
- Power Data Recovery
- Remo Recover (Mac) - Pro
- Mac Data Recovery Software
- Quick Recovery for Linux
- Stellar Phoenix Linux Data Recovery Software
- Tools to Recover Deleted Partitions
- Demo - Partition Recovery
- Module 10 Review

Module 11 - Forensics Investigation Using AccessData FTK 3h 9m

- Module Flow: Overview and Installation of FTK
- Overview of Forensic Toolkit (FTK)
- Features of FTK
- Software Requirement
- Configuration Option
- Database Installation (Cont'd)
- Database Installation
- FTK Application Installation (1 of 6)
- FTK Application Installation (2 of 6)
- FTK Application Installation (3 of 6)
- FTK Application Installation (4 of 6)
- FTK Application Installation (5 of 6)
- FTK Application Installation (6 of 6)
- Module Flow: FTK Case Manager User Interface
- Case Manager Window
- Case Manager Database Menu
- Setting Up Additional Users and Assigning Roles
- Case Manager Case Menu
- Assigning Users Shared Label Visibility
- Case Manager Tools Menu
- Recovering Processing Jobs
- Restoring an Image to a Disk
- Case Manager Manage Menu
- Managing Carvers
- Managing Custom Identifiers
- Module Flow: FTK Examiner User Interface
- FTK Examiner User Interface
- Menu Bar: File Menu
- Exporting Files
- Exporting Case Data to a Custom Content Image
- Exporting the Word List
- Menu Bar: Edit Menu
- Menu Bar: View Menu
- Menu Bar: Evidence Menu
- Menu Bar: Tools Menu
- Verifying Drive Image Integrity
- Demo - Verifying Image Integrity
- Mounting an Image to a Drive
- File List View
- Using Labels
- Creating and Applying a Label
- Module Flow: Starting with FTK
- Creating a Case
- Selecting Detailed Options: Evidence Processing (Cont'd)
- Selecting Detailed Options: Evidence Processing
- Selecting Detailed Options: Fuzzy Hashing (Cont'd)
- Selecting Detailed Options: Fuzzy Hashing
- Selecting Detailed Options: Data Carving
- Selecting Detailed Options: Custom File Identification (Cont'd)
- Selecting Detailed Options: Custom File Identification
- Selecting Detailed Options: Evidence Refinement (Advanced) (Cont'd)
- Selecting Detailed Options: Evidence Refinement (Advanced)
- Selecting Detailed Options: Index Refinement (Advanced) (Cont'd)
- Selecting Detailed Options: Index Refinement (Advanced)
- Module Flow: FTK Interface Tabs
- Demo - FTK Imaging and Adding
- FTK Interface Tabs
- Explore Tab
- Overview Tab
- Email Tab
- Graphics Tab
- Bookmarks Tab
- Live Search Tabs
- Volatile Tab
- Demo - File Overview Tab
- Module Flow: Adding and Processing Static, Live, and Remote Evidence
- Adding Evidence to a Case
- Evidence Groups
- Acquiring Local Live Evidence
- FTK Role Requirements for Remote Acquisition
- Types of Remote Information
- Acquiring Data Remotely Using Remote Device Management System (RDMS) (Cont'd)
- Acquiring Data Remotely Using Remote Device Management System (RDMS)
- Imaging Drives
- Mounting and Unmounting a Device
- Module Flow: Using and Managing Filters
- Accessing Filter Tools
- Using Filters
- Customizing Filters
- Using Predefined Filters
- Demo - Filtering
- Module Flow: Using Index Search and Live Search
- Conducting an Index Search
- Selecting Index Search Options
- Viewing Index Search Results
- Documenting Search Results
- Conducting a Live Search: Live Text Search
- Conducting a Live Search: Live Hex Search
- Conducting a Live Search: Live Pattern Search
- Demo - Indexed and Live Searches
- Demo - FTK File Carving
- Module Flow: Decrypting EFS and Other Encrypted Files
- Decrypting EFS Files and Folders
- Decrypting MS Office Files
- Viewing Decrypted Files
- Decrypting Domain Account EFS Files from Live Evidence (Cont'd)
- Decrypting Domain Account EFS Files from Live Evidence
- Decrypting Credant Files
- Decrypting Safeboot Files
- Demo - FTK File Encryption
- Module Flow: Working with Reports
- Creating a Report
- Entering Case Information
- Managing Bookmarks in a Report
- Managing Graphics in a Report
- Selecting a File Path List
- Adding a File Properties List
- Making Registry Selections
- Selecting the Report Output Options
- Customizing the Formatting of Reports
- Viewing and Distributing a Report
- Demo - Reporting
- Module 11 Review

