Computer Forensic Specialist: Data and Image Files - EC-Council
Computer Forensic Specialist
CFS304
Course Title:
Computer Forensic Specialist: Data and Image Files
Data and Image Files Copyright © by EC-Council | Press
All Rights Reserved. Reproduction is Strictly Prohibited.
Course Description
The Computer Forensic Series by EC-Council provides the knowledge and skills to identify, track, and prosecute the cyber-criminal. The series comprises five books covering a broad base of topics in Computer Hacking Forensic Investigation, designed to expose the reader to the process of detecting attacks and collecting evidence in a forensically sound manner with the intent to report crime and prevent future attacks. Learners are introduced to advanced techniques in computer investigation and analysis with an interest in generating potential legal evidence. This and the other four books provide preparation to identify evidence in computer-related crime and abuse cases as well as track the intrusive hacker's path through a client system. The series and accompanying labs help prepare the security student or professional to profile an intruder's footprint and gather all necessary information and evidence to support prosecution in a court of law.
Investigating data and image files provides a basic understanding of steganography, data acquisition and duplication, EnCase, how to recover deleted files and partitions, and image file forensics.
Certification Info
Computer Forensic Specialist: Data and Image Files
Who Should Attend
This course will significantly benefit police and other law enforcement personnel, defense and military personnel, e-business security professionals, systems administrators, legal professionals, banking, insurance and other professionals, government agencies and IT managers.
Course Duration
2 days (9:00AM – 5:00PM)
CPE/ECE Qualification
16 ECE Credits awarded for attendance (1 for each classroom hour)
Suggested Retail:
$799 USD
Required Courseware:
Visit www.cengage.com/community/eccouncil and click on Training Workshops for ordering details.
What’s included?
Physical Courseware
1 year Access To EC-Council Student LMS for Practical Labs (if applicable), testing, and Certificate
Course + Supplement Cost:
See the “Training Workshops” section at www.cengage.com/community/eccouncil for current pricing information.
Related Certificates:
Computer Forensic Specialist: Procedures & Response
Computer Forensic Specialist: Storage Device & Operating Systems
Computer Forensic Specialist: Network Intrusion & Cybercrime
Computer Forensic Specialist: Wireless Networks and Devices
Course Briefing
1. Steganography
Chapter Brief:
Steganography, the art of hidden writing, has been in use for centuries. It involves embedding a hidden message in some transport or carrier medium, and has been used by mathematicians, military personnel, and scientists. They all engage in changing the common language and transferring it through secret and hidden communication.
The objective of this chapter is to make you familiar with the concept of steganography. This chapter covers the various ways in which steganography can be applied, either legally or illegally. It discusses the early history and evolution of steganography and highlights the various steganography tools that are used and the salient features of these tools.
2. Data Acquisition and Duplication
Chapter Brief:
Data acquisition is an important step in the investigation process. The data collected from the victim’s system is presented as evidence, so it should be kept with the investigator and produced in court during the trial. Sometimes, instead of data acquisition, duplication of the data is the best way to collect the data. Duplicated data can also be presented in court.
This chapter deals with the data acquisition and data duplication processes, which are important aspects of forensic investigation. It also highlights the popular tools required during the data acquisition and data duplication process.
3. Forensic Investigations Using EnCase
Chapter Brief:
EnCase is a widely known and widely used tool in forensics. It helps to collect and verify evidence for the investigation process. This chapter covers evidence files, verifying file integrity, configuring EnCase, searching, and bookmarks.
This chapter describes the complete process of forensic investigation using EnCase.
4. Recovering Deleted Files and Deleted Partitions
Chapter Brief:
During the investigation of a computer system, an investigator may come across a situation where the evidence of the crime has been deleted from the system. In this case, the investigator should know how to recover the deleted files, which can be used as evidence. Deleted files and deleted partitions can be a good source of evidence and can provide an important clue in the investigation.
This chapter covers the various methods by which a forensic investigator can recover deleted files. It deals primarily with understanding the basic concept of recovering deleted files. The chapter also highlights the various data recovery tools and the salient features of these tools.
