Computer Forensic Specialist: Data and Image Files - EC-Council

Computer Forensic Specialist 

CFS304 

Course Title: 

Computer Forensic Specialist: Data and Image Files 

Page 1 of 9 

Data and Image Files Copyright © by EC-Council | Press 

All Rights Reserved. Reproduction is Strictly Prohibited.


CFS304 

Course Description 

The Computer Forensic Series by EC-Council provides the knowledge and skills to identify, track, and 

prosecute the cyber-criminal. The series is comprised of five books covering a broad base of topics in 

Computer Hacking Forensic Investigation, designed to expose the reader to the process of detecting 

attacks and collecting evidence in a forensically sound manner with the intent to report crime and prevent 

future attacks. Learners are introduced to advanced techniques in computer investigation and analysis 

with interest in generating potential legal evidence. This and the other four books provide preparation to 

identify evidence in computer related crime and abuse cases as well as track the intrusive hacker's path 

through a client system. The series and accompanying labs help prepare the security student or 

professional to profile an intruder's footprint and gather all necessary information and evidence to 

support prosecution in a court of law. 

Investigating data and image files provides a basic understanding of steganography, data acquisition and 

duplication, encase, how to recover the deleted files and partitions and image file forensics. 

Certification Info 

Computer Forensic Specialist: Data and Image Files 

Who Should Attend 

This course will significantly benefit police and other law enforcement personnel, defense and military 

personnel, e-business security professionals, systems administrators, legal professionals, banking, 

insurance and other professionals, government agencies and IT managers. 

Course Duration 

2 days (9:00AM – 5:00PM) 

CPE/ECE Qualification 

16 ECE Credits awarded for attendance (1 for each classroom hour) 

Suggested Retail: 

$799 USD 

Page 2 of 9 




CFS304 

Required Courseware: 

Visit www.cengage.com/community/eccouncil and click on Training Workshops for ordering details. 

What’s included? 

Physical Courseware 

1 year Access To EC-Council Student LMS for Practical Labs (if applicable), testing, and Certificate 

Course + Supplement Cost: 

See the “Training Workshops” section at www.cengage.com/community/eccouncil for current pricing 

information. 

Related Certificates: 

Computer Forensic Specialist: Procedures & Response 

Computer Forensic Specialist: Storage Device & Operating Systems 

Computer Forensic Specialist: Network Intrusion & Cybercrime 

Computer Forensic Specialist: Wireless Networks and Devices 

Page 3 of 9 




CFS304 

Course Briefing 

1. Steganography 

Chapter Brief: 

Steganography, the art of hidden writing, has been in use for centuries. It involves embedding a 

hidden message in some transport or carrier medium, and has been used by mathematicians, military 

personnel, and scientists. They all engage themselves in changing the common language and 

transferring it through secret and hidden communication. 

The objective of this chapter is to make you familiar with the concept of steganography. This chapter 

covers the various methods in which steganography can be applied either legally or illegally. It 

discusses the early history and evolution of steganography and highlights the various steganography 

tools that are used and the salient features of these tools as well. 

2. Data Acquisition and Duplication 


Data acquisition is an important step in the investigation process. The data collected from the victim’s 

system is presented as the evidence. So, the data should be kept with the investigator and produced in 

the court while the trial is going on. Sometimes instead of data acquisition, duplication of the data is 

the best way to collect the data. Duplicated data can also be presented at the court. 

This chapter deals with data acquisition and data duplication process which are the important 

aspects of the forensic investigation. It also highlights the popular tools required during the data 

acquisition and data duplication process. 

3. Forensic Investigations Using EnCase 


Encase is widely known and used tool in the forensics. It helps to collect and verify the evidences for 

the investigation process. This chapter covers the evidence files, verifying file integrity, configuring 

encase, searching, and bookmarks. 

This chapter describes the complete process of forensic investigation using EnCase. 

4. Recovering Deleted Files and Deleted Partitions 


During the investigation of the computer system, an investigator may come across a situation where 

the evidences of the crime are deleted from the system. In this case, an investigator should know how 

to recover the deleted files, which can be used as evidence. Deleted files and deleted partitions can be 

a good source of evidence which are useful to provide an important clue in the investigation. 

This chapter covers the various methods in which a forensic investigator can recover the deleted files. 

It deals primarily with understanding the basic concept of recovering the deleted files. The chapter 

also highlights the various data recovery tools and the salient features of these tools. 