Module 12 - Forensics Investigation Using EnCase 3h 18m

- Module Flow: Overview of EnCase Forensic
- Official Licensed Content Provided by EnCase to EC-Council
- Overview of EnCase Forensic
- EnCase Forensic Features (Cont'd)
- EnCase Forensic Features
- EnCase Forensic Platform
- EnCase Forensic Modules (Cont'd)
- EnCase Forensic Modules
- Module Flow: Installing EnCase Forensic
- Minimum Requirements
- Installing the Examiner
- Installed Files
- Installing the EnCase Modules
- Configuring EnCase
- Configuring EnCase: Case Options Tab
- Configuring EnCase: Global Tab
- Configuring EnCase: Debug Tab
- Configuring EnCase: Colors Tab and Fonts Tab
- Configuring EnCase: EnScript Tab and Storage Paths Tab
- Sharing Configuration (INI) Files
- Module Flow: EnCase Interface
- Demo - EnCase Options
- Main EnCase Window
- System Menu Bar
- Toolbar
- Panes Overview (Cont'd)
- Panes Overview
- Tree Pane
- Table Pane
- Table Pane: Table Tab
- Table Pane: Report Tab
- Table Pane: Gallery Tab
- Table Pane: Timeline Tab
- Table Pane: Disk Tab and Code Tab
- View Pane (Cont'd)
- View Pane
- Filter Pane
- Filter Pane Tabs
- Creating a Filter
- Creating Conditions
- Status Bar
- Demo - EnCase Tabs and Views
- Module Flow: Case Management
- Overview of Case Structure
- Case Management
- Indexing a Case (Cont'd)
- Indexing a Case
- Case Backup
- Options Dialog Box
- Logon Wizard
- New Case Wizard
- Setting Time Zones for Case Files
- Setting Time Zone Options for Evidence Files
- Module Flow: Working with Evidence
- Types of Entries
- Adding a Device (Cont'd)
- Adding a Device
- Adding a Device Using Tableau Write Blocker (Cont'd)
- Adding a Device Using Tableau Write Blocker
- Performing a Typical Acquisition
- Acquiring a Device (Cont'd)
- Acquiring a Device
- Canceling an Acquisition
- Verifying Evidence Files
- Demo - Imaging with EnCase
- Delayed Loading of Internet Artifacts
- Hashing the Subject Drive
- Logical Evidence File (LEF)
- Creating a Logical Evidence File (Cont'd)
- Creating a Logical Evidence File
- Recovering Folders on FAT Volumes
- Restoring a Physical Drive
- Demo - Restoring a Drive from an Image
- Module Flow: Source Processor
- Source Processor
- Starting to Work with Source Processor
- Setting Case Options
- Collection Jobs
- Creating a Collection Job (Cont'd)
- Creating a Collection Job
- Copying a Collection Job
- Running a Collection Job (Cont'd)
- Running a Collection Job
- Analysis Jobs
- Creating an Analysis Job
- Running an Analysis Job (Cont'd)
- Running an Analysis Job
- Creating a Report (Cont'd)
- Creating a Report
- Demo - EnScripts
- Module Flow: Analyzing and Searching Files
- Viewing the File Signature Directory
- Performing a Signature Analysis
- Hash Analysis
- Hashing a New Case
- Demo - Signature Analysis and Hashing
- Creating a Hash Set
- Keyword Searches
- Creating Global Keywords
- Adding Keywords
- Importing and Exporting Keywords
- Searching Entries for Email and Internet Artifacts
- Viewing Search Hits
- Generating an Index
- Tag Records
- Demo - Keyword Searcher
- Module Flow: Viewing File Content
- Viewing Files
- Copying and Unerasing Files (Cont'd)
- Copying and Unerasing Files
- Adding a File Viewer
- Demo - Adding a File Viewer
- Viewing File Content Using View Pane
- Viewing Compound Files
- Viewing Base64 and UUE Encoded Files
- Demo - Compound Files
- Module Flow: Bookmarking Items
- Bookmarks Overview
- Creating a Highlighted Data Bookmark
- Creating a Note Bookmark
- Creating a Folder Information/Structure Bookmark
- Creating a Notable File Bookmark
- Creating a File Group Bookmark
- Creating a Log Record Bookmark
- Creating a Snapshot Bookmark
- Organizing Bookmarks
- Copying/Moving a Table Entry into a Folder
- Viewing a Bookmark on the Table Report Tab
- Excluding Bookmarks (Cont'd)
- Excluding Bookmarks
- Copying Selected Items from One Folder to Another
- Demo - Bookmarks
- Module Flow: Reporting
- Reporting
- Report User Interface
- Creating a Report Using the Report Tab
- Report Single/Multiple Files
- Viewing a Bookmark Report
- Viewing an Email Report
- Viewing a Webmail Report
- Viewing a Search Hits Report
- Creating a Quick Entry Report
- Creating an Additional Fields Report
- Exporting a Report
- Demo - Reporting
- Module 12 Review