5. Image File Forensics
Chapter Brief:
Image files are the key component in the investigation process. Image files can be presented as evidence in court. It is important to recover the image files from the attacked computer and preserve them. Image files are delicate and can be corrupted if they are not handled properly.
This chapter covers the various methods by which a forensic investigator can go about recovering image files. It mainly deals with understanding the basic concept of recovering image files. The chapter also highlights the various image recovery, steganalysis, and viewing tools that are used in this process.
Course Outline
Chapter 1: Steganography
• Introduction to Steganography
• Stegosystem Model
• Application of Steganography
• Classification of Steganography
• Digital File Types
• Steganographic File System
• Cryptography
• Watermarking
• Issues in Information Hiding
• Detecting Steganography
• Tools
Chapter 2: Data Acquisition and Duplication
• Introduction to Data Acquisition and Duplication
• Determining the Best Acquisition Methods
  o Disk-to-Image File
  o Disk-to-Disk Copy
  o Sparse Data Copy
• Data Recovery Contingencies
• The Need For Data Duplication
• Data Acquisition Software Tools
• Windows Standard Tools
• Linux Standard Tools
  o DriveSpy
  o FTK Imager
  o Mount Image Pro
  o Drive SnapShot
  o SnapBack DatArrest
  o SafeBack
• Data Acquisition Hardware Tools
  o Image MASSter Solo-3
  o LinkMASSter-2
  o RoadMASSter-2
• Data Duplication Software Tools
  o R-Drive Image
  o DriveLook
  o DiskExplorer
  o Save-N-Sync
  o DFSMSdss
  o SCSIPAK
• Data Duplication Hardware Tools
  o ImageMASSter 6007SAS
  o Disk Jockey IT
  o QuickCopy
Chapter 3: Forensic Investigations Using EnCase
• Introduction to Forensic Investigation Using EnCase
• Evidence Files
  o Verifying Evidence Files
  o Evidence File Format
• Verifying File Integrity
• Hashing
• Acquiring an Image
• Configuring EnCase
  o View Menu
  o Device Tab
  o Status Bar
  o Searching
  o Keywords
  o Starting the Search
  o Search Hits Tab
  o Bookmarks
  o Creating Bookmark Folders
  o Adding Bookmarks
  o Bookmarking a Selected Area
• Recovering Deleted Files/Folders in a FAT Partition
• Viewing Recovered Files
• Recovering Files/Folders in an NTFS Partition
• Master Boot Record (MBR)
• NTFS Starting Point
• Viewing Disk Geometry
• Recovering Deleted Partitions
• Hash Values
  o Creating Hash Sets
  o MD5 Hash
  o Creating Hashes
  o Viewers
  o Creating Hashes
• Signature Analysis
• Viewing the Results
• Copying Files and Folders
• E-Mail Recovery
• Reporting
• EnCase Boot Disks
Chapter 4: Recovering Deleted Files and Deleted Partitions
• Introduction to Recovering Deleted Files and Deleted Partitions
• Deleting Files
• What Happens When a File Is Deleted in Windows?
• The Recycle Bin in Windows
• Damaged Recycled Folder
• How to Undelete a File
• Data Recovery in Linux
  o Tools to Recover Deleted Files
• File Recovery Tools for Windows
• Tools for Use with UNIX-based Systems
  o Tools Based on File Type
  o Tools Based on Media Type
• Recovering Deleted Partitions
• Deletion of a Partition
• What Happens When a Partition is Deleted?
• Recovery of Deleted Partitions
• Tools to Recover Deleted and Damaged Partitions
Chapter 5: Image File Forensics
• Introduction to Graphics File Forensics
• Introduction to Graphics Files
• Understanding Vector Images
• Understanding Raster Images
• Metafile Graphics
• Understanding Image File Formats
• BMP (Bitmap) File
• Data Compression in Image Files
• Understanding File Compression
• Lossless Compression Algorithms
• Lossy Compression
• Locating and Recovering Image Files
• Steganography in Image Files
• Steganalysis
• Identifying Copyright Issues with Graphics