Page 4 of 9 




CFS304 

5. Image File Forensics 


Image files are the key component in the investigation process. Image files can be presented as 

evidence in the court. It is important to recover the image files from the attacked computer and 

preserve it. Image files are delicate and can be corrupted if it is not handled properly. 

This chapter covers the various methods in which a forensic investigator can go about recovering the 

image files. This chapter mainly deals with understanding the basic concept of recovering the image 

files. This chapter also highlights the various image recovery, steganalysis, and viewing tools that are 

used in this process. 

Page 5 of 9 




CFS304 

Course Outline 

Chapter 1: Steganography 

• Introduction to Steganography 

• Stegosystem Model 

• Application of Steganography 

• Classification of Steganography 

• Digital File Types 

• Steganographic File System 

• Cryptography 

• Watermarking 

• Issues in Information Hiding 

• Detecting Steganography 

• Tools 

Chapter 2: Data Acquisition and Duplication 

• Introduction to Data Acquisition and Duplication 

• Determining the Best Acquisition Methods 

o Disk-to-Image File 

o Disk-to-Disk Copy 

o Sparse Data Copy 

• Data Recovery Contingencies 

• The Need For Data Duplication 

• Data Acquisition Software Tools 

• Windows Standard Tools 

• Linux Standard Tools 

o DriveSpy 

o FTK Imager 

o Mount Image Pro 

o Drive SnapShot 

o SnapBack DatArrest 

o SafeBack 

• Data Acquisition Hardware Tools 

o Image MASSter Solo-3 

o LinkMASSter-2 

o RoadMASSter-2 

Page 6 of 9 




CFS304 

• Data Duplication Software Tools 

o R-Drive Image 

o DriveLook 

o DiskExplorer 

o Save-N-Sync 

o DFSMSdss 

o SCSIPAK 

• Data Duplication Hardware Tools 

o ImageMASSter 6007SAS 

o Disk Jockey IT 

o QuickCopy 

Chapter 3: Forensic Investigations Using EnCase 

• Introduction to Forensic Investigation Using EnCase 

• Evidence Files 

o Verifying Evidence Files 

o Evidence File Format 

• Verifying File Integrity 

• Hashing 

• Acquiring an Image 

• Configuring EnCase 

o View Menu 

o Device Tab 

o Status Bar 

o Searching 

o Keywords 

o Starting the Search 

o Search Hits Tab 

o Bookmarks 

o Creating Bookmark Folders 

o Adding Bookmarks 

o Bookmarking a Selected Area 

• Recovering Deleted Files/Folders in a FAT Partition 

• Viewing Recovered Files 

• Recovering Files/Folders in an NTFS Partition 

• Master Boot Record (MBR) 

Page 7 of 9 




CFS304 

• NTFS Starting Point 

• Viewing Disk Geometry 

• Recovering Deleted Partitions 

• Hash Values 

o Creating Hash Sets 

o MD5 Hash 

o Creating Hashes 

o Viewers 

o Creating Hashes 

• Signature Analysis 

• Viewing the Results 

• Copying Files and Folders 

• E-Mail Recovery 

• Reporting 

• EnCase Boot Disks 

Chapter 4: Recovering Deleted Files and Deleted Partitions 

• Introduction to Recovering Deleted Files and Deleted Partitions 

• Deleting Files 

• What Happens When a File Is Deleted in Windows? 

• The Recycle Bin in Windows 

• Damaged Recycled Folder 

• How to Undelete a File 

• Data Recovery in Linux 

o Tools to Recover Deleted Files 

• File Recovery Tools for Windows 

• Tools for Use with UNIX-based Systems 

o Tools Based on File Type 

o Tools Based on Media Type 

• Recovering Deleted Partitions 

• Deletion of a Partition 

• What Happens When a Partition is Deleted? 

• Recovery of Deleted Partitions 

• Tools to Recover Deleted and Damaged Partitions 

Chapter 5: Image File Forensics 

Page 8 of 9 




CFS304 

• Introduction to Graphics File Forensics 

• Introduction to Graphics Files 

• Understanding Vector Images 

• Understanding Raster Images 

• Metafile Graphics 

• Understanding Image File Formats 

• BMP (Bitmap) File 

• Data Compression in Image Files 

• Understanding File Compression 

• Lossless Compression Algorithms 

• Lossy Compression 

• Locating and Recovering Image Files 

• Steganography in Image Files 

• Steganalysis 

• Identifying Copyright Issues with Graphics 

Page 9 of 9

Computer Forensic Specialist: Data and Image Files - EC-Council

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?