Module 13 - Steganography and Image File Forensics 2h 11m

- Module Flow: Steganography
- What is Steganography?
- How Steganography Works
- Legal Use of Steganography
- Unethical Use of Steganography
- Module Flow: Steganography Techniques
- Steganography Techniques
- Application of Steganography
- Classification of Steganography
- Technical Steganography
- Linguistic Steganography (Cont'd)
- Linguistic Steganography
- Types of Steganography
- Image Steganography
- Least Significant Bit Insertion
- Masking and Filtering
- Algorithms and Transformation
- Image Steganography: Hermetic Stego
- Steganography Tool: S-Tools
- Image Steganography Tools
- Audio Steganography
- Audio Steganography Methods (Cont'd)
- Audio Steganography Methods
- Audio Steganography: Mp3stegz
- Audio Steganography Tools
- Video Steganography
- Video Steganography: MSU StegoVideo
- Video Steganography Tools
- Document Steganography: wbStego
- Byte Shelter I
- Document Steganography Tools
- Whitespace Steganography Tool: SNOW
- Folder Steganography: Invisible Secrets 4
- Demo - Invisible Secrets
- Folder Steganography Tools
- Spam/Email Steganography: Spam Mimic
- Steganographic File System
- Issues in Information Hiding
- Module Flow: Steganalysis
- Steganalysis
- How to Detect Steganography (Cont'd)
- How to Detect Steganography
- Detecting Text, Image, Audio, and Video Steganography (Cont'd)
- Detecting Text, Image, Audio, and Video Steganography
- Steganalysis Methods/Attacks on Steganography
- Disabling or Active Attacks
- Steganography Detection Tool: Stegdetect
- Steganography Detection Tools
- Demo - Steg Detection
- Module Flow: Image Files
- Image Files
- Common Terminologies
- Understanding Vector Images
- Understanding Raster Images
- Metafile Graphics
- Understanding Image File Formats
- GIF (Graphics Interchange Format) (Cont'd)
- GIF (Cont'd)
- GIF
- JPEG (Joint Photographic Experts Group)
- JPEG Files Structure (Cont'd)
- JPEG Files Structure
- JPEG 2000
- BMP (Bitmap) File
- BMP File Structure
- PNG (Portable Network Graphics)
- PNG File Structure
- TIFF (Tagged Image File Format)
- TIFF File Structure (Cont'd)
- TIFF File Structure
- Module Flow: Data Compression
- Understanding Data Compression
- How Does File Compression Work?
- Lossless Compression
- Huffman Coding Algorithm (Cont'd)
- Huffman Coding Algorithm
- Lempel-Ziv Coding Algorithm (Cont'd)
- Lempel-Ziv Coding Algorithm
- Lossy Compression
- Vector Quantization
- Module Flow: Locating and Recovering Image Files
- Best Practices for Forensic Image Analysis
- Forensic Image Processing Using MATLAB
- Advantages of MATLAB
- MATLAB Screenshot
- Locating and Recovering Image Files
- Analyzing Image File Headers
- Repairing Damaged Headers (Cont'd)
- Repairing Damaged Headers
- Reconstructing File Fragments
- Identifying Unknown File Formats
- Identifying Image File Fragments
- Identifying Copyright Issues on Graphics
- Picture Viewer: IrfanView
- Picture Viewer: ACDSee Photo Manager 12
- Picture Viewer: ThumbsPlus
- Picture Viewer: AD Picture Viewer Lite
- Picture Viewer Max
- Picture Viewer: FastStone Image Viewer
- Picture Viewer: XnView
- Demo - Picture Viewers
- Faces - Sketch Software
- Digital Camera Data Discovery Software: File Hound
- Module Flow: Image File Forensics Tools
- Hex Workshop
- GFE Stealth - Forensics Graphics File Extractor
- Ilook
- Adroit Photo Forensics 2011
- Digital Photo Recovery
- Digital Photo Recovery Screenshots
- Stellar Phoenix Photo Recovery Software
- Zero Assumption Recovery (ZAR)
- Photo Recovery Software
- Forensic Image Viewer
- File Finder
- DiskGetor Data Recovery
- DERescue Data Recovery Master
- Recover My Files
- Universal Viewer
- Module 13 Review

Module 14 - Application Password Crackers 1h 8m

- Module Flow: Password Cracking Concepts
- Password - Terminology
- Password Types
- Password Cracker
- How Does a Password Cracker Work?
- How Hash Passwords are Stored in Windows SAM
- Module Flow: Types of Password Attacks
- Password Cracking Techniques
- Types of Password Attacks
- Passive Online Attacks: Wire Sniffing
- Password Sniffing
- Passive Online Attack: Man-in-the-Middle and Replay Attack
- Active Online Attack: Password Guessing
- Active Online Attack: Trojan/Spyware/Keylogger
- Active Online Attack: Hash Injection Attack
- Rainbow Attacks: Pre-Computed Hash
- Distributed Network Attack
- Elcomsoft Distributed Password Recovery
- Non-Electronic Attacks
- Manual Password Cracking (Guessing)
- Automatic Password Cracking Algorithm
- Time Needed to Crack Passwords
- Classification of Cracking Software
- Systems Software vs. Applications Software
- Module Flow: System Software Password Cracking
- System Software Password Cracking
- Bypassing BIOS Passwords
- Using Manufacturer's Backdoor Password to Access the BIOS
- Using Password Cracking Software
- CmosPwd
- Resetting the CMOS Using the Jumpers or Solder Beads
- Removing CMOS Battery
- Overloading the Keyboard Buffer and Using a Professional Service
- Tool to Reset Admin Password: Active@ Password Changer
- Tool to Reset Admin Password: Windows Key
- Module Flow: Application Software Password Cracking
- Passware Kit Forensic
- Accent Keyword Extractor
- Distributed Network Attack
- Password Recovery Bundle
- Advanced Office Password Recovery
- Office Password Recovery
- Office Password Recovery Toolbox
- Office Multi-document Password Cracker
- Word Password Recovery Master
- Accent WORD Password Recovery
- Word Password
- PowerPoint Password Recovery
- PowerPoint Password
- Powerpoint Key
- Stellar Phoenix Powerpoint Password Recovery
- Excel Password Recovery Master
- Accent EXCEL Password Recovery
- Excel Password
- Advanced PDF Password Recovery
- PDF Password Cracker
- PDF Password Cracker Pro
- Atomic PDF Password Recovery
- PDF Password
- Recover PDF Password
- Appnimi PDF Password Recovery
- Advanced Archive Password Recovery
- KRyLack Archive Password Recovery
- Zip Password
- Atomic ZIP Password Recovery
- RAR Password Unlocker
- Demo - Office Password Cracking
- Default Passwords
- http://www.defaultpassword.com
- http://www.cirt.net/passwords
- http://default-password.info
- http://www.defaultpassword.us
- http://www.passwordsdatabase.com
- http://www.virus.org
- Module Flow: Password Cracking Tools
- L0phtCrack
- OphCrack
- Cain & Abel
- RainbowCrack
- Windows Password Unlocker
- Windows Password Breaker
- SAMInside
- PWdump7 and Fgdump
- Password Cracking Tools
- Demo - System Password Cracking
- Module 14 Review

Module 15 - Log Capturing and Event Correlation 1h 23m
- Module Flow: Computer Security Logs
- Computer Security Logs
- Operating System Logs
- Application Logs
- Security Software Logs
- Router Log Files
- Honeypot Logs
- Linux Process Accounting
- Logon Event in Windows
- Windows Log File
- Configuring Windows Logging
- Analyzing Windows Logs
- Windows Log File: System Logs
- Windows Log Files: Application Logs
- Logon Events that Appear in the Security Event Log (Cont'd)
- Logon Events that Appear in the Security Event Log
- Demo - Windows Event Viewer
- IIS Logs
- IIS Log File Format
- Maintaining Credible IIS Log Files
- Log File Accuracy
- Log Everything
- Keeping Time
- UTC Time
- View the DHCP Logs
- Sample DHCP Audit Log File
- ODBC Logging
- Module Flow: Logs and Legal Issues
- Legality of Using Logs (Cont'd)
- Legality of Using Logs
- Records of Regularly Conducted Activity as Evidence
- Laws and Regulations
- Module Flow: Log Management
- Log Management
- Functions of Log Management
- Challenges in Log Management
- Meeting the Challenges in Log Management
- Module Flow: Centralized Logging and Syslogs
- Centralized Logging
- Centralized Logging Architecture
- Steps to Implement Central Logging
- Syslog
- Syslog in Unix-Like Systems
- Steps to Set Up a Syslog Server for Unix Systems
- Advantages of Centralized Syslog Server
- IIS Centralized Binary Logging
- Module Flow: Time Synchronization
- Why Synchronize Computer Times?
- What is NTP?
- NTP Stratum Levels (Cont'd)
- NTP Stratum Levels
- NIST Time Servers (Cont'd)
- NIST Time Servers
- Configuring Time Server in Windows Server
- Module Flow: Event Correlation
- Event Correlation
- Types of Event Correlation
- Prerequisites for Event Correlation
- Event Correlation Approaches (Cont'd)
- Event Correlation Approaches
- Module Flow: Log Capturing and Analysis Tools
- GFI EventsManager
- GFI EventsManager Screenshot
- Activeworx Security Center
- EventLog Analyzer
- EventLog Analyzer Screenshot
- Syslog-ng OSE
- Syslog-ng Screenshot
- Kiwi Syslog Server
- Kiwi Syslog Server Screenshot
- WinSyslog
- Firewall Analyzer: Log Analysis Tool
- Firewall Analyzer Architecture
- Firewall Analyzer Screenshot
- Activeworx Log Center
- EventReporter
- Kiwi Log Viewer
- Event Log Explorer
- WebLog Expert
- XpoLog Center Suite
- XpoLog Center Suite Screenshot
- ELM Event Log Monitor
- EventSentry
- LogMeister
- LogViewer Pro
- WinAgents EventLog Translation Service
- EventTracker Enterprise
- Corner Bowl Log Manager
- Ascella Log Monitor Plus
- FLAG - Forensic and Log Analysis GUI
- FLAG Screenshot
- Simple Event Correlator (SEC)
- OSSEC
- Module 15 Review

Module 16 - Network Forensics, Investigating Logs and Investigating Network Traffic 1h 37m

- Module Flow: Network Forensics
- Network Attack Statistics
- Network Forensics
- Network Forensics Analysis Mechanism
- Network Addressing Schemes
- Overview of Network Protocols
- Overview of Physical and Data-Link Layer of the OSI Model
- Overview of Network and Transport Layer of the OSI Model
- OSI Reference Model
- TCP/IP Protocol
- Intrusion Detection Systems (IDS) and Their Placement
- How IDS Works
- Types of Intrusion Detection Systems
- General Indications of Intrusions
- Firewall
- Honeypot
- Module Flow: Network Attacks
- Network Vulnerabilities
- Types of Network Attacks
- IP Address Spoofing
- Man-in-the-Middle Attack
- Packet Sniffing
- How a Sniffer Works
- Enumeration
- Denial of Service Attack
- Session Sniffing
- Buffer Overflow
- Trojan Horse
- Module Flow: Log Injection Attacks
- New Line Injection Attack
- New Line Injection Attack Countermeasure
- Separator Injection Attack (Cont'd)
- Separator Injection Attack
- Defending Separator Injection Attacks
- Timestamp Injection Attack (Cont'd)
- Timestamp Injection Attack
- Defending Timestamp Injection Attacks
- Word Wrap Abuse Attack
- Defending Word Wrap Abuse Attacks
- HTML Injection Attack
- Defending HTML Injection Attacks
- Terminal Injection Attack
- Defending Terminal Injection Attacks
- Module Flow: Investigating and Analyzing Logs
- Postmortem and Real-Time Analysis
- Where to Look for Evidence
- Log Capturing Tool: ManageEngine EventLog Analyzer
- Log Capturing Tool: ManageEngine Firewall Analyzer
- Log Capturing Tool: GFI EventsManager
- GFI EventsManager Screenshot
- Log Capturing Tool: Kiwi Syslog Server
- Kiwi Syslog Server Screenshot
- Handling Logs as Evidence
- Log File Authenticity
- Demo - Kiwi Log Viewer
- Use Signatures, Encryption, and Checksums
- Work with Copies
- Ensure System's Integrity
- Access Control
- Chain of Custody
- Condensing Log File
- Module Flow: Investigating Network Traffic
- Why Investigate Network Traffic?
- Evidence Gathering via Sniffing
- Capturing Live Data Packets Using Wireshark
- Wireshark Screenshot
- Display Filters in Wireshark
- Additional Wireshark Filters
- Demo - Wireshark
- Acquiring Traffic Using DNS Poisoning Techniques
- Intranet DNS Spoofing (Local Network)
- Intranet DNS Spoofing (Remote Network)
- Proxy Server DNS Poisoning
- DNS Cache Poisoning
- Evidence Gathering from ARP Table
- Evidence Gathering at the Data-Link Layer: DHCP Database
- Gathering Evidence by IDS
- Module Flow: Traffic Capturing and Analysis Tools
- NetworkMiner
- Tcpdump/Windump
- Intrusion Detection Tool: Snort
- How Snort Works
- IDS Policy Manager
- MaaTec Network Analyzer
- Iris Network Traffic Analyzer
- NetWitness Investigator
- NetWitness Investigator Screenshot
- Colasoft Capsa Network Analyzer
- Sniff-O-Matic
- NetResident
- Network Probe
- NetFlow Analyzer
- OmniPeek Network Analyzer
- Firewall Evasion Tool: Traffic IQ Professional
- NetworkView
- CommView
- Observer
- SoftPerfect Network Protocol Analyzer
- EffeTech HTTP Sniffer
- Big-Mother
- EtherDetect Packet Sniffer
- Ntop
- EtherApe
- Demo - Nmap
- AnalogX Packetmon
- IEInspector HTTP Analyzer
- SmartSniff
- Distinct Network Monitor
- Give Me Too
- EtherSnoop
- Show Traffic
- Argus
- Documenting the Evidence Gathered on a Network
- Module 16 Review

Module 17 - Investigating Wireless Attacks 2h 5m

- Module Flow: Wireless Technologies
- Wi-Fi Usage Statistics in the US
- Wireless Networks
- Wireless Terminologies
- Wireless Components
- Types of Wireless Networks
- Wireless Standards
- MAC Filtering
- Service Set Identifier (SSID)
- Types of Wireless Encryption: WEP
- Types of Wireless Encryption: WPA
- Types of Wireless Encryption: WPA2
- WEP vs. WPA vs. WPA2
- Module Flow: Wireless Attacks
- Wi-Fi Chalking
- Wi-Fi Chalking Symbols
- Access Control Attacks (Cont'd)
- Access Control Attacks
- Integrity Attacks (Cont'd)
- Integrity Attacks
- Confidentiality Attacks (Cont'd)
- Confidentiality Attacks
- Availability Attacks (Cont'd)
- Availability Attacks
- Authentication Attacks (Cont'd)
- Authentication Attacks
- Module Flow: Investigating Wireless Attacks
- Key Points to Remember
- Steps for Investigation
- Obtain a Search Warrant
- Identify Wireless Devices at Crime Scene (Cont'd)
- Identify Wireless Devices at Crime Scene
- Search for Additional Devices
- Detect Rogue Access Point
- Document the Scene and Maintain a Chain of Custody
- Detect the Wireless Connections
- Methodologies to Detect Wireless Connections
- Wi-Fi Discovery Tool: inSSIDer
- GPS Mapping
- GPS Mapping Tool: WIGLE
- GPS Mapping Tool: Skyhook
- How to Discover Wi-Fi Networks Using Wardriving
- Check for MAC Filtering (Cont'd)
- Check for MAC Filtering
- Changing the MAC Address (Cont'd)
- Changing the MAC Address
- Detect WAPs Using the Nessus Vulnerability Scanner
- Capturing Wireless Traffic
- Sniffing Tool: Wireshark
- Follow TCP Stream in Wireshark
- Display Filters in Wireshark
- Additional Wireshark Filters
- Determine Wireless Field Strength: FSM
- Determine Wireless Field Strength: ZAP Checker Products
- What is Spectrum Analysis?
- Map Wireless Zones and Hotspots
- Connect to the Wireless Access Point (Cont'd)
- Connect to the Wireless Access Point
- Access Point Data Acquisition and Analysis: Attached Devices
- Access Point Data Acquisition and Analysis: LAN TCP/IP Setup
- Access Point Data Acquisition and Analysis
- Firewall Analyzer
- Firewall Log Analyzer
- Wireless Devices Data Acquisition and Analysis (Cont'd)
- Wireless Devices Data Acquisition and Analysis
- Report Generation
- Module Flow: Features of a Good Wireless Forensics Tool
- Features of a Good Wireless Forensics Tool (Cont'd)
- Features of a Good Wireless Forensics Tool
- Module Flow: Wireless Forensics Tools
- Wi-Fi Discovery Tool: NetStumbler
- Demo - inSSIDer NetStumbler
- Wi-Fi Discovery Tool: NetSurveyor
- Wi-Fi Discovery Tool: Vistumbler
- Wi-Fi Discovery Tool: WirelessMon
- Wi-Fi Discovery Tool: Kismet
- Wi-Fi Discovery Tool: AirPort Signal
- Wi-Fi Discovery Tools
- Wi-Fi Packet Sniffer: OmniPeek (Cont'd)
- Wi-Fi Packet Sniffer: OmniPeek
- Wi-Fi Packet Sniffer: CommView for WiFi
- Wi-Fi USB Dongle: AirPcap
- Wi-Fi Packet Sniffer: Wireshark with AirPcap
- Wi-Fi Packet Sniffer: tcpdump
- tcpdump Commands (Cont'd)
- tcpdump Commands
- Wi-Fi Packet Sniffer: KisMAC
- Aircrack-ng Suite
- Demo - AirCrack
- AirMagnet WiFi Analyzer
- Wardriving Tools
- RF Monitoring Tools
- Wi-Fi Connection Manager Tools
- Wi-Fi Traffic Analyzer Tools
- Wi-Fi Raw Packet Capturing Tools / Wi-Fi Spectrum Analyzing Tools
- Module 17 Review

Module 18 - Investigating Web Attacks 2h 14m

- Module Flow: Introduction to Web Applications and Web Servers
- Web Application Security Statistics
- Webserver Market Shares
- Introduction to Web Applications
- Web Application Components
- How Web Applications Work
- Web Application Architecture
- Open Source Web Server Architecture
- Indications of a Web Attack
- Web Attack Vectors
- Why Web Servers are Compromised
- Impact of Web Server Attacks
- Website Defacement
- Case Study
- Module Flow: Web Logs
- Overview of Web Logs
- Application Logs
- Internet Information Services (IIS) Logs
- IIS Web Server Architecture
- IIS Log File Format
- Apache Web Server Logs
- DHCP Server Logs
- Module Flow: Web Attacks
- Web Attacks - 1
- Web Attacks - 2
- Unvalidated Input
- Parameter/Form Tampering
- Directory Traversal
- Security Misconfiguration
- Injection Flaws
- SQL Injection Attacks
- Command Injection Attacks
- Command Injection Example
- File Injection Attack
- What is LDAP Injection?
- How LDAP Injection Works
- Hidden Field Manipulation Attack
- Cross-Site Scripting (XSS) Attacks
- How XSS Attacks Work
- Cross-Site Request Forgery (CSRF) Attack
- How CSRF Attacks Work
- Web Application Denial-of-Service (DoS) Attack
- Denial of Service (DoS) Examples
- Buffer Overflow Attacks
- Cookie/Session Poisoning
- How Cookie Poisoning Works
- Session Fixation Attack
- Insufficient Transport Layer Protection
- Improper Error Handling
- Insecure Cryptographic Storage
- Broken Authentication and Session Management
- Unvalidated Redirects and Forwards
- DMZ Protocol Attack / Zero Day Attack
- Log Tampering
- URL Interpretation and Impersonation Attack
- Web Services Attack
- Web Services Footprinting Attack
- Web Services XML Poisoning
- Web Server Misconfiguration
- Example
- HTTP Response Splitting Attack
- Web Cache Poisoning Attack
- HTTP Response Hijacking
- SSH Bruteforce Attack
- Man-in-the-Middle Attack
- Defacement Using DNS Compromise
- Module Flow: Web Attack Investigation
- Investigating Web Attacks
- Investigating Web Attacks in Windows-Based Servers (Cont'd)
- Investigating Web Attacks in Windows-Based Servers
- Investigating IIS Logs
- Investigating Apache Logs (Cont'd)
- Investigating Apache Logs
- Example of FTP Compromise
- Investigating FTP Servers
- Investigating Static and Dynamic IP Addresses
- Sample DHCP Audit Log File
- Investigating Cross-Site Scripting (XSS) (Cont'd)
- Investigating Cross-Site Scripting (XSS)
- Investigating SQL Injection Attacks (Cont'd)
- Investigating SQL Injection Attacks

Pen-Testing CSRF Validation Fields
Investigating Code Injection Attack
Investigating Cookie Poisoning Attack
Detecting Buffer Overflow
Investigating Authentication Hijacking
Web Page Defacement
Investigating DNS Poisoning
Intrusion Detection
Security Strategies for Web Applications
Checklist for Web Security
Module Flow: Web Attack Detection Tools
Demo - Nessus
Web Application Security Tool: Acunetix Web Vulnerability Scanner
Web Application Security Tool: Falcove Web Vulnerability Scanner
Web Application Security Tool: Netsparker
Web Application Security Tool: N-Stalker Web Application Security Scanner
Web Application Security Tool: Sandcat
Web Application Security Tool: Wikto
Web Application Security Tools: WebWatchBot
Web Application Security Tool: OWASP ZAP
Web Application Security Tool: SecuBat Vulnerability Scanner
Web Application Security Tool: Websecurify
Web Application Security Tool: HackAlert
Web Application Security Tool: WebCruiser
Web Application Firewall: dotDefender
Web Application Firewall: IBM AppScan
Web Application Firewall: ServerDefender VP
Web Log Viewer: Deep Log Analyzer
Web Log Viewer: WebLog Expert
Web Log Viewer: AlterWind Log Analyzer
Web Log Viewer: Webalizer
Web Log Viewer: eWebLog Analyzer
Web Log Viewer: Apache Logs Viewer (ALV)
Web Attack Investigation Tool: AWStats
Web Attack Investigation Tools: Paros Proxy
Web Attack Investigation Tools: Scrawlr
Module Flow: Tools for Locating IP Addresses
Whois Lookup (Cont'd)
Whois Lookup Result
SmartWhois
ActiveWhois
LanWhoIs
CountryWhois
CallerIP
Real Hide IP
Demo - Real Hide IP
IP - Address Manager
Pandora FMS
Demo - Whois Lookup
Module 18 Review

Module 19 - Tracking Emails and Investigating Email Crimes 1h 40m

Module Flow: Email System Basics
Email Terminology
Email System
Email Clients
Email Server
SMTP Server
POP3 and IMAP Servers
Email Message
Importance of Electronic Records Management
Module Flow: Email Crimes
Email Crime
Email Spamming
Mail Bombing/Mail Storm
Phishing (Cont'd)
Phishing
Email Spoofing
Crime via Chat Room
Identity Fraud/Chain Letter
Module Flow: Email Headers
Example of Email Header
List of Common Headers (Cont'd)
List of Common Headers
Module Flow: Steps to Investigate
Why to Investigate Emails
Investigating Email Crime and Violation
Obtain a Search Warrant and Seize the Computer and Email Account
Obtain a Bit-by-Bit Image of Email Information
Examine Email Headers
Viewing Email Headers in Microsoft Outlook
Viewing Email Headers in AOL
Viewing Email Headers in Hotmail
Viewing Email Headers in Gmail
Viewing Headers in Yahoo Mail
Forging Headers
Analyzing Email Headers (Cont'd)
Analyzing Email Headers
Email Header Fields
Received: Headers
Demo - Email Headers
Microsoft Outlook Mail
Examining Additional Files (.pst or .ost Files)
Checking the Email Validity
Examine the Originating IP Address
Tracing Back
Tracing Back Web-Based Email
Email Archives
Content of Email Archives
Local Archive (Cont'd)
Local Archive
Server Storage Archive (Cont'd)
Server Storage Archive
Forensic Acquisition of Email Archive (Cont'd)
Forensic Acquisition of Email Archive
Deleted Email Recovery
Module Flow: Email Forensics Tools
Stellar Phoenix Deleted Email Recovery

Recover My Email
Outlook Express Recovery
Zmeil
Quick Recovery for MS Outlook
Email Detective
Email Trace - Email Tracking
R-Mail
FINALeMAIL
eMailTrackerPro
Forensic Tool Kit (FTK)
Paraben's E-mail Examiner
Paraben's Network E-mail Examiner
DiskInternal's Outlook Express Repair
Abuse.Net
MailDetective Tool
Module Flow: Laws and Acts against Email Crimes
U.S. Laws Against Email Crime: CAN-SPAM Act (Cont'd)
U.S. Laws Against Email Crime: CAN-SPAM Act
18 U.S.C. - 2252A
18 U.S.C. - 2252B
Email Crime Law in Washington: RCW 19.190.020
Module 19 Review

Module 20 - Mobile Forensics 1h 58m
Module Flow: Mobile Phones
Smartphone Sales Statistics 2010/2011
Mobile Phone
Different Mobile Devices
Hardware Characteristics of Mobile Devices
Software Characteristics of Mobile Devices
Components of Cellular Network
Cellular Network
Different Cellular Networks
Module Flow: Mobile Operating Systems
Mobile Operating Systems
Types of Mobile Operating Systems
webOS
webOS System Architecture
Symbian OS
Symbian OS Architecture
Android OS
Android OS Architecture
RIM Blackberry OS
Windows Phone 7
Windows Phone 7 Architecture
Apple iOS
Module Flow: Mobile Forensics
What a Criminal Can Do with Mobile Phones
Mobile Forensics
Mobile Forensics Challenges
Forensics Information in Mobile Phones
Memory Considerations in Mobiles
Subscriber Identity Module (SIM)
SIM File System
Integrated Circuit Card Identification (ICCID)
International Mobile Equipment Identifier (IMEI)

Electronic Serial Number (ESN)
Precautions to Be Taken Before Investigation (Cont'd)
Precautions to Be Taken Before Investigation
Module Flow: Mobile Forensics Process
Mobile Forensics Process
Collecting the Evidence
Points to Remember while Collecting the Evidence
Collecting an iPod/iPhone Connected to a Computer
Demo - Mac-based iPods
Demo - Windows-based iPods
Document the Scene and Preserve the Evidence (Cont'd)
Document the Scene and Preserve the Evidence
Imaging and Profiling
Acquire the Information
Device Identification
Acquire Data from SIM Cards (Cont'd)
Acquire Data from SIM Cards
Acquire Data from Unobstructed Mobile Devices
Acquire the Data from Obstructed Mobile Devices
Acquire Data from Memory Cards (Cont'd)
Acquire Data from Memory Cards
Acquire Data from Synched Devices
Gather Data from Network Operator
Check Call Data Records (CDRs)
Gather Data from SQLite Record (Cont'd)
Gather Data from SQLite Record
Analyze the Information (Cont'd)
Analyze the Information
Generate Report
Module Flow: Mobile Forensics Software Tools
Oxygen Forensic Suite 2011
MOBILedit! Forensic
MOBILedit! Forensic: Screenshot
BitPim
SIM Analyzer
SIMCon
SIM Card Data Recovery
Memory Card Data Recovery
Device Seizure
SIM Card Seizure
ART (Automatic Reporting Tool)
iPod Data Recovery Software
Recover My iPod
PhoneView
Elcomsoft Blackberry Backup Explorer
Oxygen Phone Manager II
Sanmaxi SIM Recoverer
Mobile Forensics Tools
Demo - Mobile Forensic Software
Module Flow: Mobile Forensics Hardware Tools
Secure View Kit
Deployable Device Seizure (DDS)
Paraben's Mobile Field Kit
PhoneBase
XACT System
Logicube CellDEK

Logicube CellDEK TEK
RadioTactics ACESO
UME-36Pro - Universal Memory Exchanger
Cellebrite UFED System - Universal Forensic Extraction Device
ZRT 2
ICD 5200
ICD 1300
Module 20 Review

Module 21 - Investigative Reports 1h 16m
Module Flow: Computer Forensics Report
Computer Forensics Report
Salient Features of a Good Report (Cont'd)
Salient Features of a Good Report
Aspects of a Good Report
Module Flow: Computer Forensics Report Template
Computer Forensics Report Template (Cont'd)
Computer Forensics Report Template
Simple Format of the Chain of Custody Document
Chain of Custody Forms (Cont'd)
Chain of Custody Forms
Evidence Collection Form
Computer Evidence Worksheet (Cont'd)
Computer Evidence Worksheet
Hard Drive Evidence Worksheet (Cont'd)
Hard Drive Evidence Worksheet
Removable Media Worksheet
Module Flow: Investigative Report Writing
Report Classification
Layout of an Investigative Report
Layout of an Investigative Report: Numbering
Report Specifications
Guidelines for Writing a Report
Use of Supporting Material
Importance of Consistency
Investigative Report Format
Attachments and Appendices
Include Metadata
Signature Analysis
Investigation Procedures
Collecting Physical and Demonstrative Evidence
Collecting Testimonial Evidence
Do's and Don'ts of Computer Forensics Investigations
Case Report Writing and Documentation
Creating a Report to Attach to the Media Analysis Worksheet
Best Practices for Investigators
Module Flow: Sample Forensics Report
Sample Forensics Report
Sample Forensics Report 1 (1 of 5)
Sample Forensics Report 1 (2 of 5)
Sample Forensics Report 1 (3 of 5)
Sample Forensics Report 1 (4 of 5)
Sample Forensics Report 1 (5 of 5)
Sample Forensics Report 2 (1 of 3)
Sample Forensics Report 2 (2 of 3)
Sample Forensics Report 2 (3 of 3)

Module Flow: Report Writing Using Tools
Writing Report Using FTK (1 of 10)
Writing Report Using FTK (2 of 10)
Writing Report Using FTK (3 of 10)
Writing Report Using FTK (4 of 10)
Writing Report Using FTK (5 of 10)
Writing Report Using FTK (6 of 10)
Writing Report Using FTK (7 of 10)
Writing Report Using FTK (8 of 10)
Writing Report Using FTK (9 of 10)
Writing Report Using FTK (10 of 10)
Writing Report Using ProDiscover (1 of 7)
Writing Report Using ProDiscover (2 of 7)
Writing Report Using ProDiscover (3 of 7)
Writing Report Using ProDiscover (4 of 7)
Writing Report Using ProDiscover (5 of 7)
Writing Report Using ProDiscover (6 of 7)
Writing Report Using ProDiscover (7 of 7)
Demo - Investigative Reports
Module 21 Review

Module 22 - Becoming an Expert Witness 1h
Module Flow: Expert Witness
What is an Expert Witness?
Role of an Expert Witness
What Makes a Good Expert Witness?
Module Flow: Types of Expert Witnesses
Types of Expert Witnesses
Computer Forensics Experts
Role of Computer Forensics Expert
Medical & Psychological Experts
Civil Litigation Experts
Construction & Architecture Experts
Criminal Litigation Experts
Module Flow: Scope of Expert Witness Testimony
Scope of Expert Witness Testimony (Cont'd)
Scope of Expert Witness Testimony
Technical Witness vs. Expert Witness
Preparing for Testimony
Module Flow: Evidence Processing
Evidence Preparation and Documentation
Evidence Processing Steps (Cont'd)
Evidence Processing Steps
Checklists for Processing Evidence
Examining Computer Evidence
Prepare the Report
Evidence Presentation
Module Flow: Rules for Expert Witness
Rules Pertaining to an Expert Witness's Qualifications (Cont'd)
Rules Pertaining to an Expert Witness's Qualifications
Daubert Standard
Frye Standard
Importance of Resume
Testifying in the Court
The Order of Trial Proceedings
Module Flow: General Ethics While Testifying

General Ethics While Testifying
Importance of Graphics in a Testimony
Helping your Attorney
Avoiding Testimony Issues
Testifying during Direct Examination (Cont'd)
Testifying during Direct Examination
Testifying during Cross-Examination
Deposing
Recognizing Deposition Problems
Guidelines to Testifying at a Deposition
Dealing with Media
Finding a Computer Forensics Expert
Learn More…
Module 22 Review
Course Closure

Total Duration: 44h 56m